diff --git a/.codeqlmanifest.json b/.codeqlmanifest.json index a3caa99f3c0..0a3a216dd1c 100644 --- a/.codeqlmanifest.json +++ b/.codeqlmanifest.json @@ -1,3 +1,5 @@ { "provide": [ "*/ql/src/qlpack.yml", + "*/upgrades/qlpack.yml", "misc/legacy-support/*/qlpack.yml", - "misc/suite-helpers/qlpack.yml" ] } + "misc/suite-helpers/qlpack.yml", + "codeql/.codeqlmanifest.json" ] } diff --git a/change-notes/1.23/analysis-cpp.md b/change-notes/1.23/analysis-cpp.md index 3ae57bc6d1d..f22436f55cb 100644 --- a/change-notes/1.23/analysis-cpp.md +++ b/change-notes/1.23/analysis-cpp.md @@ -22,6 +22,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications. | Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. | | Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. | | Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. | +| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. | ## Changes to QL libraries @@ -38,6 +39,10 @@ The following changes in version 1.23 affect C/C++ analysis in all applications. definition of `x` when `x` is a variable of pointer type. It no longer considers deep paths such as `f(&x.myField)` to be definitions of `x`. These changes are in line with the user expectations we've observed. +* The data-flow library now makes it easier to specify barriers/sanitizers + arising from guards by overriding the predicate + `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking + configurations respectively. * There is now a `DataFlow::localExprFlow` predicate and a `TaintTracking::localExprTaint` predicate to make it easy to use the most common case of local data flow and taint: from one `Expr` to another. diff --git a/change-notes/1.23/analysis-csharp.md b/change-notes/1.23/analysis-csharp.md index 7ec412a0eb2..df11c0c4abc 100644 --- a/change-notes/1.23/analysis-csharp.md +++ b/change-notes/1.23/analysis-csharp.md @@ -8,6 +8,7 @@ The following changes in version 1.23 affect C# analysis in all applications. | **Query** | **Tags** | **Purpose** | |-----------------------------|-----------|--------------------------------------------------------------------| +| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. | | Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. | | Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. | @@ -43,5 +44,6 @@ The following changes in version 1.23 affect C# analysis in all applications. * There is now a `DataFlow::localExprFlow` predicate and a `TaintTracking::localExprTaint` predicate to make it easy to use the most common case of local data flow and taint: from one `Expr` to another. +* Data is now tracked through null-coalescing expressions (`??`). ## Changes to autobuilder diff --git a/change-notes/1.23/analysis-java.md b/change-notes/1.23/analysis-java.md index 7650a283266..b81b681aac5 100644 --- a/change-notes/1.23/analysis-java.md +++ b/change-notes/1.23/analysis-java.md @@ -2,6 +2,12 @@ The following changes in version 1.23 affect Java analysis in all applications. +## New queries + +| **Query** | **Tags** | **Purpose** | +|-----------------------------|-----------|--------------------------------------------------------------------| +| Continue statement that does not continue (`java/continue-in-false-loop`) | correctness | Finds `continue` statements in `do { ... } while (false)` loops. | + ## Changes to existing queries | **Query** | **Expected impact** | **Change** | diff --git a/change-notes/1.23/analysis-javascript.md b/change-notes/1.23/analysis-javascript.md index 73bbf1247f7..49f527af424 100644 --- a/change-notes/1.23/analysis-javascript.md +++ b/change-notes/1.23/analysis-javascript.md @@ -2,7 +2,7 @@ ## General improvements -* Suppor for `globalThis` has been added. +* Support for `globalThis` has been added. * Support for the following frameworks and libraries has been improved: - [firebase](https://www.npmjs.com/package/firebase) @@ -12,22 +12,28 @@ * The call graph has been improved to resolve method calls in more cases. This may produce more security alerts. +* TypeScript 3.6 and 3.7 features are now supported. + +* Automatic classification of generated files has been improved, in particular files generated by Doxygen are now recognized. + ## New queries | **Query** | **Tags** | **Purpose** | |---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Unused index variable (`js/unused-index-variable`) | correctness | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. | -| Loop bound injection (`js/loop-bound-injection`) | security, external/cwe/cwe-834 | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are not shown on LGTM by default. | +| Loop bound injection (`js/loop-bound-injection`) | security, external/cwe/cwe-834 | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. | | Suspicious method name (`js/suspicious-method-name-declaration`) | correctness, typescript, methods | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. | | Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.| | Use of returnless function (`js/use-of-returnless-function`) | maintainability, correctness | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. | | Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. | | Unreachable method overloads (`js/unreachable-method-overloads`) | correctness, typescript | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. | +| Ignoring result from pure array method (`js/ignore-array-result`) | maintainability, correctness | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. | ## Changes to existing queries | **Query** | **Expected impact** | **Change** | |--------------------------------|------------------------------|---------------------------------------------------------------------------| +| Double escaping or unescaping (`js/double-escaping`) | More results | This rule now detects additional escaping and unescaping functions. | | Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. | | Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. | | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. | @@ -40,6 +46,8 @@ | Reflected cross-site scripting (`js/reflected-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. | | Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. | | Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. | +| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. | +| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. | ## Changes to QL libraries diff --git a/change-notes/1.23/analysis-python.md b/change-notes/1.23/analysis-python.md index 5f5c288bbec..6cea1745284 100644 --- a/change-notes/1.23/analysis-python.md +++ b/change-notes/1.23/analysis-python.md @@ -19,4 +19,9 @@ | **Query** | **Expected impact** | **Change** | |----------------------------|------------------------|------------| | Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. | +| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. | + +## Changes to QL libraries + +* Django library now recognizes positional arguments from a `django.conf.urls.url` regex (Django version 1.x) diff --git a/change-notes/1.23/extractor-javascript.md b/change-notes/1.23/extractor-javascript.md index 18a67a65900..8b7a35f5b4f 100644 --- a/change-notes/1.23/extractor-javascript.md +++ b/change-notes/1.23/extractor-javascript.md @@ -5,6 +5,17 @@ ## Changes to code extraction * Asynchronous generator methods are now parsed correctly and no longer cause a spurious syntax error. +* Files in `node_modules` and `bower_components` folders are no longer extracted by default. If you still want to extract files from these folders, you can add the following filters to your `lgtm.yml` file (or add them to existing filters): + +```yaml +extraction: + javascript: + index: + filters: + - include: "**/node_modules" + - include: "**/bower_components" +``` + * Recognition of CommonJS modules has improved. As a result, some files that were previously extracted as global scripts are now extracted as modules. * Top-level `await` is now supported. diff --git a/config/identical-files.json b/config/identical-files.json index 25c696289b8..4fdac5c7fea 100644 --- a/config/identical-files.json +++ b/config/identical-files.json @@ -76,7 +76,11 @@ "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll", "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll", "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll", - "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll" + "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll" + ], + "IR IRType": [ + "cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll" ], "IR Operand Tag": [ "cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll", @@ -169,22 +173,39 @@ "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll", "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll" ], + "C++ SSA SSAConstructionImports": [ + "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll", + "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll" + ], "C++ SSA AliasAnalysis": [ "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll", "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll" ], - "C++ SSA SSAConstruction": [ + "C++ IR ValueNumberingImports": [ + "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll", + "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll", + "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll" + ], + "IR SSA SimpleSSA": [ + "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll" + ], + "IR SSA SSAConstruction": [ "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll", - "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll" + "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll" ], - "C++ SSA PrintSSA": [ + "IR SSA PrintSSA": [ "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll", - "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll" + "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll" ], - "C++ IR ValueNumber": [ + "IR ValueNumber": [ "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll", "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll", - "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll" + "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll" ], "C++ IR ConstantAnalysis": [ "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll", @@ -235,5 +256,9 @@ "C# IR PrintIRImports": [ "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll", "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll" + ], + "C# IR ValueNumberingImports": [ + "csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll", + "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll" ] } diff --git a/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql b/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql index 26cf42521e5..3ad43998d18 100644 --- a/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql +++ b/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql @@ -21,6 +21,7 @@ from Variable v where v.isStatic() and v.hasDefinition() and + not v.isConstexpr() and not exists(VariableAccess a | a.getTarget() = v) and not v instanceof MemberVariable and not declarationHasSideEffects(v) and diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.qhelp b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.qhelp index a8c2b1567a7..0af74559dff 100644 --- a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.qhelp +++ b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.qhelp @@ -2,36 +2,39 @@ "-//Semmle//qhelp//EN" "qhelp.dtd"> - -

- Checking for overflow of integer addition needs to be done with - care, because automatic type promotion can prevent the check - from working correctly. -

- - -

- Use an explicit cast to make sure that the result of the addition is - not implicitly converted to a larger type. -

- - - -

- On a typical architecture where short is 16 bits - and int is 32 bits, the operands of the addition are - automatically promoted to int, so it cannot overflow - and the result of the comparison is always false. -

-

- The code below implements the check correctly, by using an - explicit cast to make sure that the result of the addition - is unsigned short. -

- - - -
  • Preserving Rules
    • -
  • Understand integer conversion rules
    • -     + + +

    +Checking for overflow of integer addition needs to be done with +care, because automatic type promotion can prevent the check +from working as intended, with the same value (true +or false) always being returned. +

    +     + +

    +Use an explicit cast to make sure that the result of the addition is +not implicitly converted to a larger type. +

    +     + + +

    +On a typical architecture where short is 16 bits +and int is 32 bits, the operands of the addition are +automatically promoted to int, so it cannot overflow +and the result of the comparison is always false. +

    +

    +The code below implements the check correctly, by using an +explicit cast to make sure that the result of the addition +is unsigned short (which may overflow, in which case +the comparison would evaluate to true). +

    + +     + +
  • Preserving Rules
    • +
  • Understand integer conversion rules
    • +         diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheckExample1.cpp b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheckExample1.cpp index 4da403cdf51..0e1e539ccb9 100644 --- a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheckExample1.cpp +++ b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheckExample1.cpp @@ -1,3 +1,4 @@ bool checkOverflow(unsigned short x, unsigned short y) { - return (x + y < x); // BAD: x and y are automatically promoted to int. + // BAD: comparison is always false due to type promotion + return (x + y < x); } diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql b/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql index 9f28862b273..d4b23265eed 100644 --- a/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql +++ b/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql @@ -18,4 +18,4 @@ where co.getAChild() = chco and not chco.isParenthesised() and not co.isFromUninstantiatedTemplate(_) -select co, "Check the comparison operator precedence." +select co, "Comparison as an operand to another comparison." diff --git a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/BufferAccess.qll b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/BufferAccess.qll new file mode 100644 index 00000000000..286db31020f --- /dev/null +++ b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/BufferAccess.qll @@ -0,0 +1,174 @@ +import cpp +import semmle.code.cpp.dataflow.TaintTracking +private import semmle.code.cpp.dataflow.RecursionPrevention + +/** + * A buffer which includes an allocation size. + */ +abstract class BufferWithSize extends DataFlow::Node { + abstract Expr getSizeExpr(); + + BufferAccess getAnAccess() { + any(BufferWithSizeConfig bsc).hasFlow(this, DataFlow::exprNode(result.getPointer())) + } +} + +/** An allocation function. */ +abstract class Alloc extends Function { } + +/** + * Allocation functions identified by the QL for C/C++ standard library. + */ +class DefaultAlloc extends Alloc { + DefaultAlloc() { allocationFunction(this) } +} + +/** A buffer created through a call to an allocation function. */ +class AllocBuffer extends BufferWithSize { + FunctionCall call; + + AllocBuffer() { + asExpr() = call and + call.getTarget() instanceof Alloc + } + + override Expr getSizeExpr() { result = call.getArgument(0) } +} + +/** + * Find accesses of buffers for which we have a size expression. + */ +private class BufferWithSizeConfig extends TaintTracking::Configuration { + BufferWithSizeConfig() { this = "BufferWithSize" } + + override predicate isSource(DataFlow::Node n) { n = any(BufferWithSize b) } + + override predicate isSink(DataFlow::Node n) { n.asExpr() = any(BufferAccess ae).getPointer() } + + override predicate isSanitizer(DataFlow::Node s) { + s = any(BufferWithSize b) and + s.asExpr().getControlFlowScope() instanceof Alloc + } +} + +/** + * An access (read or write) to a buffer, provided as a pair of + * a pointer to the buffer and the length of data to be read or written. + * Extend this class to support different kinds of buffer access. + */ +abstract class BufferAccess extends Locatable { + /** Gets the pointer to the buffer being accessed. */ + abstract Expr getPointer(); + + /** Gets the length of the data being read or written by this buffer access. */ + abstract Expr getAccessedLength(); +} + +/** + * A buffer access through an array expression. + */ +class ArrayBufferAccess extends BufferAccess, ArrayExpr { + override Expr getPointer() { result = this.getArrayBase() } + + override Expr getAccessedLength() { result = this.getArrayOffset() } +} + +/** + * A buffer access through an overloaded array expression. + */ +class OverloadedArrayBufferAccess extends BufferAccess, OverloadedArrayExpr { + override Expr getPointer() { result = this.getQualifier() } + + override Expr getAccessedLength() { result = this.getAnArgument() } +} + +/** + * A buffer access through pointer arithmetic. + */ +class PointerArithmeticAccess extends BufferAccess, Expr { + PointerArithmeticOperation p; + + PointerArithmeticAccess() { + this = p and + p.getAnOperand().getType().getUnspecifiedType() instanceof IntegralType and + not p.getParent() instanceof ComparisonOperation + } + + override Expr getPointer() { + result = p.getAnOperand() and + result.getType().getUnspecifiedType() instanceof PointerType + } + + override Expr getAccessedLength() { + result = p.getAnOperand() and + result.getType().getUnspecifiedType() instanceof IntegralType + } +} + +/** + * A pair of buffer accesses through a call to memcpy. + */ +class MemCpy extends BufferAccess, FunctionCall { + MemCpy() { getTarget().hasName("memcpy") } + + override Expr getPointer() { + result = getArgument(0) or + result = getArgument(1) + } + + override Expr getAccessedLength() { result = getArgument(2) } +} + +class StrncpySizeExpr extends BufferAccess, FunctionCall { + StrncpySizeExpr() { getTarget().hasName("strncpy") } + + override Expr getPointer() { + result = getArgument(0) or + result = getArgument(1) + } + + override Expr getAccessedLength() { result = getArgument(2) } +} + +class RecvSizeExpr extends BufferAccess, FunctionCall { + RecvSizeExpr() { getTarget().hasName("recv") } + + override Expr getPointer() { result = getArgument(1) } + + override Expr getAccessedLength() { result = getArgument(2) } +} + +class SendSizeExpr extends BufferAccess, FunctionCall { + SendSizeExpr() { getTarget().hasName("send") } + + override Expr getPointer() { result = getArgument(1) } + + override Expr getAccessedLength() { result = getArgument(2) } +} + +class SnprintfSizeExpr extends BufferAccess, FunctionCall { + SnprintfSizeExpr() { getTarget().hasName("snprintf") } + + override Expr getPointer() { result = getArgument(0) } + + override Expr getAccessedLength() { result = getArgument(1) } +} + +class MemcmpSizeExpr extends BufferAccess, FunctionCall { + MemcmpSizeExpr() { getTarget().hasName("Memcmp") } + + override Expr getPointer() { + result = getArgument(0) or + result = getArgument(1) + } + + override Expr getAccessedLength() { result = getArgument(2) } +} + +class MallocSizeExpr extends BufferAccess, FunctionCall { + MallocSizeExpr() { getTarget().hasName("malloc") } + + override Expr getPointer() { none() } + + override Expr getAccessedLength() { result = getArgument(1) } +} diff --git a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayBad.cpp b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayBad.cpp new file mode 100644 index 00000000000..0185bbb9da6 --- /dev/null +++ b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayBad.cpp @@ -0,0 +1,6 @@ +int get_number_from_network(); + +int process_network(int[] buff, int buffSize) { + int i = ntohl(get_number_from_network()); + return buff[i]; +} \ No newline at end of file diff --git a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayGood.cpp b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayGood.cpp new file mode 100644 index 00000000000..2d5ec265261 --- /dev/null +++ b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayGood.cpp @@ -0,0 +1,10 @@ +uint32_t get_number_from_network(); + +int process_network(int[] buff, uint32_t buffSize) { + uint32_t i = ntohl(get_number_from_network()); + if (i < buffSize) { + return buff[i]; + } else { + return -1; + } +} \ No newline at end of file diff --git a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound.qll new file mode 100644 index 00000000000..3e1f74bfbed --- /dev/null +++ b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound.qll @@ -0,0 +1,33 @@ +import cpp +import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.controlflow.Guards +import BufferAccess +import semmle.code.cpp.valuenumbering.GlobalValueNumbering + +class NetworkFunctionCall extends FunctionCall { + NetworkFunctionCall() { + getTarget().hasName("ntohd") or + getTarget().hasName("ntohf") or + getTarget().hasName("ntohl") or + getTarget().hasName("ntohll") or + getTarget().hasName("ntohs") + } +} + +class NetworkToBufferSizeConfiguration extends DataFlow::Configuration { + NetworkToBufferSizeConfiguration() { this = "NetworkToBufferSizeConfiguration" } + + override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall } + + override predicate isSink(DataFlow::Node node) { + node.asExpr() = any(BufferAccess ba).getAccessedLength() + } + + override predicate isBarrier(DataFlow::Node node) { + exists(GuardCondition gc, GVN gvn | + gc.getAChild*() = gvn.getAnExpr() and + globalValueNumber(node.asExpr()) = gvn and + gc.controls(node.asExpr().getBasicBlock(), _) + ) + } +} diff --git a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.qhelp b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.qhelp new file mode 100644 index 00000000000..fc8f309f73a --- /dev/null +++ b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.qhelp @@ -0,0 +1,54 @@ + + + + +

    +Data received over a network connection may be received in a different byte order than +the byte order used by the local host, making the data difficult to process. To address this, +data received over the wire is usually converted to host byte order by a call to a network-to-host +byte order function, such as ntohl. +

    +

    +The use of a network-to-host byte order function is therefore a good indicator that the returned +value is unvalidated data retrieved from the network, and should not be used without further +validation. In particular, the returned value should not be used as an array index or array length +value without validation, as this could result in a buffer overflow vulnerability. +

    +     + + +

    +Validate data returned by network-to-host byte order functions before use and especially before +using the value as an array index or bound. +

    +     + + +

    In the example below, network data is retrieved and passed to ntohl to convert +it to host byte order. The data is then used as an index in an array access expression. However, +there is no validation that the data returned by ntohl is within the bounds of the array, +which could lead to reading outside the bounds of the buffer. +

    + +

    In the corrected example, the returned data is validated against the known size of the buffer, +before being used as an array index.

    + +     + + +
  • + + ntohl - winsock reference + +
    • +
  • + + ntohl - Linux man page + +
    • + +     + +     diff --git a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.ql b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.ql new file mode 100644 index 00000000000..d6d0a55d148 --- /dev/null +++ b/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.ql @@ -0,0 +1,17 @@ +/** + * @id cpp/network-to-host-function-as-array-bound + * @name Untrusted network-to-host usage + * @description Using the result of a network-to-host byte order function, such as ntohl, as an + * array bound or length value without checking it may result in buffer overflows or + * other vulnerabilties. + * @kind problem + * @problem.severity error + */ + +import cpp +import NtohlArrayNoBound +import semmle.code.cpp.dataflow.DataFlow + +from NetworkToBufferSizeConfiguration bufConfig, DataFlow::Node source, DataFlow::Node sink +where bufConfig.hasFlow(source, sink) +select sink, "Unchecked use of data from network function $@", source, source.toString() diff --git a/cpp/ql/src/Microsoft/SAL.qll b/cpp/ql/src/Microsoft/SAL.qll index b9f6c2d037d..fe6b455fa9b 100644 --- a/cpp/ql/src/Microsoft/SAL.qll +++ b/cpp/ql/src/Microsoft/SAL.qll @@ -2,29 +2,45 @@ import cpp class SALMacro extends Macro { SALMacro() { - this.getFile().getBaseName() = "sal.h" or - this.getFile().getBaseName() = "specstrings_strict.h" or - this.getFile().getBaseName() = "specstrings.h" + exists(string filename | filename = this.getFile().getBaseName() | + filename = "sal.h" or + filename = "specstrings_strict.h" or + filename = "specstrings.h" or + filename = "w32p.h" or + filename = "minwindef.h" + ) and + ( + // Dialect for Windows 8 and above + this.getName().matches("\\_%\\_") + or + // Dialect for Windows 7 + this.getName().matches("\\_\\_%") + ) } } +pragma[noinline] +predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) } + class SALAnnotation extends MacroInvocation { SALAnnotation() { this.getMacro() instanceof SALMacro and - not exists(this.getParentInvocation()) + isTopLevelMacroAccess(this) } /** Returns the `Declaration` annotated by `this`. */ - Declaration getDeclaration() { annotatesAt(this, result.getADeclarationEntry(), _, _) } + Declaration getDeclaration() { + annotatesAt(this, result.getADeclarationEntry(), _, _) and + not result instanceof Type // exclude typedefs + } /** Returns the `DeclarationEntry` annotated by `this`. */ - DeclarationEntry getDeclarationEntry() { annotatesAt(this, result, _, _) } + DeclarationEntry getDeclarationEntry() { + annotatesAt(this, result, _, _) and + not result instanceof TypeDeclarationEntry // exclude typedefs + } } -/* - * Particular SAL annotations of interest - */ - class SALCheckReturn extends SALAnnotation { SALCheckReturn() { exists(SALMacro m | m = this.getMacro() | @@ -39,8 +55,8 @@ class SALNotNull extends SALAnnotation { exists(SALMacro m | m = this.getMacro() | not m.getName().matches("%\\_opt\\_%") and ( - m.getName().matches("\\_In%") or - m.getName().matches("\\_Out%") or + m.getName().matches("_In%") or + m.getName().matches("_Out%") or m.getName() = "_Ret_notnull_" ) ) and @@ -63,42 +79,124 @@ class SALMaybeNull extends SALAnnotation { } } -/* - * Implementation details +/////////////////////////////////////////////////////////////////////////////// +// Implementation details +/** + * Holds if `a` annotates the declaration entry `d` and + * its start position is the `idx`th position in `file` that holds a SAL element. */ - -private predicate annotatesAt(SALAnnotation a, DeclarationEntry e, File file, int idx) { - a = salElementAt(file, idx) and - ( - // Base case: `a` right before `e` - e = salElementAt(file, idx + 1) - or - // Recursive case: `a` right before some annotation on `e` - annotatesAt(_, e, file, idx + 1) - ) -} - -library class SALElement extends Element { - SALElement() { - this instanceof DeclarationEntry or - this instanceof SALAnnotation - } -} - -/** Gets the `idx`th `SALElement` in `file`. */ -private SALElement salElementAt(File file, int idx) { - interestingLoc(file, result, interestingStartPos(file, idx)) +predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) { + annotatesAtPosition(a.(SALElement).getStartPosition(), d, file, idx) } /** - * Holds if an SALElement element at character `result` comes at - * position `idx` in `file`. + * Holds if `pos` is the `idx`th position in `file` that holds a SAL element, + * which annotates the declaration entry `d` (by occurring before it without + * any other declaration entries in between). */ -private int interestingStartPos(File file, int idx) { - result = rank[idx](int otherStart | interestingLoc(file, _, otherStart)) +// For performance reasons, do not mention the annotation itself here, +// but compute with positions instead. This performs better on databases +// with many annotations at the same position. +private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File file, int idx) { + pos = salRelevantPositionAt(file, idx) and + salAnnotationPos(pos) and + ( + // Base case: `pos` right before `d` + d.(SALElement).getStartPosition() = salRelevantPositionAt(file, idx + 1) + or + // Recursive case: `pos` right before some annotation on `d` + annotatesAtPosition(_, d, file, idx + 1) + ) } -/** Holds if `element` in `file` is at character `startPos`. */ -private predicate interestingLoc(File file, SALElement element, int startPos) { - element.getLocation().charLoc(file, startPos, _) +/** + * A parameter annotated by one or more SAL annotations. + */ +class SALParameter extends Parameter { + /** One of this parameter's annotations. */ + SALAnnotation a; + + SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) } + + predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") } + + predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") } + + predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") } +} + +/** + * A SAL element, i.e. a SAL annotation or a declaration entry + * that may have SAL annotations. + */ +library class SALElement extends Element { + SALElement() { + containsSALAnnotation(this.(DeclarationEntry).getFile()) or + this instanceof SALAnnotation + } + + predicate hasStartPosition(File file, int line, int col) { + exists(Location loc | loc = this.getLocation() | + file = loc.getFile() and + line = loc.getStartLine() and + col = loc.getStartColumn() + ) + } + + predicate hasEndPosition(File file, int line, int col) { + exists(Location loc | + loc = this.(FunctionDeclarationEntry).getBlock().getLocation() + or + this = any(VariableDeclarationEntry vde | + vde.isDefinition() and + loc = vde.getVariable().getInitializer().getLocation() + ) + | + file = loc.getFile() and + line = loc.getEndLine() and + col = loc.getEndColumn() + ) + } + + SALPosition getStartPosition() { + exists(File file, int line, int col | + this.hasStartPosition(file, line, col) and + result = MkSALPosition(file, line, col) + ) + } +} + +/** Holds if `file` contains a SAL annotation. */ +pragma[noinline] +private predicate containsSALAnnotation(File file) { any(SALAnnotation a).getFile() = file } + +/** + * A source-file position of a `SALElement`. Unlike location, this denotes a + * point in the file rather than a range. + */ +private newtype SALPosition = + MkSALPosition(File file, int line, int col) { + exists(SALElement e | + e.hasStartPosition(file, line, col) + or + e.hasEndPosition(file, line, col) + ) + } + +/** Holds if `pos` is the start position of a SAL annotation. */ +pragma[noinline] +private predicate salAnnotationPos(SALPosition pos) { + any(SALAnnotation a).(SALElement).getStartPosition() = pos +} + +/** + * Gets the `idx`th position in `file` that holds a SAL element, + * ordering positions lexicographically by their start line and start column. + */ +private SALPosition salRelevantPositionAt(File file, int idx) { + result = rank[idx](SALPosition pos, int line, int col | + pos = MkSALPosition(file, line, col) + | + pos order by line, col + ) } diff --git a/cpp/ql/src/Microsoft/SAL/IgnoreReturnValueSAL.ql b/cpp/ql/src/Microsoft/SAL/IgnoreReturnValueSAL.ql new file mode 100644 index 00000000000..569f684a4c3 --- /dev/null +++ b/cpp/ql/src/Microsoft/SAL/IgnoreReturnValueSAL.ql @@ -0,0 +1,25 @@ +/** + * @name SAL requires inspecting return value + * @description When a return value is discarded even though the SAL annotation + * requires inspecting it, a recoverable error may turn into a + * whole-program crash. + * @kind problem + * @problem.severity warning + * @tags reliability + * external/cwe/cwe-573 + * external/cwe/cwe-252 + * @opaque-id SM02344 + * @microsoft.severity Important + * @id cpp/ignorereturnvaluesal + */ + +import Microsoft.SAL + +from Function f, FunctionCall call +where + call.getTarget() = f and + call instanceof ExprInVoidContext and + any(SALCheckReturn a).getDeclaration() = f and + not any(Options o).okToIgnoreReturnValue(call) +select call, "Return value of $@ discarded although a SAL annotation " + "requires inspecting it.", + f, f.getName() diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql index c704506a4fa..92f679a0f1f 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql @@ -5,7 +5,7 @@ * @id cpp/comparison-with-wider-type * @kind problem * @problem.severity warning - * @precision medium + * @precision high * @tags reliability * security * external/cwe/cwe-190 diff --git a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.qhelp b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.qhelp new file mode 100644 index 00000000000..8e6a8903483 --- /dev/null +++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.qhelp @@ -0,0 +1,59 @@ + + + + +

    A common pattern is to initialize a local variable by calling another function (an +"initialization" function) with the address of the local variable as a pointer argument. That +function is then responsible for writing to the memory location referenced by the pointer.

    + +

    In some cases, the called function may not always write to the memory pointed to by the +pointer argument. In such cases, the function will typically return a "status" code, informing the +caller as to whether the initialization succeeded or not. If the caller does not check the status +code before reading the local variable, it may read unitialized memory, which can result in +unexpected behavior.

    + +     + + +

    When using a initialization function that does not guarantee to initialize the memory pointed to +by the passed pointer, and returns a status code to indicate whether such initialization occurred, +the status code should be checked before reading from the local variable.

    + +     + + +

    In this hypothetical example we have code for managing a series of devices. The code +includes a DeviceConfig struct that can represent properties about each device. +The initDeviceConfig function can be called to initialize one of these structures, by +providing a "device number", which can be used to look up the appropriate properties in some data +store. If an invalid device number is provided, the function returns a status code of +-1, and does not initialize the provided pointer.

    + +

    In the first code sample below, the notify function calls the +initDeviceConfig function with a pointer to the local variable config, +which is then subsequently accessed to fetch properties of the device. However, the code does not +check the return value from the function call to initDeviceConfig. If the +device number passed to the notify function was invalid, the +initDeviceConfig function will leave the config variable uninitialized, +which will result in the notify function accessing uninitialized memory.

    + + + +

    To fix this, the code needs to check that the return value of the call to +initDeviceConfig is zero. If that is true, then the calling code can safely assume +that the local variable has been initialized.

    + + + +     + + +
  • + Wikipedia: + Uninitialized variable. +
    • + +     +     \ No newline at end of file diff --git a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql new file mode 100644 index 00000000000..f9eb2fe5400 --- /dev/null +++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql @@ -0,0 +1,33 @@ +/** + * @name Conditionally uninitialized variable + * @description When an initialization function is used to initialize a local variable, but the + * returned status code is not checked, the variable may be left in an uninitialized + * state, and reading the variable may result in undefined behavior. + * @kind problem + * @problem.severity warning + * @opaque-id SM02313 + * @id cpp/conditionally-uninitialized-variable + * @tags security + * external/cwe/cwe-457 + */ + +import cpp +import semmle.code.cpp.controlflow.SSA +private import UninitializedVariables + +from + ConditionallyInitializedVariable v, ConditionalInitializationFunction f, + ConditionalInitializationCall call, string defined, Evidence e +where + exists(v.getARiskyAccess(f, call, e)) and + ( + if e = DefinitionInSnapshot() + then defined = "" + else + if e = SuggestiveSALAnnotation() + then defined = "externally defined (SAL) " + else defined = "externally defined (CSV) " + ) +select call, + "The status of this call to " + defined + + "$@ is not checked, potentially leaving $@ uninitialized.", f, f.getName(), v, v.getName() diff --git a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableBad.c b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableBad.c new file mode 100644 index 00000000000..1f281f3cfd9 --- /dev/null +++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableBad.c @@ -0,0 +1,25 @@ +struct DeviceConfig { + bool isEnabled; + int channel; +}; + +int initDeviceConfig(DeviceConfig *ref, int deviceNumber) { + if (deviceNumber >= getMaxDevices()) { + // No device with that number, return -1 to indicate failure + return -1; + } + // Device with that number, fetch parameters and initialize struct + ref->isEnabled = fetchIsDeviceEnabled(deviceNumber); + ref->channel = fetchDeviceChannel(deviceNumber); + // Return 0 to indicate success + return 0; +} + +int notify(int deviceNumber) { + DeviceConfig config; + initDeviceConfig(&config, deviceNumber); + // BAD: Using config without checking the status code that is returned + if (config->isEnabled) { + notifyChannel(config->channel); + } +} \ No newline at end of file diff --git a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableGood.c b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableGood.c new file mode 100644 index 00000000000..a9dcc06c9a5 --- /dev/null +++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariableGood.c @@ -0,0 +1,27 @@ +struct DeviceConfig { + bool isEnabled; + int channel; +}; + +int initDeviceConfig(DeviceConfig *ref, int deviceNumber) { + if (deviceNumber >= getMaxDevices()) { + // No device with that number, return -1 to indicate failure + return -1; + } + // Device with that number, fetch parameters and initialize struct + ref->isEnabled = fetchIsDeviceEnabled(deviceNumber); + ref->channel = fetchDeviceChannel(deviceNumber); + // Return 0 to indicate success + return 0; +} + +void notify(int deviceNumber) { + DeviceConfig config; + int statusCode = initDeviceConfig(&config, deviceNumber); + if (statusCode == 0) { + // GOOD: Status code returned by initialization function is checked, so this is safe + if (config->isEnabled) { + notifyChannel(config->channel); + } + } +} \ No newline at end of file diff --git a/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll b/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll new file mode 100644 index 00000000000..240bd7aa25e --- /dev/null +++ b/cpp/ql/src/Security/CWE/CWE-457/InitializationFunctions.qll @@ -0,0 +1,690 @@ +/** + * Provides classes and predicates for identifying functions that initialize their arguments. + */ + +import cpp +import external.ExternalArtifact +private import semmle.code.cpp.dispatch.VirtualDispatch +import semmle.code.cpp.NestedFields +import Microsoft.SAL +import semmle.code.cpp.controlflow.Guards + +/** A context under which a function may be called. */ +private newtype TContext = + /** No specific call context. */ + NoContext() or + /** + * The call context is that the given other parameter is null. + * + * This context is created for all parameters that are null checked in the body of the function. + */ + ParamNull(Parameter p) { p = any(ParameterNullCheck pnc).getParameter() } or + /** + * The call context is that the given other parameter is not null. + * + * This context is created for all parameters that are null checked in the body of the function. + */ + ParamNotNull(Parameter p) { p = any(ParameterNullCheck pnc).getParameter() } + +/** + * A context under which a function may be called. + * + * Some functions may conditionally initialize a parameter depending on the value of another + * parameter. Consider: + * ``` + * int MyInitFunction(int* paramToBeInitialized, int* paramToCheck) { + * if (!paramToCheck) { + * // fail! + * return -1; + * } + * paramToBeInitialized = 0; + * } + * ``` + * In this case, whether `paramToBeInitialized` is initialized when this function call completes + * depends on whether `paramToCheck` is or is not null. A call-context insensitive analysis will + * determine that any call to this function may leave the parameter uninitialized, even if the + * argument to paramToCheck is guaranteed to be non-null (`&foo`, for example). + * + * This class models call contexts that can be considered when calculating whether a given parameter + * initializes or not. The supported contexts are: + * - `ParamNull(otherParam)` - the given `otherParam` is considered to be null. Applies when + * exactly one parameter other than this one is null checked. + * - `ParamNotNull(otherParam)` - the given `otherParam` is considered to be not null. Applies when + * exactly one parameter other than this one is null checked. + * - `NoContext()` - applies in all other circumstances. + */ +class Context extends TContext { + string toString() { + this = NoContext() and result = "NoContext" + or + this = ParamNull(any(Parameter p | result = "ParamNull(" + p.getName() + ")")) + or + this = ParamNotNull(any(Parameter p | result = "ParamNotNull(" + p.getName() + ")")) + } +} + +/** + * A check against a parameter. + */ +abstract class ParameterCheck extends Expr { + /** + * Gets a successor of this check that should be ignored for the given context. + */ + abstract ControlFlowNode getIgnoredSuccessorForContext(Context c); +} + +/** A null-check expression on a parameter. */ +class ParameterNullCheck extends ParameterCheck { + Parameter p; + ControlFlowNode nullSuccessor; + ControlFlowNode notNullSuccessor; + + ParameterNullCheck() { + this.isCondition() and + p.getFunction() instanceof InitializationFunction and + p.getType().getUnspecifiedType() instanceof PointerType and + exists(VariableAccess va | va = p.getAnAccess() | + nullSuccessor = getATrueSuccessor() and + notNullSuccessor = getAFalseSuccessor() and + ( + va = this.(NotExpr).getOperand() or + va = any(EQExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or + va = getAssertedFalseCondition(this) or + va = any(NEExpr eq | + eq = getAssertedFalseCondition(this) and eq.getAnOperand().getValue() = "0" + ).getAnOperand() + ) + or + nullSuccessor = getAFalseSuccessor() and + notNullSuccessor = getATrueSuccessor() and + ( + va = this or + va = any(NEExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or + va = any(EQExpr eq | + eq = getAssertedFalseCondition(this) and eq.getAnOperand().getValue() = "0" + ).getAnOperand() + ) + ) + } + + /** The parameter being null-checked. */ + Parameter getParameter() { result = p } + + override ControlFlowNode getIgnoredSuccessorForContext(Context c) { + c = ParamNull(p) and result = notNullSuccessor + or + c = ParamNotNull(p) and result = nullSuccessor + } + + /** The successor at which the parameter is confirmed to be null. */ + ControlFlowNode getNullSuccessor() { result = nullSuccessor } + + /** The successor at which the parameter is confirmed to be not-null. */ + ControlFlowNode getNotNullSuccessor() { result = notNullSuccessor } +} + +/** + * An entry in a CSV file in cond-init that contains externally defined functions that are + * conditional initializers. These files are typically produced by running the + * ConditionallyInitializedFunction companion query. + */ +class ValidatedExternalCondInitFunction extends ExternalData { + ValidatedExternalCondInitFunction() { this.getDataPath().matches("%cond-init%.csv") } + + predicate isExternallyVerified(Function f, int param) { + functionSignature(f, getField(1), getField(2)) and param = getFieldAsInt(3) + } +} + +/** + * The type of evidence used to determine whether a function initializes a parameter. + */ +newtype Evidence = + /** + * The function is defined in the snapshot, and the CFG has been analyzed to determine that the + * parameter is not initialized on at least one path to the exit. + */ + DefinitionInSnapshot() or + /** + * The function is externally defined, but the parameter has an `_out` SAL annotation which + * suggests that it is initialized in the function. + */ + SuggestiveSALAnnotation() or + /** + * We have been given a CSV file which indicates this parameter is conditionally initialized. + */ + ExternalEvidence() + +/** + * A call to an function which initializes one or more of its parameters. + */ +class InitializationFunctionCall extends FunctionCall { + Expr initializedArgument; + + InitializationFunctionCall() { initializedArgument = getAnInitializedArgument(this) } + + /** Gets a parameter that is initialized by this call. */ + Parameter getAnInitParameter() { result.getAnAccess() = initializedArgument } +} + +/** + * A variable access which is dereferenced then assigned to. + */ +private predicate isPointerDereferenceAssignmentTarget(VariableAccess target) { + target.getParent().(PointerDereferenceExpr) = any(Assignment e).getLValue() +} + +/** + * A function which initializes one or more of its parameters. + */ +class InitializationFunction extends Function { + int i; + Evidence evidence; + + InitializationFunction() { + evidence = DefinitionInSnapshot() and + ( + // Assignment by pointer dereferencing the parameter + isPointerDereferenceAssignmentTarget(this.getParameter(i).getAnAccess()) or + // Field wise assignment to the parameter + any(Assignment e).getLValue() = getAFieldAccess(this.getParameter(i)) or + i = this + .(MemberFunction) + .getAnOverridingFunction+() + .(InitializationFunction) + .initializedParameter() or + getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter() + ) + or + // If we have no definition, we look at SAL annotations + not this.isDefined() and + this.getParameter(i).(SALParameter).isOut() and + evidence = SuggestiveSALAnnotation() + or + // We have some external information that this function conditionally initializes + not this.isDefined() and + any(ValidatedExternalCondInitFunction vc).isExternallyVerified(this, i) and + evidence = ExternalEvidence() + } + + /** Gets a parameter index which is initialized by this function. */ + int initializedParameter() { result = i } + + /** Gets a `ControlFlowNode` which assigns a new value to the parameter with the given index. */ + ControlFlowNode paramReassignment(int index) { + index = i and + ( + result = this.getParameter(i).getAnAccess() and + ( + result = any(Assignment a).getLValue().(PointerDereferenceExpr).getOperand() + or + // Field wise assignment to the parameter + result = any(Assignment a).getLValue().(FieldAccess).getQualifier() + or + // Assignment to a nested field of the parameter + result = any(Assignment a).getLValue().(NestedFieldAccess).getUltimateQualifier() + or + result = getAnInitializedArgument(any(Call c)) + or + exists(IfStmt check | result = check.getCondition().getAChild*() | + paramReassignmentCondition(check) + ) + ) + or + result = any(AssumeExpr e | + e.getEnclosingFunction() = this and e.getAChild().(Literal).getValue() = "0" + ) + ) + } + + /** + * Helper predicate: holds if the `if` statement `check` contains a + * reassignment to the `i`th parameter within its `then` statement. + */ + pragma[noinline] + private predicate paramReassignmentCondition(IfStmt check) { + this.paramReassignment(i).getEnclosingStmt().getParentStmt*() = check.getThen() + } + + /** Holds if `n` can be reached without the parameter at `index` being reassigned. */ + predicate paramNotReassignedAt(ControlFlowNode n, int index, Context c) { + c = getAContext(index) and + ( + not exists(this.getEntryPoint()) and index = i and n = this + or + n = this.getEntryPoint() and index = i + or + exists(ControlFlowNode mid | paramNotReassignedAt(mid, index, c) | + n = mid.getASuccessor() and + not n = paramReassignment(index) and + /* + * Ignore successor edges where the parameter is null, because it is then confirmed to be + * initialized. + */ + + not exists(ParameterNullCheck nullCheck | + nullCheck = mid and + nullCheck = getANullCheck(index) and + n = nullCheck.getNullSuccessor() + ) and + /* + * Ignore successor edges which are excluded by the given context + */ + + not exists(ParameterCheck paramCheck | paramCheck = mid | + n = paramCheck.getIgnoredSuccessorForContext(c) + ) + ) + ) + } + + /** Gets a null-check on the parameter at `index`. */ + private ParameterNullCheck getANullCheck(int index) { + getParameter(index) = result.getParameter() + } + + /** Gets a parameter which is not at the given index. */ + private Parameter getOtherParameter(int index) { + index = i and + result = getAParameter() and + not result.getIndex() = index + } + + /** + * Gets a call `Context` that is applicable when considering whether parameter at the `index` can + * be conditionally initialized. + */ + Context getAContext(int index) { + index = i and + /* + * If there is one and only one other parameter which is null checked in the body of the method, + * then we have two contexts to consider - that the other param is null, or that the other param + * is not null. + */ + + if + strictcount(Parameter p | + exists(Context c | c = ParamNull(p) or c = ParamNotNull(p)) and + p = getOtherParameter(index) + ) = 1 + then + exists(Parameter p | p = getOtherParameter(index) | + result = ParamNull(p) or result = ParamNotNull(p) + ) + else + // Otherwise, only consider NoContext. + result = NoContext() + } + + /** + * Holds if this function should be whitelisted - that is, not considered as conditionally + * initializing its parameters. + */ + predicate whitelisted() { + exists(string name | this.hasName(name) | + // Return value is not a success code but the output functions never fail. + name.matches("_Interlocked%") + or + // Functions that never fail, according to MSDN. + name = "QueryPerformanceCounter" + or + name = "QueryPerformanceFrequency" + or + // Functions that never fail post-Vista, according to MSDN. + name = "InitializeCriticalSectionAndSpinCount" + or + // `rand_s` writes 0 to a non-null argument if it fails, according to MSDN. + name = "rand_s" + or + // IntersectRect initializes the argument regardless of whether the input intersects + name = "IntersectRect" + or + name = "SetRect" + or + name = "UnionRect" + or + // These functions appears to have an incorrect CFG, which leads to false positives + name = "PhysicalToLogicalDPIPoint" + or + name = "LogicalToPhysicalDPIPoint" + or + // Sets NtProductType to default on error + name = "RtlGetNtProductType" + or + // Our CFG is not sophisticated enough to detect that the argument is always initialized + name = "StringCchLengthA" + or + // All paths init the argument, and always returns SUCCESS. + name = "RtlUnicodeToMultiByteSize" + or + // All paths init the argument, and always returns SUCCESS. + name = "RtlMultiByteToUnicodeSize" + or + // All paths init the argument, and always returns SUCCESS. + name = "RtlUnicodeToMultiByteN" + or + // Always initializes argument + name = "RtlGetFirstRange" + or + // Destination range is zeroed out on failure, assuming first two parameters are valid + name = "memcpy_s" + or + // This zeroes the memory unconditionally + name = "SeCreateAccessState" + ) + } +} + +/** + * A function which initializes one or more of its parameters, but not on all paths. + */ +class ConditionalInitializationFunction extends InitializationFunction { + Context c; + + ConditionalInitializationFunction() { + c = this.getAContext(i) and + not this.whitelisted() and + exists(Type status | status = this.getType().getUnspecifiedType() | + status instanceof IntegralType or + status instanceof Enum + ) and + not this.getType().getName().toLowerCase() = "size_t" and + ( + /* + * If there is no definition, consider this to be conditionally initializing (based on either + * SAL or external data). + */ + + not evidence = DefinitionInSnapshot() + or + /* + * If this function is defined in this snapshot, then it conditionally initializes if there + * is at least one path through the function which doesn't initialize the parameter. + * + * Explicitly ignore pure virtual functions. + */ + + this.isDefined() and + this.paramNotReassignedAt(this, i, c) and + not this instanceof PureVirtualFunction + ) + } + + /** Gets the evidence associated with the given parameter. */ + Evidence getEvidence(int param) { + /* + * Note: due to the way the predicate dispatch interacts with fields, this needs to be + * implemented on this class, not `InitializationFunction`. If implemented on the latter it + * can return evidence that does not result in conditional initialization. + */ + + param = i and evidence = result + } + + /** Gets the index of a parameter which is conditionally initialized. */ + int conditionallyInitializedParameter(Context context) { result = i and context = c } +} + +/** + * More elaborate tracking, flagging cases where the status is checked after + * the potentially uninitialized variable has been used, and ignoring cases + * where the status is not checked but there is no use of the potentially + * uninitialized variable, may be obtained via `getARiskyAccess`. + */ +class ConditionalInitializationCall extends FunctionCall { + ConditionalInitializationFunction target; + + ConditionalInitializationCall() { target = getTarget(this) } + + /** Gets the argument passed for the given parameter to this call. */ + Expr getArgumentForParameter(Parameter p) { + p = getTarget().getAParameter() and + result = getArgument(p.getIndex()) + } + + /** + * Gets an argument conditionally initialized by this call. + */ + Expr getAConditionallyInitializedArgument(ConditionalInitializationFunction condTarget, Evidence e) { + condTarget = target and + exists(Context context | + result = getAConditionallyInitializedArgument(this, condTarget, context, e) + | + context = NoContext() + or + exists(Parameter otherP, Expr otherArg | + context = ParamNotNull(otherP) or + context = ParamNull(otherP) + | + otherArg = getArgumentForParameter(otherP) and + (otherArg instanceof AddressOfExpr implies context = ParamNotNull(otherP)) and + (otherArg.getType() instanceof ArrayType implies context = ParamNotNull(otherP)) and + (otherArg.getValue() = "0" implies context = ParamNull(otherP)) + ) + ) + } + + VariableAccess getAConditionallyInitializedVariable() { + not result.getTarget().getAnAssignedValue().getASuccessor+() = result and + // Should not be assigned field-wise prior to the call. + not exists(Assignment a, FieldAccess fa | + fa.getQualifier() = result.getTarget().getAnAccess() and + a.getLValue() = fa and + fa.getASuccessor+() = result + ) and + result = this + .getArgument(getTarget(this) + .(ConditionalInitializationFunction) + .conditionallyInitializedParameter(_)) + .(AddressOfExpr) + .getOperand() + } + + Variable getStatusVariable() { + exists(AssignExpr a | a.getLValue() = result.getAnAccess() | a.getRValue() = this) + or + result.getInitializer().getExpr() = this + } + + Expr getSuccessCheck() { + exists(this.getAFalseSuccessor()) and result = this + or + result = this.getParent() and + ( + result instanceof NotExpr or + result.(EQExpr).getAnOperand().getValue() = "0" or + result.(GEExpr).getLesserOperand().getValue() = "0" + ) + } + + Expr getFailureCheck() { + result = this.getParent() and + ( + result instanceof NotExpr or + result.(NEExpr).getAnOperand().getValue() = "0" or + result.(LTExpr).getLesserOperand().getValue() = "0" + ) + } + + private predicate inCheckedContext() { + exists(Call parent | this = parent.getAnArgument() | + parent.getTarget() instanceof Operator or + parent.getTarget().hasName("VerifyOkCatastrophic") + ) + } + + ControlFlowNode uncheckedReaches(LocalVariable var) { + ( + not exists(var.getInitializer()) and + var = this.getAConditionallyInitializedVariable().getTarget() and + if exists(this.getFailureCheck()) + then result = this.getFailureCheck().getATrueSuccessor() + else + if exists(this.getSuccessCheck()) + then result = this.getSuccessCheck().getAFalseSuccessor() + else ( + result = this.getASuccessor() and not this.inCheckedContext() + ) + ) + or + exists(ControlFlowNode mid | mid = uncheckedReaches(var) | + not mid = getStatusVariable().getAnAccess() and + not mid = var.getAnAccess() and + not exists(VariableAccess write | result = write and write = var.getAnAccess() | + write = any(AssignExpr a).getLValue() or + write = any(AddressOfExpr a).getOperand() + ) and + result = mid.getASuccessor() + ) + } + + VariableAccess getARiskyRead(Function f) { + f = this.getTarget() and + exists(this.getFile().getRelativePath()) and + result = this.uncheckedReaches(result.getTarget()) and + not this.(GuardCondition).controls(result.getBasicBlock(), _) + } +} + +/** + * Gets the position of an argument to the call which is initialized by the call. + */ +pragma[nomagic] +int initializedArgument(Call call) { + exists(InitializationFunction target | + target = getTarget(call) and + result = target.initializedParameter() + ) +} + +/** + * Gets an argument which is initialized by the call. + */ +Expr getAnInitializedArgument(Call call) { result = call.getArgument(initializedArgument(call)) } + +/** + * Gets the position of an argument to the call to the target which is conditionally initialized by + * the call, under the given context and evidence. + */ +pragma[nomagic] +int conditionallyInitializedArgument( + Call call, ConditionalInitializationFunction target, Context c, Evidence e +) { + target = getTarget(call) and + c = target.getAContext(result) and + e = target.getEvidence(result) and + result = target.conditionallyInitializedParameter(c) +} + +/** + * Gets an argument which is conditionally initialized by the call to the given target under the given context and evidence. + */ +Expr getAConditionallyInitializedArgument( + Call call, ConditionalInitializationFunction target, Context c, Evidence e +) { + result = call.getArgument(conditionallyInitializedArgument(call, target, c, e)) +} + +/** + * Gets the type signature for the functions parameters. + */ +string typeSig(Function f) { + result = concat(int i, Type pt | + pt = f.getParameter(i).getType() + | + pt.getUnspecifiedType().toString(), "," order by i + ) +} + +/** + * Holds where qualifiedName and typeSig make up the signature for the function. + */ +predicate functionSignature(Function f, string qualifiedName, string typeSig) { + qualifiedName = f.getQualifiedName() and + typeSig = typeSig(f) +} + +/** + * Gets a possible definition for the undefined function by matching the undefined function name + * and parameter arity with a defined function. + * + * This is useful for identifying call to target dependencies across libraries, where the libraries + * are never statically linked together. + */ +Function getAPossibleDefinition(Function undefinedFunction) { + not undefinedFunction.isDefined() and + exists(string qn, string typeSig | + functionSignature(undefinedFunction, qn, typeSig) and functionSignature(result, qn, typeSig) + ) and + result.isDefined() +} + +/** + * Gets a possible target for the Call, using the name and parameter matching if we did not associate + * this call with a specific definition at link or compile time, and performing simple virtual + * dispatch resolution. + */ +Function getTarget(Call c) { + if VirtualDispatch::getAViableTarget(c).isDefined() + then + /* + * If there is at least one defined target after performing some simple virtual dispatch + * resolution, then the result is all the defined targets. + */ + + result = VirtualDispatch::getAViableTarget(c) and + result.isDefined() + else + if exists(getAPossibleDefinition(VirtualDispatch::getAViableTarget(c))) + then + /* + * If we can use the heuristic matching of functions to find definitions for some of the viable + * targets, return those. + */ + + result = getAPossibleDefinition(VirtualDispatch::getAViableTarget(c)) + else + // Otherwise, the result is the undefined `Function` instances + result = VirtualDispatch::getAViableTarget(c) +} + +/** + * Get an access of a field on `Variable` v. + */ +FieldAccess getAFieldAccess(Variable v) { + exists(VariableAccess va, Expr qualifierExpr | + // Find an access of the variable, or an AddressOfExpr that has the access + va = v.getAnAccess() and + ( + qualifierExpr = va or + qualifierExpr.(AddressOfExpr).getOperand() = va + ) + | + // Direct field access + qualifierExpr = result.getQualifier() + or + // Nested field access + qualifierExpr = result.(NestedFieldAccess).getUltimateQualifier() + ) +} + +/** + * Gets a condition which is asserted to be false by the given `ne` expression, according to this pattern: + * ``` + * int a = !!result; + * if (!a) { // <- ne + * .... + * } + * ``` + */ +Expr getAssertedFalseCondition(NotExpr ne) { + exists(LocalVariable v | + result = v.getInitializer().getExpr().(NotExpr).getOperand().(NotExpr).getOperand() and + ne.getOperand() = v.getAnAccess() and + nonAssignedVariable(v) + // and not passed by val? + ) +} + +pragma[noinline] +private predicate nonAssignedVariable(Variable v) { not exists(v.getAnAssignment()) } diff --git a/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll b/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll new file mode 100644 index 00000000000..4289f66e21d --- /dev/null +++ b/cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll @@ -0,0 +1,190 @@ +/** + * A module for identifying conditionally initialized variables. + */ + +import cpp +import InitializationFunctions + +// Optimised reachability predicates +private predicate reaches(ControlFlowNode a, ControlFlowNode b) = fastTC(successor/2)(a, b) + +private predicate successor(ControlFlowNode a, ControlFlowNode b) { b = a.getASuccessor() } + +class WhitelistedCallsConfig extends string { + WhitelistedCallsConfig() { this = "config" } + + abstract predicate isWhitelisted(Call c); +} + +abstract class WhitelistedCall extends Call { + override Function getTarget() { none() } +} + +private predicate hasConditionalInitialization( + ConditionalInitializationFunction f, ConditionalInitializationCall call, LocalVariable v, + VariableAccess initAccess, Evidence e +) { + // Ignore whitelisted calls + not call instanceof WhitelistedCall and + f = getTarget(call) and + initAccess = v.getAnAccess() and + initAccess = call.getAConditionallyInitializedArgument(f, e).(AddressOfExpr).getOperand() +} + +/** + * A variable that can be conditionally initialized by a call. + */ +class ConditionallyInitializedVariable extends LocalVariable { + ConditionalInitializationCall call; + ConditionalInitializationFunction f; + VariableAccess initAccess; + Evidence e; + + ConditionallyInitializedVariable() { + // Find a call that conditionally initializes this variable + hasConditionalInitialization(f, call, this, initAccess, e) and + // Ignore cases where the variable is assigned prior to the call + not reaches(getAnAssignedValue(), initAccess) and + // Ignore cases where the variable is assigned field-wise prior to the call. + not exists(FieldAccess fa | + exists(Assignment a | + fa = getAFieldAccess(this) and + a.getLValue() = fa + ) + | + reaches(fa, initAccess) + ) and + // Ignore cases where the variable is assigned by a prior call to an initialization function + not exists(Call c | + getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and + reaches(c, initAccess) + ) and + /* + * Static local variables with constant initializers do not have the initializer expr as part of + * the CFG, but should always be considered as initialized, so exclude them. + */ + + not exists(getInitializer().getExpr()) + } + + /** + * Gets an access of the variable `v` which is not used as an lvalue, and not used as an argument + * to an initialization function. + */ + private VariableAccess getAReadAccess() { + result = this.getAnAccess() and + // Not used as an lvalue + not result = any(AssignExpr a).getLValue() and + // Not passed to another initialization function + not exists(Call c, int j | j = c.getTarget().(InitializationFunction).initializedParameter() | + result = c.getArgument(j).(AddressOfExpr).getOperand() + ) and + // Not a pointless read + not result = any(ExprStmt es).getExpr() + } + + /** + * Gets a read access of variable `v` that occurs after the `initializingCall`. + */ + private VariableAccess getAReadAccessAfterCall(ConditionalInitializationCall initializingCall) { + // Variable associated with this particular call + call = initializingCall and + // Access is a meaningful read access + result = getAReadAccess() and + // Which occurs after the call + reaches(call, result) and + /* + * Ignore risky accesses which are arguments to calls which also include another parameter to + * the original call. This is an attempt to eliminate results where the "status" can be checked + * through another parameter that assigned as part of the original call. + */ + + not exists(Call c | + c.getAnArgument() = result or + c.getAnArgument().(AddressOfExpr).getOperand() = result + | + exists(LocalVariable lv | + call.getAnArgument().(AddressOfExpr).getOperand() = lv.getAnAccess() and + not lv = this + | + c.getAnArgument() = lv.getAnAccess() + ) + ) + } + + /** + * Gets an access to the variable that is risky because the variable may not be initialized after + * the `call`, and the status of the call is never checked. + */ + VariableAccess getARiskyAccessWithNoStatusCheck( + ConditionalInitializationFunction initializingFunction, + ConditionalInitializationCall initializingCall, Evidence evidence + ) { + // Variable associated with this particular call + call = initializingCall and + initializingFunction = f and + e = evidence and + result = getAReadAccessAfterCall(initializingCall) and + ( + // Access is risky because status return code ignored completely + call instanceof ExprInVoidContext + or + // Access is risky because status return code ignored completely + exists(LocalVariable status | call = status.getAnAssignedValue() | + not exists(status.getAnAccess()) + ) + ) + } + + /** + * Gets an access to the variable that is risky because the variable may not be initialized after + * the `call`, and the status of the call is only checked after the risky access. + */ + VariableAccess getARiskyAccessBeforeStatusCheck( + ConditionalInitializationFunction initializingFunction, + ConditionalInitializationCall initializingCall, Evidence evidence + ) { + // Variable associated with this particular call + call = initializingCall and + initializingFunction = f and + e = evidence and + result = getAReadAccessAfterCall(initializingCall) and + exists(LocalVariable status, Assignment a | + a.getRValue() = call and + call = status.getAnAssignedValue() and + // There exists a check of the status code + definitionUsePair(status, a, _) and + // And the check of the status code does not occur before the risky access + not exists(VariableAccess statusAccess | + definitionUsePair(status, a, statusAccess) and + reaches(statusAccess, result) + ) and + // Ignore cases where the assignment to the status code is used directly + a instanceof ExprInVoidContext and + /* + * Ignore risky accesses which are arguments to calls which also include the status code. + * If both the risky value and status code are passed to a different function, that + * function is responsible for checking the status code. + */ + + not exists(Call c | + c.getAnArgument() = result or + c.getAnArgument().(AddressOfExpr).getOperand() = result + | + definitionUsePair(status, a, c.getAnArgument()) + ) + ) + } + + /** + * Gets an access to the variable that is risky because the variable may not be initialized after + * the `call`. + */ + VariableAccess getARiskyAccess( + ConditionalInitializationFunction initializingFunction, + ConditionalInitializationCall initializingCall, Evidence evidence + ) { + result = getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or + result = getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence) + } +} diff --git a/cpp/ql/src/semmle/code/cpp/NestedFields.qll b/cpp/ql/src/semmle/code/cpp/NestedFields.qll new file mode 100644 index 00000000000..12109be8ece --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/NestedFields.qll @@ -0,0 +1,41 @@ +import cpp + +/** + * Gets a `Field` that is nested within the given `Struct`. + * + * This identifies `Field`s which are located in the same memory + */ +private Field getANestedField(Struct s) { + result = s.getAField() + or + exists(NestedStruct ns | + s = ns.getDeclaringType() and + result = getANestedField(ns) + ) +} + +/** + * Unwraps a series of field accesses to determine the inner-most qualifier. + */ +private Expr getUltimateQualifier(FieldAccess fa) { + exists(Expr qualifier | qualifier = fa.getQualifier() | + result = getUltimateQualifier(qualifier) + or + not qualifier instanceof FieldAccess and result = qualifier + ) +} + +/** + * Accesses to nested fields. + */ +class NestedFieldAccess extends FieldAccess { + Expr ultimateQualifier; + + NestedFieldAccess() { + ultimateQualifier = getUltimateQualifier(this) and + getTarget() = getANestedField(ultimateQualifier.getType().stripType()) + } + + /** Gets the ultimate qualifier of this nested field access. */ + Expr getUltimateQualifier() { result = ultimateQualifier } +} diff --git a/cpp/ql/src/semmle/code/cpp/PrintAST.ql b/cpp/ql/src/semmle/code/cpp/PrintAST.ql index 6fc40dd0525..e4c53030da5 100644 --- a/cpp/ql/src/semmle/code/cpp/PrintAST.ql +++ b/cpp/ql/src/semmle/code/cpp/PrintAST.ql @@ -7,3 +7,15 @@ import cpp import PrintAST + +/** + * Temporarily tweak this class or make a copy to control which functions are + * printed. + */ +class Cfg extends PrintASTConfiguration { + /** + * TWEAK THIS PREDICATE AS NEEDED. + * Holds if the AST for `func` should be printed. + */ + override predicate shouldPrintFunction(Function func) { any() } +} diff --git a/cpp/ql/src/semmle/code/cpp/Type.qll b/cpp/ql/src/semmle/code/cpp/Type.qll index c65c4941355..10a1b6b1724 100644 --- a/cpp/ql/src/semmle/code/cpp/Type.qll +++ b/cpp/ql/src/semmle/code/cpp/Type.qll @@ -610,7 +610,9 @@ class FloatingPointType extends ArithmeticType { ( kind >= 24 and kind <= 32 or - kind = 38 + kind >= 38 and kind <= 42 + or + kind >= 45 and kind <= 50 ) ) } diff --git a/cpp/ql/src/semmle/code/cpp/commons/VoidContext.qll b/cpp/ql/src/semmle/code/cpp/commons/VoidContext.qll index 08def499e13..4b0b1299fd8 100644 --- a/cpp/ql/src/semmle/code/cpp/commons/VoidContext.qll +++ b/cpp/ql/src/semmle/code/cpp/commons/VoidContext.qll @@ -35,7 +35,8 @@ private predicate exprInVoidContext(Expr e) { exists(CommaExpr c | c.getLeftOperand() = e) or exists(CommaExpr c | c.getRightOperand() = e and c instanceof ExprInVoidContext) + or + exists(ForStmt for | for.getUpdate() = e) ) and - not e instanceof Qualifier and not e.getActualType() instanceof VoidType } diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll index 0caa2ab05df..fc0b5a90882 100644 --- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll @@ -5,6 +5,8 @@ private import cpp private import semmle.code.cpp.dataflow.internal.FlowVar private import semmle.code.cpp.models.interfaces.DataFlow +private import semmle.code.cpp.controlflow.Guards +private import semmle.code.cpp.valuenumbering.GlobalValueNumbering cached private newtype TNode = @@ -680,12 +682,16 @@ VariableAccess getAnAccessToAssignedVariable(Expr assign) { * * It is important that all extending classes in scope are disjoint. */ -class BarrierGuard extends Expr { - /** NOT YET SUPPORTED. Holds if this guard validates `e` upon evaluating to `branch`. */ - abstract deprecated predicate checks(Expr e, boolean branch); +class BarrierGuard extends GuardCondition { + /** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */ + abstract predicate checks(Expr e, boolean b); /** Gets a node guarded by this guard. */ - final Node getAGuardedNode() { - none() // stub + final ExprNode getAGuardedNode() { + exists(GVN value, boolean branch | + result.getExpr() = value.getAnExpr() and + this.checks(value.getAnExpr(), branch) and + this.controls(result.getExpr().getBasicBlock(), branch) + ) } } diff --git a/cpp/ql/src/semmle/code/cpp/dispatch/VirtualDispatch.qll b/cpp/ql/src/semmle/code/cpp/dispatch/VirtualDispatch.qll new file mode 100644 index 00000000000..2fa9322843e --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/dispatch/VirtualDispatch.qll @@ -0,0 +1,83 @@ +import cpp + +/** + * A module for performing simple virtual dispatch analysis. + */ +module VirtualDispatch { + /** + * Gets a possible implementation target when the given function is the static target of a virtual call. + */ + private MemberFunction getAPossibleImplementation(MemberFunction staticTarget) { + /* + * `IUnknown` is a COM interface with many sub-types, and many overrides (tens of thousands on + * some databases), so we ignore any member functions defined within that interface. + */ + + not staticTarget.getDeclaringType().hasName("IUnknown") and + result = staticTarget.getAnOverridingFunction*() + } + + /** Gets the static type of the qualifier expression for the given call. */ + private Class getCallQualifierType(FunctionCall c) { + result = c.getQualifier().getType().stripType() and + /* + * `IUnknown` is a COM interface with many sub-types (tens of thousands on some databases), so + * we ignore any cases where the qualifier type is that interface. + */ + + not result.hasName("IUnknown") + } + + /** + * Gets a viable target for the given function call. + * + * If `c` is a virtual call, then we will perform a simple virtual dispatch analysis to return + * the `Function` instances which might be a viable target, based on an analysis of the declared + * type of the qualifier expression. + * + * (This analysis is imprecise: it looks for subtypes of the declared type of the qualifier expression + * and the possible implementations of `c.getTarget()` that are declared or inherited by those subtypes. + * This does not account for virtual inheritance and the ways this affects dispatch.) + * + * If `c` is not a virtual call, the result will be `c.getTarget()`. + */ + Function getAViableTarget(Call c) { + exists(Function staticTarget | staticTarget = c.getTarget() | + if c.(FunctionCall).isVirtual() and staticTarget instanceof MemberFunction + then + exists(Class qualifierType, Class qualifierSubType | + result = getAPossibleImplementation(staticTarget) and + qualifierType = getCallQualifierType(c) and + qualifierType = qualifierSubType.getABaseClass*() and + mayInherit(qualifierSubType, result) and + not cannotInherit(qualifierSubType, result) + ) + else result = staticTarget + ) + } + + /** Holds if `f` is declared in `c` or a transitive base class of `c`. */ + private predicate mayInherit(Class c, MemberFunction f) { + f.getDeclaringType() = c.getABaseClass*() + } + + /** + * Holds if `c` cannot inherit the member function `f`, + * i.e. `c` or one of its supertypes overrides `f`. + */ + private predicate cannotInherit(Class c, MemberFunction f) { + exists(Class overridingType, MemberFunction override | + cannotInheritHelper(c, f, overridingType, override) and + override.overrides+(f) + ) + } + + pragma[noinline] + private predicate cannotInheritHelper( + Class c, MemberFunction f, Class overridingType, MemberFunction override + ) { + c.getABaseClass*() = overridingType and + override.getDeclaringType() = overridingType and + overridingType.getABaseClass+() = f.getDeclaringType() + } +} diff --git a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll index e4da80fd70b..d020ab82e10 100644 --- a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll +++ b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll @@ -540,6 +540,13 @@ class ErrorExpr extends Expr, @errorexpr { */ class AssumeExpr extends Expr, @assume { override string toString() { result = "__assume(...)" } + + override string getCanonicalQLClass() { result = "AssumeExpr" } + + /** + * Gets the operand of the `__assume` expressions. + */ + Expr getOperand() { this.hasChild(result, 0) } } /** diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll index 08556a4af39..0753dfd266e 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll @@ -37,7 +37,7 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration { } private predicate accessesVariable(CopyInstruction copy, Variable var) { - exists(VariableAddressInstruction va | va.getVariable().getAST() = var | + exists(VariableAddressInstruction va | va.getASTVariable() = var | copy.(StoreInstruction).getDestinationAddress() = va or copy.(LoadInstruction).getSourceAddress() = va diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index 0476ea3c30a..cd989c94710 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -5,6 +5,7 @@ private import cpp private import semmle.code.cpp.ir.IR private import semmle.code.cpp.controlflow.IRGuards +private import semmle.code.cpp.ir.ValueNumbering /** * A newtype wrapper to prevent accidental casts between `Node` and @@ -213,6 +214,14 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction */ predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) } +/** + * Holds if data can flow from `i1` to `i2` in zero or more + * local (intra-procedural) steps. + */ +predicate localInstructionFlow(Instruction e1, Instruction e2) { + localFlow(instructionNode(e1), instructionNode(e2)) +} + /** * Holds if data can flow from `e1` to `e2` in zero or more * local (intra-procedural) steps. @@ -220,7 +229,7 @@ predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) } predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) } /** - * A guard that validates some expression. + * A guard that validates some instruction. * * To use this in a configuration, extend the class and provide a * characteristic predicate precisely specifying the guard, and override @@ -229,11 +238,15 @@ predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2) * It is important that all extending classes in scope are disjoint. */ class BarrierGuard extends IRGuardCondition { - /** NOT YET SUPPORTED. Holds if this guard validates `e` upon evaluating to `b`. */ - abstract deprecated predicate checks(Instruction e, boolean b); + /** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */ + abstract predicate checks(Instruction instr, boolean b); /** Gets a node guarded by this guard. */ final Node getAGuardedNode() { - none() // stub + exists(ValueNumber value, boolean edge | + result.asInstruction() = value.getAnInstruction() and + this.checks(value.getAnInstruction(), edge) and + this.controls(result.asInstruction().getBlock(), edge) + ) } } diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll index e34709e94ec..8d7c9194f4f 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll @@ -53,6 +53,14 @@ private predicate localInstructionTaintStep(Instruction nodeFrom, Instruction no */ predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) } +/** + * Holds if taint can flow from `i1` to `i2` in zero or more + * local (intra-procedural) steps. + */ +predicate localInstructionTaint(Instruction i1, Instruction i2) { + localTaint(DataFlow::instructionNode(i1), DataFlow::instructionNode(i2)) +} + /** * Holds if taint can flow from `e1` to `e2` in zero or more * local (intra-procedural) steps. diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll new file mode 100644 index 00000000000..0abfa14023d --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll @@ -0,0 +1,247 @@ +/** + * Minimal, language-neutral type system for the IR. + */ + +private import internal.IRTypeInternal + +private newtype TIRType = + TIRVoidType() or + TIRUnknownType() or + TIRErrorType() { Language::hasErrorType() } or + TIRBooleanType(int byteSize) { Language::hasBooleanType(byteSize) } or + TIRSignedIntegerType(int byteSize) { Language::hasSignedIntegerType(byteSize) } or + TIRUnsignedIntegerType(int byteSize) { Language::hasUnsignedIntegerType(byteSize) } or + TIRFloatingPointType(int byteSize) { Language::hasFloatingPointType(byteSize) } or + TIRAddressType(int byteSize) { Language::hasAddressType(byteSize) } or + TIRFunctionAddressType(int byteSize) { Language::hasFunctionAddressType(byteSize) } or + TIROpaqueType(Language::OpaqueTypeTag tag, int byteSize) { + Language::hasOpaqueType(tag, byteSize) + } + +/** + * The language-neutral type of an IR `Instruction`, `Operand`, or `IRVariable`. + * The interface to `IRType` and its subclasses is the same across all languages for which the IR + * is supported, so analyses that expect to be used for multiple languages should generally use + * `IRType` rather than a language-specific type. + * + * Many types from the language-specific type system will map to a single canonical `IRType`. Two + * types that map to the same `IRType` are considered equivalent by the IR. As an example, in C++, + * all pointer types map to the same instance of `IRAddressType`. + */ +class IRType extends TIRType { + string toString() { none() } + + /** + * Gets a string that uniquely identifies this `IRType`. This string is often the same as the + * result of `IRType.toString()`, but for some types it may be more verbose to ensure uniqueness. + */ + string getIdentityString() { result = toString() } + + /** + * Gets the size of the type, in bytes, if known. + * + * This will hold for all `IRType` objects except `IRUnknownType`. + */ + int getByteSize() { none() } + + /** + * Gets a single instance of `LanguageType` that maps to this `IRType`. + */ + Language::LanguageType getCanonicalLanguageType() { none() } +} + +/** + * An unknown type. Generally used to represent results and operands that access an unknown set of + * memory locations, such as the side effects of a function call. + */ +class IRUnknownType extends IRType, TIRUnknownType { + final override string toString() { result = "unknown" } + + final override int getByteSize() { none() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalUnknownType() + } +} + +/** + * A void type, which has no values. Used to represent the result type of an instruction that does + * not produce a result. + */ +class IRVoidType extends IRType, TIRVoidType { + final override string toString() { result = "void" } + + final override int getByteSize() { result = 0 } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalVoidType() + } +} + +/** + * An error type. Used when an error in the source code prevents the extractor from determining the + * proper type. + */ +class IRErrorType extends IRType, TIRErrorType { + final override string toString() { result = "error" } + + final override int getByteSize() { result = 0 } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalErrorType() + } +} + +private class IRSizedType extends IRType { + int byteSize; + + IRSizedType() { + this = TIRBooleanType(byteSize) or + this = TIRSignedIntegerType(byteSize) or + this = TIRUnsignedIntegerType(byteSize) or + this = TIRFloatingPointType(byteSize) or + this = TIRAddressType(byteSize) or + this = TIRFunctionAddressType(byteSize) or + this = TIROpaqueType(_, byteSize) + } + + final override int getByteSize() { result = byteSize } +} + +/** + * A Boolean type, which can hold the values `true` (non-zero) or `false` (zero). + */ +class IRBooleanType extends IRSizedType, TIRBooleanType { + final override string toString() { result = "bool" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalBooleanType(byteSize) + } +} + +/** + * A numberic type. This includes `IRSignedIntegerType`, `IRUnsignedIntegerType`, and + * `IRFloatingPointType`. + */ +class IRNumericType extends IRSizedType { + IRNumericType() { + this = TIRSignedIntegerType(byteSize) or + this = TIRUnsignedIntegerType(byteSize) or + this = TIRFloatingPointType(byteSize) + } +} + +/** + * A signed two's-complement integer. Also used to represent enums whose underlying type is a signed + * integer, as well as character types whose representation is signed. + */ +class IRSignedIntegerType extends IRNumericType, TIRSignedIntegerType { + final override string toString() { result = "int" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalSignedIntegerType(byteSize) + } +} + +/** + * An unsigned two's-complement integer. Also used to represent enums whose underlying type is an + * unsigned integer, as well as character types whose representation is unsigned. + */ +class IRUnsignedIntegerType extends IRNumericType, TIRUnsignedIntegerType { + final override string toString() { result = "uint" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalUnsignedIntegerType(byteSize) + } +} + +/** + * A floating-point type. + */ +class IRFloatingPointType extends IRNumericType, TIRFloatingPointType { + final override string toString() { result = "float" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalFloatingPointType(byteSize) + } +} + +/** + * An address type, representing the memory address of data. Used to represent pointers, references, + * and lvalues, include those that are garbage collected. + * + * The address of a function is represented by the separate `IRFunctionAddressType`. + */ +class IRAddressType extends IRSizedType, TIRAddressType { + final override string toString() { result = "addr" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalAddressType(byteSize) + } +} + +/** + * An address type, representing the memory address of code. Used to represent function pointers, + * function references, and the target of a direct function call. + */ +class IRFunctionAddressType extends IRSizedType, TIRFunctionAddressType { + final override string toString() { result = "func" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalFunctionAddressType(byteSize) + } +} + +/** + * A type with known size that does not fit any of the other kinds of type. Used to represent + * classes, structs, unions, fixed-size arrays, pointers-to-member, and more. + */ +class IROpaqueType extends IRSizedType, TIROpaqueType { + Language::OpaqueTypeTag tag; + + IROpaqueType() { this = TIROpaqueType(tag, byteSize) } + + final override string toString() { + result = "opaque" + byteSize.toString() + "{" + tag.toString() + "}" + } + + final override string getIdentityString() { + result = "opaque" + byteSize.toString() + "{" + Language::getOpaqueTagIdentityString(tag) + "}" + } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalOpaqueType(tag, byteSize) + } + + /** + * Gets the "tag" that differentiates this type from other incompatible opaque types that have the + * same size. + */ + final Language::OpaqueTypeTag getTag() { result = tag } +} + +module IRTypeSanity { + query predicate missingCanonicalLanguageType(IRType type, string message) { + not exists(type.getCanonicalLanguageType()) and + message = "Type does not have a canonical `LanguageType`" + } + + query predicate multipleCanonicalLanguageTypes(IRType type, string message) { + strictcount(type.getCanonicalLanguageType()) > 1 and + message = "Type has multiple canonical `LanguageType`s: " + + concat(type.getCanonicalLanguageType().toString(), ", ") + } + + query predicate missingIRType(Language::LanguageType type, string message) { + not exists(type.getIRType()) and + message = "`LanguageType` does not have a corresponding `IRType`." + } + + query predicate multipleIRTypes(Language::LanguageType type, string message) { + strictcount(type.getIRType()) > 1 and + message = "`LanguageType` " + type.getAQlClass() + " has multiple `IRType`s: " + + concat(type.getIRType().toString(), ", ") + } + + import Language::LanguageTypeSanity +} diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll index d4f1599d78e..a71608ee855 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll @@ -5,6 +5,7 @@ private newtype TMemoryAccessKind = TBufferMayMemoryAccess() or TEscapedMemoryAccess() or TEscapedMayMemoryAccess() or + TNonLocalMayMemoryAccess() or TPhiMemoryAccess() or TUnmodeledMemoryAccess() or TChiTotalMemoryAccess() or @@ -80,6 +81,14 @@ class EscapedMayMemoryAccess extends MemoryAccessKind, TEscapedMayMemoryAccess { override string toString() { result = "escaped(may)" } } +/** + * The operand or result may access all memory whose address has escaped, other than data on the + * stack frame of the current function. + */ +class NonLocalMayMemoryAccess extends MemoryAccessKind, TNonLocalMayMemoryAccess { + override string toString() { result = "nonlocal(may)" } +} + /** * The operand is a Phi operand, which accesses the same memory as its * definition. diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll index 0c1009b4fac..eb07be7f30c 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll @@ -57,6 +57,7 @@ private newtype TOpcode = TUnmodeledDefinition() or TUnmodeledUse() or TAliasedDefinition() or + TAliasedUse() or TPhi() or TBuiltIn() or TVarArgsStart() or @@ -393,6 +394,10 @@ module Opcode { final override string toString() { result = "AliasedDefinition" } } + class AliasedUse extends Opcode, TAliasedUse { + final override string toString() { result = "AliasedUse" } + } + class Phi extends Opcode, TPhi { final override string toString() { result = "Phi" } } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll index 278040f8ab8..badd48552a5 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.IRImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind private newtype TIRPropertyProvider = MkIRPropertyProvider() diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll index 3921472dc8e..de66a3c99dc 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll @@ -1,2 +1,3 @@ private import IR import InstructionSanity +import IRTypeSanity diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll index a7ca4593ac4..1a607f82c29 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll @@ -5,6 +5,7 @@ import Imports::TempVariableTag private import Imports::IRUtilities private import Imports::TTempVariableTag private import Imports::TIRVariable +private import Imports::IRType IRUserVariable getIRUserVariable(Language::Function func, Language::Variable var) { result.getVariable() = var and @@ -24,7 +25,17 @@ abstract class IRVariable extends TIRVariable { /** * Gets the type of the variable. */ - abstract Language::Type getType(); + final Language::Type getType() { getLanguageType().hasType(result, false) } + + /** + * Gets the language-neutral type of the variable. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the variable. + */ + abstract Language::LanguageType getLanguageType(); /** * Gets the AST node that declared this variable, or that introduced this @@ -59,7 +70,7 @@ abstract class IRVariable extends TIRVariable { */ class IRUserVariable extends IRVariable, TIRUserVariable { Language::Variable var; - Language::Type type; + Language::LanguageType type; IRUserVariable() { this = TIRUserVariable(var, type, func) } @@ -71,7 +82,7 @@ class IRUserVariable extends IRVariable, TIRUserVariable { result = getVariable().toString() + " " + getVariable().getLocation().toString() } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } /** * Gets the original user-declared variable. @@ -110,11 +121,11 @@ IRTempVariable getIRTempVariable(Language::AST ast, TempVariableTag tag) { class IRTempVariable extends IRVariable, IRAutomaticVariable, TIRTempVariable { Language::AST ast; TempVariableTag tag; - Language::Type type; + Language::LanguageType type; IRTempVariable() { this = TIRTempVariable(func, ast, tag, type) } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } final override Language::AST getAST() { result = ast } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll index 6d5e697150e..049983c9126 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.InstructionImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind import Imports::Opcode private import Imports::OperandTag @@ -49,7 +50,8 @@ module InstructionSanity { ( opcode instanceof ReadSideEffectOpcode or opcode instanceof Opcode::InlineAsm or - opcode instanceof Opcode::CallSideEffect + opcode instanceof Opcode::CallSideEffect or + opcode instanceof Opcode::AliasedUse ) and tag instanceof SideEffectOperandTag ) @@ -113,10 +115,12 @@ module InstructionSanity { } query predicate missingOperandType(Operand operand, string message) { - exists(Language::Function func | + exists(Language::Function func, Instruction use | not exists(operand.getType()) and - func = operand.getUse().getEnclosingFunction() and - message = "Operand missing type in function '" + Language::getIdentityString(func) + "'." + use = operand.getUse() and + func = use.getEnclosingFunction() and + message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() + + "' missing type in function '" + Language::getIdentityString(func) + "'." ) } @@ -260,6 +264,7 @@ module InstructionSanity { ) { exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex | not useOperand.getUse() instanceof UnmodeledUseInstruction and + not defInstr instanceof UnmodeledDefinitionInstruction and pointOfEvaluation(useOperand, useBlock, useIndex) and defInstr = useOperand.getAnyDef() and ( @@ -321,7 +326,7 @@ class Instruction extends Construction::TInstruction { } private string getResultPrefix() { - if getResultType() instanceof Language::VoidType + if getResultIRType() instanceof IRVoidType then result = "v" else if hasMemoryResult() @@ -353,23 +358,6 @@ class Instruction extends Construction::TInstruction { ) } - bindingset[type] - private string getValueCategoryString(string type) { - if isGLValue() then result = "glval<" + type + ">" else result = type - } - - string getResultTypeString() { - exists(string valcat | - valcat = getValueCategoryString(getResultType().toString()) and - if - getResultType() instanceof Language::UnknownType and - not isGLValue() and - exists(getResultSize()) - then result = valcat + "[" + getResultSize().toString() + "]" - else result = valcat - ) - } - /** * Gets a human-readable string that uniquely identifies this instruction * within the function. This string is used to refer to this instruction when @@ -389,7 +377,9 @@ class Instruction extends Construction::TInstruction { * * Example: `r1_1(int*)` */ - final string getResultString() { result = getResultId() + "(" + getResultTypeString() + ")" } + final string getResultString() { + result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")" + } /** * Gets a string describing the operands of this instruction, suitable for @@ -457,6 +447,16 @@ class Instruction extends Construction::TInstruction { result = Construction::getInstructionUnconvertedResultExpression(this) } + final Language::LanguageType getResultLanguageType() { + result = Construction::getInstructionResultType(this) + } + + /** + * Gets the type of the result produced by this instruction. If the instruction does not produce + * a result, its result type will be `IRVoidType`. + */ + final IRType getResultIRType() { result = getResultLanguageType().getIRType() } + /** * Gets the type of the result produced by this instruction. If the * instruction does not produce a result, its result type will be `VoidType`. @@ -464,7 +464,16 @@ class Instruction extends Construction::TInstruction { * If `isGLValue()` holds, then the result type of this instruction should be * thought of as "pointer to `getResultType()`". */ - final Language::Type getResultType() { Construction::instructionHasType(this, result, _) } + final Language::Type getResultType() { + exists(Language::LanguageType resultType | + resultType = getResultLanguageType() and + ( + resultType.hasUnspecifiedType(result, _) + or + not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType + ) + ) + } /** * Holds if the result produced by this instruction is a glvalue. If this @@ -484,7 +493,7 @@ class Instruction extends Construction::TInstruction { * result of the `Load` instruction is a prvalue of type `int`, representing * the integer value loaded from variable `x`. */ - final predicate isGLValue() { Construction::instructionHasType(this, _, true) } + final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) } /** * Gets the size of the result produced by this instruction, in bytes. If the @@ -493,16 +502,7 @@ class Instruction extends Construction::TInstruction { * If `this.isGLValue()` holds for this instruction, the value of * `getResultSize()` will always be the size of a pointer. */ - final int getResultSize() { - if isGLValue() - then - // a glvalue is always pointer-sized. - result = Language::getPointerSize() - else - if getResultType() instanceof Language::UnknownType - then result = Construction::getInstructionResultSize(this) - else result = Language::getTypeSize(getResultType()) - } + final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() } /** * Gets the opcode that specifies the operation performed by this instruction. @@ -1384,7 +1384,7 @@ class CatchInstruction extends Instruction { * An instruction that catches an exception of a specific type. */ class CatchByTypeInstruction extends CatchInstruction { - Language::Type exceptionType; + Language::LanguageType exceptionType; CatchByTypeInstruction() { getOpcode() instanceof Opcode::CatchByType and @@ -1396,7 +1396,7 @@ class CatchByTypeInstruction extends CatchInstruction { /** * Gets the type of exception to be caught. */ - final Language::Type getExceptionType() { result = exceptionType } + final Language::LanguageType getExceptionType() { result = exceptionType } } /** @@ -1423,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction { final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess } } +/** + * An instruction that consumes all escaped memory on exit from the function. + */ +class AliasedUseInstruction extends Instruction { + AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse } +} + class UnmodeledUseInstruction extends Instruction { UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll index a23fb081afe..07dd107bf12 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll @@ -1,9 +1,10 @@ private import internal.IRInternal -import Instruction -import IRBlock +private import Instruction +private import IRBlock private import internal.OperandImports as Imports -import Imports::MemoryAccessKind -import Imports::Overlap +private import Imports::MemoryAccessKind +private import Imports::IRType +private import Imports::Overlap private import Imports::OperandTag cached @@ -143,22 +144,40 @@ class Operand extends TOperand { * the definition type, such as in the case of a partial read or a read from a pointer that * has been cast to a different type. */ - Language::Type getType() { result = getAnyDef().getResultType() } + Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() } + + /** + * Gets the language-neutral type of the value consumed by this operand. This is usually the same + * as the result type of the definition instruction consumed by this operand. For register + * operands, this is always the case. For some memory operands, the operand type may be different + * from the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the value consumed by this operand. This is usually the same as the + * result type of the definition instruction consumed by this operand. For register operands, + * this is always the case. For some memory operands, the operand type may be different from + * the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final Language::Type getType() { getLanguageType().hasType(result, _) } /** * Holds if the value consumed by this operand is a glvalue. If this * holds, the value of the operand represents the address of a location, * and the type of the location is given by `getType()`. If this does * not hold, the value of the operand represents a value whose type is - * given by `getResultType()`. + * given by `getType()`. */ - predicate isGLValue() { getAnyDef().isGLValue() } + final predicate isGLValue() { getLanguageType().hasType(_, true) } /** * Gets the size of the value consumed by this operand, in bytes. If the operand does not have * a known constant size, this predicate does not hold. */ - int getSize() { result = Language::getTypeSize(getType()) } + final int getSize() { result = getLanguageType().getByteSize() } } /** @@ -170,11 +189,6 @@ class MemoryOperand extends Operand { this = TPhiOperand(_, _, _, _) } - override predicate isGLValue() { - // A `MemoryOperand` can never be a glvalue - none() - } - /** * Gets the kind of memory access performed by the operand. */ @@ -239,7 +253,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe class TypedOperand extends NonPhiMemoryOperand { override TypedOperandTag tag; - final override Language::Type getType() { + final override Language::LanguageType getLanguageType() { result = Construction::getInstructionOperandType(useInstr, tag) } } @@ -381,13 +395,10 @@ class PositionalArgumentOperand extends ArgumentOperand { class SideEffectOperand extends TypedOperand { override SideEffectOperandTag tag; - final override int getSize() { - if getType() instanceof Language::UnknownType - then result = Construction::getInstructionOperandSize(useInstr, tag) - else result = Language::getTypeSize(getType()) - } - override MemoryAccessKind getMemoryAccess() { + useInstr instanceof AliasedUseInstruction and + result instanceof NonLocalMayMemoryAccess + or useInstr instanceof CallSideEffectInstruction and result instanceof EscapedMayMemoryAccess or diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll index df6c5be7728..79e5a2b6713 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll @@ -1,5 +1,5 @@ private import internal.ValueNumberingInternal -private import cpp +private import internal.ValueNumberingImports private import IR /** @@ -23,31 +23,32 @@ newtype TValueNumber = initializeParameterValueNumber(_, irFunc, var) } or TInitializeThisValueNumber(IRFunction irFunc) { initializeThisValueNumber(_, irFunc) } or - TConstantValueNumber(IRFunction irFunc, Type type, string value) { + TConstantValueNumber(IRFunction irFunc, IRType type, string value) { constantValueNumber(_, irFunc, type, value) } or - TStringConstantValueNumber(IRFunction irFunc, Type type, string value) { + TStringConstantValueNumber(IRFunction irFunc, IRType type, string value) { stringConstantValueNumber(_, irFunc, type, value) } or - TFieldAddressValueNumber(IRFunction irFunc, Field field, ValueNumber objectAddress) { + TFieldAddressValueNumber(IRFunction irFunc, Language::Field field, ValueNumber objectAddress) { fieldAddressValueNumber(_, irFunc, field, objectAddress) } or TBinaryValueNumber( - IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand + IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { binaryValueNumber(_, irFunc, opcode, type, leftOperand, rightOperand) } or TPointerArithmeticValueNumber( - IRFunction irFunc, Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, + IRFunction irFunc, Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { pointerArithmeticValueNumber(_, irFunc, opcode, type, elementSize, leftOperand, rightOperand) } or - TUnaryValueNumber(IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand) { + TUnaryValueNumber(IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand) { unaryValueNumber(_, irFunc, opcode, type, operand) } or TInheritanceConversionValueNumber( - IRFunction irFunc, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand + IRFunction irFunc, Opcode opcode, Language::Class baseClass, Language::Class derivedClass, + ValueNumber operand ) { inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand) } or @@ -59,7 +60,7 @@ newtype TValueNumber = class ValueNumber extends TValueNumber { final string toString() { result = getExampleInstruction().getResultId() } - final Location getLocation() { result = getExampleInstruction().getLocation() } + final Language::Location getLocation() { result = getExampleInstruction().getLocation() } /** * Gets the instructions that have been assigned this value number. This will always produce at @@ -150,23 +151,23 @@ private predicate initializeThisValueNumber(InitializeThisInstruction instr, IRF } private predicate constantValueNumber( - ConstantInstruction instr, IRFunction irFunc, Type type, string value + ConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue() = value } private predicate stringConstantValueNumber( - StringConstantInstruction instr, IRFunction irFunc, Type type, string value + StringConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue().getValue() = value } private predicate fieldAddressValueNumber( - FieldAddressInstruction instr, IRFunction irFunc, Field field, ValueNumber objectAddress + FieldAddressInstruction instr, IRFunction irFunc, Language::Field field, ValueNumber objectAddress ) { instr.getEnclosingIRFunction() = irFunc and instr.getField() = field and @@ -174,43 +175,43 @@ private predicate fieldAddressValueNumber( } private predicate binaryValueNumber( - BinaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, + BinaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof PointerArithmeticInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate pointerArithmeticValueNumber( - PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, Type type, int elementSize, - ValueNumber leftOperand, ValueNumber rightOperand + PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, + int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getElementSize() = elementSize and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate unaryValueNumber( - UnaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand + UnaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof InheritanceConversionInstruction and not instr instanceof CopyInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getUnary()) = operand } private predicate inheritanceConversionValueNumber( - InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, Class baseClass, - Class derivedClass, ValueNumber operand + InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, + Language::Class baseClass, Language::Class derivedClass, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and @@ -225,7 +226,7 @@ private predicate inheritanceConversionValueNumber( */ private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) { instr.getEnclosingIRFunction() = irFunc and - not instr.getResultType() instanceof VoidType and + not instr.getResultIRType() instanceof IRVoidType and not numberableInstruction(instr) } @@ -269,38 +270,41 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) { initializeThisValueNumber(instr, irFunc) and result = TInitializeThisValueNumber(irFunc) or - exists(Type type, string value | + exists(IRType type, string value | constantValueNumber(instr, irFunc, type, value) and result = TConstantValueNumber(irFunc, type, value) ) or - exists(Type type, string value | + exists(IRType type, string value | stringConstantValueNumber(instr, irFunc, type, value) and result = TStringConstantValueNumber(irFunc, type, value) ) or - exists(Field field, ValueNumber objectAddress | + exists(Language::Field field, ValueNumber objectAddress | fieldAddressValueNumber(instr, irFunc, field, objectAddress) and result = TFieldAddressValueNumber(irFunc, field, objectAddress) ) or - exists(Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand | + exists(Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand | binaryValueNumber(instr, irFunc, opcode, type, leftOperand, rightOperand) and result = TBinaryValueNumber(irFunc, opcode, type, leftOperand, rightOperand) ) or - exists(Opcode opcode, Type type, ValueNumber operand | + exists(Opcode opcode, IRType type, ValueNumber operand | unaryValueNumber(instr, irFunc, opcode, type, operand) and result = TUnaryValueNumber(irFunc, opcode, type, operand) ) or - exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand | + exists( + Opcode opcode, Language::Class baseClass, Language::Class derivedClass, ValueNumber operand + | inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand) ) or exists( - Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand + Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, + ValueNumber rightOperand | pointerArithmeticValueNumber(instr, irFunc, opcode, type, elementSize, leftOperand, rightOperand) and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll new file mode 100644 index 00000000000..0282f6887f1 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll @@ -0,0 +1,2 @@ +import semmle.code.cpp.ir.internal.Overlap +import semmle.code.cpp.ir.internal.IRCppLanguage as Language diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll index 95ddffb2274..955d422cf9a 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll @@ -1,6 +1,6 @@ -private import cpp import AliasAnalysis import semmle.code.cpp.ir.internal.Overlap +private import semmle.code.cpp.ir.internal.IRCppLanguage as Language private import semmle.code.cpp.Print private import semmle.code.cpp.ir.implementation.unaliased_ssa.IR private import semmle.code.cpp.ir.internal.IntegerConstant as Ints @@ -10,31 +10,42 @@ private import semmle.code.cpp.ir.implementation.internal.OperandTag private class IntValue = Ints::IntValue; private predicate hasResultMemoryAccess( - Instruction instr, IRVariable var, Type type, IntValue startBitOffset, IntValue endBitOffset + Instruction instr, IRVariable var, IRType type, Language::LanguageType languageType, + IntValue startBitOffset, IntValue endBitOffset ) { resultPointsTo(instr.getResultAddress(), var, startBitOffset) and - type = instr.getResultType() and - if exists(instr.getResultSize()) - then endBitOffset = Ints::add(startBitOffset, Ints::mul(instr.getResultSize(), 8)) + languageType = instr.getResultLanguageType() and + type = languageType.getIRType() and + if exists(type.getByteSize()) + then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8)) else endBitOffset = Ints::unknown() } private predicate hasOperandMemoryAccess( - MemoryOperand operand, IRVariable var, Type type, IntValue startBitOffset, IntValue endBitOffset + MemoryOperand operand, IRVariable var, IRType type, Language::LanguageType languageType, + IntValue startBitOffset, IntValue endBitOffset ) { resultPointsTo(operand.getAddressOperand().getAnyDef(), var, startBitOffset) and - type = operand.getType() and - if exists(operand.getSize()) - then endBitOffset = Ints::add(startBitOffset, Ints::mul(operand.getSize(), 8)) + languageType = operand.getLanguageType() and + type = languageType.getIRType() and + if exists(type.getByteSize()) + then endBitOffset = Ints::add(startBitOffset, Ints::mul(type.getByteSize(), 8)) else endBitOffset = Ints::unknown() } private newtype TMemoryLocation = - TVariableMemoryLocation(IRVariable var, Type type, IntValue startBitOffset, IntValue endBitOffset) { - hasResultMemoryAccess(_, var, type, startBitOffset, endBitOffset) or - hasOperandMemoryAccess(_, var, type, startBitOffset, endBitOffset) + TVariableMemoryLocation( + IRVariable var, IRType type, Language::LanguageType languageType, IntValue startBitOffset, + IntValue endBitOffset + ) { + ( + hasResultMemoryAccess(_, var, type, _, startBitOffset, endBitOffset) or + hasOperandMemoryAccess(_, var, type, _, startBitOffset, endBitOffset) + ) and + languageType = type.getCanonicalLanguageType() } or TUnknownMemoryLocation(IRFunction irFunc) or + TUnknownNonLocalMemoryLocation(IRFunction irFunc) or TUnknownVirtualVariable(IRFunction irFunc) /** @@ -49,9 +60,11 @@ abstract class MemoryLocation extends TMemoryLocation { abstract VirtualVariable getVirtualVariable(); - abstract Type getType(); + abstract Language::LanguageType getType(); abstract string getUniqueId(); + + final IRType getIRType() { result = getType().getIRType() } } abstract class VirtualVariable extends MemoryLocation { } @@ -62,20 +75,34 @@ abstract class VirtualVariable extends MemoryLocation { } */ class VariableMemoryLocation extends TVariableMemoryLocation, MemoryLocation { IRVariable var; - Type type; + IRType type; + Language::LanguageType languageType; IntValue startBitOffset; IntValue endBitOffset; VariableMemoryLocation() { - this = TVariableMemoryLocation(var, type, startBitOffset, endBitOffset) + this = TVariableMemoryLocation(var, type, languageType, startBitOffset, endBitOffset) } final override string toString() { result = var.toString() + Interval::getIntervalString(startBitOffset, endBitOffset) + "<" + - type.toString() + ">" + type.toString() + ", " + languageType.toString() + ">" } - final override Type getType() { result = type } + final override Language::LanguageType getType() { + if + strictcount(Language::LanguageType accessType | + hasResultMemoryAccess(_, var, type, accessType, startBitOffset, endBitOffset) or + hasOperandMemoryAccess(_, var, type, accessType, startBitOffset, endBitOffset) + ) = 1 + then + // All of the accesses have the same `LanguageType`, so just use that. + hasResultMemoryAccess(_, var, type, result, startBitOffset, endBitOffset) or + hasOperandMemoryAccess(_, var, type, result, startBitOffset, endBitOffset) + else + // There is no single type for all accesses, so just use the canonical one for this `IRType`. + result = type.getCanonicalLanguageType() + } final IntValue getStartBitOffset() { result = startBitOffset } @@ -85,13 +112,14 @@ class VariableMemoryLocation extends TVariableMemoryLocation, MemoryLocation { final override string getUniqueId() { result = var.getUniqueId() + Interval::getIntervalString(startBitOffset, endBitOffset) + "<" + - getTypeIdentityString(type) + ">" + type.getIdentityString() + ">" } final override VirtualVariable getVirtualVariable() { if variableAddressEscapes(var) then result = TUnknownVirtualVariable(var.getEnclosingIRFunction()) - else result = TVariableMemoryLocation(var, var.getType(), 0, var.getType().getSize() * 8) + else + result = TVariableMemoryLocation(var, var.getIRType(), _, 0, var.getIRType().getByteSize() * 8) } /** @@ -99,7 +127,7 @@ class VariableMemoryLocation extends TVariableMemoryLocation, MemoryLocation { */ final predicate coversEntireVariable() { startBitOffset = 0 and - endBitOffset = var.getType().getSize() * 8 + endBitOffset = var.getIRType().getByteSize() * 8 } } @@ -111,7 +139,7 @@ class VariableMemoryLocation extends TVariableMemoryLocation, MemoryLocation { class VariableVirtualVariable extends VariableMemoryLocation, VirtualVariable { VariableVirtualVariable() { not variableAddressEscapes(var) and - type = var.getType() and + type = var.getIRType() and coversEntireVariable() } } @@ -128,11 +156,33 @@ class UnknownMemoryLocation extends TUnknownMemoryLocation, MemoryLocation { final override VirtualVariable getVirtualVariable() { result = TUnknownVirtualVariable(irFunc) } - final override Type getType() { result instanceof UnknownType } + final override Language::LanguageType getType() { + result = any(IRUnknownType type).getCanonicalLanguageType() + } final override string getUniqueId() { result = "{Unknown}" } } +/** + * An access to memory that is not known to be confined to a specific `IRVariable`, but is known to + * not access memory on the current function's stack frame. + */ +class UnknownNonLocalMemoryLocation extends TUnknownNonLocalMemoryLocation, MemoryLocation { + IRFunction irFunc; + + UnknownNonLocalMemoryLocation() { this = TUnknownNonLocalMemoryLocation(irFunc) } + + final override string toString() { result = "{UnknownNonLocal}" } + + final override VirtualVariable getVirtualVariable() { result = TUnknownVirtualVariable(irFunc) } + + final override Language::LanguageType getType() { + result = any(IRUnknownType type).getCanonicalLanguageType() + } + + final override string getUniqueId() { result = "{UnknownNonLocal}" } +} + /** * An access to all aliased memory. */ @@ -143,7 +193,9 @@ class UnknownVirtualVariable extends TUnknownVirtualVariable, VirtualVariable { final override string toString() { result = "{AllAliased}" } - final override Type getType() { result instanceof UnknownType } + final override Language::LanguageType getType() { + result = any(IRUnknownType type).getCanonicalLanguageType() + } final override string getUniqueId() { result = " " + toString() } @@ -163,6 +215,13 @@ Overlap getOverlap(MemoryLocation def, MemoryLocation use) { def instanceof UnknownMemoryLocation and result instanceof MayPartiallyOverlap or + // An UnknownNonLocalMemoryLocation may partially overlap any location within the same virtual + // variable, except a local variable. + def.getVirtualVariable() = use.getVirtualVariable() and + def instanceof UnknownNonLocalMemoryLocation and + result instanceof MayPartiallyOverlap and + not use.(VariableMemoryLocation).getVariable() instanceof IRAutomaticVariable + or exists(VariableMemoryLocation defVariableLocation | defVariableLocation = def and ( @@ -171,13 +230,20 @@ Overlap getOverlap(MemoryLocation def, MemoryLocation use) { (use instanceof UnknownMemoryLocation or use instanceof UnknownVirtualVariable) and result instanceof MayPartiallyOverlap or + // A VariableMemoryLocation that is not a local variable may partially overlap an unknown + // non-local location within the same virtual variable. + def.getVirtualVariable() = use.getVirtualVariable() and + use instanceof UnknownNonLocalMemoryLocation and + result instanceof MayPartiallyOverlap and + not defVariableLocation.getVariable() instanceof IRAutomaticVariable + or // A VariableMemoryLocation overlaps another location within the same variable based on the relationship // of the two offset intervals. exists(Overlap intervalOverlap | intervalOverlap = getVariableMemoryLocationOverlap(def, use) and if intervalOverlap instanceof MustExactlyOverlap then - if def.getType() = use.getType() + if def.getIRType() = use.getIRType() then // The def and use types match, so it's an exact overlap. result instanceof MustExactlyOverlap @@ -282,11 +348,11 @@ MemoryLocation getResultMemoryLocation(Instruction instr) { ( ( kind.usesAddressOperand() and - if hasResultMemoryAccess(instr, _, _, _, _) + if hasResultMemoryAccess(instr, _, _, _, _, _) then - exists(IRVariable var, Type type, IntValue startBitOffset, IntValue endBitOffset | - hasResultMemoryAccess(instr, var, type, startBitOffset, endBitOffset) and - result = TVariableMemoryLocation(var, type, startBitOffset, endBitOffset) + exists(IRVariable var, IRType type, IntValue startBitOffset, IntValue endBitOffset | + hasResultMemoryAccess(instr, var, type, _, startBitOffset, endBitOffset) and + result = TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset) ) else result = TUnknownMemoryLocation(instr.getEnclosingIRFunction()) ) @@ -296,6 +362,9 @@ MemoryLocation getResultMemoryLocation(Instruction instr) { or kind instanceof EscapedMayMemoryAccess and result = TUnknownMemoryLocation(instr.getEnclosingIRFunction()) + or + kind instanceof NonLocalMayMemoryAccess and + result = TUnknownNonLocalMemoryLocation(instr.getEnclosingIRFunction()) ) ) } @@ -306,11 +375,11 @@ MemoryLocation getOperandMemoryLocation(MemoryOperand operand) { ( ( kind.usesAddressOperand() and - if hasOperandMemoryAccess(operand, _, _, _, _) + if hasOperandMemoryAccess(operand, _, _, _, _, _) then - exists(IRVariable var, Type type, IntValue startBitOffset, IntValue endBitOffset | - hasOperandMemoryAccess(operand, var, type, startBitOffset, endBitOffset) and - result = TVariableMemoryLocation(var, type, startBitOffset, endBitOffset) + exists(IRVariable var, IRType type, IntValue startBitOffset, IntValue endBitOffset | + hasOperandMemoryAccess(operand, var, type, _, startBitOffset, endBitOffset) and + result = TVariableMemoryLocation(var, type, _, startBitOffset, endBitOffset) ) else result = TUnknownMemoryLocation(operand.getEnclosingIRFunction()) ) @@ -320,6 +389,9 @@ MemoryLocation getOperandMemoryLocation(MemoryOperand operand) { or kind instanceof EscapedMayMemoryAccess and result = TUnknownMemoryLocation(operand.getEnclosingIRFunction()) + or + kind instanceof NonLocalMayMemoryAccess and + result = TUnknownNonLocalMemoryLocation(operand.getEnclosingIRFunction()) ) ) } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll index 74f7b4a2b64..42d6e7db693 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRImports.qll @@ -1,2 +1,3 @@ import semmle.code.cpp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll index 1f0f5eaccde..8c60565defc 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/IRVariableImports.qll @@ -1,3 +1,4 @@ +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.TempVariableTag as TempVariableTag import semmle.code.cpp.ir.internal.IRUtilities as IRUtilities import semmle.code.cpp.ir.internal.TempVariableTag as TTempVariableTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll index 0138af075dc..a75f70dbe2f 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/InstructionImports.qll @@ -1,4 +1,5 @@ import semmle.code.cpp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind import semmle.code.cpp.ir.implementation.Opcode as Opcode import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll index e626662ccf2..3c781579cee 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/OperandImports.qll @@ -1,3 +1,4 @@ import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.internal.Overlap as Overlap import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll index a5c09c6401b..23121523a6b 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll @@ -4,34 +4,52 @@ private import Alias private import SSAConstruction private import DebugSSA +bindingset[offset] +private string getKeySuffixForOffset(int offset) { + if offset % 2 = 0 then result = "" else result = "_Chi" +} + +bindingset[offset] +private int getIndexForOffset(int offset) { result = offset / 2 } + /** * Property provide that dumps the memory access of each result. Useful for debugging SSA * construction. */ class PropertyProvider extends IRPropertyProvider { override string getInstructionProperty(Instruction instruction, string key) { - exists(MemoryLocation location | - location = getResultMemoryLocation(instruction) and - ( - key = "ResultMemoryLocation" and result = location.toString() - or - key = "ResultVirtualVariable" and result = location.getVirtualVariable().toString() + key = "ResultMemoryLocation" and + result = strictconcat(MemoryLocation loc | + loc = getResultMemoryLocation(instruction) + | + loc.toString(), "," ) - ) or - exists(MemoryLocation location | - location = getOperandMemoryLocation(instruction.getAnOperand()) and - ( - key = "OperandMemoryAccess" and result = location.toString() - or - key = "OperandVirtualVariable" and result = location.getVirtualVariable().toString() + key = "ResultVirtualVariable" and + result = strictconcat(MemoryLocation loc | + loc = getResultMemoryLocation(instruction) + | + loc.getVirtualVariable().toString(), "," ) - ) or - exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defIndex | - hasDefinitionAtRank(useLocation, _, defBlock, defRank, defIndex) and - defBlock.getInstruction(defIndex) = instruction and - key = "DefinitionRank[" + useLocation.toString() + "]" and + key = "OperandMemoryLocation" and + result = strictconcat(MemoryLocation loc | + loc = getOperandMemoryLocation(instruction.getAnOperand()) + | + loc.toString(), "," + ) + or + key = "OperandVirtualVariable" and + result = strictconcat(MemoryLocation loc | + loc = getOperandMemoryLocation(instruction.getAnOperand()) + | + loc.getVirtualVariable().toString(), "," + ) + or + exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defOffset | + hasDefinitionAtRank(useLocation, _, defBlock, defRank, defOffset) and + defBlock.getInstruction(getIndexForOffset(defOffset)) = instruction and + key = "DefinitionRank" + getKeySuffixForOffset(defOffset) + "[" + useLocation.toString() + "]" and result = defRank.toString() ) or @@ -41,10 +59,11 @@ class PropertyProvider extends IRPropertyProvider { result = useRank.toString() ) or - exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defIndex | - hasDefinitionAtRank(useLocation, _, defBlock, defRank, defIndex) and - defBlock.getInstruction(defIndex) = instruction and - key = "DefinitionReachesUse[" + useLocation.toString() + "]" and + exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defOffset | + hasDefinitionAtRank(useLocation, _, defBlock, defRank, defOffset) and + defBlock.getInstruction(getIndexForOffset(defOffset)) = instruction and + key = "DefinitionReachesUse" + getKeySuffixForOffset(defOffset) + "[" + useLocation.toString() + + "]" and result = strictconcat(IRBlock useBlock, int useRank, int useIndex | exists(Instruction useInstruction | hasUseAtRank(useLocation, useBlock, useRank, useInstruction) and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll index 3010825d50b..7152dec5c4a 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll @@ -1,8 +1,5 @@ import SSAConstructionInternal -private import cpp -private import semmle.code.cpp.ir.implementation.Opcode -private import semmle.code.cpp.ir.implementation.internal.OperandTag -private import semmle.code.cpp.ir.internal.Overlap +private import SSAConstructionImports private import NewIR private class OldBlock = Reachability::ReachableBlock; @@ -18,7 +15,7 @@ private module Cached { } cached - predicate functionHasIR(Function func) { + predicate functionHasIR(Language::Function func) { exists(OldIR::IRFunction irFunc | irFunc.getFunction() = func) } @@ -42,7 +39,7 @@ private module Cached { not oldInstruction instanceof OldIR::PhiInstruction and hasChiNode(_, oldInstruction) } or - Unreached(Function function) { + Unreached(Language::Function function) { exists(OldInstruction oldInstruction | function = oldInstruction.getEnclosingFunction() and Reachability::isInfeasibleInstructionSuccessor(oldInstruction, _) @@ -50,12 +47,14 @@ private module Cached { } cached - predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, Type type) { + predicate hasTempVariable( + Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type + ) { exists(OldIR::IRTempVariable var | var.getEnclosingFunction() = func and var.getAST() = ast and var.getTag() = tag and - var.getType() = type + var.getLanguageType() = type ) } @@ -135,24 +134,12 @@ private module Cached { } cached - Type getInstructionOperandType(Instruction instr, TypedOperandTag tag) { + Language::LanguageType getInstructionOperandType(Instruction instr, TypedOperandTag tag) { exists(OldInstruction oldInstruction, OldIR::TypedOperand oldOperand | oldInstruction = getOldInstruction(instr) and oldOperand = oldInstruction.getAnOperand() and tag = oldOperand.getOperandTag() and - result = oldOperand.getType() - ) - } - - cached - int getInstructionOperandSize(Instruction instr, SideEffectOperandTag tag) { - exists(OldInstruction oldInstruction, OldIR::SideEffectOperand oldOperand | - oldInstruction = getOldInstruction(instr) and - oldOperand = oldInstruction.getAnOperand() and - tag = oldOperand.getOperandTag() and - // Only return a result for operands that need an explicit result size. - oldOperand.getType() instanceof UnknownType and - result = oldOperand.getSize() + result = oldOperand.getLanguageType() ) } @@ -196,20 +183,21 @@ private module Cached { } cached - Expr getInstructionConvertedResultExpression(Instruction instruction) { + Language::Expr getInstructionConvertedResultExpression(Instruction instruction) { result = getOldInstruction(instruction).getConvertedResultExpression() } cached - Expr getInstructionUnconvertedResultExpression(Instruction instruction) { + Language::Expr getInstructionUnconvertedResultExpression(Instruction instruction) { result = getOldInstruction(instruction).getUnconvertedResultExpression() } - /** + /* * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node, * that node is its successor in the new successor relation, and the Chi node's successors are * the new instructions generated from the successors of the old instruction */ + cached Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) { if hasChiNode(_, getOldInstruction(instruction)) @@ -252,7 +240,7 @@ private module Cached { } cached - Locatable getInstructionAST(Instruction instruction) { + Language::AST getInstructionAST(Instruction instruction) { exists(OldInstruction oldInstruction | instruction = WrappedInstruction(oldInstruction) or @@ -270,29 +258,25 @@ private module Cached { } cached - predicate instructionHasType(Instruction instruction, Type type, boolean isGLValue) { + Language::LanguageType getInstructionResultType(Instruction instruction) { exists(OldInstruction oldInstruction | instruction = WrappedInstruction(oldInstruction) and - type = oldInstruction.getResultType() and - if oldInstruction.isGLValue() then isGLValue = true else isGLValue = false + result = oldInstruction.getResultLanguageType() ) or exists(OldInstruction oldInstruction, Alias::VirtualVariable vvar | instruction = Chi(oldInstruction) and hasChiNode(vvar, oldInstruction) and - type = vvar.getType() and - isGLValue = false + result = vvar.getType() ) or exists(Alias::MemoryLocation location | instruction = Phi(_, location) and - type = location.getType() and - isGLValue = false + result = location.getType() ) or instruction = Unreached(_) and - type instanceof VoidType and - isGLValue = false + result = Language::getVoidType() } cached @@ -338,7 +322,7 @@ private module Cached { } cached - Field getInstructionField(Instruction instruction) { + Language::Field getInstructionField(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::FieldInstruction).getField() } @@ -348,7 +332,7 @@ private module Cached { } cached - Function getInstructionFunction(Instruction instruction) { + Language::Function getInstructionFunction(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::FunctionInstruction).getFunctionSymbol() } @@ -358,19 +342,19 @@ private module Cached { } cached - StringLiteral getInstructionStringLiteral(Instruction instruction) { + Language::StringLiteral getInstructionStringLiteral(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::StringConstantInstruction).getValue() } cached - BuiltInOperation getInstructionBuiltInOperation(Instruction instruction) { + Language::BuiltInOperation getInstructionBuiltInOperation(Instruction instruction) { result = getOldInstruction(instruction) .(OldIR::BuiltInOperationInstruction) .getBuiltInOperation() } cached - Type getInstructionExceptionType(Instruction instruction) { + Language::LanguageType getInstructionExceptionType(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::CatchByTypeInstruction).getExceptionType() } @@ -380,14 +364,9 @@ private module Cached { } cached - int getInstructionResultSize(Instruction instruction) { - // Only return a result for instructions that needed an explicit result size. - instruction.getResultType() instanceof UnknownType and - result = getOldInstruction(instruction).getResultSize() - } - - cached - predicate getInstructionInheritance(Instruction instruction, Class baseClass, Class derivedClass) { + predicate getInstructionInheritance( + Instruction instruction, Language::Class baseClass, Language::Class derivedClass + ) { exists(OldIR::InheritanceConversionInstruction oldInstr | oldInstr = getOldInstruction(instruction) and baseClass = oldInstr.getBaseClass() and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll new file mode 100644 index 00000000000..00f12020a29 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll @@ -0,0 +1,3 @@ +import semmle.code.cpp.ir.implementation.Opcode +import semmle.code.cpp.ir.implementation.internal.OperandTag +import semmle.code.cpp.ir.internal.Overlap diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll index 5eebc0b9516..c0922aff891 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionInternal.qll @@ -2,4 +2,5 @@ import semmle.code.cpp.ir.implementation.unaliased_ssa.IR as OldIR import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.reachability.ReachableBlock as Reachability import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.reachability.Dominance as Dominance import semmle.code.cpp.ir.implementation.aliased_ssa.IR as NewIR +import semmle.code.cpp.ir.internal.IRCppLanguage as Language import AliasedSSA as Alias diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRTypeInternal.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRTypeInternal.qll new file mode 100644 index 00000000000..bd6c2f4c151 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/IRTypeInternal.qll @@ -0,0 +1 @@ +import semmle.code.cpp.ir.internal.IRCppLanguage as Language diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll index 908a208b83a..fea67ef5ecd 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll @@ -2,11 +2,11 @@ private import TIRVariableInternal private import Imports::TempVariableTag newtype TIRVariable = - TIRUserVariable(Language::Variable var, Language::Type type, Language::Function func) { + TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Function func) { Construction::hasUserVariable(func, var, type) } or TIRTempVariable( - Language::Function func, Language::AST ast, TempVariableTag tag, Language::Type type + Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type ) { Construction::hasTempVariable(func, ast, tag, type) } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll index 278040f8ab8..badd48552a5 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.IRImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind private newtype TIRPropertyProvider = MkIRPropertyProvider() diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll index 3921472dc8e..de66a3c99dc 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll @@ -1,2 +1,3 @@ private import IR import InstructionSanity +import IRTypeSanity diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll index a7ca4593ac4..1a607f82c29 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll @@ -5,6 +5,7 @@ import Imports::TempVariableTag private import Imports::IRUtilities private import Imports::TTempVariableTag private import Imports::TIRVariable +private import Imports::IRType IRUserVariable getIRUserVariable(Language::Function func, Language::Variable var) { result.getVariable() = var and @@ -24,7 +25,17 @@ abstract class IRVariable extends TIRVariable { /** * Gets the type of the variable. */ - abstract Language::Type getType(); + final Language::Type getType() { getLanguageType().hasType(result, false) } + + /** + * Gets the language-neutral type of the variable. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the variable. + */ + abstract Language::LanguageType getLanguageType(); /** * Gets the AST node that declared this variable, or that introduced this @@ -59,7 +70,7 @@ abstract class IRVariable extends TIRVariable { */ class IRUserVariable extends IRVariable, TIRUserVariable { Language::Variable var; - Language::Type type; + Language::LanguageType type; IRUserVariable() { this = TIRUserVariable(var, type, func) } @@ -71,7 +82,7 @@ class IRUserVariable extends IRVariable, TIRUserVariable { result = getVariable().toString() + " " + getVariable().getLocation().toString() } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } /** * Gets the original user-declared variable. @@ -110,11 +121,11 @@ IRTempVariable getIRTempVariable(Language::AST ast, TempVariableTag tag) { class IRTempVariable extends IRVariable, IRAutomaticVariable, TIRTempVariable { Language::AST ast; TempVariableTag tag; - Language::Type type; + Language::LanguageType type; IRTempVariable() { this = TIRTempVariable(func, ast, tag, type) } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } final override Language::AST getAST() { result = ast } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll index 6d5e697150e..049983c9126 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.InstructionImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind import Imports::Opcode private import Imports::OperandTag @@ -49,7 +50,8 @@ module InstructionSanity { ( opcode instanceof ReadSideEffectOpcode or opcode instanceof Opcode::InlineAsm or - opcode instanceof Opcode::CallSideEffect + opcode instanceof Opcode::CallSideEffect or + opcode instanceof Opcode::AliasedUse ) and tag instanceof SideEffectOperandTag ) @@ -113,10 +115,12 @@ module InstructionSanity { } query predicate missingOperandType(Operand operand, string message) { - exists(Language::Function func | + exists(Language::Function func, Instruction use | not exists(operand.getType()) and - func = operand.getUse().getEnclosingFunction() and - message = "Operand missing type in function '" + Language::getIdentityString(func) + "'." + use = operand.getUse() and + func = use.getEnclosingFunction() and + message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() + + "' missing type in function '" + Language::getIdentityString(func) + "'." ) } @@ -260,6 +264,7 @@ module InstructionSanity { ) { exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex | not useOperand.getUse() instanceof UnmodeledUseInstruction and + not defInstr instanceof UnmodeledDefinitionInstruction and pointOfEvaluation(useOperand, useBlock, useIndex) and defInstr = useOperand.getAnyDef() and ( @@ -321,7 +326,7 @@ class Instruction extends Construction::TInstruction { } private string getResultPrefix() { - if getResultType() instanceof Language::VoidType + if getResultIRType() instanceof IRVoidType then result = "v" else if hasMemoryResult() @@ -353,23 +358,6 @@ class Instruction extends Construction::TInstruction { ) } - bindingset[type] - private string getValueCategoryString(string type) { - if isGLValue() then result = "glval<" + type + ">" else result = type - } - - string getResultTypeString() { - exists(string valcat | - valcat = getValueCategoryString(getResultType().toString()) and - if - getResultType() instanceof Language::UnknownType and - not isGLValue() and - exists(getResultSize()) - then result = valcat + "[" + getResultSize().toString() + "]" - else result = valcat - ) - } - /** * Gets a human-readable string that uniquely identifies this instruction * within the function. This string is used to refer to this instruction when @@ -389,7 +377,9 @@ class Instruction extends Construction::TInstruction { * * Example: `r1_1(int*)` */ - final string getResultString() { result = getResultId() + "(" + getResultTypeString() + ")" } + final string getResultString() { + result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")" + } /** * Gets a string describing the operands of this instruction, suitable for @@ -457,6 +447,16 @@ class Instruction extends Construction::TInstruction { result = Construction::getInstructionUnconvertedResultExpression(this) } + final Language::LanguageType getResultLanguageType() { + result = Construction::getInstructionResultType(this) + } + + /** + * Gets the type of the result produced by this instruction. If the instruction does not produce + * a result, its result type will be `IRVoidType`. + */ + final IRType getResultIRType() { result = getResultLanguageType().getIRType() } + /** * Gets the type of the result produced by this instruction. If the * instruction does not produce a result, its result type will be `VoidType`. @@ -464,7 +464,16 @@ class Instruction extends Construction::TInstruction { * If `isGLValue()` holds, then the result type of this instruction should be * thought of as "pointer to `getResultType()`". */ - final Language::Type getResultType() { Construction::instructionHasType(this, result, _) } + final Language::Type getResultType() { + exists(Language::LanguageType resultType | + resultType = getResultLanguageType() and + ( + resultType.hasUnspecifiedType(result, _) + or + not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType + ) + ) + } /** * Holds if the result produced by this instruction is a glvalue. If this @@ -484,7 +493,7 @@ class Instruction extends Construction::TInstruction { * result of the `Load` instruction is a prvalue of type `int`, representing * the integer value loaded from variable `x`. */ - final predicate isGLValue() { Construction::instructionHasType(this, _, true) } + final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) } /** * Gets the size of the result produced by this instruction, in bytes. If the @@ -493,16 +502,7 @@ class Instruction extends Construction::TInstruction { * If `this.isGLValue()` holds for this instruction, the value of * `getResultSize()` will always be the size of a pointer. */ - final int getResultSize() { - if isGLValue() - then - // a glvalue is always pointer-sized. - result = Language::getPointerSize() - else - if getResultType() instanceof Language::UnknownType - then result = Construction::getInstructionResultSize(this) - else result = Language::getTypeSize(getResultType()) - } + final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() } /** * Gets the opcode that specifies the operation performed by this instruction. @@ -1384,7 +1384,7 @@ class CatchInstruction extends Instruction { * An instruction that catches an exception of a specific type. */ class CatchByTypeInstruction extends CatchInstruction { - Language::Type exceptionType; + Language::LanguageType exceptionType; CatchByTypeInstruction() { getOpcode() instanceof Opcode::CatchByType and @@ -1396,7 +1396,7 @@ class CatchByTypeInstruction extends CatchInstruction { /** * Gets the type of exception to be caught. */ - final Language::Type getExceptionType() { result = exceptionType } + final Language::LanguageType getExceptionType() { result = exceptionType } } /** @@ -1423,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction { final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess } } +/** + * An instruction that consumes all escaped memory on exit from the function. + */ +class AliasedUseInstruction extends Instruction { + AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse } +} + class UnmodeledUseInstruction extends Instruction { UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll index a23fb081afe..07dd107bf12 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll @@ -1,9 +1,10 @@ private import internal.IRInternal -import Instruction -import IRBlock +private import Instruction +private import IRBlock private import internal.OperandImports as Imports -import Imports::MemoryAccessKind -import Imports::Overlap +private import Imports::MemoryAccessKind +private import Imports::IRType +private import Imports::Overlap private import Imports::OperandTag cached @@ -143,22 +144,40 @@ class Operand extends TOperand { * the definition type, such as in the case of a partial read or a read from a pointer that * has been cast to a different type. */ - Language::Type getType() { result = getAnyDef().getResultType() } + Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() } + + /** + * Gets the language-neutral type of the value consumed by this operand. This is usually the same + * as the result type of the definition instruction consumed by this operand. For register + * operands, this is always the case. For some memory operands, the operand type may be different + * from the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the value consumed by this operand. This is usually the same as the + * result type of the definition instruction consumed by this operand. For register operands, + * this is always the case. For some memory operands, the operand type may be different from + * the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final Language::Type getType() { getLanguageType().hasType(result, _) } /** * Holds if the value consumed by this operand is a glvalue. If this * holds, the value of the operand represents the address of a location, * and the type of the location is given by `getType()`. If this does * not hold, the value of the operand represents a value whose type is - * given by `getResultType()`. + * given by `getType()`. */ - predicate isGLValue() { getAnyDef().isGLValue() } + final predicate isGLValue() { getLanguageType().hasType(_, true) } /** * Gets the size of the value consumed by this operand, in bytes. If the operand does not have * a known constant size, this predicate does not hold. */ - int getSize() { result = Language::getTypeSize(getType()) } + final int getSize() { result = getLanguageType().getByteSize() } } /** @@ -170,11 +189,6 @@ class MemoryOperand extends Operand { this = TPhiOperand(_, _, _, _) } - override predicate isGLValue() { - // A `MemoryOperand` can never be a glvalue - none() - } - /** * Gets the kind of memory access performed by the operand. */ @@ -239,7 +253,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe class TypedOperand extends NonPhiMemoryOperand { override TypedOperandTag tag; - final override Language::Type getType() { + final override Language::LanguageType getLanguageType() { result = Construction::getInstructionOperandType(useInstr, tag) } } @@ -381,13 +395,10 @@ class PositionalArgumentOperand extends ArgumentOperand { class SideEffectOperand extends TypedOperand { override SideEffectOperandTag tag; - final override int getSize() { - if getType() instanceof Language::UnknownType - then result = Construction::getInstructionOperandSize(useInstr, tag) - else result = Language::getTypeSize(getType()) - } - override MemoryAccessKind getMemoryAccess() { + useInstr instanceof AliasedUseInstruction and + result instanceof NonLocalMayMemoryAccess + or useInstr instanceof CallSideEffectInstruction and result instanceof EscapedMayMemoryAccess or diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll index df6c5be7728..79e5a2b6713 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll @@ -1,5 +1,5 @@ private import internal.ValueNumberingInternal -private import cpp +private import internal.ValueNumberingImports private import IR /** @@ -23,31 +23,32 @@ newtype TValueNumber = initializeParameterValueNumber(_, irFunc, var) } or TInitializeThisValueNumber(IRFunction irFunc) { initializeThisValueNumber(_, irFunc) } or - TConstantValueNumber(IRFunction irFunc, Type type, string value) { + TConstantValueNumber(IRFunction irFunc, IRType type, string value) { constantValueNumber(_, irFunc, type, value) } or - TStringConstantValueNumber(IRFunction irFunc, Type type, string value) { + TStringConstantValueNumber(IRFunction irFunc, IRType type, string value) { stringConstantValueNumber(_, irFunc, type, value) } or - TFieldAddressValueNumber(IRFunction irFunc, Field field, ValueNumber objectAddress) { + TFieldAddressValueNumber(IRFunction irFunc, Language::Field field, ValueNumber objectAddress) { fieldAddressValueNumber(_, irFunc, field, objectAddress) } or TBinaryValueNumber( - IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand + IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { binaryValueNumber(_, irFunc, opcode, type, leftOperand, rightOperand) } or TPointerArithmeticValueNumber( - IRFunction irFunc, Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, + IRFunction irFunc, Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { pointerArithmeticValueNumber(_, irFunc, opcode, type, elementSize, leftOperand, rightOperand) } or - TUnaryValueNumber(IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand) { + TUnaryValueNumber(IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand) { unaryValueNumber(_, irFunc, opcode, type, operand) } or TInheritanceConversionValueNumber( - IRFunction irFunc, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand + IRFunction irFunc, Opcode opcode, Language::Class baseClass, Language::Class derivedClass, + ValueNumber operand ) { inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand) } or @@ -59,7 +60,7 @@ newtype TValueNumber = class ValueNumber extends TValueNumber { final string toString() { result = getExampleInstruction().getResultId() } - final Location getLocation() { result = getExampleInstruction().getLocation() } + final Language::Location getLocation() { result = getExampleInstruction().getLocation() } /** * Gets the instructions that have been assigned this value number. This will always produce at @@ -150,23 +151,23 @@ private predicate initializeThisValueNumber(InitializeThisInstruction instr, IRF } private predicate constantValueNumber( - ConstantInstruction instr, IRFunction irFunc, Type type, string value + ConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue() = value } private predicate stringConstantValueNumber( - StringConstantInstruction instr, IRFunction irFunc, Type type, string value + StringConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue().getValue() = value } private predicate fieldAddressValueNumber( - FieldAddressInstruction instr, IRFunction irFunc, Field field, ValueNumber objectAddress + FieldAddressInstruction instr, IRFunction irFunc, Language::Field field, ValueNumber objectAddress ) { instr.getEnclosingIRFunction() = irFunc and instr.getField() = field and @@ -174,43 +175,43 @@ private predicate fieldAddressValueNumber( } private predicate binaryValueNumber( - BinaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, + BinaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof PointerArithmeticInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate pointerArithmeticValueNumber( - PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, Type type, int elementSize, - ValueNumber leftOperand, ValueNumber rightOperand + PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, + int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getElementSize() = elementSize and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate unaryValueNumber( - UnaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand + UnaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof InheritanceConversionInstruction and not instr instanceof CopyInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getUnary()) = operand } private predicate inheritanceConversionValueNumber( - InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, Class baseClass, - Class derivedClass, ValueNumber operand + InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, + Language::Class baseClass, Language::Class derivedClass, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and @@ -225,7 +226,7 @@ private predicate inheritanceConversionValueNumber( */ private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) { instr.getEnclosingIRFunction() = irFunc and - not instr.getResultType() instanceof VoidType and + not instr.getResultIRType() instanceof IRVoidType and not numberableInstruction(instr) } @@ -269,38 +270,41 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) { initializeThisValueNumber(instr, irFunc) and result = TInitializeThisValueNumber(irFunc) or - exists(Type type, string value | + exists(IRType type, string value | constantValueNumber(instr, irFunc, type, value) and result = TConstantValueNumber(irFunc, type, value) ) or - exists(Type type, string value | + exists(IRType type, string value | stringConstantValueNumber(instr, irFunc, type, value) and result = TStringConstantValueNumber(irFunc, type, value) ) or - exists(Field field, ValueNumber objectAddress | + exists(Language::Field field, ValueNumber objectAddress | fieldAddressValueNumber(instr, irFunc, field, objectAddress) and result = TFieldAddressValueNumber(irFunc, field, objectAddress) ) or - exists(Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand | + exists(Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand | binaryValueNumber(instr, irFunc, opcode, type, leftOperand, rightOperand) and result = TBinaryValueNumber(irFunc, opcode, type, leftOperand, rightOperand) ) or - exists(Opcode opcode, Type type, ValueNumber operand | + exists(Opcode opcode, IRType type, ValueNumber operand | unaryValueNumber(instr, irFunc, opcode, type, operand) and result = TUnaryValueNumber(irFunc, opcode, type, operand) ) or - exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand | + exists( + Opcode opcode, Language::Class baseClass, Language::Class derivedClass, ValueNumber operand + | inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand) ) or exists( - Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand + Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, + ValueNumber rightOperand | pointerArithmeticValueNumber(instr, irFunc, opcode, type, elementSize, leftOperand, rightOperand) and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll new file mode 100644 index 00000000000..0282f6887f1 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll @@ -0,0 +1,2 @@ +import semmle.code.cpp.ir.internal.Overlap +import semmle.code.cpp.ir.internal.IRCppLanguage as Language diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll index d0f70f61498..3ec6766399e 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll @@ -1,6 +1,8 @@ private import cpp import semmle.code.cpp.ir.implementation.raw.IR private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType +private import semmle.code.cpp.ir.internal.Overlap private import semmle.code.cpp.ir.internal.TempVariableTag private import InstructionTag private import TranslatedCondition @@ -25,16 +27,16 @@ private module Cached { cached newtype TInstruction = MkInstruction(TranslatedElement element, InstructionTag tag) { - element.hasInstruction(_, tag, _, _) + element.hasInstruction(_, tag, _) } cached - predicate hasUserVariable(Function func, Variable var, Type type) { + predicate hasUserVariable(Function func, Variable var, CppType type) { getTranslatedFunction(func).hasUserVariable(var, type) } cached - predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, Type type) { + predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, CppType type) { exists(TranslatedElement element | element.getAST() = ast and func = element.getFunction() and @@ -85,22 +87,16 @@ private module Cached { } cached - Type getInstructionOperandType(Instruction instruction, TypedOperandTag tag) { + CppType getInstructionOperandType(Instruction instruction, TypedOperandTag tag) { // For all `LoadInstruction`s, the operand type of the `LoadOperand` is the same as // the result type of the load. - result = instruction.(LoadInstruction).getResultType() + result = instruction.(LoadInstruction).getResultLanguageType() or not instruction instanceof LoadInstruction and result = getInstructionTranslatedElement(instruction) .getInstructionOperandType(getInstructionTag(instruction), tag) } - cached - int getInstructionOperandSize(Instruction instruction, SideEffectOperandTag tag) { - result = getInstructionTranslatedElement(instruction) - .getInstructionOperandSize(getInstructionTag(instruction), tag) - } - cached Instruction getPhiOperandDefinition( PhiInstruction instruction, IRBlock predecessorBlock, Overlap overlap @@ -220,15 +216,15 @@ private module Cached { } cached - predicate instructionHasType(Instruction instruction, Type type, boolean isGLValue) { + CppType getInstructionResultType(Instruction instruction) { getInstructionTranslatedElement(instruction) - .hasInstruction(_, getInstructionTag(instruction), type, isGLValue) + .hasInstruction(_, getInstructionTag(instruction), result) } cached Opcode getInstructionOpcode(Instruction instruction) { getInstructionTranslatedElement(instruction) - .hasInstruction(result, getInstructionTag(instruction), _, _) + .hasInstruction(result, getInstructionTag(instruction), _) } cached @@ -283,7 +279,7 @@ private module Cached { } cached - Type getInstructionExceptionType(Instruction instruction) { + CppType getInstructionExceptionType(Instruction instruction) { result = getInstructionTranslatedElement(instruction) .getInstructionExceptionType(getInstructionTag(instruction)) } @@ -310,6 +306,11 @@ private module Cached { ) } + cached + predicate needsUnknownOpaqueType(int byteSize) { + exists(TranslatedElement element | element.needsUnknownOpaqueType(byteSize)) + } + cached int getInstructionResultSize(Instruction instruction) { exists(TranslatedElement element, InstructionTag tag | diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll index 74f7b4a2b64..42d6e7db693 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRImports.qll @@ -1,2 +1,3 @@ import semmle.code.cpp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll index 1f0f5eaccde..8c60565defc 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRVariableImports.qll @@ -1,3 +1,4 @@ +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.TempVariableTag as TempVariableTag import semmle.code.cpp.ir.internal.IRUtilities as IRUtilities import semmle.code.cpp.ir.internal.TempVariableTag as TTempVariableTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll index 0138af075dc..a75f70dbe2f 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll @@ -1,4 +1,5 @@ import semmle.code.cpp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind import semmle.code.cpp.ir.implementation.Opcode as Opcode import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll index c18ff827992..7b0d33546cf 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionTag.qll @@ -26,6 +26,7 @@ newtype TInstructionTag = UnmodeledDefinitionTag() or UnmodeledUseTag() or AliasedDefinitionTag() or + AliasedUseTag() or SwitchBranchTag() or CallTargetTag() or CallTag() or @@ -119,6 +120,8 @@ string getInstructionTagId(TInstructionTag tag) { or tag = AliasedDefinitionTag() and result = "AliasedDef" or + tag = AliasedUseTag() and result = "AliasedUse" + or tag = SwitchBranchTag() and result = "SwitchBranch" or tag = CallTargetTag() and result = "CallTarget" diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll index e626662ccf2..3c781579cee 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/OperandImports.qll @@ -1,3 +1,4 @@ import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.internal.Overlap as Overlap import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll index fd8f15a6eb3..f6cd98bcdb4 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll @@ -1,6 +1,7 @@ private import cpp private import semmle.code.cpp.ir.implementation.Opcode private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType private import semmle.code.cpp.models.interfaces.SideEffect private import InstructionTag private import TranslatedElement @@ -33,13 +34,10 @@ abstract class TranslatedCall extends TranslatedExpr { else result = getFirstCallTargetInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = CallTag() and opcode instanceof Opcode::Call and - resultType = getCallResultType() and - isGLValue = false + resultType = getTypeForPRValue(getCallResultType()) or hasSideEffect() and tag = CallSideEffectTag() and @@ -47,13 +45,12 @@ abstract class TranslatedCall extends TranslatedExpr { if hasWriteSideEffect() then ( opcode instanceof Opcode::CallSideEffect and - resultType instanceof UnknownType + resultType = getUnknownType() ) else ( opcode instanceof Opcode::CallReadSideEffect and - resultType instanceof VoidType + resultType = getVoidType() ) - ) and - isGLValue = false + ) } override Instruction getChildSuccessor(TranslatedElement child) { @@ -118,11 +115,11 @@ abstract class TranslatedCall extends TranslatedExpr { result = getEnclosingFunction().getUnmodeledDefinitionInstruction() } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = CallSideEffectTag() and hasSideEffect() and operandTag instanceof SideEffectOperandTag and - result instanceof UnknownType + result = getUnknownType() } final override Instruction getResult() { result = getInstruction(CallTag()) } @@ -224,18 +221,12 @@ abstract class TranslatedDirectCall extends TranslatedCall { final override Instruction getCallTargetResult() { result = getInstruction(CallTargetTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - TranslatedCall.super.hasInstruction(opcode, tag, resultType, isGLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + TranslatedCall.super.hasInstruction(opcode, tag, resultType) or tag = CallTargetTag() and opcode instanceof Opcode::FunctionAddress and - // The database does not contain a `FunctionType` for a function unless - // its address was taken, so we'll just use glval instead of - // glval. - resultType instanceof UnknownType and - isGLValue = true + resultType = getFunctionGLValueType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -253,7 +244,7 @@ abstract class TranslatedDirectCall extends TranslatedCall { abstract class TranslatedCallExpr extends TranslatedNonConstantExpr, TranslatedCall { override Call expr; - final override Type getCallResultType() { result = getResultType() } + final override Type getCallResultType() { result = expr.getType() } final override predicate hasArguments() { exists(expr.getArgument(0)) } @@ -349,9 +340,7 @@ class TranslatedSideEffects extends TranslatedElement, TTranslatedSideEffects { ) } - override predicate hasInstruction(Opcode opcode, InstructionTag tag, Type t, boolean isGLValue) { - none() - } + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) { none() } override Instruction getFirstInstruction() { result = getChild(0).getFirstInstruction() } @@ -359,7 +348,9 @@ class TranslatedSideEffects extends TranslatedElement, TTranslatedSideEffects { override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { none() } - override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { none() } + override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + none() + } /** * Gets the `TranslatedFunction` containing this expression. @@ -406,34 +397,30 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction(Opcode opcode, InstructionTag tag, Type t, boolean isGLValue) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) { isWrite() and hasSpecificWriteSideEffect(opcode) and tag = OnlyInstructionTag() and ( opcode instanceof BufferAccessOpcode and - t instanceof UnknownType + type = getUnknownType() or not opcode instanceof BufferAccessOpcode and - ( - t = arg.getUnspecifiedType().(DerivedType).getBaseType() and - not t instanceof VoidType - or - arg.getUnspecifiedType().(DerivedType).getBaseType() instanceof VoidType and - t instanceof UnknownType + exists(Type baseType | baseType = arg.getUnspecifiedType().(DerivedType).getBaseType() | + if baseType instanceof VoidType + then type = getUnknownType() + else type = getTypeForPRValueOrUnknown(baseType) ) or index = -1 and not arg.getUnspecifiedType() instanceof DerivedType and - t = arg.getUnspecifiedType() - ) and - isGLValue = false + type = getTypeForPRValueOrUnknown(arg.getUnspecifiedType()) + ) or not isWrite() and hasSpecificReadSideEffect(opcode) and tag = OnlyInstructionTag() and - t instanceof VoidType and - isGLValue = false + type = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -459,15 +446,27 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff .getFullyConverted()).getResult() } - override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { - tag instanceof OnlyInstructionTag and - result = arg.getType().getUnspecifiedType().(DerivedType).getBaseType() and - operandTag instanceof SideEffectOperandTag - or - tag instanceof OnlyInstructionTag and - result = arg.getType().getUnspecifiedType() and - not result instanceof DerivedType and - operandTag instanceof SideEffectOperandTag + override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + if hasSpecificReadSideEffect(any(Opcode::BufferReadSideEffect op)) + then + result = getUnknownType() and + tag instanceof OnlyInstructionTag and + operandTag instanceof SideEffectOperandTag + else + exists(Type operandType | + tag instanceof OnlyInstructionTag and + operandType = arg.getType().getUnspecifiedType().(DerivedType).getBaseType() and + operandTag instanceof SideEffectOperandTag + or + tag instanceof OnlyInstructionTag and + operandType = arg.getType().getUnspecifiedType() and + not operandType instanceof DerivedType and + operandTag instanceof SideEffectOperandTag + | + // If the type we select is an incomplete type (e.g. a forward-declared `struct`), there will + // not be a `CppType` that represents that type. In that case, fall back to `UnknownCppType`. + result = getTypeForPRValueOrUnknown(operandType) + ) } predicate hasSpecificWriteSideEffect(Opcode op) { @@ -517,7 +516,7 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff ) or not call.getTarget() instanceof SideEffectFunction and - op instanceof Opcode::IndirectReadSideEffect + op instanceof Opcode::BufferReadSideEffect } override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) { diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll index 6c501ef4284..e2fc86db7ce 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCondition.qll @@ -1,6 +1,7 @@ private import cpp private import semmle.code.cpp.ir.implementation.Opcode private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType private import InstructionTag private import TranslatedElement private import TranslatedExpr @@ -37,9 +38,7 @@ abstract class TranslatedFlexibleCondition extends TranslatedCondition, Conditio final override Instruction getFirstInstruction() { result = getOperand().getFirstInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -105,9 +104,7 @@ abstract class TranslatedBinaryLogicalOperation extends TranslatedNativeConditio result = getLeftOperand().getFirstInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -163,13 +160,10 @@ class TranslatedValueCondition extends TranslatedCondition, TTranslatedValueCond override Instruction getFirstInstruction() { result = getValueExpr().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = ValueConditionConditionalBranchTag() and opcode instanceof Opcode::ConditionalBranch and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getChildSuccessor(TranslatedElement child) { diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll index 1efe8cf9f78..294a539ec31 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedDeclarationEntry.qll @@ -1,7 +1,8 @@ private import cpp private import semmle.code.cpp.ir.implementation.Opcode -private import semmle.code.cpp.ir.internal.IRUtilities private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType +private import semmle.code.cpp.ir.internal.IRUtilities private import InstructionTag private import TranslatedElement private import TranslatedExpr @@ -54,19 +55,15 @@ abstract class TranslatedVariableDeclaration extends TranslatedElement, Initiali result = getInstruction(InitializerVariableAddressTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getVariableType(getVariable()) and - isGLValue = true + resultType = getTypeForGLValue(getVariableType(getVariable())) or hasUninitializedInstruction() and tag = InitializerStoreTag() and opcode instanceof Opcode::Uninitialized and - resultType = getVariableType(getVariable()) and - isGLValue = false + resultType = getTypeForPRValue(getVariableType(getVariable())) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll index 8ba27e9a9d6..2bffcdcc8ae 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll @@ -3,6 +3,7 @@ import semmle.code.cpp.ir.implementation.raw.IR private import semmle.code.cpp.ir.IRConfiguration private import semmle.code.cpp.ir.implementation.Opcode private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType private import semmle.code.cpp.ir.internal.TempVariableTag private import InstructionTag private import TranslatedCondition @@ -12,11 +13,6 @@ private import TranslatedExpr private import IRConstruction private import semmle.code.cpp.models.interfaces.SideEffect -/** - * Gets the built-in `int` type. - */ -Type getIntType() { result.(IntType).isImplicitlySigned() } - /** * Gets the "real" parent of `expr`. This predicate treats conversions as if * they were explicit nodes in the expression tree, rather than as implicit @@ -54,6 +50,9 @@ private predicate ignoreExprAndDescendants(Expr expr) { // constant value. isIRConstant(getRealParent(expr)) or + // Ignore descendants of `__assume` expressions, since we translated these to `NoOp`. + getRealParent(expr) instanceof AssumeExpr + or // The `DestructorCall` node for a `DestructorFieldDestruction` has a `FieldAccess` // node as its qualifier, but that `FieldAccess` does not have a child of its own. // We'll ignore that `FieldAccess`, and supply the receiver as part of the calling @@ -67,8 +66,8 @@ private predicate ignoreExprAndDescendants(Expr expr) { ) or // Do not translate input/output variables in GNU asm statements - getRealParent(expr) instanceof AsmStmt - or + // getRealParent(expr) instanceof AsmStmt + // or ignoreExprAndDescendants(getRealParent(expr)) // recursive case or // We do not yet translate destructors properly, so for now we ignore any @@ -542,9 +541,7 @@ abstract class TranslatedElement extends TTranslatedElement { * If the instruction does not return a result, `resultType` should be * `VoidType`. */ - abstract predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ); + abstract predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType); /** * Gets the `Function` that contains this element. @@ -584,7 +581,7 @@ abstract class TranslatedElement extends TTranslatedElement { * `tag` must be unique for each variable generated from the same AST node * (not just from the same `TranslatedElement`). */ - predicate hasTempVariable(TempVariableTag tag, Type type) { none() } + predicate hasTempVariable(TempVariableTag tag, CppType type) { none() } /** * If the instruction specified by `tag` is a `FunctionInstruction`, gets the @@ -629,6 +626,8 @@ abstract class TranslatedElement extends TTranslatedElement { */ int getInstructionResultSize(InstructionTag tag) { none() } + predicate needsUnknownOpaqueType(int byteSize) { none() } + /** * If the instruction specified by `tag` is a `StringConstantInstruction`, * gets the `StringLiteral` for that instruction. @@ -644,7 +643,7 @@ abstract class TranslatedElement extends TTranslatedElement { * If the instruction specified by `tag` is a `CatchByTypeInstruction`, * gets the type of the exception to be caught. */ - Type getInstructionExceptionType(InstructionTag tag) { none() } + CppType getInstructionExceptionType(InstructionTag tag) { none() } /** * If the instruction specified by `tag` is an `InheritanceConversionInstruction`, @@ -663,7 +662,7 @@ abstract class TranslatedElement extends TTranslatedElement { /** * Gets the type of the memory operand specified by `operandTag` on the the instruction specified by `tag`. */ - Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { none() } + CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { none() } /** * Gets the size of the memory operand specified by `operandTag` on the the instruction specified by `tag`. diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll index 7b9417b570d..c9806cd03c8 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll @@ -1,6 +1,8 @@ private import cpp +private import semmle.code.cpp.ir.implementation.IRType private import semmle.code.cpp.ir.implementation.Opcode private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType private import semmle.code.cpp.ir.internal.TempVariableTag private import InstructionTag private import TranslatedCondition @@ -51,10 +53,21 @@ abstract class TranslatedExpr extends TranslatedElement { */ abstract predicate producesExprResult(); + final CppType getResultType() { + if isResultGLValue() + then result = getTypeForGLValue(expr.getType()) + else result = getTypeForPRValue(expr.getType()) + } + /** - * Gets the type of the result produced by this expression. + * Holds if the result of this `TranslatedExpr` is a glvalue. */ - final Type getResultType() { result = expr.getUnspecifiedType() } + predicate isResultGLValue() { + // This implementation is overridden in `TranslatedCoreExpr` to mark them + // as glvalues if they have loads on them. It's not overridden in + // `TranslatedResultCopy` since result copies never have loads. + expr.isGLValueCategory() + } final override Locatable getAST() { result = expr } @@ -82,6 +95,22 @@ abstract class TranslatedExpr extends TranslatedElement { abstract class TranslatedCoreExpr extends TranslatedExpr { final override string toString() { result = expr.toString() } + /** + * Holds if the result of this `TranslatedExpr` is a glvalue. + */ + override predicate isResultGLValue() { + super.isResultGLValue() + or + // If this TranslatedExpr doesn't produce the result, then it must represent + // a glvalue that is then loaded by a TranslatedLoad. + hasLoad() + } + + final predicate hasLoad() { + expr.hasLValueToRValueConversion() and + not ignoreLoad(expr) + } + final override predicate producesExprResult() { // If there's no load, then this is the only TranslatedExpr for this // expression. @@ -89,30 +118,6 @@ abstract class TranslatedCoreExpr extends TranslatedExpr { // If there's a result copy, then this expression's result is the copy. not exprNeedsCopyIfNotLoaded(expr) } - - private predicate hasLoad() { - expr.hasLValueToRValueConversion() and - not ignoreLoad(expr) - } - - /** - * Returns `true` if the result of this `TranslatedExpr` is a glvalue, or - * `false` if the result is a prvalue. - * - * This predicate returns a `boolean` value instead of just a being a plain - * predicate because all of the subclass predicates that call it require a - * `boolean` value. - */ - final boolean isResultGLValue() { - if - expr.isGLValueCategory() - or - // If this TranslatedExpr doesn't produce the result, then it must represent - // a glvalue that is then loaded by a TranslatedLoad. - hasLoad() - then result = true - else result = false - } } class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext, @@ -123,38 +128,32 @@ class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext, override Instruction getFirstInstruction() { result = getCondition().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { ( tag = ConditionValueTrueTempAddressTag() or tag = ConditionValueFalseTempAddressTag() or tag = ConditionValueResultTempAddressTag() ) and opcode instanceof Opcode::VariableAddress and - resultType = getResultType() and - isGLValue = true + resultType = getTypeForGLValue(expr.getType()) or ( tag = ConditionValueTrueConstantTag() or tag = ConditionValueFalseConstantTag() ) and opcode instanceof Opcode::Constant and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() or ( tag = ConditionValueTrueStoreTag() or tag = ConditionValueFalseStoreTag() ) and opcode instanceof Opcode::Store and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() or tag = ConditionValueResultLoadTag() and opcode instanceof Opcode::Load and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -215,9 +214,9 @@ class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext, ) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CppType type) { tag = ConditionValueTempVar() and - type = getResultType() + type = getTypeForPRValue(expr.getType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -265,13 +264,10 @@ class TranslatedLoad extends TranslatedExpr, TTranslatedLoad { override TranslatedElement getChild(int id) { id = 0 and result = getOperand() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = LoadTag() and opcode instanceof Opcode::Load and - resultType = expr.getUnspecifiedType() and - if expr.isGLValueCategory() then isGLValue = true else isGLValue = false + resultType = getResultType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -318,13 +314,10 @@ class TranslatedResultCopy extends TranslatedExpr, TTranslatedResultCopy { override TranslatedElement getChild(int id) { id = 0 and result = getOperand() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = ResultCopyTag() and opcode instanceof Opcode::CopyValue and - resultType = getOperand().getResultType() and - isGLValue = getOperand().isResultGLValue() + resultType = getOperand().getResultType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -372,9 +365,7 @@ class TranslatedCommaExpr extends TranslatedNonConstantExpr { child = getRightOperand() and result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -389,6 +380,10 @@ class TranslatedCommaExpr extends TranslatedNonConstantExpr { } } +private int getElementSize(Type type) { + result = max(type.getUnspecifiedType().(PointerType).getBaseType().getSize()) +} + abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr { override CrementOperation expr; @@ -397,9 +392,9 @@ abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr { final override string getInstructionConstantValue(InstructionTag tag) { tag = CrementConstantTag() and exists(Type resultType | - resultType = getResultType() and + resultType = expr.getUnspecifiedType() and ( - resultType instanceof IntegralType and result = "1" + resultType instanceof IntegralOrEnumType and result = "1" or resultType instanceof FloatingPointType and result = "1.0" or @@ -408,38 +403,34 @@ abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr { ) } - private Type getConstantType() { + private CppType getConstantType() { exists(Type resultType | - resultType = getResultType() and + resultType = expr.getUnspecifiedType() and ( - resultType instanceof ArithmeticType and result = resultType + resultType instanceof ArithmeticType and + result = getTypeForPRValue(expr.getType()) or resultType instanceof PointerType and result = getIntType() ) ) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - isGLValue = false and - ( - tag = CrementLoadTag() and - opcode instanceof Opcode::Load and - resultType = getResultType() - or - tag = CrementConstantTag() and - opcode instanceof Opcode::Constant and - resultType = getConstantType() - or - tag = CrementOpTag() and - opcode = getOpcode() and - resultType = getResultType() - or - tag = CrementStoreTag() and - opcode instanceof Opcode::Store and - resultType = getResultType() - ) + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + tag = CrementLoadTag() and + opcode instanceof Opcode::Load and + resultType = getTypeForPRValue(expr.getType()) + or + tag = CrementConstantTag() and + opcode instanceof Opcode::Constant and + resultType = getConstantType() + or + tag = CrementOpTag() and + opcode = getOpcode() and + resultType = getTypeForPRValue(expr.getType()) + or + tag = CrementStoreTag() and + opcode instanceof Opcode::Store and + resultType = getTypeForPRValue(expr.getType()) } final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -500,7 +491,7 @@ abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr { getOpcode() instanceof Opcode::PointerAdd or getOpcode() instanceof Opcode::PointerSub ) and - result = max(getResultType().(PointerType).getBaseType().getSize()) + result = getElementSize(expr.getType()) } final TranslatedExpr getOperand() { @@ -509,7 +500,7 @@ abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr { final Opcode getOpcode() { exists(Type resultType | - resultType = getResultType() and + resultType = expr.getUnspecifiedType() and ( ( expr instanceof IncrementOperation and @@ -590,13 +581,10 @@ class TranslatedArrayExpr extends TranslatedNonConstantExpr { override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::PointerAdd and - resultType = getResultType() and - isGLValue = true + resultType = getTypeForGLValue(expr.getType()) } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -612,7 +600,7 @@ class TranslatedArrayExpr extends TranslatedNonConstantExpr { override int getInstructionElementSize(InstructionTag tag) { tag = OnlyInstructionTag() and - result = max(getResultType().getSize()) + result = max(expr.getUnspecifiedType().getSize()) } private TranslatedExpr getBaseOperand() { @@ -635,9 +623,7 @@ abstract class TranslatedTransparentExpr extends TranslatedNonConstantExpr { child = getOperand() and result = getParent().getChildSuccessor(this) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -688,13 +674,10 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr { final override TranslatedElement getChild(int id) { none() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::CopyValue and - resultType = expr.getUnspecifiedType() and - isGLValue = false + resultType = getResultType() } final override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) } @@ -755,13 +738,10 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess { override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { none() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::VariableAddress and - resultType = getResultType() and - isGLValue = true + resultType = getTypeForGLValue(expr.getType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -781,13 +761,10 @@ class TranslatedFieldAccess extends TranslatedVariableAccess { result = getQualifier().getResult() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::FieldAddress and - resultType = getResultType() and - isGLValue = true + resultType = getTypeForGLValue(expr.getType()) } override Field getInstructionField(InstructionTag tag) { @@ -811,13 +788,10 @@ class TranslatedFunctionAccess extends TranslatedNonConstantExpr { kind instanceof GotoEdge } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::FunctionAddress and - resultType = expr.getUnspecifiedType() and - isGLValue = true + resultType = getResultType() } override Function getInstructionFunction(InstructionTag tag) { @@ -859,15 +833,10 @@ abstract class TranslatedConstantExpr extends TranslatedCoreExpr, TTranslatedVal none() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode = getOpcode() and - resultType = getResultType() and - if expr.isGLValueCategory() or expr.hasLValueToRValueConversion() - then isGLValue = true - else isGLValue = false + resultType = getResultType() } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -913,13 +882,10 @@ abstract class TranslatedSingleInstructionExpr extends TranslatedNonConstantExpr */ abstract Opcode getOpcode(); - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { opcode = getOpcode() and tag = OnlyInstructionTag() and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() } final override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) } @@ -993,13 +959,10 @@ abstract class TranslatedSingleInstructionConversion extends TranslatedConversio child = getOperand() and result = getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode = getOpcode() and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() } override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) } @@ -1044,7 +1007,7 @@ class TranslatedDynamicCast extends TranslatedSingleInstructionConversion { override Opcode getOpcode() { exists(Type resultType | - resultType = getResultType() and + resultType = expr.getUnspecifiedType() and if resultType instanceof PointerType then if resultType.(PointerType).getBaseType() instanceof VoidType @@ -1102,19 +1065,14 @@ class TranslatedBoolConversion extends TranslatedConversion { child = getOperand() and result = getInstruction(BoolConversionConstantTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - isGLValue = false and - ( - tag = BoolConversionConstantTag() and - opcode instanceof Opcode::Constant and - resultType = getOperand().getResultType() - or - tag = BoolConversionCompareTag() and - opcode instanceof Opcode::CompareNE and - resultType instanceof BoolType - ) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + tag = BoolConversionConstantTag() and + opcode instanceof Opcode::Constant and + resultType = getOperand().getResultType() + or + tag = BoolConversionCompareTag() and + opcode instanceof Opcode::CompareNE and + resultType = getBoolType() } override Instruction getResult() { result = getInstruction(BoolConversionCompareTag()) } @@ -1245,7 +1203,7 @@ class TranslatedBinaryOperation extends TranslatedSingleInstructionExpr { opcode instanceof Opcode::PointerSub or opcode instanceof Opcode::PointerDiff ) and - result = max(getPointerOperand().getResultType().(PointerType).getBaseType().getSize()) + result = getElementSize(getPointerOperand().getExpr().getType()) ) } @@ -1330,13 +1288,10 @@ class TranslatedAssignExpr extends TranslatedAssignment { result = getInstruction(AssignmentStoreTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = AssignmentStoreTag() and opcode instanceof Opcode::Store and - resultType = getResultType() and - isGLValue = false + resultType = getTypeForPRValue(expr.getType()) // Always a prvalue } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -1413,14 +1368,16 @@ class TranslatedAssignOperation extends TranslatedAssignment { // anyway. If we really want to model this case perfectly, we'll need the // extractor to tell us what the promoted type of the left operand would // be. - result = getLeftOperand().getResultType() + result = getLeftOperand().getExpr().getType() else // The right operand has already been converted to the type of the op. - result = getRightOperand().getResultType() + result = getRightOperand().getExpr().getType() } private predicate leftOperandNeedsConversion() { - getConvertedLeftOperandType() != getLeftOperand().getResultType() + getConvertedLeftOperandType().getUnspecifiedType() != getLeftOperand() + .getExpr() + .getUnspecifiedType() } private Opcode getOpcode() { @@ -1449,32 +1406,27 @@ class TranslatedAssignOperation extends TranslatedAssignment { expr instanceof AssignPointerSubExpr and result instanceof Opcode::PointerSub } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - isGLValue = false and + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + tag = AssignOperationLoadTag() and + opcode instanceof Opcode::Load and + resultType = getTypeForPRValue(getLeftOperand().getExpr().getType()) + or + tag = AssignOperationOpTag() and + opcode = getOpcode() and + resultType = getTypeForPRValue(getConvertedLeftOperandType()) + or + tag = AssignmentStoreTag() and + opcode instanceof Opcode::Store and + resultType = getTypeForPRValue(expr.getType()) // Always a prvalue + or + leftOperandNeedsConversion() and + opcode instanceof Opcode::Convert and ( - tag = AssignOperationLoadTag() and - opcode instanceof Opcode::Load and - resultType = getLeftOperand().getResultType() + tag = AssignOperationConvertLeftTag() and + resultType = getTypeForPRValue(getConvertedLeftOperandType()) or - tag = AssignOperationOpTag() and - opcode = getOpcode() and - resultType = getConvertedLeftOperandType() - or - tag = AssignmentStoreTag() and - opcode instanceof Opcode::Store and - resultType = getResultType() - or - leftOperandNeedsConversion() and - opcode instanceof Opcode::Convert and - ( - tag = AssignOperationConvertLeftTag() and - resultType = getConvertedLeftOperandType() - or - tag = AssignOperationConvertResultTag() and - resultType = getLeftOperand().getResultType() - ) + tag = AssignOperationConvertResultTag() and + resultType = getTypeForPRValue(getLeftOperand().getExpr().getType()) ) } @@ -1484,7 +1436,7 @@ class TranslatedAssignOperation extends TranslatedAssignment { opcode = getOpcode() and (opcode instanceof Opcode::PointerAdd or opcode instanceof Opcode::PointerSub) ) and - result = max(getResultType().(PointerType).getBaseType().getSize()) + result = getElementSize(expr.getType()) } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -1566,13 +1518,10 @@ class TranslatedConstantAllocationSize extends TranslatedAllocationSize { final override Instruction getFirstInstruction() { result = getInstruction(AllocationSizeTag()) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = AllocationSizeTag() and opcode instanceof Opcode::Constant and - resultType = expr.getAllocator().getParameter(0).getUnspecifiedType() and - isGLValue = false + resultType = getTypeForPRValue(expr.getAllocator().getParameter(0).getType()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -1605,11 +1554,8 @@ class TranslatedNonConstantAllocationSize extends TranslatedAllocationSize { final override Instruction getFirstInstruction() { result = getExtent().getFirstInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - isGLValue = false and - resultType = expr.getAllocator().getParameter(0).getUnspecifiedType() and + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + resultType = getTypeForPRValue(expr.getAllocator().getParameter(0).getType()) and ( // Convert the extent to `size_t`, because the AST doesn't do this already. tag = AllocationExtentConvertTag() and opcode instanceof Opcode::Convert @@ -1681,7 +1627,7 @@ class TranslatedAllocatorCall extends TTranslatedAllocatorCall, TranslatedDirect tag = CallTargetTag() and result = expr.getAllocator() } - final override Type getCallResultType() { result = expr.getAllocator().getUnspecifiedType() } + final override Type getCallResultType() { result = expr.getAllocator().getType() } final override TranslatedExpr getQualifier() { none() } @@ -1736,13 +1682,10 @@ class TranslatedDestructorFieldDestruction extends TranslatedNonConstantExpr, St final override TranslatedElement getChild(int id) { id = 0 and result = getDestructorCall() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::FieldAddress and - resultType = expr.getTarget().getUnspecifiedType() and - isGLValue = true + resultType = getTypeForGLValue(expr.getTarget().getType()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -1789,9 +1732,7 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont override Instruction getFirstInstruction() { result = getCondition().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { not resultIsVoid() and ( ( @@ -1802,8 +1743,11 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont tag = ConditionValueResultTempAddressTag() ) and opcode instanceof Opcode::VariableAddress and - resultType = getResultType() and - isGLValue = true + ( + if expr.isGLValueCategory() + then resultType = getTypeForGLValue(any(UnknownType t)) // glvalue to a glvalue + else resultType = getTypeForGLValue(expr.getType()) // glvalue to the result type + ) or ( not thenIsVoid() and tag = ConditionValueTrueStoreTag() @@ -1811,13 +1755,11 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont not elseIsVoid() and tag = ConditionValueFalseStoreTag() ) and opcode instanceof Opcode::Store and - resultType = getResultType() and - isGLValue = false + resultType = getResultType() or tag = ConditionValueResultLoadTag() and opcode instanceof Opcode::Load and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() ) } @@ -1885,7 +1827,7 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont ) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CppType type) { not resultIsVoid() and tag = ConditionValueTempVar() and type = getResultType() @@ -1945,7 +1887,7 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont } private predicate thenIsVoid() { - getThen().getResultType() instanceof VoidType + getThen().getResultType().getIRType() instanceof IRVoidType or // A `ThrowExpr.getType()` incorrectly returns the type of exception being // thrown, rather than `void`. Handle that case here. @@ -1953,14 +1895,14 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont } private predicate elseIsVoid() { - getElse().getResultType() instanceof VoidType + getElse().getResultType().getIRType() instanceof IRVoidType or // A `ThrowExpr.getType()` incorrectly returns the type of exception being // thrown, rather than `void`. Handle that case here. expr.getElse() instanceof ThrowExpr } - private predicate resultIsVoid() { getResultType() instanceof VoidType } + private predicate resultIsVoid() { getResultType().getIRType() instanceof IRVoidType } } /** @@ -1969,13 +1911,10 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont abstract class TranslatedThrowExpr extends TranslatedNonConstantExpr { override ThrowExpr expr; - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = ThrowTag() and opcode = getThrowOpcode() and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -2002,15 +1941,12 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContex result = getInstruction(InitializerVariableAddressTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - TranslatedThrowExpr.super.hasInstruction(opcode, tag, resultType, isGLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + TranslatedThrowExpr.super.hasInstruction(opcode, tag, resultType) or tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getExceptionType() and - isGLValue = true + resultType = getTypeForGLValue(getExceptionType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -2031,9 +1967,9 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContex result = getIRTempVariable(expr, ThrowTempVar()) } - final override predicate hasTempVariable(TempVariableTag tag, Type type) { + final override predicate hasTempVariable(TempVariableTag tag, CppType type) { tag = ThrowTempVar() and - type = getExceptionType() + type = getTypeForPRValue(getExceptionType()) } final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -2047,10 +1983,10 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContex ) } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = ThrowTag() and operandTag instanceof LoadOperandTag and - result = getExceptionType() + result = getTypeForPRValue(getExceptionType()) } override Instruction getTargetAddress() { @@ -2065,7 +2001,7 @@ class TranslatedThrowValueExpr extends TranslatedThrowExpr, InitializationContex final override Opcode getThrowOpcode() { result instanceof Opcode::ThrowValue } - private Type getExceptionType() { result = expr.getUnspecifiedType() } + private Type getExceptionType() { result = expr.getType() } } /** @@ -2123,13 +2059,10 @@ class TranslatedBuiltInOperation extends TranslatedNonConstantExpr { ) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode = getOpcode() and - resultType = getResultType() and - isGLValue = isResultGLValue() + resultType = getResultType() } final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -2196,13 +2129,10 @@ abstract class TranslatedNewOrNewArrayExpr extends TranslatedNonConstantExpr, In id = 1 and result = getInitialization() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::Convert and - resultType = getResultType() and - isGLValue = false + resultType = getResultType() } final override Instruction getFirstInstruction() { @@ -2363,9 +2293,7 @@ class TranslatedConditionDeclExpr extends TranslatedNonConstantExpr { child = getConditionExpr() and result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -2414,23 +2342,18 @@ class TranslatedLambdaExpr extends TranslatedNonConstantExpr, InitializationCont result = getInstruction(LoadTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getResultType() and - isGLValue = true + resultType = getTypeForGLValue(expr.getType()) or tag = InitializerStoreTag() and opcode instanceof Opcode::Uninitialized and - resultType = getResultType() and - isGLValue = false + resultType = getTypeForPRValue(expr.getType()) or tag = LoadTag() and opcode instanceof Opcode::Load and - resultType = getResultType() and - isGLValue = false + resultType = getTypeForPRValue(expr.getType()) } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -2456,16 +2379,16 @@ class TranslatedLambdaExpr extends TranslatedNonConstantExpr, InitializationCont result = getTempVariable(LambdaTempVar()) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CppType type) { tag = LambdaTempVar() and - type = getResultType() + type = getTypeForPRValue(expr.getType()) } final override Instruction getTargetAddress() { result = getInstruction(InitializerVariableAddressTag()) } - final override Type getTargetType() { result = getResultType() } + final override Type getTargetType() { result = expr.getType() } private predicate hasInitializer() { exists(getInitialization()) } @@ -2496,13 +2419,10 @@ class TranslatedStmtExpr extends TranslatedNonConstantExpr { result = getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { opcode instanceof Opcode::CopyValue and tag instanceof OnlyInstructionTag and - resultType = expr.getType() and - isGLValue = false + resultType = getResultType() } override Instruction getResult() { result = getInstruction(OnlyInstructionTag()) } @@ -2589,3 +2509,26 @@ private predicate exprImmediatelyDiscarded(Expr expr) { or exists(ForStmt for | for.getUpdate() = expr) } + +/** + * The IR translation of an `__assume` expression. We currently translate these as `NoOp`. In the + * future, we will probably want to do something better. At a minimum, we can model `__assume(0)` as + * `Unreached`. + */ +class TranslatedAssumeExpr extends TranslatedSingleInstructionExpr { + override AssumeExpr expr; + + final override Opcode getOpcode() { result instanceof Opcode::NoOp } + + final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } + + final override TranslatedElement getChild(int id) { none() } + + final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { + tag = OnlyInstructionTag() and + result = getParent().getChildSuccessor(this) and + kind instanceof GotoEdge + } + + final override Instruction getChildSuccessor(TranslatedElement child) { none() } +} diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll index a035f8b9b31..5b437f45c54 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll @@ -1,6 +1,7 @@ private import cpp import semmle.code.cpp.ir.implementation.raw.IR private import semmle.code.cpp.ir.implementation.Opcode +private import semmle.code.cpp.ir.internal.CppType private import semmle.code.cpp.ir.internal.IRUtilities private import semmle.code.cpp.ir.implementation.internal.OperandTag private import semmle.code.cpp.ir.internal.TempVariableTag @@ -95,6 +96,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { result = getInstruction(UnmodeledUseTag()) or tag = UnmodeledUseTag() and + result = getInstruction(AliasedUseTag()) + or + tag = AliasedUseTag() and result = getInstruction(ExitFunctionTag()) ) } @@ -115,55 +119,46 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { or ( child = getDestructorDestructionList() and - if getReturnType() instanceof VoidType - then result = getInstruction(ReturnTag()) - else result = getInstruction(ReturnValueAddressTag()) + if hasReturnValue() + then result = getInstruction(ReturnValueAddressTag()) + else result = getInstruction(ReturnTag()) ) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { ( tag = EnterFunctionTag() and opcode instanceof Opcode::EnterFunction and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() or tag = UnmodeledDefinitionTag() and opcode instanceof Opcode::UnmodeledDefinition and - resultType instanceof UnknownType and - isGLValue = false + resultType = getUnknownType() or tag = AliasedDefinitionTag() and opcode instanceof Opcode::AliasedDefinition and - resultType instanceof UnknownType and - isGLValue = false + resultType = getUnknownType() or tag = InitializeThisTag() and opcode instanceof Opcode::InitializeThis and - resultType = getThisType() and - isGLValue = true + resultType = getTypeForGLValue(getThisType()) or tag = ReturnValueAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getReturnType() and - not resultType instanceof VoidType and - isGLValue = true + resultType = getTypeForGLValue(getReturnType()) and + hasReturnValue() or ( tag = ReturnTag() and - resultType instanceof VoidType and - isGLValue = false and - if getReturnType() instanceof VoidType - then opcode instanceof Opcode::ReturnVoid - else opcode instanceof Opcode::ReturnValue + resultType = getVoidType() and + if hasReturnValue() + then opcode instanceof Opcode::ReturnValue + else opcode instanceof Opcode::ReturnVoid ) or tag = UnwindTag() and opcode instanceof Opcode::Unwind and - resultType instanceof VoidType and - isGLValue = false and + resultType = getVoidType() and ( // Only generate the `Unwind` instruction if there is any exception // handling present in the function. @@ -173,13 +168,15 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { or tag = UnmodeledUseTag() and opcode instanceof Opcode::UnmodeledUse and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() + or + tag = AliasedUseTag() and + opcode instanceof Opcode::AliasedUse and + resultType = getVoidType() or tag = ExitFunctionTag() and opcode instanceof Opcode::ExitFunction and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() ) } @@ -197,8 +194,12 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { operandTag instanceof UnmodeledUseOperandTag and result = getUnmodeledDefinitionInstruction() or + tag = AliasedUseTag() and + operandTag instanceof SideEffectOperandTag and + result = getUnmodeledDefinitionInstruction() + or tag = ReturnTag() and - not getReturnType() instanceof VoidType and + hasReturnValue() and ( operandTag instanceof AddressOperandTag and result = getInstruction(ReturnValueAddressTag()) @@ -208,11 +209,15 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { ) } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = ReturnTag() and - not getReturnType() instanceof VoidType and + hasReturnValue() and operandTag instanceof LoadOperandTag and - result = getReturnType() + result = getTypeForPRValue(getReturnType()) + or + tag = AliasedUseTag() and + operandTag instanceof SideEffectOperandTag and + result = getUnknownType() } final override IRVariable getInstructionVariable(InstructionTag tag) { @@ -220,10 +225,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { result = getReturnVariable() } - final override predicate hasTempVariable(TempVariableTag tag, Type type) { + final override predicate hasTempVariable(TempVariableTag tag, CppType type) { tag = ReturnValueTempVar() and - type = getReturnType() and - not type instanceof VoidType + hasReturnValue() and + type = getTypeForPRValue(getReturnType()) } /** @@ -241,6 +246,11 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { result = getIRTempVariable(func, ReturnValueTempVar()) } + /** + * Holds if the function has a non-`void` return type. + */ + final predicate hasReturnValue() { not func.getUnspecifiedType() instanceof VoidType } + /** * Gets the single `UnmodeledDefinition` instruction for this function. */ @@ -271,7 +281,7 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { * parameters and local variables, plus any global variables or static data members that are * directly accessed by the function. */ - final predicate hasUserVariable(Variable var, Type type) { + final predicate hasUserVariable(Variable var, CppType type) { ( ( var instanceof GlobalOrNamespaceVariable @@ -287,10 +297,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { or var.(Parameter).getCatchBlock().getEnclosingFunction() = func ) and - type = getVariableType(var) + type = getTypeForPRValue(getVariableType(var)) } - final private Type getReturnType() { result = func.getUnspecifiedType() } + final Type getReturnType() { result = func.getType() } } /** @@ -335,18 +345,14 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter { final override Instruction getChildSuccessor(TranslatedElement child) { none() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getVariableType(param) and - isGLValue = true + resultType = getTypeForGLValue(getVariableType(param)) or tag = InitializerStoreTag() and opcode instanceof Opcode::InitializeParameter and - resultType = getVariableType(param) and - isGLValue = false + resultType = getTypeForPRValue(getVariableType(param)) } final override IRVariable getInstructionVariable(InstructionTag tag) { @@ -404,9 +410,7 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon else result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -469,9 +473,7 @@ class TranslatedDestructorDestructionList extends TranslatedElement, else result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll index 01c29d422f4..21ad11513bd 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll @@ -1,6 +1,7 @@ private import cpp private import semmle.code.cpp.ir.implementation.Opcode private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType private import InstructionTag private import TranslatedElement private import TranslatedExpr @@ -79,9 +80,7 @@ abstract class TranslatedListInitialization extends TranslatedInitialization, In ) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -150,13 +149,10 @@ class TranslatedSimpleDirectInitialization extends TranslatedDirectInitializatio not expr instanceof StringLiteral } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = InitializerStoreTag() and opcode instanceof Opcode::Store and - resultType = getContext().getTargetType() and - isGLValue = false + resultType = getTypeForPRValue(getContext().getTargetType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -188,20 +184,16 @@ class TranslatedSimpleDirectInitialization extends TranslatedDirectInitializatio class TranslatedStringLiteralInitialization extends TranslatedDirectInitialization { override StringLiteral expr; - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { // Load the string literal to make it a prvalue of type `char[len]` tag = InitializerLoadStringTag() and opcode instanceof Opcode::Load and - resultType = getInitializer().getResultType() and - isGLValue = false + resultType = getTypeForPRValue(expr.getType()) or // Store the string into the target. tag = InitializerStoreTag() and opcode instanceof Opcode::Store and - resultType = getInitializer().getResultType() and - isGLValue = false + resultType = getTypeForPRValue(expr.getType()) or exists(int startIndex, int elementCount | // If the initializer string isn't large enough to fill the target, then @@ -213,26 +205,22 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati // space in the target array. tag = ZeroPadStringConstantTag() and opcode instanceof Opcode::Constant and - resultType instanceof UnknownType and - isGLValue = false + resultType = getUnknownOpaqueType(elementCount * getElementType().getSize()) or // The index of the first element to be zero initialized. tag = ZeroPadStringElementIndexTag() and opcode instanceof Opcode::Constant and - resultType = getIntType() and - isGLValue = false + resultType = getIntType() or // Compute the address of the first element to be zero initialized. tag = ZeroPadStringElementAddressTag() and opcode instanceof Opcode::PointerAdd and - resultType = getElementType() and - isGLValue = true + resultType = getTypeForGLValue(getElementType()) or // Store the constant zero into the remainder of the string. tag = ZeroPadStringStoreTag() and opcode instanceof Opcode::Store and - resultType instanceof UnknownType and - isGLValue = false + resultType = getUnknownOpaqueType(elementCount * getElementType().getSize()) ) ) } @@ -326,6 +314,13 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati ) } + override predicate needsUnknownOpaqueType(int byteSize) { + exists(int elementCount | + zeroInitRange(_, elementCount) and + byteSize = elementCount * getElementType().getSize() + ) + } + override int getInstructionResultSize(InstructionTag tag) { exists(int elementCount | zeroInitRange(_, elementCount) and @@ -338,7 +333,7 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati } private Type getElementType() { - result = getContext().getTargetType().(ArrayType).getBaseType().getUnspecifiedType() + result = getContext().getTargetType().getUnspecifiedType().(ArrayType).getBaseType() } /** @@ -348,7 +343,7 @@ class TranslatedStringLiteralInitialization extends TranslatedDirectInitializati private predicate zeroInitRange(int startIndex, int elementCount) { exists(int targetCount | startIndex = expr.getUnspecifiedType().(ArrayType).getArraySize() and - targetCount = getContext().getTargetType().(ArrayType).getArraySize() and + targetCount = getContext().getTargetType().getUnspecifiedType().(ArrayType).getArraySize() and elementCount = targetCount - startIndex and elementCount > 0 ) @@ -359,9 +354,7 @@ class TranslatedConstructorInitialization extends TranslatedDirectInitialization StructorCallContext { override ConstructorCall expr; - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -412,13 +405,10 @@ abstract class TranslatedFieldInitialization extends TranslatedElement { */ final int getOrder() { result = field.getInitializationOrder() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = getFieldAddressTag() and opcode instanceof Opcode::FieldAddress and - resultType = field.getUnspecifiedType() and - isGLValue = true + resultType = getTypeForGLValue(field.getType()) } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -481,20 +471,16 @@ class TranslatedFieldValueInitialization extends TranslatedFieldInitialization, TTranslatedFieldValueInitialization { TranslatedFieldValueInitialization() { this = TTranslatedFieldValueInitialization(ast, field) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - TranslatedFieldInitialization.super.hasInstruction(opcode, tag, resultType, isGLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + TranslatedFieldInitialization.super.hasInstruction(opcode, tag, resultType) or tag = getFieldDefaultValueTag() and opcode instanceof Opcode::Constant and - resultType = field.getUnspecifiedType() and - isGLValue = false + resultType = getTypeForPRValue(field.getType()) or tag = getFieldDefaultValueStoreTag() and opcode instanceof Opcode::Store and - resultType = field.getUnspecifiedType() and - isGLValue = false + resultType = getTypeForPRValue(field.getUnspecifiedType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -557,18 +543,14 @@ abstract class TranslatedElementInitialization extends TranslatedElement { final override Instruction getFirstInstruction() { result = getInstruction(getElementIndexTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = getElementIndexTag() and opcode instanceof Opcode::Constant and - resultType = getIntType() and - isGLValue = false + resultType = getIntType() or tag = getElementAddressTag() and opcode instanceof Opcode::PointerAdd and - resultType = getElementType() and - isGLValue = true + resultType = getTypeForGLValue(getElementType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -606,7 +588,7 @@ abstract class TranslatedElementInitialization extends TranslatedElement { final ArrayOrVectorAggregateLiteral getInitList() { result = initList } - final Type getElementType() { result = initList.getElementType().getUnspecifiedType() } + final Type getElementType() { result = initList.getElementType() } } /** @@ -659,20 +641,16 @@ class TranslatedElementValueInitialization extends TranslatedElementInitializati this = TTranslatedElementValueInitialization(initList, elementIndex, elementCount) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { - TranslatedElementInitialization.super.hasInstruction(opcode, tag, resultType, isGLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { + TranslatedElementInitialization.super.hasInstruction(opcode, tag, resultType) or tag = getElementDefaultValueTag() and opcode instanceof Opcode::Constant and - resultType = getDefaultValueType() and - isGLValue = false + resultType = getDefaultValueType() or tag = getElementDefaultValueStoreTag() and opcode instanceof Opcode::Store and - resultType = getDefaultValueType() and - isGLValue = false + resultType = getDefaultValueType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -726,6 +704,10 @@ class TranslatedElementValueInitialization extends TranslatedElementInitializati override int getElementIndex() { result = elementIndex } + override predicate needsUnknownOpaqueType(int byteSize) { + elementCount != 0 and byteSize = elementCount * getElementType().getSize() + } + private InstructionTag getElementDefaultValueTag() { result = InitializerElementDefaultValueTag() } @@ -734,8 +716,10 @@ class TranslatedElementValueInitialization extends TranslatedElementInitializati result = InitializerElementDefaultValueStoreTag() } - private Type getDefaultValueType() { - if elementCount = 1 then result = getElementType() else result instanceof UnknownType + private CppType getDefaultValueType() { + if elementCount = 1 + then result = getTypeForPRValue(getElementType()) + else result = getUnknownOpaqueType(elementCount * getElementType().getSize()) } } @@ -766,13 +750,10 @@ abstract class TranslatedStructorCallFromStructor extends TranslatedElement, Str abstract class TranslatedBaseStructorCall extends TranslatedStructorCallFromStructor { final override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::ConvertToBase and - resultType = call.getTarget().getDeclaringType().getUnspecifiedType() and - isGLValue = true + resultType = getTypeForGLValue(call.getTarget().getDeclaringType()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -822,9 +803,7 @@ class TranslatedConstructorDelegationInit extends TranslatedConstructorCallFromC result = getStructorCall().getFirstInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll index d84e9fc1c4e..62cbba8604b 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedStmt.qll @@ -1,6 +1,7 @@ private import cpp private import semmle.code.cpp.ir.internal.IRUtilities private import semmle.code.cpp.ir.implementation.internal.OperandTag +private import semmle.code.cpp.ir.internal.CppType private import semmle.code.cpp.ir.internal.TempVariableTag private import InstructionTag private import TranslatedCondition @@ -35,13 +36,10 @@ class TranslatedEmptyStmt extends TranslatedStmt { override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::NoOp and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -63,9 +61,7 @@ class TranslatedDeclStmt extends TranslatedStmt { override TranslatedElement getChild(int id) { result = getDeclarationEntry(id) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -112,9 +108,7 @@ class TranslatedExprStmt extends TranslatedStmt { override TranslatedElement getChild(int id) { id = 0 and result = getExpr() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -145,13 +139,10 @@ class TranslatedReturnValueStmt extends TranslatedReturnStmt, InitializationCont result = getInstruction(InitializerVariableAddressTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getEnclosingFunction().getReturnVariable().getType() and - isGLValue = true + resultType = getTypeForGLValue(getEnclosingFunction().getReturnType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -174,7 +165,7 @@ class TranslatedReturnValueStmt extends TranslatedReturnStmt, InitializationCont result = getInstruction(InitializerVariableAddressTag()) } - override Type getTargetType() { result = getEnclosingFunction().getReturnVariable().getType() } + override Type getTargetType() { result = getEnclosingFunction().getReturnType() } TranslatedInitialization getInitialization() { result = getTranslatedInitialization(stmt.getExpr().getFullyConverted()) @@ -188,13 +179,10 @@ class TranslatedReturnVoidStmt extends TranslatedReturnStmt { override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::NoOp and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -218,9 +206,7 @@ class TranslatedTryStmt extends TranslatedStmt { result = getHandler(id - 1) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -262,14 +248,11 @@ class TranslatedBlock extends TranslatedStmt { override TranslatedElement getChild(int id) { result = getStmt(id) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { isEmpty() and opcode instanceof Opcode::NoOp and tag = OnlyInstructionTag() and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getFirstInstruction() { @@ -330,13 +313,10 @@ abstract class TranslatedHandler extends TranslatedStmt { class TranslatedCatchByTypeHandler extends TranslatedHandler { TranslatedCatchByTypeHandler() { exists(stmt.getParameter()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = CatchTag() and opcode instanceof Opcode::CatchByType and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override TranslatedElement getChild(int id) { @@ -362,9 +342,9 @@ class TranslatedCatchByTypeHandler extends TranslatedHandler { ) } - override Type getInstructionExceptionType(InstructionTag tag) { + override CppType getInstructionExceptionType(InstructionTag tag) { tag = CatchTag() and - result = stmt.getParameter().getType() + result = getTypeForPRValue(stmt.getParameter().getType()) } private TranslatedParameter getParameter() { @@ -378,13 +358,10 @@ class TranslatedCatchByTypeHandler extends TranslatedHandler { class TranslatedCatchAnyHandler extends TranslatedHandler { TranslatedCatchAnyHandler() { not exists(stmt.getParameter()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = CatchTag() and opcode instanceof Opcode::CatchAny and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -436,9 +413,7 @@ class TranslatedIfStmt extends TranslatedStmt, ConditionContext { result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } } @@ -466,9 +441,7 @@ abstract class TranslatedLoop extends TranslatedStmt, ConditionContext { id = 1 and result = getBody() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -597,9 +570,7 @@ class TranslatedRangeBasedForStmt extends TranslatedStmt, ConditionContext { result = getCondition().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { none() } @@ -649,13 +620,10 @@ class TranslatedJumpStmt extends TranslatedStmt { override TranslatedElement getChild(int id) { none() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::NoOp and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -693,13 +661,10 @@ class TranslatedSwitchStmt extends TranslatedStmt { id = 1 and result = getBody() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = SwitchBranchTag() and opcode instanceof Opcode::Switch and - resultType instanceof VoidType and - isGLValue = false + resultType = getVoidType() } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -727,37 +692,20 @@ class TranslatedSwitchStmt extends TranslatedStmt { class TranslatedAsmStmt extends TranslatedStmt { override AsmStmt stmt; - override TranslatedElement getChild(int id) { none() } + override TranslatedExpr getChild(int id) { + result = getTranslatedExpr(stmt.getChild(id).(Expr).getFullyConverted()) + } override Instruction getFirstInstruction() { - if exists(stmt.getChild(0)) - then result = getInstruction(AsmInputTag(0)) + if exists(getChild(0)) + then result = getChild(0).getFirstInstruction() else result = getInstruction(AsmTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isGLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType resultType) { tag = AsmTag() and opcode instanceof Opcode::InlineAsm and - resultType instanceof UnknownType and - isGLValue = false - or - exists(int index, VariableAccess va | - tag = AsmInputTag(index) and - stmt.getChild(index) = va and - opcode instanceof Opcode::VariableAddress and - resultType = va.getType().getUnspecifiedType() and - isGLValue = true - ) - } - - override IRVariable getInstructionVariable(InstructionTag tag) { - exists(int index | - tag = AsmInputTag(index) and - result = getIRUserVariable(stmt.getEnclosingFunction(), - stmt.getChild(index).(VariableAccess).getTarget()) - ) + resultType = getUnknownType() } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -768,29 +716,28 @@ class TranslatedAsmStmt extends TranslatedStmt { exists(int index | tag = AsmTag() and operandTag = asmOperand(index) and - result = getInstruction(AsmInputTag(index)) + result = getChild(index).getResult() ) } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CppType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = AsmTag() and operandTag instanceof SideEffectOperandTag and - result instanceof UnknownType + result = getUnknownType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { tag = AsmTag() and result = getParent().getChildSuccessor(this) and kind instanceof GotoEdge - or + } + + override Instruction getChildSuccessor(TranslatedElement child) { exists(int index | - tag = AsmInputTag(index) and - kind instanceof GotoEdge and - if exists(stmt.getChild(index + 1)) - then result = getInstruction(AsmInputTag(index + 1)) + child = getChild(index) and + if exists(getChild(index + 1)) + then result = getChild(index + 1).getFirstInstruction() else result = getInstruction(AsmTag()) ) } - - override Instruction getChildSuccessor(TranslatedElement child) { none() } } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll index 278040f8ab8..badd48552a5 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.IRImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind private newtype TIRPropertyProvider = MkIRPropertyProvider() diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll index 3921472dc8e..de66a3c99dc 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll @@ -1,2 +1,3 @@ private import IR import InstructionSanity +import IRTypeSanity diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll index a7ca4593ac4..1a607f82c29 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll @@ -5,6 +5,7 @@ import Imports::TempVariableTag private import Imports::IRUtilities private import Imports::TTempVariableTag private import Imports::TIRVariable +private import Imports::IRType IRUserVariable getIRUserVariable(Language::Function func, Language::Variable var) { result.getVariable() = var and @@ -24,7 +25,17 @@ abstract class IRVariable extends TIRVariable { /** * Gets the type of the variable. */ - abstract Language::Type getType(); + final Language::Type getType() { getLanguageType().hasType(result, false) } + + /** + * Gets the language-neutral type of the variable. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the variable. + */ + abstract Language::LanguageType getLanguageType(); /** * Gets the AST node that declared this variable, or that introduced this @@ -59,7 +70,7 @@ abstract class IRVariable extends TIRVariable { */ class IRUserVariable extends IRVariable, TIRUserVariable { Language::Variable var; - Language::Type type; + Language::LanguageType type; IRUserVariable() { this = TIRUserVariable(var, type, func) } @@ -71,7 +82,7 @@ class IRUserVariable extends IRVariable, TIRUserVariable { result = getVariable().toString() + " " + getVariable().getLocation().toString() } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } /** * Gets the original user-declared variable. @@ -110,11 +121,11 @@ IRTempVariable getIRTempVariable(Language::AST ast, TempVariableTag tag) { class IRTempVariable extends IRVariable, IRAutomaticVariable, TIRTempVariable { Language::AST ast; TempVariableTag tag; - Language::Type type; + Language::LanguageType type; IRTempVariable() { this = TIRTempVariable(func, ast, tag, type) } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } final override Language::AST getAST() { result = ast } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll index 6d5e697150e..049983c9126 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.InstructionImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind import Imports::Opcode private import Imports::OperandTag @@ -49,7 +50,8 @@ module InstructionSanity { ( opcode instanceof ReadSideEffectOpcode or opcode instanceof Opcode::InlineAsm or - opcode instanceof Opcode::CallSideEffect + opcode instanceof Opcode::CallSideEffect or + opcode instanceof Opcode::AliasedUse ) and tag instanceof SideEffectOperandTag ) @@ -113,10 +115,12 @@ module InstructionSanity { } query predicate missingOperandType(Operand operand, string message) { - exists(Language::Function func | + exists(Language::Function func, Instruction use | not exists(operand.getType()) and - func = operand.getUse().getEnclosingFunction() and - message = "Operand missing type in function '" + Language::getIdentityString(func) + "'." + use = operand.getUse() and + func = use.getEnclosingFunction() and + message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() + + "' missing type in function '" + Language::getIdentityString(func) + "'." ) } @@ -260,6 +264,7 @@ module InstructionSanity { ) { exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex | not useOperand.getUse() instanceof UnmodeledUseInstruction and + not defInstr instanceof UnmodeledDefinitionInstruction and pointOfEvaluation(useOperand, useBlock, useIndex) and defInstr = useOperand.getAnyDef() and ( @@ -321,7 +326,7 @@ class Instruction extends Construction::TInstruction { } private string getResultPrefix() { - if getResultType() instanceof Language::VoidType + if getResultIRType() instanceof IRVoidType then result = "v" else if hasMemoryResult() @@ -353,23 +358,6 @@ class Instruction extends Construction::TInstruction { ) } - bindingset[type] - private string getValueCategoryString(string type) { - if isGLValue() then result = "glval<" + type + ">" else result = type - } - - string getResultTypeString() { - exists(string valcat | - valcat = getValueCategoryString(getResultType().toString()) and - if - getResultType() instanceof Language::UnknownType and - not isGLValue() and - exists(getResultSize()) - then result = valcat + "[" + getResultSize().toString() + "]" - else result = valcat - ) - } - /** * Gets a human-readable string that uniquely identifies this instruction * within the function. This string is used to refer to this instruction when @@ -389,7 +377,9 @@ class Instruction extends Construction::TInstruction { * * Example: `r1_1(int*)` */ - final string getResultString() { result = getResultId() + "(" + getResultTypeString() + ")" } + final string getResultString() { + result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")" + } /** * Gets a string describing the operands of this instruction, suitable for @@ -457,6 +447,16 @@ class Instruction extends Construction::TInstruction { result = Construction::getInstructionUnconvertedResultExpression(this) } + final Language::LanguageType getResultLanguageType() { + result = Construction::getInstructionResultType(this) + } + + /** + * Gets the type of the result produced by this instruction. If the instruction does not produce + * a result, its result type will be `IRVoidType`. + */ + final IRType getResultIRType() { result = getResultLanguageType().getIRType() } + /** * Gets the type of the result produced by this instruction. If the * instruction does not produce a result, its result type will be `VoidType`. @@ -464,7 +464,16 @@ class Instruction extends Construction::TInstruction { * If `isGLValue()` holds, then the result type of this instruction should be * thought of as "pointer to `getResultType()`". */ - final Language::Type getResultType() { Construction::instructionHasType(this, result, _) } + final Language::Type getResultType() { + exists(Language::LanguageType resultType | + resultType = getResultLanguageType() and + ( + resultType.hasUnspecifiedType(result, _) + or + not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType + ) + ) + } /** * Holds if the result produced by this instruction is a glvalue. If this @@ -484,7 +493,7 @@ class Instruction extends Construction::TInstruction { * result of the `Load` instruction is a prvalue of type `int`, representing * the integer value loaded from variable `x`. */ - final predicate isGLValue() { Construction::instructionHasType(this, _, true) } + final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) } /** * Gets the size of the result produced by this instruction, in bytes. If the @@ -493,16 +502,7 @@ class Instruction extends Construction::TInstruction { * If `this.isGLValue()` holds for this instruction, the value of * `getResultSize()` will always be the size of a pointer. */ - final int getResultSize() { - if isGLValue() - then - // a glvalue is always pointer-sized. - result = Language::getPointerSize() - else - if getResultType() instanceof Language::UnknownType - then result = Construction::getInstructionResultSize(this) - else result = Language::getTypeSize(getResultType()) - } + final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() } /** * Gets the opcode that specifies the operation performed by this instruction. @@ -1384,7 +1384,7 @@ class CatchInstruction extends Instruction { * An instruction that catches an exception of a specific type. */ class CatchByTypeInstruction extends CatchInstruction { - Language::Type exceptionType; + Language::LanguageType exceptionType; CatchByTypeInstruction() { getOpcode() instanceof Opcode::CatchByType and @@ -1396,7 +1396,7 @@ class CatchByTypeInstruction extends CatchInstruction { /** * Gets the type of exception to be caught. */ - final Language::Type getExceptionType() { result = exceptionType } + final Language::LanguageType getExceptionType() { result = exceptionType } } /** @@ -1423,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction { final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess } } +/** + * An instruction that consumes all escaped memory on exit from the function. + */ +class AliasedUseInstruction extends Instruction { + AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse } +} + class UnmodeledUseInstruction extends Instruction { UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll index a23fb081afe..07dd107bf12 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll @@ -1,9 +1,10 @@ private import internal.IRInternal -import Instruction -import IRBlock +private import Instruction +private import IRBlock private import internal.OperandImports as Imports -import Imports::MemoryAccessKind -import Imports::Overlap +private import Imports::MemoryAccessKind +private import Imports::IRType +private import Imports::Overlap private import Imports::OperandTag cached @@ -143,22 +144,40 @@ class Operand extends TOperand { * the definition type, such as in the case of a partial read or a read from a pointer that * has been cast to a different type. */ - Language::Type getType() { result = getAnyDef().getResultType() } + Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() } + + /** + * Gets the language-neutral type of the value consumed by this operand. This is usually the same + * as the result type of the definition instruction consumed by this operand. For register + * operands, this is always the case. For some memory operands, the operand type may be different + * from the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the value consumed by this operand. This is usually the same as the + * result type of the definition instruction consumed by this operand. For register operands, + * this is always the case. For some memory operands, the operand type may be different from + * the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final Language::Type getType() { getLanguageType().hasType(result, _) } /** * Holds if the value consumed by this operand is a glvalue. If this * holds, the value of the operand represents the address of a location, * and the type of the location is given by `getType()`. If this does * not hold, the value of the operand represents a value whose type is - * given by `getResultType()`. + * given by `getType()`. */ - predicate isGLValue() { getAnyDef().isGLValue() } + final predicate isGLValue() { getLanguageType().hasType(_, true) } /** * Gets the size of the value consumed by this operand, in bytes. If the operand does not have * a known constant size, this predicate does not hold. */ - int getSize() { result = Language::getTypeSize(getType()) } + final int getSize() { result = getLanguageType().getByteSize() } } /** @@ -170,11 +189,6 @@ class MemoryOperand extends Operand { this = TPhiOperand(_, _, _, _) } - override predicate isGLValue() { - // A `MemoryOperand` can never be a glvalue - none() - } - /** * Gets the kind of memory access performed by the operand. */ @@ -239,7 +253,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe class TypedOperand extends NonPhiMemoryOperand { override TypedOperandTag tag; - final override Language::Type getType() { + final override Language::LanguageType getLanguageType() { result = Construction::getInstructionOperandType(useInstr, tag) } } @@ -381,13 +395,10 @@ class PositionalArgumentOperand extends ArgumentOperand { class SideEffectOperand extends TypedOperand { override SideEffectOperandTag tag; - final override int getSize() { - if getType() instanceof Language::UnknownType - then result = Construction::getInstructionOperandSize(useInstr, tag) - else result = Language::getTypeSize(getType()) - } - override MemoryAccessKind getMemoryAccess() { + useInstr instanceof AliasedUseInstruction and + result instanceof NonLocalMayMemoryAccess + or useInstr instanceof CallSideEffectInstruction and result instanceof EscapedMayMemoryAccess or diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll index df6c5be7728..79e5a2b6713 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll @@ -1,5 +1,5 @@ private import internal.ValueNumberingInternal -private import cpp +private import internal.ValueNumberingImports private import IR /** @@ -23,31 +23,32 @@ newtype TValueNumber = initializeParameterValueNumber(_, irFunc, var) } or TInitializeThisValueNumber(IRFunction irFunc) { initializeThisValueNumber(_, irFunc) } or - TConstantValueNumber(IRFunction irFunc, Type type, string value) { + TConstantValueNumber(IRFunction irFunc, IRType type, string value) { constantValueNumber(_, irFunc, type, value) } or - TStringConstantValueNumber(IRFunction irFunc, Type type, string value) { + TStringConstantValueNumber(IRFunction irFunc, IRType type, string value) { stringConstantValueNumber(_, irFunc, type, value) } or - TFieldAddressValueNumber(IRFunction irFunc, Field field, ValueNumber objectAddress) { + TFieldAddressValueNumber(IRFunction irFunc, Language::Field field, ValueNumber objectAddress) { fieldAddressValueNumber(_, irFunc, field, objectAddress) } or TBinaryValueNumber( - IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand + IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { binaryValueNumber(_, irFunc, opcode, type, leftOperand, rightOperand) } or TPointerArithmeticValueNumber( - IRFunction irFunc, Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, + IRFunction irFunc, Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { pointerArithmeticValueNumber(_, irFunc, opcode, type, elementSize, leftOperand, rightOperand) } or - TUnaryValueNumber(IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand) { + TUnaryValueNumber(IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand) { unaryValueNumber(_, irFunc, opcode, type, operand) } or TInheritanceConversionValueNumber( - IRFunction irFunc, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand + IRFunction irFunc, Opcode opcode, Language::Class baseClass, Language::Class derivedClass, + ValueNumber operand ) { inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand) } or @@ -59,7 +60,7 @@ newtype TValueNumber = class ValueNumber extends TValueNumber { final string toString() { result = getExampleInstruction().getResultId() } - final Location getLocation() { result = getExampleInstruction().getLocation() } + final Language::Location getLocation() { result = getExampleInstruction().getLocation() } /** * Gets the instructions that have been assigned this value number. This will always produce at @@ -150,23 +151,23 @@ private predicate initializeThisValueNumber(InitializeThisInstruction instr, IRF } private predicate constantValueNumber( - ConstantInstruction instr, IRFunction irFunc, Type type, string value + ConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue() = value } private predicate stringConstantValueNumber( - StringConstantInstruction instr, IRFunction irFunc, Type type, string value + StringConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue().getValue() = value } private predicate fieldAddressValueNumber( - FieldAddressInstruction instr, IRFunction irFunc, Field field, ValueNumber objectAddress + FieldAddressInstruction instr, IRFunction irFunc, Language::Field field, ValueNumber objectAddress ) { instr.getEnclosingIRFunction() = irFunc and instr.getField() = field and @@ -174,43 +175,43 @@ private predicate fieldAddressValueNumber( } private predicate binaryValueNumber( - BinaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, + BinaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof PointerArithmeticInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate pointerArithmeticValueNumber( - PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, Type type, int elementSize, - ValueNumber leftOperand, ValueNumber rightOperand + PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, + int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getElementSize() = elementSize and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate unaryValueNumber( - UnaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand + UnaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof InheritanceConversionInstruction and not instr instanceof CopyInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getUnary()) = operand } private predicate inheritanceConversionValueNumber( - InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, Class baseClass, - Class derivedClass, ValueNumber operand + InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, + Language::Class baseClass, Language::Class derivedClass, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and @@ -225,7 +226,7 @@ private predicate inheritanceConversionValueNumber( */ private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) { instr.getEnclosingIRFunction() = irFunc and - not instr.getResultType() instanceof VoidType and + not instr.getResultIRType() instanceof IRVoidType and not numberableInstruction(instr) } @@ -269,38 +270,41 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) { initializeThisValueNumber(instr, irFunc) and result = TInitializeThisValueNumber(irFunc) or - exists(Type type, string value | + exists(IRType type, string value | constantValueNumber(instr, irFunc, type, value) and result = TConstantValueNumber(irFunc, type, value) ) or - exists(Type type, string value | + exists(IRType type, string value | stringConstantValueNumber(instr, irFunc, type, value) and result = TStringConstantValueNumber(irFunc, type, value) ) or - exists(Field field, ValueNumber objectAddress | + exists(Language::Field field, ValueNumber objectAddress | fieldAddressValueNumber(instr, irFunc, field, objectAddress) and result = TFieldAddressValueNumber(irFunc, field, objectAddress) ) or - exists(Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand | + exists(Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand | binaryValueNumber(instr, irFunc, opcode, type, leftOperand, rightOperand) and result = TBinaryValueNumber(irFunc, opcode, type, leftOperand, rightOperand) ) or - exists(Opcode opcode, Type type, ValueNumber operand | + exists(Opcode opcode, IRType type, ValueNumber operand | unaryValueNumber(instr, irFunc, opcode, type, operand) and result = TUnaryValueNumber(irFunc, opcode, type, operand) ) or - exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand | + exists( + Opcode opcode, Language::Class baseClass, Language::Class derivedClass, ValueNumber operand + | inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand) ) or exists( - Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand + Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, + ValueNumber rightOperand | pointerArithmeticValueNumber(instr, irFunc, opcode, type, elementSize, leftOperand, rightOperand) and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll new file mode 100644 index 00000000000..0282f6887f1 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll @@ -0,0 +1,2 @@ +import semmle.code.cpp.ir.internal.Overlap +import semmle.code.cpp.ir.internal.IRCppLanguage as Language diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll index 74f7b4a2b64..42d6e7db693 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRImports.qll @@ -1,2 +1,3 @@ import semmle.code.cpp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll index 1f0f5eaccde..8c60565defc 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll @@ -1,3 +1,4 @@ +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.TempVariableTag as TempVariableTag import semmle.code.cpp.ir.internal.IRUtilities as IRUtilities import semmle.code.cpp.ir.internal.TempVariableTag as TTempVariableTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll index 0138af075dc..a75f70dbe2f 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll @@ -1,4 +1,5 @@ import semmle.code.cpp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind import semmle.code.cpp.ir.implementation.Opcode as Opcode import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll index e626662ccf2..3c781579cee 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/OperandImports.qll @@ -1,3 +1,4 @@ import semmle.code.cpp.ir.implementation.MemoryAccessKind as MemoryAccessKind +import semmle.code.cpp.ir.implementation.IRType as IRType import semmle.code.cpp.ir.internal.Overlap as Overlap import semmle.code.cpp.ir.implementation.internal.OperandTag as OperandTag diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll index a5c09c6401b..23121523a6b 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll @@ -4,34 +4,52 @@ private import Alias private import SSAConstruction private import DebugSSA +bindingset[offset] +private string getKeySuffixForOffset(int offset) { + if offset % 2 = 0 then result = "" else result = "_Chi" +} + +bindingset[offset] +private int getIndexForOffset(int offset) { result = offset / 2 } + /** * Property provide that dumps the memory access of each result. Useful for debugging SSA * construction. */ class PropertyProvider extends IRPropertyProvider { override string getInstructionProperty(Instruction instruction, string key) { - exists(MemoryLocation location | - location = getResultMemoryLocation(instruction) and - ( - key = "ResultMemoryLocation" and result = location.toString() - or - key = "ResultVirtualVariable" and result = location.getVirtualVariable().toString() + key = "ResultMemoryLocation" and + result = strictconcat(MemoryLocation loc | + loc = getResultMemoryLocation(instruction) + | + loc.toString(), "," ) - ) or - exists(MemoryLocation location | - location = getOperandMemoryLocation(instruction.getAnOperand()) and - ( - key = "OperandMemoryAccess" and result = location.toString() - or - key = "OperandVirtualVariable" and result = location.getVirtualVariable().toString() + key = "ResultVirtualVariable" and + result = strictconcat(MemoryLocation loc | + loc = getResultMemoryLocation(instruction) + | + loc.getVirtualVariable().toString(), "," ) - ) or - exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defIndex | - hasDefinitionAtRank(useLocation, _, defBlock, defRank, defIndex) and - defBlock.getInstruction(defIndex) = instruction and - key = "DefinitionRank[" + useLocation.toString() + "]" and + key = "OperandMemoryLocation" and + result = strictconcat(MemoryLocation loc | + loc = getOperandMemoryLocation(instruction.getAnOperand()) + | + loc.toString(), "," + ) + or + key = "OperandVirtualVariable" and + result = strictconcat(MemoryLocation loc | + loc = getOperandMemoryLocation(instruction.getAnOperand()) + | + loc.getVirtualVariable().toString(), "," + ) + or + exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defOffset | + hasDefinitionAtRank(useLocation, _, defBlock, defRank, defOffset) and + defBlock.getInstruction(getIndexForOffset(defOffset)) = instruction and + key = "DefinitionRank" + getKeySuffixForOffset(defOffset) + "[" + useLocation.toString() + "]" and result = defRank.toString() ) or @@ -41,10 +59,11 @@ class PropertyProvider extends IRPropertyProvider { result = useRank.toString() ) or - exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defIndex | - hasDefinitionAtRank(useLocation, _, defBlock, defRank, defIndex) and - defBlock.getInstruction(defIndex) = instruction and - key = "DefinitionReachesUse[" + useLocation.toString() + "]" and + exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defOffset | + hasDefinitionAtRank(useLocation, _, defBlock, defRank, defOffset) and + defBlock.getInstruction(getIndexForOffset(defOffset)) = instruction and + key = "DefinitionReachesUse" + getKeySuffixForOffset(defOffset) + "[" + useLocation.toString() + + "]" and result = strictconcat(IRBlock useBlock, int useRank, int useIndex | exists(Instruction useInstruction | hasUseAtRank(useLocation, useBlock, useRank, useInstruction) and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll index 3010825d50b..7152dec5c4a 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll @@ -1,8 +1,5 @@ import SSAConstructionInternal -private import cpp -private import semmle.code.cpp.ir.implementation.Opcode -private import semmle.code.cpp.ir.implementation.internal.OperandTag -private import semmle.code.cpp.ir.internal.Overlap +private import SSAConstructionImports private import NewIR private class OldBlock = Reachability::ReachableBlock; @@ -18,7 +15,7 @@ private module Cached { } cached - predicate functionHasIR(Function func) { + predicate functionHasIR(Language::Function func) { exists(OldIR::IRFunction irFunc | irFunc.getFunction() = func) } @@ -42,7 +39,7 @@ private module Cached { not oldInstruction instanceof OldIR::PhiInstruction and hasChiNode(_, oldInstruction) } or - Unreached(Function function) { + Unreached(Language::Function function) { exists(OldInstruction oldInstruction | function = oldInstruction.getEnclosingFunction() and Reachability::isInfeasibleInstructionSuccessor(oldInstruction, _) @@ -50,12 +47,14 @@ private module Cached { } cached - predicate hasTempVariable(Function func, Locatable ast, TempVariableTag tag, Type type) { + predicate hasTempVariable( + Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type + ) { exists(OldIR::IRTempVariable var | var.getEnclosingFunction() = func and var.getAST() = ast and var.getTag() = tag and - var.getType() = type + var.getLanguageType() = type ) } @@ -135,24 +134,12 @@ private module Cached { } cached - Type getInstructionOperandType(Instruction instr, TypedOperandTag tag) { + Language::LanguageType getInstructionOperandType(Instruction instr, TypedOperandTag tag) { exists(OldInstruction oldInstruction, OldIR::TypedOperand oldOperand | oldInstruction = getOldInstruction(instr) and oldOperand = oldInstruction.getAnOperand() and tag = oldOperand.getOperandTag() and - result = oldOperand.getType() - ) - } - - cached - int getInstructionOperandSize(Instruction instr, SideEffectOperandTag tag) { - exists(OldInstruction oldInstruction, OldIR::SideEffectOperand oldOperand | - oldInstruction = getOldInstruction(instr) and - oldOperand = oldInstruction.getAnOperand() and - tag = oldOperand.getOperandTag() and - // Only return a result for operands that need an explicit result size. - oldOperand.getType() instanceof UnknownType and - result = oldOperand.getSize() + result = oldOperand.getLanguageType() ) } @@ -196,20 +183,21 @@ private module Cached { } cached - Expr getInstructionConvertedResultExpression(Instruction instruction) { + Language::Expr getInstructionConvertedResultExpression(Instruction instruction) { result = getOldInstruction(instruction).getConvertedResultExpression() } cached - Expr getInstructionUnconvertedResultExpression(Instruction instruction) { + Language::Expr getInstructionUnconvertedResultExpression(Instruction instruction) { result = getOldInstruction(instruction).getUnconvertedResultExpression() } - /** + /* * This adds Chi nodes to the instruction successor relation; if an instruction has a Chi node, * that node is its successor in the new successor relation, and the Chi node's successors are * the new instructions generated from the successors of the old instruction */ + cached Instruction getInstructionSuccessor(Instruction instruction, EdgeKind kind) { if hasChiNode(_, getOldInstruction(instruction)) @@ -252,7 +240,7 @@ private module Cached { } cached - Locatable getInstructionAST(Instruction instruction) { + Language::AST getInstructionAST(Instruction instruction) { exists(OldInstruction oldInstruction | instruction = WrappedInstruction(oldInstruction) or @@ -270,29 +258,25 @@ private module Cached { } cached - predicate instructionHasType(Instruction instruction, Type type, boolean isGLValue) { + Language::LanguageType getInstructionResultType(Instruction instruction) { exists(OldInstruction oldInstruction | instruction = WrappedInstruction(oldInstruction) and - type = oldInstruction.getResultType() and - if oldInstruction.isGLValue() then isGLValue = true else isGLValue = false + result = oldInstruction.getResultLanguageType() ) or exists(OldInstruction oldInstruction, Alias::VirtualVariable vvar | instruction = Chi(oldInstruction) and hasChiNode(vvar, oldInstruction) and - type = vvar.getType() and - isGLValue = false + result = vvar.getType() ) or exists(Alias::MemoryLocation location | instruction = Phi(_, location) and - type = location.getType() and - isGLValue = false + result = location.getType() ) or instruction = Unreached(_) and - type instanceof VoidType and - isGLValue = false + result = Language::getVoidType() } cached @@ -338,7 +322,7 @@ private module Cached { } cached - Field getInstructionField(Instruction instruction) { + Language::Field getInstructionField(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::FieldInstruction).getField() } @@ -348,7 +332,7 @@ private module Cached { } cached - Function getInstructionFunction(Instruction instruction) { + Language::Function getInstructionFunction(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::FunctionInstruction).getFunctionSymbol() } @@ -358,19 +342,19 @@ private module Cached { } cached - StringLiteral getInstructionStringLiteral(Instruction instruction) { + Language::StringLiteral getInstructionStringLiteral(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::StringConstantInstruction).getValue() } cached - BuiltInOperation getInstructionBuiltInOperation(Instruction instruction) { + Language::BuiltInOperation getInstructionBuiltInOperation(Instruction instruction) { result = getOldInstruction(instruction) .(OldIR::BuiltInOperationInstruction) .getBuiltInOperation() } cached - Type getInstructionExceptionType(Instruction instruction) { + Language::LanguageType getInstructionExceptionType(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::CatchByTypeInstruction).getExceptionType() } @@ -380,14 +364,9 @@ private module Cached { } cached - int getInstructionResultSize(Instruction instruction) { - // Only return a result for instructions that needed an explicit result size. - instruction.getResultType() instanceof UnknownType and - result = getOldInstruction(instruction).getResultSize() - } - - cached - predicate getInstructionInheritance(Instruction instruction, Class baseClass, Class derivedClass) { + predicate getInstructionInheritance( + Instruction instruction, Language::Class baseClass, Language::Class derivedClass + ) { exists(OldIR::InheritanceConversionInstruction oldInstr | oldInstr = getOldInstruction(instruction) and baseClass = oldInstr.getBaseClass() and diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll new file mode 100644 index 00000000000..00f12020a29 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll @@ -0,0 +1,3 @@ +import semmle.code.cpp.ir.implementation.Opcode +import semmle.code.cpp.ir.implementation.internal.OperandTag +import semmle.code.cpp.ir.internal.Overlap diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll index dc19a8130d9..4cfbdfe831e 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll @@ -2,4 +2,5 @@ import semmle.code.cpp.ir.implementation.raw.IR as OldIR import semmle.code.cpp.ir.implementation.raw.internal.reachability.ReachableBlock as Reachability import semmle.code.cpp.ir.implementation.raw.internal.reachability.Dominance as Dominance import semmle.code.cpp.ir.implementation.unaliased_ssa.IR as NewIR +import semmle.code.cpp.ir.internal.IRCppLanguage as Language import SimpleSSA as Alias diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll index 7cca5855a20..5925631b67c 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll @@ -1,24 +1,20 @@ import AliasAnalysis -private import cpp -private import semmle.code.cpp.ir.implementation.raw.IR -private import semmle.code.cpp.ir.internal.IntegerConstant as Ints -private import semmle.code.cpp.ir.implementation.internal.OperandTag -private import semmle.code.cpp.ir.internal.Overlap +private import SimpleSSAImports private class IntValue = Ints::IntValue; private predicate hasResultMemoryAccess( - Instruction instr, IRVariable var, Type type, IntValue bitOffset + Instruction instr, IRVariable var, Language::LanguageType type, IntValue bitOffset ) { resultPointsTo(instr.getResultAddressOperand().getAnyDef(), var, bitOffset) and - type = instr.getResultType() + type = instr.getResultLanguageType() } private predicate hasOperandMemoryAccess( - MemoryOperand operand, IRVariable var, Type type, IntValue bitOffset + MemoryOperand operand, IRVariable var, Language::LanguageType type, IntValue bitOffset ) { resultPointsTo(operand.getAddressOperand().getAnyDef(), var, bitOffset) and - type = operand.getType() + type = operand.getLanguageType() } /** @@ -30,17 +26,17 @@ private predicate isVariableModeled(IRVariable var) { not variableAddressEscapes(var) and // There's no need to check for the right size. An `IRVariable` never has an `UnknownType`, so the test for // `type = var.getType()` is sufficient. - forall(Instruction instr, Type type, IntValue bitOffset | + forall(Instruction instr, Language::LanguageType type, IntValue bitOffset | hasResultMemoryAccess(instr, var, type, bitOffset) | bitOffset = 0 and - type = var.getType() + type.getIRType() = var.getIRType() ) and - forall(MemoryOperand operand, Type type, IntValue bitOffset | + forall(MemoryOperand operand, Language::LanguageType type, IntValue bitOffset | hasOperandMemoryAccess(operand, var, type, bitOffset) | bitOffset = 0 and - type = var.getType() + type.getIRType() = var.getIRType() ) } @@ -59,7 +55,7 @@ class MemoryLocation extends TMemoryLocation { final VirtualVariable getVirtualVariable() { result = this } - final Type getType() { result = var.getType() } + final Language::LanguageType getType() { result = var.getLanguageType() } final string getUniqueId() { result = var.getUniqueId() } } diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSAImports.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSAImports.qll new file mode 100644 index 00000000000..8f160f5a456 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSAImports.qll @@ -0,0 +1,5 @@ +import semmle.code.cpp.ir.implementation.raw.IR +import semmle.code.cpp.ir.internal.IntegerConstant as Ints +import semmle.code.cpp.ir.implementation.internal.OperandTag +import semmle.code.cpp.ir.internal.IRCppLanguage as Language +import semmle.code.cpp.ir.internal.Overlap diff --git a/cpp/ql/src/semmle/code/cpp/ir/internal/CppType.qll b/cpp/ql/src/semmle/code/cpp/ir/internal/CppType.qll new file mode 100644 index 00000000000..88184d90345 --- /dev/null +++ b/cpp/ql/src/semmle/code/cpp/ir/internal/CppType.qll @@ -0,0 +1,507 @@ +private import cpp +private import semmle.code.cpp.Print +private import semmle.code.cpp.ir.implementation.IRType +private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction + +private int getPointerSize() { result = max(any(NullPointerType t).getSize()) } + +/** + * Works around an extractor bug where a function reference gets a size of one byte. + */ +private int getTypeSizeWorkaround(Type type) { + exists(Type unspecifiedType | + unspecifiedType = type.getUnspecifiedType() and + ( + unspecifiedType instanceof FunctionReferenceType and + result = getPointerSize() + or + exists(PointerToMemberType ptmType | + ptmType = unspecifiedType and + ( + if ptmType.getBaseType().getUnspecifiedType() instanceof RoutineType + then result = getPointerSize() * 2 + else result = getPointerSize() + ) + ) + or + exists(ArrayType arrayType | + // Treat `T[]` as `T*`. + arrayType = unspecifiedType and + not arrayType.hasArraySize() and + result = getPointerSize() + ) + ) + ) +} + +private int getTypeSize(Type type) { + if exists(getTypeSizeWorkaround(type)) + then result = getTypeSizeWorkaround(type) + else result = type.getSize() +} + +/** + * Holds if an `IRErrorType` should exist. + */ +predicate hasErrorType() { exists(ErroneousType t) } + +/** + * Holds if an `IRBooleanType` with the specified `byteSize` should exist. + */ +predicate hasBooleanType(int byteSize) { byteSize = getTypeSize(any(BoolType type)) } + +private predicate isSigned(IntegralOrEnumType type) { + type.(IntegralType).isSigned() + or + exists(Enum enumType | + // If the enum has an explicit underlying type, we'll determine signedness from that. If not, + // we'll assume unsigned. The actual rules for the implicit underlying type of an enum vary + // between compilers, so we'll need an extractor change to get this 100% right. Until then, + // unsigned is a reasonable default. + enumType = type.getUnspecifiedType() and + enumType.getExplicitUnderlyingType().getUnspecifiedType().(IntegralType).isSigned() + ) +} + +private predicate isSignedIntegerType(IntegralOrEnumType type) { + isSigned(type) and not type instanceof BoolType +} + +private predicate isUnsignedIntegerType(IntegralOrEnumType type) { + not isSigned(type) and not type instanceof BoolType +} + +/** + * Holds if an `IRSignedIntegerType` with the specified `byteSize` should exist. + */ +predicate hasSignedIntegerType(int byteSize) { + byteSize = any(IntegralOrEnumType type | isSignedIntegerType(type)).getSize() +} + +/** + * Holds if an `IRUnsignedIntegerType` with the specified `byteSize` should exist. + */ +predicate hasUnsignedIntegerType(int byteSize) { + byteSize = any(IntegralOrEnumType type | isUnsignedIntegerType(type)).getSize() +} + +/** + * Holds if an `IRFloatingPointType` with the specified `byteSize` should exist. + */ +predicate hasFloatingPointType(int byteSize) { byteSize = any(FloatingPointType type).getSize() } + +private predicate isPointerIshType(Type type) { + type instanceof PointerType + or + type instanceof ReferenceType + or + type instanceof NullPointerType + or + // Treat `T[]` as a pointer. The only place we should see these is as the type of a parameter. If + // the corresponding decayed `T*` type is available, we'll use that, but if it's not available, + // we're stuck with `T[]`. Just treat it as a pointer. + type instanceof ArrayType and not exists(type.getSize()) +} + +/** + * Holds if an `IRAddressType` with the specified `byteSize` should exist. + */ +predicate hasAddressType(int byteSize) { + // This covers all pointers, all references, and because it also looks at `NullPointerType`, it + // should always return a result that makes sense for arbitrary glvalues as well. + byteSize = any(Type type | isPointerIshType(type)).getSize() +} + +/** + * Holds if an `IRFunctionAddressType` with the specified `byteSize` should exist. + */ +predicate hasFunctionAddressType(int byteSize) { + byteSize = getPointerSize() or // Covers function lvalues + byteSize = getTypeSize(any(FunctionPointerIshType type)) +} + +private predicate isOpaqueType(Type type) { + exists(type.getSize()) and // Only include complete types + ( + type instanceof ArrayType or + type instanceof Class or + type instanceof GNUVectorType + ) + or + type instanceof PointerToMemberType // PTMs are missing size info +} + +/** + * Holds if an `IROpaqueType` with the specified `tag` and `byteSize` should exist. + */ +predicate hasOpaqueType(Type tag, int byteSize) { + isOpaqueType(tag) and byteSize = getTypeSize(tag) + or + tag instanceof UnknownType and IRConstruction::needsUnknownOpaqueType(byteSize) +} + +/** + * Gets the `IRType` that represents a prvalue of the specified `Type`. + */ +private IRType getIRTypeForPRValue(Type type) { + exists(Type unspecifiedType | unspecifiedType = type.getUnspecifiedType() | + isOpaqueType(unspecifiedType) and + exists(IROpaqueType opaqueType | opaqueType = result | + opaqueType.getByteSize() = getTypeSize(type) and + opaqueType.getTag() = unspecifiedType + ) + or + unspecifiedType instanceof BoolType and result.(IRBooleanType).getByteSize() = type.getSize() + or + isSignedIntegerType(unspecifiedType) and + result.(IRSignedIntegerType).getByteSize() = type.getSize() + or + isUnsignedIntegerType(unspecifiedType) and + result.(IRUnsignedIntegerType).getByteSize() = type.getSize() + or + unspecifiedType instanceof FloatingPointType and + result.(IRFloatingPointType).getByteSize() = type.getSize() + or + isPointerIshType(unspecifiedType) and result.(IRAddressType).getByteSize() = getTypeSize(type) + or + unspecifiedType instanceof FunctionPointerIshType and + result.(IRFunctionAddressType).getByteSize() = getTypeSize(type) + or + unspecifiedType instanceof VoidType and result instanceof IRVoidType + or + unspecifiedType instanceof ErroneousType and result instanceof IRErrorType + or + unspecifiedType instanceof UnknownType and result instanceof IRUnknownType + ) +} + +private newtype TCppType = + TPRValueType(Type type) { exists(getIRTypeForPRValue(type)) } or + TFunctionGLValueType() or + TGLValueAddressType(Type type) or + TUnknownOpaqueType(int byteSize) { IRConstruction::needsUnknownOpaqueType(byteSize) } or + TUnknownType() + +/** + * The C++ type of an IR entity. + * This cannot just be `Type` for a couple reasons: + * - Some types needed by the IR might not exist in the database (e.g. `RoutineType`s for functions + * that are always called directly) + * - Some types needed by the IR are not representable in the C++ type system (e.g. the result type + * of a `VariableAddress` where the variable is of reference type) + */ +class CppType extends TCppType { + string toString() { none() } + + /** Gets a string used in IR dumps */ + string getDumpString() { result = toString() } + + /** Gets the size of the type in bytes, if known. */ + final int getByteSize() { result = getIRType().getByteSize() } + + /** + * Gets the `IRType` that represents this `CppType`. Many different `CppType`s can map to a single + * `IRType`. + */ + IRType getIRType() { none() } + + /** + * Holds if the `CppType` represents a prvalue of type `Type` (if `isGLValue` is `false`), or if + * it represents a glvalue of type `Type` (if `isGLValue` is `true`). + */ + predicate hasType(Type type, boolean isGLValue) { none() } + + final predicate hasUnspecifiedType(Type type, boolean isGLValue) { + exists(Type specifiedType | + hasType(specifiedType, isGLValue) and + type = specifiedType.getUnspecifiedType() + ) + } +} + +/** + * A `CppType` that wraps an existing `Type` (either as a prvalue or a glvalue). + */ +private class CppWrappedType extends CppType { + Type ctype; + + CppWrappedType() { + this = TPRValueType(ctype) or + this = TGLValueAddressType(ctype) + } +} + +/** + * A `CppType` that represents a prvalue of an existing `Type`. + */ +private class CppPRValueType extends CppWrappedType, TPRValueType { + final override string toString() { result = ctype.toString() } + + final override string getDumpString() { result = ctype.getUnspecifiedType().toString() } + + final override IRType getIRType() { result = getIRTypeForPRValue(ctype) } + + final override predicate hasType(Type type, boolean isGLValue) { + type = ctype and + isGLValue = false + } +} + +/** + * A `CppType` that has unknown type but a known size. Generally to represent synthesized types that + * occur in certain cases during IR construction, such as the type of a zero-initialized segment of + * a partially-initialized array. + */ +private class CppUnknownOpaqueType extends CppType, TUnknownOpaqueType { + int byteSize; + + CppUnknownOpaqueType() { this = TUnknownOpaqueType(byteSize) } + + final override string toString() { result = "unknown[" + byteSize.toString() + "]" } + + final override IROpaqueType getIRType() { + result.getByteSize() = byteSize and result.getTag() instanceof UnknownType + } + + override predicate hasType(Type type, boolean isGLValue) { + type instanceof UnknownType and isGLValue = false + } +} + +/** + * A `CppType` that represents a glvalue of an existing `Type`. + */ +private class CppGLValueAddressType extends CppWrappedType, TGLValueAddressType { + final override string toString() { result = "glval<" + ctype.toString() + ">" } + + final override string getDumpString() { + result = "glval<" + ctype.getUnspecifiedType().toString() + ">" + } + + final override IRAddressType getIRType() { result.getByteSize() = getPointerSize() } + + final override predicate hasType(Type type, boolean isGLValue) { + type = ctype and + isGLValue = true + } +} + +/** + * A `CppType` that represents a function lvalue. + */ +private class CppFunctionGLValueType extends CppType, TFunctionGLValueType { + final override string toString() { result = "glval" } + + final override IRFunctionAddressType getIRType() { result.getByteSize() = getPointerSize() } + + final override predicate hasType(Type type, boolean isGLValue) { + type instanceof UnknownType and isGLValue = true + } +} + +/** + * A `CppType` that represents an unknown type. + */ +private class CppUnknownType extends CppType, TUnknownType { + final override string toString() { result = any(UnknownType type).toString() } + + final override IRUnknownType getIRType() { any() } + + final override predicate hasType(Type type, boolean isGLValue) { + type instanceof UnknownType and isGLValue = false + } +} + +/** + * Gets the single instance of `CppUnknownType`. + */ +CppUnknownType getUnknownType() { any() } + +/** + * Gets the `CppType` that represents a prvalue of type `void`. + */ +CppPRValueType getVoidType() { exists(VoidType voidType | result.hasType(voidType, false)) } + +/** + * Gets the `CppType` that represents a prvalue of type `type`. + */ +CppType getTypeForPRValue(Type type) { + if type instanceof UnknownType + then result instanceof CppUnknownType + else result.hasType(type, false) +} + +/** + * Gets the `CppType` that represents a prvalue of type `type`, if such a `CppType` exists. + * Otherwise, gets `CppUnknownType`. + */ +CppType getTypeForPRValueOrUnknown(Type type) { + result = getTypeForPRValue(type) + or + not exists(getTypeForPRValue(type)) and result = getUnknownType() +} + +/** + * Gets the `CppType` that represents a glvalue of type `type`. + */ +CppType getTypeForGLValue(Type type) { result.hasType(type, true) } + +/** + * Gets the `CppType` that represents a prvalue of type `int`. + */ +CppPRValueType getIntType() { + exists(IntType type | + type.isImplicitlySigned() and + result.hasType(type, false) + ) +} + +/** + * Gets the `CppType` that represents a prvalue of type `bool`. + */ +CppPRValueType getBoolType() { exists(BoolType type | result.hasType(type, false)) } + +/** + * Gets the `CppType` that represents a glvalue of function type. + */ +CppFunctionGLValueType getFunctionGLValueType() { any() } + +/** + * Gets the `CppType` that represents a opaque of unknown type with size `byteSize`. + */ +CppUnknownOpaqueType getUnknownOpaqueType(int byteSize) { result.getByteSize() = byteSize } + +/** + * Gets the `CppType` that is the canonical type for an `IRBooleanType` with the specified + * `byteSize`. + */ +CppWrappedType getCanonicalBooleanType(int byteSize) { + exists(BoolType type | result = TPRValueType(type) and byteSize = type.getSize()) +} + +/** + * Compute the sorting priority of an `IntegralType` based on its signedness. + */ +private int getSignPriority(IntegralType type) { + // Explicitly unsigned types sort first. Explicitly signed types sort last. Types with no explicit + // signedness sort in between. This lets us always choose `int` over `signed int`, while also + // choosing `unsigned char`+`char` when `char` is signed, and `unsigned char`+`signed char` when + // `char` is unsigned. + if type.isExplicitlyUnsigned() + then result = 2 + else + if type.isExplicitlySigned() + then result = 0 + else result = 1 +} + +/** + * Gets the sort priority of an `IntegralType` based on its kind. + */ +private int getKindPriority(IntegralType type) { + // `CharType` sorts lower so that we prefer the plain integer types when they have the same size + // as a `CharType`. + if type instanceof CharType then result = 0 else result = 1 +} + +/** + * Gets the `CppType` that is the canonical type for an `IRSignedIntegerType` with the specified + * `byteSize`. + */ +CppPRValueType getCanonicalSignedIntegerType(int byteSize) { + result = TPRValueType(max(IntegralType type | + type.isSigned() and type.getSize() = byteSize + | + type order by getKindPriority(type), getSignPriority(type), type.toString() desc + )) +} + +/** + * Gets the `CppType` that is the canonical type for an `IRUnsignedIntegerType` with the specified + * `byteSize`. + */ +CppPRValueType getCanonicalUnsignedIntegerType(int byteSize) { + result = TPRValueType(max(IntegralType type | + type.isUnsigned() and type.getSize() = byteSize + | + type order by getKindPriority(type), getSignPriority(type), type.toString() desc + )) +} + +/** + * Gets the `CppType` that is the canonical type for an `IRFloatingPointType` with the specified + * `byteSize`. + */ +CppPRValueType getCanonicalFloatingPointType(int byteSize) { + result = TPRValueType(max(FloatingPointType type | + type.getSize() = byteSize + | + type order by type.toString() desc + )) +} + +/** + * Gets the `CppType` that is the canonical type for an `IRAddressType` with the specified + * `byteSize`. + */ +CppPRValueType getCanonicalAddressType(int byteSize) { + // We just use `NullPointerType`, since it should be unique. + exists(NullPointerType type | + type.getSize() = byteSize and + result = TPRValueType(type) + ) +} + +/** + * Gets the `CppType` that is the canonical type for an `IRFunctionAddressType` with the specified + * `byteSize`. + */ +CppFunctionGLValueType getCanonicalFunctionAddressType(int byteSize) { + result.getByteSize() = byteSize +} + +/** + * Gets the `CppType` that is the canonical type for `IRErrorType`. + */ +CppPRValueType getCanonicalErrorType() { result = TPRValueType(any(ErroneousType type)) } + +/** + * Gets the `CppType` that is the canonical type for `IRUnknownType`. + */ +CppUnknownType getCanonicalUnknownType() { any() } + +/** + * Gets the `CppType` that is the canonical type for `IRVoidType`. + */ +CppPRValueType getCanonicalVoidType() { result = TPRValueType(any(VoidType type)) } + +/** + * Gets the `CppType` that is the canonical type for an `IROpaqueType` with the specified `tag` and + * `byteSize`. + */ +CppType getCanonicalOpaqueType(Type tag, int byteSize) { + isOpaqueType(tag) and + result = TPRValueType(tag.getUnspecifiedType()) and + getTypeSize(tag) = byteSize + or + tag instanceof UnknownType and result = getUnknownOpaqueType(byteSize) +} + +/** + * Gets a string that uniquely identifies an `IROpaqueType` tag. This may be different from the usual + * `toString()` of the tag in order to ensure uniqueness. + */ +string getOpaqueTagIdentityString(Type tag) { + hasOpaqueType(tag, _) and + result = getTypeIdentityString(tag) +} + +module LanguageTypeSanity { + query predicate missingCppType(Type type, string message) { + not exists(getTypeForPRValue(type)) and + exists(type.getSize()) and + // `ProxyClass`es have a size, but only appear in uninstantiated templates + not type instanceof ProxyClass and + message = "Type does not have an associated `CppType`." + } +} diff --git a/cpp/ql/src/semmle/code/cpp/ir/internal/IRCppLanguage.qll b/cpp/ql/src/semmle/code/cpp/ir/internal/IRCppLanguage.qll index cda661bd216..613958a0d4c 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/internal/IRCppLanguage.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/internal/IRCppLanguage.qll @@ -1,6 +1,13 @@ private import cpp as Cpp private import semmle.code.cpp.Print as Print private import IRUtilities +private import semmle.code.cpp.ir.implementation.IRType +private import semmle.code.cpp.ir.implementation.raw.internal.IRConstruction as IRConstruction +import CppType + +class LanguageType = CppType; + +class OpaqueTypeTag = Cpp::Type; class Function = Cpp::Function; diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll index 50fe6ab9a55..b663f336d0a 100644 --- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll +++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/RangeAnalysis.qll @@ -80,7 +80,7 @@ private module RangeAnalysisCache { cached module RangeAnalysisPublic { /** - * Holds if `b + delta` is a valid bound for `i`. + * Holds if `b + delta` is a valid bound for `i` and this is the best such delta. * - `upper = true` : `i <= b + delta` * - `upper = false` : `i >= b + delta` * @@ -90,11 +90,12 @@ private module RangeAnalysisCache { */ cached predicate boundedInstruction(Instruction i, Bound b, int delta, boolean upper, Reason reason) { - boundedInstruction(i, b, delta, upper, _, _, reason) + boundedInstruction(i, b, delta, upper, _, _, reason) and + bestInstructionBound(i, b, delta, upper) } /** - * Holds if `b + delta` is a valid bound for `op`. + * Holds if `b + delta` is a valid bound for `op` and this is the best such delta. * - `upper = true` : `op <= b + delta` * - `upper = false` : `op >= b + delta` * @@ -104,9 +105,8 @@ private module RangeAnalysisCache { */ cached predicate boundedOperand(Operand op, Bound b, int delta, boolean upper, Reason reason) { - boundedNonPhiOperand(op, b, delta, upper, _, _, reason) - or - boundedPhiOperand(op, b, delta, upper, _, _, reason) + boundedOperandCand(op, b, delta, upper, reason) and + bestOperandBound(op, b, delta, upper) } } @@ -124,6 +124,43 @@ private module RangeAnalysisCache { private import RangeAnalysisCache import RangeAnalysisPublic +/** + * Holds if `b + delta` is a valid bound for `e` and this is the best such delta. + * - `upper = true` : `e <= b + delta` + * - `upper = false` : `e >= b + delta` + */ +private predicate bestInstructionBound(Instruction i, Bound b, int delta, boolean upper) { + delta = min(int d | boundedInstruction(i, b, d, upper, _, _, _)) and upper = true + or + delta = max(int d | boundedInstruction(i, b, d, upper, _, _, _)) and upper = false +} + +/** + * Holds if `b + delta` is a valid bound for `op`. + * - `upper = true` : `op <= b + delta` + * - `upper = false` : `op >= b + delta` + * + * The reason for the bound is given by `reason` and may be either a condition + * or `NoReason` if the bound was proven directly without the use of a bounding + * condition. + */ +private predicate boundedOperandCand(Operand op, Bound b, int delta, boolean upper, Reason reason) { + boundedNonPhiOperand(op, b, delta, upper, _, _, reason) + or + boundedPhiOperand(op, b, delta, upper, _, _, reason) +} + +/** + * Holds if `b + delta` is a valid bound for `op` and this is the best such delta. + * - `upper = true` : `op <= b + delta` + * - `upper = false` : `op >= b + delta` + */ +private predicate bestOperandBound(Operand op, Bound b, int delta, boolean upper) { + delta = min(int d | boundedOperandCand(op, b, d, upper, _)) and upper = true + or + delta = max(int d | boundedOperandCand(op, b, d, upper, _)) and upper = false +} + /** * Gets a condition that tests whether `vn` equals `bound + delta`. * diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp new file mode 100644 index 00000000000..9c3c8bc4569 --- /dev/null +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/BarrierGuard.cpp @@ -0,0 +1,68 @@ +int source(); +void sink(int); +bool guarded(int); + +void bg_basic(int source) { + if (guarded(source)) { + sink(source); // no flow + } else { + sink(source); // flow + } +} + +void bg_not(int source) { + if (!guarded(source)) { + sink(source); // flow + } else { + sink(source); // no flow + } +} + +void bg_and(int source, bool arbitrary) { + if (guarded(source) && arbitrary) { + sink(source); // no flow + } else { + sink(source); // flow + } +} + +void bg_or(int source, bool arbitrary) { + if (guarded(source) || arbitrary) { + sink(source); // flow + } else { + sink(source); // flow + } +} + +void bg_return(int source) { + if (!guarded(source)) { + return; + } + sink(source); // no flow +} + +struct XY { + int x, y; +}; + +void bg_stackstruct(XY s1, XY s2) { + s1.x = source(); + if (guarded(s1.x)) { + sink(s1.x); // no flow + } else if (guarded(s1.y)) { + sink(s1.x); // flow + } else if (guarded(s2.y)) { + sink(s1.x); // flow + } +} + +void bg_structptr(XY *p1, XY *p2) { + p1->x = source(); + if (guarded(p1->x)) { + sink(p1->x); // no flow [FALSE POSITIVE in AST] + } else if (guarded(p1->y)) { + sink(p1->x); // flow [NOT DETECTED in IR] + } else if (guarded(p2->x)) { + sink(p1->x); // flow [NOT DETECTED in IR] + } +} diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll b/cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll index 02ee4d45380..a81394640ee 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/DataflowTestCommon.qll @@ -1,6 +1,20 @@ import cpp import semmle.code.cpp.dataflow.DataFlow +/** + * A `BarrierGuard` that stops flow to all occurrences of `x` within statement + * S in `if (guarded(x)) S`. + */ +// This is tested in `BarrierGuard.cpp`. +class TestBarrierGuard extends DataFlow::BarrierGuard { + TestBarrierGuard() { this.(FunctionCall).getTarget().getName() = "guarded" } + + override predicate checks(Expr checked, boolean isTrue) { + checked = this.(FunctionCall).getArgument(0) and + isTrue = true + } +} + /** Common data flow configuration to be used by tests. */ class TestAllocationConfig extends DataFlow::Configuration { TestAllocationConfig() { this = "TestAllocationConfig" } @@ -26,4 +40,6 @@ class TestAllocationConfig extends DataFlow::Configuration { override predicate isBarrier(DataFlow::Node barrier) { barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") } + + override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard } } diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll b/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll index eb5fa14e2e0..490f7e4290a 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/IRDataflowTestCommon.qll @@ -1,5 +1,20 @@ import cpp import semmle.code.cpp.ir.dataflow.DataFlow +import semmle.code.cpp.ir.IR + +/** + * A `BarrierGuard` that stops flow to all occurrences of `x` within statement + * S in `if (guarded(x)) S`. + */ +// This is tested in `BarrierGuard.cpp`. +class TestBarrierGuard extends DataFlow::BarrierGuard { + TestBarrierGuard() { this.(CallInstruction).getStaticCallTarget().getName() = "guarded" } + + override predicate checks(Instruction checked, boolean isTrue) { + checked = this.(CallInstruction).getPositionalArgument(0) and + isTrue = true + } +} /** Common data flow configuration to be used by tests. */ class TestAllocationConfig extends DataFlow::Configuration { @@ -24,4 +39,6 @@ class TestAllocationConfig extends DataFlow::Configuration { override predicate isBarrier(DataFlow::Node barrier) { barrier.asExpr().(VariableAccess).getTarget().hasName("barrier") } + + override predicate isBarrierGuard(DataFlow::BarrierGuard bg) { bg instanceof TestBarrierGuard } } diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected index b9fca1f678f..6527db4b77e 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.expected @@ -1,3 +1,13 @@ +| BarrierGuard.cpp:9:10:9:15 | source | BarrierGuard.cpp:5:19:5:24 | source | +| BarrierGuard.cpp:15:10:15:15 | source | BarrierGuard.cpp:13:17:13:22 | source | +| BarrierGuard.cpp:25:10:25:15 | source | BarrierGuard.cpp:21:17:21:22 | source | +| BarrierGuard.cpp:31:10:31:15 | source | BarrierGuard.cpp:29:16:29:21 | source | +| BarrierGuard.cpp:33:10:33:15 | source | BarrierGuard.cpp:29:16:29:21 | source | +| BarrierGuard.cpp:53:13:53:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source | +| BarrierGuard.cpp:55:13:55:13 | x | BarrierGuard.cpp:49:10:49:15 | call to source | +| BarrierGuard.cpp:62:14:62:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source | +| BarrierGuard.cpp:64:14:64:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source | +| BarrierGuard.cpp:66:14:66:14 | x | BarrierGuard.cpp:60:11:60:16 | call to source | | acrossLinkTargets.cpp:12:8:12:8 | x | acrossLinkTargets.cpp:19:27:19:32 | call to source | | clang.cpp:18:8:18:19 | sourceArray1 | clang.cpp:12:9:12:20 | sourceArray1 | | clang.cpp:22:8:22:20 | & ... | clang.cpp:12:9:12:20 | sourceArray1 | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected index cd7e3dac785..7d0d4e7d72e 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_diff.expected @@ -1,3 +1,6 @@ +| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:62:14:62:14 | AST only | +| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:64:14:64:14 | AST only | +| BarrierGuard.cpp:60:11:60:16 | BarrierGuard.cpp:66:14:66:14 | AST only | | clang.cpp:12:9:12:20 | clang.cpp:22:8:22:20 | AST only | | clang.cpp:28:27:28:32 | clang.cpp:29:27:29:28 | AST only | | clang.cpp:28:27:28:32 | clang.cpp:30:27:30:34 | AST only | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected index 83ba546480f..9b67a013a58 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected @@ -1,3 +1,10 @@ +| BarrierGuard.cpp:9:10:9:15 | Load: source | BarrierGuard.cpp:5:19:5:24 | InitializeParameter: source | +| BarrierGuard.cpp:15:10:15:15 | Load: source | BarrierGuard.cpp:13:17:13:22 | InitializeParameter: source | +| BarrierGuard.cpp:25:10:25:15 | Load: source | BarrierGuard.cpp:21:17:21:22 | InitializeParameter: source | +| BarrierGuard.cpp:31:10:31:15 | Load: source | BarrierGuard.cpp:29:16:29:21 | InitializeParameter: source | +| BarrierGuard.cpp:33:10:33:15 | Load: source | BarrierGuard.cpp:29:16:29:21 | InitializeParameter: source | +| BarrierGuard.cpp:53:13:53:13 | Load: x | BarrierGuard.cpp:49:10:49:15 | Call: call to source | +| BarrierGuard.cpp:55:13:55:13 | Load: x | BarrierGuard.cpp:49:10:49:15 | Call: call to source | | acrossLinkTargets.cpp:12:8:12:8 | Convert: (int)... | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source | | acrossLinkTargets.cpp:12:8:12:8 | Load: x | acrossLinkTargets.cpp:19:27:19:32 | Call: call to source | | clang.cpp:18:8:18:19 | Convert: (const int *)... | clang.cpp:12:9:12:20 | InitializeParameter: sourceArray1 | diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected index 5de69a800bc..19a4288a4c4 100644 --- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected +++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected @@ -7795,16 +7795,16 @@ ir.cpp: # 1101| 0: [VariableAccess] x # 1101| Type = [IntType] int # 1101| ValueCategory = prvalue(load) -# 1104| [TopLevelFunction] void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&) +# 1104| [TopLevelFunction] void AsmStmtWithOutputs(unsigned int&, unsigned int, unsigned int&, unsigned int) # 1104| params: # 1104| 0: [Parameter] a # 1104| Type = [LValueReferenceType] unsigned int & # 1104| 1: [Parameter] b -# 1104| Type = [LValueReferenceType] unsigned int & +# 1104| Type = [IntType] unsigned int # 1104| 2: [Parameter] c # 1104| Type = [LValueReferenceType] unsigned int & # 1104| 3: [Parameter] d -# 1104| Type = [LValueReferenceType] unsigned int & +# 1104| Type = [IntType] unsigned int # 1105| body: [Block] { ... } # 1106| 0: [AsmStmt] asm statement # 1109| 0: [ReferenceDereferenceExpr] (reference dereference) @@ -7813,24 +7813,18 @@ ir.cpp: # 1109| expr: [VariableAccess] a # 1109| Type = [LValueReferenceType] unsigned int & # 1109| ValueCategory = prvalue(load) -# 1109| 1: [ReferenceDereferenceExpr] (reference dereference) +# 1109| 1: [VariableAccess] b # 1109| Type = [IntType] unsigned int # 1109| ValueCategory = lvalue -# 1109| expr: [VariableAccess] b -# 1109| Type = [LValueReferenceType] unsigned int & -# 1109| ValueCategory = prvalue(load) # 1109| 2: [ReferenceDereferenceExpr] (reference dereference) # 1109| Type = [IntType] unsigned int -# 1109| ValueCategory = lvalue +# 1109| ValueCategory = prvalue(load) # 1109| expr: [VariableAccess] c # 1109| Type = [LValueReferenceType] unsigned int & # 1109| ValueCategory = prvalue(load) -# 1109| 3: [ReferenceDereferenceExpr] (reference dereference) +# 1109| 3: [VariableAccess] d # 1109| Type = [IntType] unsigned int -# 1109| ValueCategory = lvalue -# 1109| expr: [VariableAccess] d -# 1109| Type = [LValueReferenceType] unsigned int & -# 1109| ValueCategory = prvalue(load) +# 1109| ValueCategory = prvalue(load) # 1111| 1: [ReturnStmt] return ... # 1113| [TopLevelFunction] void ExternDeclarations() # 1113| params: diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected index 012ff53039b..928f535f9d8 100644 --- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected +++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected @@ -14,3 +14,8 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/ir/ir/ir.cpp b/cpp/ql/test/library-tests/ir/ir/ir.cpp index 08748ecb8d2..7ebd2e22aee 100644 --- a/cpp/ql/test/library-tests/ir/ir/ir.cpp +++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp @@ -1101,12 +1101,12 @@ int AsmStmt(int x) { return x; } -static void AsmStmtWithOutputs(unsigned int& a, unsigned int& b, unsigned int& c, unsigned int& d) +static void AsmStmtWithOutputs(unsigned int& a, unsigned int b, unsigned int& c, unsigned int d) { __asm__ __volatile__ ( "cpuid\n\t" - : "+a" (a), "+b" (b), "+c" (c), "+d" (d) + : "+a" (a), "+b" (b) : "c" (c), "d" (d) ); } diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected index d7c144f7181..0827819e3cf 100644 --- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected +++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected @@ -14,12 +14,13 @@ bad_asts.cpp: # 16| r0_10(int) = Constant[1] : # 16| r0_11(int) = Call : func:r0_9, this:r0_8, 0:r0_10 # 16| mu0_12(unknown) = ^CallSideEffect : ~mu0_2 -# 16| v0_13(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2 +# 16| v0_13(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2 # 16| mu0_14(S) = ^IndirectMayWriteSideEffect[-1] : &:r0_8 # 17| v0_15(void) = NoOp : # 14| v0_16(void) = ReturnVoid : # 14| v0_17(void) = UnmodeledUse : mu* -# 14| v0_18(void) = ExitFunction : +# 14| v0_18(void) = AliasedUse : ~mu0_2 +# 14| v0_19(void) = ExitFunction : # 22| void Bad::Point::Point() # 22| Block 0 @@ -30,7 +31,8 @@ bad_asts.cpp: # 23| v0_4(void) = NoOp : # 22| v0_5(void) = ReturnVoid : # 22| v0_6(void) = UnmodeledUse : mu* -# 22| v0_7(void) = ExitFunction : +# 22| v0_7(void) = AliasedUse : ~mu0_2 +# 22| v0_8(void) = ExitFunction : # 26| void Bad::CallCopyConstructor(Bad::Point const&) # 26| Block 0 @@ -49,7 +51,8 @@ bad_asts.cpp: # 28| v0_12(void) = NoOp : # 26| v0_13(void) = ReturnVoid : # 26| v0_14(void) = UnmodeledUse : mu* -# 26| v0_15(void) = ExitFunction : +# 26| v0_15(void) = AliasedUse : ~mu0_2 +# 26| v0_16(void) = ExitFunction : # 30| void Bad::errorExpr() # 30| Block 0 @@ -69,7 +72,8 @@ bad_asts.cpp: # 34| v0_13(void) = NoOp : # 30| v0_14(void) = ReturnVoid : # 30| v0_15(void) = UnmodeledUse : mu* -# 30| v0_16(void) = ExitFunction : +# 30| v0_16(void) = AliasedUse : ~mu0_2 +# 30| v0_17(void) = ExitFunction : clang.cpp: # 5| int* globalIntAddress() @@ -84,7 +88,8 @@ clang.cpp: # 5| r0_7(glval) = VariableAddress[#return] : # 5| v0_8(void) = ReturnValue : &:r0_7, ~mu0_2 # 5| v0_9(void) = UnmodeledUse : mu* -# 5| v0_10(void) = ExitFunction : +# 5| v0_10(void) = AliasedUse : ~mu0_2 +# 5| v0_11(void) = ExitFunction : ir.cpp: # 1| void Constants() @@ -179,7 +184,8 @@ ir.cpp: # 41| v0_87(void) = NoOp : # 1| v0_88(void) = ReturnVoid : # 1| v0_89(void) = UnmodeledUse : mu* -# 1| v0_90(void) = ExitFunction : +# 1| v0_90(void) = AliasedUse : ~mu0_2 +# 1| v0_91(void) = ExitFunction : # 43| void Foo() # 43| Block 0 @@ -212,7 +218,8 @@ ir.cpp: # 48| v0_26(void) = NoOp : # 43| v0_27(void) = ReturnVoid : # 43| v0_28(void) = UnmodeledUse : mu* -# 43| v0_29(void) = ExitFunction : +# 43| v0_29(void) = AliasedUse : ~mu0_2 +# 43| v0_30(void) = ExitFunction : # 50| void IntegerOps(int, int) # 50| Block 0 @@ -385,7 +392,8 @@ ir.cpp: # 85| v0_166(void) = NoOp : # 50| v0_167(void) = ReturnVoid : # 50| v0_168(void) = UnmodeledUse : mu* -# 50| v0_169(void) = ExitFunction : +# 50| v0_169(void) = AliasedUse : ~mu0_2 +# 50| v0_170(void) = ExitFunction : # 87| void IntegerCompare(int, int) # 87| Block 0 @@ -443,7 +451,8 @@ ir.cpp: # 96| v0_51(void) = NoOp : # 87| v0_52(void) = ReturnVoid : # 87| v0_53(void) = UnmodeledUse : mu* -# 87| v0_54(void) = ExitFunction : +# 87| v0_54(void) = AliasedUse : ~mu0_2 +# 87| v0_55(void) = ExitFunction : # 98| void IntegerCrement(int) # 98| Block 0 @@ -485,7 +494,8 @@ ir.cpp: # 105| v0_35(void) = NoOp : # 98| v0_36(void) = ReturnVoid : # 98| v0_37(void) = UnmodeledUse : mu* -# 98| v0_38(void) = ExitFunction : +# 98| v0_38(void) = AliasedUse : ~mu0_2 +# 98| v0_39(void) = ExitFunction : # 107| void IntegerCrement_LValue(int) # 107| Block 0 @@ -517,7 +527,8 @@ ir.cpp: # 112| v0_25(void) = NoOp : # 107| v0_26(void) = ReturnVoid : # 107| v0_27(void) = UnmodeledUse : mu* -# 107| v0_28(void) = ExitFunction : +# 107| v0_28(void) = AliasedUse : ~mu0_2 +# 107| v0_29(void) = ExitFunction : # 114| void FloatOps(double, double) # 114| Block 0 @@ -599,7 +610,8 @@ ir.cpp: # 131| v0_75(void) = NoOp : # 114| v0_76(void) = ReturnVoid : # 114| v0_77(void) = UnmodeledUse : mu* -# 114| v0_78(void) = ExitFunction : +# 114| v0_78(void) = AliasedUse : ~mu0_2 +# 114| v0_79(void) = ExitFunction : # 133| void FloatCompare(double, double) # 133| Block 0 @@ -657,7 +669,8 @@ ir.cpp: # 142| v0_51(void) = NoOp : # 133| v0_52(void) = ReturnVoid : # 133| v0_53(void) = UnmodeledUse : mu* -# 133| v0_54(void) = ExitFunction : +# 133| v0_54(void) = AliasedUse : ~mu0_2 +# 133| v0_55(void) = ExitFunction : # 144| void FloatCrement(float) # 144| Block 0 @@ -699,7 +712,8 @@ ir.cpp: # 151| v0_35(void) = NoOp : # 144| v0_36(void) = ReturnVoid : # 144| v0_37(void) = UnmodeledUse : mu* -# 144| v0_38(void) = ExitFunction : +# 144| v0_38(void) = AliasedUse : ~mu0_2 +# 144| v0_39(void) = ExitFunction : # 153| void PointerOps(int*, int) # 153| Block 0 @@ -775,7 +789,8 @@ ir.cpp: # 169| v0_69(void) = NoOp : # 153| v0_70(void) = ReturnVoid : # 153| v0_71(void) = UnmodeledUse : mu* -# 153| v0_72(void) = ExitFunction : +# 153| v0_72(void) = AliasedUse : ~mu0_2 +# 153| v0_73(void) = ExitFunction : # 171| void ArrayAccess(int*, int) # 171| Block 0 @@ -857,7 +872,8 @@ ir.cpp: # 185| v0_75(void) = NoOp : # 171| v0_76(void) = ReturnVoid : # 171| v0_77(void) = UnmodeledUse : mu* -# 171| v0_78(void) = ExitFunction : +# 171| v0_78(void) = AliasedUse : ~mu0_2 +# 171| v0_79(void) = ExitFunction : # 187| void StringLiteral(int) # 187| Block 0 @@ -890,7 +906,8 @@ ir.cpp: # 191| v0_26(void) = NoOp : # 187| v0_27(void) = ReturnVoid : # 187| v0_28(void) = UnmodeledUse : mu* -# 187| v0_29(void) = ExitFunction : +# 187| v0_29(void) = AliasedUse : ~mu0_2 +# 187| v0_30(void) = ExitFunction : # 193| void PointerCompare(int*, int*) # 193| Block 0 @@ -948,7 +965,8 @@ ir.cpp: # 202| v0_51(void) = NoOp : # 193| v0_52(void) = ReturnVoid : # 193| v0_53(void) = UnmodeledUse : mu* -# 193| v0_54(void) = ExitFunction : +# 193| v0_54(void) = AliasedUse : ~mu0_2 +# 193| v0_55(void) = ExitFunction : # 204| void PointerCrement(int*) # 204| Block 0 @@ -990,7 +1008,8 @@ ir.cpp: # 211| v0_35(void) = NoOp : # 204| v0_36(void) = ReturnVoid : # 204| v0_37(void) = UnmodeledUse : mu* -# 204| v0_38(void) = ExitFunction : +# 204| v0_38(void) = AliasedUse : ~mu0_2 +# 204| v0_39(void) = ExitFunction : # 213| void CompoundAssignment() # 213| Block 0 @@ -1034,7 +1053,8 @@ ir.cpp: # 228| v0_37(void) = NoOp : # 213| v0_38(void) = ReturnVoid : # 213| v0_39(void) = UnmodeledUse : mu* -# 213| v0_40(void) = ExitFunction : +# 213| v0_40(void) = AliasedUse : ~mu0_2 +# 213| v0_41(void) = ExitFunction : # 230| void UninitializedVariables() # 230| Block 0 @@ -1050,7 +1070,8 @@ ir.cpp: # 233| v0_9(void) = NoOp : # 230| v0_10(void) = ReturnVoid : # 230| v0_11(void) = UnmodeledUse : mu* -# 230| v0_12(void) = ExitFunction : +# 230| v0_12(void) = AliasedUse : ~mu0_2 +# 230| v0_13(void) = ExitFunction : # 235| int Parameters(int, int) # 235| Block 0 @@ -1071,7 +1092,8 @@ ir.cpp: # 235| r0_14(glval) = VariableAddress[#return] : # 235| v0_15(void) = ReturnValue : &:r0_14, ~mu0_2 # 235| v0_16(void) = UnmodeledUse : mu* -# 235| v0_17(void) = ExitFunction : +# 235| v0_17(void) = AliasedUse : ~mu0_2 +# 235| v0_18(void) = ExitFunction : # 239| void IfStatements(bool, int, int) # 239| Block 0 @@ -1129,7 +1151,8 @@ ir.cpp: # 251| v6_0(void) = NoOp : # 239| v6_1(void) = ReturnVoid : # 239| v6_2(void) = UnmodeledUse : mu* -# 239| v6_3(void) = ExitFunction : +# 239| v6_3(void) = AliasedUse : ~mu0_2 +# 239| v6_4(void) = ExitFunction : # 240| Block 7 # 240| v7_0(void) = NoOp : @@ -1156,7 +1179,8 @@ ir.cpp: # 257| v2_0(void) = NoOp : # 253| v2_1(void) = ReturnVoid : # 253| v2_2(void) = UnmodeledUse : mu* -# 253| v2_3(void) = ExitFunction : +# 253| v2_3(void) = AliasedUse : ~mu0_2 +# 253| v2_4(void) = ExitFunction : # 254| Block 3 # 254| r3_0(glval) = VariableAddress[n] : @@ -1194,7 +1218,8 @@ ir.cpp: # 263| v2_0(void) = NoOp : # 259| v2_1(void) = ReturnVoid : # 259| v2_2(void) = UnmodeledUse : mu* -# 259| v2_3(void) = ExitFunction : +# 259| v2_3(void) = AliasedUse : ~mu0_2 +# 259| v2_4(void) = ExitFunction : # 265| void For_Empty() # 265| Block 0 @@ -1208,7 +1233,8 @@ ir.cpp: # 265| Block 1 # 265| v1_0(void) = ReturnVoid : # 265| v1_1(void) = UnmodeledUse : mu* -# 265| v1_2(void) = ExitFunction : +# 265| v1_2(void) = AliasedUse : ~mu0_2 +# 265| v1_3(void) = ExitFunction : # 268| Block 2 # 268| v2_0(void) = NoOp : @@ -1227,7 +1253,8 @@ ir.cpp: # 272| Block 1 # 272| v1_0(void) = ReturnVoid : # 272| v1_1(void) = UnmodeledUse : mu* -# 272| v1_2(void) = ExitFunction : +# 272| v1_2(void) = AliasedUse : ~mu0_2 +# 272| v1_3(void) = ExitFunction : # 274| Block 2 # 274| v2_0(void) = NoOp : @@ -1260,7 +1287,8 @@ ir.cpp: # 283| v3_0(void) = NoOp : # 278| v3_1(void) = ReturnVoid : # 278| v3_2(void) = UnmodeledUse : mu* -# 278| v3_3(void) = ExitFunction : +# 278| v3_3(void) = AliasedUse : ~mu0_2 +# 278| v3_4(void) = ExitFunction : # 285| void For_Update() # 285| Block 0 @@ -1275,7 +1303,8 @@ ir.cpp: # 285| Block 1 # 285| v1_0(void) = ReturnVoid : # 285| v1_1(void) = UnmodeledUse : mu* -# 285| v1_2(void) = ExitFunction : +# 285| v1_2(void) = AliasedUse : ~mu0_2 +# 285| v1_3(void) = ExitFunction : # 288| Block 2 # 288| v2_0(void) = NoOp : @@ -1313,7 +1342,8 @@ ir.cpp: # 296| v3_0(void) = NoOp : # 292| v3_1(void) = ReturnVoid : # 292| v3_2(void) = UnmodeledUse : mu* -# 292| v3_3(void) = ExitFunction : +# 292| v3_3(void) = AliasedUse : ~mu0_2 +# 292| v3_4(void) = ExitFunction : # 298| void For_InitUpdate() # 298| Block 0 @@ -1328,7 +1358,8 @@ ir.cpp: # 298| Block 1 # 298| v1_0(void) = ReturnVoid : # 298| v1_1(void) = UnmodeledUse : mu* -# 298| v1_2(void) = ExitFunction : +# 298| v1_2(void) = AliasedUse : ~mu0_2 +# 298| v1_3(void) = ExitFunction : # 300| Block 2 # 300| v2_0(void) = NoOp : @@ -1371,7 +1402,8 @@ ir.cpp: # 309| v3_0(void) = NoOp : # 304| v3_1(void) = ReturnVoid : # 304| v3_2(void) = UnmodeledUse : mu* -# 304| v3_3(void) = ExitFunction : +# 304| v3_3(void) = AliasedUse : ~mu0_2 +# 304| v3_4(void) = ExitFunction : # 311| void For_InitConditionUpdate() # 311| Block 0 @@ -1405,7 +1437,8 @@ ir.cpp: # 315| v3_0(void) = NoOp : # 311| v3_1(void) = ReturnVoid : # 311| v3_2(void) = UnmodeledUse : mu* -# 311| v3_3(void) = ExitFunction : +# 311| v3_3(void) = AliasedUse : ~mu0_2 +# 311| v3_4(void) = ExitFunction : # 317| void For_Break() # 317| Block 0 @@ -1452,7 +1485,8 @@ ir.cpp: # 323| v5_1(void) = NoOp : # 317| v5_2(void) = ReturnVoid : # 317| v5_3(void) = UnmodeledUse : mu* -# 317| v5_4(void) = ExitFunction : +# 317| v5_4(void) = AliasedUse : ~mu0_2 +# 317| v5_5(void) = ExitFunction : # 325| void For_Continue_Update() # 325| Block 0 @@ -1499,7 +1533,8 @@ ir.cpp: # 331| v5_0(void) = NoOp : # 325| v5_1(void) = ReturnVoid : # 325| v5_2(void) = UnmodeledUse : mu* -# 325| v5_3(void) = ExitFunction : +# 325| v5_3(void) = AliasedUse : ~mu0_2 +# 325| v5_4(void) = ExitFunction : # 333| void For_Continue_NoUpdate() # 333| Block 0 @@ -1541,7 +1576,8 @@ ir.cpp: # 339| v5_0(void) = NoOp : # 333| v5_1(void) = ReturnVoid : # 333| v5_2(void) = UnmodeledUse : mu* -# 333| v5_3(void) = ExitFunction : +# 333| v5_3(void) = AliasedUse : ~mu0_2 +# 333| v5_4(void) = ExitFunction : # 341| int Dereference(int*) # 341| Block 0 @@ -1563,7 +1599,8 @@ ir.cpp: # 341| r0_15(glval) = VariableAddress[#return] : # 341| v0_16(void) = ReturnValue : &:r0_15, ~mu0_2 # 341| v0_17(void) = UnmodeledUse : mu* -# 341| v0_18(void) = ExitFunction : +# 341| v0_18(void) = AliasedUse : ~mu0_2 +# 341| v0_19(void) = ExitFunction : # 348| int* AddressOf() # 348| Block 0 @@ -1577,7 +1614,8 @@ ir.cpp: # 348| r0_7(glval) = VariableAddress[#return] : # 348| v0_8(void) = ReturnValue : &:r0_7, ~mu0_2 # 348| v0_9(void) = UnmodeledUse : mu* -# 348| v0_10(void) = ExitFunction : +# 348| v0_10(void) = AliasedUse : ~mu0_2 +# 348| v0_11(void) = ExitFunction : # 352| void Break(int) # 352| Block 0 @@ -1614,7 +1652,8 @@ ir.cpp: # 358| v4_1(void) = NoOp : # 352| v4_2(void) = ReturnVoid : # 352| v4_3(void) = UnmodeledUse : mu* -# 352| v4_4(void) = ExitFunction : +# 352| v4_4(void) = AliasedUse : ~mu0_2 +# 352| v4_5(void) = ExitFunction : # 353| Block 5 # 353| r5_0(glval) = VariableAddress[n] : @@ -1669,7 +1708,8 @@ ir.cpp: # 367| v5_0(void) = NoOp : # 360| v5_1(void) = ReturnVoid : # 360| v5_2(void) = UnmodeledUse : mu* -# 360| v5_3(void) = ExitFunction : +# 360| v5_3(void) = AliasedUse : ~mu0_2 +# 360| v5_4(void) = ExitFunction : # 372| void Call() # 372| Block 0 @@ -1682,7 +1722,8 @@ ir.cpp: # 374| v0_6(void) = NoOp : # 372| v0_7(void) = ReturnVoid : # 372| v0_8(void) = UnmodeledUse : mu* -# 372| v0_9(void) = ExitFunction : +# 372| v0_9(void) = AliasedUse : ~mu0_2 +# 372| v0_10(void) = ExitFunction : # 376| int CallAdd(int, int) # 376| Block 0 @@ -1705,7 +1746,8 @@ ir.cpp: # 376| r0_16(glval) = VariableAddress[#return] : # 376| v0_17(void) = ReturnValue : &:r0_16, ~mu0_2 # 376| v0_18(void) = UnmodeledUse : mu* -# 376| v0_19(void) = ExitFunction : +# 376| v0_19(void) = AliasedUse : ~mu0_2 +# 376| v0_20(void) = ExitFunction : # 380| int Comma(int, int) # 380| Block 0 @@ -1732,7 +1774,8 @@ ir.cpp: # 380| r0_20(glval) = VariableAddress[#return] : # 380| v0_21(void) = ReturnValue : &:r0_20, ~mu0_2 # 380| v0_22(void) = UnmodeledUse : mu* -# 380| v0_23(void) = ExitFunction : +# 380| v0_23(void) = AliasedUse : ~mu0_2 +# 380| v0_24(void) = ExitFunction : # 384| void Switch(int) # 384| Block 0 @@ -1813,7 +1856,8 @@ ir.cpp: # 410| v9_1(void) = NoOp : # 384| v9_2(void) = ReturnVoid : # 384| v9_3(void) = UnmodeledUse : mu* -# 384| v9_4(void) = ExitFunction : +# 384| v9_4(void) = AliasedUse : ~mu0_2 +# 384| v9_5(void) = ExitFunction : # 422| Point ReturnStruct(Point) # 422| Block 0 @@ -1829,7 +1873,8 @@ ir.cpp: # 422| r0_9(glval) = VariableAddress[#return] : # 422| v0_10(void) = ReturnValue : &:r0_9, ~mu0_2 # 422| v0_11(void) = UnmodeledUse : mu* -# 422| v0_12(void) = ExitFunction : +# 422| v0_12(void) = AliasedUse : ~mu0_2 +# 422| v0_13(void) = ExitFunction : # 426| void FieldAccess() # 426| Block 0 @@ -1856,7 +1901,8 @@ ir.cpp: # 431| v0_20(void) = NoOp : # 426| v0_21(void) = ReturnVoid : # 426| v0_22(void) = UnmodeledUse : mu* -# 426| v0_23(void) = ExitFunction : +# 426| v0_23(void) = AliasedUse : ~mu0_2 +# 426| v0_24(void) = ExitFunction : # 433| void LogicalOr(bool, bool) # 433| Block 0 @@ -1918,7 +1964,8 @@ ir.cpp: # 445| v7_0(void) = NoOp : # 433| v7_1(void) = ReturnVoid : # 433| v7_2(void) = UnmodeledUse : mu* -# 433| v7_3(void) = ExitFunction : +# 433| v7_3(void) = AliasedUse : ~mu0_2 +# 433| v7_4(void) = ExitFunction : # 447| void LogicalAnd(bool, bool) # 447| Block 0 @@ -1980,7 +2027,8 @@ ir.cpp: # 459| v7_0(void) = NoOp : # 447| v7_1(void) = ReturnVoid : # 447| v7_2(void) = UnmodeledUse : mu* -# 447| v7_3(void) = ExitFunction : +# 447| v7_3(void) = AliasedUse : ~mu0_2 +# 447| v7_4(void) = ExitFunction : # 461| void LogicalNot(bool, bool) # 461| Block 0 @@ -2035,7 +2083,8 @@ ir.cpp: # 473| v6_0(void) = NoOp : # 461| v6_1(void) = ReturnVoid : # 461| v6_2(void) = UnmodeledUse : mu* -# 461| v6_3(void) = ExitFunction : +# 461| v6_3(void) = AliasedUse : ~mu0_2 +# 461| v6_4(void) = ExitFunction : # 475| void ConditionValues(bool, bool) # 475| Block 0 @@ -2106,7 +2155,8 @@ ir.cpp: # 480| v7_5(void) = NoOp : # 475| v7_6(void) = ReturnVoid : # 475| v7_7(void) = UnmodeledUse : mu* -# 475| v7_8(void) = ExitFunction : +# 475| v7_8(void) = AliasedUse : ~mu0_2 +# 475| v7_9(void) = ExitFunction : # 479| Block 8 # 479| r8_0(glval) = VariableAddress[#temp479:11] : @@ -2183,7 +2233,8 @@ ir.cpp: # 484| v3_3(void) = NoOp : # 482| v3_4(void) = ReturnVoid : # 482| v3_5(void) = UnmodeledUse : mu* -# 482| v3_6(void) = ExitFunction : +# 482| v3_6(void) = AliasedUse : ~mu0_2 +# 482| v3_7(void) = ExitFunction : # 486| void Conditional_LValue(bool) # 486| Block 0 @@ -2204,24 +2255,25 @@ ir.cpp: #-----| True -> Block 2 # 489| Block 1 -# 489| r1_0(glval) = VariableAddress[#temp489:6] : -# 489| r1_1(glval) = Load : &:r1_0, ~mu0_2 -# 489| mu1_2(int) = Store : &:r1_1, r0_9 -# 490| v1_3(void) = NoOp : -# 486| v1_4(void) = ReturnVoid : -# 486| v1_5(void) = UnmodeledUse : mu* -# 486| v1_6(void) = ExitFunction : +# 489| r1_0(glval) = VariableAddress[#temp489:6] : +# 489| r1_1(glval) = Load : &:r1_0, ~mu0_2 +# 489| mu1_2(int) = Store : &:r1_1, r0_9 +# 490| v1_3(void) = NoOp : +# 486| v1_4(void) = ReturnVoid : +# 486| v1_5(void) = UnmodeledUse : mu* +# 486| v1_6(void) = AliasedUse : ~mu0_2 +# 486| v1_7(void) = ExitFunction : # 489| Block 2 -# 489| r2_0(glval) = VariableAddress[x] : -# 489| r2_1(glval) = VariableAddress[#temp489:6] : -# 489| mu2_2(int) = Store : &:r2_1, r2_0 +# 489| r2_0(glval) = VariableAddress[x] : +# 489| r2_1(glval) = VariableAddress[#temp489:6] : +# 489| mu2_2(glval) = Store : &:r2_1, r2_0 #-----| Goto -> Block 1 # 489| Block 3 -# 489| r3_0(glval) = VariableAddress[y] : -# 489| r3_1(glval) = VariableAddress[#temp489:6] : -# 489| mu3_2(int) = Store : &:r3_1, r3_0 +# 489| r3_0(glval) = VariableAddress[y] : +# 489| r3_1(glval) = VariableAddress[#temp489:6] : +# 489| mu3_2(glval) = Store : &:r3_1, r3_0 #-----| Goto -> Block 1 # 492| void Conditional_Void(bool) @@ -2241,7 +2293,8 @@ ir.cpp: # 494| v1_0(void) = NoOp : # 492| v1_1(void) = ReturnVoid : # 492| v1_2(void) = UnmodeledUse : mu* -# 492| v1_3(void) = ExitFunction : +# 492| v1_3(void) = AliasedUse : ~mu0_2 +# 492| v1_4(void) = ExitFunction : # 493| Block 2 # 493| r2_0(glval) = FunctionAddress[VoidFunc] : @@ -2275,7 +2328,8 @@ ir.cpp: # 501| v0_15(void) = NoOp : # 496| v0_16(void) = ReturnVoid : # 496| v0_17(void) = UnmodeledUse : mu* -# 496| v0_18(void) = ExitFunction : +# 496| v0_18(void) = AliasedUse : ~mu0_2 +# 496| v0_19(void) = ExitFunction : # 503| void InitList(int, float) # 503| Block 0 @@ -2323,7 +2377,8 @@ ir.cpp: # 510| v0_41(void) = NoOp : # 503| v0_42(void) = ReturnVoid : # 503| v0_43(void) = UnmodeledUse : mu* -# 503| v0_44(void) = ExitFunction : +# 503| v0_44(void) = AliasedUse : ~mu0_2 +# 503| v0_45(void) = ExitFunction : # 512| void NestedInitList(int, float) # 512| Block 0 @@ -2400,7 +2455,8 @@ ir.cpp: # 517| v0_70(void) = NoOp : # 512| v0_71(void) = ReturnVoid : # 512| v0_72(void) = UnmodeledUse : mu* -# 512| v0_73(void) = ExitFunction : +# 512| v0_73(void) = AliasedUse : ~mu0_2 +# 512| v0_74(void) = ExitFunction : # 519| void ArrayInit(int, float) # 519| Block 0 @@ -2448,7 +2504,8 @@ ir.cpp: # 523| v0_41(void) = NoOp : # 519| v0_42(void) = ReturnVoid : # 519| v0_43(void) = UnmodeledUse : mu* -# 519| v0_44(void) = ExitFunction : +# 519| v0_44(void) = AliasedUse : ~mu0_2 +# 519| v0_45(void) = ExitFunction : # 530| void UnionInit(int, float) # 530| Block 0 @@ -2469,7 +2526,8 @@ ir.cpp: # 533| v0_14(void) = NoOp : # 530| v0_15(void) = ReturnVoid : # 530| v0_16(void) = UnmodeledUse : mu* -# 530| v0_17(void) = ExitFunction : +# 530| v0_17(void) = AliasedUse : ~mu0_2 +# 530| v0_18(void) = ExitFunction : # 535| void EarlyReturn(int, int) # 535| Block 0 @@ -2492,7 +2550,8 @@ ir.cpp: # 535| Block 1 # 535| v1_0(void) = ReturnVoid : # 535| v1_1(void) = UnmodeledUse : mu* -# 535| v1_2(void) = ExitFunction : +# 535| v1_2(void) = AliasedUse : ~mu0_2 +# 535| v1_3(void) = ExitFunction : # 537| Block 2 # 537| v2_0(void) = NoOp : @@ -2528,7 +2587,8 @@ ir.cpp: # 543| r1_0(glval) = VariableAddress[#return] : # 543| v1_1(void) = ReturnValue : &:r1_0, ~mu0_2 # 543| v1_2(void) = UnmodeledUse : mu* -# 543| v1_3(void) = ExitFunction : +# 543| v1_3(void) = AliasedUse : ~mu0_2 +# 543| v1_4(void) = ExitFunction : # 545| Block 2 # 545| r2_0(glval) = VariableAddress[#return] : @@ -2564,7 +2624,8 @@ ir.cpp: # 551| r0_12(glval) = VariableAddress[#return] : # 551| v0_13(void) = ReturnValue : &:r0_12, ~mu0_2 # 551| v0_14(void) = UnmodeledUse : mu* -# 551| v0_15(void) = ExitFunction : +# 551| v0_15(void) = AliasedUse : ~mu0_2 +# 551| v0_16(void) = ExitFunction : # 560| int EnumSwitch(E) # 560| Block 0 @@ -2585,7 +2646,8 @@ ir.cpp: # 560| r1_0(glval) = VariableAddress[#return] : # 560| v1_1(void) = ReturnValue : &:r1_0, ~mu0_2 # 560| v1_2(void) = UnmodeledUse : mu* -# 560| v1_3(void) = ExitFunction : +# 560| v1_3(void) = AliasedUse : ~mu0_2 +# 560| v1_4(void) = ExitFunction : # 564| Block 2 # 564| v2_0(void) = NoOp : @@ -2670,7 +2732,8 @@ ir.cpp: # 580| v0_57(void) = NoOp : # 571| v0_58(void) = ReturnVoid : # 571| v0_59(void) = UnmodeledUse : mu* -# 571| v0_60(void) = ExitFunction : +# 571| v0_60(void) = AliasedUse : ~mu0_2 +# 571| v0_61(void) = ExitFunction : # 584| void VarArgs() # 584| Block 0 @@ -2685,14 +2748,15 @@ ir.cpp: # 585| r0_8(char *) = Convert : r0_7 # 585| v0_9(void) = Call : func:r0_3, 0:r0_5, 1:r0_6, 2:r0_8 # 585| mu0_10(unknown) = ^CallSideEffect : ~mu0_2 -# 585| v0_11(void) = ^IndirectReadSideEffect[0] : &:r0_5, ~mu0_2 -# 585| v0_12(void) = ^IndirectReadSideEffect[2] : &:r0_8, ~mu0_2 +# 585| v0_11(void) = ^BufferReadSideEffect[0] : &:r0_5, ~mu0_2 +# 585| v0_12(void) = ^BufferReadSideEffect[2] : &:r0_8, ~mu0_2 # 585| mu0_13(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_5 # 585| mu0_14(unknown) = ^BufferMayWriteSideEffect[2] : &:r0_8 # 586| v0_15(void) = NoOp : # 584| v0_16(void) = ReturnVoid : # 584| v0_17(void) = UnmodeledUse : mu* -# 584| v0_18(void) = ExitFunction : +# 584| v0_18(void) = AliasedUse : ~mu0_2 +# 584| v0_19(void) = ExitFunction : # 590| void SetFuncPtr() # 590| Block 0 @@ -2700,13 +2764,13 @@ ir.cpp: # 590| mu0_1(unknown) = AliasedDefinition : # 590| mu0_2(unknown) = UnmodeledDefinition : # 591| r0_3(glval<..(*)(..)>) = VariableAddress[pfn] : -# 591| r0_4(glval<..(*)(..)>) = FunctionAddress[FuncPtrTarget] : +# 591| r0_4(..(*)(..)) = FunctionAddress[FuncPtrTarget] : # 591| mu0_5(..(*)(..)) = Store : &:r0_3, r0_4 # 592| r0_6(glval<..()(..)>) = FunctionAddress[FuncPtrTarget] : # 592| r0_7(..(*)(..)) = CopyValue : r0_6 # 592| r0_8(glval<..(*)(..)>) = VariableAddress[pfn] : # 592| mu0_9(..(*)(..)) = Store : &:r0_8, r0_7 -# 593| r0_10(glval<..(*)(..)>) = FunctionAddress[FuncPtrTarget] : +# 593| r0_10(..(*)(..)) = FunctionAddress[FuncPtrTarget] : # 593| r0_11(..(*)(..)) = CopyValue : r0_10 # 593| r0_12(glval<..(*)(..)>) = VariableAddress[pfn] : # 593| mu0_13(..(*)(..)) = Store : &:r0_12, r0_11 @@ -2720,7 +2784,8 @@ ir.cpp: # 595| v0_21(void) = NoOp : # 590| v0_22(void) = ReturnVoid : # 590| v0_23(void) = UnmodeledUse : mu* -# 590| v0_24(void) = ExitFunction : +# 590| v0_24(void) = AliasedUse : ~mu0_2 +# 590| v0_25(void) = ExitFunction : # 615| void DeclareObject() # 615| Block 0 @@ -2737,7 +2802,7 @@ ir.cpp: # 617| r0_10(char *) = Convert : r0_9 # 617| v0_11(void) = Call : func:r0_8, this:r0_7, 0:r0_10 # 617| mu0_12(unknown) = ^CallSideEffect : ~mu0_2 -# 617| v0_13(void) = ^IndirectReadSideEffect[0] : &:r0_10, ~mu0_2 +# 617| v0_13(void) = ^BufferReadSideEffect[0] : &:r0_10, ~mu0_2 # 617| mu0_14(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_10 # 618| r0_15(glval) = VariableAddress[s3] : # 618| r0_16(glval) = FunctionAddress[ReturnObject] : @@ -2750,12 +2815,13 @@ ir.cpp: # 619| r0_23(char *) = Convert : r0_22 # 619| v0_24(void) = Call : func:r0_21, this:r0_20, 0:r0_23 # 619| mu0_25(unknown) = ^CallSideEffect : ~mu0_2 -# 619| v0_26(void) = ^IndirectReadSideEffect[0] : &:r0_23, ~mu0_2 +# 619| v0_26(void) = ^BufferReadSideEffect[0] : &:r0_23, ~mu0_2 # 619| mu0_27(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_23 # 620| v0_28(void) = NoOp : # 615| v0_29(void) = ReturnVoid : # 615| v0_30(void) = UnmodeledUse : mu* -# 615| v0_31(void) = ExitFunction : +# 615| v0_31(void) = AliasedUse : ~mu0_2 +# 615| v0_32(void) = ExitFunction : # 622| void CallMethods(String&, String*, String) # 622| Block 0 @@ -2775,7 +2841,7 @@ ir.cpp: # 623| r0_13(glval) = FunctionAddress[c_str] : # 623| r0_14(char *) = Call : func:r0_13, this:r0_12 # 623| mu0_15(unknown) = ^CallSideEffect : ~mu0_2 -# 623| v0_16(void) = ^IndirectReadSideEffect[-1] : &:r0_12, ~mu0_2 +# 623| v0_16(void) = ^BufferReadSideEffect[-1] : &:r0_12, ~mu0_2 # 623| mu0_17(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_12 # 624| r0_18(glval) = VariableAddress[p] : # 624| r0_19(String *) = Load : &:r0_18, ~mu0_2 @@ -2783,19 +2849,20 @@ ir.cpp: # 624| r0_21(glval) = FunctionAddress[c_str] : # 624| r0_22(char *) = Call : func:r0_21, this:r0_20 # 624| mu0_23(unknown) = ^CallSideEffect : ~mu0_2 -# 624| v0_24(void) = ^IndirectReadSideEffect[-1] : &:r0_20, ~mu0_2 +# 624| v0_24(void) = ^BufferReadSideEffect[-1] : &:r0_20, ~mu0_2 # 624| mu0_25(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_20 # 625| r0_26(glval) = VariableAddress[s] : # 625| r0_27(glval) = Convert : r0_26 # 625| r0_28(glval) = FunctionAddress[c_str] : # 625| r0_29(char *) = Call : func:r0_28, this:r0_27 # 625| mu0_30(unknown) = ^CallSideEffect : ~mu0_2 -# 625| v0_31(void) = ^IndirectReadSideEffect[-1] : &:r0_27, ~mu0_2 +# 625| v0_31(void) = ^BufferReadSideEffect[-1] : &:r0_27, ~mu0_2 # 625| mu0_32(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_27 # 626| v0_33(void) = NoOp : # 622| v0_34(void) = ReturnVoid : # 622| v0_35(void) = UnmodeledUse : mu* -# 622| v0_36(void) = ExitFunction : +# 622| v0_36(void) = AliasedUse : ~mu0_2 +# 622| v0_37(void) = ExitFunction : # 630| int C::StaticMemberFunction(int) # 630| Block 0 @@ -2811,7 +2878,8 @@ ir.cpp: # 630| r0_9(glval) = VariableAddress[#return] : # 630| v0_10(void) = ReturnValue : &:r0_9, ~mu0_2 # 630| v0_11(void) = UnmodeledUse : mu* -# 630| v0_12(void) = ExitFunction : +# 630| v0_12(void) = AliasedUse : ~mu0_2 +# 630| v0_13(void) = ExitFunction : # 634| int C::InstanceMemberFunction(int) # 634| Block 0 @@ -2828,7 +2896,8 @@ ir.cpp: # 634| r0_10(glval) = VariableAddress[#return] : # 634| v0_11(void) = ReturnValue : &:r0_10, ~mu0_2 # 634| v0_12(void) = UnmodeledUse : mu* -# 634| v0_13(void) = ExitFunction : +# 634| v0_13(void) = AliasedUse : ~mu0_2 +# 634| v0_14(void) = ExitFunction : # 638| int C::VirtualMemberFunction(int) # 638| Block 0 @@ -2845,7 +2914,8 @@ ir.cpp: # 638| r0_10(glval) = VariableAddress[#return] : # 638| v0_11(void) = ReturnValue : &:r0_10, ~mu0_2 # 638| v0_12(void) = UnmodeledUse : mu* -# 638| v0_13(void) = ExitFunction : +# 638| v0_13(void) = AliasedUse : ~mu0_2 +# 638| v0_14(void) = ExitFunction : # 642| void C::FieldAccess() # 642| Block 0 @@ -2887,7 +2957,8 @@ ir.cpp: # 650| v0_35(void) = NoOp : # 642| v0_36(void) = ReturnVoid : # 642| v0_37(void) = UnmodeledUse : mu* -# 642| v0_38(void) = ExitFunction : +# 642| v0_38(void) = AliasedUse : ~mu0_2 +# 642| v0_39(void) = ExitFunction : # 652| void C::MethodCalls() # 652| Block 0 @@ -2900,7 +2971,7 @@ ir.cpp: # 653| r0_6(int) = Constant[0] : # 653| r0_7(int) = Call : func:r0_5, this:r0_4, 0:r0_6 # 653| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 -# 653| v0_9(void) = ^IndirectReadSideEffect[-1] : &:r0_4, ~mu0_2 +# 653| v0_9(void) = ^BufferReadSideEffect[-1] : &:r0_4, ~mu0_2 # 653| mu0_10(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_4 # 654| r0_11(C *) = CopyValue : r0_3 # 654| r0_12(glval) = CopyValue : r0_11 @@ -2908,19 +2979,20 @@ ir.cpp: # 654| r0_14(int) = Constant[1] : # 654| r0_15(int) = Call : func:r0_13, this:r0_12, 0:r0_14 # 654| mu0_16(unknown) = ^CallSideEffect : ~mu0_2 -# 654| v0_17(void) = ^IndirectReadSideEffect[-1] : &:r0_12, ~mu0_2 +# 654| v0_17(void) = ^BufferReadSideEffect[-1] : &:r0_12, ~mu0_2 # 654| mu0_18(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_12 #-----| r0_19(C *) = CopyValue : r0_3 # 655| r0_20(glval) = FunctionAddress[InstanceMemberFunction] : # 655| r0_21(int) = Constant[2] : # 655| r0_22(int) = Call : func:r0_20, this:r0_19, 0:r0_21 # 655| mu0_23(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_24(void) = ^IndirectReadSideEffect[-1] : &:r0_19, ~mu0_2 +#-----| v0_24(void) = ^BufferReadSideEffect[-1] : &:r0_19, ~mu0_2 #-----| mu0_25(C) = ^IndirectMayWriteSideEffect[-1] : &:r0_19 # 656| v0_26(void) = NoOp : # 652| v0_27(void) = ReturnVoid : # 652| v0_28(void) = UnmodeledUse : mu* -# 652| v0_29(void) = ExitFunction : +# 652| v0_29(void) = AliasedUse : ~mu0_2 +# 652| v0_30(void) = ExitFunction : # 658| void C::C() # 658| Block 0 @@ -2947,12 +3019,13 @@ ir.cpp: # 662| r0_20(char *) = Convert : r0_19 # 662| v0_21(void) = Call : func:r0_18, this:r0_17, 0:r0_20 # 662| mu0_22(unknown) = ^CallSideEffect : ~mu0_2 -# 662| v0_23(void) = ^IndirectReadSideEffect[0] : &:r0_20, ~mu0_2 +# 662| v0_23(void) = ^BufferReadSideEffect[0] : &:r0_20, ~mu0_2 # 662| mu0_24(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_20 # 664| v0_25(void) = NoOp : # 658| v0_26(void) = ReturnVoid : # 658| v0_27(void) = UnmodeledUse : mu* -# 658| v0_28(void) = ExitFunction : +# 658| v0_28(void) = AliasedUse : ~mu0_2 +# 658| v0_29(void) = ExitFunction : # 675| int DerefReference(int&) # 675| Block 0 @@ -2969,7 +3042,8 @@ ir.cpp: # 675| r0_10(glval) = VariableAddress[#return] : # 675| v0_11(void) = ReturnValue : &:r0_10, ~mu0_2 # 675| v0_12(void) = UnmodeledUse : mu* -# 675| v0_13(void) = ExitFunction : +# 675| v0_13(void) = AliasedUse : ~mu0_2 +# 675| v0_14(void) = ExitFunction : # 679| int& TakeReference() # 679| Block 0 @@ -2983,7 +3057,8 @@ ir.cpp: # 679| r0_7(glval) = VariableAddress[#return] : # 679| v0_8(void) = ReturnValue : &:r0_7, ~mu0_2 # 679| v0_9(void) = UnmodeledUse : mu* -# 679| v0_10(void) = ExitFunction : +# 679| v0_10(void) = AliasedUse : ~mu0_2 +# 679| v0_11(void) = ExitFunction : # 685| void InitReference(int) # 685| Block 0 @@ -3013,7 +3088,8 @@ ir.cpp: # 689| v0_23(void) = NoOp : # 685| v0_24(void) = ReturnVoid : # 685| v0_25(void) = UnmodeledUse : mu* -# 685| v0_26(void) = ExitFunction : +# 685| v0_26(void) = AliasedUse : ~mu0_2 +# 685| v0_27(void) = ExitFunction : # 691| void ArrayReferences() # 691| Block 0 @@ -3038,7 +3114,8 @@ ir.cpp: # 695| v0_18(void) = NoOp : # 691| v0_19(void) = ReturnVoid : # 691| v0_20(void) = UnmodeledUse : mu* -# 691| v0_21(void) = ExitFunction : +# 691| v0_21(void) = AliasedUse : ~mu0_2 +# 691| v0_22(void) = ExitFunction : # 697| void FunctionReferences() # 697| Block 0 @@ -3063,7 +3140,8 @@ ir.cpp: # 701| v0_18(void) = NoOp : # 697| v0_19(void) = ReturnVoid : # 697| v0_20(void) = UnmodeledUse : mu* -# 697| v0_21(void) = ExitFunction : +# 697| v0_21(void) = AliasedUse : ~mu0_2 +# 697| v0_22(void) = ExitFunction : # 704| int min(int, int) # 704| Block 0 @@ -3105,7 +3183,8 @@ ir.cpp: # 704| r3_3(glval) = VariableAddress[#return] : # 704| v3_4(void) = ReturnValue : &:r3_3, ~mu0_2 # 704| v3_5(void) = UnmodeledUse : mu* -# 704| v3_6(void) = ExitFunction : +# 704| v3_6(void) = AliasedUse : ~mu0_2 +# 704| v3_7(void) = ExitFunction : # 708| int CallMin(int, int) # 708| Block 0 @@ -3128,7 +3207,8 @@ ir.cpp: # 708| r0_16(glval) = VariableAddress[#return] : # 708| v0_17(void) = ReturnValue : &:r0_16, ~mu0_2 # 708| v0_18(void) = UnmodeledUse : mu* -# 708| v0_19(void) = ExitFunction : +# 708| v0_19(void) = AliasedUse : ~mu0_2 +# 708| v0_20(void) = ExitFunction : # 715| long Outer::Func(void*, char) # 715| Block 0 @@ -3145,7 +3225,8 @@ ir.cpp: # 715| r0_10(glval) = VariableAddress[#return] : # 715| v0_11(void) = ReturnValue : &:r0_10, ~mu0_2 # 715| v0_12(void) = UnmodeledUse : mu* -# 715| v0_13(void) = ExitFunction : +# 715| v0_13(void) = AliasedUse : ~mu0_2 +# 715| v0_14(void) = ExitFunction : # 720| double CallNestedTemplateFunc() # 720| Block 0 @@ -3158,14 +3239,15 @@ ir.cpp: # 721| r0_6(char) = Constant[111] : # 721| r0_7(long) = Call : func:r0_4, 0:r0_5, 1:r0_6 # 721| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 -# 721| v0_9(void) = ^IndirectReadSideEffect[0] : &:r0_5, ~mu0_2 +# 721| v0_9(void) = ^BufferReadSideEffect[0] : &:r0_5, ~mu0_2 # 721| mu0_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_5 # 721| r0_11(double) = Convert : r0_7 # 721| mu0_12(double) = Store : &:r0_3, r0_11 # 720| r0_13(glval) = VariableAddress[#return] : # 720| v0_14(void) = ReturnValue : &:r0_13, ~mu0_2 # 720| v0_15(void) = UnmodeledUse : mu* -# 720| v0_16(void) = ExitFunction : +# 720| v0_16(void) = AliasedUse : ~mu0_2 +# 720| v0_17(void) = ExitFunction : # 724| void TryCatch(bool) # 724| Block 0 @@ -3185,7 +3267,8 @@ ir.cpp: # 724| Block 1 # 724| v1_0(void) = UnmodeledUse : mu* -# 724| v1_1(void) = ExitFunction : +# 724| v1_1(void) = AliasedUse : ~mu0_2 +# 724| v1_2(void) = ExitFunction : # 724| Block 2 # 724| v2_0(void) = Unwind : @@ -3232,7 +3315,7 @@ ir.cpp: # 731| r7_3(char *) = Convert : r7_2 # 731| v7_4(void) = Call : func:r7_1, this:r7_0, 0:r7_3 # 731| mu7_5(unknown) = ^CallSideEffect : ~mu0_2 -# 731| v7_6(void) = ^IndirectReadSideEffect[0] : &:r7_3, ~mu0_2 +# 731| v7_6(void) = ^BufferReadSideEffect[0] : &:r7_3, ~mu0_2 # 731| mu7_7(unknown) = ^BufferMayWriteSideEffect[0] : &:r7_3 # 731| v7_8(void) = ThrowValue : &:r7_0, ~mu0_2 #-----| Exception -> Block 9 @@ -3257,7 +3340,7 @@ ir.cpp: # 736| r10_5(char *) = Load : &:r10_4, ~mu0_2 # 736| v10_6(void) = Call : func:r10_3, this:r10_2, 0:r10_5 # 736| mu10_7(unknown) = ^CallSideEffect : ~mu0_2 -# 736| v10_8(void) = ^IndirectReadSideEffect[0] : &:r10_5, ~mu0_2 +# 736| v10_8(void) = ^BufferReadSideEffect[0] : &:r10_5, ~mu0_2 # 736| mu10_9(unknown) = ^BufferMayWriteSideEffect[0] : &:r10_5 # 736| v10_10(void) = ThrowValue : &:r10_2, ~mu0_2 #-----| Exception -> Block 2 @@ -3302,8 +3385,8 @@ ir.cpp: #-----| r0_14(String &) = CopyValue : r0_13 # 745| r0_15(String &) = Call : func:r0_9, this:r0_8, 0:r0_14 # 745| mu0_16(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_17(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2 -#-----| v0_18(void) = ^IndirectReadSideEffect[0] : &:r0_14, ~mu0_2 +#-----| v0_17(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2 +#-----| v0_18(void) = ^BufferReadSideEffect[0] : &:r0_14, ~mu0_2 #-----| mu0_19(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8 #-----| mu0_20(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_14 #-----| r0_21(glval) = CopyValue : r0_15 @@ -3315,7 +3398,8 @@ ir.cpp: # 745| r0_27(glval) = VariableAddress[#return] : # 745| v0_28(void) = ReturnValue : &:r0_27, ~mu0_2 # 745| v0_29(void) = UnmodeledUse : mu* -# 745| v0_30(void) = ExitFunction : +# 745| v0_30(void) = AliasedUse : ~mu0_2 +# 745| v0_31(void) = ExitFunction : # 745| void Base::Base(Base const&) # 745| Block 0 @@ -3332,7 +3416,8 @@ ir.cpp: # 745| v0_10(void) = NoOp : # 745| v0_11(void) = ReturnVoid : # 745| v0_12(void) = UnmodeledUse : mu* -# 745| v0_13(void) = ExitFunction : +# 745| v0_13(void) = AliasedUse : ~mu0_2 +# 745| v0_14(void) = ExitFunction : # 748| void Base::Base() # 748| Block 0 @@ -3347,7 +3432,8 @@ ir.cpp: # 749| v0_8(void) = NoOp : # 748| v0_9(void) = ReturnVoid : # 748| v0_10(void) = UnmodeledUse : mu* -# 748| v0_11(void) = ExitFunction : +# 748| v0_11(void) = AliasedUse : ~mu0_2 +# 748| v0_12(void) = ExitFunction : # 750| void Base::~Base() # 750| Block 0 @@ -3362,7 +3448,8 @@ ir.cpp: # 751| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 # 750| v0_9(void) = ReturnVoid : # 750| v0_10(void) = UnmodeledUse : mu* -# 750| v0_11(void) = ExitFunction : +# 750| v0_11(void) = AliasedUse : ~mu0_2 +# 750| v0_12(void) = ExitFunction : # 754| Middle& Middle::operator=(Middle const&) # 754| Block 0 @@ -3384,8 +3471,8 @@ ir.cpp: #-----| r0_15(Base &) = CopyValue : r0_14 # 754| r0_16(Base &) = Call : func:r0_8, this:r0_7, 0:r0_15 # 754| mu0_17(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_18(void) = ^IndirectReadSideEffect[-1] : &:r0_7, ~mu0_2 -#-----| v0_19(void) = ^IndirectReadSideEffect[0] : &:r0_15, ~mu0_2 +#-----| v0_18(void) = ^BufferReadSideEffect[-1] : &:r0_7, ~mu0_2 +#-----| v0_19(void) = ^BufferReadSideEffect[0] : &:r0_15, ~mu0_2 #-----| mu0_20(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_7 #-----| mu0_21(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_15 #-----| r0_22(glval) = CopyValue : r0_16 @@ -3400,8 +3487,8 @@ ir.cpp: #-----| r0_31(String &) = CopyValue : r0_30 # 754| r0_32(String &) = Call : func:r0_26, this:r0_25, 0:r0_31 # 754| mu0_33(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_34(void) = ^IndirectReadSideEffect[-1] : &:r0_25, ~mu0_2 -#-----| v0_35(void) = ^IndirectReadSideEffect[0] : &:r0_31, ~mu0_2 +#-----| v0_34(void) = ^BufferReadSideEffect[-1] : &:r0_25, ~mu0_2 +#-----| v0_35(void) = ^BufferReadSideEffect[0] : &:r0_31, ~mu0_2 #-----| mu0_36(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_25 #-----| mu0_37(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_31 #-----| r0_38(glval) = CopyValue : r0_32 @@ -3413,7 +3500,8 @@ ir.cpp: # 754| r0_44(glval) = VariableAddress[#return] : # 754| v0_45(void) = ReturnValue : &:r0_44, ~mu0_2 # 754| v0_46(void) = UnmodeledUse : mu* -# 754| v0_47(void) = ExitFunction : +# 754| v0_47(void) = AliasedUse : ~mu0_2 +# 754| v0_48(void) = ExitFunction : # 757| void Middle::Middle() # 757| Block 0 @@ -3432,7 +3520,8 @@ ir.cpp: # 758| v0_12(void) = NoOp : # 757| v0_13(void) = ReturnVoid : # 757| v0_14(void) = UnmodeledUse : mu* -# 757| v0_15(void) = ExitFunction : +# 757| v0_15(void) = AliasedUse : ~mu0_2 +# 757| v0_16(void) = ExitFunction : # 759| void Middle::~Middle() # 759| Block 0 @@ -3451,7 +3540,8 @@ ir.cpp: # 760| mu0_12(unknown) = ^CallSideEffect : ~mu0_2 # 759| v0_13(void) = ReturnVoid : # 759| v0_14(void) = UnmodeledUse : mu* -# 759| v0_15(void) = ExitFunction : +# 759| v0_15(void) = AliasedUse : ~mu0_2 +# 759| v0_16(void) = ExitFunction : # 763| Derived& Derived::operator=(Derived const&) # 763| Block 0 @@ -3473,8 +3563,8 @@ ir.cpp: #-----| r0_15(Middle &) = CopyValue : r0_14 # 763| r0_16(Middle &) = Call : func:r0_8, this:r0_7, 0:r0_15 # 763| mu0_17(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_18(void) = ^IndirectReadSideEffect[-1] : &:r0_7, ~mu0_2 -#-----| v0_19(void) = ^IndirectReadSideEffect[0] : &:r0_15, ~mu0_2 +#-----| v0_18(void) = ^BufferReadSideEffect[-1] : &:r0_7, ~mu0_2 +#-----| v0_19(void) = ^BufferReadSideEffect[0] : &:r0_15, ~mu0_2 #-----| mu0_20(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_7 #-----| mu0_21(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_15 #-----| r0_22(glval) = CopyValue : r0_16 @@ -3489,8 +3579,8 @@ ir.cpp: #-----| r0_31(String &) = CopyValue : r0_30 # 763| r0_32(String &) = Call : func:r0_26, this:r0_25, 0:r0_31 # 763| mu0_33(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_34(void) = ^IndirectReadSideEffect[-1] : &:r0_25, ~mu0_2 -#-----| v0_35(void) = ^IndirectReadSideEffect[0] : &:r0_31, ~mu0_2 +#-----| v0_34(void) = ^BufferReadSideEffect[-1] : &:r0_25, ~mu0_2 +#-----| v0_35(void) = ^BufferReadSideEffect[0] : &:r0_31, ~mu0_2 #-----| mu0_36(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_25 #-----| mu0_37(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_31 #-----| r0_38(glval) = CopyValue : r0_32 @@ -3502,7 +3592,8 @@ ir.cpp: # 763| r0_44(glval) = VariableAddress[#return] : # 763| v0_45(void) = ReturnValue : &:r0_44, ~mu0_2 # 763| v0_46(void) = UnmodeledUse : mu* -# 763| v0_47(void) = ExitFunction : +# 763| v0_47(void) = AliasedUse : ~mu0_2 +# 763| v0_48(void) = ExitFunction : # 766| void Derived::Derived() # 766| Block 0 @@ -3521,7 +3612,8 @@ ir.cpp: # 767| v0_12(void) = NoOp : # 766| v0_13(void) = ReturnVoid : # 766| v0_14(void) = UnmodeledUse : mu* -# 766| v0_15(void) = ExitFunction : +# 766| v0_15(void) = AliasedUse : ~mu0_2 +# 766| v0_16(void) = ExitFunction : # 768| void Derived::~Derived() # 768| Block 0 @@ -3540,7 +3632,8 @@ ir.cpp: # 769| mu0_12(unknown) = ^CallSideEffect : ~mu0_2 # 768| v0_13(void) = ReturnVoid : # 768| v0_14(void) = UnmodeledUse : mu* -# 768| v0_15(void) = ExitFunction : +# 768| v0_15(void) = AliasedUse : ~mu0_2 +# 768| v0_16(void) = ExitFunction : # 775| void MiddleVB1::MiddleVB1() # 775| Block 0 @@ -3559,7 +3652,8 @@ ir.cpp: # 776| v0_12(void) = NoOp : # 775| v0_13(void) = ReturnVoid : # 775| v0_14(void) = UnmodeledUse : mu* -# 775| v0_15(void) = ExitFunction : +# 775| v0_15(void) = AliasedUse : ~mu0_2 +# 775| v0_16(void) = ExitFunction : # 777| void MiddleVB1::~MiddleVB1() # 777| Block 0 @@ -3578,7 +3672,8 @@ ir.cpp: # 778| mu0_12(unknown) = ^CallSideEffect : ~mu0_2 # 777| v0_13(void) = ReturnVoid : # 777| v0_14(void) = UnmodeledUse : mu* -# 777| v0_15(void) = ExitFunction : +# 777| v0_15(void) = AliasedUse : ~mu0_2 +# 777| v0_16(void) = ExitFunction : # 784| void MiddleVB2::MiddleVB2() # 784| Block 0 @@ -3597,7 +3692,8 @@ ir.cpp: # 785| v0_12(void) = NoOp : # 784| v0_13(void) = ReturnVoid : # 784| v0_14(void) = UnmodeledUse : mu* -# 784| v0_15(void) = ExitFunction : +# 784| v0_15(void) = AliasedUse : ~mu0_2 +# 784| v0_16(void) = ExitFunction : # 786| void MiddleVB2::~MiddleVB2() # 786| Block 0 @@ -3616,7 +3712,8 @@ ir.cpp: # 787| mu0_12(unknown) = ^CallSideEffect : ~mu0_2 # 786| v0_13(void) = ReturnVoid : # 786| v0_14(void) = UnmodeledUse : mu* -# 786| v0_15(void) = ExitFunction : +# 786| v0_15(void) = AliasedUse : ~mu0_2 +# 786| v0_16(void) = ExitFunction : # 793| void DerivedVB::DerivedVB() # 793| Block 0 @@ -3643,7 +3740,8 @@ ir.cpp: # 794| v0_20(void) = NoOp : # 793| v0_21(void) = ReturnVoid : # 793| v0_22(void) = UnmodeledUse : mu* -# 793| v0_23(void) = ExitFunction : +# 793| v0_23(void) = AliasedUse : ~mu0_2 +# 793| v0_24(void) = ExitFunction : # 795| void DerivedVB::~DerivedVB() # 795| Block 0 @@ -3670,7 +3768,8 @@ ir.cpp: # 796| mu0_20(unknown) = ^CallSideEffect : ~mu0_2 # 795| v0_21(void) = ReturnVoid : # 795| v0_22(void) = UnmodeledUse : mu* -# 795| v0_23(void) = ExitFunction : +# 795| v0_23(void) = AliasedUse : ~mu0_2 +# 795| v0_24(void) = ExitFunction : # 799| void HierarchyConversions() # 799| Block 0 @@ -3708,8 +3807,8 @@ ir.cpp: # 808| r0_31(Base &) = CopyValue : r0_30 # 808| r0_32(Base &) = Call : func:r0_28, this:r0_27, 0:r0_31 # 808| mu0_33(unknown) = ^CallSideEffect : ~mu0_2 -# 808| v0_34(void) = ^IndirectReadSideEffect[-1] : &:r0_27, ~mu0_2 -# 808| v0_35(void) = ^IndirectReadSideEffect[0] : &:r0_31, ~mu0_2 +# 808| v0_34(void) = ^BufferReadSideEffect[-1] : &:r0_27, ~mu0_2 +# 808| v0_35(void) = ^BufferReadSideEffect[0] : &:r0_31, ~mu0_2 # 808| mu0_36(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_27 # 808| mu0_37(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_31 # 808| r0_38(glval) = CopyValue : r0_32 @@ -3721,14 +3820,14 @@ ir.cpp: # 809| r0_44(Base &) = CopyValue : r0_43 # 809| v0_45(void) = Call : func:r0_41, 0:r0_44 # 809| mu0_46(unknown) = ^CallSideEffect : ~mu0_2 -# 809| v0_47(void) = ^IndirectReadSideEffect[0] : &:r0_44, ~mu0_2 +# 809| v0_47(void) = ^BufferReadSideEffect[0] : &:r0_44, ~mu0_2 # 809| mu0_48(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_44 # 809| r0_49(glval) = Convert : v0_45 # 809| r0_50(Base &) = CopyValue : r0_49 # 809| r0_51(Base &) = Call : func:r0_40, this:r0_39, 0:r0_50 # 809| mu0_52(unknown) = ^CallSideEffect : ~mu0_2 -# 809| v0_53(void) = ^IndirectReadSideEffect[-1] : &:r0_39, ~mu0_2 -# 809| v0_54(void) = ^IndirectReadSideEffect[0] : &:r0_50, ~mu0_2 +# 809| v0_53(void) = ^BufferReadSideEffect[-1] : &:r0_39, ~mu0_2 +# 809| v0_54(void) = ^BufferReadSideEffect[0] : &:r0_50, ~mu0_2 # 809| mu0_55(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_39 # 809| mu0_56(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_50 # 809| r0_57(glval) = CopyValue : r0_51 @@ -3740,14 +3839,14 @@ ir.cpp: # 810| r0_63(Base &) = CopyValue : r0_62 # 810| v0_64(void) = Call : func:r0_60, 0:r0_63 # 810| mu0_65(unknown) = ^CallSideEffect : ~mu0_2 -# 810| v0_66(void) = ^IndirectReadSideEffect[0] : &:r0_63, ~mu0_2 +# 810| v0_66(void) = ^BufferReadSideEffect[0] : &:r0_63, ~mu0_2 # 810| mu0_67(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_63 # 810| r0_68(glval) = Convert : v0_64 # 810| r0_69(Base &) = CopyValue : r0_68 # 810| r0_70(Base &) = Call : func:r0_59, this:r0_58, 0:r0_69 # 810| mu0_71(unknown) = ^CallSideEffect : ~mu0_2 -# 810| v0_72(void) = ^IndirectReadSideEffect[-1] : &:r0_58, ~mu0_2 -# 810| v0_73(void) = ^IndirectReadSideEffect[0] : &:r0_69, ~mu0_2 +# 810| v0_72(void) = ^BufferReadSideEffect[-1] : &:r0_58, ~mu0_2 +# 810| v0_73(void) = ^BufferReadSideEffect[0] : &:r0_69, ~mu0_2 # 810| mu0_74(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_58 # 810| mu0_75(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_69 # 810| r0_76(glval) = CopyValue : r0_70 @@ -3779,8 +3878,8 @@ ir.cpp: # 816| r0_102(Middle &) = CopyValue : r0_101 # 816| r0_103(Middle &) = Call : func:r0_98, this:r0_97, 0:r0_102 # 816| mu0_104(unknown) = ^CallSideEffect : ~mu0_2 -# 816| v0_105(void) = ^IndirectReadSideEffect[-1] : &:r0_97, ~mu0_2 -# 816| v0_106(void) = ^IndirectReadSideEffect[0] : &:r0_102, ~mu0_2 +# 816| v0_105(void) = ^BufferReadSideEffect[-1] : &:r0_97, ~mu0_2 +# 816| v0_106(void) = ^BufferReadSideEffect[0] : &:r0_102, ~mu0_2 # 816| mu0_107(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_97 # 816| mu0_108(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_102 # 816| r0_109(glval) = CopyValue : r0_103 @@ -3792,8 +3891,8 @@ ir.cpp: # 817| r0_115(Middle &) = CopyValue : r0_114 # 817| r0_116(Middle &) = Call : func:r0_111, this:r0_110, 0:r0_115 # 817| mu0_117(unknown) = ^CallSideEffect : ~mu0_2 -# 817| v0_118(void) = ^IndirectReadSideEffect[-1] : &:r0_110, ~mu0_2 -# 817| v0_119(void) = ^IndirectReadSideEffect[0] : &:r0_115, ~mu0_2 +# 817| v0_118(void) = ^BufferReadSideEffect[-1] : &:r0_110, ~mu0_2 +# 817| v0_119(void) = ^BufferReadSideEffect[0] : &:r0_115, ~mu0_2 # 817| mu0_120(Middle) = ^IndirectMayWriteSideEffect[-1] : &:r0_110 # 817| mu0_121(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_115 # 817| r0_122(glval) = CopyValue : r0_116 @@ -3820,8 +3919,8 @@ ir.cpp: # 822| r0_143(Base &) = CopyValue : r0_142 # 822| r0_144(Base &) = Call : func:r0_139, this:r0_138, 0:r0_143 # 822| mu0_145(unknown) = ^CallSideEffect : ~mu0_2 -# 822| v0_146(void) = ^IndirectReadSideEffect[-1] : &:r0_138, ~mu0_2 -# 822| v0_147(void) = ^IndirectReadSideEffect[0] : &:r0_143, ~mu0_2 +# 822| v0_146(void) = ^BufferReadSideEffect[-1] : &:r0_138, ~mu0_2 +# 822| v0_147(void) = ^BufferReadSideEffect[0] : &:r0_143, ~mu0_2 # 822| mu0_148(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_138 # 822| mu0_149(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_143 # 822| r0_150(glval) = CopyValue : r0_144 @@ -3834,14 +3933,14 @@ ir.cpp: # 823| r0_157(Base &) = CopyValue : r0_156 # 823| v0_158(void) = Call : func:r0_153, 0:r0_157 # 823| mu0_159(unknown) = ^CallSideEffect : ~mu0_2 -# 823| v0_160(void) = ^IndirectReadSideEffect[0] : &:r0_157, ~mu0_2 +# 823| v0_160(void) = ^BufferReadSideEffect[0] : &:r0_157, ~mu0_2 # 823| mu0_161(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_157 # 823| r0_162(glval) = Convert : v0_158 # 823| r0_163(Base &) = CopyValue : r0_162 # 823| r0_164(Base &) = Call : func:r0_152, this:r0_151, 0:r0_163 # 823| mu0_165(unknown) = ^CallSideEffect : ~mu0_2 -# 823| v0_166(void) = ^IndirectReadSideEffect[-1] : &:r0_151, ~mu0_2 -# 823| v0_167(void) = ^IndirectReadSideEffect[0] : &:r0_163, ~mu0_2 +# 823| v0_166(void) = ^BufferReadSideEffect[-1] : &:r0_151, ~mu0_2 +# 823| v0_167(void) = ^BufferReadSideEffect[0] : &:r0_163, ~mu0_2 # 823| mu0_168(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_151 # 823| mu0_169(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_163 # 823| r0_170(glval) = CopyValue : r0_164 @@ -3854,14 +3953,14 @@ ir.cpp: # 824| r0_177(Base &) = CopyValue : r0_176 # 824| v0_178(void) = Call : func:r0_173, 0:r0_177 # 824| mu0_179(unknown) = ^CallSideEffect : ~mu0_2 -# 824| v0_180(void) = ^IndirectReadSideEffect[0] : &:r0_177, ~mu0_2 +# 824| v0_180(void) = ^BufferReadSideEffect[0] : &:r0_177, ~mu0_2 # 824| mu0_181(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_177 # 824| r0_182(glval) = Convert : v0_178 # 824| r0_183(Base &) = CopyValue : r0_182 # 824| r0_184(Base &) = Call : func:r0_172, this:r0_171, 0:r0_183 # 824| mu0_185(unknown) = ^CallSideEffect : ~mu0_2 -# 824| v0_186(void) = ^IndirectReadSideEffect[-1] : &:r0_171, ~mu0_2 -# 824| v0_187(void) = ^IndirectReadSideEffect[0] : &:r0_183, ~mu0_2 +# 824| v0_186(void) = ^BufferReadSideEffect[-1] : &:r0_171, ~mu0_2 +# 824| v0_187(void) = ^BufferReadSideEffect[0] : &:r0_183, ~mu0_2 # 824| mu0_188(Base) = ^IndirectMayWriteSideEffect[-1] : &:r0_171 # 824| mu0_189(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_183 # 824| r0_190(glval) = CopyValue : r0_184 @@ -3897,8 +3996,8 @@ ir.cpp: # 830| r0_220(Derived &) = CopyValue : r0_219 # 830| r0_221(Derived &) = Call : func:r0_215, this:r0_214, 0:r0_220 # 830| mu0_222(unknown) = ^CallSideEffect : ~mu0_2 -# 830| v0_223(void) = ^IndirectReadSideEffect[-1] : &:r0_214, ~mu0_2 -# 830| v0_224(void) = ^IndirectReadSideEffect[0] : &:r0_220, ~mu0_2 +# 830| v0_223(void) = ^BufferReadSideEffect[-1] : &:r0_214, ~mu0_2 +# 830| v0_224(void) = ^BufferReadSideEffect[0] : &:r0_220, ~mu0_2 # 830| mu0_225(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r0_214 # 830| mu0_226(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_220 # 830| r0_227(glval) = CopyValue : r0_221 @@ -3911,8 +4010,8 @@ ir.cpp: # 831| r0_234(Derived &) = CopyValue : r0_233 # 831| r0_235(Derived &) = Call : func:r0_229, this:r0_228, 0:r0_234 # 831| mu0_236(unknown) = ^CallSideEffect : ~mu0_2 -# 831| v0_237(void) = ^IndirectReadSideEffect[-1] : &:r0_228, ~mu0_2 -# 831| v0_238(void) = ^IndirectReadSideEffect[0] : &:r0_234, ~mu0_2 +# 831| v0_237(void) = ^BufferReadSideEffect[-1] : &:r0_228, ~mu0_2 +# 831| v0_238(void) = ^BufferReadSideEffect[0] : &:r0_234, ~mu0_2 # 831| mu0_239(Derived) = ^IndirectMayWriteSideEffect[-1] : &:r0_228 # 831| mu0_240(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_234 # 831| r0_241(glval) = CopyValue : r0_235 @@ -3952,7 +4051,8 @@ ir.cpp: # 840| v0_275(void) = NoOp : # 799| v0_276(void) = ReturnVoid : # 799| v0_277(void) = UnmodeledUse : mu* -# 799| v0_278(void) = ExitFunction : +# 799| v0_278(void) = AliasedUse : ~mu0_2 +# 799| v0_279(void) = ExitFunction : # 842| void PolymorphicBase::PolymorphicBase() # 842| Block 0 @@ -3963,7 +4063,8 @@ ir.cpp: # 842| v0_4(void) = NoOp : # 842| v0_5(void) = ReturnVoid : # 842| v0_6(void) = UnmodeledUse : mu* -# 842| v0_7(void) = ExitFunction : +# 842| v0_7(void) = AliasedUse : ~mu0_2 +# 842| v0_8(void) = ExitFunction : # 846| void PolymorphicDerived::PolymorphicDerived() # 846| Block 0 @@ -3978,7 +4079,8 @@ ir.cpp: # 846| v0_8(void) = NoOp : # 846| v0_9(void) = ReturnVoid : # 846| v0_10(void) = UnmodeledUse : mu* -# 846| v0_11(void) = ExitFunction : +# 846| v0_11(void) = AliasedUse : ~mu0_2 +# 846| v0_12(void) = ExitFunction : # 846| void PolymorphicDerived::~PolymorphicDerived() # 846| Block 0 @@ -3993,7 +4095,8 @@ ir.cpp: # 846| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 # 846| v0_9(void) = ReturnVoid : # 846| v0_10(void) = UnmodeledUse : mu* -# 846| v0_11(void) = ExitFunction : +# 846| v0_11(void) = AliasedUse : ~mu0_2 +# 846| v0_12(void) = ExitFunction : # 849| void DynamicCast() # 849| Block 0 @@ -4049,7 +4152,8 @@ ir.cpp: # 865| v0_49(void) = NoOp : # 849| v0_50(void) = ReturnVoid : # 849| v0_51(void) = UnmodeledUse : mu* -# 849| v0_52(void) = ExitFunction : +# 849| v0_52(void) = AliasedUse : ~mu0_2 +# 849| v0_53(void) = ExitFunction : # 867| void String::String() # 867| Block 0 @@ -4062,12 +4166,13 @@ ir.cpp: # 868| r0_6(char *) = Convert : r0_5 # 868| v0_7(void) = Call : func:r0_4, this:r0_3, 0:r0_6 # 868| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 -# 868| v0_9(void) = ^IndirectReadSideEffect[0] : &:r0_6, ~mu0_2 +# 868| v0_9(void) = ^BufferReadSideEffect[0] : &:r0_6, ~mu0_2 # 868| mu0_10(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_6 # 869| v0_11(void) = NoOp : # 867| v0_12(void) = ReturnVoid : # 867| v0_13(void) = UnmodeledUse : mu* -# 867| v0_14(void) = ExitFunction : +# 867| v0_14(void) = AliasedUse : ~mu0_2 +# 867| v0_15(void) = ExitFunction : # 871| void ArrayConversions() # 871| Block 0 @@ -4120,7 +4225,8 @@ ir.cpp: # 881| v0_46(void) = NoOp : # 871| v0_47(void) = ReturnVoid : # 871| v0_48(void) = UnmodeledUse : mu* -# 871| v0_49(void) = ExitFunction : +# 871| v0_49(void) = AliasedUse : ~mu0_2 +# 871| v0_50(void) = ExitFunction : # 883| void FuncPtrConversions(int(*)(int), void*) # 883| Block 0 @@ -4144,7 +4250,8 @@ ir.cpp: # 886| v0_17(void) = NoOp : # 883| v0_18(void) = ReturnVoid : # 883| v0_19(void) = UnmodeledUse : mu* -# 883| v0_20(void) = ExitFunction : +# 883| v0_20(void) = AliasedUse : ~mu0_2 +# 883| v0_21(void) = ExitFunction : # 888| void VarArgUsage(int) # 888| Block 0 @@ -4188,7 +4295,8 @@ ir.cpp: # 898| v0_37(void) = NoOp : # 888| v0_38(void) = ReturnVoid : # 888| v0_39(void) = UnmodeledUse : mu* -# 888| v0_40(void) = ExitFunction : +# 888| v0_40(void) = AliasedUse : ~mu0_2 +# 888| v0_41(void) = ExitFunction : # 900| void CastToVoid(int) # 900| Block 0 @@ -4202,7 +4310,8 @@ ir.cpp: # 902| v0_7(void) = NoOp : # 900| v0_8(void) = ReturnVoid : # 900| v0_9(void) = UnmodeledUse : mu* -# 900| v0_10(void) = ExitFunction : +# 900| v0_10(void) = AliasedUse : ~mu0_2 +# 900| v0_11(void) = ExitFunction : # 904| void ConstantConditions(int) # 904| Block 0 @@ -4227,7 +4336,8 @@ ir.cpp: # 907| v1_3(void) = NoOp : # 904| v1_4(void) = ReturnVoid : # 904| v1_5(void) = UnmodeledUse : mu* -# 904| v1_6(void) = ExitFunction : +# 904| v1_6(void) = AliasedUse : ~mu0_2 +# 904| v1_7(void) = ExitFunction : # 906| Block 2 # 906| r2_0(glval) = VariableAddress[x] : @@ -4285,7 +4395,7 @@ ir.cpp: # 945| r0_37(char *) = Convert : r0_36 # 945| v0_38(void) = Call : func:r0_35, this:r0_34, 0:r0_37 # 945| mu0_39(unknown) = ^CallSideEffect : ~mu0_2 -# 945| v0_40(void) = ^IndirectReadSideEffect[0] : &:r0_37, ~mu0_2 +# 945| v0_40(void) = ^BufferReadSideEffect[0] : &:r0_37, ~mu0_2 # 945| mu0_41(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_37 # 946| r0_42(glval) = FunctionAddress[operator new] : # 946| r0_43(unsigned long) = Constant[256] : @@ -4305,7 +4415,8 @@ ir.cpp: # 948| v0_57(void) = NoOp : # 940| v0_58(void) = ReturnVoid : # 940| v0_59(void) = UnmodeledUse : mu* -# 940| v0_60(void) = ExitFunction : +# 940| v0_60(void) = AliasedUse : ~mu0_2 +# 940| v0_61(void) = ExitFunction : # 950| void OperatorNewArray(int) # 950| Block 0 @@ -4385,7 +4496,8 @@ ir.cpp: # 959| v0_73(void) = NoOp : # 950| v0_74(void) = ReturnVoid : # 950| v0_75(void) = UnmodeledUse : mu* -# 950| v0_76(void) = ExitFunction : +# 950| v0_76(void) = AliasedUse : ~mu0_2 +# 950| v0_77(void) = ExitFunction : # 961| int designatedInit() # 961| Block 0 @@ -4424,7 +4536,8 @@ ir.cpp: # 961| r0_32(glval) = VariableAddress[#return] : # 961| v0_33(void) = ReturnValue : &:r0_32, ~mu0_2 # 961| v0_34(void) = UnmodeledUse : mu* -# 961| v0_35(void) = ExitFunction : +# 961| v0_35(void) = AliasedUse : ~mu0_2 +# 961| v0_36(void) = ExitFunction : # 966| void IfStmtWithDeclaration(int, int) # 966| Block 0 @@ -4504,7 +4617,8 @@ ir.cpp: # 976| v6_0(void) = NoOp : # 966| v6_1(void) = ReturnVoid : # 966| v6_2(void) = UnmodeledUse : mu* -# 966| v6_3(void) = ExitFunction : +# 966| v6_3(void) = AliasedUse : ~mu0_2 +# 966| v6_4(void) = ExitFunction : # 978| void WhileStmtWithDeclaration(int, int) # 978| Block 0 @@ -4564,7 +4678,8 @@ ir.cpp: # 985| v6_0(void) = NoOp : # 978| v6_1(void) = ReturnVoid : # 978| v6_2(void) = UnmodeledUse : mu* -# 978| v6_3(void) = ExitFunction : +# 978| v6_3(void) = AliasedUse : ~mu0_2 +# 978| v6_4(void) = ExitFunction : # 979| Block 7 # 979| r7_0(glval) = VariableAddress[b] : @@ -4606,7 +4721,8 @@ ir.cpp: # 987| r0_20(glval) = VariableAddress[#return] : # 987| v0_21(void) = ReturnValue : &:r0_20, ~mu0_2 # 987| v0_22(void) = UnmodeledUse : mu* -# 987| v0_23(void) = ExitFunction : +# 987| v0_23(void) = AliasedUse : ~mu0_2 +# 987| v0_24(void) = ExitFunction : # 991| int ExprStmt(int, int, int) # 991| Block 0 @@ -4657,7 +4773,8 @@ ir.cpp: # 991| r3_9(glval) = VariableAddress[#return] : # 991| v3_10(void) = ReturnValue : &:r3_9, ~mu0_2 # 991| v3_11(void) = UnmodeledUse : mu* -# 991| v3_12(void) = ExitFunction : +# 991| v3_12(void) = AliasedUse : ~mu0_2 +# 991| v3_13(void) = ExitFunction : # 1006| void OperatorDelete() # 1006| Block 0 @@ -4677,7 +4794,8 @@ ir.cpp: # 1012| v0_13(void) = NoOp : # 1006| v0_14(void) = ReturnVoid : # 1006| v0_15(void) = UnmodeledUse : mu* -# 1006| v0_16(void) = ExitFunction : +# 1006| v0_16(void) = AliasedUse : ~mu0_2 +# 1006| v0_17(void) = ExitFunction : # 1015| void OperatorDeleteArray() # 1015| Block 0 @@ -4697,7 +4815,8 @@ ir.cpp: # 1021| v0_13(void) = NoOp : # 1015| v0_14(void) = ReturnVoid : # 1015| v0_15(void) = UnmodeledUse : mu* -# 1015| v0_16(void) = ExitFunction : +# 1015| v0_16(void) = AliasedUse : ~mu0_2 +# 1015| v0_17(void) = ExitFunction : # 1025| void EmptyStructInit() # 1025| Block 0 @@ -4709,7 +4828,8 @@ ir.cpp: # 1027| v0_5(void) = NoOp : # 1025| v0_6(void) = ReturnVoid : # 1025| v0_7(void) = UnmodeledUse : mu* -# 1025| v0_8(void) = ExitFunction : +# 1025| v0_8(void) = AliasedUse : ~mu0_2 +# 1025| v0_9(void) = ExitFunction : # 1029| void (lambda [] type at line 1029, col. 12)::(constructor)((lambda [] type at line 1029, col. 12)&&) # 1029| Block 0 @@ -4722,7 +4842,8 @@ ir.cpp: # 1029| v0_6(void) = NoOp : # 1029| v0_7(void) = ReturnVoid : # 1029| v0_8(void) = UnmodeledUse : mu* -# 1029| v0_9(void) = ExitFunction : +# 1029| v0_9(void) = AliasedUse : ~mu0_2 +# 1029| v0_10(void) = ExitFunction : # 1029| void (lambda [] type at line 1029, col. 12)::operator()() const # 1029| Block 0 @@ -4733,7 +4854,8 @@ ir.cpp: # 1029| v0_4(void) = NoOp : # 1029| v0_5(void) = ReturnVoid : # 1029| v0_6(void) = UnmodeledUse : mu* -# 1029| v0_7(void) = ExitFunction : +# 1029| v0_7(void) = AliasedUse : ~mu0_2 +# 1029| v0_8(void) = ExitFunction : # 1029| void(* (lambda [] type at line 1029, col. 12)::operator void (*)()() const)() # 1029| Block 0 @@ -4742,12 +4864,13 @@ ir.cpp: # 1029| mu0_2(unknown) = UnmodeledDefinition : # 1029| r0_3(glval) = InitializeThis : # 1029| r0_4(glval<..(*)(..)>) = VariableAddress[#return] : -# 1029| r0_5(glval<..(*)(..)>) = FunctionAddress[_FUN] : +# 1029| r0_5(..(*)(..)) = FunctionAddress[_FUN] : # 1029| mu0_6(..(*)(..)) = Store : &:r0_4, r0_5 # 1029| r0_7(glval<..(*)(..)>) = VariableAddress[#return] : # 1029| v0_8(void) = ReturnValue : &:r0_7, ~mu0_2 # 1029| v0_9(void) = UnmodeledUse : mu* -# 1029| v0_10(void) = ExitFunction : +# 1029| v0_10(void) = AliasedUse : ~mu0_2 +# 1029| v0_11(void) = ExitFunction : # 1031| void Lambda(int, String const&) # 1031| Block 0 @@ -4785,7 +4908,7 @@ ir.cpp: # 1035| r0_31(float) = Constant[1.0] : # 1035| r0_32(char) = Call : func:r0_30, this:r0_29, 0:r0_31 # 1035| mu0_33(unknown) = ^CallSideEffect : ~mu0_2 -# 1035| v0_34(void) = ^IndirectReadSideEffect[-1] : &:r0_29, ~mu0_2 +# 1035| v0_34(void) = ^BufferReadSideEffect[-1] : &:r0_29, ~mu0_2 # 1035| mu0_35(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_29 # 1036| r0_36(glval) = VariableAddress[lambda_val] : # 1036| r0_37(glval) = FunctionAddress[(constructor)] : @@ -4803,7 +4926,7 @@ ir.cpp: # 1036| r0_49(lambda [] type at line 1036, col. 21 &) = CopyValue : r0_48 # 1036| v0_50(void) = Call : func:r0_37, this:r0_36, 0:r0_49 # 1036| mu0_51(unknown) = ^CallSideEffect : ~mu0_2 -# 1036| v0_52(void) = ^IndirectReadSideEffect[0] : &:r0_49, ~mu0_2 +# 1036| v0_52(void) = ^BufferReadSideEffect[0] : &:r0_49, ~mu0_2 # 1036| mu0_53(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_49 # 1037| r0_54(glval) = VariableAddress[lambda_val] : # 1037| r0_55(glval) = Convert : r0_54 @@ -4811,7 +4934,7 @@ ir.cpp: # 1037| r0_57(float) = Constant[2.0] : # 1037| r0_58(char) = Call : func:r0_56, this:r0_55, 0:r0_57 # 1037| mu0_59(unknown) = ^CallSideEffect : ~mu0_2 -# 1037| v0_60(void) = ^IndirectReadSideEffect[-1] : &:r0_55, ~mu0_2 +# 1037| v0_60(void) = ^BufferReadSideEffect[-1] : &:r0_55, ~mu0_2 # 1037| mu0_61(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_55 # 1038| r0_62(glval) = VariableAddress[lambda_ref_explicit] : # 1038| r0_63(glval) = VariableAddress[#temp1038:30] : @@ -4830,7 +4953,7 @@ ir.cpp: # 1039| r0_76(float) = Constant[3.0] : # 1039| r0_77(char) = Call : func:r0_75, this:r0_74, 0:r0_76 # 1039| mu0_78(unknown) = ^CallSideEffect : ~mu0_2 -# 1039| v0_79(void) = ^IndirectReadSideEffect[-1] : &:r0_74, ~mu0_2 +# 1039| v0_79(void) = ^BufferReadSideEffect[-1] : &:r0_74, ~mu0_2 # 1039| mu0_80(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_74 # 1040| r0_81(glval) = VariableAddress[lambda_val_explicit] : # 1040| r0_82(glval) = FunctionAddress[(constructor)] : @@ -4844,7 +4967,7 @@ ir.cpp: # 1040| r0_90(lambda [] type at line 1040, col. 30 &) = CopyValue : r0_89 # 1040| v0_91(void) = Call : func:r0_82, this:r0_81, 0:r0_90 # 1040| mu0_92(unknown) = ^CallSideEffect : ~mu0_2 -# 1040| v0_93(void) = ^IndirectReadSideEffect[0] : &:r0_90, ~mu0_2 +# 1040| v0_93(void) = ^BufferReadSideEffect[0] : &:r0_90, ~mu0_2 # 1040| mu0_94(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_90 # 1041| r0_95(glval) = VariableAddress[lambda_val_explicit] : # 1041| r0_96(glval) = Convert : r0_95 @@ -4852,7 +4975,7 @@ ir.cpp: # 1041| r0_98(float) = Constant[4.0] : # 1041| r0_99(char) = Call : func:r0_97, this:r0_96, 0:r0_98 # 1041| mu0_100(unknown) = ^CallSideEffect : ~mu0_2 -# 1041| v0_101(void) = ^IndirectReadSideEffect[-1] : &:r0_96, ~mu0_2 +# 1041| v0_101(void) = ^BufferReadSideEffect[-1] : &:r0_96, ~mu0_2 # 1041| mu0_102(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_96 # 1042| r0_103(glval) = VariableAddress[lambda_mixed_explicit] : # 1042| r0_104(glval) = VariableAddress[#temp1042:32] : @@ -4875,7 +4998,7 @@ ir.cpp: # 1043| r0_121(float) = Constant[5.0] : # 1043| r0_122(char) = Call : func:r0_120, this:r0_119, 0:r0_121 # 1043| mu0_123(unknown) = ^CallSideEffect : ~mu0_2 -# 1043| v0_124(void) = ^IndirectReadSideEffect[-1] : &:r0_119, ~mu0_2 +# 1043| v0_124(void) = ^BufferReadSideEffect[-1] : &:r0_119, ~mu0_2 # 1043| mu0_125(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_119 # 1044| r0_126(glval) = VariableAddress[r] : # 1044| r0_127(glval) = VariableAddress[x] : @@ -4914,12 +5037,13 @@ ir.cpp: # 1046| r0_160(float) = Constant[6.0] : # 1046| r0_161(char) = Call : func:r0_159, this:r0_158, 0:r0_160 # 1046| mu0_162(unknown) = ^CallSideEffect : ~mu0_2 -# 1046| v0_163(void) = ^IndirectReadSideEffect[-1] : &:r0_158, ~mu0_2 +# 1046| v0_163(void) = ^BufferReadSideEffect[-1] : &:r0_158, ~mu0_2 # 1046| mu0_164(decltype([...](...){...})) = ^IndirectMayWriteSideEffect[-1] : &:r0_158 # 1047| v0_165(void) = NoOp : # 1031| v0_166(void) = ReturnVoid : # 1031| v0_167(void) = UnmodeledUse : mu* -# 1031| v0_168(void) = ExitFunction : +# 1031| v0_168(void) = AliasedUse : ~mu0_2 +# 1031| v0_169(void) = ExitFunction : # 1032| void (void Lambda(int, String const&))::(lambda [] type at line 1032, col. 23)::(constructor)((void Lambda(int, String const&))::(lambda [] type at line 1032, col. 23)&&) # 1032| Block 0 @@ -4932,7 +5056,8 @@ ir.cpp: # 1032| v0_6(void) = NoOp : # 1032| v0_7(void) = ReturnVoid : # 1032| v0_8(void) = UnmodeledUse : mu* -# 1032| v0_9(void) = ExitFunction : +# 1032| v0_9(void) = AliasedUse : ~mu0_2 +# 1032| v0_10(void) = ExitFunction : # 1032| char (void Lambda(int, String const&))::(lambda [] type at line 1032, col. 23)::operator()(float) const # 1032| Block 0 @@ -4948,7 +5073,8 @@ ir.cpp: # 1032| r0_9(glval) = VariableAddress[#return] : # 1032| v0_10(void) = ReturnValue : &:r0_9, ~mu0_2 # 1032| v0_11(void) = UnmodeledUse : mu* -# 1032| v0_12(void) = ExitFunction : +# 1032| v0_12(void) = AliasedUse : ~mu0_2 +# 1032| v0_13(void) = ExitFunction : # 1032| char(* (void Lambda(int, String const&))::(lambda [] type at line 1032, col. 23)::operator char (*)(float)() const)(float) # 1032| Block 0 @@ -4957,12 +5083,13 @@ ir.cpp: # 1032| mu0_2(unknown) = UnmodeledDefinition : # 1032| r0_3(glval) = InitializeThis : # 1032| r0_4(glval<..(*)(..)>) = VariableAddress[#return] : -# 1032| r0_5(glval<..(*)(..)>) = FunctionAddress[_FUN] : +# 1032| r0_5(..(*)(..)) = FunctionAddress[_FUN] : # 1032| mu0_6(..(*)(..)) = Store : &:r0_4, r0_5 # 1032| r0_7(glval<..(*)(..)>) = VariableAddress[#return] : # 1032| v0_8(void) = ReturnValue : &:r0_7, ~mu0_2 # 1032| v0_9(void) = UnmodeledUse : mu* -# 1032| v0_10(void) = ExitFunction : +# 1032| v0_10(void) = AliasedUse : ~mu0_2 +# 1032| v0_11(void) = ExitFunction : # 1034| char (void Lambda(int, String const&))::(lambda [] type at line 1034, col. 21)::operator()(float) const # 1034| Block 0 @@ -4980,7 +5107,7 @@ ir.cpp: # 1034| r0_11(glval) = FunctionAddress[c_str] : # 1034| r0_12(char *) = Call : func:r0_11, this:r0_10 # 1034| mu0_13(unknown) = ^CallSideEffect : ~mu0_2 -# 1034| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_10, ~mu0_2 +# 1034| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2 # 1034| mu0_15(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_10 #-----| r0_16(lambda [] type at line 1034, col. 21 *) = CopyValue : r0_3 #-----| r0_17(glval) = FieldAddress[x] : r0_16 @@ -4992,7 +5119,8 @@ ir.cpp: # 1034| r0_23(glval) = VariableAddress[#return] : # 1034| v0_24(void) = ReturnValue : &:r0_23, ~mu0_2 # 1034| v0_25(void) = UnmodeledUse : mu* -# 1034| v0_26(void) = ExitFunction : +# 1034| v0_26(void) = AliasedUse : ~mu0_2 +# 1034| v0_27(void) = ExitFunction : # 1036| void (void Lambda(int, String const&))::(lambda [] type at line 1036, col. 21)::~() # 1036| Block 0 @@ -5007,7 +5135,8 @@ ir.cpp: # 1036| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 # 1036| v0_9(void) = ReturnVoid : # 1036| v0_10(void) = UnmodeledUse : mu* -# 1036| v0_11(void) = ExitFunction : +# 1036| v0_11(void) = AliasedUse : ~mu0_2 +# 1036| v0_12(void) = ExitFunction : # 1036| char (void Lambda(int, String const&))::(lambda [] type at line 1036, col. 21)::operator()(float) const # 1036| Block 0 @@ -5023,7 +5152,7 @@ ir.cpp: # 1036| r0_9(glval) = FunctionAddress[c_str] : # 1036| r0_10(char *) = Call : func:r0_9, this:r0_8 # 1036| mu0_11(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_12(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2 +#-----| v0_12(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2 #-----| mu0_13(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8 #-----| r0_14(lambda [] type at line 1036, col. 21 *) = CopyValue : r0_3 #-----| r0_15(glval) = FieldAddress[x] : r0_14 @@ -5034,7 +5163,8 @@ ir.cpp: # 1036| r0_20(glval) = VariableAddress[#return] : # 1036| v0_21(void) = ReturnValue : &:r0_20, ~mu0_2 # 1036| v0_22(void) = UnmodeledUse : mu* -# 1036| v0_23(void) = ExitFunction : +# 1036| v0_23(void) = AliasedUse : ~mu0_2 +# 1036| v0_24(void) = ExitFunction : # 1038| char (void Lambda(int, String const&))::(lambda [] type at line 1038, col. 30)::operator()(float) const # 1038| Block 0 @@ -5052,7 +5182,7 @@ ir.cpp: # 1038| r0_11(glval) = FunctionAddress[c_str] : # 1038| r0_12(char *) = Call : func:r0_11, this:r0_10 # 1038| mu0_13(unknown) = ^CallSideEffect : ~mu0_2 -# 1038| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_10, ~mu0_2 +# 1038| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2 # 1038| mu0_15(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_10 # 1038| r0_16(int) = Constant[0] : # 1038| r0_17(glval) = PointerAdd[1] : r0_12, r0_16 @@ -5061,7 +5191,8 @@ ir.cpp: # 1038| r0_20(glval) = VariableAddress[#return] : # 1038| v0_21(void) = ReturnValue : &:r0_20, ~mu0_2 # 1038| v0_22(void) = UnmodeledUse : mu* -# 1038| v0_23(void) = ExitFunction : +# 1038| v0_23(void) = AliasedUse : ~mu0_2 +# 1038| v0_24(void) = ExitFunction : # 1040| void (void Lambda(int, String const&))::(lambda [] type at line 1040, col. 30)::(constructor)((void Lambda(int, String const&))::(lambda [] type at line 1040, col. 30)&&) # 1040| Block 0 @@ -5078,7 +5209,8 @@ ir.cpp: # 1040| v0_10(void) = NoOp : # 1040| v0_11(void) = ReturnVoid : # 1040| v0_12(void) = UnmodeledUse : mu* -# 1040| v0_13(void) = ExitFunction : +# 1040| v0_13(void) = AliasedUse : ~mu0_2 +# 1040| v0_14(void) = ExitFunction : # 1040| void (void Lambda(int, String const&))::(lambda [] type at line 1040, col. 30)::~() # 1040| Block 0 @@ -5093,7 +5225,8 @@ ir.cpp: # 1040| mu0_8(unknown) = ^CallSideEffect : ~mu0_2 # 1040| v0_9(void) = ReturnVoid : # 1040| v0_10(void) = UnmodeledUse : mu* -# 1040| v0_11(void) = ExitFunction : +# 1040| v0_11(void) = AliasedUse : ~mu0_2 +# 1040| v0_12(void) = ExitFunction : # 1040| char (void Lambda(int, String const&))::(lambda [] type at line 1040, col. 30)::operator()(float) const # 1040| Block 0 @@ -5109,7 +5242,7 @@ ir.cpp: # 1040| r0_9(glval) = FunctionAddress[c_str] : # 1040| r0_10(char *) = Call : func:r0_9, this:r0_8 # 1040| mu0_11(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_12(void) = ^IndirectReadSideEffect[-1] : &:r0_8, ~mu0_2 +#-----| v0_12(void) = ^BufferReadSideEffect[-1] : &:r0_8, ~mu0_2 #-----| mu0_13(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_8 # 1040| r0_14(int) = Constant[0] : # 1040| r0_15(glval) = PointerAdd[1] : r0_10, r0_14 @@ -5118,7 +5251,8 @@ ir.cpp: # 1040| r0_18(glval) = VariableAddress[#return] : # 1040| v0_19(void) = ReturnValue : &:r0_18, ~mu0_2 # 1040| v0_20(void) = UnmodeledUse : mu* -# 1040| v0_21(void) = ExitFunction : +# 1040| v0_21(void) = AliasedUse : ~mu0_2 +# 1040| v0_22(void) = ExitFunction : # 1042| char (void Lambda(int, String const&))::(lambda [] type at line 1042, col. 32)::operator()(float) const # 1042| Block 0 @@ -5136,7 +5270,7 @@ ir.cpp: # 1042| r0_11(glval) = FunctionAddress[c_str] : # 1042| r0_12(char *) = Call : func:r0_11, this:r0_10 # 1042| mu0_13(unknown) = ^CallSideEffect : ~mu0_2 -# 1042| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_10, ~mu0_2 +# 1042| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2 # 1042| mu0_15(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_10 #-----| r0_16(lambda [] type at line 1042, col. 32 *) = CopyValue : r0_3 #-----| r0_17(glval) = FieldAddress[x] : r0_16 @@ -5147,7 +5281,8 @@ ir.cpp: # 1042| r0_22(glval) = VariableAddress[#return] : # 1042| v0_23(void) = ReturnValue : &:r0_22, ~mu0_2 # 1042| v0_24(void) = UnmodeledUse : mu* -# 1042| v0_25(void) = ExitFunction : +# 1042| v0_25(void) = AliasedUse : ~mu0_2 +# 1042| v0_26(void) = ExitFunction : # 1045| char (void Lambda(int, String const&))::(lambda [] type at line 1045, col. 23)::operator()(float) const # 1045| Block 0 @@ -5165,7 +5300,7 @@ ir.cpp: # 1045| r0_11(glval) = FunctionAddress[c_str] : # 1045| r0_12(char *) = Call : func:r0_11, this:r0_10 # 1045| mu0_13(unknown) = ^CallSideEffect : ~mu0_2 -# 1045| v0_14(void) = ^IndirectReadSideEffect[-1] : &:r0_10, ~mu0_2 +# 1045| v0_14(void) = ^BufferReadSideEffect[-1] : &:r0_10, ~mu0_2 # 1045| mu0_15(String) = ^IndirectMayWriteSideEffect[-1] : &:r0_10 #-----| r0_16(lambda [] type at line 1045, col. 23 *) = CopyValue : r0_3 #-----| r0_17(glval) = FieldAddress[x] : r0_16 @@ -5185,7 +5320,8 @@ ir.cpp: # 1045| r0_31(glval) = VariableAddress[#return] : # 1045| v0_32(void) = ReturnValue : &:r0_31, ~mu0_2 # 1045| v0_33(void) = UnmodeledUse : mu* -# 1045| v0_34(void) = ExitFunction : +# 1045| v0_34(void) = AliasedUse : ~mu0_2 +# 1045| v0_35(void) = ExitFunction : # 1068| void RangeBasedFor(vector const&) # 1068| Block 0 @@ -5207,7 +5343,7 @@ ir.cpp: # 1069| r0_15(glval) = FunctionAddress[begin] : # 1069| r0_16(iterator) = Call : func:r0_15, this:r0_14 # 1069| mu0_17(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_18(void) = ^IndirectReadSideEffect[-1] : &:r0_14, ~mu0_2 +#-----| v0_18(void) = ^BufferReadSideEffect[-1] : &:r0_14, ~mu0_2 #-----| mu0_19(vector) = ^IndirectMayWriteSideEffect[-1] : &:r0_14 # 1069| mu0_20(iterator) = Store : &:r0_11, r0_16 # 1069| r0_21(glval) = VariableAddress[(__end)] : @@ -5217,7 +5353,7 @@ ir.cpp: # 1069| r0_25(glval) = FunctionAddress[end] : # 1069| r0_26(iterator) = Call : func:r0_25, this:r0_24 # 1069| mu0_27(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v0_28(void) = ^IndirectReadSideEffect[-1] : &:r0_24, ~mu0_2 +#-----| v0_28(void) = ^BufferReadSideEffect[-1] : &:r0_24, ~mu0_2 #-----| mu0_29(vector) = ^IndirectMayWriteSideEffect[-1] : &:r0_24 # 1069| mu0_30(iterator) = Store : &:r0_21, r0_26 #-----| Goto -> Block 6 @@ -5230,7 +5366,7 @@ ir.cpp: #-----| r1_4(iterator) = Load : &:r1_3, ~mu0_2 # 1075| r1_5(bool) = Call : func:r1_2, this:r1_1, 0:r1_4 # 1075| mu1_6(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v1_7(void) = ^IndirectReadSideEffect[-1] : &:r1_1, ~mu0_2 +#-----| v1_7(void) = ^BufferReadSideEffect[-1] : &:r1_1, ~mu0_2 #-----| mu1_8(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r1_1 # 1075| v1_9(void) = ConditionalBranch : r1_5 #-----| False -> Block 5 @@ -5241,7 +5377,7 @@ ir.cpp: # 1075| r2_1(glval) = FunctionAddress[operator++] : # 1075| r2_2(iterator &) = Call : func:r2_1, this:r2_0 # 1075| mu2_3(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v2_4(void) = ^IndirectReadSideEffect[-1] : &:r2_0, ~mu0_2 +#-----| v2_4(void) = ^BufferReadSideEffect[-1] : &:r2_0, ~mu0_2 #-----| mu2_5(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r2_0 # 1075| r2_6(glval) = CopyValue : r2_2 #-----| Goto (back edge) -> Block 1 @@ -5253,7 +5389,7 @@ ir.cpp: # 1075| r3_3(glval) = FunctionAddress[operator*] : # 1075| r3_4(int &) = Call : func:r3_3, this:r3_2 # 1075| mu3_5(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v3_6(void) = ^IndirectReadSideEffect[-1] : &:r3_2, ~mu0_2 +#-----| v3_6(void) = ^BufferReadSideEffect[-1] : &:r3_2, ~mu0_2 #-----| mu3_7(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r3_2 # 1075| r3_8(glval) = CopyValue : r3_4 # 1075| r3_9(glval) = Convert : r3_8 @@ -5277,7 +5413,8 @@ ir.cpp: # 1080| v5_1(void) = NoOp : # 1068| v5_2(void) = ReturnVoid : # 1068| v5_3(void) = UnmodeledUse : mu* -# 1068| v5_4(void) = ExitFunction : +# 1068| v5_4(void) = AliasedUse : ~mu0_2 +# 1068| v5_5(void) = ExitFunction : #-----| Block 6 #-----| r6_0(glval) = VariableAddress[(__begin)] : @@ -5287,7 +5424,7 @@ ir.cpp: #-----| r6_4(iterator) = Load : &:r6_3, ~mu0_2 # 1069| r6_5(bool) = Call : func:r6_2, this:r6_1, 0:r6_4 # 1069| mu6_6(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v6_7(void) = ^IndirectReadSideEffect[-1] : &:r6_1, ~mu0_2 +#-----| v6_7(void) = ^BufferReadSideEffect[-1] : &:r6_1, ~mu0_2 #-----| mu6_8(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r6_1 # 1069| v6_9(void) = ConditionalBranch : r6_5 #-----| False -> Block 10 @@ -5300,7 +5437,7 @@ ir.cpp: # 1069| r7_3(glval) = FunctionAddress[operator*] : # 1069| r7_4(int &) = Call : func:r7_3, this:r7_2 # 1069| mu7_5(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v7_6(void) = ^IndirectReadSideEffect[-1] : &:r7_2, ~mu0_2 +#-----| v7_6(void) = ^BufferReadSideEffect[-1] : &:r7_2, ~mu0_2 #-----| mu7_7(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r7_2 # 1069| r7_8(int) = Load : &:r7_4, ~mu0_2 # 1069| mu7_9(int) = Store : &:r7_0, r7_8 @@ -5322,7 +5459,7 @@ ir.cpp: # 1069| r9_2(glval) = FunctionAddress[operator++] : # 1069| r9_3(iterator &) = Call : func:r9_2, this:r9_1 # 1069| mu9_4(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v9_5(void) = ^IndirectReadSideEffect[-1] : &:r9_1, ~mu0_2 +#-----| v9_5(void) = ^BufferReadSideEffect[-1] : &:r9_1, ~mu0_2 #-----| mu9_6(iterator) = ^IndirectMayWriteSideEffect[-1] : &:r9_1 # 1069| r9_7(glval) = CopyValue : r9_3 #-----| Goto (back edge) -> Block 6 @@ -5341,7 +5478,7 @@ ir.cpp: # 1075| r10_10(glval) = FunctionAddress[begin] : # 1075| r10_11(iterator) = Call : func:r10_10, this:r10_9 # 1075| mu10_12(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v10_13(void) = ^IndirectReadSideEffect[-1] : &:r10_9, ~mu0_2 +#-----| v10_13(void) = ^BufferReadSideEffect[-1] : &:r10_9, ~mu0_2 #-----| mu10_14(vector) = ^IndirectMayWriteSideEffect[-1] : &:r10_9 # 1075| mu10_15(iterator) = Store : &:r10_6, r10_11 # 1075| r10_16(glval) = VariableAddress[(__end)] : @@ -5351,7 +5488,7 @@ ir.cpp: # 1075| r10_20(glval) = FunctionAddress[end] : # 1075| r10_21(iterator) = Call : func:r10_20, this:r10_19 # 1075| mu10_22(unknown) = ^CallSideEffect : ~mu0_2 -#-----| v10_23(void) = ^IndirectReadSideEffect[-1] : &:r10_19, ~mu0_2 +#-----| v10_23(void) = ^BufferReadSideEffect[-1] : &:r10_19, ~mu0_2 #-----| mu10_24(vector) = ^IndirectMayWriteSideEffect[-1] : &:r10_19 # 1075| mu10_25(iterator) = Store : &:r10_16, r10_21 #-----| Goto -> Block 1 @@ -5371,30 +5508,37 @@ ir.cpp: # 1099| r0_10(glval) = VariableAddress[#return] : # 1099| v0_11(void) = ReturnValue : &:r0_10, ~mu0_2 # 1099| v0_12(void) = UnmodeledUse : mu* -# 1099| v0_13(void) = ExitFunction : +# 1099| v0_13(void) = AliasedUse : ~mu0_2 +# 1099| v0_14(void) = ExitFunction : -# 1104| void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&) +# 1104| void AsmStmtWithOutputs(unsigned int&, unsigned int, unsigned int&, unsigned int) # 1104| Block 0 # 1104| v0_0(void) = EnterFunction : # 1104| mu0_1(unknown) = AliasedDefinition : # 1104| mu0_2(unknown) = UnmodeledDefinition : # 1104| r0_3(glval) = VariableAddress[a] : # 1104| mu0_4(unsigned int &) = InitializeParameter[a] : &:r0_3 -# 1104| r0_5(glval) = VariableAddress[b] : -# 1104| mu0_6(unsigned int &) = InitializeParameter[b] : &:r0_5 +# 1104| r0_5(glval) = VariableAddress[b] : +# 1104| mu0_6(unsigned int) = InitializeParameter[b] : &:r0_5 # 1104| r0_7(glval) = VariableAddress[c] : # 1104| mu0_8(unsigned int &) = InitializeParameter[c] : &:r0_7 -# 1104| r0_9(glval) = VariableAddress[d] : -# 1104| mu0_10(unsigned int &) = InitializeParameter[d] : &:r0_9 -# 1106| r0_11(glval) = VariableAddress[a] : -# 1106| r0_12(glval) = VariableAddress[b] : -# 1106| r0_13(glval) = VariableAddress[c] : -# 1106| r0_14(glval) = VariableAddress[d] : -# 1106| mu0_15(unknown) = InlineAsm : ~mu0_2, 0:r0_11, 1:r0_12, 2:r0_13, 3:r0_14 -# 1111| v0_16(void) = NoOp : -# 1104| v0_17(void) = ReturnVoid : -# 1104| v0_18(void) = UnmodeledUse : mu* -# 1104| v0_19(void) = ExitFunction : +# 1104| r0_9(glval) = VariableAddress[d] : +# 1104| mu0_10(unsigned int) = InitializeParameter[d] : &:r0_9 +# 1109| r0_11(glval) = VariableAddress[a] : +# 1109| r0_12(unsigned int &) = Load : &:r0_11, ~mu0_2 +# 1109| r0_13(glval) = CopyValue : r0_12 +# 1109| r0_14(glval) = VariableAddress[b] : +# 1109| r0_15(glval) = VariableAddress[c] : +# 1109| r0_16(unsigned int &) = Load : &:r0_15, ~mu0_2 +# 1109| r0_17(unsigned int) = Load : &:r0_16, ~mu0_2 +# 1109| r0_18(glval) = VariableAddress[d] : +# 1109| r0_19(unsigned int) = Load : &:r0_18, ~mu0_2 +# 1106| mu0_20(unknown) = InlineAsm : ~mu0_2, 0:r0_13, 1:r0_14, 2:r0_17, 3:r0_19 +# 1111| v0_21(void) = NoOp : +# 1104| v0_22(void) = ReturnVoid : +# 1104| v0_23(void) = UnmodeledUse : mu* +# 1104| v0_24(void) = AliasedUse : ~mu0_2 +# 1104| v0_25(void) = ExitFunction : # 1113| void ExternDeclarations() # 1113| Block 0 @@ -5410,7 +5554,8 @@ ir.cpp: # 1120| v0_9(void) = NoOp : # 1113| v0_10(void) = ReturnVoid : # 1113| v0_11(void) = UnmodeledUse : mu* -# 1113| v0_12(void) = ExitFunction : +# 1113| v0_12(void) = AliasedUse : ~mu0_2 +# 1113| v0_13(void) = ExitFunction : # 1128| void ExternDeclarationsInMacro() # 1128| Block 0 @@ -5444,7 +5589,8 @@ ir.cpp: # 1131| v3_1(void) = NoOp : # 1128| v3_2(void) = ReturnVoid : # 1128| v3_3(void) = UnmodeledUse : mu* -# 1128| v3_4(void) = ExitFunction : +# 1128| v3_4(void) = AliasedUse : ~mu0_2 +# 1128| v3_5(void) = ExitFunction : # 1133| void TryCatchNoCatchAny(bool) # 1133| Block 0 @@ -5464,7 +5610,8 @@ ir.cpp: # 1133| Block 1 # 1133| v1_0(void) = UnmodeledUse : mu* -# 1133| v1_1(void) = ExitFunction : +# 1133| v1_1(void) = AliasedUse : ~mu0_2 +# 1133| v1_2(void) = ExitFunction : # 1133| Block 2 # 1133| v2_0(void) = Unwind : @@ -5511,7 +5658,7 @@ ir.cpp: # 1140| r7_3(char *) = Convert : r7_2 # 1140| v7_4(void) = Call : func:r7_1, this:r7_0, 0:r7_3 # 1140| mu7_5(unknown) = ^CallSideEffect : ~mu0_2 -# 1140| v7_6(void) = ^IndirectReadSideEffect[0] : &:r7_3, ~mu0_2 +# 1140| v7_6(void) = ^BufferReadSideEffect[0] : &:r7_3, ~mu0_2 # 1140| mu7_7(unknown) = ^BufferMayWriteSideEffect[0] : &:r7_3 # 1140| v7_8(void) = ThrowValue : &:r7_0, ~mu0_2 #-----| Exception -> Block 9 @@ -5536,7 +5683,7 @@ ir.cpp: # 1145| r10_5(char *) = Load : &:r10_4, ~mu0_2 # 1145| v10_6(void) = Call : func:r10_3, this:r10_2, 0:r10_5 # 1145| mu10_7(unknown) = ^CallSideEffect : ~mu0_2 -# 1145| v10_8(void) = ^IndirectReadSideEffect[0] : &:r10_5, ~mu0_2 +# 1145| v10_8(void) = ^BufferReadSideEffect[0] : &:r10_5, ~mu0_2 # 1145| mu10_9(unknown) = ^BufferMayWriteSideEffect[0] : &:r10_5 # 1145| v10_10(void) = ThrowValue : &:r10_2, ~mu0_2 #-----| Exception -> Block 2 @@ -5617,7 +5764,8 @@ ir.cpp: # 1159| v0_55(void) = NoOp : # 1153| v0_56(void) = ReturnVoid : # 1153| v0_57(void) = UnmodeledUse : mu* -# 1153| v0_58(void) = ExitFunction : +# 1153| v0_58(void) = AliasedUse : ~mu0_2 +# 1153| v0_59(void) = ExitFunction : # 1163| int ModeledCallTarget(int) # 1163| Block 0 @@ -5646,7 +5794,8 @@ ir.cpp: # 1163| r0_22(glval) = VariableAddress[#return] : # 1163| v0_23(void) = ReturnValue : &:r0_22, ~mu0_2 # 1163| v0_24(void) = UnmodeledUse : mu* -# 1163| v0_25(void) = ExitFunction : +# 1163| v0_25(void) = AliasedUse : ~mu0_2 +# 1163| v0_26(void) = ExitFunction : perf-regression.cpp: # 6| void Big::Big() @@ -5663,7 +5812,8 @@ perf-regression.cpp: # 6| v0_9(void) = NoOp : # 6| v0_10(void) = ReturnVoid : # 6| v0_11(void) = UnmodeledUse : mu* -# 6| v0_12(void) = ExitFunction : +# 6| v0_12(void) = AliasedUse : ~mu0_2 +# 6| v0_13(void) = ExitFunction : # 9| int main() # 9| Block 0 @@ -5686,4 +5836,5 @@ perf-regression.cpp: # 9| r0_16(glval) = VariableAddress[#return] : # 9| v0_17(void) = ReturnValue : &:r0_16, ~mu0_2 # 9| v0_18(void) = UnmodeledUse : mu* -# 9| v0_19(void) = ExitFunction : +# 9| v0_19(void) = AliasedUse : ~mu0_2 +# 9| v0_20(void) = ExitFunction : diff --git a/cpp/ql/test/library-tests/ir/ir/raw_sanity.expected b/cpp/ql/test/library-tests/ir/ir/raw_sanity.expected index 012ff53039b..928f535f9d8 100644 --- a/cpp/ql/test/library-tests/ir/ir/raw_sanity.expected +++ b/cpp/ql/test/library-tests/ir/ir/raw_sanity.expected @@ -14,3 +14,8 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected index 012ff53039b..928f535f9d8 100644 --- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected +++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected @@ -14,3 +14,8 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected index ff8c2b30a05..46f8cf19aea 100644 --- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected +++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected @@ -84,7 +84,8 @@ ssa.cpp: # 13| r6_12(glval) = VariableAddress[#return] : # 13| v6_13(void) = ReturnValue : &:r6_12, m6_11 # 13| v6_14(void) = UnmodeledUse : mu* -# 13| v6_15(void) = ExitFunction : +# 13| v6_15(void) = AliasedUse : ~m6_0 +# 13| v6_16(void) = ExitFunction : # 31| int UnreachableViaGoto() # 31| Block 0 @@ -99,7 +100,8 @@ ssa.cpp: # 31| r0_8(glval) = VariableAddress[#return] : # 31| v0_9(void) = ReturnValue : &:r0_8, m0_7 # 31| v0_10(void) = UnmodeledUse : mu* -# 31| v0_11(void) = ExitFunction : +# 31| v0_11(void) = AliasedUse : ~m0_1 +# 31| v0_12(void) = ExitFunction : # 38| int UnreachableIf(bool) # 38| Block 0 @@ -125,7 +127,8 @@ ssa.cpp: # 38| r1_1(glval) = VariableAddress[#return] : # 38| v1_2(void) = ReturnValue : &:r1_1, m1_0 # 38| v1_3(void) = UnmodeledUse : mu* -# 38| v1_4(void) = ExitFunction : +# 38| v1_4(void) = AliasedUse : ~m0_1 +# 38| v1_5(void) = ExitFunction : # 42| Block 2 # 42| r2_0(glval) = VariableAddress[x] : @@ -188,7 +191,8 @@ ssa.cpp: # 59| r1_4(glval) = VariableAddress[#return] : # 59| v1_5(void) = ReturnValue : &:r1_4, m1_3 # 59| v1_6(void) = UnmodeledUse : mu* -# 59| v1_7(void) = ExitFunction : +# 59| v1_7(void) = AliasedUse : ~m0_1 +# 59| v1_8(void) = ExitFunction : # 59| Block 2 # 59| v2_0(void) = Unreached : @@ -220,7 +224,8 @@ ssa.cpp: # 71| v2_0(void) = NoOp : # 68| v2_1(void) = ReturnVoid : # 68| v2_2(void) = UnmodeledUse : mu* -# 68| v2_3(void) = ExitFunction : +# 68| v2_3(void) = AliasedUse : ~m3_0 +# 68| v2_4(void) = ExitFunction : # 69| Block 3 # 69| m3_0(unknown) = Phi : from 0:~m0_1, from 1:~m1_8 @@ -292,7 +297,8 @@ ssa.cpp: # 89| v3_14(void) = NoOp : # 75| v3_15(void) = ReturnVoid : # 75| v3_16(void) = UnmodeledUse : mu* -# 75| v3_17(void) = ExitFunction : +# 75| v3_17(void) = AliasedUse : ~m0_1 +# 75| v3_18(void) = ExitFunction : # 91| void MustExactlyOverlap(Point) # 91| Block 0 @@ -308,7 +314,8 @@ ssa.cpp: # 93| v0_9(void) = NoOp : # 91| v0_10(void) = ReturnVoid : # 91| v0_11(void) = UnmodeledUse : mu* -# 91| v0_12(void) = ExitFunction : +# 91| v0_12(void) = AliasedUse : ~m0_1 +# 91| v0_13(void) = ExitFunction : # 95| void MustExactlyOverlapEscaped(Point) # 95| Block 0 @@ -329,13 +336,14 @@ ssa.cpp: # 97| v0_14(void) = Call : func:r0_10, 0:r0_13 # 97| m0_15(unknown) = ^CallSideEffect : ~m0_5 # 97| m0_16(unknown) = Chi : total:m0_5, partial:m0_15 -# 97| v0_17(void) = ^IndirectReadSideEffect[0] : &:r0_13, ~m0_16 +# 97| v0_17(void) = ^BufferReadSideEffect[0] : &:r0_13, ~m0_16 # 97| m0_18(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_13 # 97| m0_19(unknown) = Chi : total:m0_16, partial:m0_18 # 98| v0_20(void) = NoOp : # 95| v0_21(void) = ReturnVoid : # 95| v0_22(void) = UnmodeledUse : mu* -# 95| v0_23(void) = ExitFunction : +# 95| v0_23(void) = AliasedUse : ~m0_16 +# 95| v0_24(void) = ExitFunction : # 100| void MustTotallyOverlap(Point) # 100| Block 0 @@ -357,7 +365,8 @@ ssa.cpp: # 103| v0_15(void) = NoOp : # 100| v0_16(void) = ReturnVoid : # 100| v0_17(void) = UnmodeledUse : mu* -# 100| v0_18(void) = ExitFunction : +# 100| v0_18(void) = AliasedUse : ~m0_1 +# 100| v0_19(void) = ExitFunction : # 105| void MustTotallyOverlapEscaped(Point) # 105| Block 0 @@ -384,13 +393,14 @@ ssa.cpp: # 108| v0_20(void) = Call : func:r0_16, 0:r0_19 # 108| m0_21(unknown) = ^CallSideEffect : ~m0_5 # 108| m0_22(unknown) = Chi : total:m0_5, partial:m0_21 -# 108| v0_23(void) = ^IndirectReadSideEffect[0] : &:r0_19, ~m0_22 +# 108| v0_23(void) = ^BufferReadSideEffect[0] : &:r0_19, ~m0_22 # 108| m0_24(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_19 # 108| m0_25(unknown) = Chi : total:m0_22, partial:m0_24 # 109| v0_26(void) = NoOp : # 105| v0_27(void) = ReturnVoid : # 105| v0_28(void) = UnmodeledUse : mu* -# 105| v0_29(void) = ExitFunction : +# 105| v0_29(void) = AliasedUse : ~m0_22 +# 105| v0_30(void) = ExitFunction : # 111| void MayPartiallyOverlap(int, int) # 111| Block 0 @@ -420,7 +430,8 @@ ssa.cpp: # 114| v0_23(void) = NoOp : # 111| v0_24(void) = ReturnVoid : # 111| v0_25(void) = UnmodeledUse : mu* -# 111| v0_26(void) = ExitFunction : +# 111| v0_26(void) = AliasedUse : ~m0_1 +# 111| v0_27(void) = ExitFunction : # 116| void MayPartiallyOverlapEscaped(int, int) # 116| Block 0 @@ -455,13 +466,14 @@ ssa.cpp: # 119| v0_28(void) = Call : func:r0_24, 0:r0_27 # 119| m0_29(unknown) = ^CallSideEffect : ~m0_19 # 119| m0_30(unknown) = Chi : total:m0_19, partial:m0_29 -# 119| v0_31(void) = ^IndirectReadSideEffect[0] : &:r0_27, ~m0_30 +# 119| v0_31(void) = ^BufferReadSideEffect[0] : &:r0_27, ~m0_30 # 119| m0_32(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_27 # 119| m0_33(unknown) = Chi : total:m0_30, partial:m0_32 # 120| v0_34(void) = NoOp : # 116| v0_35(void) = ReturnVoid : # 116| v0_36(void) = UnmodeledUse : mu* -# 116| v0_37(void) = ExitFunction : +# 116| v0_37(void) = AliasedUse : ~m0_30 +# 116| v0_38(void) = ExitFunction : # 122| void MergeMustExactlyOverlap(bool, int, int) # 122| Block 0 @@ -523,7 +535,8 @@ ssa.cpp: # 132| v3_11(void) = NoOp : # 122| v3_12(void) = ReturnVoid : # 122| v3_13(void) = UnmodeledUse : mu* -# 122| v3_14(void) = ExitFunction : +# 122| v3_14(void) = AliasedUse : ~m0_1 +# 122| v3_15(void) = ExitFunction : # 134| void MergeMustExactlyWithMustTotallyOverlap(bool, Point, int) # 134| Block 0 @@ -579,7 +592,8 @@ ssa.cpp: # 143| v3_7(void) = NoOp : # 134| v3_8(void) = ReturnVoid : # 134| v3_9(void) = UnmodeledUse : mu* -# 134| v3_10(void) = ExitFunction : +# 134| v3_10(void) = AliasedUse : ~m0_1 +# 134| v3_11(void) = ExitFunction : # 145| void MergeMustExactlyWithMayPartiallyOverlap(bool, Point, int) # 145| Block 0 @@ -633,7 +647,8 @@ ssa.cpp: # 154| v3_5(void) = NoOp : # 145| v3_6(void) = ReturnVoid : # 145| v3_7(void) = UnmodeledUse : mu* -# 145| v3_8(void) = ExitFunction : +# 145| v3_8(void) = AliasedUse : ~m0_1 +# 145| v3_9(void) = ExitFunction : # 156| void MergeMustTotallyOverlapWithMayPartiallyOverlap(bool, Rect, int) # 156| Block 0 @@ -689,7 +704,8 @@ ssa.cpp: # 165| v3_6(void) = NoOp : # 156| v3_7(void) = ReturnVoid : # 156| v3_8(void) = UnmodeledUse : mu* -# 156| v3_9(void) = ExitFunction : +# 156| v3_9(void) = AliasedUse : ~m0_1 +# 156| v3_10(void) = ExitFunction : # 171| void WrapperStruct(Wrapper) # 171| Block 0 @@ -723,7 +739,8 @@ ssa.cpp: # 177| v0_27(void) = NoOp : # 171| v0_28(void) = ReturnVoid : # 171| v0_29(void) = UnmodeledUse : mu* -# 171| v0_30(void) = ExitFunction : +# 171| v0_30(void) = AliasedUse : ~m0_1 +# 171| v0_31(void) = ExitFunction : # 179| int AsmStmt(int*) # 179| Block 0 @@ -742,7 +759,8 @@ ssa.cpp: # 179| r0_12(glval) = VariableAddress[#return] : # 179| v0_13(void) = ReturnValue : &:r0_12, m0_11 # 179| v0_14(void) = UnmodeledUse : mu* -# 179| v0_15(void) = ExitFunction : +# 179| v0_15(void) = AliasedUse : ~m0_6 +# 179| v0_16(void) = ExitFunction : # 184| void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&) # 184| Block 0 @@ -751,26 +769,31 @@ ssa.cpp: # 184| mu0_2(unknown) = UnmodeledDefinition : # 184| r0_3(glval) = VariableAddress[a] : # 184| m0_4(unsigned int &) = InitializeParameter[a] : &:r0_3 -# 184| m0_5(unknown) = Chi : total:m0_1, partial:m0_4 -# 184| r0_6(glval) = VariableAddress[b] : -# 184| m0_7(unsigned int &) = InitializeParameter[b] : &:r0_6 -# 184| m0_8(unknown) = Chi : total:m0_5, partial:m0_7 -# 184| r0_9(glval) = VariableAddress[c] : -# 184| m0_10(unsigned int &) = InitializeParameter[c] : &:r0_9 -# 184| m0_11(unknown) = Chi : total:m0_8, partial:m0_10 -# 184| r0_12(glval) = VariableAddress[d] : -# 184| m0_13(unsigned int &) = InitializeParameter[d] : &:r0_12 -# 184| m0_14(unknown) = Chi : total:m0_11, partial:m0_13 -# 186| r0_15(glval) = VariableAddress[a] : -# 186| r0_16(glval) = VariableAddress[b] : -# 186| r0_17(glval) = VariableAddress[c] : -# 186| r0_18(glval) = VariableAddress[d] : -# 186| m0_19(unknown) = InlineAsm : ~mu0_2, 0:r0_15, 1:r0_16, 2:r0_17, 3:r0_18 -# 186| m0_20(unknown) = Chi : total:m0_14, partial:m0_19 -# 192| v0_21(void) = NoOp : -# 184| v0_22(void) = ReturnVoid : -# 184| v0_23(void) = UnmodeledUse : mu* -# 184| v0_24(void) = ExitFunction : +# 184| r0_5(glval) = VariableAddress[b] : +# 184| m0_6(unsigned int &) = InitializeParameter[b] : &:r0_5 +# 184| r0_7(glval) = VariableAddress[c] : +# 184| m0_8(unsigned int &) = InitializeParameter[c] : &:r0_7 +# 184| r0_9(glval) = VariableAddress[d] : +# 184| m0_10(unsigned int &) = InitializeParameter[d] : &:r0_9 +# 189| r0_11(glval) = VariableAddress[a] : +# 189| r0_12(unsigned int &) = Load : &:r0_11, m0_4 +# 189| r0_13(glval) = CopyValue : r0_12 +# 189| r0_14(glval) = VariableAddress[b] : +# 189| r0_15(unsigned int &) = Load : &:r0_14, m0_6 +# 189| r0_16(glval) = CopyValue : r0_15 +# 190| r0_17(glval) = VariableAddress[c] : +# 190| r0_18(unsigned int &) = Load : &:r0_17, m0_8 +# 190| r0_19(unsigned int) = Load : &:r0_18, ~m0_1 +# 190| r0_20(glval) = VariableAddress[d] : +# 190| r0_21(unsigned int &) = Load : &:r0_20, m0_10 +# 190| r0_22(unsigned int) = Load : &:r0_21, ~m0_1 +# 186| m0_23(unknown) = InlineAsm : ~mu0_2, 0:r0_13, 1:r0_16, 2:r0_19, 3:r0_22 +# 186| m0_24(unknown) = Chi : total:m0_1, partial:m0_23 +# 192| v0_25(void) = NoOp : +# 184| v0_26(void) = ReturnVoid : +# 184| v0_27(void) = UnmodeledUse : mu* +# 184| v0_28(void) = AliasedUse : ~m0_24 +# 184| v0_29(void) = ExitFunction : # 198| int PureFunctions(char*, char*, int) # 198| Block 0 @@ -819,7 +842,8 @@ ssa.cpp: # 198| r0_42(glval) = VariableAddress[#return] : # 198| v0_43(void) = ReturnValue : &:r0_42, m0_41 # 198| v0_44(void) = UnmodeledUse : mu* -# 198| v0_45(void) = ExitFunction : +# 198| v0_45(void) = AliasedUse : ~m0_1 +# 198| v0_46(void) = ExitFunction : # 207| int ModeledCallTarget(int) # 207| Block 0 @@ -851,4 +875,5 @@ ssa.cpp: # 207| r0_25(glval) = VariableAddress[#return] : # 207| v0_26(void) = ReturnValue : &:r0_25, m0_24 # 207| v0_27(void) = UnmodeledUse : mu* -# 207| v0_28(void) = ExitFunction : +# 207| v0_28(void) = AliasedUse : ~m0_1 +# 207| v0_29(void) = ExitFunction : diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected index 012ff53039b..928f535f9d8 100644 --- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected +++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected @@ -14,3 +14,8 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected index 8204cdad960..7aae6b70dfd 100644 --- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected +++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected @@ -78,7 +78,8 @@ ssa.cpp: # 13| r6_11(glval) = VariableAddress[#return] : # 13| v6_12(void) = ReturnValue : &:r6_11, m6_10 # 13| v6_13(void) = UnmodeledUse : mu* -# 13| v6_14(void) = ExitFunction : +# 13| v6_14(void) = AliasedUse : ~mu0_2 +# 13| v6_15(void) = ExitFunction : # 31| int UnreachableViaGoto() # 31| Block 0 @@ -93,7 +94,8 @@ ssa.cpp: # 31| r0_8(glval) = VariableAddress[#return] : # 31| v0_9(void) = ReturnValue : &:r0_8, m0_7 # 31| v0_10(void) = UnmodeledUse : mu* -# 31| v0_11(void) = ExitFunction : +# 31| v0_11(void) = AliasedUse : ~mu0_2 +# 31| v0_12(void) = ExitFunction : # 38| int UnreachableIf(bool) # 38| Block 0 @@ -119,7 +121,8 @@ ssa.cpp: # 38| r1_1(glval) = VariableAddress[#return] : # 38| v1_2(void) = ReturnValue : &:r1_1, m1_0 # 38| v1_3(void) = UnmodeledUse : mu* -# 38| v1_4(void) = ExitFunction : +# 38| v1_4(void) = AliasedUse : ~mu0_2 +# 38| v1_5(void) = ExitFunction : # 42| Block 2 # 42| r2_0(glval) = VariableAddress[x] : @@ -191,7 +194,8 @@ ssa.cpp: # 59| r1_4(glval) = VariableAddress[#return] : # 59| v1_5(void) = ReturnValue : &:r1_4, m1_3 # 59| v1_6(void) = UnmodeledUse : mu* -# 59| v1_7(void) = ExitFunction : +# 59| v1_7(void) = AliasedUse : ~mu0_2 +# 59| v1_8(void) = ExitFunction : # 59| Block 2 # 59| v2_0(void) = Unreached : @@ -222,7 +226,8 @@ ssa.cpp: # 71| v2_0(void) = NoOp : # 68| v2_1(void) = ReturnVoid : # 68| v2_2(void) = UnmodeledUse : mu* -# 68| v2_3(void) = ExitFunction : +# 68| v2_3(void) = AliasedUse : ~mu0_2 +# 68| v2_4(void) = ExitFunction : # 69| Block 3 # 69| m3_0(int) = Phi : from 0:m0_4, from 1:m3_6 @@ -293,7 +298,8 @@ ssa.cpp: # 89| v3_14(void) = NoOp : # 75| v3_15(void) = ReturnVoid : # 75| v3_16(void) = UnmodeledUse : mu* -# 75| v3_17(void) = ExitFunction : +# 75| v3_17(void) = AliasedUse : ~mu0_2 +# 75| v3_18(void) = ExitFunction : # 91| void MustExactlyOverlap(Point) # 91| Block 0 @@ -309,7 +315,8 @@ ssa.cpp: # 93| v0_9(void) = NoOp : # 91| v0_10(void) = ReturnVoid : # 91| v0_11(void) = UnmodeledUse : mu* -# 91| v0_12(void) = ExitFunction : +# 91| v0_12(void) = AliasedUse : ~mu0_2 +# 91| v0_13(void) = ExitFunction : # 95| void MustExactlyOverlapEscaped(Point) # 95| Block 0 @@ -328,12 +335,13 @@ ssa.cpp: # 97| r0_12(void *) = Convert : r0_11 # 97| v0_13(void) = Call : func:r0_9, 0:r0_12 # 97| mu0_14(unknown) = ^CallSideEffect : ~mu0_2 -# 97| v0_15(void) = ^IndirectReadSideEffect[0] : &:r0_12, ~mu0_2 +# 97| v0_15(void) = ^BufferReadSideEffect[0] : &:r0_12, ~mu0_2 # 97| mu0_16(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_12 # 98| v0_17(void) = NoOp : # 95| v0_18(void) = ReturnVoid : # 95| v0_19(void) = UnmodeledUse : mu* -# 95| v0_20(void) = ExitFunction : +# 95| v0_20(void) = AliasedUse : ~mu0_2 +# 95| v0_21(void) = ExitFunction : # 100| void MustTotallyOverlap(Point) # 100| Block 0 @@ -355,7 +363,8 @@ ssa.cpp: # 103| v0_15(void) = NoOp : # 100| v0_16(void) = ReturnVoid : # 100| v0_17(void) = UnmodeledUse : mu* -# 100| v0_18(void) = ExitFunction : +# 100| v0_18(void) = AliasedUse : ~mu0_2 +# 100| v0_19(void) = ExitFunction : # 105| void MustTotallyOverlapEscaped(Point) # 105| Block 0 @@ -380,12 +389,13 @@ ssa.cpp: # 108| r0_18(void *) = Convert : r0_17 # 108| v0_19(void) = Call : func:r0_15, 0:r0_18 # 108| mu0_20(unknown) = ^CallSideEffect : ~mu0_2 -# 108| v0_21(void) = ^IndirectReadSideEffect[0] : &:r0_18, ~mu0_2 +# 108| v0_21(void) = ^BufferReadSideEffect[0] : &:r0_18, ~mu0_2 # 108| mu0_22(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_18 # 109| v0_23(void) = NoOp : # 105| v0_24(void) = ReturnVoid : # 105| v0_25(void) = UnmodeledUse : mu* -# 105| v0_26(void) = ExitFunction : +# 105| v0_26(void) = AliasedUse : ~mu0_2 +# 105| v0_27(void) = ExitFunction : # 111| void MayPartiallyOverlap(int, int) # 111| Block 0 @@ -413,7 +423,8 @@ ssa.cpp: # 114| v0_21(void) = NoOp : # 111| v0_22(void) = ReturnVoid : # 111| v0_23(void) = UnmodeledUse : mu* -# 111| v0_24(void) = ExitFunction : +# 111| v0_24(void) = AliasedUse : ~mu0_2 +# 111| v0_25(void) = ExitFunction : # 116| void MayPartiallyOverlapEscaped(int, int) # 116| Block 0 @@ -444,12 +455,13 @@ ssa.cpp: # 119| r0_24(void *) = Convert : r0_23 # 119| v0_25(void) = Call : func:r0_21, 0:r0_24 # 119| mu0_26(unknown) = ^CallSideEffect : ~mu0_2 -# 119| v0_27(void) = ^IndirectReadSideEffect[0] : &:r0_24, ~mu0_2 +# 119| v0_27(void) = ^BufferReadSideEffect[0] : &:r0_24, ~mu0_2 # 119| mu0_28(unknown) = ^BufferMayWriteSideEffect[0] : &:r0_24 # 120| v0_29(void) = NoOp : # 116| v0_30(void) = ReturnVoid : # 116| v0_31(void) = UnmodeledUse : mu* -# 116| v0_32(void) = ExitFunction : +# 116| v0_32(void) = AliasedUse : ~mu0_2 +# 116| v0_33(void) = ExitFunction : # 122| void MergeMustExactlyOverlap(bool, int, int) # 122| Block 0 @@ -505,7 +517,8 @@ ssa.cpp: # 132| v3_9(void) = NoOp : # 122| v3_10(void) = ReturnVoid : # 122| v3_11(void) = UnmodeledUse : mu* -# 122| v3_12(void) = ExitFunction : +# 122| v3_12(void) = AliasedUse : ~mu0_2 +# 122| v3_13(void) = ExitFunction : # 134| void MergeMustExactlyWithMustTotallyOverlap(bool, Point, int) # 134| Block 0 @@ -556,7 +569,8 @@ ssa.cpp: # 143| v3_5(void) = NoOp : # 134| v3_6(void) = ReturnVoid : # 134| v3_7(void) = UnmodeledUse : mu* -# 134| v3_8(void) = ExitFunction : +# 134| v3_8(void) = AliasedUse : ~mu0_2 +# 134| v3_9(void) = ExitFunction : # 145| void MergeMustExactlyWithMayPartiallyOverlap(bool, Point, int) # 145| Block 0 @@ -606,7 +620,8 @@ ssa.cpp: # 154| v3_4(void) = NoOp : # 145| v3_5(void) = ReturnVoid : # 145| v3_6(void) = UnmodeledUse : mu* -# 145| v3_7(void) = ExitFunction : +# 145| v3_7(void) = AliasedUse : ~mu0_2 +# 145| v3_8(void) = ExitFunction : # 156| void MergeMustTotallyOverlapWithMayPartiallyOverlap(bool, Rect, int) # 156| Block 0 @@ -658,7 +673,8 @@ ssa.cpp: # 165| v3_5(void) = NoOp : # 156| v3_6(void) = ReturnVoid : # 156| v3_7(void) = UnmodeledUse : mu* -# 156| v3_8(void) = ExitFunction : +# 156| v3_8(void) = AliasedUse : ~mu0_2 +# 156| v3_9(void) = ExitFunction : # 171| void WrapperStruct(Wrapper) # 171| Block 0 @@ -692,7 +708,8 @@ ssa.cpp: # 177| v0_27(void) = NoOp : # 171| v0_28(void) = ReturnVoid : # 171| v0_29(void) = UnmodeledUse : mu* -# 171| v0_30(void) = ExitFunction : +# 171| v0_30(void) = AliasedUse : ~mu0_2 +# 171| v0_31(void) = ExitFunction : # 179| int AsmStmt(int*) # 179| Block 0 @@ -710,7 +727,8 @@ ssa.cpp: # 179| r0_11(glval) = VariableAddress[#return] : # 179| v0_12(void) = ReturnValue : &:r0_11, m0_10 # 179| v0_13(void) = UnmodeledUse : mu* -# 179| v0_14(void) = ExitFunction : +# 179| v0_14(void) = AliasedUse : ~mu0_2 +# 179| v0_15(void) = ExitFunction : # 184| void AsmStmtWithOutputs(unsigned int&, unsigned int&, unsigned int&, unsigned int&) # 184| Block 0 @@ -718,22 +736,31 @@ ssa.cpp: # 184| mu0_1(unknown) = AliasedDefinition : # 184| mu0_2(unknown) = UnmodeledDefinition : # 184| r0_3(glval) = VariableAddress[a] : -# 184| mu0_4(unsigned int &) = InitializeParameter[a] : &:r0_3 +# 184| m0_4(unsigned int &) = InitializeParameter[a] : &:r0_3 # 184| r0_5(glval) = VariableAddress[b] : -# 184| mu0_6(unsigned int &) = InitializeParameter[b] : &:r0_5 +# 184| m0_6(unsigned int &) = InitializeParameter[b] : &:r0_5 # 184| r0_7(glval) = VariableAddress[c] : -# 184| mu0_8(unsigned int &) = InitializeParameter[c] : &:r0_7 +# 184| m0_8(unsigned int &) = InitializeParameter[c] : &:r0_7 # 184| r0_9(glval) = VariableAddress[d] : -# 184| mu0_10(unsigned int &) = InitializeParameter[d] : &:r0_9 -# 186| r0_11(glval) = VariableAddress[a] : -# 186| r0_12(glval) = VariableAddress[b] : -# 186| r0_13(glval) = VariableAddress[c] : -# 186| r0_14(glval) = VariableAddress[d] : -# 186| mu0_15(unknown) = InlineAsm : ~mu0_2, 0:r0_11, 1:r0_12, 2:r0_13, 3:r0_14 -# 192| v0_16(void) = NoOp : -# 184| v0_17(void) = ReturnVoid : -# 184| v0_18(void) = UnmodeledUse : mu* -# 184| v0_19(void) = ExitFunction : +# 184| m0_10(unsigned int &) = InitializeParameter[d] : &:r0_9 +# 189| r0_11(glval) = VariableAddress[a] : +# 189| r0_12(unsigned int &) = Load : &:r0_11, m0_4 +# 189| r0_13(glval) = CopyValue : r0_12 +# 189| r0_14(glval) = VariableAddress[b] : +# 189| r0_15(unsigned int &) = Load : &:r0_14, m0_6 +# 189| r0_16(glval) = CopyValue : r0_15 +# 190| r0_17(glval) = VariableAddress[c] : +# 190| r0_18(unsigned int &) = Load : &:r0_17, m0_8 +# 190| r0_19(unsigned int) = Load : &:r0_18, ~mu0_2 +# 190| r0_20(glval) = VariableAddress[d] : +# 190| r0_21(unsigned int &) = Load : &:r0_20, m0_10 +# 190| r0_22(unsigned int) = Load : &:r0_21, ~mu0_2 +# 186| mu0_23(unknown) = InlineAsm : ~mu0_2, 0:r0_13, 1:r0_16, 2:r0_19, 3:r0_22 +# 192| v0_24(void) = NoOp : +# 184| v0_25(void) = ReturnVoid : +# 184| v0_26(void) = UnmodeledUse : mu* +# 184| v0_27(void) = AliasedUse : ~mu0_2 +# 184| v0_28(void) = ExitFunction : # 198| int PureFunctions(char*, char*, int) # 198| Block 0 @@ -782,7 +809,8 @@ ssa.cpp: # 198| r0_42(glval) = VariableAddress[#return] : # 198| v0_43(void) = ReturnValue : &:r0_42, m0_41 # 198| v0_44(void) = UnmodeledUse : mu* -# 198| v0_45(void) = ExitFunction : +# 198| v0_45(void) = AliasedUse : ~mu0_2 +# 198| v0_46(void) = ExitFunction : # 207| int ModeledCallTarget(int) # 207| Block 0 @@ -811,4 +839,5 @@ ssa.cpp: # 207| r0_22(glval) = VariableAddress[#return] : # 207| v0_23(void) = ReturnValue : &:r0_22, m0_21 # 207| v0_24(void) = UnmodeledUse : mu* -# 207| v0_25(void) = ExitFunction : +# 207| v0_25(void) = AliasedUse : ~mu0_2 +# 207| v0_26(void) = ExitFunction : diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected index 012ff53039b..928f535f9d8 100644 --- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected +++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected @@ -14,3 +14,8 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected index cb3366e91b5..a7d7a6684e3 100644 --- a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected +++ b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.expected @@ -51,7 +51,6 @@ | test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | false | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 | | test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | true | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 | | test.cpp:163:12:163:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | -1 | true | CompareNE: ... != ... | test.cpp:160:9:160:16 | test.cpp:160:9:160:16 | -| test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 0 | false | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 | | test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 1 | false | CompareEQ: ... == ... | test.cpp:166:9:166:16 | test.cpp:166:9:166:16 | | test.cpp:167:12:167:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 1 | true | CompareEQ: ... == ... | test.cpp:166:9:166:16 | test.cpp:166:9:166:16 | | test.cpp:169:12:169:12 | Load: x | test.cpp:153:23:153:23 | InitializeParameter: y | 0 | false | CompareLT: ... < ... | test.cpp:154:6:154:10 | test.cpp:154:6:154:10 | diff --git a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.ql b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.ql index b009ce5001f..ef158f0de28 100644 --- a/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.ql +++ b/cpp/ql/test/library-tests/rangeanalysis/rangeanalysis/RangeAnalysis.ql @@ -11,13 +11,7 @@ query predicate instructionBounds( or exists(ReturnValueInstruction retInstr | retInstr.getReturnValueOperand() = i.getAUse()) ) and - ( - upper = true and - delta = min(int d | boundedInstruction(i, b, d, upper, reason)) - or - upper = false and - delta = max(int d | boundedInstruction(i, b, d, upper, reason)) - ) and + boundedInstruction(i, b, delta, upper, reason) and not valueNumber(b.getInstruction()) = valueNumber(i) and if reason instanceof CondReason then reasonLoc = reason.(CondReason).getCond().getLocation() diff --git a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_sanity.expected b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_sanity.expected index 9e8588507ff..a7d9b22fc72 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_sanity.expected +++ b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_sanity.expected @@ -1,9 +1,9 @@ missingOperand | misc.c:125:5:125:11 | CopyValue: (statement expression) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:97:6:97:10 | IR: misc3 | void misc3() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | allocators.cpp:14:5:14:8 | IR: main | int main() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | no_dynamic_init.cpp:9:5:9:8 | IR: main | int main() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | parameterinitializer.cpp:18:5:18:8 | IR: main | int main() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | stream_it.cpp:16:5:16:8 | IR: main | int main() | +| parameterinitializer.cpp:27:3:27:6 | BufferReadSideEffect: my_c | Instruction 'BufferReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | allocators.cpp:14:5:14:8 | IR: main | int main() | +| parameterinitializer.cpp:27:3:27:6 | BufferReadSideEffect: my_c | Instruction 'BufferReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | no_dynamic_init.cpp:9:5:9:8 | IR: main | int main() | +| parameterinitializer.cpp:27:3:27:6 | BufferReadSideEffect: my_c | Instruction 'BufferReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | parameterinitializer.cpp:18:5:18:8 | IR: main | int main() | +| parameterinitializer.cpp:27:3:27:6 | BufferReadSideEffect: my_c | Instruction 'BufferReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | stream_it.cpp:16:5:16:8 | IR: main | int main() | | try_catch.cpp:13:5:13:16 | ThrowValue: throw ... | Instruction 'ThrowValue' is missing an expected operand with tag 'Load' in function '$@'. | try_catch.cpp:11:6:11:17 | IR: bypass_catch | void bypass_catch() | unexpectedOperand duplicateOperand @@ -13,7 +13,6 @@ missingOperandType sideEffectWithoutPrimary instructionWithoutSuccessor | VacuousDestructorCall.cpp:2:29:2:29 | InitializeParameter: y | -| assume0.cpp:7:2:7:2 | Chi: call to f | | condition_decls.cpp:16:19:16:20 | Chi: call to BoxedInt | | condition_decls.cpp:26:23:26:24 | Chi: call to BoxedInt | | condition_decls.cpp:41:22:41:23 | Chi: call to BoxedInt | @@ -546,3 +545,8 @@ lostReachability | range_analysis.c:371:37:371:39 | Constant: 500 | backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected b/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected index 1bcffed0736..68298b46256 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected +++ b/cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected @@ -8,6 +8,7 @@ missingOperand | misc.c:220:9:223:3 | FieldAddress: {...} | Instruction 'FieldAddress' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:219:5:219:26 | IR: assign_designated_init | int assign_designated_init(someStruct*) | | misc.c:220:9:223:3 | FieldAddress: {...} | Instruction 'FieldAddress' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:219:5:219:26 | IR: assign_designated_init | int assign_designated_init(someStruct*) | | pointer_to_member.cpp:36:13:36:19 | FieldAddress: x1 | Instruction 'FieldAddress' is missing an expected operand with tag 'Unary' in function '$@'. | pointer_to_member.cpp:32:6:32:14 | IR: pmIsConst | void pmIsConst() | +| pointer_to_member.cpp:36:22:36:28 | Store: f1 | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | pointer_to_member.cpp:32:6:32:14 | IR: pmIsConst | void pmIsConst() | | range_analysis.c:368:10:368:21 | Store: ... ? ... : ... | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | range_analysis.c:355:14:355:27 | IR: test_ternary01 | unsigned int test_ternary01(unsigned int) | | range_analysis.c:369:10:369:36 | Store: ... ? ... : ... | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | range_analysis.c:355:14:355:27 | IR: test_ternary01 | unsigned int test_ternary01(unsigned int) | | range_analysis.c:370:10:370:38 | Store: ... ? ... : ... | Instruction 'Store' is missing an expected operand with tag 'StoreValue' in function '$@'. | range_analysis.c:355:14:355:27 | IR: test_ternary01 | unsigned int test_ternary01(unsigned int) | @@ -25,8 +26,6 @@ instructionWithoutSuccessor | VacuousDestructorCall.cpp:2:29:2:29 | InitializeParameter: y | | VacuousDestructorCall.cpp:3:3:3:3 | VariableAddress: x | | VacuousDestructorCall.cpp:4:3:4:3 | Load: y | -| assume0.cpp:7:2:7:2 | CallSideEffect: call to f | -| assume0.cpp:9:11:9:11 | Constant: (bool)... | | condition_decls.cpp:16:19:16:20 | CallSideEffect: call to BoxedInt | | condition_decls.cpp:26:19:26:20 | IndirectMayWriteSideEffect: bi | | condition_decls.cpp:26:23:26:24 | CallSideEffect: call to BoxedInt | @@ -46,7 +45,6 @@ instructionWithoutSuccessor | misc.c:219:47:219:48 | InitializeParameter: sp | | misc.c:221:10:221:10 | Store: 1 | | misc.c:222:10:222:10 | Store: 2 | -| ms_assume.cpp:20:12:20:12 | Constant: (bool)... | | ms_try_except.cpp:3:9:3:9 | Uninitialized: definition of x | | ms_try_except.cpp:7:13:7:17 | Store: ... = ... | | ms_try_except.cpp:9:19:9:19 | Load: j | @@ -68,6 +66,7 @@ instructionWithoutSuccessor | ms_try_mix.cpp:51:5:51:11 | ThrowValue: throw ... | | ms_try_mix.cpp:53:13:54:3 | NoOp: { ... } | | pointer_to_member.cpp:36:11:36:30 | FieldAddress: {...} | +| pointer_to_member.cpp:36:11:36:30 | FieldAddress: {...} | | static_init_templates.cpp:80:27:80:36 | Convert: (void *)... | | static_init_templates.cpp:80:27:80:36 | Convert: (void *)... | | static_init_templates.cpp:89:27:89:36 | Convert: (void *)... | @@ -611,86 +610,12 @@ lostReachability | range_analysis.c:371:37:371:39 | Constant: 500 | backEdgeCountMismatch useNotDominatedByDefinition -| VacuousDestructorCall.cpp:4:3:4:3 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | VacuousDestructorCall.cpp:2:6:2:6 | IR: CallDestructor | void CallDestructor(int, int*) | -| assume0.cpp:11:2:11:2 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | assume0.cpp:5:6:5:6 | IR: h | void h() | -| condition_decls.cpp:16:15:16:15 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:16:15:16:16 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:16:15:16:16 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:17:5:17:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:17:11:17:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:20:5:20:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:20:11:20:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:15:6:15:17 | IR: if_decl_bind | void if_decl_bind(int) | -| condition_decls.cpp:26:19:26:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:26:19:26:20 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:26:19:26:20 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:28:5:28:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:28:11:28:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:31:5:31:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:31:11:31:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:34:5:34:18 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:34:9:34:13 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:25:6:25:21 | IR: switch_decl_bind | void switch_decl_bind(int) | -| condition_decls.cpp:41:18:41:18 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) | -| condition_decls.cpp:41:18:41:19 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) | -| condition_decls.cpp:41:18:41:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) | -| condition_decls.cpp:42:5:42:7 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) | -| condition_decls.cpp:44:3:44:5 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:40:6:40:20 | IR: while_decl_bind | void while_decl_bind(int) | -| condition_decls.cpp:48:48:48:48 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) | -| condition_decls.cpp:48:48:48:49 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) | -| condition_decls.cpp:48:48:48:49 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) | -| condition_decls.cpp:48:56:48:61 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) | -| condition_decls.cpp:49:5:49:7 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) | -| condition_decls.cpp:51:3:51:5 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | condition_decls.cpp:47:6:47:18 | IR: for_decl_bind | void for_decl_bind(int) | -| cpp11.cpp:28:21:28:21 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | cpp11.cpp:27:7:27:14 | IR: getFirst | int range_based_for_11::getFirst() | -| file://:0:0:0:0 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | cpp11.cpp:27:7:27:14 | IR: getFirst | int range_based_for_11::getFirst() | -| misc.c:68:16:68:16 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:70:13:70:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:72:11:72:11 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:82:5:82:12 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:83:5:83:12 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:83:14:83:14 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:83:17:83:17 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:84:6:84:13 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:84:6:84:13 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:84:16:84:16 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:84:19:84:19 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:85:9:85:13 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:86:9:86:9 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:87:10:87:10 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:88:9:88:9 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:88:9:88:17 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:16:6:16:10 | IR: misc1 | void misc1(int, int) | -| misc.c:171:15:171:15 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:168:6:168:8 | IR: vla | void vla() | -| misc.c:173:19:173:24 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | misc.c:168:6:168:8 | IR: vla | void vla() | -| misc.c:174:17:174:22 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | misc.c:168:6:168:8 | IR: vla | void vla() | -| misc.c:174:30:174:35 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | misc.c:168:6:168:8 | IR: vla | void vla() | -| misc.c:219:5:219:26 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:219:5:219:26 | IR: assign_designated_init | int assign_designated_init(someStruct*) | -| misc.c:220:4:220:5 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | misc.c:219:5:219:26 | IR: assign_designated_init | int assign_designated_init(someStruct*) | -| ms_try_except.cpp:9:19:9:19 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_except.cpp:2:6:2:18 | IR: ms_try_except | void ms_try_except(int) | -| ms_try_except.cpp:19:17:19:17 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_except.cpp:2:6:2:18 | IR: ms_try_except | void ms_try_except(int) | -| ms_try_mix.cpp:14:16:14:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:10:6:10:18 | IR: ms_except_mix | void ms_except_mix(int) | -| ms_try_mix.cpp:15:13:15:14 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:10:6:10:18 | IR: ms_except_mix | void ms_except_mix(int) | -| ms_try_mix.cpp:16:13:16:19 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:10:6:10:18 | IR: ms_except_mix | void ms_except_mix(int) | -| ms_try_mix.cpp:18:16:18:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:10:6:10:18 | IR: ms_except_mix | void ms_except_mix(int) | -| ms_try_mix.cpp:21:16:21:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:10:6:10:18 | IR: ms_except_mix | void ms_except_mix(int) | -| ms_try_mix.cpp:24:12:24:15 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:10:6:10:18 | IR: ms_except_mix | void ms_except_mix(int) | -| ms_try_mix.cpp:31:16:31:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:27:6:27:19 | IR: ms_finally_mix | void ms_finally_mix(int) | -| ms_try_mix.cpp:32:13:32:14 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:27:6:27:19 | IR: ms_finally_mix | void ms_finally_mix(int) | -| ms_try_mix.cpp:33:13:33:19 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:27:6:27:19 | IR: ms_finally_mix | void ms_finally_mix(int) | -| ms_try_mix.cpp:35:16:35:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:27:6:27:19 | IR: ms_finally_mix | void ms_finally_mix(int) | -| ms_try_mix.cpp:38:16:38:19 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:27:6:27:19 | IR: ms_finally_mix | void ms_finally_mix(int) | -| ms_try_mix.cpp:41:12:41:15 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:27:6:27:19 | IR: ms_finally_mix | void ms_finally_mix(int) | -| ms_try_mix.cpp:51:5:51:11 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | ms_try_mix.cpp:47:6:47:28 | IR: ms_empty_finally_at_end | void ms_empty_finally_at_end() | | pointer_to_member.cpp:36:11:36:30 | Unary | Operand 'Unary' is not dominated by its definition in function '$@'. | pointer_to_member.cpp:32:6:32:14 | IR: pmIsConst | void pmIsConst() | | pointer_to_member.cpp:36:13:36:19 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | pointer_to_member.cpp:32:6:32:14 | IR: pmIsConst | void pmIsConst() | -| stmt_expr.cpp:30:20:30:21 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | stmt_expr.cpp:21:6:21:6 | IR: g | void stmtexpr::g(int) | -| stmt_expr.cpp:31:16:31:18 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | stmt_expr.cpp:21:6:21:6 | IR: g | void stmtexpr::g(int) | +| pointer_to_member.cpp:36:22:36:28 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | pointer_to_member.cpp:32:6:32:14 | IR: pmIsConst | void pmIsConst() | | try_catch.cpp:21:13:21:24 | Address | Operand 'Address' is not dominated by its definition in function '$@'. | try_catch.cpp:19:6:19:23 | IR: throw_from_nonstmt | void throw_from_nonstmt(int) | -| vla.c:3:5:3:8 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | IR: main | int main(int, char**) | -| vla.c:5:16:5:19 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | IR: main | int main(int, char**) | -| vla.c:5:22:5:25 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | IR: main | int main(int, char**) | -| vla.c:5:27:5:30 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | IR: main | int main(int, char**) | -| vla.c:5:27:5:33 | Load | Operand 'Load' is not dominated by its definition in function '$@'. | vla.c:3:5:3:8 | IR: main | int main(int, char**) | -| vla.c:12:37:12:42 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | vla.c:11:6:11:16 | IR: vla_typedef | void vla_typedef() | -| vla.c:12:55:12:60 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | vla.c:11:6:11:16 | IR: vla_typedef | void vla_typedef() | -| vla.c:14:40:14:45 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | vla.c:11:6:11:16 | IR: vla_typedef | void vla_typedef() | -| vla.c:14:58:14:63 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | vla.c:11:6:11:16 | IR: vla_typedef | void vla_typedef() | -| vla.c:14:74:14:79 | Operand | Operand 'Operand' is not dominated by its definition in function '$@'. | vla.c:11:6:11:16 | IR: vla_typedef | void vla_typedef() | +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_sanity.expected b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_sanity.expected index d064a1264ec..4ba89c3d0c6 100644 --- a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_sanity.expected +++ b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_sanity.expected @@ -1,9 +1,5 @@ missingOperand | misc.c:125:5:125:11 | CopyValue: (statement expression) | Instruction 'CopyValue' is missing an expected operand with tag 'Unary' in function '$@'. | misc.c:97:6:97:10 | IR: misc3 | void misc3() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | allocators.cpp:14:5:14:8 | IR: main | int main() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | no_dynamic_init.cpp:9:5:9:8 | IR: main | int main() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | parameterinitializer.cpp:18:5:18:8 | IR: main | int main() | -| parameterinitializer.cpp:27:3:27:6 | IndirectReadSideEffect: my_c | Instruction 'IndirectReadSideEffect' is missing an expected operand with tag 'SideEffect' in function '$@'. | stream_it.cpp:16:5:16:8 | IR: main | int main() | | try_catch.cpp:13:5:13:16 | ThrowValue: throw ... | Instruction 'ThrowValue' is missing an expected operand with tag 'Load' in function '$@'. | try_catch.cpp:11:6:11:17 | IR: bypass_catch | void bypass_catch() | unexpectedOperand duplicateOperand @@ -22,7 +18,6 @@ missingOperandType sideEffectWithoutPrimary instructionWithoutSuccessor | VacuousDestructorCall.cpp:2:29:2:29 | InitializeParameter: y | -| assume0.cpp:7:2:7:2 | CallSideEffect: call to f | | condition_decls.cpp:16:19:16:20 | CallSideEffect: call to BoxedInt | | condition_decls.cpp:26:23:26:24 | CallSideEffect: call to BoxedInt | | condition_decls.cpp:41:22:41:23 | CallSideEffect: call to BoxedInt | @@ -555,3 +550,8 @@ lostReachability | range_analysis.c:371:37:371:39 | Constant: 500 | backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes +missingCppType diff --git a/cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected b/cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected index ec6f300a957..c37bf5c8bfc 100644 --- a/cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected +++ b/cpp/ql/test/library-tests/valuenumbering/GlobalValueNumbering/ir_gvn.expected @@ -67,7 +67,8 @@ test.cpp: # 1| valnum = unique # 1| v0_33(void) = ReturnValue : &:r0_32 # 1| v0_34(void) = UnmodeledUse : mu* -# 1| v0_35(void) = ExitFunction : +# 1| v0_35(void) = AliasedUse : ~m0_1 +# 1| v0_36(void) = ExitFunction : # 12| int test01(int, int) # 12| Block 0 @@ -149,7 +150,8 @@ test.cpp: # 12| valnum = unique # 12| v0_39(void) = ReturnValue : &:r0_38 # 12| v0_40(void) = UnmodeledUse : mu* -# 12| v0_41(void) = ExitFunction : +# 12| v0_41(void) = AliasedUse : ~m0_1 +# 12| v0_42(void) = ExitFunction : # 25| int test02(int, int) # 25| Block 0 @@ -238,7 +240,8 @@ test.cpp: # 25| valnum = unique # 25| v0_43(void) = ReturnValue : &:r0_42 # 25| v0_44(void) = UnmodeledUse : mu* -# 25| v0_45(void) = ExitFunction : +# 25| v0_45(void) = AliasedUse : ~m0_26 +# 25| v0_46(void) = ExitFunction : # 39| int test03(int, int, int*) # 39| Block 0 @@ -336,7 +339,8 @@ test.cpp: # 39| valnum = unique # 39| v0_47(void) = ReturnValue : &:r0_46 # 39| v0_48(void) = UnmodeledUse : mu* -# 39| v0_49(void) = ExitFunction : +# 39| v0_49(void) = AliasedUse : ~m0_30 +# 39| v0_50(void) = ExitFunction : # 49| unsigned int my_strspn(char const*, char const*) # 49| Block 0 @@ -396,27 +400,27 @@ test.cpp: #-----| Goto -> Block 3 # 56| Block 3 -# 56| m3_0(char *) = Phi : from 2:m2_3, from 5:m5_4 +# 56| m3_0(decltype(nullptr)) = Phi : from 2:m2_3, from 5:m5_4 # 56| valnum = m3_0 -# 56| r3_1(glval) = VariableAddress[ptr] : +# 56| r3_1(glval) = VariableAddress[ptr] : # 56| valnum = r0_7 -# 56| r3_2(char *) = Load : &:r3_1, m3_0 +# 56| r3_2(char *) = Load : &:r3_1, m3_0 # 56| valnum = m3_0 -# 56| r3_3(char) = Load : &:r3_2, ~m0_1 +# 56| r3_3(char) = Load : &:r3_2, ~m0_1 # 56| valnum = unique -# 56| r3_4(int) = Convert : r3_3 +# 56| r3_4(int) = Convert : r3_3 # 56| valnum = unique -# 56| r3_5(glval) = VariableAddress[str] : +# 56| r3_5(glval) = VariableAddress[str] : # 56| valnum = r0_3 -# 56| r3_6(char *) = Load : &:r3_5, m0_4 +# 56| r3_6(char *) = Load : &:r3_5, m0_4 # 56| valnum = m0_4 -# 56| r3_7(char) = Load : &:r3_6, ~m0_1 +# 56| r3_7(char) = Load : &:r3_6, ~m0_1 # 56| valnum = unique -# 56| r3_8(int) = Convert : r3_7 +# 56| r3_8(int) = Convert : r3_7 # 56| valnum = unique -# 56| r3_9(bool) = CompareNE : r3_4, r3_8 +# 56| r3_9(bool) = CompareNE : r3_4, r3_8 # 56| valnum = unique -# 56| v3_10(void) = ConditionalBranch : r3_9 +# 56| v3_10(void) = ConditionalBranch : r3_9 #-----| False -> Block 6 #-----| True -> Block 4 @@ -498,7 +502,8 @@ test.cpp: # 49| valnum = r9_1 # 49| v9_6(void) = ReturnValue : &:r9_5, m9_4 # 49| v9_7(void) = UnmodeledUse : mu* -# 49| v9_8(void) = ExitFunction : +# 49| v9_8(void) = AliasedUse : ~m0_1 +# 49| v9_9(void) = ExitFunction : # 75| void test04(two_values*) # 75| Block 0 @@ -577,10 +582,13 @@ test.cpp: #-----| Goto -> Block 2 # 82| Block 2 -# 82| v2_0(void) = NoOp : -# 75| v2_1(void) = ReturnVoid : -# 75| v2_2(void) = UnmodeledUse : mu* -# 75| v2_3(void) = ExitFunction : +# 82| m2_0(unknown) = Phi : from 0:~m0_9, from 1:~m1_3 +# 82| valnum = unique +# 82| v2_1(void) = NoOp : +# 75| v2_2(void) = ReturnVoid : +# 75| v2_3(void) = UnmodeledUse : mu* +# 75| v2_4(void) = AliasedUse : ~m2_0 +# 75| v2_5(void) = ExitFunction : # 84| void test05(int, int, void*) # 84| Block 0 @@ -653,7 +661,8 @@ test.cpp: # 89| v3_5(void) = NoOp : # 84| v3_6(void) = ReturnVoid : # 84| v3_7(void) = UnmodeledUse : mu* -# 84| v3_8(void) = ExitFunction : +# 84| v3_8(void) = AliasedUse : ~m0_1 +# 84| v3_9(void) = ExitFunction : # 91| int regression_test00() # 91| Block 0 @@ -686,7 +695,8 @@ test.cpp: # 91| valnum = r0_9 # 91| v0_14(void) = ReturnValue : &:r0_13, m0_12 # 91| v0_15(void) = UnmodeledUse : mu* -# 91| v0_16(void) = ExitFunction : +# 91| v0_16(void) = AliasedUse : ~m0_1 +# 91| v0_17(void) = ExitFunction : # 104| int inheritanceConversions(Derived*) # 104| Block 0 @@ -747,7 +757,8 @@ test.cpp: # 104| valnum = r0_23 # 104| v0_28(void) = ReturnValue : &:r0_27, m0_26 # 104| v0_29(void) = UnmodeledUse : mu* -# 104| v0_30(void) = ExitFunction : +# 104| v0_30(void) = AliasedUse : ~m0_1 +# 104| v0_31(void) = ExitFunction : # 112| void test06() # 112| Block 0 @@ -767,4 +778,5 @@ test.cpp: # 117| v0_7(void) = NoOp : # 112| v0_8(void) = ReturnVoid : # 112| v0_9(void) = UnmodeledUse : mu* -# 112| v0_10(void) = ExitFunction : +# 112| v0_10(void) = AliasedUse : ~m0_1 +# 112| v0_11(void) = ExitFunction : diff --git a/cpp/ql/test/library-tests/variables/variables/types.expected b/cpp/ql/test/library-tests/variables/variables/types.expected index f239d276871..cdc8c42a762 100644 --- a/cpp/ql/test/library-tests/variables/variables/types.expected +++ b/cpp/ql/test/library-tests/variables/variables/types.expected @@ -1,18 +1,18 @@ | ..()(..) | RoutineType | | | | | | ..(*)(..) | FunctionPointerType | | ..()(..) | | | -| _Complex __float128 | ArithmeticType | | | | | +| _Complex __float128 | FloatingPointType | | | | | | _Complex double | FloatingPointType | | | | | | _Complex float | FloatingPointType | | | | | | _Complex long double | FloatingPointType | | | | | -| _Decimal32 | ArithmeticType | | | | | -| _Decimal64 | ArithmeticType | | | | | -| _Decimal128 | ArithmeticType | | | | | -| _Float32 | ArithmeticType | | | | | -| _Float32x | ArithmeticType | | | | | -| _Float64 | ArithmeticType | | | | | -| _Float64x | ArithmeticType | | | | | -| _Float128 | ArithmeticType | | | | | -| _Float128x | ArithmeticType | | | | | +| _Decimal32 | Decimal32Type | | | | | +| _Decimal64 | Decimal64Type | | | | | +| _Decimal128 | Decimal128Type | | | | | +| _Float32 | FloatingPointType | | | | | +| _Float32x | FloatingPointType | | | | | +| _Float64 | FloatingPointType | | | | | +| _Float64x | FloatingPointType | | | | | +| _Float128 | FloatingPointType | | | | | +| _Float128x | FloatingPointType | | | | | | _Imaginary double | FloatingPointType | | | | | | _Imaginary float | FloatingPointType | | | | | | _Imaginary long double | FloatingPointType | | | | | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.expected b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.expected index e07d202a678..c3ae88df15c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.expected @@ -1,9 +1,9 @@ -| template.cpp:4:7:4:15 | ... < ... | Check the comparison operator precedence. | -| test.cpp:42:6:42:14 | ... < ... | Check the comparison operator precedence. | -| test.cpp:43:6:43:14 | ... > ... | Check the comparison operator precedence. | -| test.cpp:44:6:44:16 | ... <= ... | Check the comparison operator precedence. | -| test.cpp:45:6:45:16 | ... <= ... | Check the comparison operator precedence. | -| test.cpp:46:6:46:14 | ... > ... | Check the comparison operator precedence. | -| test.cpp:50:6:50:32 | ... < ... | Check the comparison operator precedence. | -| test.cpp:51:6:51:18 | ... < ... | Check the comparison operator precedence. | -| test.cpp:54:8:54:16 | ... < ... | Check the comparison operator precedence. | +| template.cpp:4:7:4:15 | ... < ... | Comparison as an operand to another comparison. | +| test.cpp:42:6:42:14 | ... < ... | Comparison as an operand to another comparison. | +| test.cpp:43:6:43:14 | ... > ... | Comparison as an operand to another comparison. | +| test.cpp:44:6:44:16 | ... <= ... | Comparison as an operand to another comparison. | +| test.cpp:45:6:45:16 | ... <= ... | Comparison as an operand to another comparison. | +| test.cpp:46:6:46:14 | ... > ... | Comparison as an operand to another comparison. | +| test.cpp:50:6:50:32 | ... < ... | Comparison as an operand to another comparison. | +| test.cpp:51:6:51:18 | ... < ... | Comparison as an operand to another comparison. | +| test.cpp:54:8:54:16 | ... < ... | Comparison as an operand to another comparison. | diff --git a/cpp/upgrades/qlpack.yml b/cpp/upgrades/qlpack.yml new file mode 100644 index 00000000000..eaf90d6cf90 --- /dev/null +++ b/cpp/upgrades/qlpack.yml @@ -0,0 +1,2 @@ +name: codeql-cpp-upgrades +upgrades: . diff --git a/csharp/autobuilder/Semmle.Autobuild.Tests/BuildScripts.cs b/csharp/autobuilder/Semmle.Autobuild.Tests/BuildScripts.cs index dd0397c9605..20d19a3525c 100644 --- a/csharp/autobuilder/Semmle.Autobuild.Tests/BuildScripts.cs +++ b/csharp/autobuilder/Semmle.Autobuild.Tests/BuildScripts.cs @@ -340,6 +340,9 @@ namespace Semmle.Extraction.Tests string nugetRestore = null, string allSolutions = null, string cwd = @"C:\Project") { + Actions.GetEnvironmentVariable["CODEQL_AUTOBUILDER_CSHARP_NO_INDEXING"] = "false"; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_ROOT"] = @"C:\codeql\csharp"; + Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java"; Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa"; Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java"; Actions.GetEnvironmentVariable["LGTM_PROJECT_LANGUAGE"] = lgtmLanguage; @@ -373,12 +376,12 @@ namespace Semmle.Extraction.Tests Actions.RunProcess["cmd.exe /C dotnet clean test.csproj"] = 0; Actions.RunProcess["cmd.exe /C dotnet restore test.csproj"] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false test.csproj"] = 0; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["test.csproj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbar.cs\ntest.csproj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; var xml = new XmlDocument(); @@ -402,12 +405,12 @@ namespace Semmle.Extraction.Tests Actions.RunProcess["dotnet clean test.csproj"] = 0; Actions.RunProcess["dotnet restore test.csproj"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false test.csproj"] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["test.csproj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; var xml = new XmlDocument(); @@ -428,8 +431,8 @@ namespace Semmle.Extraction.Tests public void TestLinuxCSharpAutoBuilderExtractorFailed() { Actions.FileExists["csharp.log"] = false; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -522,11 +525,11 @@ namespace Semmle.Extraction.Tests public void TestLinuxBuildlessExtractionSuccess() { Actions.RunProcess[@"C:\odasa\tools/csharp/Semmle.Extraction.CSharp.Standalone --references:."] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.sln"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -539,8 +542,8 @@ namespace Semmle.Extraction.Tests { Actions.RunProcess[@"C:\odasa\tools/csharp/Semmle.Extraction.CSharp.Standalone --references:."] = 10; Actions.FileExists["csharp.log"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.sln"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -552,11 +555,11 @@ namespace Semmle.Extraction.Tests public void TestLinuxBuildlessExtractionSolution() { Actions.RunProcess[@"C:\odasa\tools/csharp/Semmle.Extraction.CSharp.Standalone foo.sln --references:."] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.sln"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -596,11 +599,11 @@ namespace Semmle.Extraction.Tests public void TestLinuxBuildCommand() { Actions.RunProcess[@"C:\odasa/tools/odasa index --auto ""./build.sh --skip-tests"""] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.sln"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -615,12 +618,12 @@ namespace Semmle.Extraction.Tests { Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbuild/build.sh"; Actions.EnumerateDirectories[@"C:\Project"] = ""; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.RunProcess["/bin/chmod u+x build/build.sh"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto build/build.sh"] = 0; Actions.RunProcessWorkingDirectory[@"C:\odasa/tools/odasa index --auto build/build.sh"] = "build"; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; @@ -633,8 +636,8 @@ namespace Semmle.Extraction.Tests { Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbuild.sh"; Actions.EnumerateDirectories[@"C:\Project"] = ""; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.RunProcess["/bin/chmod u+x build.sh"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto build.sh"] = 0; @@ -650,8 +653,8 @@ namespace Semmle.Extraction.Tests { Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbuild.sh"; Actions.EnumerateDirectories[@"C:\Project"] = ""; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.RunProcess["/bin/chmod u+x build.sh"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto build.sh"] = 5; @@ -667,11 +670,11 @@ namespace Semmle.Extraction.Tests { Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbuild.bat"; Actions.EnumerateDirectories[@"C:\Project"] = ""; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = 0; Actions.RunProcessWorkingDirectory[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = ""; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; @@ -684,11 +687,11 @@ namespace Semmle.Extraction.Tests { Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbuild.bat"; Actions.EnumerateDirectories[@"C:\Project"] = ""; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = 1; Actions.RunProcessWorkingDirectory[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = ""; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0; Actions.FileExists["csharp.log"] = true; @@ -700,13 +703,13 @@ namespace Semmle.Extraction.Tests public void TestWindowsCmdIgnoreErrors() { Actions.RunProcess["cmd.exe /C C:\\odasa\\tools\\odasa index --auto ^\"build.cmd --skip-tests^\""] = 3; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0; Actions.FileExists["csharp.log"] = true; SkipVsWhere(); - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.sln"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -721,7 +724,7 @@ namespace Semmle.Extraction.Tests Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test1.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test2.sln"] = 0; Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false; @@ -730,8 +733,8 @@ namespace Semmle.Extraction.Tests Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = false; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest1.cs\ntest2.cs"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -752,7 +755,7 @@ namespace Semmle.Extraction.Tests Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild test1.csproj /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore test2.csproj"] = 0; Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild test2.csproj /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists[@"test1.csproj"] = true; @@ -763,8 +766,8 @@ namespace Semmle.Extraction.Tests Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = false; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "test1.csproj\ntest2.csproj\ntest1.cs\ntest2.cs"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -803,8 +806,8 @@ namespace Semmle.Extraction.Tests Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat"] = true; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = false; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest1.cs\ntest2.cs"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -824,7 +827,7 @@ namespace Semmle.Extraction.Tests { Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test1.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false; @@ -832,8 +835,8 @@ namespace Semmle.Extraction.Tests Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat"] = true; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = false; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest1.cs\ntest2.cs"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -852,11 +855,11 @@ namespace Semmle.Extraction.Tests public void TestSkipNugetBuildless() { Actions.RunProcess[@"C:\odasa\tools/csharp/Semmle.Extraction.CSharp.Standalone foo.sln --references:. --skip-nuget"] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.sln"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -872,12 +875,12 @@ namespace Semmle.Extraction.Tests Actions.RunProcess["dotnet clean test.csproj"] = 0; Actions.RunProcess["dotnet restore test.csproj"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false --no-restore test.csproj"] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["test.csproj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; var xml = new XmlDocument(); @@ -899,7 +902,7 @@ namespace Semmle.Extraction.Tests { Actions.RunProcess["dotnet --list-sdks"] = 0; Actions.RunProcessOut["dotnet --list-sdks"] = "2.1.2 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]"; - Actions.RunProcess[@"curl -sO https://dot.net/v1/dotnet-install.sh"] = 0; + Actions.RunProcess[@"curl -L -sO https://dot.net/v1/dotnet-install.sh"] = 0; Actions.RunProcess[@"chmod u+x dotnet-install.sh"] = 0; Actions.RunProcess[@"./dotnet-install.sh --channel release --version 2.1.3 --install-dir C:\Project/.dotnet"] = 0; Actions.RunProcess[@"rm dotnet-install.sh"] = 0; @@ -907,12 +910,12 @@ namespace Semmle.Extraction.Tests Actions.RunProcess[@"C:\Project/.dotnet/dotnet clean test.csproj"] = 0; Actions.RunProcess[@"C:\Project/.dotnet/dotnet restore test.csproj"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/.dotnet/dotnet build --no-incremental /p:UseSharedCompilation=false test.csproj"] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["test.csproj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin"; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -935,7 +938,7 @@ namespace Semmle.Extraction.Tests { Actions.RunProcess["dotnet --list-sdks"] = 0; Actions.RunProcessOut["dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]"; - Actions.RunProcess[@"curl -sO https://dot.net/v1/dotnet-install.sh"] = 0; + Actions.RunProcess[@"curl -L -sO https://dot.net/v1/dotnet-install.sh"] = 0; Actions.RunProcess[@"chmod u+x dotnet-install.sh"] = 0; Actions.RunProcess[@"./dotnet-install.sh --channel release --version 2.1.3 --install-dir C:\Project/.dotnet"] = 0; Actions.RunProcess[@"rm dotnet-install.sh"] = 0; @@ -943,12 +946,12 @@ namespace Semmle.Extraction.Tests Actions.RunProcess[@"C:\Project/.dotnet/dotnet clean test.csproj"] = 0; Actions.RunProcess[@"C:\Project/.dotnet/dotnet restore test.csproj"] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/.dotnet/dotnet build --no-incremental /p:UseSharedCompilation=false test.csproj"] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["test.csproj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin"; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbar.cs\ntest.csproj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -977,12 +980,12 @@ namespace Semmle.Extraction.Tests Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean test.csproj"] = 0; Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore test.csproj"] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false test.csproj"] = 0; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["test.csproj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin"; Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -1005,7 +1008,7 @@ namespace Semmle.Extraction.Tests { Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore dirs.proj"] = 1; Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild dirs.proj /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0; - Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0; + Actions.RunProcess[@"cmd.exe /C C:\codeql\tools\java\bin\java -jar C:\codeql\csharp\tools\extractor-asp.jar ."] = 0; Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists[@"a\test.csproj"] = true; @@ -1016,8 +1019,8 @@ namespace Semmle.Extraction.Tests Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\vcvarsall.bat"] = false; Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "a\\test.cs\na\\test.csproj\ndirs.proj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -1048,13 +1051,13 @@ namespace Semmle.Extraction.Tests { Actions.RunProcess[@"mono C:\odasa\tools/csharp/nuget/nuget.exe restore dirs.proj"] = 1; Actions.RunProcess[@"C:\odasa/tools/odasa index --auto msbuild dirs.proj /p:UseSharedCompilation=false /t:rebuild /p:MvcBuildViews=true"] = 0; - Actions.RunProcess[@"C:\odasa\tools\java/bin/java -jar C:\odasa/tools/extractor-asp.jar ."] = 0; + Actions.RunProcess[@"C:\codeql\tools\java/bin/java -jar C:\codeql\csharp/tools/extractor-asp.jar ."] = 0; Actions.RunProcess[@"C:\odasa/tools/odasa index --xml --extensions config csproj props xml"] = 0; Actions.FileExists["csharp.log"] = true; Actions.FileExists["a/test.csproj"] = true; Actions.FileExists["dirs.proj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.EnumerateFiles[@"C:\Project"] = "a/test.cs\na/test.csproj\ndirs.proj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; @@ -1083,8 +1086,8 @@ namespace Semmle.Extraction.Tests public void TestCyclicDirsProj() { Actions.FileExists["dirs.proj"] = true; - Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null; - Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = ""; + Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = ""; Actions.FileExists["csharp.log"] = false; Actions.EnumerateFiles[@"C:\Project"] = "dirs.proj"; Actions.EnumerateDirectories[@"C:\Project"] = ""; diff --git a/csharp/autobuilder/Semmle.Autobuild/AspBuildRule.cs b/csharp/autobuilder/Semmle.Autobuild/AspBuildRule.cs index a39481545d8..b5b3dfcf61d 100644 --- a/csharp/autobuilder/Semmle.Autobuild/AspBuildRule.cs +++ b/csharp/autobuilder/Semmle.Autobuild/AspBuildRule.cs @@ -1,6 +1,4 @@ -using System.IO; - -namespace Semmle.Autobuild +namespace Semmle.Autobuild { /// /// ASP extraction. @@ -9,10 +7,14 @@ namespace Semmle.Autobuild { public BuildScript Analyse(Autobuilder builder, bool auto) { + (var javaHome, var dist) = + builder.CodeQLJavaHome != null ? + (builder.CodeQLJavaHome, builder.CodeQLExtractorCSharpRoot) : + (builder.SemmleJavaHome, builder.SemmleDist); var command = new CommandBuilder(builder.Actions). - RunCommand(builder.Actions.PathCombine(builder.SemmleJavaHome, "bin", "java")). + RunCommand(builder.Actions.PathCombine(javaHome, "bin", "java")). Argument("-jar"). - QuoteArgument(builder.Actions.PathCombine(builder.SemmleDist, "tools", "extractor-asp.jar")). + QuoteArgument(builder.Actions.PathCombine(dist, "tools", "extractor-asp.jar")). Argument("."); return command.Script; } diff --git a/csharp/autobuilder/Semmle.Autobuild/AutobuildOptions.cs b/csharp/autobuilder/Semmle.Autobuild/AutobuildOptions.cs index 4a2e906fc81..740b740f9fb 100644 --- a/csharp/autobuilder/Semmle.Autobuild/AutobuildOptions.cs +++ b/csharp/autobuilder/Semmle.Autobuild/AutobuildOptions.cs @@ -29,6 +29,7 @@ namespace Semmle.Autobuild public bool NugetRestore; public Language Language; + public bool Indexing; /// /// Reads options from environment variables. @@ -53,6 +54,7 @@ namespace Semmle.Autobuild NugetRestore = actions.GetEnvironmentVariable(prefix + "NUGET_RESTORE").AsBool("nuget_restore", true); Language = actions.GetEnvironmentVariable("LGTM_PROJECT_LANGUAGE").AsLanguage(); + Indexing = !actions.GetEnvironmentVariable("CODEQL_AUTOBUILDER_CSHARP_NO_INDEXING").AsBool("no_indexing", false); } } diff --git a/csharp/autobuilder/Semmle.Autobuild/Autobuilder.cs b/csharp/autobuilder/Semmle.Autobuild/Autobuilder.cs index a5a463d01a3..001934f489d 100644 --- a/csharp/autobuilder/Semmle.Autobuild/Autobuilder.cs +++ b/csharp/autobuilder/Semmle.Autobuild/Autobuilder.cs @@ -176,14 +176,18 @@ namespace Semmle.Autobuild return ret ?? new List(); }); + CodeQLExtractorCSharpRoot = Actions.GetEnvironmentVariable("CODEQL_EXTRACTOR_CSHARP_ROOT"); + + CodeQLJavaHome = Actions.GetEnvironmentVariable("CODEQL_JAVA_HOME"); + SemmleDist = Actions.GetEnvironmentVariable("SEMMLE_DIST"); SemmleJavaHome = Actions.GetEnvironmentVariable("SEMMLE_JAVA_HOME"); SemmlePlatformTools = Actions.GetEnvironmentVariable("SEMMLE_PLATFORM_TOOLS"); - if (SemmleDist == null) - Log(Severity.Error, "The environment variable SEMMLE_DIST has not been set."); + if (CodeQLExtractorCSharpRoot == null && SemmleDist == null) + Log(Severity.Error, "The environment variables CODEQL_EXTRACTOR_CSHARP_ROOT and SEMMLE_DIST have not been set."); } readonly ILogger logger = new ConsoleLogger(Verbosity.Info); @@ -259,9 +263,9 @@ namespace Semmle.Autobuild break; case CSharpBuildStrategy.Auto: var cleanTrapFolder = - BuildScript.DeleteDirectory(Actions.GetEnvironmentVariable("TRAP_FOLDER")); + BuildScript.DeleteDirectory(Actions.GetEnvironmentVariable("CODEQL_EXTRACTOR_CSHARP_TRAP_DIR") ?? Actions.GetEnvironmentVariable("TRAP_FOLDER")); var cleanSourceArchive = - BuildScript.DeleteDirectory(Actions.GetEnvironmentVariable("SOURCE_ARCHIVE")); + BuildScript.DeleteDirectory(Actions.GetEnvironmentVariable("CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR") ?? Actions.GetEnvironmentVariable("SOURCE_ARCHIVE")); var tryCleanExtractorArgsLogs = BuildScript.Create(actions => { @@ -361,6 +365,16 @@ namespace Semmle.Autobuild return 1; }); + /// + /// Value of CODEQL_EXTRACTOR_CSHARP_ROOT environment variable. + /// + public string CodeQLExtractorCSharpRoot { get; private set; } + + /// + /// Value of CODEQL_JAVA_HOME environment variable. + /// + public string CodeQLJavaHome { get; private set; } + /// /// Value of SEMMLE_DIST environment variable. /// @@ -380,5 +394,12 @@ namespace Semmle.Autobuild /// The absolute path of the odasa executable. /// public string Odasa => SemmleDist == null ? null : Actions.PathCombine(SemmleDist, "tools", "odasa"); + + /// + /// Construct a command that executed the given wrapped in + /// an odasa --index, unless indexing has been disabled, in which case + /// is run directly. + /// + internal CommandBuilder MaybeIndex(CommandBuilder builder, string cmd) => Options.Indexing ? builder.IndexCommand(Odasa, cmd) : builder.RunCommand(cmd); } } diff --git a/csharp/autobuilder/Semmle.Autobuild/BuildCommandAutoRule.cs b/csharp/autobuilder/Semmle.Autobuild/BuildCommandAutoRule.cs index 8ae3ee60966..09c41ccf74c 100644 --- a/csharp/autobuilder/Semmle.Autobuild/BuildCommandAutoRule.cs +++ b/csharp/autobuilder/Semmle.Autobuild/BuildCommandAutoRule.cs @@ -52,7 +52,7 @@ namespace Semmle.Autobuild if (vsTools != null) command.CallBatFile(vsTools.Path); - command.IndexCommand(builder.Odasa, scriptPath); + builder.MaybeIndex(command, scriptPath); return command.Script; }); } diff --git a/csharp/autobuilder/Semmle.Autobuild/BuildCommandRule.cs b/csharp/autobuilder/Semmle.Autobuild/BuildCommandRule.cs index 8019b5798bc..2e582b707f2 100644 --- a/csharp/autobuilder/Semmle.Autobuild/BuildCommandRule.cs +++ b/csharp/autobuilder/Semmle.Autobuild/BuildCommandRule.cs @@ -19,7 +19,7 @@ var vsTools = MsBuildRule.GetVcVarsBatFile(builder); if (vsTools != null) command.CallBatFile(vsTools.Path); - command.IndexCommand(builder.Odasa, builder.Options.BuildCommand); + builder.MaybeIndex(command, builder.Options.BuildCommand); return command.Script; }); diff --git a/csharp/autobuilder/Semmle.Autobuild/DotNetRule.cs b/csharp/autobuilder/Semmle.Autobuild/DotNetRule.cs index 105e466071b..789d68db30a 100644 --- a/csharp/autobuilder/Semmle.Autobuild/DotNetRule.cs +++ b/csharp/autobuilder/Semmle.Autobuild/DotNetRule.cs @@ -196,6 +196,7 @@ Invoke-Command -ScriptBlock $ScriptBlock"; { var curl = new CommandBuilder(builder.Actions). RunCommand("curl"). + Argument("-L"). Argument("-sO"). Argument("https://dot.net/v1/dotnet-install.sh"); @@ -259,13 +260,12 @@ Invoke-Command -ScriptBlock $ScriptBlock"; CommandBuilder GetBuildCommand(Autobuilder builder, (string DotNetPath, IDictionary Environment)? arg) { - var build = new CommandBuilder(builder.Actions, null, arg?.Environment). - IndexCommand(builder.Odasa, DotNetCommand(builder.Actions, arg?.DotNetPath)). + var build = new CommandBuilder(builder.Actions, null, arg?.Environment); + return builder.MaybeIndex(build, DotNetCommand(builder.Actions, arg?.DotNetPath)). Argument("build"). Argument("--no-incremental"). Argument("/p:UseSharedCompilation=false"). Argument(builder.Options.DotNetArguments); - return build; } } } diff --git a/csharp/autobuilder/Semmle.Autobuild/MsBuildRule.cs b/csharp/autobuilder/Semmle.Autobuild/MsBuildRule.cs index 593039919ed..b0ee01b8d3c 100644 --- a/csharp/autobuilder/Semmle.Autobuild/MsBuildRule.cs +++ b/csharp/autobuilder/Semmle.Autobuild/MsBuildRule.cs @@ -36,7 +36,10 @@ namespace Semmle.Autobuild builder.Log(Severity.Warning, "Could not find a suitable version of vcvarsall.bat"); } - var nuget = builder.Actions.PathCombine(builder.SemmlePlatformTools, "csharp", "nuget", "nuget.exe"); + var nuget = + builder.SemmlePlatformTools != null ? + builder.Actions.PathCombine(builder.SemmlePlatformTools, "csharp", "nuget", "nuget.exe") : + "nuget"; var ret = BuildScript.Success; @@ -56,7 +59,7 @@ namespace Semmle.Autobuild if (vsTools != null) command.CallBatFile(vsTools.Path); - command.IndexCommand(builder.Odasa, MsBuild); + builder.MaybeIndex(command, MsBuild); command.QuoteArgument(projectOrSolution.FullPath); command.Argument("/p:UseSharedCompilation=false"); diff --git a/csharp/autobuilder/Semmle.Autobuild/XmlBuildRule.cs b/csharp/autobuilder/Semmle.Autobuild/XmlBuildRule.cs index 8d34fde6413..5814c2b63d2 100644 --- a/csharp/autobuilder/Semmle.Autobuild/XmlBuildRule.cs +++ b/csharp/autobuilder/Semmle.Autobuild/XmlBuildRule.cs @@ -1,6 +1,4 @@ -using System.Collections.Generic; - -namespace Semmle.Autobuild +namespace Semmle.Autobuild { /// /// XML extraction. @@ -9,6 +7,9 @@ namespace Semmle.Autobuild { public BuildScript Analyse(Autobuilder builder, bool auto) { + if (!builder.Options.Indexing) + return BuildScript.Success; + var command = new CommandBuilder(builder.Actions). RunCommand(builder.Odasa). Argument("index --xml --extensions config csproj props xml"); diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs index acabad9e349..7ca12e00f26 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor.cs @@ -405,22 +405,23 @@ namespace Semmle.Extraction.CSharp static string GetCSharpLogDirectory() { - string snapshot = Environment.GetEnvironmentVariable("ODASA_SNAPSHOT"); - string buildErrorDir = Environment.GetEnvironmentVariable("ODASA_BUILD_ERROR_DIR"); - string traps = Environment.GetEnvironmentVariable("TRAP_FOLDER"); + var codeQlLogDir = Environment.GetEnvironmentVariable("CODEQL_EXTRACTOR_CSHARP_LOG_DIR"); + if (!string.IsNullOrEmpty(codeQlLogDir)) + return codeQlLogDir; + + var snapshot = Environment.GetEnvironmentVariable("ODASA_SNAPSHOT"); if (!string.IsNullOrEmpty(snapshot)) - { return Path.Combine(snapshot, "log"); - } + + var buildErrorDir = Environment.GetEnvironmentVariable("ODASA_BUILD_ERROR_DIR"); if (!string.IsNullOrEmpty(buildErrorDir)) - { // Used by `qltest` return buildErrorDir; - } + + var traps = Environment.GetEnvironmentVariable("TRAP_FOLDER"); if (!string.IsNullOrEmpty(traps)) - { return traps; - } + return Directory.GetCurrentDirectory(); } } diff --git a/csharp/extractor/Semmle.Extraction/Layout.cs b/csharp/extractor/Semmle.Extraction/Layout.cs index cf6cad327cd..d59e455083d 100644 --- a/csharp/extractor/Semmle.Extraction/Layout.cs +++ b/csharp/extractor/Semmle.Extraction/Layout.cs @@ -100,8 +100,8 @@ namespace Semmle.Extraction /// Default constructor reads parameters from the environment. /// public Layout() : this( - Environment.GetEnvironmentVariable("TRAP_FOLDER"), - Environment.GetEnvironmentVariable("SOURCE_ARCHIVE"), + Environment.GetEnvironmentVariable("CODEQL_EXTRACTOR_CSHARP_TRAP_DIR") ?? Environment.GetEnvironmentVariable("TRAP_FOLDER"), + Environment.GetEnvironmentVariable("CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR") ?? Environment.GetEnvironmentVariable("SOURCE_ARCHIVE"), Environment.GetEnvironmentVariable("ODASA_CSHARP_LAYOUT")) { } diff --git a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.qhelp b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.qhelp new file mode 100644 index 00000000000..1ac3a59befc --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.qhelp @@ -0,0 +1,20 @@ + + + + +

    + A write that looks like it may be bypassing runtime checks. +

    + +     + + +
  • +OWASP: +Data Validation. +
    • + +     +     diff --git a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql new file mode 100644 index 00000000000..438c566361b --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql @@ -0,0 +1,35 @@ +/** + * @name Serialization check bypass + * @description A write that looks like it may be bypassing runtime checks. + * @kind problem + * @id cs/serialization-check-bypass + * @problem.severity warning + * @tags security + * external/cwe/cwe-20 + */ + +/* + * consider: @precision medium + */ + +import semmle.code.csharp.serialization.Serialization + +/** + * The result is a write to the field `f`, assigning it the value + * of variable `v` which was checked by the condition `check`. + */ +Expr checkedWrite(Field f, Variable v, IfStmt check) { + result = v.getAnAccess() and + result = f.getAnAssignedValue() and + check.getCondition() = v.getAnAccess().getParent*() and + result.getAControlFlowNode() = check.getAControlFlowNode().getASuccessor*() +} + +from BinarySerializableType t, Field f, IfStmt check, Expr write, Expr unsafeWrite +where + f = t.getASerializedField() and + write = checkedWrite(f, t.getAConstructor().getAParameter(), check) and + unsafeWrite = f.getAnAssignedValue() and + t.getADeserializationCallback() = unsafeWrite.getEnclosingCallable() and + not t.getADeserializationCallback().calls*(checkedWrite(f, _, _).getEnclosingCallable()) +select unsafeWrite, "This write to $@ may be circumventing a $@.", f, f.toString(), check, "check" diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.qhelp b/csharp/ql/src/Security Features/CWE-091/XMLInjection.qhelp new file mode 100644 index 00000000000..3aff9901bfc --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.qhelp @@ -0,0 +1,45 @@ + + + +

    +The APIs provided by the .NET libraries for XML manipulation allow the insertion of "raw" text at +a specified point in an XML document. If user input is passed to this API, it could allow a +malicious user to add extra content that could corrupt or supersede existing content, or enable +unintended additional functionality. +

    +     + +

    +Avoid using the WriteRaw method on System.Xml.XmlWriter with user input. +If possible, use the high-level APIs to write new XML elements to a document, as these automatically +escape user content. If that is not possible, then user input should be escaped before being +included in a string that will be used with the WriteRaw API. +

    +     + +

    In this example, user input is provided describing the name of an employee to add to an XML +document representing a set of names. The WriteRaw API is used to write the new +employee record to the XML file.

    + +

    However, if a malicious user were to provide the content + Bobby Pages</name></employee><employee><name>Hacker1, they +would be able to add an extra entry into the XML file. +

    +

    The corrected version demonstrates two ways to avoid this issue. The first is to escape user +input before passing it to the WriteRaw API, which prevents a malicious user from +closing or opening XML tags. The second approach uses the high level XML API to add XML elements, +which ensures the content is appropriately escaped.

    + +     + + +
  • + Web Application Security Consortium: XML Injection. +
    • +
  • + Microsoft Docs: WriteRaw. +
    • +     +     diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql new file mode 100644 index 00000000000..16e897ab2e9 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql @@ -0,0 +1,53 @@ +/** + * @name XML injection + * @description Building an XML document from user-controlled sources is vulnerable to insertion of + * malicious code by the user. + * @kind problem + * @id cs/xml-injection + * @problem.severity error + * @tags security + * external/cwe/cwe-091 + */ + +/* + * consider: @precision high + */ + +import csharp +import semmle.code.csharp.dataflow.flowsources.Remote +import semmle.code.csharp.frameworks.system.Xml + +/** + * A taint-tracking configuration for untrusted user input used in XML. + */ +class TaintTrackingConfiguration extends TaintTracking::Configuration { + TaintTrackingConfiguration() { this = "XMLInjection" } + + override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + + override predicate isSink(DataFlow::Node sink) { + exists(MethodCall mc | + mc.getTarget().hasName("WriteRaw") and + mc.getTarget().getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.XmlWriter") + | + mc.getArgument(0) = sink.asExpr() + ) + } + + override predicate isSanitizer(DataFlow::Node node) { + exists(MethodCall mc | + mc.getTarget().hasName("Escape") and + mc + .getTarget() + .getDeclaringType() + .getABaseType*() + .hasQualifiedName("System.Security.SecurityElement") + | + mc = node.asExpr() + ) + } +} + +from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink +where c.hasFlow(source, sink) +select sink, "$@ flows to here and is inserted as XML.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjectionBad.cs b/csharp/ql/src/Security Features/CWE-091/XMLInjectionBad.cs new file mode 100644 index 00000000000..522e6606580 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-091/XMLInjectionBad.cs @@ -0,0 +1,21 @@ +using System; +using System.Security; +using System.Web; +using System.Xml; + +public class XMLInjectionHandler : IHttpHandler { + public void ProcessRequest(HttpContext ctx) { + string employeeName = ctx.Request.QueryString["employeeName"]; + + using (XmlWriter writer = XmlWriter.Create("employees.xml")) + { + writer.WriteStartDocument(); + + // BAD: Insert user input directly into XML + writer.WriteRaw("" + employeeName + ""); + + writer.WriteEndElement(); + writer.WriteEndDocument(); + } + } +} \ No newline at end of file diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjectionGood.cs b/csharp/ql/src/Security Features/CWE-091/XMLInjectionGood.cs new file mode 100644 index 00000000000..be04ea7acb3 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-091/XMLInjectionGood.cs @@ -0,0 +1,25 @@ +using System; +using System.Security; +using System.Web; +using System.Xml; + +public class XMLInjectionHandler : IHttpHandler { + public void ProcessRequest(HttpContext ctx) { + string employeeName = ctx.Request.QueryString["employeeName"]; + + using (XmlWriter writer = XmlWriter.Create("employees.xml")) + { + writer.WriteStartDocument(); + + // GOOD: Escape user input before inserting into string + writer.WriteRaw("" + SecurityElement.Escape(employeeName) + ""); + + // GOOD: Use standard API, which automatically encodes values + writer.WriteStartElement("Employee"); + writer.WriteElementString("Name", employeeName); + writer.WriteEndElement(); + + writer.WriteEndElement(); + writer.WriteEndDocument(); + } + } \ No newline at end of file diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.qhelp b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.qhelp new file mode 100644 index 00000000000..e1dbe9c1bd0 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.qhelp @@ -0,0 +1,37 @@ + + + +

    +C# supports runtime loading of assemblies by path through the use of the +System.Reflection.Assembly API. If an external user can influence the path used to +load an assembly, then the application can potentially be tricked into loading an assembly which +was not intended to be loaded, and executing arbitrary code. +

    +     + +

    +Avoid loading assemblies based on user provided input. If this is not possible, ensure that the path +is validated before being used with Assembly. For example, compare the provided input +against a whitelist of known safe assemblies, or confirm that the path is restricted to a single +directory which only contains safe assemblies. +

    +     + +

    In this example, user input is provided describing the path to an assembly, which is loaded +without validation. This is problematic because it allows the user to load any assembly installed +on the system, and is particularly problematic if an attacker can upload a custom DLL elsewhere on +the system.

    + +

    In the corrected version, user input is validated against one of two options, and the assembly +is only loaded if the user input matches one of those options.

    + +     + + +
  • Microsoft: + System.Reflection.Assembly. +
    • +     +     diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql new file mode 100644 index 00000000000..7adcaa22d09 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql @@ -0,0 +1,66 @@ +/** + * @name Assembly path injection + * @description Loading a .NET assembly based on a path constructed from user-controlled sources + * may allow a malicious user to load code which modifies the program in unintended + * ways. + * @kind problem + * @id cs/assembly-path-injection + * @problem.severity error + * @tags security + * external/cwe/cwe-114 + */ + +/* + * consider: @precision high + */ + +import csharp +import semmle.code.csharp.dataflow.flowsources.Remote + +class MainMethod extends Method { + MainMethod() { + this.hasName("Main") and + this.isStatic() and + (this.getReturnType() instanceof VoidType or this.getReturnType() instanceof IntType) and + if this.getNumberOfParameters() = 1 + then this.getParameter(0).getType().(ArrayType).getElementType() instanceof StringType + else this.getNumberOfParameters() = 0 + } +} + +/** + * A taint-tracking configuration for untrusted user input used to load a DLL. + */ +class TaintTrackingConfiguration extends TaintTracking::Configuration { + TaintTrackingConfiguration() { this = "DLLInjection" } + + override predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource or + source.asExpr() = any(MainMethod main).getParameter(0).getAnAccess() + } + + override predicate isSink(DataFlow::Node sink) { + exists(MethodCall mc, string name, int arg | + mc.getTarget().getName().matches(name) and + mc + .getTarget() + .getDeclaringType() + .getABaseType*() + .hasQualifiedName("System.Reflection.Assembly") and + mc.getArgument(arg) = sink.asExpr() + | + name = "LoadFrom" and arg = 0 and mc.getNumberOfArguments() = [1 .. 2] + or + name = "LoadFile" and arg = 0 + or + name = "LoadWithPartialName" and arg = 0 + or + name = "UnsafeLoadFrom" and arg = 0 + ) + } +} + +from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink +where c.hasFlow(source, sink) +select sink, "$@ flows to here and is used as the path to dynamically load an assembly.", source, + "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjectionBad.cs b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjectionBad.cs new file mode 100644 index 00000000000..e037b34c95c --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjectionBad.cs @@ -0,0 +1,18 @@ +using System; +using System.Web; +using System.Reflection; + +public class AssemblyPathInjectionHandler : IHttpHandler { + public void ProcessRequest(HttpContext ctx) { + string assemblyPath = ctx.Request.QueryString["assemblyPath"]; + + // BAD: Load assembly based on user input + var badAssembly = Assembly.LoadFile(assemblyPath); + + // Method called on loaded assembly. If the user can control the loaded assembly, then this + // could result in a remote code execution vulnerability + MethodInfo m = badAssembly.GetType("Config").GetMethod("GetCustomPath"); + Object customPath = m.Invoke(null, null); + // ... + } +} \ No newline at end of file diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjectionGood.cs b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjectionGood.cs new file mode 100644 index 00000000000..c980e8514fb --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjectionGood.cs @@ -0,0 +1,19 @@ +using System; +using System.Web; +using System.Reflection; + +public class AssemblyPathInjectionHandler : IHttpHandler { + public void ProcessRequest(HttpContext ctx) { + string configType = ctx.Request.QueryString["configType"]; + + if (configType.equals("configType1") || configType.equals("configType2")) { + // GOOD: Loaded assembly is one of the two known safe options + var safeAssembly = Assembly.LoadFile(@"C:\SafeLibraries\" + configType + ".dll"); + + // Code execution is limited to one of two known and vetted assemblies + MethodInfo m = safeAssembly.GetType("Config").GetMethod("GetCustomPath"); + Object customPath = m.Invoke(null, null); + // ... + } + } +} \ No newline at end of file diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql new file mode 100644 index 00000000000..cce122ffa62 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql @@ -0,0 +1,39 @@ +/** + * @name Hard-coded encryption key + * @description The .Key property or rgbKey parameter of a SymmetricAlgorithm should never be a hard-coded value. + * @kind problem + * @id cs/hardcoded-key + * @problem.severity error + * @tags security + */ + +/* + * consider: @precision high + */ + +import csharp +import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlow::EncryptionKeyDataFlow + +/** + * The creation of a literal byte array. + */ +class ByteArrayLiteralSource extends KeySource { + ByteArrayLiteralSource() { + this.asExpr() = any(ArrayCreation ac | + ac.getArrayType().getElementType() instanceof ByteType and + ac.hasInitializer() + ) + } +} + +/** + * Any string literal as a source + */ +class StringLiteralSource extends KeySource { + StringLiteralSource() { this.asExpr() instanceof StringLiteral } +} + +from SymmetricKeyTaintTrackingConfiguration keyFlow, KeySource src, SymmetricEncryptionKeySink sink +where keyFlow.hasFlow(src, sink) +select sink, "Hard-coded symmetric $@ is used in symmetric algorithm in " + sink.getDescription(), + src, "key" diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKeyBad.cs b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKeyBad.cs new file mode 100644 index 00000000000..4ce81a349f7 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKeyBad.cs @@ -0,0 +1,8 @@ +using System.Security.Cryptography; + +var b = new AesCryptoServiceProvider() +{ + // BAD: explicit key assignment, hard-coded value + Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 } +}; + diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql new file mode 100644 index 00000000000..4113651677b --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql @@ -0,0 +1,22 @@ +/** + * @name Hard-coded symmetric encryption key + * @description The .Key property or rgbKey parameter of a SymmetricAlgorithm should never be a hardcoded value. + * @kind path-problem + * @id cs/hard-coded-symmetric-encryption-key + * @problem.severity error + * @tags security + */ + +/* + * consider: @precision high + */ + +import csharp +import semmle.code.csharp.security.cryptography.HardcodedSymmetricEncryptionKey::HardcodedSymmetricEncryptionKey +import DataFlow::PathGraph + +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink.getNode(), source, sink, + "Hard-coded symmetric $@ is used in symmetric algorithm in " + + sink.getNode().(Sink).getDescription() + ".", source.getNode(), "key" diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.qhelp b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.qhelp new file mode 100644 index 00000000000..c59feeed61c --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.qhelp @@ -0,0 +1,44 @@ + + + + +

    + SQL Server connections where the client is not enforcing the encryption in transit are susceptible to multiple attacks, including a man-in-the-middle, that would potentially compromise the user credentials and/or the TDS session. +

    + +     + + +

    Ensure that the client code enforces the Encrypt option by setting it to true in the connection string.

    + +     + + +

    The following example shows a SQL connection string that is not explicitly enabling the Encrypt setting to force encryption.

    + + + +

    + The following example shows a SQL connection string that is explicitly enabling the Encrypt setting to force encryption in transit. +

    + + + +     + +
  • Microsoft, SQL Protocols blog: + Selectively using secure connection to SQL Server. +
    • +
  • Microsoft: + SqlConnection.ConnectionString Property. +
    • +
  • Microsoft: + Using Connection String Keywords with SQL Server Native Client. +
    • +
  • Microsoft: + Setting the connection properties. +
    • +     +     diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql new file mode 100644 index 00000000000..78bcc1c19e5 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql @@ -0,0 +1,47 @@ +/** + * @name Insecure SQL connection + * @description Using an SQL Server connection without enforcing encryption is a security vulnerability. + * @kind path-problem + * @id cs/insecure-sql-connection + * @problem.severity error + * @tags security + * external/cwe/cwe-327 + */ + +/* + * consider: @precision high + */ + +import csharp +import DataFlow::PathGraph + +/** + * A `DataFlow::Configuration` for tracking `Strings passed to SqlConnectionStringBuilder` instances. + */ +class TaintTrackingConfiguration extends TaintTracking::Configuration { + TaintTrackingConfiguration() { this = "TaintTrackingConfiguration" } + + override predicate isSource(DataFlow::Node source) { + exists(string s | s = source.asExpr().(StringLiteral).getValue().toLowerCase() | + s.matches("%encrypt=false%") + or + not s.matches("%encrypt=%") + ) + } + + override predicate isSink(DataFlow::Node sink) { + exists(ObjectCreation oc | + oc.getRuntimeArgument(0) = sink.asExpr() and + ( + oc.getType().getName() = "SqlConnectionStringBuilder" + or + oc.getType().getName() = "SqlConnection" + ) + ) + } +} + +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "$@ flows to here and does not specify `Encrypt=True`.", + source.getNode(), "Connection string" diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionBad.cs b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionBad.cs new file mode 100644 index 00000000000..d90af93ece7 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionBad.cs @@ -0,0 +1,7 @@ +using System.Data.SqlClient; + +// BAD, Encrypt not specified +string connectString = + "Server=1.2.3.4;Database=Anything;Integrated Security=true;"; +SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); +var conn = new SqlConnection(builder.ConnectionString); \ No newline at end of file diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionGood.cs b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionGood.cs new file mode 100644 index 00000000000..83e341e2f79 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionGood.cs @@ -0,0 +1,6 @@ +using System.Data.SqlClient; + +string connectString = + "Server=1.2.3.4;Database=Anything;Integrated Security=true;;Encrypt=true;"; +SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); +var conn = new SqlConnection(builder.ConnectionString); \ No newline at end of file diff --git a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.qhelp b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.qhelp new file mode 100644 index 00000000000..323b8d918bf --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.qhelp @@ -0,0 +1,35 @@ + + + + +

    Deserializing a delegate object may result in remote code execution, when an +attacker can control the serialized data.

    + +     + + +

    Avoid deserializing delegate objects, if possible, or make sure that the serialized +data cannot be controlled by an attacker.

    + +     + + +

    In this example, a file stream is deserialized to a Func<int> +object, using a BinaryFormatter. The file stream is a parameter of a public +method, so depending on the calls to InvokeSerialized, this may or may not +pose a security problem.

    + + + +     + + +
  • +Microsoft: +BinaryFormatter Class. +
    • + +     +     diff --git a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql new file mode 100644 index 00000000000..31d28311908 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql @@ -0,0 +1,22 @@ +/** + * @name Deserialized delegate + * @description Deserializing a delegate allows for remote code execution when an + * attacker can control the serialized data. + * @kind problem + * @id cs/deserialized-delegate + * @problem.severity warning + * @precision high + * @tags security + * external/cwe/cwe-502 + */ + +import csharp +import semmle.code.csharp.frameworks.system.linq.Expressions +import semmle.code.csharp.serialization.Deserializers + +from Call deserialization, Cast cast +where + deserialization.getTarget() instanceof UnsafeDeserializer and + cast.getExpr() = deserialization and + cast.getTargetType() instanceof SystemLinqExpressions::DelegateExtType +select deserialization, "Deserialization of delegate type." diff --git a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegateBad.cs b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegateBad.cs new file mode 100644 index 00000000000..12b2dc76987 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegateBad.cs @@ -0,0 +1,14 @@ +using System; +using System.IO; +using System.Runtime.Serialization.Formatters.Binary; + +class Bad +{ + public static int InvokeSerialized(FileStream fs) + { + var formatter = new BinaryFormatter(); + // BAD + var f = (Func)formatter.Deserialize(fs); + return f(); + } +} diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp new file mode 100644 index 00000000000..7acfd20fe3a --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp @@ -0,0 +1,38 @@ + + + + +

    Deserializing an object from untrusted input may result in security problems, such +as denial-of-service or remote code execution.

    + +     + + +

    Avoid using an unsafe deserialization framework.

    + +     + + +

    In this example, a string is deserialized using a +JavaScriptSerializer with a simple type resolver. Using a type resolver +means that arbitrary code may be executed.

    + + + +

    To fix this specific vulnerability, we avoid using a type resolver. In other cases, +it may be necessary to use a different deserialization framework.

    + + + +     + + +
  • +Muñoz, Alvaro and Mirosh, Oleksandr: +JSON Attacks. +
    • + +     +     diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql new file mode 100644 index 00000000000..edd0e15c247 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql @@ -0,0 +1,22 @@ +/** + * @name Unsafe deserializer + * @description Calling an unsafe deserializer with data controlled by an attacker + * can lead to denial of service and other security problems. + * @kind problem + * @id cs/unsafe-deserialization + * @problem.severity warning + * @tags security + * external/cwe/cwe-502 + */ + +/* + * consider: @precision low + */ + +import csharp +import UnsafeDeserialization::UnsafeDeserialization + +from Call deserializeCall, Sink sink +where deserializeCall.getAnArgument() = sink.asExpr() +select deserializeCall, + "Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source." diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qll b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qll new file mode 100644 index 00000000000..4e401eb4804 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qll @@ -0,0 +1,83 @@ +/** + * Provides a taint-tracking configuration for reasoning about uncontrolled data + * in calls to unsafe deserializers (XML, JSON, XAML). + */ + +import csharp + +module UnsafeDeserialization { + private import semmle.code.csharp.dataflow.flowsources.Remote + private import semmle.code.csharp.dataflow.flowsources.Remote + private import semmle.code.csharp.serialization.Deserializers + + /** + * A data flow source for unsafe deserialization vulnerabilities. + */ + abstract class Source extends DataFlow::Node { } + + /** + * A data flow sink for unsafe deserialization vulnerabilities. + */ + abstract class Sink extends DataFlow::Node { } + + /** + * A sanitizer for unsafe deserialization vulnerabilities. + */ + abstract class Sanitizer extends DataFlow::Node { } + + /** + * A taint-tracking configuration for reasoning about unsafe deserialization. + */ + class TaintTrackingConfig extends TaintTracking::Configuration { + TaintTrackingConfig() { this = "UnsafeDeserialization" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + } + + class RemoteSource extends Source { + RemoteSource() { this instanceof RemoteFlowSource } + } + + /** A call to an unsafe deserializer. */ + class UnsafeDeserializerSink extends Sink { + UnsafeDeserializerSink() { + exists(Call c | + this.asExpr() = c.getAnArgument() and + c.getTarget() instanceof UnsafeDeserializer + ) + } + } + + private class JavaScriptSerializerClass extends Class { + JavaScriptSerializerClass() { + this.hasQualifiedName("System.Web.Script.Serialization.JavaScriptSerializer") + } + } + + /** + * An unsafe use of a JavaScript deserializer. That is, a use with a custom type-resolver + * (constructor parameter). + */ + class JavaScriptSerializerSink extends Sink { + JavaScriptSerializerSink() { + exists(ObjectCreation oc | + oc.getTarget().getDeclaringType() instanceof JavaScriptSerializerClass and + oc.getTarget().getNumberOfParameters() > 0 and + exists(MethodCall mc, Method m | + m = mc.getTarget() and + m.getDeclaringType() instanceof JavaScriptSerializerClass and + ( + m.hasName("Deserialize") or + m.hasName("DeserializeObject") + ) and + this.asExpr() = mc.getAnArgument() and + DataFlow::localFlow(DataFlow::exprNode(oc), DataFlow::exprNode(mc.getQualifier())) + ) + ) + } + } +} diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationBad.cs b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationBad.cs new file mode 100644 index 00000000000..385e700a0bf --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationBad.cs @@ -0,0 +1,11 @@ +using System.Web.Script.Serialization; + +class Bad +{ + public static object Deserialize(string s) + { + JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver()); + // BAD + return sr.DeserializeObject(s); + } +} diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationGood.cs b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationGood.cs new file mode 100644 index 00000000000..775862cd683 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationGood.cs @@ -0,0 +1,11 @@ +using System.Web.Script.Serialization; + +class Good +{ + public static object Deserialize(string s) + { + // GOOD + JavaScriptSerializer sr = new JavaScriptSerializer(); + return sr.DeserializeObject(s); + } +} diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp new file mode 100644 index 00000000000..ef946f40136 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp @@ -0,0 +1,39 @@ + + + + +

    Deserializing an object from untrusted input may result in security problems, such +as denial-of-service or remote code execution.

    + +     + + +

    Avoid deserializing objects from an untrusted source, and if not possible, make sure +to use a safe deserialization framework.

    + +     + + +

    In this example, text from an HTML text box is deserialized using a +JavaScriptSerializer with a simple type resolver. Using a type resolver +means that arbitrary code may be executed.

    + + + +

    To fix this specific vulnerability, we avoid using a type resolver. In other cases, +it may be necessary to use a different deserialization framework.

    + + + +     + + +
  • +Muñoz, Alvaro and Mirosh, Oleksandr: +JSON Attacks. +
    • + +     +     diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql new file mode 100644 index 00000000000..b0b659857ab --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql @@ -0,0 +1,23 @@ +/** + * @name Deserialization of untrusted data + * @description Calling an unsafe deserializer with data controlled by an attacker + * can lead to denial of service and other security problems. + * @kind path-problem + * @id cs/unsafe-deserialization-untrusted-input + * @problem.severity error + * @tags security + * external/cwe/cwe-502 + */ + +/* + * consider: @precision high + */ + +import csharp +import UnsafeDeserialization::UnsafeDeserialization +import DataFlow::PathGraph + +from TaintTrackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink +where config.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "$@ flows to unsafe deserializer.", source.getNode(), + "User-provided data" diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputBad.cs b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputBad.cs new file mode 100644 index 00000000000..db2b25097ba --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputBad.cs @@ -0,0 +1,12 @@ +using System.Web.UI.WebControls; +using System.Web.Script.Serialization; + +class Bad +{ + public static object Deserialize(TextBox textBox) + { + JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver()); + // BAD + return sr.DeserializeObject(textBox.Text); + } +} diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputGood.cs b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputGood.cs new file mode 100644 index 00000000000..d1e2935b218 --- /dev/null +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInputGood.cs @@ -0,0 +1,12 @@ +using System.Web.UI.WebControls; +using System.Web.Script.Serialization; + +class Good +{ + public static object Deserialize(TextBox textBox) + { + JavaScriptSerializer sr = new JavaScriptSerializer(); + // GOOD + return sr.DeserializeObject(textBox.Text); + } +} diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index d1ca7596f30..e69d5d93bf5 100644 --- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -86,6 +86,10 @@ module LocalFlow { scope = e2 and isSuccessor = true or + e1 = e2.(NullCoalescingExpr).getAnOperand() and + scope = e2 and + isSuccessor = false + or e1 = e2.(SuppressNullableWarningExpr).getExpr() and scope = e2 and isSuccessor = true diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/system/security/cryptography/SymmetricAlgorithm.qll b/csharp/ql/src/semmle/code/csharp/frameworks/system/security/cryptography/SymmetricAlgorithm.qll new file mode 100644 index 00000000000..d0b9c2e5239 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/frameworks/system/security/cryptography/SymmetricAlgorithm.qll @@ -0,0 +1,137 @@ +/** + * Provides classes for working with symmetric cryptography algorithms. + */ + +import csharp + +/** + * Holds if the object creation `oc` is the creation of the reference type with the specified `qualifiedName`, or a class derived from + * the class with the specified `qualifiedName`. + */ +private predicate isCreatingObject(ObjectCreation oc, string qualifiedName) { + exists(RefType t | t = oc.getType() | t.getBaseClass*().hasQualifiedName(qualifiedName)) +} + +/** + * Holds if the method call `mc` is returning the reference type with the specified `qualifiedName`. + * and the target of the method call is a library method. + */ +private predicate isReturningObject(MethodCall mc, string qualifiedName) { + mc.getTarget().fromLibrary() and + exists(RefType t | t = mc.getType() | t.hasQualifiedName(qualifiedName)) +} + +/** + * Holds if the method call `mc` is a call on the library method target with the specified `qualifiedName` and `methodName`, and an argument at + * index `argumentIndex` has the specified value `argumentValue` (case-insensitive). + */ +bindingset[argumentValue] +private predicate isMethodCalledWithArg( + MethodCall mc, string qualifiedName, string methodName, int argumentIndex, string argumentValue +) { + mc.getTarget().fromLibrary() and + mc.getTarget().hasQualifiedName(qualifiedName, methodName) and + mc.getArgument(argumentIndex).getValue().toUpperCase() = argumentValue.toUpperCase() +} + +/** + * The class `System.Security.Cryptography.SymmetricAlgorithm` or any sub class of this class. + */ +class SymmetricAlgorithm extends Class { + SymmetricAlgorithm() { + this.getABaseType*().hasQualifiedName("System.Security.Cryptography", "SymmetricAlgorithm") + } + + /** Gets the `IV` property. */ + Property getIVProperty() { result = this.getProperty("IV") } + + /** Gets the 'Key' property. */ + Property getKeyProperty() { result = this.getProperty("Key") } + + /** Gets a method call that constructs a symmetric encryptor. */ + MethodCall getASymmetricEncryptor() { result.getTarget() = this.getAMethod("CreateEncryptor") } + + /** Gets a method call that constructs a symmetric decryptor. */ + MethodCall getASymmetricDecryptor() { result.getTarget() = this.getAMethod("CreateDecryptor") } +} + +/** + * Holds if the expression 'e' creates DES symmetric algorithm. + * Note: not all of the class names are supported on all platforms. + */ +predicate isCreatingDES(Expr e) { + isCreatingObject(e, "System.Security.Cryptography.DES") or + isReturningObject(e, "System.Security.Cryptography.DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, "DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "System.Security.Cryptography.DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, "DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "System.Security.Cryptography.DES") +} + +/** + * Holds if the expression 'e' creates Triple DES symmetric algorithm. + * Note: not all of the class names are supported on all platforms. + */ +predicate isCreatingTripleDES(Expr e) { + isCreatingObject(e, "System.Security.Cryptography.TripleDES") or + isReturningObject(e, "System.Security.Cryptography.TripleDES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "TripleDES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, "3DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "Triple DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "System.Security.Cryptography.TripleDES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "TripleDES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, "3DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "Triple DES") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "System.Security.Cryptography.TripleDES") +} + +/** + * Holds if the expression 'e' creates RC2 symmetric algorithm. + * Note: not all of the class names are supported on all platforms. + */ +predicate isCreatingRC2(Expr e) { + isCreatingObject(e, "System.Security.Cryptography.RC2") or + isReturningObject(e, "System.Security.Cryptography.RC2") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, "RC2") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "System.Security.Cryptography.RC2") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, "RC2") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "System.Security.Cryptography.RC2") +} + +/** + * Holds if the expression 'e' creates Rijndael symmetric algorithm. + */ +predicate isCreatingRijndael(Expr e) { + isCreatingObject(e, "System.Security.Cryptography.Rijndael") or + isReturningObject(e, "System.Security.Cryptography.Rijndael") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "Rijndael") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "RijndaelManaged") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "System.Security.Cryptography.Rijndael") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "System.Security.Cryptography.RijndaelManaged") or + isMethodCalledWithArg(e, "System.Security.Cryptography.SymmetricAlgorithm", "Create", 0, + "System.Security.Cryptography.SymmetricAlgorithm") or // this creates Rijndael + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "Rijndael") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "System.Security.Cryptography.Rijndael") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "RijndaelManaged") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "System.Security.Cryptography.RijndaelManaged") or + isMethodCalledWithArg(e, "System.Security.Cryptography.CryptoConfig", "CreateFromName", 0, + "System.Security.Cryptography.SymmetricAlgorithm") // this creates Rijndael +} diff --git a/csharp/ql/src/semmle/code/csharp/ir/PrintIR.ql b/csharp/ql/src/semmle/code/csharp/ir/PrintIR.ql index c9c836fa252..1f93a39ad6f 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/PrintIR.ql +++ b/csharp/ql/src/semmle/code/csharp/ir/PrintIR.ql @@ -1,7 +1,7 @@ /** * @name Print IR * @description Outputs a representation of the IR graph - * @id charp/print-ir + * @id csharp/print-ir * @kind graph */ diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll new file mode 100644 index 00000000000..0abfa14023d --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll @@ -0,0 +1,247 @@ +/** + * Minimal, language-neutral type system for the IR. + */ + +private import internal.IRTypeInternal + +private newtype TIRType = + TIRVoidType() or + TIRUnknownType() or + TIRErrorType() { Language::hasErrorType() } or + TIRBooleanType(int byteSize) { Language::hasBooleanType(byteSize) } or + TIRSignedIntegerType(int byteSize) { Language::hasSignedIntegerType(byteSize) } or + TIRUnsignedIntegerType(int byteSize) { Language::hasUnsignedIntegerType(byteSize) } or + TIRFloatingPointType(int byteSize) { Language::hasFloatingPointType(byteSize) } or + TIRAddressType(int byteSize) { Language::hasAddressType(byteSize) } or + TIRFunctionAddressType(int byteSize) { Language::hasFunctionAddressType(byteSize) } or + TIROpaqueType(Language::OpaqueTypeTag tag, int byteSize) { + Language::hasOpaqueType(tag, byteSize) + } + +/** + * The language-neutral type of an IR `Instruction`, `Operand`, or `IRVariable`. + * The interface to `IRType` and its subclasses is the same across all languages for which the IR + * is supported, so analyses that expect to be used for multiple languages should generally use + * `IRType` rather than a language-specific type. + * + * Many types from the language-specific type system will map to a single canonical `IRType`. Two + * types that map to the same `IRType` are considered equivalent by the IR. As an example, in C++, + * all pointer types map to the same instance of `IRAddressType`. + */ +class IRType extends TIRType { + string toString() { none() } + + /** + * Gets a string that uniquely identifies this `IRType`. This string is often the same as the + * result of `IRType.toString()`, but for some types it may be more verbose to ensure uniqueness. + */ + string getIdentityString() { result = toString() } + + /** + * Gets the size of the type, in bytes, if known. + * + * This will hold for all `IRType` objects except `IRUnknownType`. + */ + int getByteSize() { none() } + + /** + * Gets a single instance of `LanguageType` that maps to this `IRType`. + */ + Language::LanguageType getCanonicalLanguageType() { none() } +} + +/** + * An unknown type. Generally used to represent results and operands that access an unknown set of + * memory locations, such as the side effects of a function call. + */ +class IRUnknownType extends IRType, TIRUnknownType { + final override string toString() { result = "unknown" } + + final override int getByteSize() { none() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalUnknownType() + } +} + +/** + * A void type, which has no values. Used to represent the result type of an instruction that does + * not produce a result. + */ +class IRVoidType extends IRType, TIRVoidType { + final override string toString() { result = "void" } + + final override int getByteSize() { result = 0 } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalVoidType() + } +} + +/** + * An error type. Used when an error in the source code prevents the extractor from determining the + * proper type. + */ +class IRErrorType extends IRType, TIRErrorType { + final override string toString() { result = "error" } + + final override int getByteSize() { result = 0 } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalErrorType() + } +} + +private class IRSizedType extends IRType { + int byteSize; + + IRSizedType() { + this = TIRBooleanType(byteSize) or + this = TIRSignedIntegerType(byteSize) or + this = TIRUnsignedIntegerType(byteSize) or + this = TIRFloatingPointType(byteSize) or + this = TIRAddressType(byteSize) or + this = TIRFunctionAddressType(byteSize) or + this = TIROpaqueType(_, byteSize) + } + + final override int getByteSize() { result = byteSize } +} + +/** + * A Boolean type, which can hold the values `true` (non-zero) or `false` (zero). + */ +class IRBooleanType extends IRSizedType, TIRBooleanType { + final override string toString() { result = "bool" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalBooleanType(byteSize) + } +} + +/** + * A numberic type. This includes `IRSignedIntegerType`, `IRUnsignedIntegerType`, and + * `IRFloatingPointType`. + */ +class IRNumericType extends IRSizedType { + IRNumericType() { + this = TIRSignedIntegerType(byteSize) or + this = TIRUnsignedIntegerType(byteSize) or + this = TIRFloatingPointType(byteSize) + } +} + +/** + * A signed two's-complement integer. Also used to represent enums whose underlying type is a signed + * integer, as well as character types whose representation is signed. + */ +class IRSignedIntegerType extends IRNumericType, TIRSignedIntegerType { + final override string toString() { result = "int" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalSignedIntegerType(byteSize) + } +} + +/** + * An unsigned two's-complement integer. Also used to represent enums whose underlying type is an + * unsigned integer, as well as character types whose representation is unsigned. + */ +class IRUnsignedIntegerType extends IRNumericType, TIRUnsignedIntegerType { + final override string toString() { result = "uint" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalUnsignedIntegerType(byteSize) + } +} + +/** + * A floating-point type. + */ +class IRFloatingPointType extends IRNumericType, TIRFloatingPointType { + final override string toString() { result = "float" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalFloatingPointType(byteSize) + } +} + +/** + * An address type, representing the memory address of data. Used to represent pointers, references, + * and lvalues, include those that are garbage collected. + * + * The address of a function is represented by the separate `IRFunctionAddressType`. + */ +class IRAddressType extends IRSizedType, TIRAddressType { + final override string toString() { result = "addr" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalAddressType(byteSize) + } +} + +/** + * An address type, representing the memory address of code. Used to represent function pointers, + * function references, and the target of a direct function call. + */ +class IRFunctionAddressType extends IRSizedType, TIRFunctionAddressType { + final override string toString() { result = "func" + byteSize.toString() } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalFunctionAddressType(byteSize) + } +} + +/** + * A type with known size that does not fit any of the other kinds of type. Used to represent + * classes, structs, unions, fixed-size arrays, pointers-to-member, and more. + */ +class IROpaqueType extends IRSizedType, TIROpaqueType { + Language::OpaqueTypeTag tag; + + IROpaqueType() { this = TIROpaqueType(tag, byteSize) } + + final override string toString() { + result = "opaque" + byteSize.toString() + "{" + tag.toString() + "}" + } + + final override string getIdentityString() { + result = "opaque" + byteSize.toString() + "{" + Language::getOpaqueTagIdentityString(tag) + "}" + } + + final override Language::LanguageType getCanonicalLanguageType() { + result = Language::getCanonicalOpaqueType(tag, byteSize) + } + + /** + * Gets the "tag" that differentiates this type from other incompatible opaque types that have the + * same size. + */ + final Language::OpaqueTypeTag getTag() { result = tag } +} + +module IRTypeSanity { + query predicate missingCanonicalLanguageType(IRType type, string message) { + not exists(type.getCanonicalLanguageType()) and + message = "Type does not have a canonical `LanguageType`" + } + + query predicate multipleCanonicalLanguageTypes(IRType type, string message) { + strictcount(type.getCanonicalLanguageType()) > 1 and + message = "Type has multiple canonical `LanguageType`s: " + + concat(type.getCanonicalLanguageType().toString(), ", ") + } + + query predicate missingIRType(Language::LanguageType type, string message) { + not exists(type.getIRType()) and + message = "`LanguageType` does not have a corresponding `IRType`." + } + + query predicate multipleIRTypes(Language::LanguageType type, string message) { + strictcount(type.getIRType()) > 1 and + message = "`LanguageType` " + type.getAQlClass() + " has multiple `IRType`s: " + + concat(type.getIRType().toString(), ", ") + } + + import Language::LanguageTypeSanity +} diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll index d4f1599d78e..a71608ee855 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll @@ -5,6 +5,7 @@ private newtype TMemoryAccessKind = TBufferMayMemoryAccess() or TEscapedMemoryAccess() or TEscapedMayMemoryAccess() or + TNonLocalMayMemoryAccess() or TPhiMemoryAccess() or TUnmodeledMemoryAccess() or TChiTotalMemoryAccess() or @@ -80,6 +81,14 @@ class EscapedMayMemoryAccess extends MemoryAccessKind, TEscapedMayMemoryAccess { override string toString() { result = "escaped(may)" } } +/** + * The operand or result may access all memory whose address has escaped, other than data on the + * stack frame of the current function. + */ +class NonLocalMayMemoryAccess extends MemoryAccessKind, TNonLocalMayMemoryAccess { + override string toString() { result = "nonlocal(may)" } +} + /** * The operand is a Phi operand, which accesses the same memory as its * definition. diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll index 0c1009b4fac..eb07be7f30c 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll @@ -57,6 +57,7 @@ private newtype TOpcode = TUnmodeledDefinition() or TUnmodeledUse() or TAliasedDefinition() or + TAliasedUse() or TPhi() or TBuiltIn() or TVarArgsStart() or @@ -393,6 +394,10 @@ module Opcode { final override string toString() { result = "AliasedDefinition" } } + class AliasedUse extends Opcode, TAliasedUse { + final override string toString() { result = "AliasedUse" } + } + class Phi extends Opcode, TPhi { final override string toString() { result = "Phi" } } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/IRTypeInternal.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/IRTypeInternal.qll new file mode 100644 index 00000000000..0ee01a30ac3 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/IRTypeInternal.qll @@ -0,0 +1 @@ +import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll index 908a208b83a..fea67ef5ecd 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll @@ -2,11 +2,11 @@ private import TIRVariableInternal private import Imports::TempVariableTag newtype TIRVariable = - TIRUserVariable(Language::Variable var, Language::Type type, Language::Function func) { + TIRUserVariable(Language::Variable var, Language::LanguageType type, Language::Function func) { Construction::hasUserVariable(func, var, type) } or TIRTempVariable( - Language::Function func, Language::AST ast, TempVariableTag tag, Language::Type type + Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type ) { Construction::hasTempVariable(func, ast, tag, type) } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll index 278040f8ab8..badd48552a5 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.IRImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind private newtype TIRPropertyProvider = MkIRPropertyProvider() diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll index 3921472dc8e..de66a3c99dc 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll @@ -1,2 +1,3 @@ private import IR import InstructionSanity +import IRTypeSanity diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll index a7ca4593ac4..1a607f82c29 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll @@ -5,6 +5,7 @@ import Imports::TempVariableTag private import Imports::IRUtilities private import Imports::TTempVariableTag private import Imports::TIRVariable +private import Imports::IRType IRUserVariable getIRUserVariable(Language::Function func, Language::Variable var) { result.getVariable() = var and @@ -24,7 +25,17 @@ abstract class IRVariable extends TIRVariable { /** * Gets the type of the variable. */ - abstract Language::Type getType(); + final Language::Type getType() { getLanguageType().hasType(result, false) } + + /** + * Gets the language-neutral type of the variable. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the variable. + */ + abstract Language::LanguageType getLanguageType(); /** * Gets the AST node that declared this variable, or that introduced this @@ -59,7 +70,7 @@ abstract class IRVariable extends TIRVariable { */ class IRUserVariable extends IRVariable, TIRUserVariable { Language::Variable var; - Language::Type type; + Language::LanguageType type; IRUserVariable() { this = TIRUserVariable(var, type, func) } @@ -71,7 +82,7 @@ class IRUserVariable extends IRVariable, TIRUserVariable { result = getVariable().toString() + " " + getVariable().getLocation().toString() } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } /** * Gets the original user-declared variable. @@ -110,11 +121,11 @@ IRTempVariable getIRTempVariable(Language::AST ast, TempVariableTag tag) { class IRTempVariable extends IRVariable, IRAutomaticVariable, TIRTempVariable { Language::AST ast; TempVariableTag tag; - Language::Type type; + Language::LanguageType type; IRTempVariable() { this = TIRTempVariable(func, ast, tag, type) } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } final override Language::AST getAST() { result = ast } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll index 6d5e697150e..049983c9126 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.InstructionImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind import Imports::Opcode private import Imports::OperandTag @@ -49,7 +50,8 @@ module InstructionSanity { ( opcode instanceof ReadSideEffectOpcode or opcode instanceof Opcode::InlineAsm or - opcode instanceof Opcode::CallSideEffect + opcode instanceof Opcode::CallSideEffect or + opcode instanceof Opcode::AliasedUse ) and tag instanceof SideEffectOperandTag ) @@ -113,10 +115,12 @@ module InstructionSanity { } query predicate missingOperandType(Operand operand, string message) { - exists(Language::Function func | + exists(Language::Function func, Instruction use | not exists(operand.getType()) and - func = operand.getUse().getEnclosingFunction() and - message = "Operand missing type in function '" + Language::getIdentityString(func) + "'." + use = operand.getUse() and + func = use.getEnclosingFunction() and + message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() + + "' missing type in function '" + Language::getIdentityString(func) + "'." ) } @@ -260,6 +264,7 @@ module InstructionSanity { ) { exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex | not useOperand.getUse() instanceof UnmodeledUseInstruction and + not defInstr instanceof UnmodeledDefinitionInstruction and pointOfEvaluation(useOperand, useBlock, useIndex) and defInstr = useOperand.getAnyDef() and ( @@ -321,7 +326,7 @@ class Instruction extends Construction::TInstruction { } private string getResultPrefix() { - if getResultType() instanceof Language::VoidType + if getResultIRType() instanceof IRVoidType then result = "v" else if hasMemoryResult() @@ -353,23 +358,6 @@ class Instruction extends Construction::TInstruction { ) } - bindingset[type] - private string getValueCategoryString(string type) { - if isGLValue() then result = "glval<" + type + ">" else result = type - } - - string getResultTypeString() { - exists(string valcat | - valcat = getValueCategoryString(getResultType().toString()) and - if - getResultType() instanceof Language::UnknownType and - not isGLValue() and - exists(getResultSize()) - then result = valcat + "[" + getResultSize().toString() + "]" - else result = valcat - ) - } - /** * Gets a human-readable string that uniquely identifies this instruction * within the function. This string is used to refer to this instruction when @@ -389,7 +377,9 @@ class Instruction extends Construction::TInstruction { * * Example: `r1_1(int*)` */ - final string getResultString() { result = getResultId() + "(" + getResultTypeString() + ")" } + final string getResultString() { + result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")" + } /** * Gets a string describing the operands of this instruction, suitable for @@ -457,6 +447,16 @@ class Instruction extends Construction::TInstruction { result = Construction::getInstructionUnconvertedResultExpression(this) } + final Language::LanguageType getResultLanguageType() { + result = Construction::getInstructionResultType(this) + } + + /** + * Gets the type of the result produced by this instruction. If the instruction does not produce + * a result, its result type will be `IRVoidType`. + */ + final IRType getResultIRType() { result = getResultLanguageType().getIRType() } + /** * Gets the type of the result produced by this instruction. If the * instruction does not produce a result, its result type will be `VoidType`. @@ -464,7 +464,16 @@ class Instruction extends Construction::TInstruction { * If `isGLValue()` holds, then the result type of this instruction should be * thought of as "pointer to `getResultType()`". */ - final Language::Type getResultType() { Construction::instructionHasType(this, result, _) } + final Language::Type getResultType() { + exists(Language::LanguageType resultType | + resultType = getResultLanguageType() and + ( + resultType.hasUnspecifiedType(result, _) + or + not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType + ) + ) + } /** * Holds if the result produced by this instruction is a glvalue. If this @@ -484,7 +493,7 @@ class Instruction extends Construction::TInstruction { * result of the `Load` instruction is a prvalue of type `int`, representing * the integer value loaded from variable `x`. */ - final predicate isGLValue() { Construction::instructionHasType(this, _, true) } + final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) } /** * Gets the size of the result produced by this instruction, in bytes. If the @@ -493,16 +502,7 @@ class Instruction extends Construction::TInstruction { * If `this.isGLValue()` holds for this instruction, the value of * `getResultSize()` will always be the size of a pointer. */ - final int getResultSize() { - if isGLValue() - then - // a glvalue is always pointer-sized. - result = Language::getPointerSize() - else - if getResultType() instanceof Language::UnknownType - then result = Construction::getInstructionResultSize(this) - else result = Language::getTypeSize(getResultType()) - } + final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() } /** * Gets the opcode that specifies the operation performed by this instruction. @@ -1384,7 +1384,7 @@ class CatchInstruction extends Instruction { * An instruction that catches an exception of a specific type. */ class CatchByTypeInstruction extends CatchInstruction { - Language::Type exceptionType; + Language::LanguageType exceptionType; CatchByTypeInstruction() { getOpcode() instanceof Opcode::CatchByType and @@ -1396,7 +1396,7 @@ class CatchByTypeInstruction extends CatchInstruction { /** * Gets the type of exception to be caught. */ - final Language::Type getExceptionType() { result = exceptionType } + final Language::LanguageType getExceptionType() { result = exceptionType } } /** @@ -1423,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction { final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess } } +/** + * An instruction that consumes all escaped memory on exit from the function. + */ +class AliasedUseInstruction extends Instruction { + AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse } +} + class UnmodeledUseInstruction extends Instruction { UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll index a23fb081afe..07dd107bf12 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll @@ -1,9 +1,10 @@ private import internal.IRInternal -import Instruction -import IRBlock +private import Instruction +private import IRBlock private import internal.OperandImports as Imports -import Imports::MemoryAccessKind -import Imports::Overlap +private import Imports::MemoryAccessKind +private import Imports::IRType +private import Imports::Overlap private import Imports::OperandTag cached @@ -143,22 +144,40 @@ class Operand extends TOperand { * the definition type, such as in the case of a partial read or a read from a pointer that * has been cast to a different type. */ - Language::Type getType() { result = getAnyDef().getResultType() } + Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() } + + /** + * Gets the language-neutral type of the value consumed by this operand. This is usually the same + * as the result type of the definition instruction consumed by this operand. For register + * operands, this is always the case. For some memory operands, the operand type may be different + * from the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the value consumed by this operand. This is usually the same as the + * result type of the definition instruction consumed by this operand. For register operands, + * this is always the case. For some memory operands, the operand type may be different from + * the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final Language::Type getType() { getLanguageType().hasType(result, _) } /** * Holds if the value consumed by this operand is a glvalue. If this * holds, the value of the operand represents the address of a location, * and the type of the location is given by `getType()`. If this does * not hold, the value of the operand represents a value whose type is - * given by `getResultType()`. + * given by `getType()`. */ - predicate isGLValue() { getAnyDef().isGLValue() } + final predicate isGLValue() { getLanguageType().hasType(_, true) } /** * Gets the size of the value consumed by this operand, in bytes. If the operand does not have * a known constant size, this predicate does not hold. */ - int getSize() { result = Language::getTypeSize(getType()) } + final int getSize() { result = getLanguageType().getByteSize() } } /** @@ -170,11 +189,6 @@ class MemoryOperand extends Operand { this = TPhiOperand(_, _, _, _) } - override predicate isGLValue() { - // A `MemoryOperand` can never be a glvalue - none() - } - /** * Gets the kind of memory access performed by the operand. */ @@ -239,7 +253,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe class TypedOperand extends NonPhiMemoryOperand { override TypedOperandTag tag; - final override Language::Type getType() { + final override Language::LanguageType getLanguageType() { result = Construction::getInstructionOperandType(useInstr, tag) } } @@ -381,13 +395,10 @@ class PositionalArgumentOperand extends ArgumentOperand { class SideEffectOperand extends TypedOperand { override SideEffectOperandTag tag; - final override int getSize() { - if getType() instanceof Language::UnknownType - then result = Construction::getInstructionOperandSize(useInstr, tag) - else result = Language::getTypeSize(getType()) - } - override MemoryAccessKind getMemoryAccess() { + useInstr instanceof AliasedUseInstruction and + result instanceof NonLocalMayMemoryAccess + or useInstr instanceof CallSideEffectInstruction and result instanceof EscapedMayMemoryAccess or diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll index c914f731e4d..79e5a2b6713 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll @@ -1,5 +1,5 @@ private import internal.ValueNumberingInternal -import csharp +private import internal.ValueNumberingImports private import IR /** @@ -23,31 +23,32 @@ newtype TValueNumber = initializeParameterValueNumber(_, irFunc, var) } or TInitializeThisValueNumber(IRFunction irFunc) { initializeThisValueNumber(_, irFunc) } or - TConstantValueNumber(IRFunction irFunc, Type type, string value) { + TConstantValueNumber(IRFunction irFunc, IRType type, string value) { constantValueNumber(_, irFunc, type, value) } or - TStringConstantValueNumber(IRFunction irFunc, Type type, string value) { + TStringConstantValueNumber(IRFunction irFunc, IRType type, string value) { stringConstantValueNumber(_, irFunc, type, value) } or - TFieldAddressValueNumber(IRFunction irFunc, Field field, ValueNumber objectAddress) { + TFieldAddressValueNumber(IRFunction irFunc, Language::Field field, ValueNumber objectAddress) { fieldAddressValueNumber(_, irFunc, field, objectAddress) } or TBinaryValueNumber( - IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand + IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { binaryValueNumber(_, irFunc, opcode, type, leftOperand, rightOperand) } or TPointerArithmeticValueNumber( - IRFunction irFunc, Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, + IRFunction irFunc, Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { pointerArithmeticValueNumber(_, irFunc, opcode, type, elementSize, leftOperand, rightOperand) } or - TUnaryValueNumber(IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand) { + TUnaryValueNumber(IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand) { unaryValueNumber(_, irFunc, opcode, type, operand) } or TInheritanceConversionValueNumber( - IRFunction irFunc, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand + IRFunction irFunc, Opcode opcode, Language::Class baseClass, Language::Class derivedClass, + ValueNumber operand ) { inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand) } or @@ -59,7 +60,7 @@ newtype TValueNumber = class ValueNumber extends TValueNumber { final string toString() { result = getExampleInstruction().getResultId() } - final Location getLocation() { result = getExampleInstruction().getLocation() } + final Language::Location getLocation() { result = getExampleInstruction().getLocation() } /** * Gets the instructions that have been assigned this value number. This will always produce at @@ -79,7 +80,10 @@ class ValueNumber extends TValueNumber { ) } - final Operand getAUse() { this = valueNumber(result.getDefinitionInstruction()) } + /** + * Gets an `Operand` whose definition is exact and has this value number. + */ + final Operand getAUse() { this = valueNumber(result.getDef()) } } /** @@ -107,15 +111,24 @@ private class CongruentCopyInstruction extends CopyInstruction { * a `unique` value number that is never shared by multiple instructions. */ private predicate numberableInstruction(Instruction instr) { - instr instanceof VariableAddressInstruction or - instr instanceof InitializeParameterInstruction or - instr instanceof InitializeThisInstruction or - instr instanceof ConstantInstruction or - instr instanceof StringConstantInstruction or - instr instanceof FieldAddressInstruction or - instr instanceof BinaryInstruction or - instr instanceof UnaryInstruction or - instr instanceof PointerArithmeticInstruction or + instr instanceof VariableAddressInstruction + or + instr instanceof InitializeParameterInstruction + or + instr instanceof InitializeThisInstruction + or + instr instanceof ConstantInstruction + or + instr instanceof StringConstantInstruction + or + instr instanceof FieldAddressInstruction + or + instr instanceof BinaryInstruction + or + instr instanceof UnaryInstruction and not instr instanceof CopyInstruction + or + instr instanceof PointerArithmeticInstruction + or instr instanceof CongruentCopyInstruction } @@ -123,14 +136,14 @@ private predicate variableAddressValueNumber( VariableAddressInstruction instr, IRFunction irFunc, IRVariable var ) { instr.getEnclosingIRFunction() = irFunc and - instr.getVariable() = var + instr.getIRVariable() = var } private predicate initializeParameterValueNumber( InitializeParameterInstruction instr, IRFunction irFunc, IRVariable var ) { instr.getEnclosingIRFunction() = irFunc and - instr.getVariable() = var + instr.getIRVariable() = var } private predicate initializeThisValueNumber(InitializeThisInstruction instr, IRFunction irFunc) { @@ -138,23 +151,23 @@ private predicate initializeThisValueNumber(InitializeThisInstruction instr, IRF } private predicate constantValueNumber( - ConstantInstruction instr, IRFunction irFunc, Type type, string value + ConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue() = value } private predicate stringConstantValueNumber( - StringConstantInstruction instr, IRFunction irFunc, Type type, string value + StringConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue().getValue() = value } private predicate fieldAddressValueNumber( - FieldAddressInstruction instr, IRFunction irFunc, Field field, ValueNumber objectAddress + FieldAddressInstruction instr, IRFunction irFunc, Language::Field field, ValueNumber objectAddress ) { instr.getEnclosingIRFunction() = irFunc and instr.getField() = field and @@ -162,42 +175,43 @@ private predicate fieldAddressValueNumber( } private predicate binaryValueNumber( - BinaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, + BinaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof PointerArithmeticInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate pointerArithmeticValueNumber( - PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, Type type, int elementSize, - ValueNumber leftOperand, ValueNumber rightOperand + PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, + int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getElementSize() = elementSize and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate unaryValueNumber( - UnaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand + UnaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof InheritanceConversionInstruction and + not instr instanceof CopyInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getUnary()) = operand } private predicate inheritanceConversionValueNumber( - InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, Class baseClass, - Class derivedClass, ValueNumber operand + InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, + Language::Class baseClass, Language::Class derivedClass, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and @@ -212,7 +226,7 @@ private predicate inheritanceConversionValueNumber( */ private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) { instr.getEnclosingIRFunction() = irFunc and - not instr.getResultType() instanceof VoidType and + not instr.getResultIRType() instanceof IRVoidType and not numberableInstruction(instr) } @@ -230,9 +244,10 @@ ValueNumber valueNumber(Instruction instr) { } /** - * Gets the value number assigned to `instr`, if any. Returns at most one result. + * Gets the value number assigned to the exact definition of `op`, if any. + * Returns at most one result. */ -ValueNumber valueNumberOfOperand(Operand op) { result = valueNumber(op.getDefinitionInstruction()) } +ValueNumber valueNumberOfOperand(Operand op) { result = valueNumber(op.getDef()) } /** * Gets the value number assigned to `instr`, if any, unless that instruction is assigned a unique @@ -255,38 +270,41 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) { initializeThisValueNumber(instr, irFunc) and result = TInitializeThisValueNumber(irFunc) or - exists(Type type, string value | + exists(IRType type, string value | constantValueNumber(instr, irFunc, type, value) and result = TConstantValueNumber(irFunc, type, value) ) or - exists(Type type, string value | + exists(IRType type, string value | stringConstantValueNumber(instr, irFunc, type, value) and result = TStringConstantValueNumber(irFunc, type, value) ) or - exists(Field field, ValueNumber objectAddress | + exists(Language::Field field, ValueNumber objectAddress | fieldAddressValueNumber(instr, irFunc, field, objectAddress) and result = TFieldAddressValueNumber(irFunc, field, objectAddress) ) or - exists(Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand | + exists(Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand | binaryValueNumber(instr, irFunc, opcode, type, leftOperand, rightOperand) and result = TBinaryValueNumber(irFunc, opcode, type, leftOperand, rightOperand) ) or - exists(Opcode opcode, Type type, ValueNumber operand | + exists(Opcode opcode, IRType type, ValueNumber operand | unaryValueNumber(instr, irFunc, opcode, type, operand) and result = TUnaryValueNumber(irFunc, opcode, type, operand) ) or - exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand | + exists( + Opcode opcode, Language::Class baseClass, Language::Class derivedClass, ValueNumber operand + | inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand) ) or exists( - Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand + Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, + ValueNumber rightOperand | pointerArithmeticValueNumber(instr, irFunc, opcode, type, elementSize, leftOperand, rightOperand) and diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll new file mode 100644 index 00000000000..555cb581d37 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll @@ -0,0 +1 @@ +import semmle.code.csharp.ir.internal.Overlap diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll index b49dacc701b..e25693a0207 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll @@ -1 +1,2 @@ import semmle.code.csharp.ir.implementation.raw.IR as IR +import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRConstruction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRConstruction.qll index a7a5943972e..0d2627e183f 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRConstruction.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRConstruction.qll @@ -1,6 +1,8 @@ import csharp import semmle.code.csharp.ir.implementation.raw.IR private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType +private import semmle.code.csharp.ir.internal.Overlap private import semmle.code.csharp.ir.internal.TempVariableTag private import InstructionTag private import TranslatedCondition @@ -31,16 +33,18 @@ private module Cached { cached newtype TInstruction = MkInstruction(TranslatedElement element, InstructionTag tag) { - element.hasInstruction(_, tag, _, _) + element.hasInstruction(_, tag, _) } cached - predicate hasUserVariable(Callable callable, Variable var, Type type) { + predicate hasUserVariable(Callable callable, Variable var, CSharpType type) { getTranslatedFunction(callable).hasUserVariable(var, type) } cached - predicate hasTempVariable(Callable callable, Language::AST ast, TempVariableTag tag, Type type) { + predicate hasTempVariable( + Callable callable, Language::AST ast, TempVariableTag tag, CSharpType type + ) { exists(TranslatedElement element | element.getAST() = ast and callable = element.getFunction() and @@ -83,22 +87,16 @@ private module Cached { } cached - Type getInstructionOperandType(Instruction instruction, TypedOperandTag tag) { + CSharpType getInstructionOperandType(Instruction instruction, TypedOperandTag tag) { // For all `LoadInstruction`s, the operand type of the `LoadOperand` is the same as // the result type of the load. if instruction instanceof LoadInstruction - then result = instruction.(LoadInstruction).getResultType() + then result = instruction.(LoadInstruction).getResultLanguageType() else result = getInstructionTranslatedElement(instruction) .getInstructionOperandType(getInstructionTag(instruction), tag) } - cached - int getInstructionOperandSize(Instruction instruction, SideEffectOperandTag tag) { - result = getInstructionTranslatedElement(instruction) - .getInstructionOperandSize(getInstructionTag(instruction), tag) - } - cached Instruction getPhiOperandDefinition( PhiInstruction instruction, IRBlock predecessorBlock, Overlap overlap @@ -216,15 +214,15 @@ private module Cached { } cached - predicate instructionHasType(Instruction instruction, Type type, boolean isLValue) { + CSharpType getInstructionResultType(Instruction instruction) { getInstructionTranslatedElement(instruction) - .hasInstruction(_, getInstructionTag(instruction), type, isLValue) + .hasInstruction(_, getInstructionTag(instruction), result) } cached Opcode getInstructionOpcode(Instruction instruction) { getInstructionTranslatedElement(instruction) - .hasInstruction(result, getInstructionTag(instruction), _, _) + .hasInstruction(result, getInstructionTag(instruction), _) } cached @@ -274,7 +272,7 @@ private module Cached { } cached - Type getInstructionExceptionType(Instruction instruction) { + CSharpType getInstructionExceptionType(Instruction instruction) { result = getInstructionTranslatedElement(instruction) .getInstructionExceptionType(getInstructionTag(instruction)) } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll index b5abc1049f3..3b716c201ac 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll @@ -1,2 +1,3 @@ import semmle.code.csharp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll index 20c299416ef..9ab8de41259 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll @@ -1,3 +1,4 @@ +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.implementation.TempVariableTag as TempVariableTag import semmle.code.csharp.ir.internal.IRUtilities as IRUtilities import semmle.code.csharp.ir.internal.TempVariableTag as TTempVariableTag diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll index da9b8e6e877..8628f5be373 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll @@ -1,4 +1,5 @@ import semmle.code.csharp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind import semmle.code.csharp.ir.implementation.Opcode as Opcode import semmle.code.csharp.ir.implementation.internal.OperandTag as OperandTag diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionTag.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionTag.qll index 4130169b0cf..818d37cf803 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionTag.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionTag.qll @@ -32,6 +32,7 @@ newtype TInstructionTag = UnmodeledDefinitionTag() or UnmodeledUseTag() or AliasedDefinitionTag() or + AliasedUseTag() or SwitchBranchTag() or CallTargetTag() or CallTag() or @@ -131,6 +132,8 @@ string getInstructionTagId(TInstructionTag tag) { or tag = AliasedDefinitionTag() and result = "AliasedDef" or + tag = AliasedUseTag() and result = "AliasedUse" + or tag = SwitchBranchTag() and result = "SwitchBranch" or tag = CallTargetTag() and result = "CallTarget" diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll index 13667df7276..997185fb9f7 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll @@ -1,3 +1,4 @@ import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.internal.Overlap as Overlap import semmle.code.csharp.ir.implementation.internal.OperandTag as OperandTag diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCondition.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCondition.qll index 93e8e67200a..cc398a86011 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCondition.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedCondition.qll @@ -1,6 +1,7 @@ import csharp private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType private import InstructionTag private import TranslatedElement private import TranslatedExpr @@ -33,9 +34,7 @@ abstract class TranslatedFlexibleCondition extends TranslatedCondition, Conditio result = this.getOperand().getFirstInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -99,9 +98,7 @@ abstract class TranslatedBinaryLogicalOperation extends TranslatedNativeConditio result = this.getLeftOperand().getFirstInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll index f98527e084f..4403ab07f08 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedElement.qll @@ -3,6 +3,7 @@ import semmle.code.csharp.ir.implementation.raw.IR private import semmle.code.csharp.ir.IRConfiguration private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.TempVariableTag private import InstructionTag private import TranslatedCondition @@ -15,11 +16,6 @@ private import desugar.Foreach private import desugar.Delegate private import desugar.Lock -/** - * Gets the built-in `int` type. - */ -IntType getIntType() { any() } - ArrayType getArrayOfDim(int dim, Type type) { result.getRank() = dim and result.getElementType() = type @@ -420,9 +416,7 @@ abstract class TranslatedElement extends TTranslatedElement { * If the instruction does not return a result, `resultType` should be * `VoidType`. */ - abstract predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ); + abstract predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType); /** * Gets the `Function` that contains this element. @@ -462,7 +456,7 @@ abstract class TranslatedElement extends TTranslatedElement { * `tag` must be unique for each variable generated from the same AST node * (not just from the same `TranslatedElement`). */ - predicate hasTempVariable(TempVariableTag tag, Type type) { none() } + predicate hasTempVariable(TempVariableTag tag, CSharpType type) { none() } /** * If the instruction specified by `tag` is a `FunctionInstruction`, gets the @@ -517,7 +511,7 @@ abstract class TranslatedElement extends TTranslatedElement { * If the instruction specified by `tag` is a `CatchByTypeInstruction`, * gets the type of the exception to be caught. */ - Type getInstructionExceptionType(InstructionTag tag) { none() } + CSharpType getInstructionExceptionType(InstructionTag tag) { none() } /** * If the instruction specified by `tag` is an `InheritanceConversionInstruction`, @@ -536,13 +530,7 @@ abstract class TranslatedElement extends TTranslatedElement { /** * Gets the type of the memory operand specified by `operandTag` on the the instruction specified by `tag`. */ - Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { none() } - - /** - * Gets the size of the memory operand specified by `operandTag` on the the instruction specified by `tag`. - * Only holds for operands whose type is `UnknownType`. - */ - int getInstructionOperandSize(InstructionTag tag, SideEffectOperandTag operandTag) { none() } + CSharpType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { none() } /** * Gets the instruction generated by this element with tag `tag`. diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll index 3476484e413..2ccac5af4e0 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedExpr.qll @@ -2,6 +2,7 @@ import csharp private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag private import semmle.code.csharp.ir.internal.TempVariableTag +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.IRUtilities private import InstructionTag private import TranslatedCondition @@ -96,6 +97,12 @@ abstract class TranslatedCoreExpr extends TranslatedExpr { not needsLoad(expr) } + final CSharpType getResultCSharpType() { + if isResultLValue() = true + then result = getTypeForGLValue(expr.getType()) + else result = getTypeForPRValue(expr.getType()) + } + /** * Returns `true` if the result of this `TranslatedExpr` is a lvalue, or * `false` if the result is a rvalue. @@ -117,38 +124,32 @@ class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext, override Instruction getFirstInstruction() { result = this.getCondition().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { ( tag = ConditionValueTrueTempAddressTag() or tag = ConditionValueFalseTempAddressTag() or tag = ConditionValueResultTempAddressTag() ) and opcode instanceof Opcode::VariableAddress and - resultType = this.getResultType() and - isLValue = true + resultType = getTypeForGLValue(expr.getType()) or ( tag = ConditionValueTrueConstantTag() or tag = ConditionValueFalseConstantTag() ) and opcode instanceof Opcode::Constant and - resultType = this.getResultType() and - isLValue = this.isResultLValue() + resultType = getResultCSharpType() or ( tag = ConditionValueTrueStoreTag() or tag = ConditionValueFalseStoreTag() ) and opcode instanceof Opcode::Store and - resultType = this.getResultType() and - isLValue = this.isResultLValue() + resultType = getResultCSharpType() or tag = ConditionValueResultLoadTag() and opcode instanceof Opcode::Load and - resultType = this.getResultType() and - isLValue = this.isResultLValue() + resultType = getResultCSharpType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -209,9 +210,9 @@ class TranslatedConditionValue extends TranslatedCoreExpr, ConditionContext, ) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ConditionValueTempVar() and - type = this.getResultType() + type = this.getResultCSharpType() } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -259,13 +260,12 @@ class TranslatedLoad extends TranslatedExpr, TTranslatedLoad { override TranslatedElement getChild(int id) { id = 0 and result = this.getOperand() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = LoadTag() and opcode instanceof Opcode::Load and - resultType = expr.getType() and - if not this.producesExprResult() then isLValue = true else isLValue = false + if producesExprResult() + then resultType = getTypeForPRValue(expr.getType()) + else resultType = getTypeForGLValue(expr.getType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -326,32 +326,27 @@ abstract class TranslatedCrementOperation extends TranslatedNonConstantExpr { or resultType instanceof FloatingPointType and result = this.getResultType() or - resultType instanceof PointerType and result = getIntType() + resultType instanceof PointerType and result = any(IntType t) ) ) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { - isLValue = false and - ( - tag = CrementLoadTag() and - opcode instanceof Opcode::Load and - resultType = this.getResultType() - or - tag = CrementConstantTag() and - opcode instanceof Opcode::Constant and - resultType = this.getConstantType() - or - tag = CrementOpTag() and - opcode = this.getOpcode() and - resultType = this.getResultType() - or - tag = CrementStoreTag() and - opcode instanceof Opcode::Store and - resultType = this.getResultType() - ) + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { + tag = CrementLoadTag() and + opcode instanceof Opcode::Load and + resultType = getTypeForPRValue(expr.getType()) + or + tag = CrementConstantTag() and + opcode instanceof Opcode::Constant and + resultType = getTypeForPRValue(this.getConstantType()) + or + tag = CrementOpTag() and + opcode = this.getOpcode() and + resultType = getTypeForPRValue(expr.getType()) + or + tag = CrementStoreTag() and + opcode instanceof Opcode::Store and + resultType = getTypeForPRValue(expr.getType()) } final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -466,9 +461,7 @@ class TranslatedObjectInitializerExpr extends TranslatedNonConstantExpr, Initial override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -505,9 +498,7 @@ class TranslatedCollectionInitializer extends TranslatedNonConstantExpr, Initial override Instruction getFirstInstruction() { result = this.getChild(0).getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -608,23 +599,19 @@ class TranslatedArrayAccess extends TranslatedNonConstantExpr { override Instruction getResult() { result = this.getInstruction(PointerAddTag(getRank() - 1)) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { exists(int index | inBounds(index) and tag = PointerAddTag(index) and opcode instanceof Opcode::PointerAdd and - resultType = this.getInstruction(ElementsAddressTag(index)).getResultType() and - isLValue = false + resultType = getTypeForPRValue(getArrayOfDim(getRank() - index, expr.getType())) ) or exists(int index | inBounds(index) and tag = ElementsAddressTag(index) and opcode instanceof Opcode::ElementsAddress and - resultType = getArrayOfDim(getRank() - index, expr.getType()) and - isLValue = false + resultType = getTypeForPRValue(getArrayOfDim(getRank() - index, expr.getType())) ) } @@ -693,9 +680,7 @@ abstract class TranslatedPointerOps extends TranslatedNonConstantExpr { child = this.getOperand() and result = this.getParent().getChildSuccessor(this) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -725,13 +710,10 @@ class TranslatedThisExpr extends TranslatedNonConstantExpr { final override TranslatedElement getChild(int id) { none() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::CopyValue and - resultType = expr.getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) } final override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) } @@ -777,14 +759,11 @@ abstract class TranslatedVariableAccess extends TranslatedNonConstantExpr { else result = this.getInstruction(AddressTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { this.needsExtraLoad() and tag = LoadTag() and opcode instanceof Opcode::Load and - resultType = this.getResultType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -858,15 +837,12 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess { result = TranslatedVariableAccess.super.getInstructionOperand(tag, operandTag) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { - TranslatedVariableAccess.super.hasInstruction(opcode, tag, resultType, isLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { + TranslatedVariableAccess.super.hasInstruction(opcode, tag, resultType) or tag = AddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = this.getResultType() and - isLValue = true + resultType = getTypeForGLValue(this.getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -909,13 +885,10 @@ class TranslatedFieldAccess extends TranslatedVariableAccess { result = this.getParent().getParent().(InitializationContext).getTargetAddress() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = AddressTag() and opcode instanceof Opcode::FieldAddress and - resultType = this.getResultType() and - isLValue = true + resultType = getTypeForGLValue(expr.getType()) } override Field getInstructionField(InstructionTag tag) { @@ -939,13 +912,10 @@ class TranslatedFunctionAccess extends TranslatedNonConstantExpr { kind instanceof GotoEdge } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::FunctionAddress and - resultType = expr.getType() and - isLValue = true + resultType = getTypeForGLValue(expr.getType()) } override Callable getInstructionFunction(InstructionTag tag) { @@ -989,13 +959,10 @@ abstract class TranslatedConstantExpr extends TranslatedCoreExpr, TTranslatedVal none() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = OnlyInstructionTag() and opcode = this.getOpcode() and - resultType = this.getResultType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) } final override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -1041,13 +1008,10 @@ abstract class TranslatedSingleInstructionExpr extends TranslatedNonConstantExpr */ abstract Opcode getOpcode(); - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { opcode = getOpcode() and tag = OnlyInstructionTag() and - resultType = this.getResultType() and - isLValue = this.isResultLValue() + resultType = getResultCSharpType() } final override Instruction getResult() { result = this.getInstruction(OnlyInstructionTag()) } @@ -1119,14 +1083,11 @@ class TranslatedCast extends TranslatedNonConstantExpr { child = this.getOperand() and result = this.getInstruction(ConvertTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { ( tag = ConvertTag() and opcode = this.getOpcode() and - resultType = this.getResultType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) ) } @@ -1296,9 +1257,7 @@ abstract class TranslatedAssignment extends TranslatedNonConstantExpr { result = this.getRightOperand().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { ( this.needsConversion() and tag = AssignmentConvertRightTag() and @@ -1306,8 +1265,7 @@ abstract class TranslatedAssignment extends TranslatedNonConstantExpr { // crudely represent conversions. Could // be useful to represent the whole chain of conversions opcode instanceof Opcode::Convert and - resultType = expr.getLValue().getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getLValue().getType()) ) } @@ -1354,15 +1312,12 @@ class TranslatedAssignExpr extends TranslatedAssignment { result = this.getInstruction(AssignmentStoreTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { - TranslatedAssignment.super.hasInstruction(opcode, tag, resultType, isLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { + TranslatedAssignment.super.hasInstruction(opcode, tag, resultType) or tag = AssignmentStoreTag() and opcode instanceof Opcode::Store and - resultType = this.getResultType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -1484,32 +1439,27 @@ class TranslatedAssignOperation extends TranslatedAssignment { expr instanceof AssignRShiftExpr and result instanceof Opcode::ShiftRight } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { - isLValue = false and + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { + tag = AssignOperationLoadTag() and + opcode instanceof Opcode::Load and + resultType = getTypeForPRValue(this.getLeftOperand().getResultType()) + or + tag = AssignOperationOpTag() and + opcode = getOpcode() and + resultType = getTypeForPRValue(this.getConvertedLeftOperandType()) + or + tag = AssignmentStoreTag() and + opcode instanceof Opcode::Store and + resultType = getTypeForPRValue(expr.getType()) + or + this.leftOperandNeedsConversion() and + opcode instanceof Opcode::Convert and ( - tag = AssignOperationLoadTag() and - opcode instanceof Opcode::Load and - resultType = this.getLeftOperand().getResultType() + tag = AssignOperationConvertLeftTag() and + resultType = getTypeForPRValue(this.getConvertedLeftOperandType()) or - tag = AssignOperationOpTag() and - opcode = getOpcode() and - resultType = this.getConvertedLeftOperandType() - or - tag = AssignmentStoreTag() and - opcode instanceof Opcode::Store and - resultType = this.getResultType() - or - this.leftOperandNeedsConversion() and - opcode instanceof Opcode::Convert and - ( - tag = AssignOperationConvertLeftTag() and - resultType = this.getConvertedLeftOperandType() - or - tag = AssignOperationConvertResultTag() and - resultType = this.getLeftOperand().getResultType() - ) + tag = AssignOperationConvertResultTag() and + resultType = getTypeForPRValue(this.getLeftOperand().getResultType()) ) } @@ -1595,9 +1545,7 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont override Instruction getFirstInstruction() { result = this.getCondition().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { not this.resultIsVoid() and ( ( @@ -1608,8 +1556,7 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont tag = ConditionValueResultTempAddressTag() ) and opcode instanceof Opcode::VariableAddress and - resultType = this.getResultType() and - isLValue = true + resultType = getTypeForGLValue(this.getResultType()) or ( not this.thenIsVoid() and tag = ConditionValueTrueStoreTag() @@ -1617,13 +1564,11 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont not this.elseIsVoid() and tag = ConditionValueFalseStoreTag() ) and opcode instanceof Opcode::Store and - resultType = this.getResultType() and - isLValue = false + resultType = getTypeForPRValue(this.getResultType()) or tag = ConditionValueResultLoadTag() and opcode instanceof Opcode::Load and - resultType = this.getResultType() and - isLValue = this.isResultLValue() + resultType = this.getResultCSharpType() ) } @@ -1691,10 +1636,10 @@ class TranslatedConditionalExpr extends TranslatedNonConstantExpr, ConditionCont ) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { not this.resultIsVoid() and tag = ConditionValueTempVar() and - type = this.getResultType() + type = getTypeForPRValue(this.getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -1828,35 +1773,28 @@ class TranslatedIsExpr extends TranslatedNonConstantExpr { result = this.getInstruction(GeneratedNEQTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { this.hasVar() and tag = InitializerStoreTag() and opcode instanceof Opcode::Store and - resultType = expr.getPattern().getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getPattern().getType()) or tag = ConvertTag() and opcode instanceof Opcode::CheckedConvertOrNull and - resultType = expr.getPattern().getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getPattern().getType()) or tag = GeneratedNEQTag() and opcode instanceof Opcode::CompareNE and - resultType = expr.getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) or tag = GeneratedConstantTag() and opcode instanceof Opcode::Constant and - resultType = expr.getPattern().getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getPattern().getType()) or this.hasVar() and tag = GeneratedBranchTag() and opcode instanceof Opcode::ConditionalBranch and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override string getInstructionConstantValue(InstructionTag tag) { @@ -1906,6 +1844,99 @@ class TranslatedIsExpr extends TranslatedNonConstantExpr { } } +/** + * The IR translation of a lambda expression. This initializes a temporary variable whose type is that of the lambda, + * using the initializer list that represents the captures of the lambda. + */ +class TranslatedLambdaExpr extends TranslatedNonConstantExpr, InitializationContext { + override LambdaExpr expr; + + final override Instruction getFirstInstruction() { + result = this.getInstruction(InitializerVariableAddressTag()) + } + + final override TranslatedElement getChild(int id) { id = 0 and result = this.getInitialization() } + + override Instruction getResult() { result = this.getInstruction(LoadTag()) } + + override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { + tag = InitializerVariableAddressTag() and + kind instanceof GotoEdge and + result = this.getInstruction(InitializerStoreTag()) + or + tag = InitializerStoreTag() and + kind instanceof GotoEdge and + ( + result = this.getInitialization().getFirstInstruction() + or + not this.hasInitializer() and result = this.getInstruction(LoadTag()) + ) + or + tag = LoadTag() and + kind instanceof GotoEdge and + result = this.getParent().getChildSuccessor(this) + } + + override Instruction getChildSuccessor(TranslatedElement child) { + child = getInitialization() and + result = this.getInstruction(LoadTag()) + } + + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { + tag = InitializerVariableAddressTag() and + opcode instanceof Opcode::VariableAddress and + resultType = getTypeForGLValue(expr.getType()) + or + tag = InitializerStoreTag() and + opcode instanceof Opcode::Uninitialized and + resultType = getTypeForPRValue(expr.getType()) + or + tag = LoadTag() and + opcode instanceof Opcode::Load and + resultType = getTypeForPRValue(expr.getType()) + } + + override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { + tag = InitializerStoreTag() and + operandTag instanceof AddressOperandTag and + result = this.getInstruction(InitializerVariableAddressTag()) + or + tag = LoadTag() and + ( + operandTag instanceof AddressOperandTag and + result = this.getInstruction(InitializerVariableAddressTag()) + or + operandTag instanceof LoadOperandTag and + result = this.getEnclosingFunction().getUnmodeledDefinitionInstruction() + ) + } + + override IRVariable getInstructionVariable(InstructionTag tag) { + ( + tag = InitializerVariableAddressTag() or + tag = InitializerStoreTag() + ) and + result = this.getTempVariable(LambdaTempVar()) + } + + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { + tag = LambdaTempVar() and + type = getTypeForPRValue(this.getResultType()) + } + + final override Instruction getTargetAddress() { + result = this.getInstruction(InitializerVariableAddressTag()) + } + + final override Type getTargetType() { result = this.getResultType() } + + private predicate hasInitializer() { exists(this.getInitialization()) } + + private TranslatedInitialization getInitialization() { + result = getTranslatedInitialization(expr.getChild(0)) + } +} + /** * The translation of a `DelegateCall`. Since this type of call needs * desugaring, we treat it as a special case. The AST node of the @@ -1929,9 +1960,7 @@ class TranslatedDelegateCall extends TranslatedNonConstantExpr { result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -1958,21 +1987,17 @@ abstract class TranslatedCreation extends TranslatedCoreExpr, TTranslatedCreatio id = 1 and result = this.getInitializerExpr() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { // Instruction that allocated space for a new object, // and returns its address tag = NewObjTag() and opcode instanceof Opcode::NewObj and - resultType = expr.getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) or this.needsLoad() and tag = LoadTag() and opcode instanceof Opcode::Load and - resultType = expr.getType() and - isLValue = false + resultType = getTypeForPRValue(expr.getType()) } final override Instruction getFirstInstruction() { result = this.getInstruction(NewObjTag()) } @@ -2083,9 +2108,7 @@ class TranslatedEventAccess extends TranslatedNonConstantExpr { // accessor call. override TranslatedElement getChild(int id) { id = 0 and result = this.getLValue() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedFunction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedFunction.qll index ef0e5fb6a67..9d63f7060e9 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedFunction.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedFunction.qll @@ -1,6 +1,7 @@ import csharp import semmle.code.csharp.ir.implementation.raw.IR private import semmle.code.csharp.ir.implementation.Opcode +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.IRUtilities private import semmle.code.csharp.ir.implementation.internal.OperandTag private import semmle.code.csharp.ir.internal.TempVariableTag @@ -98,6 +99,9 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { result = this.getInstruction(UnmodeledUseTag()) or tag = UnmodeledUseTag() and + result = getInstruction(AliasedUseTag()) + or + tag = AliasedUseTag() and result = this.getInstruction(ExitFunctionTag()) ) } @@ -126,40 +130,32 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { else result = this.getReturnSuccessorInstruction() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { ( tag = EnterFunctionTag() and opcode instanceof Opcode::EnterFunction and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() or tag = UnmodeledDefinitionTag() and opcode instanceof Opcode::UnmodeledDefinition and - resultType instanceof Language::UnknownType and - isLValue = false + resultType = getUnknownType() or tag = AliasedDefinitionTag() and opcode instanceof Opcode::AliasedDefinition and - resultType instanceof Language::UnknownType and - isLValue = false + resultType = getUnknownType() or tag = InitializeThisTag() and opcode instanceof Opcode::InitializeThis and - resultType = getThisType() and - isLValue = true + resultType = getTypeForGLValue(getThisType()) or tag = ReturnValueAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = this.getReturnType() and - not resultType instanceof VoidType and - isLValue = true + not getReturnType() instanceof VoidType and + resultType = getTypeForGLValue(getReturnType()) or ( tag = ReturnTag() and - resultType instanceof VoidType and - isLValue = false and + resultType = getVoidType() and if this.getReturnType() instanceof VoidType then opcode instanceof Opcode::ReturnVoid else opcode instanceof Opcode::ReturnValue @@ -167,8 +163,7 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { or tag = UnwindTag() and opcode instanceof Opcode::Unwind and - resultType instanceof VoidType and - isLValue = false and + resultType = getVoidType() and ( // Only generate the `Unwind` instruction if there is any exception // handling present in the function (compiler generated or not). @@ -178,13 +173,15 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { or tag = UnmodeledUseTag() and opcode instanceof Opcode::UnmodeledUse and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() + or + tag = AliasedUseTag() and + opcode instanceof Opcode::AliasedUse and + resultType = getVoidType() or tag = ExitFunctionTag() and opcode instanceof Opcode::ExitFunction and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() ) } @@ -202,6 +199,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { operandTag instanceof UnmodeledUseOperandTag and result = getUnmodeledDefinitionInstruction() or + tag = AliasedUseTag() and + operandTag instanceof SideEffectOperandTag and + result = getUnmodeledDefinitionInstruction() + or tag = ReturnTag() and not this.getReturnType() instanceof VoidType and ( @@ -213,11 +214,15 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { ) } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CSharpType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = ReturnTag() and not this.getReturnType() instanceof VoidType and operandTag instanceof LoadOperandTag and - result = this.getReturnType() + result = getTypeForPRValue(this.getReturnType()) + or + tag = AliasedUseTag() and + operandTag instanceof SideEffectOperandTag and + result = getUnknownType() } final override IRVariable getInstructionVariable(InstructionTag tag) { @@ -225,10 +230,10 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { result = this.getReturnVariable() } - final override predicate hasTempVariable(TempVariableTag tag, Type type) { + final override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ReturnValueTempVar() and - type = this.getReturnType() and - not type instanceof VoidType + type = getTypeForPRValue(this.getReturnType()) and + not getReturnType() instanceof VoidType } /** @@ -284,7 +289,7 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { * parameters and local variables, plus any static fields that are directly accessed by the * function. */ - final predicate hasUserVariable(Variable var, Type type) { + final predicate hasUserVariable(Variable var, CSharpType type) { ( var.(Member).isStatic() and exists(VariableAccess access | @@ -294,7 +299,7 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { or var.(LocalScopeVariable).getCallable() = callable ) and - type = getVariableType(var) + type = getTypeForPRValue(getVariableType(var)) } final private Type getReturnType() { result = callable.getReturnType() } @@ -339,18 +344,14 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter { final override Instruction getChildSuccessor(TranslatedElement child) { none() } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getVariableType(param) and - isLValue = true + resultType = getTypeForGLValue(param.getType()) or tag = InitializerStoreTag() and opcode instanceof Opcode::InitializeParameter and - resultType = getVariableType(param) and - isLValue = false + resultType = getTypeForPRValue(param.getType()) } final override IRVariable getInstructionVariable(InstructionTag tag) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedInitialization.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedInitialization.qll index d0d98a4918a..0f6094f7a93 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedInitialization.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedInitialization.qll @@ -6,6 +6,7 @@ import csharp private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType private import InstructionTag private import TranslatedElement private import TranslatedExpr @@ -87,9 +88,7 @@ abstract class TranslatedListInitialization extends TranslatedInitialization, In ) } - final override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + final override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -134,13 +133,10 @@ class TranslatedDirectInitialization extends TranslatedInitialization { result = this.getInitializer().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = InitializerStoreTag() and opcode instanceof Opcode::Store and - resultType = this.getContext().getTargetType() and - isLValue = false + resultType = getTypeForPRValue(this.getContext().getTargetType()) or needsConversion() and tag = AssignmentConvertRightTag() and @@ -148,8 +144,7 @@ class TranslatedDirectInitialization extends TranslatedInitialization { // crudely represent conversions. Could // be useful to represent the whole chain of conversions opcode instanceof Opcode::Convert and - resultType = this.getContext().getTargetType() and - isLValue = false + resultType = getTypeForPRValue(this.getContext().getTargetType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -218,18 +213,14 @@ abstract class TranslatedElementInitialization extends TranslatedElement { result = this.getInstruction(getElementIndexTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = getElementIndexTag() and opcode instanceof Opcode::Constant and - resultType = getIntType() and - isLValue = false + resultType = getIntType() or tag = getElementAddressTag() and opcode instanceof Opcode::PointerAdd and - resultType = getElementType() and - isLValue = true + resultType = getTypeForGLValue(getElementType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -353,14 +344,11 @@ class TranslatedConstructorInitializer extends TranslatedConstructorCallFromCons else result = this.getConstructorCall().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { this.needsConversion() and tag = OnlyInstructionTag() and opcode instanceof Opcode::Convert and - resultType = call.getTarget().getDeclaringType() and - isLValue = true + resultType = getTypeForGLValue(call.getTarget().getDeclaringType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll index 3e4934987a3..ff6a7597ad2 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/TranslatedStmt.qll @@ -1,4 +1,5 @@ import csharp +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.TempVariableTag private import semmle.code.csharp.ir.implementation.internal.OperandTag private import InstructionTag @@ -39,13 +40,10 @@ class TranslatedEmptyStmt extends TranslatedStmt { override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::NoOp and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -62,9 +60,7 @@ class TranslatedDeclStmt extends TranslatedStmt { override TranslatedElement getChild(int id) { result = this.getLocalDeclaration(id) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -97,9 +93,7 @@ class TranslatedExprStmt extends TranslatedStmt { override TranslatedElement getChild(int id) { id = 0 and result = this.getExpr() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -161,13 +155,10 @@ class TranslatedReturnValueStmt extends TranslatedReturnStmt, InitializationCont result = this.getInstruction(InitializerVariableAddressTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = this.getEnclosingFunction().getReturnVariable().getType() and - isLValue = true + resultType = getTypeForGLValue(this.getEnclosingFunction().getFunction().getReturnType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -206,13 +197,10 @@ class TranslatedReturnVoidStmt extends TranslatedReturnStmt { override Instruction getFirstInstruction() { result = this.getInstruction(OnlyInstructionTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::NoOp and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -240,9 +228,7 @@ class TranslatedTryStmt extends TranslatedStmt { result = this.getCatchClause(id - 2) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -289,14 +275,11 @@ class TranslatedBlock extends TranslatedStmt { override TranslatedElement getChild(int id) { result = this.getStmt(id) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { isEmpty() and opcode instanceof Opcode::NoOp and tag = OnlyInstructionTag() and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getFirstInstruction() { @@ -357,13 +340,10 @@ abstract class TranslatedClause extends TranslatedStmt { class TranslatedCatchByTypeClause extends TranslatedClause { TranslatedCatchByTypeClause() { stmt instanceof SpecificCatchClause } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = CatchTag() and opcode instanceof Opcode::CatchByType and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override TranslatedElement getChild(int id) { @@ -389,9 +369,9 @@ class TranslatedCatchByTypeClause extends TranslatedClause { ) } - override Type getInstructionExceptionType(InstructionTag tag) { + override CSharpType getInstructionExceptionType(InstructionTag tag) { tag = CatchTag() and - result = stmt.(SpecificCatchClause).getVariable().getType() + result = getTypeForPRValue(stmt.(SpecificCatchClause).getVariable().getType()) } private TranslatedLocalDeclaration getParameter() { @@ -405,13 +385,10 @@ class TranslatedCatchByTypeClause extends TranslatedClause { class TranslatedGeneralCatchClause extends TranslatedClause { TranslatedGeneralCatchClause() { stmt instanceof GeneralCatchClause } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = CatchTag() and opcode instanceof Opcode::CatchAny and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -439,18 +416,14 @@ class TranslatedThrowExceptionStmt extends TranslatedStmt, InitializationContext result = this.getInstruction(InitializerVariableAddressTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = ThrowTag() and opcode instanceof Opcode::ThrowValue and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() or tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = this.getExceptionType() and - isLValue = true + resultType = getTypeForGLValue(this.getExceptionType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -473,9 +446,9 @@ class TranslatedThrowExceptionStmt extends TranslatedStmt, InitializationContext result = getIRTempVariable(stmt, ThrowTempVar()) } - final override predicate hasTempVariable(TempVariableTag tag, Type type) { + final override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ThrowTempVar() and - type = this.getExceptionType() + type = getTypeForPRValue(this.getExceptionType()) } final override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -490,10 +463,10 @@ class TranslatedThrowExceptionStmt extends TranslatedStmt, InitializationContext ) } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CSharpType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = ThrowTag() and operandTag instanceof LoadOperandTag and - result = this.getExceptionType() + result = getTypeForPRValue(this.getExceptionType()) } override Instruction getTargetAddress() { @@ -522,13 +495,10 @@ class TranslatedEmptyThrowStmt extends TranslatedStmt { override Instruction getFirstInstruction() { result = this.getInstruction(ThrowTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = ThrowTag() and opcode instanceof Opcode::ReThrow and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -582,9 +552,7 @@ class TranslatedIfStmt extends TranslatedStmt, ConditionContext { result = this.getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } } @@ -610,9 +578,7 @@ abstract class TranslatedLoop extends TranslatedStmt, ConditionContext { id = 1 and result = this.getBody() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -724,13 +690,10 @@ abstract class TranslatedSpecificJump extends TranslatedStmt { override TranslatedElement getChild(int id) { none() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = OnlyInstructionTag() and opcode instanceof Opcode::NoOp and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -852,13 +815,10 @@ class TranslatedSwitchStmt extends TranslatedStmt { result = getTranslatedStmt(stmt.getChild(id)) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = SwitchBranchTag() and opcode instanceof Opcode::Switch and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) { @@ -935,9 +895,7 @@ class TranslatedUnsafeStmt extends TranslatedStmt { result = this.getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -971,9 +929,7 @@ class TranslatedFixedStmt extends TranslatedStmt { child = this.getBody() and result = this.getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -1012,9 +968,7 @@ class TranslatedLockStmt extends TranslatedStmt { result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -1046,9 +1000,7 @@ class TranslatedCheckedUncheckedStmt extends TranslatedStmt { result = this.getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -1089,9 +1041,7 @@ class TranslatedUsingBlockStmt extends TranslatedStmt { child = this.getBody() and result = this.getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -1125,9 +1075,7 @@ class TranslatedUsingDeclStmt extends TranslatedStmt { child = this.getDecl(this.noDecls() - 1) and result = this.getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedCallBase.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedCallBase.qll index b6f708d04d9..db02eadd419 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedCallBase.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedCallBase.qll @@ -10,6 +10,7 @@ private import semmle.code.csharp.ir.implementation.raw.internal.InstructionTag private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedElement private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedExpr private import semmle.code.csharp.ir.Util +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language private import TranslatedExprBase @@ -32,13 +33,10 @@ abstract class TranslatedCallBase extends TranslatedElement { else result = getInstruction(CallTargetTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = CallTag() and opcode instanceof Opcode::Call and - resultType = getCallResultType() and - isLValue = false + resultType = getTypeForPRValue(getCallResultType()) or hasSideEffect() and tag = CallSideEffectTag() and @@ -46,20 +44,18 @@ abstract class TranslatedCallBase extends TranslatedElement { if hasWriteSideEffect() then ( opcode instanceof Opcode::CallSideEffect and - resultType instanceof Language::UnknownType + resultType = getUnknownType() ) else ( opcode instanceof Opcode::CallReadSideEffect and - resultType instanceof Language::UnknownType + resultType = getUnknownType() ) - ) and - isLValue = false + ) or tag = CallTargetTag() and opcode instanceof Opcode::FunctionAddress and // Since the DB does not have a function type, // we just use the UnknownType - resultType instanceof Language::UnknownType and - isLValue = true + resultType = getFunctionAddressType() } override Instruction getChildSuccessor(TranslatedElement child) { @@ -115,11 +111,11 @@ abstract class TranslatedCallBase extends TranslatedElement { result = getUnmodeledDefinitionInstruction() } - final override Type getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { + final override CSharpType getInstructionOperandType(InstructionTag tag, TypedOperandTag operandTag) { tag = CallSideEffectTag() and hasSideEffect() and operandTag instanceof SideEffectOperandTag and - result instanceof Language::UnknownType + result = getUnknownType() } Instruction getResult() { result = getInstruction(CallTag()) } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedConditionBase.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedConditionBase.qll index 7503e3b41e2..8d4c5202d34 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedConditionBase.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedConditionBase.qll @@ -9,6 +9,7 @@ private import semmle.code.csharp.ir.implementation.raw.internal.InstructionTag private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedElement private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedExpr private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedCondition +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language /** @@ -38,13 +39,10 @@ abstract class ValueConditionBase extends ConditionBase { override Instruction getFirstInstruction() { result = getValueExpr().getFirstInstruction() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = ValueConditionConditionalBranchTag() and opcode instanceof Opcode::ConditionalBranch and - resultType instanceof VoidType and - isLValue = false + resultType = getVoidType() } override Instruction getChildSuccessor(TranslatedElement child) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedDeclarationBase.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedDeclarationBase.qll index 2dfd1b745e0..549b554ee94 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedDeclarationBase.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/common/TranslatedDeclarationBase.qll @@ -11,6 +11,7 @@ private import semmle.code.csharp.ir.implementation.raw.internal.InstructionTag private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedElement private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedExpr private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedInitialization +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language abstract class LocalVariableDeclarationBase extends TranslatedElement { @@ -18,19 +19,15 @@ abstract class LocalVariableDeclarationBase extends TranslatedElement { override Instruction getFirstInstruction() { result = getVarAddress() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = InitializerVariableAddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getVarType() and - isLValue = true + resultType = getTypeForGLValue(getVarType()) or hasUninitializedInstruction() and tag = InitializerStoreTag() and opcode instanceof Opcode::Uninitialized and - resultType = getVarType() and - isLValue = false + resultType = getTypeForPRValue(getVarType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Common.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Common.qll index 1b29ac7c543..fc8665efedf 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Common.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Common.qll @@ -8,6 +8,7 @@ import csharp private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.TempVariableTag private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedElement private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedFunction @@ -30,9 +31,7 @@ private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language abstract class TranslatedCompilerGeneratedTry extends TranslatedCompilerGeneratedStmt { override Stmt generatedBy; - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -72,13 +71,10 @@ abstract class TranslatedCompilerGeneratedTry extends TranslatedCompilerGenerate * The concrete implementation needs to specify the immediate operand that represents the constant. */ abstract class TranslatedCompilerGeneratedConstant extends TranslatedCompilerGeneratedExpr { - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { opcode instanceof Opcode::Constant and tag = OnlyInstructionTag() and - resultType = getResultType() and - isLValue = false + resultType = getTypeForPRValue(getResultType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { @@ -117,9 +113,7 @@ abstract class TranslatedCompilerGeneratedBlock extends TranslatedCompilerGenera ) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -170,9 +164,7 @@ abstract class TranslatedCompilerGeneratedIfStmt extends TranslatedCompilerGener result = getParent().getChildSuccessor(this) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } } @@ -190,19 +182,15 @@ abstract class TranslatedCompilerGeneratedVariableAccess extends TranslatedCompi override Instruction getChildSuccessor(TranslatedElement child) { none() } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { tag = AddressTag() and opcode instanceof Opcode::VariableAddress and - resultType = getResultType() and - isLValue = true + resultType = getTypeForGLValue(getResultType()) or needsLoad() and tag = LoadTag() and opcode instanceof Opcode::Load and - resultType = getResultType() and - isLValue = false + resultType = getTypeForPRValue(getResultType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Foreach.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Foreach.qll index 06a001e8912..4a4468b0bd3 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Foreach.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Foreach.qll @@ -36,6 +36,7 @@ import csharp private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.TempVariableTag private import semmle.code.csharp.ir.implementation.raw.internal.InstructionTag private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedExpr @@ -112,9 +113,7 @@ class TranslatedForeachWhile extends TranslatedCompilerGeneratedStmt, ConditionC TranslatedForeachWhile() { this = TTranslatedCompilerGeneratedElement(generatedBy, 2) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { none() } @@ -329,9 +328,9 @@ private class TranslatedForeachEnumerator extends TranslatedCompilerGeneratedDec TranslatedForeachEnumerator() { this = TTranslatedCompilerGeneratedElement(generatedBy, 8) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ForeachEnumTempVar() and - type = getInitialization().getCallResultType() + type = getTypeForPRValue(getInitialization().getCallResultType()) } override IRTempVariable getIRVariable() { @@ -388,9 +387,9 @@ private class TranslatedMoveNextEnumAcc extends TTranslatedCompilerGeneratedElem override Type getResultType() { result instanceof BoolType } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ForeachEnumTempVar() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -413,9 +412,9 @@ private class TranslatedForeachCurrentEnumAcc extends TTranslatedCompilerGenerat override Type getResultType() { result instanceof BoolType } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ForeachEnumTempVar() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -438,9 +437,9 @@ private class TranslatedForeachDisposeEnumAcc extends TTranslatedCompilerGenerat override Type getResultType() { result instanceof BoolType } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = ForeachEnumTempVar() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Lock.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Lock.qll index 1fb0167b4cc..7a0ec9d5cbc 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Lock.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/Lock.qll @@ -21,6 +21,7 @@ import csharp private import semmle.code.csharp.ir.implementation.Opcode private import semmle.code.csharp.ir.implementation.internal.OperandTag +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.TempVariableTag private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedExpr private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedElement @@ -259,9 +260,9 @@ private class TranslatedLockWasTakenDecl extends TranslatedCompilerGeneratedDecl TranslatedLockWasTakenDecl() { this = TTranslatedCompilerGeneratedElement(generatedBy, 8) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = LockWasTakenTemp() and - type instanceof BoolType + type = getBoolType() } override IRTempVariable getIRVariable() { @@ -290,9 +291,9 @@ private class TranslatedLockedVarDecl extends TranslatedCompilerGeneratedDeclara TranslatedLockedVarDecl() { this = TTranslatedCompilerGeneratedElement(generatedBy, 9) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = LockedVarTemp() and - type = generatedBy.getExpr().getType() + type = getTypeForPRValue(generatedBy.getExpr().getType()) } override IRTempVariable getIRVariable() { @@ -321,9 +322,9 @@ private class TranslatedMonitorEnterVarAcc extends TTranslatedCompilerGeneratedE override Type getResultType() { result = generatedBy.getExpr().getType() } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = LockedVarTemp() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -352,9 +353,9 @@ private class TranslatedMonitorExitVarAcc extends TTranslatedCompilerGeneratedEl result = getTempVariable(LockedVarTemp()) } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = LockedVarTemp() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override predicate needsLoad() { any() } @@ -372,9 +373,9 @@ private class TranslatedLockWasTakenCondVarAcc extends TTranslatedCompilerGenera override Type getResultType() { result instanceof BoolType } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = LockWasTakenTemp() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { @@ -397,9 +398,9 @@ private class TranslatedLockWasTakenRefArg extends TTranslatedCompilerGeneratedE override Type getResultType() { result instanceof BoolType } - override predicate hasTempVariable(TempVariableTag tag, Type type) { + override predicate hasTempVariable(TempVariableTag tag, CSharpType type) { tag = LockWasTakenTemp() and - type = getResultType() + type = getTypeForPRValue(getResultType()) } override IRVariable getInstructionVariable(InstructionTag tag) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedDeclaration.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedDeclaration.qll index 3083a91e706..b13702ac168 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedDeclaration.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedDeclaration.qll @@ -12,6 +12,7 @@ private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedEleme private import semmle.code.csharp.ir.implementation.raw.internal.TranslatedFunction private import semmle.code.csharp.ir.implementation.raw.internal.common.TranslatedDeclarationBase private import TranslatedCompilerGeneratedElement +private import semmle.code.csharp.ir.internal.CSharpType private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language abstract class TranslatedCompilerGeneratedDeclaration extends LocalVariableDeclarationBase, @@ -28,18 +29,15 @@ abstract class TranslatedCompilerGeneratedDeclaration extends LocalVariableDecla child = getInitialization() and result = getInstruction(InitializerStoreTag()) } - override predicate hasInstruction( - Opcode opcode, InstructionTag tag, Type resultType, boolean isLValue - ) { - LocalVariableDeclarationBase.super.hasInstruction(opcode, tag, resultType, isLValue) + override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) { + LocalVariableDeclarationBase.super.hasInstruction(opcode, tag, resultType) or // we can reuse the initializer store tag // since compiler generated declarations // do not have the `Uninitialized` instruction tag = InitializerStoreTag() and opcode instanceof Opcode::Store and - resultType = getVarType() and - isLValue = false + resultType = getTypeForPRValue(getVarType()) } override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll index 278040f8ab8..badd48552a5 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.IRImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind private newtype TIRPropertyProvider = MkIRPropertyProvider() diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll index 3921472dc8e..de66a3c99dc 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll @@ -1,2 +1,3 @@ private import IR import InstructionSanity +import IRTypeSanity diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll index a7ca4593ac4..1a607f82c29 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll @@ -5,6 +5,7 @@ import Imports::TempVariableTag private import Imports::IRUtilities private import Imports::TTempVariableTag private import Imports::TIRVariable +private import Imports::IRType IRUserVariable getIRUserVariable(Language::Function func, Language::Variable var) { result.getVariable() = var and @@ -24,7 +25,17 @@ abstract class IRVariable extends TIRVariable { /** * Gets the type of the variable. */ - abstract Language::Type getType(); + final Language::Type getType() { getLanguageType().hasType(result, false) } + + /** + * Gets the language-neutral type of the variable. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the variable. + */ + abstract Language::LanguageType getLanguageType(); /** * Gets the AST node that declared this variable, or that introduced this @@ -59,7 +70,7 @@ abstract class IRVariable extends TIRVariable { */ class IRUserVariable extends IRVariable, TIRUserVariable { Language::Variable var; - Language::Type type; + Language::LanguageType type; IRUserVariable() { this = TIRUserVariable(var, type, func) } @@ -71,7 +82,7 @@ class IRUserVariable extends IRVariable, TIRUserVariable { result = getVariable().toString() + " " + getVariable().getLocation().toString() } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } /** * Gets the original user-declared variable. @@ -110,11 +121,11 @@ IRTempVariable getIRTempVariable(Language::AST ast, TempVariableTag tag) { class IRTempVariable extends IRVariable, IRAutomaticVariable, TIRTempVariable { Language::AST ast; TempVariableTag tag; - Language::Type type; + Language::LanguageType type; IRTempVariable() { this = TIRTempVariable(func, ast, tag, type) } - final override Language::Type getType() { result = type } + final override Language::LanguageType getLanguageType() { result = type } final override Language::AST getAST() { result = ast } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll index 6d5e697150e..049983c9126 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll @@ -5,6 +5,7 @@ import IRVariable import Operand private import internal.InstructionImports as Imports import Imports::EdgeKind +import Imports::IRType import Imports::MemoryAccessKind import Imports::Opcode private import Imports::OperandTag @@ -49,7 +50,8 @@ module InstructionSanity { ( opcode instanceof ReadSideEffectOpcode or opcode instanceof Opcode::InlineAsm or - opcode instanceof Opcode::CallSideEffect + opcode instanceof Opcode::CallSideEffect or + opcode instanceof Opcode::AliasedUse ) and tag instanceof SideEffectOperandTag ) @@ -113,10 +115,12 @@ module InstructionSanity { } query predicate missingOperandType(Operand operand, string message) { - exists(Language::Function func | + exists(Language::Function func, Instruction use | not exists(operand.getType()) and - func = operand.getUse().getEnclosingFunction() and - message = "Operand missing type in function '" + Language::getIdentityString(func) + "'." + use = operand.getUse() and + func = use.getEnclosingFunction() and + message = "Operand '" + operand.toString() + "' of instruction '" + use.getOpcode().toString() + + "' missing type in function '" + Language::getIdentityString(func) + "'." ) } @@ -260,6 +264,7 @@ module InstructionSanity { ) { exists(IRBlock useBlock, int useIndex, Instruction defInstr, IRBlock defBlock, int defIndex | not useOperand.getUse() instanceof UnmodeledUseInstruction and + not defInstr instanceof UnmodeledDefinitionInstruction and pointOfEvaluation(useOperand, useBlock, useIndex) and defInstr = useOperand.getAnyDef() and ( @@ -321,7 +326,7 @@ class Instruction extends Construction::TInstruction { } private string getResultPrefix() { - if getResultType() instanceof Language::VoidType + if getResultIRType() instanceof IRVoidType then result = "v" else if hasMemoryResult() @@ -353,23 +358,6 @@ class Instruction extends Construction::TInstruction { ) } - bindingset[type] - private string getValueCategoryString(string type) { - if isGLValue() then result = "glval<" + type + ">" else result = type - } - - string getResultTypeString() { - exists(string valcat | - valcat = getValueCategoryString(getResultType().toString()) and - if - getResultType() instanceof Language::UnknownType and - not isGLValue() and - exists(getResultSize()) - then result = valcat + "[" + getResultSize().toString() + "]" - else result = valcat - ) - } - /** * Gets a human-readable string that uniquely identifies this instruction * within the function. This string is used to refer to this instruction when @@ -389,7 +377,9 @@ class Instruction extends Construction::TInstruction { * * Example: `r1_1(int*)` */ - final string getResultString() { result = getResultId() + "(" + getResultTypeString() + ")" } + final string getResultString() { + result = getResultId() + "(" + getResultLanguageType().getDumpString() + ")" + } /** * Gets a string describing the operands of this instruction, suitable for @@ -457,6 +447,16 @@ class Instruction extends Construction::TInstruction { result = Construction::getInstructionUnconvertedResultExpression(this) } + final Language::LanguageType getResultLanguageType() { + result = Construction::getInstructionResultType(this) + } + + /** + * Gets the type of the result produced by this instruction. If the instruction does not produce + * a result, its result type will be `IRVoidType`. + */ + final IRType getResultIRType() { result = getResultLanguageType().getIRType() } + /** * Gets the type of the result produced by this instruction. If the * instruction does not produce a result, its result type will be `VoidType`. @@ -464,7 +464,16 @@ class Instruction extends Construction::TInstruction { * If `isGLValue()` holds, then the result type of this instruction should be * thought of as "pointer to `getResultType()`". */ - final Language::Type getResultType() { Construction::instructionHasType(this, result, _) } + final Language::Type getResultType() { + exists(Language::LanguageType resultType | + resultType = getResultLanguageType() and + ( + resultType.hasUnspecifiedType(result, _) + or + not resultType.hasUnspecifiedType(_, _) and result instanceof Language::UnknownType + ) + ) + } /** * Holds if the result produced by this instruction is a glvalue. If this @@ -484,7 +493,7 @@ class Instruction extends Construction::TInstruction { * result of the `Load` instruction is a prvalue of type `int`, representing * the integer value loaded from variable `x`. */ - final predicate isGLValue() { Construction::instructionHasType(this, _, true) } + final predicate isGLValue() { Construction::getInstructionResultType(this).hasType(_, true) } /** * Gets the size of the result produced by this instruction, in bytes. If the @@ -493,16 +502,7 @@ class Instruction extends Construction::TInstruction { * If `this.isGLValue()` holds for this instruction, the value of * `getResultSize()` will always be the size of a pointer. */ - final int getResultSize() { - if isGLValue() - then - // a glvalue is always pointer-sized. - result = Language::getPointerSize() - else - if getResultType() instanceof Language::UnknownType - then result = Construction::getInstructionResultSize(this) - else result = Language::getTypeSize(getResultType()) - } + final int getResultSize() { result = Construction::getInstructionResultType(this).getByteSize() } /** * Gets the opcode that specifies the operation performed by this instruction. @@ -1384,7 +1384,7 @@ class CatchInstruction extends Instruction { * An instruction that catches an exception of a specific type. */ class CatchByTypeInstruction extends CatchInstruction { - Language::Type exceptionType; + Language::LanguageType exceptionType; CatchByTypeInstruction() { getOpcode() instanceof Opcode::CatchByType and @@ -1396,7 +1396,7 @@ class CatchByTypeInstruction extends CatchInstruction { /** * Gets the type of exception to be caught. */ - final Language::Type getExceptionType() { result = exceptionType } + final Language::LanguageType getExceptionType() { result = exceptionType } } /** @@ -1423,6 +1423,13 @@ class AliasedDefinitionInstruction extends Instruction { final override MemoryAccessKind getResultMemoryAccess() { result instanceof EscapedMemoryAccess } } +/** + * An instruction that consumes all escaped memory on exit from the function. + */ +class AliasedUseInstruction extends Instruction { + AliasedUseInstruction() { getOpcode() instanceof Opcode::AliasedUse } +} + class UnmodeledUseInstruction extends Instruction { UnmodeledUseInstruction() { getOpcode() instanceof Opcode::UnmodeledUse } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll index a23fb081afe..07dd107bf12 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll @@ -1,9 +1,10 @@ private import internal.IRInternal -import Instruction -import IRBlock +private import Instruction +private import IRBlock private import internal.OperandImports as Imports -import Imports::MemoryAccessKind -import Imports::Overlap +private import Imports::MemoryAccessKind +private import Imports::IRType +private import Imports::Overlap private import Imports::OperandTag cached @@ -143,22 +144,40 @@ class Operand extends TOperand { * the definition type, such as in the case of a partial read or a read from a pointer that * has been cast to a different type. */ - Language::Type getType() { result = getAnyDef().getResultType() } + Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() } + + /** + * Gets the language-neutral type of the value consumed by this operand. This is usually the same + * as the result type of the definition instruction consumed by this operand. For register + * operands, this is always the case. For some memory operands, the operand type may be different + * from the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final IRType getIRType() { result = getLanguageType().getIRType() } + + /** + * Gets the type of the value consumed by this operand. This is usually the same as the + * result type of the definition instruction consumed by this operand. For register operands, + * this is always the case. For some memory operands, the operand type may be different from + * the definition type, such as in the case of a partial read or a read from a pointer that + * has been cast to a different type. + */ + final Language::Type getType() { getLanguageType().hasType(result, _) } /** * Holds if the value consumed by this operand is a glvalue. If this * holds, the value of the operand represents the address of a location, * and the type of the location is given by `getType()`. If this does * not hold, the value of the operand represents a value whose type is - * given by `getResultType()`. + * given by `getType()`. */ - predicate isGLValue() { getAnyDef().isGLValue() } + final predicate isGLValue() { getLanguageType().hasType(_, true) } /** * Gets the size of the value consumed by this operand, in bytes. If the operand does not have * a known constant size, this predicate does not hold. */ - int getSize() { result = Language::getTypeSize(getType()) } + final int getSize() { result = getLanguageType().getByteSize() } } /** @@ -170,11 +189,6 @@ class MemoryOperand extends Operand { this = TPhiOperand(_, _, _, _) } - override predicate isGLValue() { - // A `MemoryOperand` can never be a glvalue - none() - } - /** * Gets the kind of memory access performed by the operand. */ @@ -239,7 +253,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe class TypedOperand extends NonPhiMemoryOperand { override TypedOperandTag tag; - final override Language::Type getType() { + final override Language::LanguageType getLanguageType() { result = Construction::getInstructionOperandType(useInstr, tag) } } @@ -381,13 +395,10 @@ class PositionalArgumentOperand extends ArgumentOperand { class SideEffectOperand extends TypedOperand { override SideEffectOperandTag tag; - final override int getSize() { - if getType() instanceof Language::UnknownType - then result = Construction::getInstructionOperandSize(useInstr, tag) - else result = Language::getTypeSize(getType()) - } - override MemoryAccessKind getMemoryAccess() { + useInstr instanceof AliasedUseInstruction and + result instanceof NonLocalMayMemoryAccess + or useInstr instanceof CallSideEffectInstruction and result instanceof EscapedMayMemoryAccess or diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll index f887d39d10b..79e5a2b6713 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll @@ -1,5 +1,5 @@ private import internal.ValueNumberingInternal -private import csharp +private import internal.ValueNumberingImports private import IR /** @@ -23,31 +23,32 @@ newtype TValueNumber = initializeParameterValueNumber(_, irFunc, var) } or TInitializeThisValueNumber(IRFunction irFunc) { initializeThisValueNumber(_, irFunc) } or - TConstantValueNumber(IRFunction irFunc, Type type, string value) { + TConstantValueNumber(IRFunction irFunc, IRType type, string value) { constantValueNumber(_, irFunc, type, value) } or - TStringConstantValueNumber(IRFunction irFunc, Type type, string value) { + TStringConstantValueNumber(IRFunction irFunc, IRType type, string value) { stringConstantValueNumber(_, irFunc, type, value) } or - TFieldAddressValueNumber(IRFunction irFunc, Field field, ValueNumber objectAddress) { + TFieldAddressValueNumber(IRFunction irFunc, Language::Field field, ValueNumber objectAddress) { fieldAddressValueNumber(_, irFunc, field, objectAddress) } or TBinaryValueNumber( - IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand + IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { binaryValueNumber(_, irFunc, opcode, type, leftOperand, rightOperand) } or TPointerArithmeticValueNumber( - IRFunction irFunc, Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, + IRFunction irFunc, Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { pointerArithmeticValueNumber(_, irFunc, opcode, type, elementSize, leftOperand, rightOperand) } or - TUnaryValueNumber(IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand) { + TUnaryValueNumber(IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand) { unaryValueNumber(_, irFunc, opcode, type, operand) } or TInheritanceConversionValueNumber( - IRFunction irFunc, Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand + IRFunction irFunc, Opcode opcode, Language::Class baseClass, Language::Class derivedClass, + ValueNumber operand ) { inheritanceConversionValueNumber(_, irFunc, opcode, baseClass, derivedClass, operand) } or @@ -59,7 +60,7 @@ newtype TValueNumber = class ValueNumber extends TValueNumber { final string toString() { result = getExampleInstruction().getResultId() } - final Location getLocation() { result = getExampleInstruction().getLocation() } + final Language::Location getLocation() { result = getExampleInstruction().getLocation() } /** * Gets the instructions that have been assigned this value number. This will always produce at @@ -150,23 +151,23 @@ private predicate initializeThisValueNumber(InitializeThisInstruction instr, IRF } private predicate constantValueNumber( - ConstantInstruction instr, IRFunction irFunc, Type type, string value + ConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue() = value } private predicate stringConstantValueNumber( - StringConstantInstruction instr, IRFunction irFunc, Type type, string value + StringConstantInstruction instr, IRFunction irFunc, IRType type, string value ) { instr.getEnclosingIRFunction() = irFunc and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getValue().getValue() = value } private predicate fieldAddressValueNumber( - FieldAddressInstruction instr, IRFunction irFunc, Field field, ValueNumber objectAddress + FieldAddressInstruction instr, IRFunction irFunc, Language::Field field, ValueNumber objectAddress ) { instr.getEnclosingIRFunction() = irFunc and instr.getField() = field and @@ -174,43 +175,43 @@ private predicate fieldAddressValueNumber( } private predicate binaryValueNumber( - BinaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber leftOperand, + BinaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof PointerArithmeticInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate pointerArithmeticValueNumber( - PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, Type type, int elementSize, - ValueNumber leftOperand, ValueNumber rightOperand + PointerArithmeticInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, + int elementSize, ValueNumber leftOperand, ValueNumber rightOperand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and instr.getElementSize() = elementSize and valueNumber(instr.getLeft()) = leftOperand and valueNumber(instr.getRight()) = rightOperand } private predicate unaryValueNumber( - UnaryInstruction instr, IRFunction irFunc, Opcode opcode, Type type, ValueNumber operand + UnaryInstruction instr, IRFunction irFunc, Opcode opcode, IRType type, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and not instr instanceof InheritanceConversionInstruction and not instr instanceof CopyInstruction and instr.getOpcode() = opcode and - instr.getResultType() = type and + instr.getResultIRType() = type and valueNumber(instr.getUnary()) = operand } private predicate inheritanceConversionValueNumber( - InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, Class baseClass, - Class derivedClass, ValueNumber operand + InheritanceConversionInstruction instr, IRFunction irFunc, Opcode opcode, + Language::Class baseClass, Language::Class derivedClass, ValueNumber operand ) { instr.getEnclosingIRFunction() = irFunc and instr.getOpcode() = opcode and @@ -225,7 +226,7 @@ private predicate inheritanceConversionValueNumber( */ private predicate uniqueValueNumber(Instruction instr, IRFunction irFunc) { instr.getEnclosingIRFunction() = irFunc and - not instr.getResultType() instanceof VoidType and + not instr.getResultIRType() instanceof IRVoidType and not numberableInstruction(instr) } @@ -269,38 +270,41 @@ private ValueNumber nonUniqueValueNumber(Instruction instr) { initializeThisValueNumber(instr, irFunc) and result = TInitializeThisValueNumber(irFunc) or - exists(Type type, string value | + exists(IRType type, string value | constantValueNumber(instr, irFunc, type, value) and result = TConstantValueNumber(irFunc, type, value) ) or - exists(Type type, string value | + exists(IRType type, string value | stringConstantValueNumber(instr, irFunc, type, value) and result = TStringConstantValueNumber(irFunc, type, value) ) or - exists(Field field, ValueNumber objectAddress | + exists(Language::Field field, ValueNumber objectAddress | fieldAddressValueNumber(instr, irFunc, field, objectAddress) and result = TFieldAddressValueNumber(irFunc, field, objectAddress) ) or - exists(Opcode opcode, Type type, ValueNumber leftOperand, ValueNumber rightOperand | + exists(Opcode opcode, IRType type, ValueNumber leftOperand, ValueNumber rightOperand | binaryValueNumber(instr, irFunc, opcode, type, leftOperand, rightOperand) and result = TBinaryValueNumber(irFunc, opcode, type, leftOperand, rightOperand) ) or - exists(Opcode opcode, Type type, ValueNumber operand | + exists(Opcode opcode, IRType type, ValueNumber operand | unaryValueNumber(instr, irFunc, opcode, type, operand) and result = TUnaryValueNumber(irFunc, opcode, type, operand) ) or - exists(Opcode opcode, Class baseClass, Class derivedClass, ValueNumber operand | + exists( + Opcode opcode, Language::Class baseClass, Language::Class derivedClass, ValueNumber operand + | inheritanceConversionValueNumber(instr, irFunc, opcode, baseClass, derivedClass, operand) and result = TInheritanceConversionValueNumber(irFunc, opcode, baseClass, derivedClass, operand) ) or exists( - Opcode opcode, Type type, int elementSize, ValueNumber leftOperand, ValueNumber rightOperand + Opcode opcode, IRType type, int elementSize, ValueNumber leftOperand, + ValueNumber rightOperand | pointerArithmeticValueNumber(instr, irFunc, opcode, type, elementSize, leftOperand, rightOperand) and diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll new file mode 100644 index 00000000000..555cb581d37 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll @@ -0,0 +1 @@ +import semmle.code.csharp.ir.internal.Overlap diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll index 188c68483ad..9e4a85dd8ed 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll @@ -1 +1,2 @@ import semmle.code.csharp.ir.implementation.unaliased_ssa.IR as IR +import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll index b5abc1049f3..3b716c201ac 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll @@ -1,2 +1,3 @@ import semmle.code.csharp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll index 20c299416ef..9ab8de41259 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll @@ -1,3 +1,4 @@ +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.implementation.TempVariableTag as TempVariableTag import semmle.code.csharp.ir.internal.IRUtilities as IRUtilities import semmle.code.csharp.ir.internal.TempVariableTag as TTempVariableTag diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll index da9b8e6e877..8628f5be373 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll @@ -1,4 +1,5 @@ import semmle.code.csharp.ir.implementation.EdgeKind as EdgeKind +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind import semmle.code.csharp.ir.implementation.Opcode as Opcode import semmle.code.csharp.ir.implementation.internal.OperandTag as OperandTag diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll index 13667df7276..997185fb9f7 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll @@ -1,3 +1,4 @@ import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind +import semmle.code.csharp.ir.implementation.IRType as IRType import semmle.code.csharp.ir.internal.Overlap as Overlap import semmle.code.csharp.ir.implementation.internal.OperandTag as OperandTag diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll index a5c09c6401b..23121523a6b 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll @@ -4,34 +4,52 @@ private import Alias private import SSAConstruction private import DebugSSA +bindingset[offset] +private string getKeySuffixForOffset(int offset) { + if offset % 2 = 0 then result = "" else result = "_Chi" +} + +bindingset[offset] +private int getIndexForOffset(int offset) { result = offset / 2 } + /** * Property provide that dumps the memory access of each result. Useful for debugging SSA * construction. */ class PropertyProvider extends IRPropertyProvider { override string getInstructionProperty(Instruction instruction, string key) { - exists(MemoryLocation location | - location = getResultMemoryLocation(instruction) and - ( - key = "ResultMemoryLocation" and result = location.toString() - or - key = "ResultVirtualVariable" and result = location.getVirtualVariable().toString() + key = "ResultMemoryLocation" and + result = strictconcat(MemoryLocation loc | + loc = getResultMemoryLocation(instruction) + | + loc.toString(), "," ) - ) or - exists(MemoryLocation location | - location = getOperandMemoryLocation(instruction.getAnOperand()) and - ( - key = "OperandMemoryAccess" and result = location.toString() - or - key = "OperandVirtualVariable" and result = location.getVirtualVariable().toString() + key = "ResultVirtualVariable" and + result = strictconcat(MemoryLocation loc | + loc = getResultMemoryLocation(instruction) + | + loc.getVirtualVariable().toString(), "," ) - ) or - exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defIndex | - hasDefinitionAtRank(useLocation, _, defBlock, defRank, defIndex) and - defBlock.getInstruction(defIndex) = instruction and - key = "DefinitionRank[" + useLocation.toString() + "]" and + key = "OperandMemoryLocation" and + result = strictconcat(MemoryLocation loc | + loc = getOperandMemoryLocation(instruction.getAnOperand()) + | + loc.toString(), "," + ) + or + key = "OperandVirtualVariable" and + result = strictconcat(MemoryLocation loc | + loc = getOperandMemoryLocation(instruction.getAnOperand()) + | + loc.getVirtualVariable().toString(), "," + ) + or + exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defOffset | + hasDefinitionAtRank(useLocation, _, defBlock, defRank, defOffset) and + defBlock.getInstruction(getIndexForOffset(defOffset)) = instruction and + key = "DefinitionRank" + getKeySuffixForOffset(defOffset) + "[" + useLocation.toString() + "]" and result = defRank.toString() ) or @@ -41,10 +59,11 @@ class PropertyProvider extends IRPropertyProvider { result = useRank.toString() ) or - exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defIndex | - hasDefinitionAtRank(useLocation, _, defBlock, defRank, defIndex) and - defBlock.getInstruction(defIndex) = instruction and - key = "DefinitionReachesUse[" + useLocation.toString() + "]" and + exists(MemoryLocation useLocation, IRBlock defBlock, int defRank, int defOffset | + hasDefinitionAtRank(useLocation, _, defBlock, defRank, defOffset) and + defBlock.getInstruction(getIndexForOffset(defOffset)) = instruction and + key = "DefinitionReachesUse" + getKeySuffixForOffset(defOffset) + "[" + useLocation.toString() + + "]" and result = strictconcat(IRBlock useBlock, int useRank, int useIndex | exists(Instruction useInstruction | hasUseAtRank(useLocation, useBlock, useRank, useInstruction) and diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll index 159b6328ab0..7152dec5c4a 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll @@ -1,9 +1,6 @@ import SSAConstructionInternal -private import semmle.code.csharp.ir.implementation.Opcode -private import semmle.code.csharp.ir.implementation.internal.OperandTag -private import semmle.code.csharp.ir.internal.Overlap +private import SSAConstructionImports private import NewIR -private import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language private class OldBlock = Reachability::ReachableBlock; @@ -51,13 +48,13 @@ private module Cached { cached predicate hasTempVariable( - Language::Function func, Language::AST ast, TempVariableTag tag, Language::Type type + Language::Function func, Language::AST ast, TempVariableTag tag, Language::LanguageType type ) { exists(OldIR::IRTempVariable var | var.getEnclosingFunction() = func and var.getAST() = ast and var.getTag() = tag and - var.getType() = type + var.getLanguageType() = type ) } @@ -137,24 +134,12 @@ private module Cached { } cached - Language::Type getInstructionOperandType(Instruction instr, TypedOperandTag tag) { + Language::LanguageType getInstructionOperandType(Instruction instr, TypedOperandTag tag) { exists(OldInstruction oldInstruction, OldIR::TypedOperand oldOperand | oldInstruction = getOldInstruction(instr) and oldOperand = oldInstruction.getAnOperand() and tag = oldOperand.getOperandTag() and - result = oldOperand.getType() - ) - } - - cached - int getInstructionOperandSize(Instruction instr, SideEffectOperandTag tag) { - exists(OldInstruction oldInstruction, OldIR::SideEffectOperand oldOperand | - oldInstruction = getOldInstruction(instr) and - oldOperand = oldInstruction.getAnOperand() and - tag = oldOperand.getOperandTag() and - // Only return a result for operands that need an explicit result size. - oldOperand.getType() instanceof Language::UnknownType and - result = oldOperand.getSize() + result = oldOperand.getLanguageType() ) } @@ -273,29 +258,25 @@ private module Cached { } cached - predicate instructionHasType(Instruction instruction, Language::Type type, boolean isGLValue) { + Language::LanguageType getInstructionResultType(Instruction instruction) { exists(OldInstruction oldInstruction | instruction = WrappedInstruction(oldInstruction) and - type = oldInstruction.getResultType() and - if oldInstruction.isGLValue() then isGLValue = true else isGLValue = false + result = oldInstruction.getResultLanguageType() ) or exists(OldInstruction oldInstruction, Alias::VirtualVariable vvar | instruction = Chi(oldInstruction) and hasChiNode(vvar, oldInstruction) and - type = vvar.getType() and - isGLValue = false + result = vvar.getType() ) or exists(Alias::MemoryLocation location | instruction = Phi(_, location) and - type = location.getType() and - isGLValue = false + result = location.getType() ) or instruction = Unreached(_) and - type instanceof Language::VoidType and - isGLValue = false + result = Language::getVoidType() } cached @@ -373,7 +354,7 @@ private module Cached { } cached - Language::Type getInstructionExceptionType(Instruction instruction) { + Language::LanguageType getInstructionExceptionType(Instruction instruction) { result = getOldInstruction(instruction).(OldIR::CatchByTypeInstruction).getExceptionType() } @@ -382,13 +363,6 @@ private module Cached { result = getOldInstruction(instruction).(OldIR::PointerArithmeticInstruction).getElementSize() } - cached - int getInstructionResultSize(Instruction instruction) { - // Only return a result for instructions that needed an explicit result size. - instruction.getResultType() instanceof Language::UnknownType and - result = getOldInstruction(instruction).getResultSize() - } - cached predicate getInstructionInheritance( Instruction instruction, Language::Class baseClass, Language::Class derivedClass @@ -844,7 +818,7 @@ module DefUse { } /** - * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the + * Expose some of the internal predicates to PrintSSA.qll. We do this by publically importing those modules in the * `DebugSSA` module, which is then imported by PrintSSA. */ module DebugSSA { diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll new file mode 100644 index 00000000000..6ee403226bc --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll @@ -0,0 +1,3 @@ +import semmle.code.csharp.ir.implementation.Opcode +import semmle.code.csharp.ir.implementation.internal.OperandTag +import semmle.code.csharp.ir.internal.Overlap diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll index a4ced8d6d7c..44ff1f110c1 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstructionInternal.qll @@ -2,4 +2,5 @@ import semmle.code.csharp.ir.implementation.raw.IR as OldIR import semmle.code.csharp.ir.implementation.raw.internal.reachability.ReachableBlock as Reachability import semmle.code.csharp.ir.implementation.raw.internal.reachability.Dominance as Dominance import semmle.code.csharp.ir.implementation.unaliased_ssa.IR as NewIR +import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language import SimpleSSA as Alias diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll index 42f582f7df2..5925631b67c 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll @@ -1,24 +1,20 @@ import AliasAnalysis -private import csharp -private import semmle.code.csharp.ir.implementation.raw.IR -private import semmle.code.csharp.ir.internal.IntegerConstant as Ints -private import semmle.code.csharp.ir.implementation.internal.OperandTag -private import semmle.code.csharp.ir.internal.Overlap +private import SimpleSSAImports private class IntValue = Ints::IntValue; private predicate hasResultMemoryAccess( - Instruction instr, IRVariable var, Type type, IntValue bitOffset + Instruction instr, IRVariable var, Language::LanguageType type, IntValue bitOffset ) { resultPointsTo(instr.getResultAddressOperand().getAnyDef(), var, bitOffset) and - type = instr.getResultType() + type = instr.getResultLanguageType() } private predicate hasOperandMemoryAccess( - MemoryOperand operand, IRVariable var, Type type, IntValue bitOffset + MemoryOperand operand, IRVariable var, Language::LanguageType type, IntValue bitOffset ) { resultPointsTo(operand.getAddressOperand().getAnyDef(), var, bitOffset) and - type = operand.getType() + type = operand.getLanguageType() } /** @@ -30,17 +26,17 @@ private predicate isVariableModeled(IRVariable var) { not variableAddressEscapes(var) and // There's no need to check for the right size. An `IRVariable` never has an `UnknownType`, so the test for // `type = var.getType()` is sufficient. - forall(Instruction instr, Type type, IntValue bitOffset | + forall(Instruction instr, Language::LanguageType type, IntValue bitOffset | hasResultMemoryAccess(instr, var, type, bitOffset) | bitOffset = 0 and - type = var.getType() + type.getIRType() = var.getIRType() ) and - forall(MemoryOperand operand, Type type, IntValue bitOffset | + forall(MemoryOperand operand, Language::LanguageType type, IntValue bitOffset | hasOperandMemoryAccess(operand, var, type, bitOffset) | bitOffset = 0 and - type = var.getType() + type.getIRType() = var.getIRType() ) } @@ -59,7 +55,7 @@ class MemoryLocation extends TMemoryLocation { final VirtualVariable getVirtualVariable() { result = this } - final Type getType() { result = var.getType() } + final Language::LanguageType getType() { result = var.getLanguageType() } final string getUniqueId() { result = var.getUniqueId() } } diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSAImports.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSAImports.qll new file mode 100644 index 00000000000..b6f92fda444 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSAImports.qll @@ -0,0 +1,5 @@ +import semmle.code.csharp.ir.implementation.raw.IR +import semmle.code.csharp.ir.internal.IntegerConstant as Ints +import semmle.code.csharp.ir.implementation.internal.OperandTag +import semmle.code.csharp.ir.internal.IRCSharpLanguage as Language +import semmle.code.csharp.ir.internal.Overlap diff --git a/csharp/ql/src/semmle/code/csharp/ir/internal/CSharpType.qll b/csharp/ql/src/semmle/code/csharp/ir/internal/CSharpType.qll new file mode 100644 index 00000000000..ac400b210a5 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/ir/internal/CSharpType.qll @@ -0,0 +1,366 @@ +private import csharp +private import semmle.code.csharp.ir.implementation.IRType +private import IRCSharpLanguage as Language + +int getTypeSize(Type type) { + // REVIEW: Is this complete? + result = type.(SimpleType).getSize() + or + result = getTypeSize(type.(Enum).getUnderlyingType()) + or + // TODO: Generate a reasonable size + type instanceof Struct and result = 16 + or + type instanceof RefType and result = getPointerSize() + or + type instanceof PointerType and result = getPointerSize() + or + result = getTypeSize(type.(TupleType).getUnderlyingType()) + or + // TODO: Add room for extra field + result = getTypeSize(type.(NullableType).getUnderlyingType()) + or + type instanceof VoidType and result = 0 +} + +int getPointerSize() { result = 8 } + +/** + * Holds if an `IRErrorType` should exist. + */ +predicate hasErrorType() { exists(UnknownType t) } + +/** + * Holds if an `IRBooleanType` with the specified `byteSize` should exist. + */ +predicate hasBooleanType(int byteSize) { byteSize = getTypeSize(any(BoolType type)) } + +private predicate isSignedIntegerType(ValueType type) { + type instanceof SignedIntegralType or + type.(Enum).getUnderlyingType() instanceof SignedIntegralType +} + +private predicate isUnsignedIntegerType(ValueType type) { + type instanceof UnsignedIntegralType or + type instanceof CharType or + type.(Enum).getUnderlyingType() instanceof UnsignedIntegralType +} + +/** + * Holds if an `IRSignedIntegerType` with the specified `byteSize` should exist. + */ +predicate hasSignedIntegerType(int byteSize) { + byteSize = getTypeSize(any(ValueType type | isSignedIntegerType(type))) +} + +/** + * Holds if an `IRUnsignedIntegerType` with the specified `byteSize` should exist. + */ +predicate hasUnsignedIntegerType(int byteSize) { + byteSize = getTypeSize(any(ValueType type | isUnsignedIntegerType(type))) +} + +/** + * Holds if an `IRFloatingPointType` with the specified `byteSize` should exist. + */ +predicate hasFloatingPointType(int byteSize) { byteSize = any(FloatingPointType type).getSize() } + +private predicate isPointerIshType(Type type) { + type instanceof PointerType or + type instanceof RefType +} + +/** + * Holds if an `IRAddressType` with the specified `byteSize` should exist. + */ +predicate hasAddressType(int byteSize) { + // This covers all pointers, all references, and because it also looks at `NullType`, it + // should always return a result that makes sense for arbitrary glvalues as well. + byteSize = getTypeSize(any(Type type | isPointerIshType(type))) +} + +/** + * Holds if an `IRFunctionAddressType` with the specified `byteSize` should exist. + */ +predicate hasFunctionAddressType(int byteSize) { byteSize = getTypeSize(any(NullType type)) } + +private int getBaseClassSize(ValueOrRefType type) { + if exists(type.getBaseClass()) then result = getContentSize(type.getBaseClass()) else result = 0 +} + +private int getContentSize(ValueOrRefType type) { + result = getBaseClassSize(type) + + sum(Field field | not field.isStatic() | getTypeSize(field.getType())) +} + +private predicate isOpaqueType(ValueOrRefType type) { + type instanceof Struct or + type instanceof NullableType or + type instanceof DecimalType +} + +/** + * Holds if an `IROpaqueType` with the specified `tag` and `byteSize` should exist. + */ +predicate hasOpaqueType(Type tag, int byteSize) { + isOpaqueType(tag) and byteSize = getTypeSize(tag) +} + +private Type getRepresentationType(Type type) { + result = type.(Enum).getUnderlyingType() + or + result = type.(TupleType).getUnderlyingType() + or + not type instanceof Enum and not type instanceof TupleType and result = type +} + +/** + * Gets the `IRType` that represents a prvalue of the specified `Type`. + */ +private IRType getIRTypeForPRValue(Type type) { + exists(Type repType | repType = getRepresentationType(type) | + exists(IROpaqueType opaqueType | opaqueType = result | + opaqueType.getByteSize() = getTypeSize(repType) and + opaqueType.getTag() = repType + ) + or + result.(IRBooleanType).getByteSize() = repType.(BoolType).getSize() + or + isSignedIntegerType(repType) and + result.(IRSignedIntegerType).getByteSize() = getTypeSize(repType) + or + isUnsignedIntegerType(repType) and + result.(IRUnsignedIntegerType).getByteSize() = getTypeSize(repType) + or + result.(IRFloatingPointType).getByteSize() = repType.(FloatingPointType).getSize() + or + isPointerIshType(repType) and result.(IRAddressType).getByteSize() = getTypeSize(repType) + or + repType instanceof VoidType and result instanceof IRVoidType + or + repType instanceof UnknownType and result instanceof IRErrorType + ) +} + +string getOpaqueTagIdentityString(Type tag) { result = tag.getQualifiedName() } + +private newtype TCSharpType = + TPRValueType(Type type) { exists(getIRTypeForPRValue(type)) } or + TGLValueAddressType(Type type) { any() } or + TFunctionAddressType() or + TUnknownType() + +class CSharpType extends TCSharpType { + abstract string toString(); + + /** Gets a string used in IR dumps */ + string getDumpString() { result = toString() } + + /** Gets the size of the type in bytes, if known. */ + final int getByteSize() { result = getIRType().getByteSize() } + + /** + * Gets the `IRType` that represents this `CSharpType`. Many different `CSharpType`s can map to a + * single `IRType`. + */ + abstract IRType getIRType(); + + /** + * Holds if the `CSharpType` represents a prvalue of type `Type` (if `isGLValue` is `false`), or + * if it represents a glvalue of type `Type` (if `isGLValue` is `true`). + */ + abstract predicate hasType(Type type, boolean isGLValue); + + final predicate hasUnspecifiedType(Type type, boolean isGLValue) { hasType(type, isGLValue) } +} + +/** + * A `CSharpType` that wraps an existing `Type` (either as a prvalue or a glvalue). + */ +private class CSharpWrappedType extends CSharpType { + Type cstype; + + CSharpWrappedType() { + this = TPRValueType(cstype) or + this = TGLValueAddressType(cstype) + } + + abstract override string toString(); + + abstract override IRType getIRType(); + + abstract override predicate hasType(Type type, boolean isGLValue); +} + +/** + * A `CSharpType` that represents a prvalue of an existing `Type`. + */ +private class CSharpPRValueType extends CSharpWrappedType, TPRValueType { + final override string toString() { result = cstype.toString() } + + final override IRType getIRType() { result = getIRTypeForPRValue(cstype) } + + final override predicate hasType(Type type, boolean isGLValue) { + type = cstype and + isGLValue = false + } +} + +/** + * A `CSharpType` that represents a glvalue of an existing `Type`. + */ +private class CSharpGLValueAddressType extends CSharpWrappedType, TGLValueAddressType { + final override string toString() { result = "glval<" + cstype.toString() + ">" } + + final override IRAddressType getIRType() { result.getByteSize() = getPointerSize() } + + final override predicate hasType(Type type, boolean isGLValue) { + type = cstype and + isGLValue = true + } +} + +/** + * A `CSharpType` that represents a function address. + */ +private class CSharpFunctionAddressType extends CSharpType, TFunctionAddressType { + final override string toString() { result = "" } + + final override IRFunctionAddressType getIRType() { result.getByteSize() = getPointerSize() } + + final override predicate hasType(Type type, boolean isGLValue) { + type instanceof VoidType and isGLValue = true + } +} + +/** + * A `CSharpType` that represents an unknown type. + */ +private class CSharpUnknownType extends CSharpType, TUnknownType { + final override string toString() { result = "" } + + final override IRUnknownType getIRType() { any() } + + final override predicate hasType(Type type, boolean isGLValue) { + type instanceof VoidType and isGLValue = false + } +} + +/** + * Gets the single instance of `CSharpUnknownType`. + */ +CSharpUnknownType getUnknownType() { any() } + +/** + * Gets the `CSharpType` that represents a prvalue of type `void`. + */ +CSharpPRValueType getVoidType() { exists(VoidType voidType | result.hasType(voidType, false)) } + +/** + * Gets the `CSharpType` that represents a prvalue of type `type`. + */ +CSharpPRValueType getTypeForPRValue(Type type) { result.hasType(type, false) } + +/** + * Gets the `CSharpType` that represents a glvalue of type `type`. + */ +CSharpGLValueAddressType getTypeForGLValue(Type type) { result.hasType(type, true) } + +/** + * Gets the `CSharpType` that represents a prvalue of type `int`. + */ +CSharpPRValueType getIntType() { result.hasType(any(IntType t), false) } + +/** + * Gets the `CSharpType` that represents a prvalue of type `bool`. + */ +CSharpPRValueType getBoolType() { result.hasType(any(BoolType t), false) } + +/** + * Gets the `CSharpType` that represents a prvalue of `NullType`. + */ +CSharpPRValueType getNullType() { result.hasType(any(NullType t), false) } + +/** + * Gets the `CSharpType` that represents a function address. + */ +CSharpFunctionAddressType getFunctionAddressType() { any() } + +/** + * Gets the `CSharpType` that is the canonical type for an `IRBooleanType` with the specified + * `byteSize`. + */ +CSharpPRValueType getCanonicalBooleanType(int byteSize) { + exists(BoolType type | result = TPRValueType(type) and byteSize = type.getSize()) +} + +/** + * Gets the `CSharpType` that is the canonical type for an `IRSignedIntegerType` with the specified + * `byteSize`. + */ +CSharpPRValueType getCanonicalSignedIntegerType(int byteSize) { + result = TPRValueType(any(SignedIntegralType t | t.getSize() = byteSize)) +} + +/** + * Gets the `CSharpType` that is the canonical type for an `IRUnsignedIntegerType` with the specified + * `byteSize`. + */ +CSharpPRValueType getCanonicalUnsignedIntegerType(int byteSize) { + result = TPRValueType(any(UnsignedIntegralType t | t.getSize() = byteSize)) +} + +/** + * Gets the `CSharpType` that is the canonical type for an `IRFloatingPointType` with the specified + * `byteSize`. + */ +CSharpPRValueType getCanonicalFloatingPointType(int byteSize) { + result = TPRValueType(any(FloatingPointType type | type.getSize() = byteSize)) +} + +/** + * Gets the `CSharpType` that is the canonical type for an `IRAddressType` with the specified + * `byteSize`. + */ +CSharpPRValueType getCanonicalAddressType(int byteSize) { + // We just use `NullType`, since it should be unique. + result = TPRValueType(any(NullType type | getTypeSize(type) = byteSize)) +} + +/** + * Gets the `CSharpType` that is the canonical type for an `IRFunctionAddressType` with the specified + * `byteSize`. + */ +CSharpFunctionAddressType getCanonicalFunctionAddressType(int byteSize) { + result.getByteSize() = byteSize +} + +/** + * Gets the `CSharpType` that is the canonical type for `IRErrorType`. + */ +CSharpPRValueType getCanonicalErrorType() { result = TPRValueType(any(UnknownType type)) } + +/** + * Gets the `CSharpType` that is the canonical type for `IRUnknownType`. + */ +CSharpUnknownType getCanonicalUnknownType() { any() } + +/** + * Gets the `CSharpType` that is the canonical type for `IRVoidType`. + */ +CSharpPRValueType getCanonicalVoidType() { result = TPRValueType(any(VoidType type)) } + +/** + * Gets the `CSharpType` that is the canonical type for an `IROpaqueType` with the specified `tag` and + * `byteSize`. + */ +CSharpPRValueType getCanonicalOpaqueType(Type tag, int byteSize) { + isOpaqueType(tag) and + result = TPRValueType(tag) and + getTypeSize(tag) = byteSize +} + +module LanguageTypeSanity { + // Nothing interesting here for C# yet, but the module still has to exist because it is imported + // by `IRTypeSanity`. +} diff --git a/csharp/ql/src/semmle/code/csharp/ir/internal/IRCSharpLanguage.qll b/csharp/ql/src/semmle/code/csharp/ir/internal/IRCSharpLanguage.qll index c359879c87f..70f3e38ade7 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/internal/IRCSharpLanguage.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/internal/IRCSharpLanguage.qll @@ -1,5 +1,10 @@ private import csharp as CSharp private import IRUtilities +import CSharpType + +class LanguageType = CSharpType; + +class OpaqueTypeTag = CSharp::ValueOrRefType; class Function = CSharp::Callable; @@ -81,32 +86,6 @@ predicate hasPositionalArgIndex(int argIndex) { predicate hasAsmOperandIndex(int operandIndex) { none() } -int getTypeSize(Type type) { - // REVIEW: Is this complete? - result = type.(CSharp::SimpleType).getSize() - or - result = getTypeSize(type.(CSharp::Enum).getUnderlyingType()) - or - // TODO: Generate a reasonable size - type instanceof CSharp::Struct and result = 16 - or - type instanceof CSharp::RefType and result = getPointerSize() - or - type instanceof CSharp::PointerType and result = getPointerSize() - or - result = getTypeSize(type.(CSharp::TupleType).getUnderlyingType()) - or - // TODO: Add room for extra field - result = getTypeSize(type.(CSharp::NullableType).getUnderlyingType()) - or - type instanceof CSharp::VoidType and result = 0 -} - -int getPointerSize() { - // TODO: Deal with sizes in general - result = 8 -} - predicate isVariableAutomatic(Variable var) { var instanceof CSharp::LocalScopeVariable } string getStringLiteralText(StringLiteral s) { diff --git a/csharp/ql/src/semmle/code/csharp/ir/internal/IRUtilities.qll b/csharp/ql/src/semmle/code/csharp/ir/internal/IRUtilities.qll index c14e361aa01..1aeace91377 100644 --- a/csharp/ql/src/semmle/code/csharp/ir/internal/IRUtilities.qll +++ b/csharp/ql/src/semmle/code/csharp/ir/internal/IRUtilities.qll @@ -1,25 +1,13 @@ private import csharp /** - * Get the actual type of the specified variable, as opposed to the declared type. - * This returns the type of the variable after any pointer decay is applied, and - * after any unsized array type has its size inferred from the initializer. + * Get the actual type of the specified variable, as opposed to the declared + * type. */ Type getVariableType(Variable v) { - exists(Type declaredType | - declaredType = v.getType() and - if v instanceof Parameter - then result = declaredType - else - if declaredType instanceof ArrayType - then - // TODO: Arrays have a declared dimension in C#, so this should not be needed - // and not declaredType.(ArrayType).hasArraySize() - result = v.getInitializer().getType() - or - not exists(v.getInitializer()) and result = declaredType - else result = declaredType - ) + // C# doesn't seem to have any cases where the variable's actual type differs + // from its declared type. + result = v.getType() } predicate hasCaseEdge(CaseStmt caseStmt, string minValue, string maxValue) { diff --git a/csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlow.qll b/csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlow.qll new file mode 100644 index 00000000000..7bde645b8f8 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlow.qll @@ -0,0 +1,83 @@ +/** + * This module has classes and data flow configuration for working with symmetric encryption keys data flow. + */ + +import csharp + +module EncryptionKeyDataFlow { + private import semmle.code.csharp.frameworks.system.security.cryptography.SymmetricAlgorithm + + /** Array of type Byte */ + class ByteArray extends ArrayType { + ByteArray() { getElementType() instanceof ByteType } + } + + /** Abstract class for all sources of keys */ + abstract class KeySource extends DataFlow::Node { } + + /** + * A symmetric encryption sink is abstract base class for all ways to set a key for symmetric encryption. + */ + abstract class SymmetricEncryptionKeySink extends DataFlow::Node { + /** override to create a meaningful description of the sink */ + abstract string getDescription(); + } + + /** + * A sanitizer for symmetric encryption key. If present, for example, key is properly constructed or retrieved from secret storage. + */ + abstract class KeySanitizer extends DataFlow::ExprNode { } + + /** + * Symmetric Algorithm, 'Key' property assigned a value + */ + class SymmetricEncryptionKeyPropertySink extends SymmetricEncryptionKeySink { + SymmetricEncryptionKeyPropertySink() { + exists(SymmetricAlgorithm ag | asExpr() = ag.getKeyProperty().getAnAssignedValue()) + } + + override string getDescription() { result = "Key property assignment" } + } + + /** + * Symmetric Algorithm, CreateEncryptor method, rgbKey parameter + */ + class SymmetricEncryptionCreateEncryptorSink extends SymmetricEncryptionKeySink { + SymmetricEncryptionCreateEncryptorSink() { + exists(SymmetricAlgorithm ag, MethodCall mc | mc = ag.getASymmetricEncryptor() | + asExpr() = mc.getArgumentForName("rgbKey") + ) + } + + override string getDescription() { result = "Encryptor(rgbKey, IV)" } + } + + /** + * Symmetric Algorithm, CreateDecryptor method, rgbKey parameter + */ + class SymmetricEncryptionCreateDecryptorSink extends SymmetricEncryptionKeySink { + SymmetricEncryptionCreateDecryptorSink() { + exists(SymmetricAlgorithm ag, MethodCall mc | mc = ag.getASymmetricDecryptor() | + asExpr() = mc.getArgumentForName("rgbKey") + ) + } + + override string getDescription() { result = "Decryptor(rgbKey, IV)" } + } + + /** + * Symmetric Key Data Flow configuration. + */ + class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuration { + SymmetricKeyTaintTrackingConfiguration() { this = "SymmetricKeyTaintTracking" } + + /** Holds if the node is a key source. */ + override predicate isSource(DataFlow::Node src) { src instanceof KeySource } + + /** Holds if the node is a symmetric encryption key sink. */ + override predicate isSink(DataFlow::Node sink) { sink instanceof SymmetricEncryptionKeySink } + + /** Holds if the node is a key sanitizer. */ + override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer } + } +} diff --git a/csharp/ql/src/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll b/csharp/ql/src/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll new file mode 100644 index 00000000000..b1ecb404477 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll @@ -0,0 +1,112 @@ +/** + * Provides a taint-tracking configuration for reasoning about hard-coded + * symmetric encryption keys. + */ + +import csharp + +module HardcodedSymmetricEncryptionKey { + private import semmle.code.csharp.frameworks.system.security.cryptography.SymmetricAlgorithm + + /** A data flow source for hard-coded symmetric encryption keys. */ + abstract class Source extends DataFlow::Node { } + + /** A data flow sink for hard-coded symmetric encryption keys. */ + abstract class Sink extends DataFlow::ExprNode { + /** Gets a description of this sink. */ + abstract string getDescription(); + } + + /** A sanitizer for hard-coded symmetric encryption keys. */ + abstract class Sanitizer extends DataFlow::ExprNode { } + + private class ByteArrayType extends ArrayType { + ByteArrayType() { getElementType() instanceof ByteType } + } + + private class ByteArrayLiteralSource extends Source { + ByteArrayLiteralSource() { + this.asExpr() = any(ArrayCreation ac | + ac.getArrayType() instanceof ByteArrayType and + ac.hasInitializer() + ) + } + } + + private class StringLiteralSource extends Source { + StringLiteralSource() { this.asExpr() instanceof StringLiteral } + } + + private class SymmetricEncryptionKeyPropertySink extends Sink { + SymmetricEncryptionKeyPropertySink() { + this.asExpr() = any(SymmetricAlgorithm sa).getKeyProperty().getAnAssignedValue() + } + + override string getDescription() { result = "'Key' property assignment" } + } + + private class SymmetricEncryptionCreateEncryptorSink extends Sink { + SymmetricEncryptionCreateEncryptorSink() { + exists(SymmetricAlgorithm ag, MethodCall mc | mc = ag.getASymmetricEncryptor() | + asExpr() = mc.getArgumentForName("rgbKey") + ) + } + + override string getDescription() { result = "Encryptor(rgbKey, IV)" } + } + + private class SymmetricEncryptionCreateDecryptorSink extends Sink { + SymmetricEncryptionCreateDecryptorSink() { + exists(SymmetricAlgorithm ag, MethodCall mc | mc = ag.getASymmetricDecryptor() | + asExpr() = mc.getArgumentForName("rgbKey") + ) + } + + override string getDescription() { result = "Decryptor(rgbKey, IV)" } + } + + private class CreateSymmetricKeySink extends Sink { + CreateSymmetricKeySink() { + exists(MethodCall mc, Method m | + mc.getTarget() = m and + m + .hasQualifiedName("Windows.Security.Cryptography.Core.SymmetricKeyAlgorithmProvider", + "CreateSymmetricKey") and + this.asExpr() = mc.getArgumentForName("keyMaterial") + ) + } + + override string getDescription() { result = "CreateSymmetricKey(IBuffer keyMaterial)" } + } + + private class CryptographicBuffer extends Class { + CryptographicBuffer() { + this.hasQualifiedName("Windows.Security.Cryptography", "CryptographicBuffer") + } + } + + /** + * A taint-tracking configuration for uncontrolled data in path expression vulnerabilities. + */ + class TaintTrackingConfiguration extends TaintTracking::Configuration { + TaintTrackingConfiguration() { this = "HardcodedSymmetricEncryptionKey" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + + /** + * Since `CryptographicBuffer` uses native code inside, taint tracking doesn't pass through it. + * Need to create an additional custom step. + */ + override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + exists(MethodCall mc, CryptographicBuffer c | + pred.asExpr() = mc.getAnArgument() and + mc.getTarget() = c.getAMethod() and + succ.asExpr() = mc + ) + } + } +} diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll new file mode 100644 index 00000000000..685a48b7079 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll @@ -0,0 +1,65 @@ +/** + * Provides a library of known unsafe deserializers. + * See https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf. + */ + +import csharp + +/** An unsafe deserializer. */ +abstract class UnsafeDeserializer extends Callable { } + +class SystemDeserializer extends UnsafeDeserializer { + SystemDeserializer() { + this + .hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter", + "Deserialize") + or + this + .hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter", + "UnsafeDeserialize") + or + this + .hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter", + "UnsafeDeserializeMethodResponse") + or + this + .hasQualifiedName("System.Runtime.Deserialization.Formatters.Soap.SoapFormatter", + "Deserialize") + or + this.hasQualifiedName("System.Web.UI.ObjectStateFormatter", "Deserialize") + or + this.hasQualifiedName("System.Runtime.Serialization.NetDataContractSerializer", "Deserialize") + or + this.hasQualifiedName("System.Runtime.Serialization.NetDataContractSerializer", "ReadObject") + or + this.hasQualifiedName("System.Web.UI.LosFormatter", "Deserialize") + or + this.hasQualifiedName("System.Workflow.ComponentModel.Activity", "Load") + or + this.hasQualifiedName("System.Resources.ResourceReader", "ResourceReader") + or + this.hasQualifiedName("System.Messaging", "BinaryMessageFormatter") + or + this.hasQualifiedName("System.Windows.Markup.XamlReader", "Parse") + or + this.hasQualifiedName("System.Windows.Markup.XamlReader", "Load") + or + this.hasQualifiedName("System.Windows.Markup.XamlReader", "LoadAsync") + } +} + +class MicrosoftDeserializer extends UnsafeDeserializer { + MicrosoftDeserializer() { + this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject", "DecodeValue") + } +} + +class WrapperDeserializer extends UnsafeDeserializer { + WrapperDeserializer() { + exists(Call call | + call.getEnclosingCallable() = this and + call.getAnArgument() instanceof ParameterAccess and + call.getTarget() instanceof UnsafeDeserializer + ) + } +} diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Serialization.qll b/csharp/ql/src/semmle/code/csharp/serialization/Serialization.qll new file mode 100644 index 00000000000..704d10065f0 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/serialization/Serialization.qll @@ -0,0 +1,105 @@ +import csharp + +class SerializationConstructor extends Constructor { + SerializationConstructor() { + this.getNumberOfParameters() = 2 and + this.getParameter(0).getType().hasName("SerializationInfo") and + this.getParameter(1).getType().hasName("StreamingContext") + } +} + +/** + * A serializable type, using any of the built-in .NET serialization mechanisms. + */ +abstract class SerializableType extends ValueOrRefType { + /** + * A method or constructor that should always be considered as potentially + * called on a deserialized object. The precise details depend on the + * deserialization mechanism. + */ + abstract Callable getADeserializationCallback(); + + /** + * A field whose value is restored during a deserialization, rendering it + * potentially untrusted. + */ + abstract Field getASerializedField(); + + /** + * Get a callback that is automatically executed (without user code + * interaction) when an object instance is deserialized. This includes + * deserialization callbacks as well as cleanup/dispose calls. + */ + Callable getAnAutomaticCallback() { + result = this.getADeserializationCallback() or + result.(Destructor).getDeclaringType() = this or + result = any(Method m | + m.getDeclaringType() = this and + m.hasName("Dispose") and + ( + m.getNumberOfParameters() = 0 + or + m.getNumberOfParameters() = 1 and m.getParameter(0).getType() instanceof BoolType + ) + ) + } +} + +/** + * To be serializable by the `BinaryFormatter`, a class must have the `Serializable` + * attribute. + */ +class BinarySerializableType extends SerializableType { + BinarySerializableType() { this.getAnAttribute().getType().hasName("SerializableAttribute") } + + /** + * In addition to the defaults, a `BinarySerializer` will call any method annotated + * with an `OnDeserialized` or `OnDeserializing` attribute, as well as an + * `OnDeserialization` method. + */ + override Callable getADeserializationCallback() { + result.(SerializationConstructor).getDeclaringType() = this + or + result = this.getAMethod() and + ( + result.(Attributable).getAnAttribute().getType().hasName("OnDeserializedAttribute") or + result.(Attributable).getAnAttribute().getType().hasName("OnDeserializingAttribute") or + result.hasName("OnDeserialization") + ) + } + + override Field getASerializedField() { + result.getDeclaringType() = this and + not result.getAnAttribute().getType().hasName("NonSerializedAttribute") and + not result.isStatic() + } +} + +/** + * If a class annotated with the `Serializable` attribute also implements `ISerializable`, + * then it is serialized and deserialized in a special way. + */ +class CustomBinarySerializableType extends BinarySerializableType { + CustomBinarySerializableType() { this.getABaseType*().hasName("ISerializable") } + + /** + * For custom deserialization, the `BinarySerializer` will call the serialization constructor. + */ + override Callable getADeserializationCallback() { + result = super.getADeserializationCallback() or + result.(SerializationConstructor).getDeclaringType() = this + } +} + +class DangerousCallable extends Callable { + DangerousCallable() { + //files + this.(Method).getQualifiedName().matches("System.IO.File.Write%") or + this.(Method).getQualifiedName().matches("System.IO.File.%Copy%") or + this.(Method).getQualifiedName().matches("System.IO.File.%Move%") or + this.(Method).getQualifiedName().matches("System.IO.File.%Append%") or + this.(Method).getQualifiedName().matches("System.IO.%.%Delete%") or + //assembly + this.(Method).getQualifiedName().matches("System.Reflection.Assembly.%Load%") + } +} diff --git a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected index 65e04f8d48c..d82ff134b35 100644 --- a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected +++ b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected @@ -12,6 +12,8 @@ | dataflow.cs:46:35:46:39 | "t1b" | dataflow.cs:46:18:46:40 | call to method Taint1 | | dataflow.cs:49:35:49:38 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect | | dataflow.cs:49:41:49:44 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect | +| dataflow.cs:102:30:102:33 | null | dataflow.cs:74:21:74:52 | ... ?? ... | | dataflow.cs:102:30:102:33 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... | | dataflow.cs:102:30:102:33 | null | dataflow.cs:108:20:108:33 | call to method IndirectNull | +| dataflow.cs:109:23:109:26 | null | dataflow.cs:74:21:74:52 | ... ?? ... | | dataflow.cs:109:23:109:26 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... | diff --git a/csharp/ql/test/library-tests/dataflow/local/DataFlow.expected b/csharp/ql/test/library-tests/dataflow/local/DataFlow.expected index 63462bbad86..78c0204ed20 100644 --- a/csharp/ql/test/library-tests/dataflow/local/DataFlow.expected +++ b/csharp/ql/test/library-tests/dataflow/local/DataFlow.expected @@ -8,7 +8,9 @@ | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | | LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 | | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 | -| LocalDataFlow.cs:466:15:466:21 | access to parameter tainted | +| LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 | +| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | +| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted | | SSA.cs:9:15:9:22 | access to local variable ssaSink0 | | SSA.cs:25:15:25:22 | access to local variable ssaSink1 | | SSA.cs:43:15:43:22 | access to local variable ssaSink2 | diff --git a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected index d38e1f02215..1b93aded791 100644 --- a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected @@ -545,7 +545,10 @@ | LocalDataFlow.cs:408:15:408:22 | access to local variable nonSink0 | LocalDataFlow.cs:415:31:415:38 | access to local variable nonSink0 | | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | | LocalDataFlow.cs:411:22:411:34 | ... = ... | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | +| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | +| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | | LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | ... = ... | +| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | | LocalDataFlow.cs:412:15:412:20 | [post] access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 | | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 | | LocalDataFlow.cs:415:9:415:38 | SSA def(nonSink0) | LocalDataFlow.cs:416:15:416:22 | access to local variable nonSink0 | @@ -562,12 +565,23 @@ | LocalDataFlow.cs:427:17:427:22 | access to local variable sink70 | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 | | LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | +| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 | -| LocalDataFlow.cs:458:28:458:30 | this | LocalDataFlow.cs:458:41:458:45 | this access | -| LocalDataFlow.cs:458:50:458:52 | this | LocalDataFlow.cs:458:56:458:60 | this access | -| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value | -| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted | -| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted | +| LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) | LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 | +| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... | +| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | +| LocalDataFlow.cs:443:22:443:38 | ... ?? ... | LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) | +| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... | +| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | +| LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) | LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | +| LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... | +| LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) | +| LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... | +| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access | +| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access | +| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value | +| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted | +| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted | | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S | | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access | | SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted | diff --git a/csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs b/csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs index 154b4d5fcb9..65de9fc65fe 100644 --- a/csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs +++ b/csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs @@ -438,6 +438,12 @@ public class LocalDataFlow Check(nonSink17); break; } + + // Null-coalescing expressions + var sink73 = nonSink0 ?? sink0; + var sink74 = sink0 ?? nonSink0; + Check(sink73); + Check(sink74); } static void Check(T x) { } diff --git a/csharp/ql/test/library-tests/dataflow/local/TaintTracking.expected b/csharp/ql/test/library-tests/dataflow/local/TaintTracking.expected index ba3d91130f2..756d79333c1 100644 --- a/csharp/ql/test/library-tests/dataflow/local/TaintTracking.expected +++ b/csharp/ql/test/library-tests/dataflow/local/TaintTracking.expected @@ -62,7 +62,9 @@ | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | | LocalDataFlow.cs:420:19:420:24 | access to local variable sink71 | | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 | -| LocalDataFlow.cs:466:15:466:21 | access to parameter tainted | +| LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 | +| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | +| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted | | SSA.cs:9:15:9:22 | access to local variable ssaSink0 | | SSA.cs:25:15:25:22 | access to local variable ssaSink1 | | SSA.cs:43:15:43:22 | access to local variable ssaSink2 | diff --git a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected index f9511969108..f320c87cb8b 100644 --- a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected +++ b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected @@ -690,7 +690,10 @@ | LocalDataFlow.cs:408:15:408:22 | access to local variable nonSink0 | LocalDataFlow.cs:415:31:415:38 | access to local variable nonSink0 | | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | | LocalDataFlow.cs:411:22:411:34 | ... = ... | LocalDataFlow.cs:411:13:411:34 | SSA def(sink70) | +| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | +| LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | | LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | ... = ... | +| LocalDataFlow.cs:411:30:411:34 | access to local variable sink0 | LocalDataFlow.cs:411:22:411:34 | SSA def(sink0) | | LocalDataFlow.cs:412:15:412:20 | [post] access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 | | LocalDataFlow.cs:412:15:412:20 | access to local variable sink70 | LocalDataFlow.cs:419:13:419:18 | access to local variable sink70 | | LocalDataFlow.cs:415:9:415:38 | SSA def(nonSink0) | LocalDataFlow.cs:416:15:416:22 | access to local variable nonSink0 | @@ -707,15 +710,26 @@ | LocalDataFlow.cs:427:17:427:22 | access to local variable sink70 | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | | LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 | | LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | +| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 | -| LocalDataFlow.cs:458:28:458:30 | this | LocalDataFlow.cs:458:41:458:45 | this access | -| LocalDataFlow.cs:458:50:458:52 | this | LocalDataFlow.cs:458:56:458:60 | this access | -| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:50:458:52 | value | -| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value | -| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:464:41:464:47 | tainted | -| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted | -| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:469:44:469:53 | nonTainted | -| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted | +| LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) | LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 | +| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... | +| LocalDataFlow.cs:443:22:443:29 | access to local variable nonSink0 | LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | +| LocalDataFlow.cs:443:22:443:38 | ... ?? ... | LocalDataFlow.cs:443:13:443:38 | SSA def(sink73) | +| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:443:22:443:38 | ... ?? ... | +| LocalDataFlow.cs:443:34:443:38 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | +| LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) | LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | +| LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... | +| LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) | +| LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... | +| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access | +| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access | +| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:50:464:52 | value | +| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value | +| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:470:41:470:47 | tainted | +| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted | +| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:475:44:475:53 | nonTainted | +| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted | | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S | | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access | | SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted | diff --git a/csharp/ql/test/library-tests/ir/ir/raw_ir.expected b/csharp/ql/test/library-tests/ir/ir/raw_ir.expected index acba7e50086..5e3701a4c5a 100644 --- a/csharp/ql/test/library-tests/ir/ir/raw_ir.expected +++ b/csharp/ql/test/library-tests/ir/ir/raw_ir.expected @@ -2,8 +2,8 @@ array.cs: # 2| System.Void ArrayTest.one_dim_init_acc() # 2| Block 0 # 2| v0_0(Void) = EnterFunction : -# 2| mu0_1(null) = AliasedDefinition : -# 2| mu0_2(null) = UnmodeledDefinition : +# 2| mu0_1() = AliasedDefinition : +# 2| mu0_2() = UnmodeledDefinition : # 2| r0_3(glval) = InitializeThis : # 4| r0_4(glval) = VariableAddress[one_dim] : # 4| mu0_5(Int32[]) = Uninitialized[one_dim] : &:r0_4 @@ -53,13 +53,14 @@ array.cs: # 10| mu0_49(Int32) = Store : &:r0_48, r0_43 # 2| v0_50(Void) = ReturnVoid : # 2| v0_51(Void) = UnmodeledUse : mu* -# 2| v0_52(Void) = ExitFunction : +# 2| v0_52(Void) = AliasedUse : ~mu0_2 +# 2| v0_53(Void) = ExitFunction : # 13| System.Void ArrayTest.twod_and_init_acc() # 13| Block 0 # 13| v0_0(Void) = EnterFunction : -# 13| mu0_1(null) = AliasedDefinition : -# 13| mu0_2(null) = UnmodeledDefinition : +# 13| mu0_1() = AliasedDefinition : +# 13| mu0_2() = UnmodeledDefinition : # 13| r0_3(glval) = InitializeThis : # 15| r0_4(glval) = VariableAddress[a] : # 15| mu0_5(Int32[,]) = Uninitialized[a] : &:r0_4 @@ -144,14 +145,15 @@ array.cs: # 20| mu0_84(Int32) = Store : &:r0_83, r0_76 # 13| v0_85(Void) = ReturnVoid : # 13| v0_86(Void) = UnmodeledUse : mu* -# 13| v0_87(Void) = ExitFunction : +# 13| v0_87(Void) = AliasedUse : ~mu0_2 +# 13| v0_88(Void) = ExitFunction : assignop.cs: # 4| System.Void AssignOp.Main() # 4| Block 0 # 4| v0_0(Void) = EnterFunction : -# 4| mu0_1(null) = AliasedDefinition : -# 4| mu0_2(null) = UnmodeledDefinition : +# 4| mu0_1() = AliasedDefinition : +# 4| mu0_2() = UnmodeledDefinition : # 5| r0_3(glval) = VariableAddress[a] : # 5| r0_4(Int32) = Constant[1] : # 5| mu0_5(Int32) = Store : &:r0_3, r0_4 @@ -215,19 +217,20 @@ assignop.cs: # 17| mu0_63(Int32) = Store : &:r0_60, r0_62 # 4| v0_64(Void) = ReturnVoid : # 4| v0_65(Void) = UnmodeledUse : mu* -# 4| v0_66(Void) = ExitFunction : +# 4| v0_66(Void) = AliasedUse : ~mu0_2 +# 4| v0_67(Void) = ExitFunction : casts.cs: # 11| System.Void Casts.Main() # 11| Block 0 # 11| v0_0(Void) = EnterFunction : -# 11| mu0_1(null) = AliasedDefinition : -# 11| mu0_2(null) = UnmodeledDefinition : +# 11| mu0_1() = AliasedDefinition : +# 11| mu0_2() = UnmodeledDefinition : # 13| r0_3(glval) = VariableAddress[Aobj] : # 13| r0_4(Casts_A) = NewObj : -# 13| r0_5(glval) = FunctionAddress[Casts_A] : +# 13| r0_5() = FunctionAddress[Casts_A] : # 13| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 13| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 13| mu0_7() = ^CallSideEffect : ~mu0_2 # 13| mu0_8(Casts_A) = Store : &:r0_3, r0_4 # 14| r0_9(glval) = VariableAddress[bobjCE] : # 14| r0_10(glval) = VariableAddress[Aobj] : @@ -241,25 +244,26 @@ casts.cs: # 15| mu0_18(Casts_B) = Store : &:r0_14, r0_17 # 11| v0_19(Void) = ReturnVoid : # 11| v0_20(Void) = UnmodeledUse : mu* -# 11| v0_21(Void) = ExitFunction : +# 11| v0_21(Void) = AliasedUse : ~mu0_2 +# 11| v0_22(Void) = ExitFunction : collections.cs: # 11| System.Void Collections.Main() # 11| Block 0 # 11| v0_0(Void) = EnterFunction : -# 11| mu0_1(null) = AliasedDefinition : -# 11| mu0_2(null) = UnmodeledDefinition : +# 11| mu0_1() = AliasedDefinition : +# 11| mu0_2() = UnmodeledDefinition : # 13| r0_3(glval>) = VariableAddress[dict] : # 13| r0_4(Dictionary) = NewObj : -# 13| r0_5(glval) = FunctionAddress[Dictionary] : +# 13| r0_5() = FunctionAddress[Dictionary] : # 13| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 13| mu0_7(null) = ^CallSideEffect : ~mu0_2 -# 15| r0_8(glval) = FunctionAddress[Add] : +# 13| mu0_7() = ^CallSideEffect : ~mu0_2 +# 15| r0_8() = FunctionAddress[Add] : # 15| r0_9(Int32) = Constant[0] : # 15| r0_10(MyClass) = NewObj : -# 15| r0_11(glval) = FunctionAddress[MyClass] : +# 15| r0_11() = FunctionAddress[MyClass] : # 15| v0_12(Void) = Call : func:r0_11, this:r0_10 -# 15| mu0_13(null) = ^CallSideEffect : ~mu0_2 +# 15| mu0_13() = ^CallSideEffect : ~mu0_2 # 15| r0_14(String) = StringConstant["Hello"] : # 15| r0_15(glval) = FieldAddress[a] : r0_10 # 15| mu0_16(String) = Store : &:r0_15, r0_14 @@ -267,13 +271,13 @@ collections.cs: # 15| r0_18(glval) = FieldAddress[b] : r0_10 # 15| mu0_19(String) = Store : &:r0_18, r0_17 # 15| v0_20(Void) = Call : func:r0_8, this:r0_4, 0:r0_9, 1:r0_10 -# 15| mu0_21(null) = ^CallSideEffect : ~mu0_2 -# 16| r0_22(glval) = FunctionAddress[Add] : +# 15| mu0_21() = ^CallSideEffect : ~mu0_2 +# 16| r0_22() = FunctionAddress[Add] : # 16| r0_23(Int32) = Constant[1] : # 16| r0_24(MyClass) = NewObj : -# 16| r0_25(glval) = FunctionAddress[MyClass] : +# 16| r0_25() = FunctionAddress[MyClass] : # 16| v0_26(Void) = Call : func:r0_25, this:r0_24 -# 16| mu0_27(null) = ^CallSideEffect : ~mu0_2 +# 16| mu0_27() = ^CallSideEffect : ~mu0_2 # 16| r0_28(String) = StringConstant["Foo"] : # 16| r0_29(glval) = FieldAddress[a] : r0_24 # 16| mu0_30(String) = Store : &:r0_29, r0_28 @@ -281,29 +285,31 @@ collections.cs: # 16| r0_32(glval) = FieldAddress[b] : r0_24 # 16| mu0_33(String) = Store : &:r0_32, r0_31 # 16| v0_34(Void) = Call : func:r0_22, this:r0_4, 0:r0_23, 1:r0_24 -# 16| mu0_35(null) = ^CallSideEffect : ~mu0_2 +# 16| mu0_35() = ^CallSideEffect : ~mu0_2 # 13| mu0_36(Dictionary) = Store : &:r0_3, r0_4 # 11| v0_37(Void) = ReturnVoid : # 11| v0_38(Void) = UnmodeledUse : mu* -# 11| v0_39(Void) = ExitFunction : +# 11| v0_39(Void) = AliasedUse : ~mu0_2 +# 11| v0_40(Void) = ExitFunction : constructor_init.cs: # 5| System.Void BaseClass..ctor() # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 5| r0_3(glval) = InitializeThis : # 6| v0_4(Void) = NoOp : # 5| v0_5(Void) = ReturnVoid : # 5| v0_6(Void) = UnmodeledUse : mu* -# 5| v0_7(Void) = ExitFunction : +# 5| v0_7(Void) = AliasedUse : ~mu0_2 +# 5| v0_8(Void) = ExitFunction : # 9| System.Void BaseClass..ctor(System.Int32) # 9| Block 0 # 9| v0_0(Void) = EnterFunction : -# 9| mu0_1(null) = AliasedDefinition : -# 9| mu0_2(null) = UnmodeledDefinition : +# 9| mu0_1() = AliasedDefinition : +# 9| mu0_2() = UnmodeledDefinition : # 9| r0_3(glval) = InitializeThis : # 9| r0_4(glval) = VariableAddress[i] : # 9| mu0_5(Int32) = InitializeParameter[i] : &:r0_4 @@ -314,98 +320,103 @@ constructor_init.cs: # 11| mu0_10(Int32) = Store : &:r0_9, r0_7 # 9| v0_11(Void) = ReturnVoid : # 9| v0_12(Void) = UnmodeledUse : mu* -# 9| v0_13(Void) = ExitFunction : +# 9| v0_13(Void) = AliasedUse : ~mu0_2 +# 9| v0_14(Void) = ExitFunction : # 17| System.Void DerivedClass..ctor() # 17| Block 0 # 17| v0_0(Void) = EnterFunction : -# 17| mu0_1(null) = AliasedDefinition : -# 17| mu0_2(null) = UnmodeledDefinition : +# 17| mu0_1() = AliasedDefinition : +# 17| mu0_2() = UnmodeledDefinition : # 17| r0_3(glval) = InitializeThis : # 17| r0_4(glval) = Convert[DerivedClass : BaseClass] : r0_3 -# 17| r0_5(glval) = FunctionAddress[BaseClass] : +# 17| r0_5() = FunctionAddress[BaseClass] : # 17| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 17| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 17| mu0_7() = ^CallSideEffect : ~mu0_2 # 18| v0_8(Void) = NoOp : # 17| v0_9(Void) = ReturnVoid : # 17| v0_10(Void) = UnmodeledUse : mu* -# 17| v0_11(Void) = ExitFunction : +# 17| v0_11(Void) = AliasedUse : ~mu0_2 +# 17| v0_12(Void) = ExitFunction : # 21| System.Void DerivedClass..ctor(System.Int32) # 21| Block 0 # 21| v0_0(Void) = EnterFunction : -# 21| mu0_1(null) = AliasedDefinition : -# 21| mu0_2(null) = UnmodeledDefinition : +# 21| mu0_1() = AliasedDefinition : +# 21| mu0_2() = UnmodeledDefinition : # 21| r0_3(glval) = InitializeThis : # 21| r0_4(glval) = VariableAddress[i] : # 21| mu0_5(Int32) = InitializeParameter[i] : &:r0_4 # 21| r0_6(glval) = Convert[DerivedClass : BaseClass] : r0_3 -# 21| r0_7(glval) = FunctionAddress[BaseClass] : +# 21| r0_7() = FunctionAddress[BaseClass] : # 21| r0_8(glval) = VariableAddress[i] : # 21| r0_9(Int32) = Load : &:r0_8, ~mu0_2 # 21| v0_10(Void) = Call : func:r0_7, this:r0_6, 0:r0_9 -# 21| mu0_11(null) = ^CallSideEffect : ~mu0_2 +# 21| mu0_11() = ^CallSideEffect : ~mu0_2 # 22| v0_12(Void) = NoOp : # 21| v0_13(Void) = ReturnVoid : # 21| v0_14(Void) = UnmodeledUse : mu* -# 21| v0_15(Void) = ExitFunction : +# 21| v0_15(Void) = AliasedUse : ~mu0_2 +# 21| v0_16(Void) = ExitFunction : # 25| System.Void DerivedClass..ctor(System.Int32,System.Int32) # 25| Block 0 # 25| v0_0(Void) = EnterFunction : -# 25| mu0_1(null) = AliasedDefinition : -# 25| mu0_2(null) = UnmodeledDefinition : +# 25| mu0_1() = AliasedDefinition : +# 25| mu0_2() = UnmodeledDefinition : # 25| r0_3(glval) = InitializeThis : # 25| r0_4(glval) = VariableAddress[i] : # 25| mu0_5(Int32) = InitializeParameter[i] : &:r0_4 # 25| r0_6(glval) = VariableAddress[j] : # 25| mu0_7(Int32) = InitializeParameter[j] : &:r0_6 -# 25| r0_8(glval) = FunctionAddress[DerivedClass] : +# 25| r0_8() = FunctionAddress[DerivedClass] : # 25| r0_9(glval) = VariableAddress[i] : # 25| r0_10(Int32) = Load : &:r0_9, ~mu0_2 # 25| v0_11(Void) = Call : func:r0_8, this:r0_3, 0:r0_10 -# 25| mu0_12(null) = ^CallSideEffect : ~mu0_2 +# 25| mu0_12() = ^CallSideEffect : ~mu0_2 # 26| v0_13(Void) = NoOp : # 25| v0_14(Void) = ReturnVoid : # 25| v0_15(Void) = UnmodeledUse : mu* -# 25| v0_16(Void) = ExitFunction : +# 25| v0_16(Void) = AliasedUse : ~mu0_2 +# 25| v0_17(Void) = ExitFunction : # 29| System.Void DerivedClass.Main() # 29| Block 0 # 29| v0_0(Void) = EnterFunction : -# 29| mu0_1(null) = AliasedDefinition : -# 29| mu0_2(null) = UnmodeledDefinition : +# 29| mu0_1() = AliasedDefinition : +# 29| mu0_2() = UnmodeledDefinition : # 31| r0_3(glval) = VariableAddress[obj1] : # 31| r0_4(DerivedClass) = NewObj : -# 31| r0_5(glval) = FunctionAddress[DerivedClass] : +# 31| r0_5() = FunctionAddress[DerivedClass] : # 31| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 31| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 31| mu0_7() = ^CallSideEffect : ~mu0_2 # 31| mu0_8(DerivedClass) = Store : &:r0_3, r0_4 # 32| r0_9(glval) = VariableAddress[obj2] : # 32| r0_10(DerivedClass) = NewObj : -# 32| r0_11(glval) = FunctionAddress[DerivedClass] : +# 32| r0_11() = FunctionAddress[DerivedClass] : # 32| r0_12(Int32) = Constant[1] : # 32| v0_13(Void) = Call : func:r0_11, this:r0_10, 0:r0_12 -# 32| mu0_14(null) = ^CallSideEffect : ~mu0_2 +# 32| mu0_14() = ^CallSideEffect : ~mu0_2 # 32| mu0_15(DerivedClass) = Store : &:r0_9, r0_10 # 33| r0_16(glval) = VariableAddress[obj3] : # 33| r0_17(DerivedClass) = NewObj : -# 33| r0_18(glval) = FunctionAddress[DerivedClass] : +# 33| r0_18() = FunctionAddress[DerivedClass] : # 33| r0_19(Int32) = Constant[1] : # 33| r0_20(Int32) = Constant[2] : # 33| v0_21(Void) = Call : func:r0_18, this:r0_17, 0:r0_19, 1:r0_20 -# 33| mu0_22(null) = ^CallSideEffect : ~mu0_2 +# 33| mu0_22() = ^CallSideEffect : ~mu0_2 # 33| mu0_23(DerivedClass) = Store : &:r0_16, r0_17 # 29| v0_24(Void) = ReturnVoid : # 29| v0_25(Void) = UnmodeledUse : mu* -# 29| v0_26(Void) = ExitFunction : +# 29| v0_26(Void) = AliasedUse : ~mu0_2 +# 29| v0_27(Void) = ExitFunction : crement.cs: # 3| System.Void CrementOpsTest.Main() # 3| Block 0 # 3| v0_0(Void) = EnterFunction : -# 3| mu0_1(null) = AliasedDefinition : -# 3| mu0_2(null) = UnmodeledDefinition : +# 3| mu0_1() = AliasedDefinition : +# 3| mu0_2() = UnmodeledDefinition : # 5| r0_3(glval) = VariableAddress[x] : # 5| r0_4(Int32) = Constant[10] : # 5| mu0_5(Int32) = Store : &:r0_3, r0_4 @@ -439,14 +450,15 @@ crement.cs: # 9| mu0_33(Int32) = Store : &:r0_32, r0_28 # 3| v0_34(Void) = ReturnVoid : # 3| v0_35(Void) = UnmodeledUse : mu* -# 3| v0_36(Void) = ExitFunction : +# 3| v0_36(Void) = AliasedUse : ~mu0_2 +# 3| v0_37(Void) = ExitFunction : delegates.cs: # 6| System.Int32 Delegates.returns(System.Int32) # 6| Block 0 # 6| v0_0(Void) = EnterFunction : -# 6| mu0_1(null) = AliasedDefinition : -# 6| mu0_2(null) = UnmodeledDefinition : +# 6| mu0_1() = AliasedDefinition : +# 6| mu0_2() = UnmodeledDefinition : # 6| r0_3(glval) = VariableAddress[ret] : # 6| mu0_4(Int32) = InitializeParameter[ret] : &:r0_3 # 8| r0_5(glval) = VariableAddress[#return] : @@ -456,88 +468,93 @@ delegates.cs: # 6| r0_9(glval) = VariableAddress[#return] : # 6| v0_10(Void) = ReturnValue : &:r0_9, ~mu0_2 # 6| v0_11(Void) = UnmodeledUse : mu* -# 6| v0_12(Void) = ExitFunction : +# 6| v0_12(Void) = AliasedUse : ~mu0_2 +# 6| v0_13(Void) = ExitFunction : # 11| System.Void Delegates.Main() # 11| Block 0 -# 11| v0_0(Void) = EnterFunction : -# 11| mu0_1(null) = AliasedDefinition : -# 11| mu0_2(null) = UnmodeledDefinition : -# 12| r0_3(glval) = VariableAddress[del1] : -# 12| r0_4(Del) = NewObj : -# 12| r0_5(glval) = FunctionAddress[Del] : -# 12| r0_6(glval) = FunctionAddress[returns] : -# 12| v0_7(Void) = Call : func:r0_5, this:r0_4, 0:r0_6 -# 12| mu0_8(null) = ^CallSideEffect : ~mu0_2 -# 12| mu0_9(Del) = Store : &:r0_3, r0_4 -# 13| r0_10(glval) = VariableAddress[del1] : -# 13| r0_11(Del) = Load : &:r0_10, ~mu0_2 -# 13| r0_12(glval) = FunctionAddress[Invoke] : -# 13| r0_13(Int32) = Constant[5] : -# 13| v0_14(Void) = Call : func:r0_12, this:r0_11, 0:r0_13 -# 13| mu0_15(null) = ^CallSideEffect : ~mu0_2 -# 11| v0_16(Void) = ReturnVoid : -# 11| v0_17(Void) = UnmodeledUse : mu* -# 11| v0_18(Void) = ExitFunction : +# 11| v0_0(Void) = EnterFunction : +# 11| mu0_1() = AliasedDefinition : +# 11| mu0_2() = UnmodeledDefinition : +# 12| r0_3(glval) = VariableAddress[del1] : +# 12| r0_4(Del) = NewObj : +# 12| r0_5() = FunctionAddress[Del] : +# 12| r0_6(glval) = FunctionAddress[returns] : +# 12| v0_7(Void) = Call : func:r0_5, this:r0_4, 0:r0_6 +# 12| mu0_8() = ^CallSideEffect : ~mu0_2 +# 12| mu0_9(Del) = Store : &:r0_3, r0_4 +# 13| r0_10(glval) = VariableAddress[del1] : +# 13| r0_11(Del) = Load : &:r0_10, ~mu0_2 +# 13| r0_12() = FunctionAddress[Invoke] : +# 13| r0_13(Int32) = Constant[5] : +# 13| v0_14(Void) = Call : func:r0_12, this:r0_11, 0:r0_13 +# 13| mu0_15() = ^CallSideEffect : ~mu0_2 +# 11| v0_16(Void) = ReturnVoid : +# 11| v0_17(Void) = UnmodeledUse : mu* +# 11| v0_18(Void) = AliasedUse : ~mu0_2 +# 11| v0_19(Void) = ExitFunction : events.cs: # 8| System.Void Events..ctor() # 8| Block 0 # 8| v0_0(Void) = EnterFunction : -# 8| mu0_1(null) = AliasedDefinition : -# 8| mu0_2(null) = UnmodeledDefinition : +# 8| mu0_1() = AliasedDefinition : +# 8| mu0_2() = UnmodeledDefinition : # 8| r0_3(glval) = InitializeThis : # 10| r0_4(MyDel) = NewObj : -# 10| r0_5(glval) = FunctionAddress[MyDel] : +# 10| r0_5() = FunctionAddress[MyDel] : # 10| r0_6(glval) = FunctionAddress[Fun] : # 10| v0_7(Void) = Call : func:r0_5, this:r0_4, 0:r0_6 -# 10| mu0_8(null) = ^CallSideEffect : ~mu0_2 +# 10| mu0_8() = ^CallSideEffect : ~mu0_2 # 10| r0_9(Events) = CopyValue : r0_3 # 10| r0_10(glval) = FieldAddress[Inst] : r0_9 # 10| mu0_11(MyDel) = Store : &:r0_10, r0_4 # 8| v0_12(Void) = ReturnVoid : # 8| v0_13(Void) = UnmodeledUse : mu* -# 8| v0_14(Void) = ExitFunction : +# 8| v0_14(Void) = AliasedUse : ~mu0_2 +# 8| v0_15(Void) = ExitFunction : # 13| System.Void Events.AddEvent() # 13| Block 0 # 13| v0_0(Void) = EnterFunction : -# 13| mu0_1(null) = AliasedDefinition : -# 13| mu0_2(null) = UnmodeledDefinition : +# 13| mu0_1() = AliasedDefinition : +# 13| mu0_2() = UnmodeledDefinition : # 13| r0_3(glval) = InitializeThis : # 15| r0_4(Events) = CopyValue : r0_3 -# 15| r0_5(glval) = FunctionAddress[add_MyEvent] : +# 15| r0_5() = FunctionAddress[add_MyEvent] : # 15| r0_6(Events) = CopyValue : r0_3 # 15| r0_7(glval) = FieldAddress[Inst] : r0_6 # 15| r0_8(MyDel) = Load : &:r0_7, ~mu0_2 # 15| v0_9(Void) = Call : func:r0_5, this:r0_4, 0:r0_8 -# 15| mu0_10(null) = ^CallSideEffect : ~mu0_2 +# 15| mu0_10() = ^CallSideEffect : ~mu0_2 # 13| v0_11(Void) = ReturnVoid : # 13| v0_12(Void) = UnmodeledUse : mu* -# 13| v0_13(Void) = ExitFunction : +# 13| v0_13(Void) = AliasedUse : ~mu0_2 +# 13| v0_14(Void) = ExitFunction : # 18| System.Void Events.RemoveEvent() # 18| Block 0 # 18| v0_0(Void) = EnterFunction : -# 18| mu0_1(null) = AliasedDefinition : -# 18| mu0_2(null) = UnmodeledDefinition : +# 18| mu0_1() = AliasedDefinition : +# 18| mu0_2() = UnmodeledDefinition : # 18| r0_3(glval) = InitializeThis : # 20| r0_4(Events) = CopyValue : r0_3 -# 20| r0_5(glval) = FunctionAddress[remove_MyEvent] : +# 20| r0_5() = FunctionAddress[remove_MyEvent] : # 20| r0_6(Events) = CopyValue : r0_3 # 20| r0_7(glval) = FieldAddress[Inst] : r0_6 # 20| r0_8(MyDel) = Load : &:r0_7, ~mu0_2 # 20| v0_9(Void) = Call : func:r0_5, this:r0_4, 0:r0_8 -# 20| mu0_10(null) = ^CallSideEffect : ~mu0_2 +# 20| mu0_10() = ^CallSideEffect : ~mu0_2 # 18| v0_11(Void) = ReturnVoid : # 18| v0_12(Void) = UnmodeledUse : mu* -# 18| v0_13(Void) = ExitFunction : +# 18| v0_13(Void) = AliasedUse : ~mu0_2 +# 18| v0_14(Void) = ExitFunction : # 23| System.String Events.Fun(System.String) # 23| Block 0 # 23| v0_0(Void) = EnterFunction : -# 23| mu0_1(null) = AliasedDefinition : -# 23| mu0_2(null) = UnmodeledDefinition : +# 23| mu0_1() = AliasedDefinition : +# 23| mu0_2() = UnmodeledDefinition : # 23| r0_3(glval) = InitializeThis : # 23| r0_4(glval) = VariableAddress[str] : # 23| mu0_5(String) = InitializeParameter[str] : &:r0_4 @@ -548,49 +565,51 @@ events.cs: # 23| r0_10(glval) = VariableAddress[#return] : # 23| v0_11(Void) = ReturnValue : &:r0_10, ~mu0_2 # 23| v0_12(Void) = UnmodeledUse : mu* -# 23| v0_13(Void) = ExitFunction : +# 23| v0_13(Void) = AliasedUse : ~mu0_2 +# 23| v0_14(Void) = ExitFunction : # 28| System.Void Events.Main(System.String[]) # 28| Block 0 # 28| v0_0(Void) = EnterFunction : -# 28| mu0_1(null) = AliasedDefinition : -# 28| mu0_2(null) = UnmodeledDefinition : +# 28| mu0_1() = AliasedDefinition : +# 28| mu0_2() = UnmodeledDefinition : # 28| r0_3(glval) = VariableAddress[args] : # 28| mu0_4(String[]) = InitializeParameter[args] : &:r0_3 # 30| r0_5(glval) = VariableAddress[obj] : # 30| r0_6(Events) = NewObj : -# 30| r0_7(glval) = FunctionAddress[Events] : +# 30| r0_7() = FunctionAddress[Events] : # 30| v0_8(Void) = Call : func:r0_7, this:r0_6 -# 30| mu0_9(null) = ^CallSideEffect : ~mu0_2 +# 30| mu0_9() = ^CallSideEffect : ~mu0_2 # 30| mu0_10(Events) = Store : &:r0_5, r0_6 # 31| r0_11(glval) = VariableAddress[obj] : # 31| r0_12(Events) = Load : &:r0_11, ~mu0_2 -# 31| r0_13(glval) = FunctionAddress[AddEvent] : +# 31| r0_13() = FunctionAddress[AddEvent] : # 31| v0_14(Void) = Call : func:r0_13, this:r0_12 -# 31| mu0_15(null) = ^CallSideEffect : ~mu0_2 +# 31| mu0_15() = ^CallSideEffect : ~mu0_2 # 32| r0_16(glval) = VariableAddress[result] : # 32| r0_17(glval) = VariableAddress[obj] : # 32| r0_18(Events) = Load : &:r0_17, ~mu0_2 -# 32| r0_19(glval) = FunctionAddress[Invoke] : +# 32| r0_19() = FunctionAddress[Invoke] : # 32| r0_20(String) = StringConstant["string"] : # 32| v0_21(Void) = Call : func:r0_19, this:r0_18, 0:r0_20 -# 32| mu0_22(null) = ^CallSideEffect : ~mu0_2 +# 32| mu0_22() = ^CallSideEffect : ~mu0_2 # 32| mu0_23(String) = Store : &:r0_16, v0_21 # 33| r0_24(glval) = VariableAddress[obj] : # 33| r0_25(Events) = Load : &:r0_24, ~mu0_2 -# 33| r0_26(glval) = FunctionAddress[RemoveEvent] : +# 33| r0_26() = FunctionAddress[RemoveEvent] : # 33| v0_27(Void) = Call : func:r0_26, this:r0_25 -# 33| mu0_28(null) = ^CallSideEffect : ~mu0_2 +# 33| mu0_28() = ^CallSideEffect : ~mu0_2 # 28| v0_29(Void) = ReturnVoid : # 28| v0_30(Void) = UnmodeledUse : mu* -# 28| v0_31(Void) = ExitFunction : +# 28| v0_31(Void) = AliasedUse : ~mu0_2 +# 28| v0_32(Void) = ExitFunction : foreach.cs: # 4| System.Void ForEach.Main() # 4| Block 0 # 4| v0_0(Void) = EnterFunction : -# 4| mu0_1(null) = AliasedDefinition : -# 4| mu0_2(null) = UnmodeledDefinition : +# 4| mu0_1() = AliasedDefinition : +# 4| mu0_2() = UnmodeledDefinition : # 5| r0_3(glval) = VariableAddress[a_array] : # 5| mu0_4(Int32[]) = Uninitialized[a_array] : &:r0_3 # 5| r0_5(Int32) = Constant[0] : @@ -624,18 +643,18 @@ foreach.cs: # 7| r0_33(glval) = VariableAddress[#temp7:9] : # 7| r0_34(glval) = VariableAddress[a_array] : # 7| r0_35(Int32[]) = Load : &:r0_34, ~mu0_2 -# 7| r0_36(glval) = FunctionAddress[GetEnumerator] : +# 7| r0_36() = FunctionAddress[GetEnumerator] : # 7| r0_37(IEnumerator) = Call : func:r0_36, this:r0_35 -# 7| mu0_38(null) = ^CallSideEffect : ~mu0_2 +# 7| mu0_38() = ^CallSideEffect : ~mu0_2 # 7| mu0_39(IEnumerator) = Store : &:r0_33, r0_37 #-----| Goto -> Block 1 # 7| Block 1 # 7| r1_0(glval) = VariableAddress[#temp7:9] : # 7| r1_1(Boolean) = Load : &:r1_0, ~mu0_2 -# 7| r1_2(glval) = FunctionAddress[MoveNext] : +# 7| r1_2() = FunctionAddress[MoveNext] : # 7| r1_3(Boolean) = Call : func:r1_2, this:r1_1 -# 7| mu1_4(null) = ^CallSideEffect : ~mu0_2 +# 7| mu1_4() = ^CallSideEffect : ~mu0_2 # 7| v1_5(Void) = ConditionalBranch : r1_3 #-----| False -> Block 3 #-----| True -> Block 2 @@ -644,9 +663,9 @@ foreach.cs: # 7| r2_0(glval) = VariableAddress[items] : # 7| r2_1(glval) = VariableAddress[#temp7:9] : # 7| r2_2(Boolean) = Load : &:r2_1, ~mu0_2 -# 7| r2_3(glval) = FunctionAddress[get_Current] : +# 7| r2_3() = FunctionAddress[get_Current] : # 7| r2_4(Int32) = Call : func:r2_3, this:r2_2 -# 7| mu2_5(null) = ^CallSideEffect : ~mu0_2 +# 7| mu2_5() = ^CallSideEffect : ~mu0_2 # 7| mu2_6(Int32) = Store : &:r2_0, r2_4 # 9| r2_7(glval) = VariableAddress[x] : # 9| r2_8(glval) = VariableAddress[items] : @@ -657,19 +676,20 @@ foreach.cs: # 7| Block 3 # 7| r3_0(glval) = VariableAddress[#temp7:9] : # 7| r3_1(Boolean) = Load : &:r3_0, ~mu0_2 -# 7| r3_2(glval) = FunctionAddress[Dispose] : +# 7| r3_2() = FunctionAddress[Dispose] : # 7| v3_3(Void) = Call : func:r3_2, this:r3_1 -# 7| mu3_4(null) = ^CallSideEffect : ~mu0_2 +# 7| mu3_4() = ^CallSideEffect : ~mu0_2 # 4| v3_5(Void) = ReturnVoid : # 4| v3_6(Void) = UnmodeledUse : mu* -# 4| v3_7(Void) = ExitFunction : +# 4| v3_7(Void) = AliasedUse : ~mu0_2 +# 4| v3_8(Void) = ExitFunction : func_with_param_call.cs: # 5| System.Int32 test_call_with_param.f(System.Int32,System.Int32) # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 5| r0_3(glval) = VariableAddress[x] : # 5| mu0_4(Int32) = InitializeParameter[x] : &:r0_3 # 5| r0_5(glval) = VariableAddress[y] : @@ -684,31 +704,33 @@ func_with_param_call.cs: # 5| r0_14(glval) = VariableAddress[#return] : # 5| v0_15(Void) = ReturnValue : &:r0_14, ~mu0_2 # 5| v0_16(Void) = UnmodeledUse : mu* -# 5| v0_17(Void) = ExitFunction : +# 5| v0_17(Void) = AliasedUse : ~mu0_2 +# 5| v0_18(Void) = ExitFunction : # 10| System.Int32 test_call_with_param.g() # 10| Block 0 # 10| v0_0(Void) = EnterFunction : -# 10| mu0_1(null) = AliasedDefinition : -# 10| mu0_2(null) = UnmodeledDefinition : +# 10| mu0_1() = AliasedDefinition : +# 10| mu0_2() = UnmodeledDefinition : # 12| r0_3(glval) = VariableAddress[#return] : -# 12| r0_4(glval) = FunctionAddress[f] : +# 12| r0_4() = FunctionAddress[f] : # 12| r0_5(Int32) = Constant[2] : # 12| r0_6(Int32) = Constant[3] : # 12| r0_7(Int32) = Call : func:r0_4, 0:r0_5, 1:r0_6 -# 12| mu0_8(null) = ^CallSideEffect : ~mu0_2 +# 12| mu0_8() = ^CallSideEffect : ~mu0_2 # 12| mu0_9(Int32) = Store : &:r0_3, r0_7 # 10| r0_10(glval) = VariableAddress[#return] : # 10| v0_11(Void) = ReturnValue : &:r0_10, ~mu0_2 # 10| v0_12(Void) = UnmodeledUse : mu* -# 10| v0_13(Void) = ExitFunction : +# 10| v0_13(Void) = AliasedUse : ~mu0_2 +# 10| v0_14(Void) = ExitFunction : indexers.cs: # 8| System.String Indexers.MyClass.get_Item(System.Int32) # 8| Block 0 # 8| v0_0(Void) = EnterFunction : -# 8| mu0_1(null) = AliasedDefinition : -# 8| mu0_2(null) = UnmodeledDefinition : +# 8| mu0_1() = AliasedDefinition : +# 8| mu0_2() = UnmodeledDefinition : # 8| r0_3(glval) = InitializeThis : # 6| r0_4(glval) = VariableAddress[index] : # 6| mu0_5(Int32) = InitializeParameter[index] : &:r0_4 @@ -724,13 +746,14 @@ indexers.cs: # 8| r0_15(glval) = VariableAddress[#return] : # 8| v0_16(Void) = ReturnValue : &:r0_15, ~mu0_2 # 8| v0_17(Void) = UnmodeledUse : mu* -# 8| v0_18(Void) = ExitFunction : +# 8| v0_18(Void) = AliasedUse : ~mu0_2 +# 8| v0_19(Void) = ExitFunction : # 12| System.Void Indexers.MyClass.set_Item(System.Int32,System.String) # 12| Block 0 # 12| v0_0(Void) = EnterFunction : -# 12| mu0_1(null) = AliasedDefinition : -# 12| mu0_2(null) = UnmodeledDefinition : +# 12| mu0_1() = AliasedDefinition : +# 12| mu0_2() = UnmodeledDefinition : # 12| r0_3(glval) = InitializeThis : # 6| r0_4(glval) = VariableAddress[index] : # 6| mu0_5(Int32) = InitializeParameter[index] : &:r0_4 @@ -747,55 +770,57 @@ indexers.cs: # 14| mu0_16(String) = Store : &:r0_15, r0_9 # 12| v0_17(Void) = ReturnVoid : # 12| v0_18(Void) = UnmodeledUse : mu* -# 12| v0_19(Void) = ExitFunction : +# 12| v0_19(Void) = AliasedUse : ~mu0_2 +# 12| v0_20(Void) = ExitFunction : # 19| System.Void Indexers.Main() # 19| Block 0 # 19| v0_0(Void) = EnterFunction : -# 19| mu0_1(null) = AliasedDefinition : -# 19| mu0_2(null) = UnmodeledDefinition : +# 19| mu0_1() = AliasedDefinition : +# 19| mu0_2() = UnmodeledDefinition : # 21| r0_3(glval) = VariableAddress[inst] : # 21| r0_4(MyClass) = NewObj : -# 21| r0_5(glval) = FunctionAddress[MyClass] : +# 21| r0_5() = FunctionAddress[MyClass] : # 21| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 21| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 21| mu0_7() = ^CallSideEffect : ~mu0_2 # 21| mu0_8(MyClass) = Store : &:r0_3, r0_4 # 22| r0_9(glval) = VariableAddress[inst] : # 22| r0_10(MyClass) = Load : &:r0_9, ~mu0_2 -# 22| r0_11(glval) = FunctionAddress[set_Item] : +# 22| r0_11() = FunctionAddress[set_Item] : # 22| r0_12(Int32) = Constant[0] : # 22| r0_13(String) = StringConstant["str1"] : # 22| v0_14(Void) = Call : func:r0_11, this:r0_10, 0:r0_12, 1:r0_13 -# 22| mu0_15(null) = ^CallSideEffect : ~mu0_2 +# 22| mu0_15() = ^CallSideEffect : ~mu0_2 # 23| r0_16(glval) = VariableAddress[inst] : # 23| r0_17(MyClass) = Load : &:r0_16, ~mu0_2 -# 23| r0_18(glval) = FunctionAddress[set_Item] : +# 23| r0_18() = FunctionAddress[set_Item] : # 23| r0_19(Int32) = Constant[1] : # 23| r0_20(String) = StringConstant["str1"] : # 23| v0_21(Void) = Call : func:r0_18, this:r0_17, 0:r0_19, 1:r0_20 -# 23| mu0_22(null) = ^CallSideEffect : ~mu0_2 +# 23| mu0_22() = ^CallSideEffect : ~mu0_2 # 24| r0_23(glval) = VariableAddress[inst] : # 24| r0_24(MyClass) = Load : &:r0_23, ~mu0_2 -# 24| r0_25(glval) = FunctionAddress[set_Item] : +# 24| r0_25() = FunctionAddress[set_Item] : # 24| r0_26(Int32) = Constant[1] : # 24| r0_27(glval) = VariableAddress[inst] : # 24| r0_28(MyClass) = Load : &:r0_27, ~mu0_2 -# 24| r0_29(glval) = FunctionAddress[get_Item] : +# 24| r0_29() = FunctionAddress[get_Item] : # 24| r0_30(Int32) = Constant[0] : # 24| r0_31(String) = Call : func:r0_29, this:r0_28, 0:r0_30 -# 24| mu0_32(null) = ^CallSideEffect : ~mu0_2 +# 24| mu0_32() = ^CallSideEffect : ~mu0_2 # 24| v0_33(Void) = Call : func:r0_25, this:r0_24, 0:r0_26, 1:r0_31 -# 24| mu0_34(null) = ^CallSideEffect : ~mu0_2 +# 24| mu0_34() = ^CallSideEffect : ~mu0_2 # 19| v0_35(Void) = ReturnVoid : # 19| v0_36(Void) = UnmodeledUse : mu* -# 19| v0_37(Void) = ExitFunction : +# 19| v0_37(Void) = AliasedUse : ~mu0_2 +# 19| v0_38(Void) = ExitFunction : inheritance_polymorphism.cs: # 3| System.Int32 A.function() # 3| Block 0 # 3| v0_0(Void) = EnterFunction : -# 3| mu0_1(null) = AliasedDefinition : -# 3| mu0_2(null) = UnmodeledDefinition : +# 3| mu0_1() = AliasedDefinition : +# 3| mu0_2() = UnmodeledDefinition : # 3| r0_3(glval) = InitializeThis : # 5| r0_4(glval) = VariableAddress[#return] : # 5| r0_5(Int32) = Constant[0] : @@ -803,13 +828,14 @@ inheritance_polymorphism.cs: # 3| r0_7(glval) = VariableAddress[#return] : # 3| v0_8(Void) = ReturnValue : &:r0_7, ~mu0_2 # 3| v0_9(Void) = UnmodeledUse : mu* -# 3| v0_10(Void) = ExitFunction : +# 3| v0_10(Void) = AliasedUse : ~mu0_2 +# 3| v0_11(Void) = ExitFunction : # 15| System.Int32 C.function() # 15| Block 0 # 15| v0_0(Void) = EnterFunction : -# 15| mu0_1(null) = AliasedDefinition : -# 15| mu0_2(null) = UnmodeledDefinition : +# 15| mu0_1() = AliasedDefinition : +# 15| mu0_2() = UnmodeledDefinition : # 15| r0_3(glval) = InitializeThis : # 17| r0_4(glval) = VariableAddress[#return] : # 17| r0_5(Int32) = Constant[1] : @@ -817,58 +843,60 @@ inheritance_polymorphism.cs: # 15| r0_7(glval) = VariableAddress[#return] : # 15| v0_8(Void) = ReturnValue : &:r0_7, ~mu0_2 # 15| v0_9(Void) = UnmodeledUse : mu* -# 15| v0_10(Void) = ExitFunction : +# 15| v0_10(Void) = AliasedUse : ~mu0_2 +# 15| v0_11(Void) = ExitFunction : # 23| System.Void Program.Main() # 23| Block 0 -# 23| v0_0(Void) = EnterFunction : -# 23| mu0_1(null) = AliasedDefinition : -# 23| mu0_2(null) = UnmodeledDefinition : -# 25| r0_3(glval) = VariableAddress[objB] : -# 25| r0_4(B) = NewObj : -# 25| r0_5(glval) = FunctionAddress[B] : -# 25| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 25| mu0_7(null) = ^CallSideEffect : ~mu0_2 -# 25| mu0_8(B) = Store : &:r0_3, r0_4 -# 26| r0_9(glval) = VariableAddress[objB] : -# 26| r0_10(B) = Load : &:r0_9, ~mu0_2 -# 26| r0_11(glval) = FunctionAddress[function] : -# 26| r0_12(Int32) = Call : func:r0_11, this:r0_10 -# 26| mu0_13(null) = ^CallSideEffect : ~mu0_2 -# 29| r0_14(glval) = VariableAddress[objA] : -# 29| mu0_15(A) = Uninitialized[objA] : &:r0_14 -# 30| r0_16(glval) = VariableAddress[objB] : -# 30| r0_17(B) = Load : &:r0_16, ~mu0_2 -# 30| r0_18(A) = Convert : r0_17 -# 30| r0_19(glval) = VariableAddress[objA] : -# 30| mu0_20(A) = Store : &:r0_19, r0_18 -# 31| r0_21(glval) = VariableAddress[objA] : -# 31| r0_22(A) = Load : &:r0_21, ~mu0_2 -# 31| r0_23(glval) = FunctionAddress[function] : -# 31| r0_24(Int32) = Call : func:r0_23, this:r0_22 -# 31| mu0_25(null) = ^CallSideEffect : ~mu0_2 -# 33| r0_26(glval) = VariableAddress[objC] : -# 33| r0_27(C) = NewObj : -# 33| r0_28(glval) = FunctionAddress[C] : -# 33| v0_29(Void) = Call : func:r0_28, this:r0_27 -# 33| mu0_30(null) = ^CallSideEffect : ~mu0_2 -# 33| r0_31(A) = Convert : r0_27 -# 33| mu0_32(A) = Store : &:r0_26, r0_27 -# 34| r0_33(glval) = VariableAddress[objC] : -# 34| r0_34(A) = Load : &:r0_33, ~mu0_2 -# 34| r0_35(glval) = FunctionAddress[function] : -# 34| r0_36(Int32) = Call : func:r0_35, this:r0_34 -# 34| mu0_37(null) = ^CallSideEffect : ~mu0_2 -# 23| v0_38(Void) = ReturnVoid : -# 23| v0_39(Void) = UnmodeledUse : mu* -# 23| v0_40(Void) = ExitFunction : +# 23| v0_0(Void) = EnterFunction : +# 23| mu0_1() = AliasedDefinition : +# 23| mu0_2() = UnmodeledDefinition : +# 25| r0_3(glval) = VariableAddress[objB] : +# 25| r0_4(B) = NewObj : +# 25| r0_5() = FunctionAddress[B] : +# 25| v0_6(Void) = Call : func:r0_5, this:r0_4 +# 25| mu0_7() = ^CallSideEffect : ~mu0_2 +# 25| mu0_8(B) = Store : &:r0_3, r0_4 +# 26| r0_9(glval) = VariableAddress[objB] : +# 26| r0_10(B) = Load : &:r0_9, ~mu0_2 +# 26| r0_11() = FunctionAddress[function] : +# 26| r0_12(Int32) = Call : func:r0_11, this:r0_10 +# 26| mu0_13() = ^CallSideEffect : ~mu0_2 +# 29| r0_14(glval) = VariableAddress[objA] : +# 29| mu0_15(A) = Uninitialized[objA] : &:r0_14 +# 30| r0_16(glval) = VariableAddress[objB] : +# 30| r0_17(B) = Load : &:r0_16, ~mu0_2 +# 30| r0_18(A) = Convert : r0_17 +# 30| r0_19(glval) = VariableAddress[objA] : +# 30| mu0_20(A) = Store : &:r0_19, r0_18 +# 31| r0_21(glval) = VariableAddress[objA] : +# 31| r0_22(A) = Load : &:r0_21, ~mu0_2 +# 31| r0_23() = FunctionAddress[function] : +# 31| r0_24(Int32) = Call : func:r0_23, this:r0_22 +# 31| mu0_25() = ^CallSideEffect : ~mu0_2 +# 33| r0_26(glval) = VariableAddress[objC] : +# 33| r0_27(C) = NewObj : +# 33| r0_28() = FunctionAddress[C] : +# 33| v0_29(Void) = Call : func:r0_28, this:r0_27 +# 33| mu0_30() = ^CallSideEffect : ~mu0_2 +# 33| r0_31(A) = Convert : r0_27 +# 33| mu0_32(A) = Store : &:r0_26, r0_27 +# 34| r0_33(glval) = VariableAddress[objC] : +# 34| r0_34(A) = Load : &:r0_33, ~mu0_2 +# 34| r0_35() = FunctionAddress[function] : +# 34| r0_36(Int32) = Call : func:r0_35, this:r0_34 +# 34| mu0_37() = ^CallSideEffect : ~mu0_2 +# 23| v0_38(Void) = ReturnVoid : +# 23| v0_39(Void) = UnmodeledUse : mu* +# 23| v0_40(Void) = AliasedUse : ~mu0_2 +# 23| v0_41(Void) = ExitFunction : inoutref.cs: # 11| System.Void InOutRef.set(MyClass,MyClass) # 11| Block 0 # 11| v0_0(Void) = EnterFunction : -# 11| mu0_1(null) = AliasedDefinition : -# 11| mu0_2(null) = UnmodeledDefinition : +# 11| mu0_1() = AliasedDefinition : +# 11| mu0_2() = UnmodeledDefinition : # 11| r0_3(glval) = VariableAddress[o1] : # 11| mu0_4(MyClass) = InitializeParameter[o1] : &:r0_3 # 11| r0_5(glval) = VariableAddress[o2] : @@ -880,13 +908,14 @@ inoutref.cs: # 13| mu0_11(MyClass) = Store : &:r0_10, r0_8 # 11| v0_12(Void) = ReturnVoid : # 11| v0_13(Void) = UnmodeledUse : mu* -# 11| v0_14(Void) = ExitFunction : +# 11| v0_14(Void) = AliasedUse : ~mu0_2 +# 11| v0_15(Void) = ExitFunction : # 16| System.Void InOutRef.F(System.Int32,MyStruct,MyStruct,MyClass,MyClass) # 16| Block 0 # 16| v0_0(Void) = EnterFunction : -# 16| mu0_1(null) = AliasedDefinition : -# 16| mu0_2(null) = UnmodeledDefinition : +# 16| mu0_1() = AliasedDefinition : +# 16| mu0_2() = UnmodeledDefinition : # 16| r0_3(glval) = VariableAddress[a] : # 16| mu0_4(Int32) = InitializeParameter[a] : &:r0_3 # 16| r0_5(glval) = VariableAddress[b] : @@ -929,47 +958,48 @@ inoutref.cs: # 24| r0_42(glval) = VariableAddress[b] : # 24| r0_43(MyStruct) = Load : &:r0_42, ~mu0_2 # 24| mu0_44(MyStruct) = Store : &:r0_43, r0_41 -# 26| r0_45(glval) = FunctionAddress[set] : +# 26| r0_45() = FunctionAddress[set] : # 26| r0_46(glval) = VariableAddress[c] : # 26| r0_47(MyClass) = Load : &:r0_46, ~mu0_2 # 26| r0_48(glval) = VariableAddress[c1] : # 26| r0_49(MyClass) = Load : &:r0_48, ~mu0_2 # 26| r0_50(MyClass) = Load : &:r0_49, ~mu0_2 # 26| v0_51(Void) = Call : func:r0_45, 0:r0_47, 1:r0_50 -# 26| mu0_52(null) = ^CallSideEffect : ~mu0_2 +# 26| mu0_52() = ^CallSideEffect : ~mu0_2 # 16| v0_53(Void) = ReturnVoid : # 16| v0_54(Void) = UnmodeledUse : mu* -# 16| v0_55(Void) = ExitFunction : +# 16| v0_55(Void) = AliasedUse : ~mu0_2 +# 16| v0_56(Void) = ExitFunction : # 29| System.Void InOutRef.Main() # 29| Block 0 # 29| v0_0(Void) = EnterFunction : -# 29| mu0_1(null) = AliasedDefinition : -# 29| mu0_2(null) = UnmodeledDefinition : +# 29| mu0_1() = AliasedDefinition : +# 29| mu0_2() = UnmodeledDefinition : # 31| r0_3(glval) = VariableAddress[a] : # 31| r0_4(Int32) = Constant[0] : # 31| mu0_5(Int32) = Store : &:r0_3, r0_4 # 32| r0_6(glval) = VariableAddress[b] : # 32| r0_7(MyStruct) = NewObj : -# 32| r0_8(glval) = FunctionAddress[MyStruct] : +# 32| r0_8() = FunctionAddress[MyStruct] : # 32| v0_9(Void) = Call : func:r0_8, this:r0_7 -# 32| mu0_10(null) = ^CallSideEffect : ~mu0_2 +# 32| mu0_10() = ^CallSideEffect : ~mu0_2 # 32| r0_11(MyStruct) = Load : &:r0_7, ~mu0_2 # 32| mu0_12(MyStruct) = Store : &:r0_6, r0_11 # 33| r0_13(glval) = VariableAddress[c] : # 33| r0_14(MyClass) = NewObj : -# 33| r0_15(glval) = FunctionAddress[MyClass] : +# 33| r0_15() = FunctionAddress[MyClass] : # 33| v0_16(Void) = Call : func:r0_15, this:r0_14 -# 33| mu0_17(null) = ^CallSideEffect : ~mu0_2 +# 33| mu0_17() = ^CallSideEffect : ~mu0_2 # 33| mu0_18(MyClass) = Store : &:r0_13, r0_14 -# 34| r0_19(glval) = FunctionAddress[F] : +# 34| r0_19() = FunctionAddress[F] : # 34| r0_20(glval) = VariableAddress[a] : # 34| r0_21(glval) = VariableAddress[b] : # 34| r0_22(glval) = VariableAddress[b] : # 34| r0_23(glval) = VariableAddress[c] : # 34| r0_24(glval) = VariableAddress[c] : # 34| v0_25(Void) = Call : func:r0_19, 0:r0_20, 1:r0_21, 2:r0_22, 3:r0_23, 4:r0_24 -# 34| mu0_26(null) = ^CallSideEffect : ~mu0_2 +# 34| mu0_26() = ^CallSideEffect : ~mu0_2 # 36| r0_27(glval) = VariableAddress[x] : # 36| r0_28(glval) = VariableAddress[b] : # 36| r0_29(glval) = FieldAddress[fld] : r0_28 @@ -977,14 +1007,15 @@ inoutref.cs: # 36| mu0_31(Int32) = Store : &:r0_27, r0_30 # 29| v0_32(Void) = ReturnVoid : # 29| v0_33(Void) = UnmodeledUse : mu* -# 29| v0_34(Void) = ExitFunction : +# 29| v0_34(Void) = AliasedUse : ~mu0_2 +# 29| v0_35(Void) = ExitFunction : isexpr.cs: # 8| System.Void IsExpr.Main() # 8| Block 0 # 8| v0_0(Void) = EnterFunction : -# 8| mu0_1(null) = AliasedDefinition : -# 8| mu0_2(null) = UnmodeledDefinition : +# 8| mu0_1() = AliasedDefinition : +# 8| mu0_2() = UnmodeledDefinition : # 10| r0_3(glval) = VariableAddress[obj] : # 10| r0_4(null) = Constant[null] : # 10| r0_5(Is_A) = Convert : r0_4 @@ -1008,7 +1039,8 @@ isexpr.cs: # 8| Block 1 # 8| v1_0(Void) = ReturnVoid : # 8| v1_1(Void) = UnmodeledUse : mu* -# 8| v1_2(Void) = ExitFunction : +# 8| v1_2(Void) = AliasedUse : ~mu0_2 +# 8| v1_3(Void) = ExitFunction : # 13| Block 2 # 13| v2_0(Void) = ConditionalBranch : r0_18 @@ -1046,8 +1078,8 @@ jumps.cs: # 5| System.Void Jumps.Main() # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = VariableAddress[i] : # 7| r0_4(Int32) = Constant[1] : # 7| mu0_5(Int32) = Store : &:r0_3, r0_4 @@ -1089,10 +1121,10 @@ jumps.cs: #-----| Goto -> Block 7 # 13| Block 6 -# 13| r6_0(glval) = FunctionAddress[WriteLine] : -# 13| r6_1(String) = StringConstant["BreakAndContinue"] : -# 13| v6_2(Void) = Call : func:r6_0, 0:r6_1 -# 13| mu6_3(null) = ^CallSideEffect : ~mu0_2 +# 13| r6_0() = FunctionAddress[WriteLine] : +# 13| r6_1(String) = StringConstant["BreakAndContinue"] : +# 13| v6_2(Void) = Call : func:r6_0, 0:r6_1 +# 13| mu6_3() = ^CallSideEffect : ~mu0_2 #-----| Goto -> Block 19 # 16| Block 7 @@ -1207,26 +1239,27 @@ jumps.cs: #-----| Goto -> Block 22 # 37| Block 22 -# 37| v22_0(Void) = NoOp : -# 38| r22_1(glval) = FunctionAddress[WriteLine] : -# 38| r22_2(String) = StringConstant["Done"] : -# 38| v22_3(Void) = Call : func:r22_1, 0:r22_2 -# 38| mu22_4(null) = ^CallSideEffect : ~mu0_2 -# 5| v22_5(Void) = ReturnVoid : -# 5| v22_6(Void) = UnmodeledUse : mu* -# 5| v22_7(Void) = ExitFunction : +# 37| v22_0(Void) = NoOp : +# 38| r22_1() = FunctionAddress[WriteLine] : +# 38| r22_2(String) = StringConstant["Done"] : +# 38| v22_3(Void) = Call : func:r22_1, 0:r22_2 +# 38| mu22_4() = ^CallSideEffect : ~mu0_2 +# 5| v22_5(Void) = ReturnVoid : +# 5| v22_6(Void) = UnmodeledUse : mu* +# 5| v22_7(Void) = AliasedUse : ~mu0_2 +# 5| v22_8(Void) = ExitFunction : lock.cs: # 5| System.Void LockTest.A() # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = VariableAddress[object] : # 7| r0_4(Object) = NewObj : -# 7| r0_5(glval) = FunctionAddress[Object] : +# 7| r0_5() = FunctionAddress[Object] : # 7| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 7| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 7| mu0_7() = ^CallSideEffect : ~mu0_2 # 7| mu0_8(Object) = Store : &:r0_3, r0_4 # 8| r0_9(glval) = VariableAddress[#temp8:9] : # 8| r0_10(glval) = VariableAddress[object] : @@ -1235,20 +1268,20 @@ lock.cs: # 8| r0_13(glval) = VariableAddress[#temp8:9] : # 8| r0_14(Boolean) = Constant[false] : # 8| mu0_15(Boolean) = Store : &:r0_13, r0_14 -# 8| r0_16(glval) = FunctionAddress[Enter] : +# 8| r0_16() = FunctionAddress[Enter] : # 8| r0_17(glval) = VariableAddress[#temp8:9] : # 8| r0_18(Object) = Load : &:r0_17, ~mu0_2 # 8| r0_19(glval) = VariableAddress[#temp8:9] : # 8| v0_20(Void) = Call : func:r0_16, 0:r0_18, 1:r0_19 -# 8| mu0_21(null) = ^CallSideEffect : ~mu0_2 -# 10| r0_22(glval) = FunctionAddress[WriteLine] : +# 8| mu0_21() = ^CallSideEffect : ~mu0_2 +# 10| r0_22() = FunctionAddress[WriteLine] : # 10| r0_23(glval) = VariableAddress[object] : # 10| r0_24(Object) = Load : &:r0_23, ~mu0_2 -# 10| r0_25(glval) = FunctionAddress[ToString] : +# 10| r0_25() = FunctionAddress[ToString] : # 10| r0_26(String) = Call : func:r0_25, this:r0_24 -# 10| mu0_27(null) = ^CallSideEffect : ~mu0_2 +# 10| mu0_27() = ^CallSideEffect : ~mu0_2 # 10| v0_28(Void) = Call : func:r0_22, 0:r0_26 -# 10| mu0_29(null) = ^CallSideEffect : ~mu0_2 +# 10| mu0_29() = ^CallSideEffect : ~mu0_2 # 8| r0_30(glval) = VariableAddress[#temp8:9] : # 8| r0_31(Boolean) = Load : &:r0_30, ~mu0_2 # 8| v0_32(Void) = ConditionalBranch : r0_31 @@ -1258,33 +1291,35 @@ lock.cs: # 5| Block 1 # 5| v1_0(Void) = ReturnVoid : # 5| v1_1(Void) = UnmodeledUse : mu* -# 5| v1_2(Void) = ExitFunction : +# 5| v1_2(Void) = AliasedUse : ~mu0_2 +# 5| v1_3(Void) = ExitFunction : # 8| Block 2 -# 8| r2_0(glval) = FunctionAddress[Exit] : +# 8| r2_0() = FunctionAddress[Exit] : # 8| r2_1(glval) = VariableAddress[#temp8:9] : # 8| r2_2(Object) = Load : &:r2_1, ~mu0_2 # 8| v2_3(Void) = Call : func:r2_0, 0:r2_2 -# 8| mu2_4(null) = ^CallSideEffect : ~mu0_2 +# 8| mu2_4() = ^CallSideEffect : ~mu0_2 #-----| Goto -> Block 1 obj_creation.cs: # 7| System.Void ObjCreation.MyClass..ctor() # 7| Block 0 # 7| v0_0(Void) = EnterFunction : -# 7| mu0_1(null) = AliasedDefinition : -# 7| mu0_2(null) = UnmodeledDefinition : +# 7| mu0_1() = AliasedDefinition : +# 7| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = InitializeThis : # 8| v0_4(Void) = NoOp : # 7| v0_5(Void) = ReturnVoid : # 7| v0_6(Void) = UnmodeledUse : mu* -# 7| v0_7(Void) = ExitFunction : +# 7| v0_7(Void) = AliasedUse : ~mu0_2 +# 7| v0_8(Void) = ExitFunction : # 11| System.Void ObjCreation.MyClass..ctor(System.Int32) # 11| Block 0 # 11| v0_0(Void) = EnterFunction : -# 11| mu0_1(null) = AliasedDefinition : -# 11| mu0_2(null) = UnmodeledDefinition : +# 11| mu0_1() = AliasedDefinition : +# 11| mu0_2() = UnmodeledDefinition : # 11| r0_3(glval) = InitializeThis : # 11| r0_4(glval) = VariableAddress[_x] : # 11| mu0_5(Int32) = InitializeParameter[_x] : &:r0_4 @@ -1295,37 +1330,39 @@ obj_creation.cs: # 13| mu0_10(Int32) = Store : &:r0_9, r0_7 # 11| v0_11(Void) = ReturnVoid : # 11| v0_12(Void) = UnmodeledUse : mu* -# 11| v0_13(Void) = ExitFunction : +# 11| v0_13(Void) = AliasedUse : ~mu0_2 +# 11| v0_14(Void) = ExitFunction : # 17| System.Void ObjCreation.SomeFun(ObjCreation.MyClass) # 17| Block 0 # 17| v0_0(Void) = EnterFunction : -# 17| mu0_1(null) = AliasedDefinition : -# 17| mu0_2(null) = UnmodeledDefinition : +# 17| mu0_1() = AliasedDefinition : +# 17| mu0_2() = UnmodeledDefinition : # 17| r0_3(glval) = VariableAddress[x] : # 17| mu0_4(MyClass) = InitializeParameter[x] : &:r0_3 # 18| v0_5(Void) = NoOp : # 17| v0_6(Void) = ReturnVoid : # 17| v0_7(Void) = UnmodeledUse : mu* -# 17| v0_8(Void) = ExitFunction : +# 17| v0_8(Void) = AliasedUse : ~mu0_2 +# 17| v0_9(Void) = ExitFunction : # 21| System.Void ObjCreation.Main() # 21| Block 0 # 21| v0_0(Void) = EnterFunction : -# 21| mu0_1(null) = AliasedDefinition : -# 21| mu0_2(null) = UnmodeledDefinition : +# 21| mu0_1() = AliasedDefinition : +# 21| mu0_2() = UnmodeledDefinition : # 23| r0_3(glval) = VariableAddress[obj] : # 23| r0_4(MyClass) = NewObj : -# 23| r0_5(glval) = FunctionAddress[MyClass] : +# 23| r0_5() = FunctionAddress[MyClass] : # 23| r0_6(Int32) = Constant[100] : # 23| v0_7(Void) = Call : func:r0_5, this:r0_4, 0:r0_6 -# 23| mu0_8(null) = ^CallSideEffect : ~mu0_2 +# 23| mu0_8() = ^CallSideEffect : ~mu0_2 # 23| mu0_9(MyClass) = Store : &:r0_3, r0_4 # 24| r0_10(glval) = VariableAddress[obj_initlist] : # 24| r0_11(MyClass) = NewObj : -# 24| r0_12(glval) = FunctionAddress[MyClass] : +# 24| r0_12() = FunctionAddress[MyClass] : # 24| v0_13(Void) = Call : func:r0_12, this:r0_11 -# 24| mu0_14(null) = ^CallSideEffect : ~mu0_2 +# 24| mu0_14() = ^CallSideEffect : ~mu0_2 # 24| r0_15(Int32) = Constant[101] : # 24| r0_16(glval) = FieldAddress[x] : r0_11 # 24| mu0_17(Int32) = Store : &:r0_16, r0_15 @@ -1336,32 +1373,33 @@ obj_creation.cs: # 25| r0_22(glval) = FieldAddress[x] : r0_21 # 25| r0_23(Int32) = Load : &:r0_22, ~mu0_2 # 25| mu0_24(Int32) = Store : &:r0_19, r0_23 -# 27| r0_25(glval) = FunctionAddress[SomeFun] : +# 27| r0_25() = FunctionAddress[SomeFun] : # 27| r0_26(MyClass) = NewObj : -# 27| r0_27(glval) = FunctionAddress[MyClass] : +# 27| r0_27() = FunctionAddress[MyClass] : # 27| r0_28(Int32) = Constant[100] : # 27| v0_29(Void) = Call : func:r0_27, this:r0_26, 0:r0_28 -# 27| mu0_30(null) = ^CallSideEffect : ~mu0_2 +# 27| mu0_30() = ^CallSideEffect : ~mu0_2 # 27| v0_31(Void) = Call : func:r0_25, 0:r0_26 -# 27| mu0_32(null) = ^CallSideEffect : ~mu0_2 +# 27| mu0_32() = ^CallSideEffect : ~mu0_2 # 21| v0_33(Void) = ReturnVoid : # 21| v0_34(Void) = UnmodeledUse : mu* -# 21| v0_35(Void) = ExitFunction : +# 21| v0_35(Void) = AliasedUse : ~mu0_2 +# 21| v0_36(Void) = ExitFunction : pointers.cs: # 3| System.Void Pointers.addone(System.Int32[]) # 3| Block 0 # 3| v0_0(Void) = EnterFunction : -# 3| mu0_1(null) = AliasedDefinition : -# 3| mu0_2(null) = UnmodeledDefinition : +# 3| mu0_1() = AliasedDefinition : +# 3| mu0_2() = UnmodeledDefinition : # 3| r0_3(glval) = VariableAddress[arr] : # 3| mu0_4(Int32[]) = InitializeParameter[arr] : &:r0_3 # 5| r0_5(glval) = VariableAddress[length] : # 5| r0_6(glval) = VariableAddress[arr] : # 5| r0_7(Int32[]) = Load : &:r0_6, ~mu0_2 -# 5| r0_8(glval) = FunctionAddress[get_Length] : +# 5| r0_8() = FunctionAddress[get_Length] : # 5| r0_9(Int32) = Call : func:r0_8, this:r0_7 -# 5| mu0_10(null) = ^CallSideEffect : ~mu0_2 +# 5| mu0_10() = ^CallSideEffect : ~mu0_2 # 5| mu0_11(Int32) = Store : &:r0_5, r0_9 # 6| r0_12(glval) = VariableAddress[b] : # 6| r0_13(glval) = VariableAddress[arr] : @@ -1380,7 +1418,8 @@ pointers.cs: # 3| Block 1 # 3| v1_0(Void) = ReturnVoid : # 3| v1_1(Void) = UnmodeledUse : mu* -# 3| v1_2(Void) = ExitFunction : +# 3| v1_2(Void) = AliasedUse : ~mu0_2 +# 3| v1_3(Void) = ExitFunction : # 9| Block 2 # 9| r2_0(glval) = VariableAddress[i] : @@ -1412,19 +1451,19 @@ pointers.cs: # 25| System.Void Pointers.Main() # 25| Block 0 # 25| v0_0(Void) = EnterFunction : -# 25| mu0_1(null) = AliasedDefinition : -# 25| mu0_2(null) = UnmodeledDefinition : +# 25| mu0_1() = AliasedDefinition : +# 25| mu0_2() = UnmodeledDefinition : # 26| r0_3(glval) = VariableAddress[o] : # 26| r0_4(MyClass) = NewObj : -# 26| r0_5(glval) = FunctionAddress[MyClass] : +# 26| r0_5() = FunctionAddress[MyClass] : # 26| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 26| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 26| mu0_7() = ^CallSideEffect : ~mu0_2 # 26| mu0_8(MyClass) = Store : &:r0_3, r0_4 # 27| r0_9(glval) = VariableAddress[s] : # 27| r0_10(MyStruct) = NewObj : -# 27| r0_11(glval) = FunctionAddress[MyStruct] : +# 27| r0_11() = FunctionAddress[MyStruct] : # 27| v0_12(Void) = Call : func:r0_11, this:r0_10 -# 27| mu0_13(null) = ^CallSideEffect : ~mu0_2 +# 27| mu0_13() = ^CallSideEffect : ~mu0_2 # 27| r0_14(MyStruct) = Load : &:r0_10, ~mu0_2 # 27| mu0_15(MyStruct) = Store : &:r0_9, r0_14 # 30| r0_16(glval) = VariableAddress[p] : @@ -1468,38 +1507,40 @@ pointers.cs: # 39| r0_54(glval) = PointerAdd[4] : r0_43, r0_53 # 39| r0_55(Int32) = Constant[3] : # 39| mu0_56(Int32) = Store : &:r0_54, r0_55 -# 40| r0_57(glval) = FunctionAddress[addone] : +# 40| r0_57() = FunctionAddress[addone] : # 40| r0_58(glval) = VariableAddress[arr] : # 40| r0_59(Int32[]) = Load : &:r0_58, ~mu0_2 # 40| v0_60(Void) = Call : func:r0_57, 0:r0_59 -# 40| mu0_61(null) = ^CallSideEffect : ~mu0_2 +# 40| mu0_61() = ^CallSideEffect : ~mu0_2 # 25| v0_62(Void) = ReturnVoid : # 25| v0_63(Void) = UnmodeledUse : mu* -# 25| v0_64(Void) = ExitFunction : +# 25| v0_64(Void) = AliasedUse : ~mu0_2 +# 25| v0_65(Void) = ExitFunction : prop.cs: # 7| System.Int32 PropClass.get_Prop() # 7| Block 0 # 7| v0_0(Void) = EnterFunction : -# 7| mu0_1(null) = AliasedDefinition : -# 7| mu0_2(null) = UnmodeledDefinition : +# 7| mu0_1() = AliasedDefinition : +# 7| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = InitializeThis : # 9| r0_4(glval) = VariableAddress[#return] : # 9| r0_5(PropClass) = CopyValue : r0_3 -# 9| r0_6(glval) = FunctionAddress[func] : +# 9| r0_6() = FunctionAddress[func] : # 9| r0_7(Int32) = Call : func:r0_6, this:r0_5 -# 9| mu0_8(null) = ^CallSideEffect : ~mu0_2 +# 9| mu0_8() = ^CallSideEffect : ~mu0_2 # 9| mu0_9(Int32) = Store : &:r0_4, r0_7 # 7| r0_10(glval) = VariableAddress[#return] : # 7| v0_11(Void) = ReturnValue : &:r0_10, ~mu0_2 # 7| v0_12(Void) = UnmodeledUse : mu* -# 7| v0_13(Void) = ExitFunction : +# 7| v0_13(Void) = AliasedUse : ~mu0_2 +# 7| v0_14(Void) = ExitFunction : # 12| System.Void PropClass.set_Prop(System.Int32) # 12| Block 0 # 12| v0_0(Void) = EnterFunction : -# 12| mu0_1(null) = AliasedDefinition : -# 12| mu0_2(null) = UnmodeledDefinition : +# 12| mu0_1() = AliasedDefinition : +# 12| mu0_2() = UnmodeledDefinition : # 12| r0_3(glval) = InitializeThis : # 12| r0_4(glval) = VariableAddress[value] : # 12| mu0_5(Int32) = InitializeParameter[value] : &:r0_4 @@ -1509,13 +1550,14 @@ prop.cs: # 14| mu0_9(Int32) = Store : &:r0_8, r0_7 # 12| v0_10(Void) = ReturnVoid : # 12| v0_11(Void) = UnmodeledUse : mu* -# 12| v0_12(Void) = ExitFunction : +# 12| v0_12(Void) = AliasedUse : ~mu0_2 +# 12| v0_13(Void) = ExitFunction : # 18| System.Int32 PropClass.func() # 18| Block 0 # 18| v0_0(Void) = EnterFunction : -# 18| mu0_1(null) = AliasedDefinition : -# 18| mu0_2(null) = UnmodeledDefinition : +# 18| mu0_1() = AliasedDefinition : +# 18| mu0_2() = UnmodeledDefinition : # 18| r0_3(glval) = InitializeThis : # 20| r0_4(glval) = VariableAddress[#return] : # 20| r0_5(Int32) = Constant[0] : @@ -1523,86 +1565,91 @@ prop.cs: # 18| r0_7(glval) = VariableAddress[#return] : # 18| v0_8(Void) = ReturnValue : &:r0_7, ~mu0_2 # 18| v0_9(Void) = UnmodeledUse : mu* -# 18| v0_10(Void) = ExitFunction : +# 18| v0_10(Void) = AliasedUse : ~mu0_2 +# 18| v0_11(Void) = ExitFunction : # 26| System.Void Prog.Main() # 26| Block 0 # 26| v0_0(Void) = EnterFunction : -# 26| mu0_1(null) = AliasedDefinition : -# 26| mu0_2(null) = UnmodeledDefinition : +# 26| mu0_1() = AliasedDefinition : +# 26| mu0_2() = UnmodeledDefinition : # 28| r0_3(glval) = VariableAddress[obj] : # 28| r0_4(PropClass) = NewObj : -# 28| r0_5(glval) = FunctionAddress[PropClass] : +# 28| r0_5() = FunctionAddress[PropClass] : # 28| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 28| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 28| mu0_7() = ^CallSideEffect : ~mu0_2 # 28| mu0_8(PropClass) = Store : &:r0_3, r0_4 # 29| r0_9(glval) = VariableAddress[obj] : # 29| r0_10(PropClass) = Load : &:r0_9, ~mu0_2 -# 29| r0_11(glval) = FunctionAddress[set_Prop] : +# 29| r0_11() = FunctionAddress[set_Prop] : # 29| r0_12(Int32) = Constant[5] : # 29| v0_13(Void) = Call : func:r0_11, this:r0_10, 0:r0_12 -# 29| mu0_14(null) = ^CallSideEffect : ~mu0_2 +# 29| mu0_14() = ^CallSideEffect : ~mu0_2 # 30| r0_15(glval) = VariableAddress[x] : # 30| r0_16(glval) = VariableAddress[obj] : # 30| r0_17(PropClass) = Load : &:r0_16, ~mu0_2 -# 30| r0_18(glval) = FunctionAddress[get_Prop] : +# 30| r0_18() = FunctionAddress[get_Prop] : # 30| r0_19(Int32) = Call : func:r0_18, this:r0_17 -# 30| mu0_20(null) = ^CallSideEffect : ~mu0_2 +# 30| mu0_20() = ^CallSideEffect : ~mu0_2 # 30| mu0_21(Int32) = Store : &:r0_15, r0_19 # 26| v0_22(Void) = ReturnVoid : # 26| v0_23(Void) = UnmodeledUse : mu* -# 26| v0_24(Void) = ExitFunction : +# 26| v0_24(Void) = AliasedUse : ~mu0_2 +# 26| v0_25(Void) = ExitFunction : simple_call.cs: # 5| System.Int32 test_simple_call.f() # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = VariableAddress[#return] : # 7| r0_4(Int32) = Constant[0] : # 7| mu0_5(Int32) = Store : &:r0_3, r0_4 # 5| r0_6(glval) = VariableAddress[#return] : # 5| v0_7(Void) = ReturnValue : &:r0_6, ~mu0_2 # 5| v0_8(Void) = UnmodeledUse : mu* -# 5| v0_9(Void) = ExitFunction : +# 5| v0_9(Void) = AliasedUse : ~mu0_2 +# 5| v0_10(Void) = ExitFunction : # 10| System.Int32 test_simple_call.g() # 10| Block 0 # 10| v0_0(Void) = EnterFunction : -# 10| mu0_1(null) = AliasedDefinition : -# 10| mu0_2(null) = UnmodeledDefinition : +# 10| mu0_1() = AliasedDefinition : +# 10| mu0_2() = UnmodeledDefinition : # 10| r0_3(glval) = InitializeThis : # 12| r0_4(glval) = VariableAddress[#return] : -# 12| r0_5(glval) = FunctionAddress[f] : +# 12| r0_5() = FunctionAddress[f] : # 12| r0_6(Int32) = Call : func:r0_5 -# 12| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 12| mu0_7() = ^CallSideEffect : ~mu0_2 # 12| mu0_8(Int32) = Store : &:r0_4, r0_6 # 10| r0_9(glval) = VariableAddress[#return] : # 10| v0_10(Void) = ReturnValue : &:r0_9, ~mu0_2 # 10| v0_11(Void) = UnmodeledUse : mu* -# 10| v0_12(Void) = ExitFunction : +# 10| v0_12(Void) = AliasedUse : ~mu0_2 +# 10| v0_13(Void) = ExitFunction : simple_function.cs: # 5| System.Int32 test_simple_function.f() # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = VariableAddress[#return] : # 7| r0_4(Int32) = Constant[0] : # 7| mu0_5(Int32) = Store : &:r0_3, r0_4 # 5| r0_6(glval) = VariableAddress[#return] : # 5| v0_7(Void) = ReturnValue : &:r0_6, ~mu0_2 # 5| v0_8(Void) = UnmodeledUse : mu* -# 5| v0_9(Void) = ExitFunction : +# 5| v0_9(Void) = AliasedUse : ~mu0_2 +# 5| v0_10(Void) = ExitFunction : stmts.cs: # 5| System.Int32 test_stmts.ifStmt(System.Int32) # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 5| r0_3(glval) = VariableAddress[x] : # 5| mu0_4(Int32) = InitializeParameter[x] : &:r0_3 # 7| r0_5(glval) = VariableAddress[x] : @@ -1617,7 +1664,8 @@ stmts.cs: # 5| r1_0(glval) = VariableAddress[#return] : # 5| v1_1(Void) = ReturnValue : &:r1_0, ~mu0_2 # 5| v1_2(Void) = UnmodeledUse : mu* -# 5| v1_3(Void) = ExitFunction : +# 5| v1_3(Void) = AliasedUse : ~mu0_2 +# 5| v1_4(Void) = ExitFunction : # 10| Block 2 # 10| r2_0(glval) = VariableAddress[#return] : @@ -1634,8 +1682,8 @@ stmts.cs: # 13| System.Void test_stmts.whileStmt(System.Int32) # 13| Block 0 # 13| v0_0(Void) = EnterFunction : -# 13| mu0_1(null) = AliasedDefinition : -# 13| mu0_2(null) = UnmodeledDefinition : +# 13| mu0_1() = AliasedDefinition : +# 13| mu0_2() = UnmodeledDefinition : # 13| r0_3(glval) = VariableAddress[x] : # 13| mu0_4(Int32) = InitializeParameter[x] : &:r0_3 # 15| r0_5(glval) = VariableAddress[i] : @@ -1646,7 +1694,8 @@ stmts.cs: # 13| Block 1 # 13| v1_0(Void) = ReturnVoid : # 13| v1_1(Void) = UnmodeledUse : mu* -# 13| v1_2(Void) = ExitFunction : +# 13| v1_2(Void) = AliasedUse : ~mu0_2 +# 13| v1_3(Void) = ExitFunction : # 16| Block 2 # 16| r2_0(glval) = VariableAddress[i] : @@ -1669,13 +1718,13 @@ stmts.cs: # 22| System.Int32 test_stmts.switchStmt() # 22| Block 0 # 22| v0_0(Void) = EnterFunction : -# 22| mu0_1(null) = AliasedDefinition : -# 22| mu0_2(null) = UnmodeledDefinition : +# 22| mu0_1() = AliasedDefinition : +# 22| mu0_2() = UnmodeledDefinition : # 24| r0_3(glval) = VariableAddress[caseSwitch] : # 24| r0_4(Object) = NewObj : -# 24| r0_5(glval) = FunctionAddress[Object] : +# 24| r0_5() = FunctionAddress[Object] : # 24| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 24| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 24| mu0_7() = ^CallSideEffect : ~mu0_2 # 24| mu0_8(Object) = Store : &:r0_3, r0_4 # 25| r0_9(glval) = VariableAddress[select] : # 25| r0_10(Int32) = Constant[0] : @@ -1693,7 +1742,8 @@ stmts.cs: # 22| r1_0(glval) = VariableAddress[#return] : # 22| v1_1(Void) = ReturnValue : &:r1_0, ~mu0_2 # 22| v1_2(Void) = UnmodeledUse : mu* -# 22| v1_3(Void) = ExitFunction : +# 22| v1_3(Void) = AliasedUse : ~mu0_2 +# 22| v1_4(Void) = ExitFunction : # 29| Block 2 # 29| v2_0(Void) = NoOp : @@ -1735,8 +1785,8 @@ stmts.cs: # 46| System.Void test_stmts.tryCatchFinally() # 46| Block 0 # 46| v0_0(Void) = EnterFunction : -# 46| mu0_1(null) = AliasedDefinition : -# 46| mu0_2(null) = UnmodeledDefinition : +# 46| mu0_1() = AliasedDefinition : +# 46| mu0_2() = UnmodeledDefinition : # 48| r0_3(glval) = VariableAddress[x] : # 48| r0_4(Int32) = Constant[5] : # 48| mu0_5(Int32) = Store : &:r0_3, r0_4 @@ -1750,7 +1800,8 @@ stmts.cs: # 46| Block 1 # 46| v1_0(Void) = UnmodeledUse : mu* -# 46| v1_1(Void) = ExitFunction : +# 46| v1_1(Void) = AliasedUse : ~mu0_2 +# 46| v1_2(Void) = ExitFunction : # 46| Block 2 # 46| v2_0(Void) = Unwind : @@ -1759,9 +1810,9 @@ stmts.cs: # 52| Block 3 # 52| r3_0(glval) = VariableAddress[#throw52:17] : # 52| r3_1(Exception) = NewObj : -# 52| r3_2(glval) = FunctionAddress[Exception] : +# 52| r3_2() = FunctionAddress[Exception] : # 52| v3_3(Void) = Call : func:r3_2, this:r3_1 -# 52| mu3_4(null) = ^CallSideEffect : ~mu0_2 +# 52| mu3_4() = ^CallSideEffect : ~mu0_2 # 52| mu3_5(Exception) = Store : &:r3_0, r3_1 # 52| v3_6(Void) = ThrowValue : &:r3_0, ~mu0_2 #-----| Exception -> Block 6 @@ -1800,8 +1851,8 @@ stmts.cs: # 69| System.Void test_stmts.forStmt() # 69| Block 0 # 69| v0_0(Void) = EnterFunction : -# 69| mu0_1(null) = AliasedDefinition : -# 69| mu0_2(null) = UnmodeledDefinition : +# 69| mu0_1() = AliasedDefinition : +# 69| mu0_2() = UnmodeledDefinition : # 71| r0_3(glval) = VariableAddress[x] : # 71| r0_4(Int32) = Constant[0] : # 71| mu0_5(Int32) = Store : &:r0_3, r0_4 @@ -1816,7 +1867,8 @@ stmts.cs: # 69| Block 1 # 69| v1_0(Void) = ReturnVoid : # 69| v1_1(Void) = UnmodeledUse : mu* -# 69| v1_2(Void) = ExitFunction : +# 69| v1_2(Void) = AliasedUse : ~mu0_2 +# 69| v1_3(Void) = ExitFunction : # 72| Block 2 # 72| r2_0(glval) = VariableAddress[i] : @@ -1883,8 +1935,8 @@ stmts.cs: # 89| System.Void test_stmts.doWhile() # 89| Block 0 # 89| v0_0(Void) = EnterFunction : -# 89| mu0_1(null) = AliasedDefinition : -# 89| mu0_2(null) = UnmodeledDefinition : +# 89| mu0_1() = AliasedDefinition : +# 89| mu0_2() = UnmodeledDefinition : # 91| r0_3(glval) = VariableAddress[x] : # 91| r0_4(Int32) = Constant[0] : # 91| mu0_5(Int32) = Store : &:r0_3, r0_4 @@ -1893,7 +1945,8 @@ stmts.cs: # 89| Block 1 # 89| v1_0(Void) = ReturnVoid : # 89| v1_1(Void) = UnmodeledUse : mu* -# 89| v1_2(Void) = ExitFunction : +# 89| v1_2(Void) = AliasedUse : ~mu0_2 +# 89| v1_3(Void) = ExitFunction : # 94| Block 2 # 94| r2_0(glval) = VariableAddress[x] : @@ -1913,8 +1966,8 @@ stmts.cs: # 99| System.Void test_stmts.checkedUnchecked() # 99| Block 0 # 99| v0_0(Void) = EnterFunction : -# 99| mu0_1(null) = AliasedDefinition : -# 99| mu0_2(null) = UnmodeledDefinition : +# 99| mu0_1() = AliasedDefinition : +# 99| mu0_2() = UnmodeledDefinition : # 101| r0_3(glval) = VariableAddress[num] : # 101| r0_4(Int32) = Constant[2147483647] : # 101| r0_5(Int32) = Load : &:r0_4, ~mu0_2 @@ -1933,90 +1986,95 @@ stmts.cs: # 108| mu0_18(Int32) = Store : &:r0_17, r0_16 # 99| v0_19(Void) = ReturnVoid : # 99| v0_20(Void) = UnmodeledUse : mu* -# 99| v0_21(Void) = ExitFunction : +# 99| v0_21(Void) = AliasedUse : ~mu0_2 +# 99| v0_22(Void) = ExitFunction : using.cs: # 7| System.Void UsingStmt.MyDisposable..ctor() # 7| Block 0 # 7| v0_0(Void) = EnterFunction : -# 7| mu0_1(null) = AliasedDefinition : -# 7| mu0_2(null) = UnmodeledDefinition : +# 7| mu0_1() = AliasedDefinition : +# 7| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = InitializeThis : # 7| v0_4(Void) = NoOp : # 7| v0_5(Void) = ReturnVoid : # 7| v0_6(Void) = UnmodeledUse : mu* -# 7| v0_7(Void) = ExitFunction : +# 7| v0_7(Void) = AliasedUse : ~mu0_2 +# 7| v0_8(Void) = ExitFunction : # 8| System.Void UsingStmt.MyDisposable.DoSomething() # 8| Block 0 # 8| v0_0(Void) = EnterFunction : -# 8| mu0_1(null) = AliasedDefinition : -# 8| mu0_2(null) = UnmodeledDefinition : +# 8| mu0_1() = AliasedDefinition : +# 8| mu0_2() = UnmodeledDefinition : # 8| r0_3(glval) = InitializeThis : # 8| v0_4(Void) = NoOp : # 8| v0_5(Void) = ReturnVoid : # 8| v0_6(Void) = UnmodeledUse : mu* -# 8| v0_7(Void) = ExitFunction : +# 8| v0_7(Void) = AliasedUse : ~mu0_2 +# 8| v0_8(Void) = ExitFunction : # 9| System.Void UsingStmt.MyDisposable.Dispose() # 9| Block 0 # 9| v0_0(Void) = EnterFunction : -# 9| mu0_1(null) = AliasedDefinition : -# 9| mu0_2(null) = UnmodeledDefinition : +# 9| mu0_1() = AliasedDefinition : +# 9| mu0_2() = UnmodeledDefinition : # 9| r0_3(glval) = InitializeThis : # 9| v0_4(Void) = NoOp : # 9| v0_5(Void) = ReturnVoid : # 9| v0_6(Void) = UnmodeledUse : mu* -# 9| v0_7(Void) = ExitFunction : +# 9| v0_7(Void) = AliasedUse : ~mu0_2 +# 9| v0_8(Void) = ExitFunction : # 12| System.Void UsingStmt.Main() # 12| Block 0 # 12| v0_0(Void) = EnterFunction : -# 12| mu0_1(null) = AliasedDefinition : -# 12| mu0_2(null) = UnmodeledDefinition : +# 12| mu0_1() = AliasedDefinition : +# 12| mu0_2() = UnmodeledDefinition : # 14| r0_3(glval) = VariableAddress[o1] : # 14| r0_4(MyDisposable) = NewObj : -# 14| r0_5(glval) = FunctionAddress[MyDisposable] : +# 14| r0_5() = FunctionAddress[MyDisposable] : # 14| v0_6(Void) = Call : func:r0_5, this:r0_4 -# 14| mu0_7(null) = ^CallSideEffect : ~mu0_2 +# 14| mu0_7() = ^CallSideEffect : ~mu0_2 # 14| mu0_8(MyDisposable) = Store : &:r0_3, r0_4 # 16| r0_9(glval) = VariableAddress[o1] : # 16| r0_10(MyDisposable) = Load : &:r0_9, ~mu0_2 -# 16| r0_11(glval) = FunctionAddress[DoSomething] : +# 16| r0_11() = FunctionAddress[DoSomething] : # 16| v0_12(Void) = Call : func:r0_11, this:r0_10 -# 16| mu0_13(null) = ^CallSideEffect : ~mu0_2 +# 16| mu0_13() = ^CallSideEffect : ~mu0_2 # 19| r0_14(glval) = VariableAddress[o2] : # 19| r0_15(MyDisposable) = NewObj : -# 19| r0_16(glval) = FunctionAddress[MyDisposable] : +# 19| r0_16() = FunctionAddress[MyDisposable] : # 19| v0_17(Void) = Call : func:r0_16, this:r0_15 -# 19| mu0_18(null) = ^CallSideEffect : ~mu0_2 +# 19| mu0_18() = ^CallSideEffect : ~mu0_2 # 19| mu0_19(MyDisposable) = Store : &:r0_14, r0_15 # 22| r0_20(glval) = VariableAddress[o2] : # 22| r0_21(MyDisposable) = Load : &:r0_20, ~mu0_2 -# 22| r0_22(glval) = FunctionAddress[DoSomething] : +# 22| r0_22() = FunctionAddress[DoSomething] : # 22| v0_23(Void) = Call : func:r0_22, this:r0_21 -# 22| mu0_24(null) = ^CallSideEffect : ~mu0_2 +# 22| mu0_24() = ^CallSideEffect : ~mu0_2 # 25| r0_25(glval) = VariableAddress[o3] : # 25| r0_26(MyDisposable) = NewObj : -# 25| r0_27(glval) = FunctionAddress[MyDisposable] : +# 25| r0_27() = FunctionAddress[MyDisposable] : # 25| v0_28(Void) = Call : func:r0_27, this:r0_26 -# 25| mu0_29(null) = ^CallSideEffect : ~mu0_2 +# 25| mu0_29() = ^CallSideEffect : ~mu0_2 # 25| mu0_30(MyDisposable) = Store : &:r0_25, r0_26 # 26| r0_31(glval) = VariableAddress[o3] : # 26| r0_32(MyDisposable) = Load : &:r0_31, ~mu0_2 -# 26| r0_33(glval) = FunctionAddress[DoSomething] : +# 26| r0_33() = FunctionAddress[DoSomething] : # 26| v0_34(Void) = Call : func:r0_33, this:r0_32 -# 26| mu0_35(null) = ^CallSideEffect : ~mu0_2 +# 26| mu0_35() = ^CallSideEffect : ~mu0_2 # 12| v0_36(Void) = ReturnVoid : # 12| v0_37(Void) = UnmodeledUse : mu* -# 12| v0_38(Void) = ExitFunction : +# 12| v0_38(Void) = AliasedUse : ~mu0_2 +# 12| v0_39(Void) = ExitFunction : variables.cs: # 5| System.Void test_variables.f() # 5| Block 0 # 5| v0_0(Void) = EnterFunction : -# 5| mu0_1(null) = AliasedDefinition : -# 5| mu0_2(null) = UnmodeledDefinition : +# 5| mu0_1() = AliasedDefinition : +# 5| mu0_2() = UnmodeledDefinition : # 7| r0_3(glval) = VariableAddress[x] : # 7| mu0_4(Int32) = Uninitialized[x] : &:r0_3 # 7| r0_5(glval) = VariableAddress[y] : @@ -2035,4 +2093,5 @@ variables.cs: # 10| mu0_18(Int32) = Store : &:r0_15, r0_17 # 5| v0_19(Void) = ReturnVoid : # 5| v0_20(Void) = UnmodeledUse : mu* -# 5| v0_21(Void) = ExitFunction : +# 5| v0_21(Void) = AliasedUse : ~mu0_2 +# 5| v0_22(Void) = ExitFunction : diff --git a/csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected b/csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected index 012ff53039b..c709a73f5e3 100644 --- a/csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected +++ b/csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected @@ -14,3 +14,7 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes diff --git a/csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected b/csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected index 012ff53039b..c709a73f5e3 100644 --- a/csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected +++ b/csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected @@ -14,3 +14,7 @@ containsLoopOfForwardEdges lostReachability backEdgeCountMismatch useNotDominatedByDefinition +missingCanonicalLanguageType +multipleCanonicalLanguageTypes +missingIRType +multipleIRTypes diff --git a/csharp/ql/test/query-tests/API Abuse/NoDisposeCallOnLocalIDisposable/NoDisposeCallOnLocalIDisposable.cs b/csharp/ql/test/query-tests/API Abuse/NoDisposeCallOnLocalIDisposable/NoDisposeCallOnLocalIDisposable.cs index 45caec0022d..82a33086144 100644 --- a/csharp/ql/test/query-tests/API Abuse/NoDisposeCallOnLocalIDisposable/NoDisposeCallOnLocalIDisposable.cs +++ b/csharp/ql/test/query-tests/API Abuse/NoDisposeCallOnLocalIDisposable/NoDisposeCallOnLocalIDisposable.cs @@ -83,6 +83,11 @@ class Test // GOOD: Disposed automatically. using var c2 = new Timer(TimerProc); + // GOOD: ownership taken via ?? + StringReader source = null; + using(XmlReader.Create(source ?? new StringReader("xml"), null)) + ; + return null; } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs new file mode 100644 index 00000000000..af89b7d7328 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs @@ -0,0 +1,37 @@ +// semmle-extractor-options: /r:System.Private.Xml.dll /r:System.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs + +using System; +using System.Security; +using System.Web; +using System.Xml; + +public class XMLInjectionHandler : IHttpHandler { + public void ProcessRequest(HttpContext ctx) { + string employeeName = ctx.Request.QueryString["employeeName"]; + + using (XmlWriter writer = XmlWriter.Create("employees.xml")) + { + writer.WriteStartDocument(); + + // BAD: Insert user input directly into XML + writer.WriteRaw("" + employeeName + ""); + + // GOOD: Escape user input before inserting into string + writer.WriteRaw("" + SecurityElement.Escape(employeeName) + ""); + + // GOOD: Use standard API, which automatically encodes values + writer.WriteStartElement("Employee"); + writer.WriteElementString("Name", employeeName); + writer.WriteEndElement(); + + writer.WriteEndElement(); + writer.WriteEndDocument(); + } + } + + public bool IsReusable { + get { + return true; + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.expected new file mode 100644 index 00000000000..a4c6c87daa0 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.expected @@ -0,0 +1 @@ +| Test.cs:17:25:17:80 | ... + ... | $@ flows to here and is inserted as XML. | Test.cs:10:27:10:49 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref new file mode 100644 index 00000000000..e3b1776a3fb --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref @@ -0,0 +1 @@ +Security Features/CWE-091/XMLInjection.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.expected new file mode 100644 index 00000000000..9cd34259ba1 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.expected @@ -0,0 +1 @@ +| Test.cs:12:36:12:46 | access to local variable libraryName | $@ flows to here and is used as the path to dynamically load an assembly. | Test.cs:9:26:9:48 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref new file mode 100644 index 00000000000..b1cd9fb617f --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref @@ -0,0 +1 @@ +Security Features/CWE-114/AssemblyPathInjection.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs new file mode 100644 index 00000000000..07493f3d773 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs @@ -0,0 +1,23 @@ +// semmle-extractor-options: /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs + +using System; +using System.Web; +using System.Reflection; + +public class DLLInjectionHandler : IHttpHandler { + public void ProcessRequest(HttpContext ctx) { + string libraryName = ctx.Request.QueryString["libraryName"]; + + // BAD: Load DLL based on user input + var badDLL = Assembly.LoadFile(libraryName); + + // GOOD: Load DLL using fixed string + var goodDLL = Assembly.LoadFile(@"C:\visual studio 2012\Projects\ConsoleApplication1\ConsoleApplication1\DLL.dll"); + } + + public bool IsReusable { + get { + return true; + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs new file mode 100644 index 00000000000..9d58f2df62e --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs @@ -0,0 +1,117 @@ +// semmle-extractor-options: /r:System.IO.FileSystem.dll /r:System.Security.Cryptography.Primitives.dll /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll +using System; +using System.IO; +using System.Text; +using System.Security.Cryptography; +using Windows.Security.Cryptography; +using Windows.Security.Cryptography.Core; + +namespace HardcodedSymmetricEncryptionKey +{ + class Program + { + static void Main(string[] args) + { + var a = new AesCryptoServiceProvider(); + + // BAD: explicit key assignment, hard-coded value + a.Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + + var b = new AesCryptoServiceProvider() + { + // BAD: explicit key assignment, hard-coded value + Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 } + }; + + var c = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + var d = c; + + var byteArrayFromString = Encoding.UTF8.GetBytes("Hello, world: here is a very bad way to create a key"); + + // BAD: key assignment via variable, from hard-coded value + a.Key = d; + + // GOOD (not really, but better than hard coding) + a.Key = File.ReadAllBytes("secret.key"); + + var cp = CreateProvider(d); + + var iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + + // BAD: hard-coded key passed to Encrypt [NOT DETECTED] + var ct = Encrypt("Test string here", c, iv); + + // BAD: hard-coded key converted from string and passed to Encrypt [NOT DETECTED] + var ct1 = Encrypt("Test string here", byteArrayFromString, iv); + + // GOOD (this function hashes password) + var de = DecryptWithPassword(ct, c, iv); + + // BAD [NOT DETECTED] + CreateCryptographicKey(null, byteArrayFromString); + + // GOOD + CreateCryptographicKey(null, File.ReadAllBytes("secret.key")); + } + + public static string DecryptWithPassword(byte[] cipherText, byte[] password, byte[] IV) + { + byte[] rawPlaintext; + var salt = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + using (Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(password, salt, 100)) + { + using (Aes aes = new AesManaged()) + { + using (MemoryStream ms = new MemoryStream()) + { + // GOOD: for this test, the flow through Rfc2898DeriveBytes should be considered GOOD. + // GOOD: Use of hard-coded password for Rfc2898DeriveBytes is found by Semmle CWE-798: HardcodedCredentials.ql + using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(k1.GetBytes(16), IV), CryptoStreamMode.Write)) + { + cs.Write(cipherText, 0, cipherText.Length); + } + rawPlaintext = ms.ToArray(); + } + + return Encoding.Unicode.GetString(rawPlaintext); + } + } + } + + static SymmetricAlgorithm CreateProvider(byte[] key) + { + return new AesManaged() + { + // BAD: assignment from parameter + Key = key + }; + } + + public static byte[] Encrypt(string plaintext, byte[] key, byte[] IV) + { + byte[] rawPlaintext = Encoding.Unicode.GetBytes("Test string here"); + byte[] cipherText = null; + using (Aes aes = new AesManaged()) + { + using (MemoryStream ms = new MemoryStream()) + { + // BAD: flow of hardcoded key to CreateEncryptor constructor + using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, IV), CryptoStreamMode.Write)) + { + cs.Write(rawPlaintext, 0, rawPlaintext.Length); + } + + cipherText = ms.ToArray(); + } + + return cipherText; + } + } + + static CryptographicKey CreateCryptographicKey(SymmetricKeyAlgorithmProvider p, byte[] bytes) + { + var buffer = CryptographicBuffer.CreateFromByteArray(bytes); + return p.CreateSymmetricKey(buffer); + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.expected b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.expected new file mode 100644 index 00000000000..29a4889da65 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.expected @@ -0,0 +1,6 @@ +| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | key | +| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | key | +| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key | +| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key | +| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key | +| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref new file mode 100644 index 00000000000..a2d565b3295 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref @@ -0,0 +1 @@ +Security Features/CWE-321/HardcodedEncryptionKey.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/Stubs.cs b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/Stubs.cs new file mode 100644 index 00000000000..3263367dbb3 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/Stubs.cs @@ -0,0 +1,22 @@ +namespace Windows.Security.Cryptography +{ + public static class CryptographicBuffer + { + public static Windows.Storage.Streams.IBuffer CreateFromByteArray(byte[] value) => throw null; + } +} + +namespace Windows.Storage.Streams +{ + public interface IBuffer { } +} + +namespace Windows.Security.Cryptography.Core +{ + public sealed class CryptographicKey { } + + public sealed class SymmetricKeyAlgorithmProvider + { + public CryptographicKey CreateSymmetricKey(Windows.Storage.Streams.IBuffer keyMaterial) => throw null; + } +} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs new file mode 100644 index 00000000000..c57499a14ce --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs @@ -0,0 +1,59 @@ +using System.Data.SqlClient; + +namespace InsecureSQLConnection +{ + public class Class1 + { + public void StringInConstructor() + { + SqlConnection conn = new SqlConnection("Encrypt=true"); + } + + public void StringInProperty() + { + SqlConnection conn = new SqlConnection(); + conn.ConnectionString = "Encrypt=true"; + + } + + public void StringInBuilder() + { + SqlConnectionStringBuilder conBuilder = new SqlConnectionStringBuilder(); + conBuilder.Encrypt = true; + SqlConnection conn = new SqlConnection(conBuilder.ToString()); + } + + public void StringInBuilderProperty() + { + SqlConnectionStringBuilder conBuilder = new SqlConnectionStringBuilder(); + conBuilder.Encrypt = true; + SqlConnection conn = new SqlConnection(); + conn.ConnectionString = conBuilder.ToString(); + + } + + public void TriggerThis() + { + // BAD, Encrypt not specified [NOT DETECTED] + SqlConnection conn = new SqlConnection("Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;"); + } + + void Test4() + { + string connectString = + "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd"; + // BAD, Encrypt not specified [NOT DETECTED] + SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); + var conn = new SqlConnection(builder.ConnectionString); + } + + void Test5() + { + string connectString = + "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false"; + // BAD, Encrypt set to false [NOT DETECTED] + SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); + var conn = new SqlConnection(builder.ConnectionString); + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref new file mode 100644 index 00000000000..e3b1776a3fb --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.qlref @@ -0,0 +1 @@ +Security Features/CWE-091/XMLInjection.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/stubs.cs b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/stubs.cs new file mode 100644 index 00000000000..26461fc0224 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/stubs.cs @@ -0,0 +1,71 @@ +// This file contains auto-generated code. + +namespace System +{ + namespace Data + { + // Generated from `System.Data.IDbConnection` in `System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089` + public interface IDbConnection : System.IDisposable + { + string ConnectionString { get; set; } + } + + namespace Common + { + // Generated from `System.Data.Common.DbConnectionStringBuilder` in `System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089` + public class DbConnectionStringBuilder : System.Collections.IEnumerable, System.Collections.IDictionary, System.Collections.ICollection + { + System.Collections.IDictionaryEnumerator System.Collections.IDictionary.GetEnumerator() => throw null; + System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null; + bool System.Collections.ICollection.IsSynchronized { get => throw null; } + bool System.Collections.IDictionary.Contains(object keyword) => throw null; + object System.Collections.ICollection.SyncRoot { get => throw null; } + public object this[object keyword] { get => throw null; set => throw null; } + public bool IsReadOnly { get => throw null; } + public override string ToString() => throw null; + public string ConnectionString { get => throw null; set => throw null; } + public virtual System.Collections.ICollection Keys { get => throw null; } + public virtual System.Collections.ICollection Values { get => throw null; } + public virtual bool IsFixedSize { get => throw null; } + public virtual int Count { get => throw null; } + public virtual void Clear() => throw null; + void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null; + void System.Collections.IDictionary.Add(object keyword, object value) => throw null; + void System.Collections.IDictionary.Remove(object keyword) => throw null; + public void Dispose() => throw null; + } + + // Generated from `System.Data.Common.DbConnection` in `System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089` + abstract public class DbConnection : System.IDisposable, System.Data.IDbConnection + { + public abstract string ConnectionString { get; set; } + public void Dispose() => throw null; + } + + } + namespace SqlClient + { + // Generated from `System.Data.SqlClient.SqlConnectionStringBuilder` in `System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089` + public class SqlConnectionStringBuilder : System.Data.Common.DbConnectionStringBuilder + { + public SqlConnectionStringBuilder() => throw null; + public SqlConnectionStringBuilder(string connectionString) => throw null; + public bool Encrypt { get => throw null; set => throw null; } + public override System.Collections.ICollection Keys { get => throw null; } + public override System.Collections.ICollection Values { get => throw null; } + public override bool IsFixedSize { get => throw null; } + public override void Clear() => throw null; + } + + // Generated from `System.Data.SqlClient.SqlConnection` in `System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089` + public class SqlConnection : System.Data.Common.DbConnection, System.ICloneable + { + object System.ICloneable.Clone() => throw null; + public SqlConnection() => throw null; + public SqlConnection(string connectionString) => throw null; + public override string ConnectionString { get => throw null; set => throw null; } + } + + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.cs new file mode 100644 index 00000000000..93dede10b15 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.cs @@ -0,0 +1,22 @@ +using System; +using System.Linq.Expressions; +using System.IO; +using System.Runtime.Serialization.Formatters.Binary; + +class DeserializedDelegate +{ + delegate int D(); + + public static void M(FileStream fs) + { + var formatter = new BinaryFormatter(); + // BAD + var a = (Func)formatter.Deserialize(fs); + // BAD + var b = (Expression>)formatter.Deserialize(fs); + // BAD + var c = (D)formatter.Deserialize(fs); + // GOOD + var d = (int)formatter.Deserialize(fs); + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.expected b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.expected new file mode 100644 index 00000000000..79cc1962888 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.expected @@ -0,0 +1,4 @@ +| DeserializedDelegate.cs:14:28:14:52 | call to method Deserialize | Deserialization of delegate type. | +| DeserializedDelegate.cs:16:40:16:64 | call to method Deserialize | Deserialization of delegate type. | +| DeserializedDelegate.cs:18:20:18:44 | call to method Deserialize | Deserialization of delegate type. | +| DeserializedDelegateBad.cs:11:28:11:52 | call to method Deserialize | Deserialization of delegate type. | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref new file mode 100644 index 00000000000..913c61338c4 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref @@ -0,0 +1 @@ +Security Features/CWE-502/DeserializedDelegate.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegateBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegateBad.cs new file mode 100644 index 00000000000..12b2dc76987 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegateBad.cs @@ -0,0 +1,14 @@ +using System; +using System.IO; +using System.Runtime.Serialization.Formatters.Binary; + +class Bad +{ + public static int InvokeSerialized(FileStream fs) + { + var formatter = new BinaryFormatter(); + // BAD + var f = (Func)formatter.Deserialize(fs); + return f(); + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/ExtractorOptions.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/ExtractorOptions.cs new file mode 100644 index 00000000000..7b252c937e9 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/ExtractorOptions.cs @@ -0,0 +1 @@ +// semmle-extractor-options: /r:System.Runtime.Serialization.Formatters.dll /r:System.IO.FileSystem.dll /r:System.Linq.Expressions.dll diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ExtractorOptions.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ExtractorOptions.cs new file mode 100644 index 00000000000..11f05a14a00 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ExtractorOptions.cs @@ -0,0 +1 @@ +// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/SystemWebStub.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/SystemWebStub.cs new file mode 100644 index 00000000000..48c74335f6f --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/SystemWebStub.cs @@ -0,0 +1,34 @@ +// This file contains auto-generated code. +// original-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll + +namespace System +{ + namespace Web + { + namespace Script + { + namespace Serialization + { + // Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35` + public class JavaScriptSerializer + { + public JavaScriptSerializer() => throw null; + public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null; + public object DeserializeObject(string input) => throw null; + } + + // Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35` + abstract public class JavaScriptTypeResolver + { + } + + // Generated from `System.Web.Script.Serialization.SimpleTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35` + public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptTypeResolver + { + public SimpleTypeResolver() => throw null; + } + + } + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.expected b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.expected new file mode 100644 index 00000000000..6edb1f62902 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.expected @@ -0,0 +1 @@ +| UnsafeDeserializationBad.cs:9:16:9:38 | call to method DeserializeObject | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.qlref new file mode 100644 index 00000000000..78efa2399c0 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.qlref @@ -0,0 +1 @@ +Security Features/CWE-502/UnsafeDeserialization.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationBad.cs new file mode 100644 index 00000000000..385e700a0bf --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationBad.cs @@ -0,0 +1,11 @@ +using System.Web.Script.Serialization; + +class Bad +{ + public static object Deserialize(string s) + { + JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver()); + // BAD + return sr.DeserializeObject(s); + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationGood.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationGood.cs new file mode 100644 index 00000000000..775862cd683 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationGood.cs @@ -0,0 +1,11 @@ +using System.Web.Script.Serialization; + +class Good +{ + public static object Deserialize(string s) + { + // GOOD + JavaScriptSerializer sr = new JavaScriptSerializer(); + return sr.DeserializeObject(s); + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ExtractorOptions.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ExtractorOptions.cs new file mode 100644 index 00000000000..11f05a14a00 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ExtractorOptions.cs @@ -0,0 +1 @@ +// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/SystemWebStub.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/SystemWebStub.cs new file mode 100644 index 00000000000..293c0cdf355 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/SystemWebStub.cs @@ -0,0 +1,45 @@ +// This file contains auto-generated code. +// original-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll + +namespace System +{ + namespace Web + { + namespace UI + { + namespace WebControls + { + public class TextBox + { + public string Text { get; set; } + } + } + } + + namespace Script + { + namespace Serialization + { + // Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35` + public class JavaScriptSerializer + { + public JavaScriptSerializer() => throw null; + public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null; + public object DeserializeObject(string input) => throw null; + } + + // Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35` + abstract public class JavaScriptTypeResolver + { + } + + // Generated from `System.Web.Script.Serialization.SimpleTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35` + public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptTypeResolver + { + public SimpleTypeResolver() => throw null; + } + + } + } + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected new file mode 100644 index 00000000000..fce66c8e1d5 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected @@ -0,0 +1,7 @@ +edges +| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | +nodes +| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | semmle.label | access to parameter textBox | +| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | semmle.label | access to property Text | +#select +| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | $@ flows to unsafe deserializer. | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | User-provided data | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.qlref new file mode 100644 index 00000000000..626bcae9b33 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.qlref @@ -0,0 +1 @@ +Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql \ No newline at end of file diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputBad.cs new file mode 100644 index 00000000000..db2b25097ba --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputBad.cs @@ -0,0 +1,12 @@ +using System.Web.UI.WebControls; +using System.Web.Script.Serialization; + +class Bad +{ + public static object Deserialize(TextBox textBox) + { + JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver()); + // BAD + return sr.DeserializeObject(textBox.Text); + } +} diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputGood.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputGood.cs new file mode 100644 index 00000000000..d1e2935b218 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputGood.cs @@ -0,0 +1,12 @@ +using System.Web.UI.WebControls; +using System.Web.Script.Serialization; + +class Good +{ + public static object Deserialize(TextBox textBox) + { + JavaScriptSerializer sr = new JavaScriptSerializer(); + // GOOD + return sr.DeserializeObject(textBox.Text); + } +} diff --git a/csharp/upgrades/qlpack.yml b/csharp/upgrades/qlpack.yml new file mode 100644 index 00000000000..8ad3718778d --- /dev/null +++ b/csharp/upgrades/qlpack.yml @@ -0,0 +1,2 @@ +name: codeql-csharp-upgrades +upgrades: . diff --git a/docs/language/global-sphinx-files/_templates/layout.html b/docs/language/global-sphinx-files/_templates/layout.html index 6aa09b5fb38..de3b189e1ee 100644 --- a/docs/language/global-sphinx-files/_templates/layout.html +++ b/docs/language/global-sphinx-files/_templates/layout.html @@ -61,7 +61,7 @@
    - Learn QL + Learn CodeQL QL for variant analysis QL tools Queries diff --git a/docs/language/learn-ql/about-ql.rst b/docs/language/learn-ql/about-ql.rst index 145f98ad600..8f2f26018a4 100644 --- a/docs/language/learn-ql/about-ql.rst +++ b/docs/language/learn-ql/about-ql.rst @@ -1,11 +1,11 @@ About QL ======== -This section is aimed at users with a background in general purpose programming as well as in databases. For a basic introduction and information on how to get started, see :doc:`Introduction to the QL language ` and :doc:`Learning QL <../index>`. +This section is aimed at users with a background in general purpose programming as well as in databases. For a basic introduction and information on how to get started, see :doc:`Introduction to QL ` and :doc:`Learning CodeQL <../index>`. QL is a declarative, object-oriented query language that is optimized to enable efficient analysis of hierarchical data structures, in particular, databases representing software artifacts. -The queries and metrics used in LGTM are implemented using QL. This ensures that they can be extended or revised easily to keep up with changes in definitions of best coding practice. We continually improve existing queries as we work towards the ultimate goal of 100% precision. +The queries and metrics used in LGTM are implemented using CodeQL, which uses QL to analyze code. This ensures that they can be extended or revised easily to keep up with changes in definitions of best coding practice. We continually improve existing queries as we work towards the ultimate goal of 100% precision. You can write queries to identify security vulnerabilities, find coding errors and bugs, or find code that breaks your team's guidelines for best practice. You can also create customized versions of the default queries to accommodate a new framework. diff --git a/docs/language/learn-ql/advanced/abstract-classes.rst b/docs/language/learn-ql/advanced/abstract-classes.rst index d616a31395b..32441b35996 100644 --- a/docs/language/learn-ql/advanced/abstract-classes.rst +++ b/docs/language/learn-ql/advanced/abstract-classes.rst @@ -4,7 +4,7 @@ Semantics of abstract classes Concrete classes ---------------- -Concrete QL classes, as described in the QL language handbook topic on `Classes `__, lend themselves well to top-down modeling. We start from general superclasses representing large sets of values, and carve out individual subclasses representing more restricted sets of values. +Concrete classes, as described in the QL language handbook topic on `Classes `__, lend themselves well to top-down modeling. We start from general superclasses representing large sets of values, and carve out individual subclasses representing more restricted sets of values. A classic example where this approach is useful is when modeling ASTs (Abstract Syntax Trees): the node types of an AST form a natural inheritance hierarchy, where, for example, there is a class ``Expr`` representing all expression nodes, with many different subclasses for different categories of expressions. There might be a class ``ArithmeticExpr`` representing arithmetic expressions, which in turn could have subclasses ``AddExpr`` and ``SubExpr``. @@ -57,7 +57,7 @@ Like a concrete class, an abstract class has one or more superclasses and a char Example ~~~~~~~ -The following example is taken from the standard QL library for Java: +The following example is taken from the CodeQL library for Java: .. code-block:: ql diff --git a/docs/language/learn-ql/advanced/advanced-ql.rst b/docs/language/learn-ql/advanced/advanced-ql.rst index e9397bd5ab2..67af5a6fb26 100644 --- a/docs/language/learn-ql/advanced/advanced-ql.rst +++ b/docs/language/learn-ql/advanced/advanced-ql.rst @@ -8,7 +8,7 @@ Advanced QL ./* -Topics on advanced uses of QL. These topics assume that you are familiar with the QL language and the basics of query writing. +Topics on advanced uses of QL. These topics assume that you are familiar with QL and the basics of query writing. - :doc:`Semantics of abstract classes ` - :doc:`Choosing appropriate ways to constrain types ` diff --git a/docs/language/learn-ql/advanced/constraining-types.rst b/docs/language/learn-ql/advanced/constraining-types.rst index e150c8ba380..3a8d2e76637 100644 --- a/docs/language/learn-ql/advanced/constraining-types.rst +++ b/docs/language/learn-ql/advanced/constraining-types.rst @@ -8,7 +8,7 @@ Type constraint methods Note - The examples below use the Java QL library. All QL libraries support using these methods to constrain variables, the only difference is in the names of the classes used. + The examples below use the CodeQL library for Java. All libraries support using these methods to constrain variables, the only difference is in the names of the classes used. There are several ways of imposing type constraints on variables: diff --git a/docs/language/learn-ql/advanced/determining-specific-types-variables.rst b/docs/language/learn-ql/advanced/determining-specific-types-variables.rst index ce3c5a9e211..7deadde39c9 100644 --- a/docs/language/learn-ql/advanced/determining-specific-types-variables.rst +++ b/docs/language/learn-ql/advanced/determining-specific-types-variables.rst @@ -1,14 +1,14 @@ Determining the most specific types of a variable ================================================= -It is sometimes useful to be able to determine what QL types an entity has -- especially when you are unfamiliar with the QL library used by a query. To help with this, QL provides a predicate called ``getAQlClass()``, which returns the most specific QL types of the entity that it is called on. +It is sometimes useful to be able to determine what types an entity has -- especially when you are unfamiliar with the library used by a query. To help with this, there is a predicate called ``getAQlClass()``, which returns the most specific QL types of the entity that it is called on. This can be useful when you are not sure of the most precise class of a value. Discovering a more precise class can allow you to cast to it and use predicates that are not available on the more general class. Example ------- -If you were working with a Java snapshot database, you might use ``getAQlClass()`` on every ``Expr`` in a callable called ``c``: +If you were working with a Java database, you might use ``getAQlClass()`` on every ``Expr`` in a callable called ``c``: **Java example** @@ -23,6 +23,6 @@ If you were working with a Java snapshot database, you might use ``getAQlClass() and e.getEnclosingCallable() = c select e, e.getAQlClass() -The result of this query is a list of the most specific types of every ``Expr`` in that function. You will see multiple results for some expressions because that expression is represented by more than one QL type. +The result of this query is a list of the most specific types of every ``Expr`` in that function. You will see multiple results for some expressions because that expression is represented by more than one type. -For example, ``StringLiteral``\ s like ``"Hello"`` in Java belong to both the ``StringLiteral`` QL class (a specialization of the ``Literal`` QL class) and the ``CompileTimeConstantExpr`` QL class. So any instances of ``StringLiteral``\ s in the results will produce more than one result, one for each of the QL classes to which they belong. +For example, ``StringLiteral``\ s like ``"Hello"`` in Java belong to both the ``StringLiteral`` class (a specialization of the ``Literal`` class) and the ``CompileTimeConstantExpr`` class. So any instances of ``StringLiteral``\ s in the results will produce more than one result, one for each of the classes to which they belong. diff --git a/docs/language/learn-ql/advanced/equivalence.rst b/docs/language/learn-ql/advanced/equivalence.rst index 40f00cde00f..bf5efb595d0 100644 --- a/docs/language/learn-ql/advanced/equivalence.rst +++ b/docs/language/learn-ql/advanced/equivalence.rst @@ -6,7 +6,7 @@ The two expressions: #. ``a() != b()`` #. ``not(a() = b())`` -look equivalent - so much so that inexperienced (and even experienced) QL programmers have been known to rewrite one as the other. However, they are not equivalent due to the quantifiers involved. +look equivalent - so much so that inexperienced (and even experienced) programmers have been known to rewrite one as the other. However, they are not equivalent due to the quantifiers involved. Thinking of ``a()`` and ``b()`` as sets of values, the first expression says that there is a pair of values (one from each side of the inequality) which are different. diff --git a/docs/language/learn-ql/advanced/monotonic-aggregates.rst b/docs/language/learn-ql/advanced/monotonic-aggregates.rst index 515dec6dff0..161776dbcf6 100644 --- a/docs/language/learn-ql/advanced/monotonic-aggregates.rst +++ b/docs/language/learn-ql/advanced/monotonic-aggregates.rst @@ -1,7 +1,7 @@ Monotonic aggregates in QL ========================== -In addition to standard QL aggregates, QL also supports *monotonic* aggregates. These are a slightly different way of computing aggregates which have some advantages, notably the ability to be used recursively, which normal aggregates do not have. You can enable them in a scope by adding the \ ``language[monotonicAggregates]`` pragma on a predicate, class, or module. +In addition to standard aggregates, QL also supports *monotonic* aggregates. These are a slightly different way of computing aggregates which have some advantages, notably the ability to be used recursively, which normal aggregates do not have. You can enable them in a scope by adding the \ ``language[monotonicAggregates]`` pragma on a predicate, class, or module. Syntax ------ diff --git a/docs/language/learn-ql/beginner/find-thief-3.rst b/docs/language/learn-ql/beginner/find-thief-3.rst index 03f7c866230..f8323147cf1 100644 --- a/docs/language/learn-ql/beginner/find-thief-3.rst +++ b/docs/language/learn-ql/beginner/find-thief-3.rst @@ -77,4 +77,4 @@ What next? - Help the villagers track down another criminal in the :doc:`next tutorial `. - Find out more about the concepts you discovered in this tutorial in the `QL language handbook `__. -- Explore the libraries that help you get data about code in :doc:`Learning QL <../../index>`. +- Explore the libraries that help you get data about code in :doc:`Learning CodeQL <../../index>`. diff --git a/docs/language/learn-ql/beginner/fire-2.rst b/docs/language/learn-ql/beginner/fire-2.rst index c5380fb0b6b..0c7e4852ae7 100644 --- a/docs/language/learn-ql/beginner/fire-2.rst +++ b/docs/language/learn-ql/beginner/fire-2.rst @@ -40,4 +40,4 @@ What next? - Find out who will be the new ruler of the village in the :doc:`next tutorial `. - Learn more about predicates and classes in the `QL language handbook `__. -- Explore the libraries that help you get data about code in :doc:`Learning QL <../../index>`. +- Explore the libraries that help you get data about code in :doc:`Learning CodeQL <../../index>`. diff --git a/docs/language/learn-ql/beginner/heir.rst b/docs/language/learn-ql/beginner/heir.rst index b5efd73fc40..f0f0c315025 100644 --- a/docs/language/learn-ql/beginner/heir.rst +++ b/docs/language/learn-ql/beginner/heir.rst @@ -161,4 +161,4 @@ What next? - Learn more about recursion in the `QL language handbook `__. - Put your QL skills to the test and solve the :doc:`River crossing puzzle <../ql-etudes/river-crossing>`. -- Start using QL to analyze projects. See :doc:`Learning QL <../../index>` for a summary of the available languages and resources. +- Start using QL to analyze projects. See :doc:`Learning CodeQL <../../index>` for a summary of the available languages and resources. diff --git a/docs/language/learn-ql/beginner/ql-tutorials.rst b/docs/language/learn-ql/beginner/ql-tutorials.rst index 2ba6e449b86..d97c4d6688e 100644 --- a/docs/language/learn-ql/beginner/ql-tutorials.rst +++ b/docs/language/learn-ql/beginner/ql-tutorials.rst @@ -7,18 +7,21 @@ QL detective tutorials ./* -Welcome to QL! These tutorials are aimed at complete beginners. They teach you how to write QL queries and introduce you to key logic concepts along the way. +Welcome to the detective tutorials! These are aimed at complete beginners who would like to learn the basics of QL, +before analyzing code with CodeQL. +The tutorials teach you how to write queries and introduce you to key logic concepts along the way. -We recommend you first read the :doc:`Introduction to the QL language <../introduction-to-ql>` page for a basic description of QL. +We recommend you first read the :doc:`Introduction to QL <../introduction-to-ql>` page for a description of the language and +some simple examples. -Currently the following tutorials are available: +Currently the following detective tutorials are available: -- :doc:`Find the thief ` - a three part mystery that introduces logical connectives, quantifiers and aggregates +- :doc:`Find the thief ` - a three part mystery that introduces logical connectives, quantifiers, and aggregates - :doc:`Catch the fire starter ` - an intriguing search that introduces predicates and classes - :doc:`Crown the rightful heir ` - a detective puzzle that introduces recursion Further resources ----------------- -- For a summary of available learning resources, see :doc:`Learning QL <../../index>`. +- For a summary of available learning resources, see :doc:`Learning CodeQL <../../index>`. - For an overview of the important concepts in QL, see the `QL language handbook `__. diff --git a/docs/language/learn-ql/cobol/introduce-libraries-cobol.rst b/docs/language/learn-ql/cobol/introduce-libraries-cobol.rst index 8ab24df1edd..2d01200484d 100644 --- a/docs/language/learn-ql/cobol/introduce-libraries-cobol.rst +++ b/docs/language/learn-ql/cobol/introduce-libraries-cobol.rst @@ -1,10 +1,10 @@ -Introducing the QL libraries for COBOL -====================================== +Introducing the CodeQL libraries for COBOL +========================================== Overview -------- -There is an extensive QL library for analyzing COBOL code. The classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. +There is an extensive library for analyzing COBOL code. The classes in this library present the data from a CodeQL database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules–that is, files with the extension ``.qll``. The module ``cobol.qll`` imports most other standard library modules, so you can include the complete library by beginning your query with: @@ -12,12 +12,12 @@ The library is implemented as a set of QL modules–that is, files with the exte import cobol -The rest of this tutorial briefly summarizes the most important QL classes and predicates provided by this library, including references to the `detailed API documentation `__ where applicable. +The rest of this tutorial briefly summarizes the most important classes and predicates provided by this library, including references to the `detailed API documentation `__ where applicable. Introducing the library ----------------------- -The QL COBOL library presents information about COBOL source code at different levels: +The CodeQL library for COBOL presents information about COBOL source code at different levels: - **Textual** — classes that represent source code as unstructured text files - **Lexical** — classes that represent comments and other tokens of interest @@ -36,7 +36,7 @@ At its most basic level, a COBOL code base can simply be viewed as a collection Files and folders ^^^^^^^^^^^^^^^^^ -In QL, files are represented as entities of class `File `__, and folders as entities of class `Folder `__, both of which are subclasses of class `Container `__. +Files are represented as entities of class `File `__, and folders as entities of class `Folder `__, both of which are subclasses of class `Container `__. Class `Container `__ provides the following member predicates: @@ -48,7 +48,7 @@ Note that while ``getAFile`` and ``getAFolder`` are declared on class `Container Both files and folders have paths, which can be accessed by the predicate ``Container.getAbsolutePath()``. For example, if ``f`` represents a file with the path ``/home/user/project/src/main.cbl``, then ``f.getAbsolutePath()`` evaluates to the string ``"/home/user/project/src/main.cbl"``, while ``f.getParentContainer().getAbsolutePath()`` returns ``"/home/user/project/src"``. -These paths are absolute file system paths. If you want to obtain the path of a file relative to the snapshot source location, use ``Container.getRelativePath()`` instead. Note, however, that a snapshot may contain files that are not located underneath the snapshot source location; for such files, ``getRelativePath()`` will not return anything. +These paths are absolute file system paths. If you want to obtain the path of a file relative to the source location in the CodeQL database, use ``Container.getRelativePath()`` instead. Note, however, that a database may contain files that are not located underneath the source location; for such files, ``getRelativePath()`` will not return anything. The following member predicates of class `Container `__ provide more information about the name of a file or folder: @@ -68,9 +68,9 @@ For example, the following query computes, for each folder, the number of COBOL Locations ^^^^^^^^^ -Most entities in a snapshot database have an associated source location. Locations are identified by four pieces of information: a file, a start line, a start column, an end line, and an end column. Line and column counts are 1-based (so the first character of a file is at line 1, column 1), and the end position is inclusive. +Most entities in a CodeQL database have an associated source location. Locations are identified by four pieces of information: a file, a start line, a start column, an end line, and an end column. Line and column counts are 1-based (so the first character of a file is at line 1, column 1), and the end position is inclusive. -All entities associated with a source location belong to the QL class `Locatable `__. The location itself is modeled by the QL class `Location `__ and can be accessed through the member predicate ``Locatable.getLocation()``. The `Location `__ class provides the following member predicates: +All entities associated with a source location belong to the class `Locatable `__. The location itself is modeled by the class `Location `__ and can be accessed through the member predicate ``Locatable.getLocation()``. The `Location `__ class provides the following member predicates: - ``Location.getFile()``, ``Location.getStartLine()``, ``Location.getStartColumn()``, ``Location.getEndLine()``, ``Location.getEndColumn()`` return detailed information about the location. - ``Location.getNumLines()`` returns the number of (whole or partial) lines covered by the location. @@ -104,13 +104,13 @@ The most important member predicates are as follows: Syntactic level ~~~~~~~~~~~~~~~ -The majority of classes in the QL COBOL library is concerned with representing a COBOL program as a collection of `abstract syntax trees `__ (ASTs). +The majority of classes in the CodeQL library for COBOL are concerned with representing a COBOL program as a collection of `abstract syntax trees `__ (ASTs). -The QL class `ASTNode `__ contains all entities representing nodes in the abstract syntax trees and defines generic tree traversal predicates: +The class `ASTNode `__ contains all entities representing nodes in the abstract syntax trees and defines generic tree traversal predicates: - ``ASTNode.getParent()``: returns the parent node of this AST node, if any. -Please note that the QL libraries for COBOL do not currently represent all possible parts of a COBOL program. Due to the complexity of the language, and its many dialects, this is an ongoing task. We prioritize elements that are of interest to queries, and expand this selection over time. Please check the `detailed API documentation `__ to see what is currently available. +Please note that the libraries for COBOL do not currently represent all possible parts of a COBOL program. Due to the complexity of the language, and its many dialects, this is an ongoing task. We prioritize elements that are of interest to queries, and expand this selection over time. Please check the `detailed API documentation `__ to see what is currently available. The main structure of any COBOL program is represented by the `Unit `__ class and its subclasses. For example, each program definition has a `ProgramDefinition `__ counterpart. For each ``PROCEDURE DIVISION`` in the program, there will be a `ProcedureDivision `__ class. diff --git a/docs/language/learn-ql/cobol/ql-for-cobol.rst b/docs/language/learn-ql/cobol/ql-for-cobol.rst index 12ba25e69f4..f85ff62649e 100644 --- a/docs/language/learn-ql/cobol/ql-for-cobol.rst +++ b/docs/language/learn-ql/cobol/ql-for-cobol.rst @@ -1,5 +1,5 @@ -QL for COBOL -============ +CodeQL for COBOL +================ .. toctree:: :glob: @@ -7,14 +7,14 @@ QL for COBOL introduce-libraries-cobol -This page provides an overview of the QL for COBOL documentation that is currently available. +This page provides an overview of the CodeQL for COBOL documentation that is currently available. - `Basic COBOL query `__ describes how to write and run queries using LGTM. -- :doc:`Introducing the QL libraries for COBOL ` introduces the standard libraries used to write queries for COBOL code. +- :doc:`Introducing the CodeQL libraries for COBOL ` introduces the standard libraries used to write queries for COBOL code. Other resources --------------- -- For the queries used in LGTM, display a `COBOL query `__ and click **Open in query console** to see the QL code used to find alerts. -- For more information about the COBOL QL library see the `QL library for COBOL `__. +- For the queries used in LGTM, display a `COBOL query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for COBOL see the `CodeQL library for COBOL `__. diff --git a/docs/language/learn-ql/conf.py b/docs/language/learn-ql/conf.py index d9b1de5e9fc..94d3bf2205f 100644 --- a/docs/language/learn-ql/conf.py +++ b/docs/language/learn-ql/conf.py @@ -1,6 +1,6 @@ # -*- coding: utf-8 -*- # -# Learn QL documentation build configuration file, created by +# Learn CodeQL documentation build configuration file, created by # on Tuesday Nov 13 2018. # # This file is execfile()d with the current directory set to its @@ -41,16 +41,16 @@ highlight_language = 'ql' master_doc = 'index' # General information about the project. -project = u'Learning QL' +project = u'Learning CodeQL' # -- Project-specifc options for HTML output ---------------------------------------------- # The name for this set of Sphinx documents. If None, it defaults to # " v documentation". -html_title = 'Learn QL' +html_title = 'Learn CodeQL' # Output file base name for HTML help builder. -htmlhelp_basename = 'Learn QL' +htmlhelp_basename = 'Learn CodeQL' # The version info for this project, if different from version and release in main conf.py file. # The short X.Y version. diff --git a/docs/language/learn-ql/cpp/conversions-classes.rst b/docs/language/learn-ql/cpp/conversions-classes.rst index 716991f96b2..016efa50d67 100644 --- a/docs/language/learn-ql/cpp/conversions-classes.rst +++ b/docs/language/learn-ql/cpp/conversions-classes.rst @@ -4,12 +4,12 @@ Tutorial: Conversions and classes Overview -------- -This topic contains worked examples of how to write queries using the standard QL library classes for C/C++ conversions and classes. +This topic contains worked examples of how to write queries using the CodeQL library classes for C/C++ conversions and classes. Conversions ----------- -Let us take a look at the QL ``Conversion`` class in the standard library: +Let us take a look at the ``Conversion`` class in the standard library: - ``Expr`` @@ -128,26 +128,26 @@ Unlike the earlier versions of the query, this query would return each side of t Note - In general, QL predicates named ``getAXxx`` exploit the ability to return multiple results (multiple instances of ``Xxx``) whereas plain ``getXxx`` predicates usually return at most one specific instance of ``Xxx``. + In general, predicates named ``getAXxx`` exploit the ability to return multiple results (multiple instances of ``Xxx``) whereas plain ``getXxx`` predicates usually return at most one specific instance of ``Xxx``. Classes ------- -Next we're going to look at C++ classes, using the following QL classes: +Next we're going to look at C++ classes, using the following CodeQL classes: - ``Type`` - - ``UserType``—includes classes, typedefs and enums + - ``UserType``—includes classes, typedefs, and enums - ``Class``—a class or struct - - ``Struct``—a struct, which is treated as a subtype of Class in QL. + - ``Struct``—a struct, which is treated as a subtype of ``Class`` - ``TemplateClass``—a C++ class template Finding derived classes ~~~~~~~~~~~~~~~~~~~~~~~ -We want to create a query that checks for destructors that should be ``virtual``. Specifically, when a class and a class derived from it both have destructors, the base class destructor should generally be virtual. This ensures that the derived class destructor is always invoked. A ``Destructor`` in QL is a subtype of ``MemberFunction``: +We want to create a query that checks for destructors that should be ``virtual``. Specifically, when a class and a class derived from it both have destructors, the base class destructor should generally be virtual. This ensures that the derived class destructor is always invoked. In the CodeQL library, ``Destructor`` is a subtype of ``MemberFunction``: - ``Function`` @@ -221,13 +221,13 @@ Our last change is to use ``Function.isVirtual()`` to find cases where the base That completes the query. -There is a similar built-in LGTM `query `__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the QL code for this query by clicking **Open in query console** at the top of that page. +There is a similar built-in LGTM `query `__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the code for this query by clicking **Open in query console** at the top of that page. What next? ---------- - Explore other ways of querying classes using examples from the `C/C++ cookbook `__. - Take a look at the :doc:`Analyzing data flow in C/C++ ` tutorial. -- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields ` and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator `. +- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields `, and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. diff --git a/docs/language/learn-ql/cpp/dataflow.rst b/docs/language/learn-ql/cpp/dataflow.rst index 4867f3daf47..89f25913fbc 100644 --- a/docs/language/learn-ql/cpp/dataflow.rst +++ b/docs/language/learn-ql/cpp/dataflow.rst @@ -4,10 +4,10 @@ Analyzing data flow in C/C++ Overview -------- -This topic describes how data flow analysis is implemented in the QL for C/C++ library and includes examples to help you write your own data flow queries. -The following sections describe how to utilize the QL libraries for local data flow, global data flow and taint tracking. +This topic describes how data flow analysis is implemented in the CodeQL libraries for C/C++ and includes examples to help you write your own data flow queries. +The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking. -For a more general introduction to modeling data flow in QL, see :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`. +For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`. Local data flow --------------- @@ -166,6 +166,7 @@ The following predicates are defined in the configuration: - ``isSource``—defines where data may flow from - ``isSink``—defines where data may flow to - ``isBarrier``—optional, restricts the data flow +- ``isBarrierGuard``—optional, restricts the data flow - ``isAdditionalFlowStep``—optional, adds additional flow steps The characteristic predicate ``MyDataFlowConfiguration()`` defines the name of the configuration, so ``"MyDataFlowConfiguration"`` should be replaced by the name of your class. @@ -204,6 +205,7 @@ The following predicates are defined in the configuration: - ``isSource``—defines where taint may flow from - ``isSink``—defines where taint may flow to - ``isSanitizer``—optional, restricts the taint flow +- ``isSanitizerGuard``—optional, restricts the taint flow - ``isAdditionalTaintStep``—optional, adds additional taint steps Similar to global data flow, the characteristic predicate ``MyTaintTrackingConfiguration()`` defines the unique name of the configuration, so ``"MyTaintTrackingConfiguration"`` should be replaced by the name of your class. diff --git a/docs/language/learn-ql/cpp/expressions-types.rst b/docs/language/learn-ql/cpp/expressions-types.rst index d6bd0b2c740..1595d594683 100644 --- a/docs/language/learn-ql/cpp/expressions-types.rst +++ b/docs/language/learn-ql/cpp/expressions-types.rst @@ -4,12 +4,12 @@ Tutorial: Expressions, types and statements Overview -------- -This topic contains worked examples of how to write queries using the standard QL library classes for C/C++ expressions, types, and statements. +This topic contains worked examples of how to write queries using the standard CodeQL library classes for C/C++ expressions, types, and statements. Expressions and types --------------------- -Each part of an expression in C becomes an instance of the QL ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these QL classes extend ``Expr``. +Each part of an expression in C becomes an instance of the ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these CodeQL classes extend ``Expr``. Finding assignments to zero ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -26,7 +26,7 @@ In the following example we find instances of ``AssignExpr`` which assign the co ➤ `See this in the query console `__ -The ``where`` clause in this example gets the expression on the right side of the assignment, ``getRValue()``, and compares it with zero. Notice that there are no checks to make sure that the right side of the assignment is an integer or that it has a value (that is, it is compile-time constant, rather than a variable). For expressions where either of these assumptions is wrong, the associated QL predicate simply does not return anything and the ``where`` clause will not produce a result. You could think of it as if there is an implicit ``exists(e.getRValue().getValue().toInt())`` at the beginning of this line. +The ``where`` clause in this example gets the expression on the right side of the assignment, ``getRValue()``, and compares it with zero. Notice that there are no checks to make sure that the right side of the assignment is an integer or that it has a value (that is, it is compile-time constant, rather than a variable). For expressions where either of these assumptions is wrong, the associated predicate simply does not return anything and the ``where`` clause will not produce a result. You could think of it as if there is an implicit ``exists(e.getRValue().getValue().toInt())`` at the beginning of this line. It is also worth noting that the query above would find this C code: @@ -34,7 +34,7 @@ It is also worth noting that the query above would find this C code: yPtr = NULL; -This is because the snapshot contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation `__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the snapshot. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers. +This is because the database contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation `__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the database. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers. Finding assignments of 0 to an integer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/language/learn-ql/cpp/function-classes.rst b/docs/language/learn-ql/cpp/function-classes.rst index e8f0f743722..51f07a8d0f0 100644 --- a/docs/language/learn-ql/cpp/function-classes.rst +++ b/docs/language/learn-ql/cpp/function-classes.rst @@ -4,14 +4,14 @@ Tutorial: Function classes Overview -------- -The standard QL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries `). +The standard CodeQL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries `). The example queries in this topic explore some of the most useful library predicates for querying functions. Finding all static functions ---------------------------- -Using the member predicate ``Function.isStatic()`` we can list all of the static functions in a snapshot: +Using the member predicate ``Function.isStatic()`` we can list all the static functions in a database: .. code-block:: ql @@ -26,7 +26,7 @@ This query is very general, so there are probably too many results to be interes Finding functions that are not called ------------------------------------- -It might be more interesting to find functions that are not called, using the standard QL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries `). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate. +It might be more interesting to find functions that are not called, using the standard CodeQL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries `). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate. .. code-block:: ql @@ -58,9 +58,9 @@ You can modify the query to remove functions where a function pointer is used to This query returns fewer results. However, if you examine the results then you can probably still find potential refinements. -For example, there is a more complicated LGTM `query `__ that finds unused static functions. To see the QL code for this query, click **Open in query console** at the top of the page. +For example, there is a more complicated LGTM `query `__ that finds unused static functions. To see the code for this query, click **Open in query console** at the top of the page. - You can explore the definition of an element in the standard QL libraries and see what predicates are available. Use the keyboard **F3** button to open the definition of any element. Alternatively, hover over the element and click **Jump to definition** in the tooltip displayed. The library file is opened in a new tab with the definition highlighted. + You can explore the definition of an element in the standard libraries and see what predicates are available. Use the keyboard **F3** button to open the definition of any element. Alternatively, hover over the element and click **Jump to definition** in the tooltip displayed. The library file is opened in a new tab with the definition highlighted. Finding a specific function --------------------------- diff --git a/docs/language/learn-ql/cpp/introduce-libraries-cpp.rst b/docs/language/learn-ql/cpp/introduce-libraries-cpp.rst index 1ab7cdd1498..6bea8d40c2c 100644 --- a/docs/language/learn-ql/cpp/introduce-libraries-cpp.rst +++ b/docs/language/learn-ql/cpp/introduce-libraries-cpp.rst @@ -1,23 +1,23 @@ -Introducing the C/C++ libraries -=============================== +Introducing the CodeQL libraries for C/C++ +========================================== Overview -------- -There is an extensive QL library for analyzing snapshots extracted from C/C++ projects. The QL classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all of the core C/C++ library modules, so you can include the complete library by beginning your query with: +There is an extensive library for analyzing CodeQL databases extracted from C/C++ projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all the core C/C++ library modules, so you can include the complete library by beginning your query with: .. code-block:: ql import cpp -The rest of this topic summarizes available QL classes and corresponding C/C++ constructs. +The rest of this topic summarizes the available CodeQL classes and corresponding C/C++ constructs. -NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; QL library files are opened in new tabs in the console. +NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; library files are opened in new tabs in the console. Summary of the library classes ------------------------------ -The most commonly used standard QL library classes are listed below. The listing is broken down by functionality. Each QL library class is annotated with a C/C++ construct it corresponds to. +The most commonly used standard library classes are listed below. The listing is broken down by functionality. Each library class is annotated with a C/C++ construct it corresponds to. Declaration classes ~~~~~~~~~~~~~~~~~~~ @@ -25,7 +25,7 @@ Declaration classes This table lists `Declaration `__ classes representing C/C++ declarations. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Example syntax | QL class | Remarks | +| Example syntax | CodeQL class | Remarks | +=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================================================================================================================================================================+====================================================================================================================================================================================================+ | ``int`` *var* ``;`` | `GlobalVariable `__ | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -154,7 +154,7 @@ Statement classes This table lists subclasses of `Stmt `__ representing C/C++ statements. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Example syntax | QL class | Remarks | +| Example syntax | CodeQL class | Remarks | +===============================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================================+ | ``__asm__ ("`` *movb %bh, (%eax)* ``");`` | `AsmStmt `__ | Specific to a given CPU instruction set | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -215,7 +215,7 @@ Expression classes This table lists subclasses of `Expr `__ representing C/C++ expressions. +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Example syntax | QL class(es) | Remarks | +| Example syntax | CodeQL class(es) | Remarks | +========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==========================================================================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================+ | ``{`` `Expr `__... ``}`` | | `ArrayAggregateLiteral `__ | | | | | `ClassAggregateLiteral `__ | | @@ -417,7 +417,7 @@ Type classes This table lists subclasses of `Type `__ representing C/C++ types. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Example syntax | QL class | Remarks | +| Example syntax | CodeQL class | Remarks | +=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+==================================================================================================================================================================================================================================================================================+ | ``void`` | `VoidType `__ | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -485,7 +485,7 @@ Preprocessor classes This table lists `Preprocessor `__ classes representing C/C++ preprocessing directives. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Example syntax | QL class | Remarks | +| Example syntax | CodeQL class | Remarks | +=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================+ | ``#elif`` *condition* | `PreprocessorElif `__ | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -522,6 +522,6 @@ This table lists `Preprocessor `, :doc:`Expressions, types and statements `, :doc:`Conversions and classes `, and :doc:`Analyzing data flow in C/C++ `. +- Experiment with the worked examples in the CodeQL for C/C++ topics: :doc:`Function classes `, :doc:`Expressions, types and statements `, :doc:`Conversions and classes `, and :doc:`Analyzing data flow in C/C++ `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. diff --git a/docs/language/learn-ql/cpp/private-field-initialization.rst b/docs/language/learn-ql/cpp/private-field-initialization.rst index 4aa155adeb0..26b57660142 100644 --- a/docs/language/learn-ql/cpp/private-field-initialization.rst +++ b/docs/language/learn-ql/cpp/private-field-initialization.rst @@ -4,7 +4,7 @@ Example: Checking that constructors initialize all private fields Overview -------- -This topic describes how a C++ query was developed. The example introduces recursive predicates and demonstrates the typical workflow used to refine a query. For a full overview of the topics available for learning to write QL queries for C/C++ code, see :doc:`QL for C/C++ `. +This topic describes how a C++ query was developed. The example introduces recursive predicates and demonstrates the typical workflow used to refine a query. For a full overview of the topics available for learning to write queries for C/C++ code, see :doc:`CodeQL for C/C++ `. Problem—finding every private field and checking for initialization ------------------------------------------------------------------- @@ -29,7 +29,7 @@ We can start by looking at every private field in a class and checking that ever #. ``f.isPrivate()`` checks if the field is private. #. ``not exists(Assignment a | a = f.getAnAssignment() and a.getEnclosingFunction() = c)`` checks that there is no assignment to the field in the constructor. -This QL code looks fairly complete, but when you test it on a project, there are several results that contain examples that we have overlooked. +This code looks fairly complete, but when you test it on a project, there are several results that contain examples that we have overlooked. Refinement 1—excluding fields initialized by lists -------------------------------------------------- @@ -62,7 +62,7 @@ These can be excluded by adding an extra condition to check for this special con Refinement 2—excluding fields initialized by external libraries --------------------------------------------------------------- -When you test the revised query, you may discover that fields from classes in external libraries are over-reported. This is often because a header file declares a constructor that is defined in a source file that is not analyzed (external libraries are often excluded from analysis). When the source code is analyzed, the snapshot is populated with a ``Constructor`` entry with no body. This ``constructor`` therefore contains no assignments and consequently the query reports that any fields initialized by the constructor are "uninitialized." There is no particular reason to be suspicious of these cases, and we can exclude them from the results by defining a condition to exclude constructors that have no body: +When you test the revised query, you may discover that fields from classes in external libraries are over-reported. This is often because a header file declares a constructor that is defined in a source file that is not analyzed (external libraries are often excluded from analysis). When the source code is analyzed, the CodeQL database is populated with a ``Constructor`` entry with no body. This ``constructor`` therefore contains no assignments and consequently the query reports that any fields initialized by the constructor are "uninitialized." There is no particular reason to be suspicious of these cases, and we can exclude them from the results by defining a condition to exclude constructors that have no body: .. code-block:: ql diff --git a/docs/language/learn-ql/cpp/ql-for-cpp.rst b/docs/language/learn-ql/cpp/ql-for-cpp.rst index 909d0e2e323..b1596c7de92 100644 --- a/docs/language/learn-ql/cpp/ql-for-cpp.rst +++ b/docs/language/learn-ql/cpp/ql-for-cpp.rst @@ -1,5 +1,5 @@ -QL for C/C++ -============ +CodeQL for C/C++ +================ .. toctree:: :glob: @@ -13,19 +13,19 @@ QL for C/C++ private-field-initialization zero-space-terminator -These topics provide an overview of the QL C/C++ standard libraries and show examples of how to write queries that use them. +These topics provide an overview of the CodeQL libraries for C/C++ and show examples of how to write queries that use them. -- `Basic C/C++ QL query `__ describes how to write and run queries using LGTM. +- `Basic C/C++ query `__ describes how to write and run queries using LGTM. -- :doc:`Introducing the QL libraries for C/C++ ` introduces the standard libraries used to write queries for C and C++ code. +- :doc:`Introducing the CodeQL libraries for C/C++ ` introduces the standard libraries used to write queries for C and C++ code. -- :doc:`Tutorial: Function classes ` demonstrates how to write queries using the standard QL library classes for C/C++ functions. +- :doc:`Tutorial: Function classes ` demonstrates how to write queries using the standard CodeQL library classes for C/C++ functions. -- :doc:`Tutorial: Expressions, types and statements ` demonstrates how to write queries using the standard QL library classes for C/C++ expressions, types and statements. +- :doc:`Tutorial: Expressions, types and statements ` demonstrates how to write queries using the standard CodeQL library classes for C/C++ expressions, types and statements. -- :doc:`Tutorial: Conversions and classes ` demonstrates how to write queries using the standard QL library classes for C/C++ conversions and classes. +- :doc:`Tutorial: Conversions and classes ` demonstrates how to write queries using the standard CodeQL library classes for C/C++ conversions and classes. -- :doc:`Tutorial: Analyzing data flow in C/C++ ` demonstrates how to write queries using the standard QL for C/C++ data flow and taint tracking libraries. +- :doc:`Tutorial: Analyzing data flow in C/C++ ` demonstrates how to write queries using the standard data flow and taint tracking libraries for C/C++. - :doc:`Example: Checking that constructors initialize all private fields ` works through the development of a query. It introduces recursive predicates and shows the typical workflow used to refine a query. @@ -51,6 +51,8 @@ Advanced libraries Other resources --------------- -- For examples of how to query common C/C++ elements, see the `C/C++ QL cookbook `__. -- For the queries used in LGTM, display a `C/C++ query `__ and click **Open in query console** to see the QL code used to find alerts. -- For more information about the C/C++ QL library see the `QL library for C/C++ `__. +.. TODO: Rename the cookbooks: C/C++ cookbook, or C/C++ CodeQL cookbook, or CodeQL cookbook for C/C++, or...? + +- For examples of how to query common C/C++ elements, see the `C/C++ cookbook `__. +- For the queries used in LGTM, display a `C/C++ query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for C/C++ see the `CodeQL library for C/C++ `__. diff --git a/docs/language/learn-ql/cpp/value-numbering-hash-cons.rst b/docs/language/learn-ql/cpp/value-numbering-hash-cons.rst index 7a1bbd2888b..e05f93dbae1 100644 --- a/docs/language/learn-ql/cpp/value-numbering-hash-cons.rst +++ b/docs/language/learn-ql/cpp/value-numbering-hash-cons.rst @@ -4,7 +4,7 @@ Hash consing and value numbering Overview -------- -In C and C++ QL databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically. +In C and C++ databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically. The `hash consing `__ library (defined in ``semmle.code.cpp.valuenumbering.HashCons``) provides a mechanism for identifying expressions that have the same syntactic structure. The `global value numbering `__ library (defined in ``semmle.code.cpp.valuenumbering.GlobalValueNumbering``) provides a mechanism for identifying expressions that compute the same value at runtime. diff --git a/docs/language/learn-ql/cpp/zero-space-terminator.rst b/docs/language/learn-ql/cpp/zero-space-terminator.rst index e977470ea6f..7026d9fa9ae 100644 --- a/docs/language/learn-ql/cpp/zero-space-terminator.rst +++ b/docs/language/learn-ql/cpp/zero-space-terminator.rst @@ -4,7 +4,7 @@ Example: Checking for allocations equal to ``strlen(string)`` without space for Overview -------- -This topic describes how a C/C++ query for detecting a potential buffer overflow was developed. For a full overview of the topics available for learning to write QL queries for C/C++ code, see :doc:`QL for C/C++ `. +This topic describes how a C/C++ query for detecting a potential buffer overflow was developed. For a full overview of the topics available for learning to write queries for C/C++ code, see :doc:`CodeQL for C/C++ `. Problem—detecting memory allocation that omits space for a null termination character ------------------------------------------------------------------------------------- @@ -32,7 +32,7 @@ Defining the entities of interest You could approach this problem either by searching for code similar to the call to ``malloc`` in line 3 or the call to ``strcpy`` in line 5 (see example above). For our basic query, we start with a simple assumption: any call to ``malloc`` with only a ``strlen`` to define the memory size is likely to cause an error when the memory is populated. -Calls to ``strlen`` can be identified using the library `StrlenCall `__ class, but we need to define a new class to identify calls to ``malloc``. Both the library class and the new class need to extend the standard QL class ``FunctionCall``, with the added restriction of the function name that they apply to: +Calls to ``strlen`` can be identified using the library `StrlenCall `__ class, but we need to define a new class to identify calls to ``malloc``. Both the library class and the new class need to extend the standard class ``FunctionCall``, with the added restriction of the function name that they apply to: .. code-block:: ql @@ -52,7 +52,7 @@ Calls to ``strlen`` can be identified using the library `StrlenCall `. +For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`. Local data flow --------------- @@ -548,6 +548,6 @@ This can be adapted from the ``SystemUriFlow`` class: What next? ---------- -- Learn about the QL standard libraries used to write queries for C# in :doc:`Introducing the C# libraries `. +- Learn about the standard libraries used to write queries for C# in :doc:`Introducing the C# libraries `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. diff --git a/docs/language/learn-ql/csharp/introduce-libraries-csharp.rst b/docs/language/learn-ql/csharp/introduce-libraries-csharp.rst index 43e6c11327c..32a782d5034 100644 --- a/docs/language/learn-ql/csharp/introduce-libraries-csharp.rst +++ b/docs/language/learn-ql/csharp/introduce-libraries-csharp.rst @@ -1,25 +1,23 @@ -Introducing the C# libraries -============================ +Introducing the CodeQL libraries for C# +======================================= Overview -------- -The C# QL libraries are a data model for analysis of C# code. QL is an object-oriented language, so the data model is represented as *QL classes*, which are organized into *QL libraries*. The QL classes are a layer of logic built on top of an underlying database. - -The core library is imported at the top of each query using: +There is an extensive library for analyzing CodeQL databases extracted from C# projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``csharp.qll`` imports all the core C# library modules, so you can include the complete library by beginning your query with: .. code-block:: ql import csharp -Since this is required for all C# queries, it is omitted from QL snippets below. +Since this is required for all C# queries, it is omitted from code snippets below. -The core library contains all the program elements, including `files <#files>`__, `types <#types>`__, methods, `variables <#variables>`__, `statements <#statements>`__, and `expressions <#expressions>`__. This is sufficient for most queries, however additional libraries can be imported for bespoke functionality such as control flow and data flow. See :doc:`QL for C# ` for information about these additional libraries. +The core library contains all the program elements, including `files <#files>`__, `types <#types>`__, methods, `variables <#variables>`__, `statements <#statements>`__, and `expressions <#expressions>`__. This is sufficient for most queries, however additional libraries can be imported for bespoke functionality such as control flow and data flow. See :doc:`CodeQL for C# ` for information about these additional libraries. Class hierarchies ~~~~~~~~~~~~~~~~~ -Each section contains a QL class hierarchy, showing the inheritance structure between QL classes. For example: +Each section contains a class hierarchy, showing the inheritance structure between CodeQL classes. For example: - ``Expr`` @@ -46,13 +44,13 @@ Each section contains a QL class hierarchy, showing the inheritance structure be This means that the class ``AddExpr`` extends class ``BinaryArithmeticOperation``, which in turn extends class ``ArithmeticOperation`` and so on. If you want to query any arithmetic operation, then use the class ``ArithmeticOperation``, but if you specifically want to limit the query to addition operations, then use the class ``AddExpr``. -QL classes can also be considered to be *sets*, and the ``extends`` relation between classes defines a subset. Every member of class ``AddExpr`` is also in the class ``BinaryArithmeticOperation``. In general, QL classes overlap and an entity can be a member of several classes. +Classes can also be considered to be *sets*, and the ``extends`` relation between classes defines a subset. Every member of class ``AddExpr`` is also in the class ``BinaryArithmeticOperation``. In general, classes overlap and an entity can be a member of several classes. This overview omits some of the less important or intermediate classes from the class hierarchy. Each class has predicates, which are logical propositions about that class. They also define navigable relationships between classes. Predicates are inherited, so for example the ``AddExpr`` class inherits the predicates ``getLeftOperand()`` and ``getRightOperand()`` from ``BinaryArithmeticOperation``, and ``getType()`` from class ``Expr``. This is similar to how methods are inherited in object-oriented programming languages. -In this overview, we present the most common and useful predicates. Consult the reference, QL source code, and autocomplete in the editor for the complete list of predicates available on each class. +In this overview, we present the most common and useful predicates. Consult the `reference `__, the CodeQL source code, and autocomplete in the editor for the complete list of predicates available on each class. Exercises ~~~~~~~~~ @@ -72,7 +70,7 @@ Exercise 1: Simplify the following query: Files ----- -Files are represented by the QL class `File `__, and directories by the QL class `Folder `__. The database contains all of the source files and assemblies used during the compilation. +Files are represented by the class `File `__, and directories by the class `Folder `__. The database contains all of the source files and assemblies used during the compilation. Class hierarchy ~~~~~~~~~~~~~~~ @@ -143,7 +141,7 @@ To list all elements in ``Main.cs``, their QL class and location: where e.getFile().getShortName() = "Main" select e, e.getAQlClass(), e.getLocation() -Note that ``getAQlClass()`` is available on all QL classes and is a useful way to figure out the QL class of something. Often the same element will have several QL classes which are all returned by ``getAQlClass()``. +Note that ``getAQlClass()`` is available on all entities and is a useful way to figure out the QL class of something. Often the same element will have several classes which are all returned by ``getAQlClass()``. Locations --------- @@ -234,7 +232,7 @@ Find declarations containing a username: Variables --------- -The QL class `Variable `__ represents C# variables, such as fields, parameters and local variables. The database contains all variables from the source code, as well as all fields and parameters from assemblies referenced by the program. +The class `Variable `__ represents C# variables, such as fields, parameters and local variables. The database contains all variables from the source code, as well as all fields and parameters from assemblies referenced by the program. Class hierarchy ~~~~~~~~~~~~~~~ @@ -283,7 +281,7 @@ Find all unused local variables: Types ----- -Types are represented by the QL class `Type `__ and consist of builtin types, interfaces, classes, structs, enums, and type parameters. The database contains types from the program and all referenced assemblies including mscorlib and the .NET framework. +Types are represented by the CodeQL class `Type `__ and consist of builtin types, interfaces, classes, structs, enums, and type parameters. The database contains types from the program and all referenced assemblies including mscorlib and the .NET framework. The builtin types (``object``, ``int``, ``double`` etc.) have corresponding types (``System.Object``, ``System.Int32`` etc.) in mscorlib. @@ -438,7 +436,7 @@ Exercise 5: Write a query to find all classes starting with the letter ``A``. (` Callables --------- -Callables are represented by the QL class `Callable `__ and are anything that can be called independently, such as methods, constructors, destructors, operators, anonymous functions, indexers, and property accessors. +Callables are represented by the class `Callable `__ and are anything that can be called independently, such as methods, constructors, destructors, operators, anonymous functions, indexers, and property accessors. The database contains all of the callables in your program and in all referenced assemblies. @@ -564,7 +562,7 @@ Find ``Main`` methods which are not ``private``: Statements ---------- -Statements are represented by the QL class `Stmt `__ and make up the body of methods (and other callables). The database contains all statements in the source code, but does not contain any statements from referenced assemblies where the source code is not available. +Statements are represented by the class `Stmt `__ and make up the body of methods (and other callables). The database contains all statements in the source code, but does not contain any statements from referenced assemblies where the source code is not available. Class hierarchy ~~~~~~~~~~~~~~~ @@ -922,7 +920,7 @@ Exercise 9: Limit the previous query to string types. Exclude empty passwords or Attributes ---------- -C# attributes are represented by the QL class `Attribute `__. They can be present on many C# elements, such as classes, methods, fields, and parameters. The database contains attributes from the source code and all assembly references. +C# attributes are represented by the class `Attribute `__. They can be present on many C# elements, such as classes, methods, fields, and parameters. The database contains attributes from the source code and all assembly references. The attribute of any ``Element`` can be obtained via ``getAnAttribute()``, whereas if you have an attribute, you can find its element via ``getTarget()``. The following two query fragments are identical: @@ -1122,6 +1120,6 @@ Here is the fixed version: What next? ---------- -- Visit :doc:`Tutorial: Analyzing data flow in C# ` to learn more about writing queries using the standard QL for C# data flow and taint tracking libraries. +- Visit :doc:`Tutorial: Analyzing data flow in C# ` to learn more about writing queries using the standard data flow and taint tracking libraries. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. \ No newline at end of file diff --git a/docs/language/learn-ql/csharp/ql-for-csharp.rst b/docs/language/learn-ql/csharp/ql-for-csharp.rst index 56d8f7ef017..013464ed036 100644 --- a/docs/language/learn-ql/csharp/ql-for-csharp.rst +++ b/docs/language/learn-ql/csharp/ql-for-csharp.rst @@ -1,5 +1,5 @@ -QL for C# -========= +CodeQL for C# +============= .. toctree:: :glob: @@ -8,17 +8,17 @@ QL for C# introduce-libraries-csharp dataflow -These topics provide an overview of the QL C# libraries and show examples of how to use them. +These topics provide an overview of the CodeQL libraries for C# and show examples of how to use them. -- `Basic C# QL query `__ describes how to write and run queries using LGTM. +- `Basic C# query `__ describes how to write and run queries using LGTM. -- :doc:`Introducing the C# libraries ` introduces the standard libraries used to write queries for C# code. +- :doc:`Introducing the CodeQL libraries for C# ` introduces the standard libraries used to write queries for C# code. .. raw:: html -- :doc:`Tutorial: Analyzing data flow in C# ` demonstrates how to write queries using the standard QL for C# data flow and taint tracking libraries. +- :doc:`Tutorial: Analyzing data flow in C# ` demonstrates how to write queries using the standard data flow and taint tracking libraries for C#. .. raw:: html @@ -35,6 +35,6 @@ These topics provide an overview of the QL C# libraries and show examples of how Other resources --------------- -- For examples of how to query common C# elements, see the `C# QL cookbook `__. -- For the queries used in LGTM, display a `C# query `__ and click **Open in query console** to see the QL code used to find alerts. -- For more information about the C/C++ QL library see the `QL library for C# `__. +- For examples of how to query common C# elements, see the `C# cookbook `__. +- For the queries used in LGTM, display a `C# query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for C# see the `CodeQL library for C# `__. diff --git a/docs/language/learn-ql/database.rst b/docs/language/learn-ql/database.rst new file mode 100644 index 00000000000..fe8e2e273ef --- /dev/null +++ b/docs/language/learn-ql/database.rst @@ -0,0 +1,33 @@ +What's in a CodeQL database? +============================ + +A CodeQL database contains a variety of data related to a particular code base at a particular point in time. For details of how the database is generated see `Database generation `__. + +The database contains a full, hierarchical representation of the program defined by the code base. The database schema varies according to the language analyzed. The schema provides an interface between the initial lexical analysis during the extraction process, and the actual complex analysis using CodeQL. When the source code languages being analyzed change (such as Java 7 evolving into Java 8), this interface between the analysis phases can also change. + +For each language, a CodeQL library defines classes to provide a layer of abstraction over the database tables. This provides an object-oriented view of the data which makes it easier to write queries. This is easiest to explain using an example. + +Example +------- + +For a Java program, two key tables are: + +- The ``expressions`` table containing a row for every single expression in the source code that was analyzed during the build process. +- The ``statements`` table containing a row for every single statement in the source code that was analyzed during the build process. + +The CodeQL library defines classes to provide a layer of abstraction over each of these tables (and the related auxiliary tables): ``Expr`` and ``Stmt``. + +Most classes in the library are similar: they are abstractions over one or more database tables. Looking at one of the libraries illustrates this: + +.. code-block:: ql + + class Expr extends StmtParent, @expr { + ... + + /** the location of this expression */ + Location getLocation() { exprs(this,_,_,result) } + + ... + } + +The ``Expr`` class, shown here, extends from the database type ``@expr``. Member predicates of the ``Expr`` class are implemented in terms of the database-provided ``exprs`` table. diff --git a/docs/language/learn-ql/go/ql-for-go.rst b/docs/language/learn-ql/go/ql-for-go.rst new file mode 100644 index 00000000000..baa390dc7c6 --- /dev/null +++ b/docs/language/learn-ql/go/ql-for-go.rst @@ -0,0 +1,13 @@ +CodeQL for Go +============= + +This page provides an overview of the CodeQL for Go documentation that is currently available. + +- `Basic Go query `__ describes how to write and run queries using LGTM. + + +Other resources +--------------- + +- For the queries used in LGTM, display a `Go query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for Go see the `CodeQL library for Go `__. \ No newline at end of file diff --git a/docs/language/learn-ql/index.rst b/docs/language/learn-ql/index.rst index 063b5d1fb3c..76649890131 100644 --- a/docs/language/learn-ql/index.rst +++ b/docs/language/learn-ql/index.rst @@ -1,14 +1,13 @@ -Learning QL -########### +Learning CodeQL +############### +CodeQL is the code analysis platform used by security researchers to automate `variant analysis `__. +You can use CodeQL queries to explore code and quickly find variants of security vulnerabilities and bugs. +These queries are easy to write and share–visit the topics below and `our open source repository on GitHub `__ to learn more. +You can also try out CodeQL in the `query console `__ on `LGTM.com `__. +Here, you can query open source projects directly, without having to download CodeQL databases and libraries. -`QL `__ is the query language used in Semmle's `variant analysis `__ engine. -You can use queries written in QL to explore code and quickly find variants of security vulnerabilities and bugs. -The QL language is also part of the technology behind `LGTM `__, Semmle's analysis platform that combines deep semantic code search with data science insights to help developers ship secure code. - -QL queries are easy to write and share–visit the topics below and `our open source repository on GitHub `__ to learn more. -You can also try out QL in the `query console `__ on `LGTM.com `__. -Here, you can write QL code to query open source projects directly, without having to download snapshots and libraries. +CodeQL is based on a powerful query language called QL. The following topics help you understand QL in general, as well as how to use it when analyzing code with CodeQL. .. _getting-started: @@ -25,10 +24,10 @@ If you are new to QL, start by looking at the following topics: beginner/ql-tutorials ql-etudes/river-crossing -QL training and variant analysis examples -****************************************** +CodeQL training and variant analysis examples +********************************************* -To start learning how to use QL in variant analysis for a specific language, see: +To start learning how to use CodeQL for variant analysis for code written in a specific language, see: .. toctree:: :maxdepth: -1 @@ -37,8 +36,8 @@ To start learning how to use QL in variant analysis for a specific language, see .. _writing-ql-queries: -Writing QL queries -****************** +Writing CodeQL queries +********************** To learn more about writing your own queries, see: @@ -48,7 +47,7 @@ To learn more about writing your own queries, see: writing-queries/writing-queries -For more information on writing QL to query code written in a specific language see: +For more information on using CodeQL to query code written in a specific language, see: .. toctree:: :maxdepth: 2 @@ -57,6 +56,7 @@ For more information on writing QL to query code written in a specific language cpp/ql-for-cpp csharp/ql-for-csharp cobol/ql-for-cobol + go/ql-for-go java/ql-for-java javascript/ql-for-javascript python/ql-for-python @@ -76,10 +76,10 @@ For more technical information see: Reference topics **************** -For a more comprehensive guide to QL see the following reference topics: +For a more comprehensive guide to the query language itself, see the following reference topics: -- `QL language handbook `__—a description of important concepts in QL -- `QL language specification `__—a formal specification of the QL language. +- `QL language handbook `__—a description of important concepts in QL. +- `QL language specification `__—a formal specification of QL. Search ****** diff --git a/docs/language/learn-ql/intro-to-data-flow.rst b/docs/language/learn-ql/intro-to-data-flow.rst index 024df3525e8..fcd907af947 100644 --- a/docs/language/learn-ql/intro-to-data-flow.rst +++ b/docs/language/learn-ql/intro-to-data-flow.rst @@ -1,15 +1,15 @@ -Introduction to data flow analysis in QL -######################################## +Introduction to data flow analysis with CodeQL +############################################## Overview ******** Data flow analysis computes the possible values that a variable can hold at various points in a program, determining how those values propagate through the program and where they are used. -Many of Semmle's built-in security queries implement data flow analysis, which can highlight the fate of potentially malicious or insecure data that can cause vulnerabilities in your code base. +Many CodeQL security queries implement data flow analysis, which can highlight the fate of potentially malicious or insecure data that can cause vulnerabilities in your code base. These queries help you understand if data is used in an insecure way, whether dangerous arguments are passed to functions, or whether sensitive data can leak. -As well as highlighting potential security issues, you can also use data flow analysis to understand other aspects of how a program behaves, by finding, for example, uses of unititialized variables and resource leaks. +As well as highlighting potential security issues, you can also use data flow analysis to understand other aspects of how a program behaves, by finding, for example, uses of uninitialized variables and resource leaks. -The following sections provide a brief introduction to data flow analysis in QL. +The following sections provide a brief introduction to data flow analysis with CodeQL. See the following tutorials for more information about analyzing data flow in specific languages: @@ -30,7 +30,7 @@ See the following tutorials for more information about analyzing data flow in sp Data flow graph *************** -The QL data flow libraries implement data flow analysis on a program or function by modeling its data flow graph. +The CodeQL data flow libraries implement data flow analysis on a program or function by modeling its data flow graph. Unlike the `abstract syntax tree `__, the data flow graph does not reflect the syntactic structure of the program, but models the way data flows through the program at runtime. Nodes in the abstract syntax tree represent syntactic elements such as statements or expressions. Nodes in the data flow graph, on the other hand, represent semantic elements that carry values at runtime. @@ -58,18 +58,18 @@ Computing an accurate and complete data flow graph presents several challenges: - Aliasing between variables can result in a single write changing the value that multiple pointers point to. - The data flow graph can be very large and slow to compute. -To overcome these potential problems, two kinds of data flow are modeled in the QL libraries: +To overcome these potential problems, two kinds of data flow are modeled in the libraries: -- Local data flow, concerning the data flow within a single function. When reasoning about local, you only considers edges between data flow nodes belonging to the same function.It is generally sufficiently fast, efficient and precise for many queries, and it is usually possible to compute the local data flow for all functions in a snapshot. +- Local data flow, concerning the data flow within a single function. When reasoning about local data flow, you only consider edges between data flow nodes belonging to the same function. It is generally sufficiently fast, efficient and precise for many queries, and it is usually possible to compute the local data flow for all functions in a CodeQL database. - Global data flow, effectively considers the data flow within an entire program, by calculating data flow between functions and through object properties. Computing global data flow is typically more time and energy intensive than local data flow, therefore queries should be refined to look for more specific sources and sinks. -Many of the built-in queries included in the latest Semmle release contain examples of both local and global data flow analysis. See `the built-in queries `__ for details. +Many CodeQL queries contain examples of both local and global data flow analysis. See `the built-in queries `__ for details. Normal data flow vs taint tracking ********************************** -In the QL standard libraries, we make a distinction between 'normal' data flow and taint tracking. +In the standard libraries, we make a distinction between 'normal' data flow and taint tracking. The normal data flow libraries are used to analyze the information flow in which data values are preserved at each step. For example, if you are tracking an insecure object ``x`` (which might be some untrusted or potentially malicious data), a step in the program may 'change' its value. So, in a simple process such as ``y = x + 1``, a normal data flow analysis will highlight the use of ``x``, but not ``y``. @@ -81,5 +81,5 @@ These flow steps are modeled in the taint-tracking library using predicates that What next? ********** -- Search for ``DataFlow`` and ``TaintTracking`` in the `QL standard libraries `__ to learn more about the technical implementation of data flow analysis in QL for specific programming languages. -- Visit `Learning QL `__ to find language-specific QL tutorials on data flow and other topics. +- Search for ``DataFlow`` and ``TaintTracking`` in the `standard CodeQL libraries `__ to learn more about the technical implementation of data flow analysis for specific programming languages. +- Visit `Learning CodeQL `__ to find language-specific tutorials on data flow and other topics. diff --git a/docs/language/learn-ql/introduction-to-ql.rst b/docs/language/learn-ql/introduction-to-ql.rst index 737c593fb4a..e54fd9b3c69 100644 --- a/docs/language/learn-ql/introduction-to-ql.rst +++ b/docs/language/learn-ql/introduction-to-ql.rst @@ -1,18 +1,22 @@ -Introduction to the QL language -=============================== +Introduction to QL +================== -QL is a powerful query language that is used to analyze code. Queries written in QL can be used to find errors and uncover variants of important security vulnerabilities. Visit Semmle's `security research page `__ to read about examples of vulnerabilities that we have recently found in open source projects using QL queries. +QL is the powerful query language that underlies CodeQL, which is used to analyze code. +Queries written with CodeQL can find errors and uncover variants of important security vulnerabilities. +Visit Semmle's `security research page `__ to read about examples of vulnerabilities that we have recently found in open source projects. + +Before diving into code analysis with CodeQL, it can be helpful to learn about the underlying language more generally. QL is a logic programming language, so it is built up of logical formulas. QL uses common logical connectives (such as ``and``, ``or``, and ``not``), quantifiers (such as ``forall`` and ``exists``), and other important logical concepts such as predicates. -QL also supports recursion and aggregates. This allows you to write complex recursive queries using simple QL syntax and directly use aggregates such as ``count``, ``sum`` and ``average``. +QL also supports recursion and aggregates. This allows you to write complex recursive queries using simple QL syntax and directly use aggregates such as ``count``, ``sum``, and ``average``. Basic syntax ------------ -The basic syntax will look familiar to anyone who has used SQL, but it is used somewhat differently. +The basic syntax of QL will look familiar to anyone who has used SQL, but it is used somewhat differently. -A QL query is defined by a **select** clause, which specifies what the result of the query should be. You can try out the examples and exercises in this topic directly in LGTM. Open the `query console `__. Before you can run a query, you need to select a language and project to query (for these logic examples, any language and project will do). +A query is defined by a **select** clause, which specifies what the result of the query should be. You can try out the examples and exercises in this topic directly in LGTM. Open the `query console `__. Before you can run a query, you need to select a language and project to query (for these logic examples, any language and project will do). Once you have selected a language, the query console is populated with the query: @@ -110,9 +114,12 @@ To simplify the query, we can introduce a class ``SmallInt`` representing the in ➤ `See this in the query console `__ -Now that you've seen some general examples, let's use QL queries to analyze projects. In particular, LGTM generates a database representing the code and then QL is used to query this database. See `Database generation `__ for more details on how the database is built. +Now that you've seen some general examples, let's use the CodeQL libraries to analyze projects. +In particular, LGTM generates a database representing the code and then CodeQL is used to query this database. See `Database generation `__ for more details on how the database is built. -The previous exercises just used the primitive types built in to QL. Although we chose a project to query, they did not use the project-specific database. The following example queries *do* use these databases and give you an idea of what QL can be used for. There are more details about how to write QL `below <#learning-ql>`__, so don't worry if you don't fully understand these examples yet! +.. XX: Perhaps a link to the "CodeQL libraries for X"? + +The previous exercises just used the primitive types built in to QL. Although we chose a project to query, they did not use the project-specific database. The following example queries *do* use these databases and give you an idea of what CodeQL can be used for. There are more details about how to use CodeQL `below <#learning-ql>`__, so don't worry if you don't fully understand these examples yet! Python ~~~~~~ @@ -153,9 +160,9 @@ Java ➤ `See this in the query console `__. The ``from`` clause defines a variable ``p`` representing a parameter. The ``where`` clause finds unused parameters by limiting the parameters ``p`` to those which are not accessed. Finally, the ``select`` clause lists these parameters. -Learning QL ------------ +Learning CodeQL +--------------- -- To find out more about how to write your own QL queries, try working through the :doc:`QL detective tutorials `. -- For an overview of the other available resources, see :doc:`Learning QL <../index>`. -- For a more technical description of QL, see :doc:`About QL `. +- To find out more about how to write your own queries, try working through the :doc:`QL detective tutorials `. +- For an overview of the other available resources, see :doc:`Learning CodeQL <../index>`. +- For a more technical description of the underlying language, see :doc:`About QL `. diff --git a/docs/language/learn-ql/java/annotations.rst b/docs/language/learn-ql/java/annotations.rst index 2808633dcf1..9fbb70776c4 100644 --- a/docs/language/learn-ql/java/annotations.rst +++ b/docs/language/learn-ql/java/annotations.rst @@ -4,9 +4,9 @@ Tutorial: Annotations Overview -------- -Snapshots of Java projects contain information about all annotations attached to program elements. +CodeQL databases of Java projects contain information about all annotations attached to program elements. -In QL, annotations are represented as follows: +Annotations are represented by the following CodeQL classes: - The class ``Annotatable`` represents all entities that may have an annotation attached to them (that is, packages, reference types, fields, methods, and local variables). - The class ``AnnotationType`` represents a Java annotation type, such as ``java.lang.Override``; annotation types are interfaces. @@ -23,7 +23,7 @@ As an example, recall that the Java standard library defines an annotation ``Sup String[] value; } -In QL, ``SuppressWarnings`` is represented as an ``AnnotationType``, with ``value`` as its only ``AnnotationElement``. +``SuppressWarnings`` is represented as an ``AnnotationType``, with ``value`` as its only ``AnnotationElement``. A typical usage of ``SuppressWarnings`` would be the following annotation to prevent a warning about using raw types: @@ -35,7 +35,7 @@ A typical usage of ``SuppressWarnings`` would be the following annotation to pre } } -In QL, the expression ``@SuppressWarnings("rawtypes")`` is represented as an ``Annotation``. The string literal ``"rawtypes"`` is used to initialize the annotation element ``value``, and its value can be extracted from the annotation by means of the ``getValue`` predicate. +The expression ``@SuppressWarnings("rawtypes")`` is represented as an ``Annotation``. The string literal ``"rawtypes"`` is used to initialize the annotation element ``value``, and its value can be extracted from the annotation by means of the ``getValue`` predicate. We could then write the following query to find all ``@SuppressWarnings`` annotations attached to constructors, and return both the annotation itself and the value of its ``value`` element: @@ -101,7 +101,7 @@ As a first step, let us write a query that finds all ``@Override`` annotations. where ann.getType().hasQualifiedName("java.lang", "Override") select ann -As always, it is a good idea to try this query on a Java snapshot to make sure it actually produces some results. On the earlier example, it should find the annotation on ``Sub1.m``. Next, we encapsulate the concept of an ``@Override`` annotation as a QL class: +As always, it is a good idea to try this query on a CodeQL database for a Java project to make sure it actually produces some results. On the earlier example, it should find the annotation on ``Sub1.m``. Next, we encapsulate the concept of an ``@Override`` annotation as a CodeQL class: :: @@ -147,7 +147,7 @@ For example, consider the following example program: Here, both ``A.m`` and ``A.n`` are marked as deprecated. Methods ``n`` and ``r`` both call ``m``, but note that ``n`` itself is deprecated, so we probably should not warn about this call. -Like in the previous example, we start by defining a QL class for representing ``@Deprecated`` annotations: +Like in the previous example, we start by defining a class for representing ``@Deprecated`` annotations: .. code-block:: ql @@ -204,7 +204,7 @@ For instance, consider this slightly updated example: Here, the programmer has explicitly suppressed warnings about deprecated calls in ``A.r``, so our query should not flag the call to ``A.m`` any more. -To do so, we first introduce a QL class for representing all ``@SuppressWarnings`` annotations where the string ``deprecated`` occurs among the list of warnings to suppress: +To do so, we first introduce a class for representing all ``@SuppressWarnings`` annotations where the string ``deprecated`` occurs among the list of warnings to suppress: .. code-block:: ql @@ -238,6 +238,6 @@ Now we can extend our query to filter out calls in methods carrying a ``Suppress What next? ---------- -- Take a look at some of the other tutorials: :doc:`Tutorial: Javadoc `, :doc:`Tutorial: Working with source locations `. -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Take a look at some of the other tutorials: :doc:`Tutorial: Javadoc ` and :doc:`Tutorial: Working with source locations `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/java/ast-class-reference.rst b/docs/language/learn-ql/java/ast-class-reference.rst index e9fcc4b1d6a..268b95acac5 100644 --- a/docs/language/learn-ql/java/ast-class-reference.rst +++ b/docs/language/learn-ql/java/ast-class-reference.rst @@ -15,7 +15,7 @@ Statement classes This table lists all subclasses of `Stmt`_. +------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+---------------------------------------------+ -| Statement syntax | QL class | Superclasses | Remarks | +| Statement syntax | CodeQL class | Superclasses | Remarks | +========================================================================+===========================================================================================================================================================+===================================+=============================================+ | ``;`` | `EmptyStmt `__ | | | +------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+---------------------------------------------+ @@ -87,7 +87,7 @@ Literals All classes in this subsection are subclasses of `Literal `__. +---------------------------+--------------------------+ -| Expression syntax example | QL class | +| Expression syntax example | CodeQL class | +===========================+==========================+ | ``true`` | ``BooleanLiteral`` | +---------------------------+--------------------------+ @@ -112,7 +112,7 @@ Unary expressions All classes in this subsection are subclasses of `UnaryExpr `__. +---------------------------+-----------------+---------------------+---------------------------------------------------+ -| Expression syntax example | QL class | Superclasses | Remarks | +| Expression syntax example | CodeQL class | Superclasses | Remarks | +===========================+=================+=====================+===================================================+ | ``x++`` | ``PostIncExpr`` | ``UnaryAssignExpr`` | | +---------------------------+-----------------+---------------------+---------------------------------------------------+ @@ -137,7 +137,7 @@ Binary expressions All classes in this subsection are subclasses of `BinaryExpr `__. +---------------------------+--------------------+--------------------+ -| Expression syntax example | QL class | Superclasses | +| Expression syntax example | CodeQL class | Superclasses | +===========================+====================+====================+ | ``x * y`` | ``MulExpr`` | | +---------------------------+--------------------+--------------------+ @@ -184,7 +184,7 @@ Assignment expressions All classes in this table are subclasses of `Assignment `__. +---------------------------+-----------------------+--------------+ -| Expression syntax example | QL class | Superclasses | +| Expression syntax example | CodeQL class | Superclasses | +===========================+=======================+==============+ | ``x = y`` | ``AssignExpr`` | | +---------------------------+-----------------------+--------------+ @@ -215,7 +215,7 @@ Accesses ~~~~~~~~ +--------------------------------------+-------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax examples | QL class | +| Expression syntax examples | CodeQL class | +======================================+=========================================================================================================================+ | ``this`` | `ThisAccess `__ | +--------------------------------------+ + @@ -250,7 +250,7 @@ Miscellaneous ~~~~~~~~~~~~~ +------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+ -| Expression syntax examples | QL class | Remarks | +| Expression syntax examples | CodeQL class | Remarks | +==================================================================+=======================================================================================================================+=============================================================================+ | ``(int) f`` | `CastExpr `__ | | +------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------+ diff --git a/docs/language/learn-ql/java/call-graph.rst b/docs/language/learn-ql/java/call-graph.rst index 4be0153fca4..bb24c2d8550 100644 --- a/docs/language/learn-ql/java/call-graph.rst +++ b/docs/language/learn-ql/java/call-graph.rst @@ -4,7 +4,7 @@ Tutorial: Navigating the call graph Call graph API -------------- -The QL Java library provides two abstract classes for representing a program's call graph: ``Callable`` and ``Call``. The former is simply the common superclass of ``Method`` and ``Constructor``, the latter is a common superclass of ``MethodAccess``, ``ClassInstanceExpression``, ``ThisConstructorInvocationStmt`` and ``SuperConstructorInvocationStmt``. Simply put, a ``Callable`` is something that can be invoked, and a ``Call`` is something that invokes a ``Callable``. +The CodeQL library for Java provides two abstract classes for representing a program's call graph: ``Callable`` and ``Call``. The former is simply the common superclass of ``Method`` and ``Constructor``, the latter is a common superclass of ``MethodAccess``, ``ClassInstanceExpression``, ``ThisConstructorInvocationStmt`` and ``SuperConstructorInvocationStmt``. Simply put, a ``Callable`` is something that can be invoked, and a ``Call`` is something that invokes a ``Callable``. For example, in the following program all callables and calls have been annotated with comments: @@ -160,6 +160,6 @@ Finally, on many Java projects there are methods that are invoked indirectly by What next? ---------- -- Find out how to query metadata and white space: :doc:`Tutorial: Annotations `, :doc:`Tutorial: Javadoc `, :doc:`Tutorial: Working with source locations `. -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Find out how to query metadata and white space: :doc:`Tutorial: Annotations `, :doc:`Tutorial: Javadoc `, and :doc:`Tutorial: Working with source locations `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/java/dataflow.rst b/docs/language/learn-ql/java/dataflow.rst index 39a2b6d5f50..974579e1bcc 100644 --- a/docs/language/learn-ql/java/dataflow.rst +++ b/docs/language/learn-ql/java/dataflow.rst @@ -4,10 +4,10 @@ Analyzing data flow in Java Overview -------- -This topic describes how data flow analysis is implemented in the QL for Java library and includes examples to help you write your own data flow queries. -The following sections describe how to utilize the QL libraries for local data flow, global data flow and taint tracking. +This topic describes how data flow analysis is implemented in the CodeQL libraries for Java and includes examples to help you write your own data flow queries. +The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking. -For a more general introduction to modeling data flow in QL, see :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`. +For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`. Local data flow --------------- diff --git a/docs/language/learn-ql/java/expressions-statements.rst b/docs/language/learn-ql/java/expressions-statements.rst index 0dfaa9f18ed..b08f2cf0b8b 100644 --- a/docs/language/learn-ql/java/expressions-statements.rst +++ b/docs/language/learn-ql/java/expressions-statements.rst @@ -22,12 +22,12 @@ If ``l`` is bigger than 2\ :sup:`31`\ - 1 (the largest positive value of type `` All primitive numeric types have a maximum value, beyond which they will wrap around to their lowest possible value (called an "overflow"). For ``int``, this maximum value is 2\ :sup:`31`\ - 1. Type ``long`` can accommodate larger values up to a maximum of 2\ :sup:`63`\ - 1. In this example, this means that ``l`` can take on a value that is higher than the maximum for type ``int``; ``i`` will never be able to reach this value, instead overflowing and returning to a low value. -We will develop a query that finds code that looks like it might exhibit this kind of behavior. We will be using several of the standard QL library classes for representing statements and functions, a full list of which can be found in the :doc:`AST class reference `. +We will develop a query that finds code that looks like it might exhibit this kind of behavior. We will be using several of the standard library classes for representing statements and functions, a full list of which can be found in the :doc:`AST class reference `. Initial query ------------- -We start out by writing a query that finds less-than expressions (QL class ``LTExpr``) where the left operand is of type ``int`` and the right operand is of type ``long``: +We start out by writing a query that finds less-than expressions (CodeQL class ``LTExpr``) where the left operand is of type ``int`` and the right operand is of type ``long``: .. code-block:: ql @@ -57,7 +57,7 @@ Notice that we use the predicate ``getType`` (available on all subclasses of ``E The class ``LoopStmt`` is a common superclass of all loops, including, in particular, ``for`` loops as in our example above. While different kinds of loops have different syntax, they all have a loop condition, which can be accessed through predicate ``getCondition``. We use the reflexive transitive closure operator ``*`` applied to the ``getAChildExpr`` predicate to express the requirement that ``expr`` should be nested inside the loop condition. In particular, it can be the loop condition itself. -The final conjunct in the ``where`` clause takes advantage of the fact that QL predicates can return more than one value (they are really relations). In particular, ``getAnOperand`` may return *either* operand of ``expr``, so ``expr.getAnOperand().isCompileTimeConstant()`` holds if at least one of the operands is constant. Negating this condition means that the query will only find expressions where *neither* of the operands is constant. +The final conjunct in the ``where`` clause takes advantage of the fact that `predicates `__ can return more than one value (they are really relations). In particular, ``getAnOperand`` may return *either* operand of ``expr``, so ``expr.getAnOperand().isCompileTimeConstant()`` holds if at least one of the operands is constant. Negating this condition means that the query will only find expressions where *neither* of the operands is constant. Generalizing the query ---------------------- @@ -76,7 +76,7 @@ In order to compare the ranges of types, we define a predicate that returns the (pt.hasName("long") and result=64) } -We now want to generalize our query to apply to any comparison where the width of the type on the smaller end of the comparison is less than the width of the type on the greater end. Let us call such a comparison *overflow prone*, and introduce an abstract QL class to model it: +We now want to generalize our query to apply to any comparison where the width of the type on the smaller end of the comparison is less than the width of the type on the greater end. Let us call such a comparison *overflow prone*, and introduce an abstract class to model it: .. code-block:: ql @@ -121,6 +121,6 @@ Now we rewrite our query to make use of these new classes: What next? ---------- -- Have a look at some of the other tutorials: :doc:`Tutorial: Types and the class hierarchy `, :doc:`Tutorial: Navigating the call graph `, :doc:`Tutorial: Annotations `, :doc:`Tutorial: Javadoc `, :doc:`Tutorial: Working with source locations `. -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Have a look at some of the other tutorials: :doc:`Tutorial: Types and the class hierarchy `, :doc:`Tutorial: Navigating the call graph `, :doc:`Tutorial: Annotations `, :doc:`Tutorial: Javadoc `, and :doc:`Tutorial: Working with source locations `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/java/introduce-libraries-java.rst b/docs/language/learn-ql/java/introduce-libraries-java.rst index 9f37957e5c6..b3d5987ab41 100644 --- a/docs/language/learn-ql/java/introduce-libraries-java.rst +++ b/docs/language/learn-ql/java/introduce-libraries-java.rst @@ -1,25 +1,25 @@ -Introducing the QL libraries for Java -===================================== +Introducing the CodeQL libraries for Java +========================================= Overview -------- -There is an extensive QL library for analyzing Java code. The QL classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. +There is an extensive library for analyzing CodeQL databases extracted from Java projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. -The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``java.qll`` imports all other standard library modules, so you can include the complete library by beginning your query with: +The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``java.qll`` imports all the core Java library modules, so you can include the complete library by beginning your query with: .. code-block:: ql import java -The rest of this topic briefly summarizes the most important QL classes and predicates provided by this library. +The rest of this topic briefly summarizes the most important classes and predicates provided by this library. The example queries in this topic illustrate the types of results returned by different library classes. The results themselves are not interesting but can be used as the basis for developing a more complex query. The tutorial topics show how you can take a simple query and fine-tune it to find precisely the results you're interested in. Summary of the library classes ------------------------------ -The most important classes in the standard QL Java library can be grouped into five main categories: +The most important classes in the standard Java library can be grouped into five main categories: #. Classes for representing program elements (such as classes and methods) #. Classes for representing AST nodes (such as statements and expressions) @@ -89,7 +89,7 @@ Several more specialized classes are available as well: - A ``LocalClass``, which is `a class declared inside a method or constructor `__. - An ``AnonymousClass``, which is an `anonymous class `__. -Finally, the QL library also has a number of singleton classes that wrap frequently used Java standard library classes: ``TypeObject``, ``TypeCloneable``, ``TypeRuntime``, ``TypeSerializable``, ``TypeString``, ``TypeSystem`` and ``TypeClass``. Each QL class represents the standard Java class suggested by its name. +Finally, the library also has a number of singleton classes that wrap frequently used Java standard library classes: ``TypeObject``, ``TypeCloneable``, ``TypeRuntime``, ``TypeSerializable``, ``TypeString``, ``TypeSystem`` and ``TypeClass``. Each CodeQL class represents the standard Java class suggested by its name. As an example, we can write a query that finds all nested classes that directly extend ``Object``: @@ -160,7 +160,7 @@ As an example, the following query finds all type variables with type bound ``Nu ➤ `See this in the query console `__. When we ran it on the LGTM.com demo projects, the *neo4j/neo4j*, *gradle/gradle* and *hibernate/hibernate-orm* projects all contained examples of this pattern. -For dealing with legacy code that is unaware of generics, every generic type has a "raw" version without any type parameters. In QL, raw types are represented using class ``RawType``, which has the expected subclasses ``RawClass`` and ``RawInterface``. Again, there is a predicate ``getSourceDeclaration`` for obtaining the corresponding generic type. As an example, we can find variables of (raw) type ``Map``: +For dealing with legacy code that is unaware of generics, every generic type has a "raw" version without any type parameters. In the CodeQL libraries, raw types are represented using class ``RawType``, which has the expected subclasses ``RawClass`` and ``RawInterface``. Again, there is a predicate ``getSourceDeclaration`` for obtaining the corresponding generic type. As an example, we can find variables of (raw) type ``Map``: .. code-block:: ql @@ -342,7 +342,7 @@ For example, the following query finds methods with a `cyclomatic complexity `, :doc:`Expressions and statements `, :doc:`Navigating the call graph `, :doc:`Annotations `, :doc:`Javadoc ` and :doc:`Working with source locations `. -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Experiment with the worked examples in the CodeQL for Java tutorial topics: :doc:`Types and the class hierarchy `, :doc:`Expressions and statements `, :doc:`Navigating the call graph `, :doc:`Annotations `, :doc:`Javadoc ` and :doc:`Working with source locations `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/java/javadoc.rst b/docs/language/learn-ql/java/javadoc.rst index 4b76da9c1fa..bd0a11b9132 100644 --- a/docs/language/learn-ql/java/javadoc.rst +++ b/docs/language/learn-ql/java/javadoc.rst @@ -49,7 +49,7 @@ The ``JavadocTag`` has several subclasses representing specific kinds of Javadoc Example: Finding spurious @param tags ------------------------------------- -As an example of using the QL Javadoc API, let us write a query that finds ``@param`` tags that refer to a non-existent parameter. +As an example of using the CodeQL Javadoc API, let us write a query that finds ``@param`` tags that refer to a non-existent parameter. For example, consider the following program: @@ -110,7 +110,7 @@ For example, consider the following Java program: Notice that the Javadoc comment of ``A.foo`` documents two thrown exceptions: ``IOException`` and ``RuntimeException``. The former is clearly spurious: ``A.foo`` does not have a ``throws IOException`` clause, and thus cannot throw this kind of exception. On the other hand, ``RuntimeException`` is an unchecked exception, so it can be thrown even if there is no explicit ``throws`` clause listing it. Therefore, our query should flag the ``@throws`` tag for ``IOException``, but not the one for ``RuntimeException.`` -Recall from above that QL represents ``@throws`` tags using class ``ThrowsTag``. This class does not provide a member predicate for determining the exception type that is being documented, so we first need to implement our own version. A simple version might look as follows: +Recall from above that the CodeQL library represents ``@throws`` tags using class ``ThrowsTag``. This class does not provide a member predicate for determining the exception type that is being documented, so we first need to implement our own version. A simple version might look as follows: .. code-block:: ql @@ -170,7 +170,7 @@ This program defines its own class ``IOException``, which is unrelated to the cl As an example of the second problem, method ``A.foo`` from our previous example was annotated with a ``@throws RuntimeException`` tag. Our current version of ``mayThrow``, however, would think that ``A.foo`` cannot throw a ``RuntimeException``, and thus flag the tag as spurious. -We can make ``mayThrow`` less restrictive by introducing a new QL class to represent unchecked exceptions, which are just the subtypes of ``java.lang.RuntimeException`` and ``java.lang.Error``: +We can make ``mayThrow`` less restrictive by introducing a new class to represent unchecked exceptions, which are just the subtypes of ``java.lang.RuntimeException`` and ``java.lang.Error``: .. code-block:: ql @@ -220,5 +220,5 @@ What next? ---------- - Find out how you can use the location API to define queries on whitespace: :doc:`Tutorial: Working with source locations `. -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/java/ql-for-java.rst b/docs/language/learn-ql/java/ql-for-java.rst index f09a5ae990d..aa26c5ba6bb 100644 --- a/docs/language/learn-ql/java/ql-for-java.rst +++ b/docs/language/learn-ql/java/ql-for-java.rst @@ -1,5 +1,5 @@ -QL for Java -=========== +CodeQL for Java +=============== .. toctree:: :glob: @@ -15,31 +15,31 @@ QL for Java source-locations ast-class-reference -These topics provide an overview of the QL Java standard library and show examples of how to use them. +These topics provide an overview of the CodeQL libraries for Java and show examples of how to use them. -- `Basic Java QL query `__ describes how to write and run queries using LGTM. +- `Basic Java query `__ describes how to write and run queries using LGTM. -- :doc:`Introducing the QL libraries for Java ` an introduction to the organization of the standard libraries used to write queries for Java code. +- :doc:`Introducing the CodeQL libraries for Java ` introduces the standard libraries used to write queries for Java code. -- :doc:`Tutorial: Analyzing data flow in Java ` demonstrates how to write queries using the standard QL for Java data flow and taint tracking libraries. +- :doc:`Tutorial: Analyzing data flow in Java ` demonstrates how to write queries using the standard data flow and taint tracking libraries for Java. -- :doc:`Tutorial: Types and the class hierarchy ` introduces the QL classes for representing a program's class hierarchy by means of examples. +- :doc:`Tutorial: Types and the class hierarchy ` introduces the classes for representing a program's class hierarchy by means of examples. -- :doc:`Tutorial: Expressions and statements ` introduces the QL classes for representing a program's syntactic structure by means of examples. +- :doc:`Tutorial: Expressions and statements ` introduces the classes for representing a program's syntactic structure by means of examples. -- :doc:`Tutorial: Navigating the call graph ` a worked example of how to write a query that navigates a program's call graph to find unused methods. +- :doc:`Tutorial: Navigating the call graph ` is a worked example of how to write a query that navigates a program's call graph to find unused methods. -- :doc:`Tutorial: Annotations ` introduces the QL classes for representing annotations by means of examples. +- :doc:`Tutorial: Annotations ` introduces the classes for representing annotations by means of examples. -- :doc:`Tutorial: Javadoc ` introduces the QL classes for representing Javadoc comments by means of examples. +- :doc:`Tutorial: Javadoc ` introduces the classes for representing Javadoc comments by means of examples. -- :doc:`Tutorial: Working with source locations ` a worked example of how to write a query that uses the location information provided in the snapshot for finding likely bugs. +- :doc:`Tutorial: Working with source locations ` is a worked example of how to write a query that uses the location information provided in the database for finding likely bugs. -- :doc:`AST class reference ` an overview of all AST classes in the QL standard library for Java. +- :doc:`AST class reference ` gives an overview of all AST classes in the standard CodeQL library for Java. Other resources --------------- -- For examples of how to query common Java elements, see the `Java QL cookbook `__. -- For the queries used in LGTM, display a `Java query `__ and click **Open in query console** to see the QL code used to find alerts. -- For more information about the Java QL library see the `QL library for Java `__. +- For examples of how to query common Java elements, see the `Java cookbook `__. +- For the queries used in LGTM, display a `Java query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for Java see the `CodeQL library for Java `__. diff --git a/docs/language/learn-ql/java/source-locations.rst b/docs/language/learn-ql/java/source-locations.rst index ebb40916d04..6e29777fab9 100644 --- a/docs/language/learn-ql/java/source-locations.rst +++ b/docs/language/learn-ql/java/source-locations.rst @@ -16,12 +16,12 @@ Note that the source layout gives a fairly clear indication of the intended mean We will now develop a query that finds this kind of suspicious nesting, where the operator of the inner expression has more white space around it than the operator of the outer expression. This pattern may not necessarily indicate a bug, but at the very least it makes the code hard to read and prone to misinterpretation. -White space is not directly represented in the snapshot database, but we can deduce its presence from the location information associated with program elements and AST nodes. So we will start by providing an overview of source location management in the QL standard library. +White space is not directly represented in the CodeQL database, but we can deduce its presence from the location information associated with program elements and AST nodes. So we will start by providing an overview of source location management in the standard library for Java. Location API ------------ -For every entity that has a representation in Java source code (including, in particular, program elements and AST nodes), the QL standard library provides the following predicates for accessing source location information: +For every entity that has a representation in Java source code (including, in particular, program elements and AST nodes), the standard CodeQL library provides the following predicates for accessing source location information: - ``getLocation`` returns a ``Location`` object describing the start and end position of the entity. - ``getFile`` returns a ``File`` object representing the file containing the entity. @@ -123,7 +123,7 @@ If we run this initial query, we might notice some false positives arising from i< start + 100 -Note that our predicate ``operatorWS`` computes the **total** amount of white space around the operator, which, in this case, is one for the ``<`` and two for the ``+``. Ideally, we would like to exclude cases where the amount of white space before and after the operator are not the same. Currently, snapshot databases do not record enough information to figure this out, but as an approximation we could require that the total number of white space characters is even: +Note that our predicate ``operatorWS`` computes the **total** amount of white space around the operator, which, in this case, is one for the ``<`` and two for the ``+``. Ideally, we would like to exclude cases where the amount of white space before and after the operator are not the same. Currently, CodeQL databases do not record enough information to figure this out, but as an approximation we could require that the total number of white space characters is even: .. code-block:: ql @@ -141,7 +141,7 @@ Note that our predicate ``operatorWS`` computes the **total** amount of white sp ➤ `See this in the query console `__. Any results will be refined by our changes to the query. -Another source of false positives are associative operators: in an expression of the form ``x + y+z``, the first plus is syntactically nested inside the second, since + in Java associates to the left; hence the expression is flagged as suspicious. But since + is associative to begin with, it does not matter which way around the operators are nested, so this is a false positive.To exclude these cases, let us define a new QL class identifying binary expressions with an associative operator: +Another source of false positives are associative operators: in an expression of the form ``x + y+z``, the first plus is syntactically nested inside the second, since + in Java associates to the left; hence the expression is flagged as suspicious. But since + is associative to begin with, it does not matter which way around the operators are nested, so this is a false positive.To exclude these cases, let us define a new class identifying binary expressions with an associative operator: .. code-block:: ql @@ -184,5 +184,5 @@ Whitespace suggests that the programmer meant to toggle ``i`` between zero and o What next? ---------- -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/java/types-class-hierarchy.rst b/docs/language/learn-ql/java/types-class-hierarchy.rst index cc7e6da4afd..7677c64965d 100644 --- a/docs/language/learn-ql/java/types-class-hierarchy.rst +++ b/docs/language/learn-ql/java/types-class-hierarchy.rst @@ -4,7 +4,7 @@ Tutorial: Types and the class hierarchy Overview -------- -The standard QL library for Java represents Java types by means of the ``Type`` class and its various subclasses. +The standard CodeQL library represents Java types by means of the ``Type`` class and its various subclasses. In particular, class ``PrimitiveType`` represents primitive types that are built into the Java language (such as ``boolean`` and ``int``), whereas ``RefType`` and its subclasses represent reference types, that is classes, interfaces, array types, and so on. This includes both types from the Java standard library (like ``java.lang.Object``) and types defined by non-library code. @@ -62,7 +62,7 @@ In this tutorial, we do not try to distinguish these two cases. Our query should - Both ``source`` and ``target`` are array types. - The element type of ``source`` is a transitive super type of the element type of ``target``. -This recipe is not too difficult to translate into a QL query: +This recipe is not too difficult to translate into a query: .. code-block:: ql @@ -93,7 +93,7 @@ In code that does not use generics, this method is often used in the following w Here, ``l`` has the raw type ``List``, so ``l.toArray`` has return type ``Object[]``, independent of the type of its argument array. Hence the cast goes from ``Object[]`` to ``A[]`` and will be flagged as problematic by our query, although at runtime this cast can never go wrong. -To identify these cases, we can create two QL classes that represent, respectively, the ``Collection.toArray`` class, and calls to this method or any method that overrides it: +To identify these cases, we can create two CodeQL classes that represent, respectively, the ``Collection.toArray`` class, and calls to this method or any method that overrides it: .. code-block:: ql @@ -160,7 +160,7 @@ Since ``zkProp`` is a map from ``Object`` to ``Object``, ``zkProp.entrySet`` ret In general, we want to find calls to ``Collection.contains`` (or any of its overriding methods in any parameterized instance of ``Collection``), such that the type ``E`` of collection elements and the type ``A`` of the argument to ``contains`` are unrelated, that is, they have no common subtype. -We start by creating a QL class that describes ``java.util.Collection``: +We start by creating a class that describes ``java.util.Collection``: .. code-block:: ql @@ -179,7 +179,7 @@ To make sure we have not mistyped anything, we can run a simple test query: This query should return precisely one result. -Next, we can create a QL class that describes ``java.util.Collection.contains``: +Next, we can create a class that describes ``java.util.Collection.contains``: .. code-block:: ql @@ -198,9 +198,9 @@ Notice that we use ``hasStringSignature`` to check that: Alternatively, we could have implemented these three checks more verbosely using ``hasName``, ``getNumberOfParameters``, and ``getParameter(0).getType() instanceof TypeObject``. -As before, it is a good idea to test the new QL class by running a simple query to select all instances of ``JavaUtilCollectionContains``; again there should only be a single result. +As before, it is a good idea to test the new class by running a simple query to select all instances of ``JavaUtilCollectionContains``; again there should only be a single result. -Now we want to identify all calls to ``Collection.contains``, including any methods that override it, and considering all parameterized instances of ``Collection`` and its subclasses. That is, we are looking for method accesses where the source declaration of the invoked method (reflexively or transitively) overrides ``Collection.contains``. We encode this in a QL class ``JavaUtilCollectionContainsCall``: +Now we want to identify all calls to ``Collection.contains``, including any methods that override it, and considering all parameterized instances of ``Collection`` and its subclasses. That is, we are looking for method accesses where the source declaration of the invoked method (reflexively or transitively) overrides ``Collection.contains``. We encode this in a CodeQL class ``JavaUtilCollectionContainsCall``: .. code-block:: ql @@ -230,7 +230,7 @@ For the latter, we proceed as follows: - Find a (reflexive or transitive) super type ``S`` of ``D`` that is a parameterized instance of ``java.util.Collection``. - Return the (only) type argument of ``S``. -We encode this in QL as follows: +We encode this as follows: .. code-block:: ql @@ -268,11 +268,11 @@ Now we are ready to write a first version of our query: Improvements ~~~~~~~~~~~~ -For many programs, this query yields a large number of false positive results due to type variables and wild cards: if the collection element type is some type variable ``E`` and the argument type is ``String``, for example, QL will consider that the two have no common subtype, and our query will flag the call. An easy way to exclude such false positive results is to simply require that neither ``collEltType`` nor ``argType`` are instances of ``TypeVariable``. +For many programs, this query yields a large number of false positive results due to type variables and wild cards: if the collection element type is some type variable ``E`` and the argument type is ``String``, for example, CodeQL will consider that the two have no common subtype, and our query will flag the call. An easy way to exclude such false positive results is to simply require that neither ``collEltType`` nor ``argType`` are instances of ``TypeVariable``. Another source of false positives is autoboxing of primitive types: if, for example, the collection's element type is ``Integer`` and the argument is of type ``int``, predicate ``haveCommonDescendant`` will fail, since ``int`` is not a ``RefType``. Thus, our query should check that ``collEltType`` is not the boxed type of ``argType``. -Finally, ``null`` is special because its type (known as ```` in QL) is compatible with every reference type, so we should exclude it from consideration. +Finally, ``null`` is special because its type (known as ```` in the CodeQL library) is compatible with every reference type, so we should exclude it from consideration. Adding these three improvements, our final query becomes: @@ -295,6 +295,6 @@ Adding these three improvements, our final query becomes: What next? ---------- -- Take a look at some of the other tutorials: :doc:`Tutorial: Expressions and statements `, :doc:`Tutorial: Navigating the call graph `, :doc:`Tutorial: Annotations `, :doc:`Tutorial: Javadoc `, :doc:`Tutorial: Working with source locations `. -- Find out how specific classes in the AST are represented in the QL standard library for Java: :doc:`AST class reference `. +- Take a look at some of the other tutorials: :doc:`Tutorial: Expressions and statements `, :doc:`Tutorial: Navigating the call graph `, :doc:`Tutorial: Annotations `, :doc:`Tutorial: Javadoc `, and :doc:`Tutorial: Working with source locations `. +- Find out how specific classes in the AST are represented in the standard library for Java: :doc:`AST class reference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/javascript/ast-class-reference.rst b/docs/language/learn-ql/javascript/ast-class-reference.rst index 1231f83c4cf..1b513b2d4ec 100644 --- a/docs/language/learn-ql/javascript/ast-class-reference.rst +++ b/docs/language/learn-ql/javascript/ast-class-reference.rst @@ -7,7 +7,7 @@ Statement classes This table lists subclasses of `Stmt `__ representing ECMAScript and TypeScript statements. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Statement syntax | QL class | Superclasses | Remarks | +| Statement syntax | CodeQL class | Superclasses | Remarks | +=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+==========================================================================================================================================================================================================================================================================================================================================================================================================================+===================================================================================================================================================================================================+ | `Expr `__ ``;`` | `ExprStmt `__ | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -105,7 +105,7 @@ Literals All classes in this subsection are subclasses of `Literal `__. +-------------------+------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | +| Expression syntax | CodeQL class | +===================+========================================================================================================================+ | ``true`` | `BooleanLiteral `__ | +-------------------+------------------------------------------------------------------------------------------------------------------------+ @@ -123,7 +123,7 @@ All classes in this subsection are subclasses of `Literal `__, which has subclasses to represent specific kinds of identifiers: +All identifiers are represented by the class `Identifier `__, which has subclasses to represent specific kinds of identifiers: - `VarAccess `__: an identifier that refers to a variable - `VarDecl `__: an identifier that declares a variable, for example ``x`` in ``var x = "hi"`` or in ``function(x) { }`` @@ -142,7 +142,7 @@ Primary expressions All classes in this subsection are subclasses of `Expr `__. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | Superclasses | Remarks | +| Expression syntax | CodeQL class | Superclasses | Remarks | +======================================================================================================================================================================================================================================================================+==========================================================================================================================================+======================================================================================================================+================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+ | ``this`` | `ThisExpr `__ | | | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -167,7 +167,7 @@ Properties All classes in this subsection are subclasses of `Property `__. Note that `Property `__ is not a subclass of `Expr `__. +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+ -| Property syntax | QL class | Superclasses | +| Property syntax | CodeQL class | Superclasses | +=====================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================+============================================================================================================================+ | `Identifier `__ ``:`` `Expr `__ | `ValueProperty `__ | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+ @@ -182,7 +182,7 @@ Property accesses All classes in this subsection are subclasses of `PropAccess `__. +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | +| Expression syntax | CodeQL class | +=========================================================================================================================================================================================================================+==============================================================================================================+ | `Expr `__ ``.`` `Identifier `__ | `DotExpr `__ | +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ @@ -195,7 +195,7 @@ Function calls and ``new`` All classes in this subsection are subclasses of `InvokeExpr `__. +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | Remarks | +| Expression syntax | CodeQL class | Remarks | +============================================================================================================================================================================================================================================================================================================================================+========================================================================================================================+==========================================================================================================================================================================================================================================================================================================================================================================+ | `Expr `__ ``(`` `Expr `__... ``)`` | `CallExpr `__ | | +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -210,7 +210,7 @@ Unary expressions All classes in this subsection are subclasses of `UnaryExpr `__. +---------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | +| Expression syntax | CodeQL class | +===============================================================================================================+======================================================================================================================+ | ``~`` `Expr `__ | `BitNotExpr `__ | +---------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------+ @@ -235,7 +235,7 @@ Binary expressions All classes in this subsection are subclasses of `BinaryExpr `__. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | Superclasses | +| Expression syntax | CodeQL class | Superclasses | +======================================================================================================================================================================================================================+========================================================================================================================+====================================================================================================================================================================================================================================+ | `Expr `__ ``*`` `Expr `__ | `MulExpr `__ | | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -292,7 +292,7 @@ Assignment expressions All classes in this table are subclasses of `Assignment `__. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | Superclasses | +| Expression syntax | CodeQL class | Superclasses | +================================================================================================================================================================================================================+==============================================================================================================================+================================================================================================================================+ | `Expr `__ ``=`` `Expr `__ | `AssignExpr `__ | | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ @@ -327,7 +327,7 @@ Update expressions All classes in this table are subclasses of `UpdateExpr `__. +-----------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | +| Expression syntax | CodeQL class | +===========================================================================================================+==================================================================================================================+ | `Expr `__ ``++`` | `PostIncExpr `__ | +-----------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------+ @@ -344,7 +344,7 @@ Miscellaneous All classes in this table are subclasses of `Expr `__. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ -| Expression syntax | QL class | +| Expression syntax | CodeQL class | +======================================================================================================================================================================================================================================================================================================================+==========================================================================================================================+ | `Expr `__ ``?`` `Expr `__ ``:`` `Expr `__ | `ConditionalExpr `__ | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------+ diff --git a/docs/language/learn-ql/javascript/dataflow-cheat-sheet.rst b/docs/language/learn-ql/javascript/dataflow-cheat-sheet.rst index 5159c26bf19..a2ff4309ee0 100644 --- a/docs/language/learn-ql/javascript/dataflow-cheat-sheet.rst +++ b/docs/language/learn-ql/javascript/dataflow-cheat-sheet.rst @@ -1,14 +1,14 @@ Data flow cheat sheet ===================== -This page describes parts of the JavaScript QL libraries commonly used for variant analysis and in data flow queries. +This page describes parts of the JavaScript libraries commonly used for variant analysis and in data flow queries. Taint tracking path queries --------------------------- Use the following template to create a taint tracking path query: -.. code-block:: ql +.. code-block:: ql /** * @kind path-problem @@ -134,10 +134,10 @@ Files - `File `__, `Folder `__ extends - `Container `__ -- file or folder in the snapshot + `Container `__ -- file or folder in the database - `getBaseName `__ -- the name of the file or folder - - `getRelativePath `__ -- path relative to the snapshot root + - `getRelativePath `__ -- path relative to the database root AST nodes --------- diff --git a/docs/language/learn-ql/javascript/dataflow.rst b/docs/language/learn-ql/javascript/dataflow.rst index 3cd41de6a84..15cd1ad7e46 100644 --- a/docs/language/learn-ql/javascript/dataflow.rst +++ b/docs/language/learn-ql/javascript/dataflow.rst @@ -4,13 +4,13 @@ Analyzing data flow in JavaScript and TypeScript Overview -------- -This topic describes how data flow analysis is implemented in the QL libraries for JavaScript/TypeScript and includes examples to help you write your own data flow queries. -The following sections describe how to utilize the QL libraries for local data flow, global data flow, and taint tracking. +This topic describes how data flow analysis is implemented in the CodeQL libraries for JavaScript/TypeScript and includes examples to help you write your own data flow queries. +The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking. As our running example, we will develop a query that identifies command-line arguments that are passed as a file path to the standard Node.js ``readFile`` function. While this is not a problematic pattern as such, it is typical of the kind of reasoning that is frequently used in security queries. -For a more general introduction to modeling data flow in QL, see :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`. +For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`. Data flow nodes --------------- @@ -174,7 +174,7 @@ There are two points worth making about the source node API: 2. Strings are not source nodes and cannot be tracked using this API. You can, however, use the ``mayHaveStringValue`` predicate on class ``DataFlow::Node`` to reason about the possible string values flowing into a data flow node. -For a full description of the ``DataFlow::SourceNode`` API, see the `QL JavaScript standard library `__. +For a full description of the ``DataFlow::SourceNode`` API, see the `JavaScript standard library `__. Exercises ~~~~~~~~~ diff --git a/docs/language/learn-ql/javascript/flow-labels.rst b/docs/language/learn-ql/javascript/flow-labels.rst index aa6ded8e7bc..c693319576d 100644 --- a/docs/language/learn-ql/javascript/flow-labels.rst +++ b/docs/language/learn-ql/javascript/flow-labels.rst @@ -393,6 +393,6 @@ string may be an absolute path and whether it may contain ``..`` components. What next? ---------- -- Learn about the QL standard libraries used to write queries for JavaScript in :doc:`Introducing the JavaScript libraries `. +- Learn about the standard CodeQL libraries used to write queries for JavaScript in :doc:`Introducing the JavaScript libraries `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. diff --git a/docs/language/learn-ql/javascript/introduce-libraries-js.rst b/docs/language/learn-ql/javascript/introduce-libraries-js.rst index 0e3a7e5acdd..edac4a8c21b 100644 --- a/docs/language/learn-ql/javascript/introduce-libraries-js.rst +++ b/docs/language/learn-ql/javascript/introduce-libraries-js.rst @@ -1,10 +1,10 @@ -Introducing the QL libraries for JavaScript -=========================================== +Introducing the CodeQL libraries for JavaScript +=============================================== Overview -------- -There is an extensive QL library for analyzing JavaScript code. The classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. +There is an extensive CodeQL library for analyzing JavaScript code. The classes in this library present the data from a CodeQL database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``javascript.qll`` imports most other standard library modules, so you can include the complete library by beginning your query with: @@ -12,12 +12,12 @@ The library is implemented as a set of QL modules, that is, files with the exten import javascript -The rest of this tutorial briefly summarizes the most important QL classes and predicates provided by this library, including references to the `detailed API documentation `__ where applicable. +The rest of this tutorial briefly summarizes the most important classes and predicates provided by this library, including references to the `detailed API documentation `__ where applicable. Introducing the library ----------------------- -The QL JavaScript library presents information about JavaScript source code at different levels: +The CodeQL library for JavaScript presents information about JavaScript source code at different levels: - **Textual** — classes that represent source code as unstructured text files - **Lexical** — classes that represent source code as a series of tokens and comments @@ -39,12 +39,12 @@ Textual level At its most basic level, a JavaScript code base can simply be viewed as a collection of files organized into folders, where each file is composed of zero or more lines of text. -Note that the textual content of a program is not included in the snapshot database unless you specifically request it during extraction. In particular, snapshots on LGTM do not normally include textual information. +Note that the textual content of a program is not included in the CodeQL database unless you specifically request it during extraction. In particular, databases on LGTM (also known as "snapshots") do not normally include textual information. Files and folders ^^^^^^^^^^^^^^^^^ -In QL, files are represented as entities of class `File `__, and folders as entities of class `Folder `__, both of which are subclasses of class `Container `__. +In the CodeQL libraries, files are represented as entities of class `File `__, and folders as entities of class `Folder `__, both of which are subclasses of class `Container `__. Class `Container `__ provides the following member predicates: @@ -56,7 +56,7 @@ Note that while ``getAFile`` and ``getAFolder`` are declared on class `Container Both files and folders have paths, which can be accessed by the predicate ``Container.getAbsolutePath()``. For example, if ``f`` represents a file with the path ``/home/user/project/src/index.js``, then ``f.getAbsolutePath()`` evaluates to the string ``"/home/user/project/src/index.js"``, while ``f.getParentContainer().getAbsolutePath()`` returns ``"/home/user/project/src"``. -These paths are absolute file system paths. If you want to obtain the path of a file relative to the snapshot source location, use ``Container.getRelativePath()`` instead. Note, however, that a snapshot may contain files that are not located underneath the snapshot source location; for such files, ``getRelativePath()`` will not return anything. +These paths are absolute file system paths. If you want to obtain the path of a file relative to the source location in the CodeQL database, use ``Container.getRelativePath()`` instead. Note, however, that a database may contain files that are not located underneath the source location; for such files, ``getRelativePath()`` will not return anything. The following member predicates of class `Container `__ provide more information about the name of a file or folder: @@ -78,9 +78,9 @@ For example, the following query computes, for each folder, the number of JavaSc Locations ^^^^^^^^^ -Most entities in a snapshot database have an associated source location. Locations are identified by four pieces of information: a file, a start line, a start column, an end line, and an end column. Line and column counts are 1-based (so the first character of a file is at line 1, column 1), and the end position is inclusive. +Most entities in a CodeQL database have an associated source location. Locations are identified by four pieces of information: a file, a start line, a start column, an end line, and an end column. Line and column counts are 1-based (so the first character of a file is at line 1, column 1), and the end position is inclusive. -All entities associated with a source location belong to the QL class `Locatable `__. The location itself is modeled by the QL class `Location `__ and can be accessed through the member predicate ``Locatable.getLocation()``. The `Location `__ class provides the following member predicates: +All entities associated with a source location belong to the class `Locatable `__. The location itself is modeled by the class `Location `__ and can be accessed through the member predicate ``Locatable.getLocation()``. The `Location `__ class provides the following member predicates: - ``Location.getFile()``, ``Location.getStartLine()``, ``Location.getStartColumn()``, ``Location.getEndLine()``, ``Location.getEndColumn()`` return detailed information about the location. - ``Location.getNumLines()`` returns the number of (whole or partial) lines covered by the location. @@ -90,12 +90,12 @@ All entities associated with a source location belong to the QL class `Locatable Lines ^^^^^ -Lines of text in files are represented by the QL class `Line `__. This class offers the following member predicates: +Lines of text in files are represented by the class `Line `__. This class offers the following member predicates: - ``Line.getText()`` returns the text of the line, excluding any terminating newline characters. - ``Line.getTerminator()`` returns the terminator character(s) of the line. The last line in a file may not have any terminator characters, in which case this predicate does not return anything; otherwise it returns either the two-character string ``"\r\n"`` (carriage-return followed by newline), or one of the one-character strings ``"\n"`` (newline), ``"\r"`` (carriage-return), ``"\u2028"`` (Unicode character LINE SEPARATOR), ``"\u2029"`` (Unicode character PARAGRAPH SEPARATOR). -Note that, as mentioned above, the textual representation of the program is not included in the snapshot database by default. +Note that, as mentioned above, the textual representation of the program is not included in the CodeQL database by default. Lexical level ~~~~~~~~~~~~~ @@ -180,9 +180,9 @@ As an example of a query using only lexical information, consider the following Syntactic level ~~~~~~~~~~~~~~~ -The majority of classes in the QL JavaScript library is concerned with representing a JavaScript program as a collection of `abstract syntax trees `__ (ASTs). +The majority of classes in the JavaScript library is concerned with representing a JavaScript program as a collection of `abstract syntax trees `__ (ASTs). -The QL class `ASTNode `__ contains all entities representing nodes in the abstract syntax trees and defines generic tree traversal predicates: +The class `ASTNode `__ contains all entities representing nodes in the abstract syntax trees and defines generic tree traversal predicates: - ``ASTNode.getChild(i)``: returns the ``i``\ th child of this AST node. - ``ASTNode.getAChild()``: returns any child of this AST node. @@ -352,7 +352,7 @@ As an example of how to use expression AST nodes, here is a query that finds exp Functions ^^^^^^^^^ -JavaScript provides several ways of defining functions: in ECMAScript 5, there are function declaration statements and function expressions, and ECMAScript 2015 adds arrow function expressions. These different syntactic forms are represented by the QL classes `FunctionDeclStmt `__ (a subclass of `Stmt `__), `FunctionExpr `__ (a subclass of `Expr `__) and `ArrowFunctionExpr `__ (also a subclass of +JavaScript provides several ways of defining functions: in ECMAScript 5, there are function declaration statements and function expressions, and ECMAScript 2015 adds arrow function expressions. These different syntactic forms are represented by the classes `FunctionDeclStmt `__ (a subclass of `Stmt `__), `FunctionExpr `__ (a subclass of `Expr `__) and `ArrowFunctionExpr `__ (also a subclass of `Expr `__), respectively. All three are subclasses of `Function `__, which provides common member predicates for accessing function parameters or the function body: - ``Function.getId()`` returns the `Identifier `__ naming the function, which may not be defined for function expressions. @@ -389,7 +389,7 @@ As another example, this query finds functions that have two parameters that bin Classes ^^^^^^^ -Classes can be defined either by class declaration statements, represented by the QL class `ClassDeclStmt `__ (which is a subclass of `Stmt `__), or by class expressions, represented by the QL class `ClassExpr `__ (which is a subclass of `Expr `__). Both of these classes are also subclasses of `ClassDefinition `__, which provides common member predicates for accessing the name of a class, its superclass, and its body: +Classes can be defined either by class declaration statements, represented by the CodeQL class `ClassDeclStmt `__ (which is a subclass of `Stmt `__), or by class expressions, represented by the CodeQL class `ClassExpr `__ (which is a subclass of `Expr `__). Both of these classes are also subclasses of `ClassDefinition `__, which provides common member predicates for accessing the name of a class, its superclass, and its body: - ``ClassDefinition.getIdentifier()`` returns the `Identifier `__ naming the function, which may not be defined for class expressions. - ``ClassDefinition.getSuperClass()`` returns the `Expr `__ specifying the superclass, which may not be defined. @@ -400,14 +400,14 @@ Classes can be defined either by class declaration statements, represented by th Note that class fields are not a standard language feature yet, so details of their representation may change. -Method definitions are represented by the QL class `MethodDefinition `__, which (like its counterpart `FieldDefinition `__ for fields) is a subclass of `MemberDefinition `__. That class provides the following important member predicates: +Method definitions are represented by the class `MethodDefinition `__, which (like its counterpart `FieldDefinition `__ for fields) is a subclass of `MemberDefinition `__. That class provides the following important member predicates: - ``MemberDefinition.isStatic()``: holds if this is a static member. - ``MemberDefinition.isComputed()``: holds if the name of this member is computed at runtime. - ``MemberDefinition.getName()``: gets the name of this member if it can be determined statically. - ``MemberDefinition.getInit()``: gets the initializer of this field; for methods, the initializer is a function expressions, for fields it may be an arbitrary expression, and may be undefined. -There are three QL classes for modeling special methods: `ConstructorDefinition `__ models constructors, while `GetterMethodDefinition `__ and `SetterMethodDefinition `__ model getter and setter methods, respectively. +There are three classes for modeling special methods: `ConstructorDefinition `__ models constructors, while `GetterMethodDefinition `__ and `SetterMethodDefinition `__ model getter and setter methods, respectively. Declarations and binding patterns ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -472,7 +472,7 @@ As an example of a query involving properties, consider the following query that Modules ^^^^^^^ -The JavaScript library has support for working with ECMAScript 2015 modules, as well as legacy CommonJS modules (still commonly employed by Node.js code bases) and AMD-style modules. The QL classes `ES2015Module `__, `NodeModule `__, and `AMDModule `__ represent these three types of modules, and all three extend the common superclass `Module `__. +The JavaScript library has support for working with ECMAScript 2015 modules, as well as legacy CommonJS modules (still commonly employed by Node.js code bases) and AMD-style modules. The classes `ES2015Module `__, `NodeModule `__, and `AMDModule `__ represent these three types of modules, and all three extend the common superclass `Module `__. The most important member predicates defined by `Module `__ are: @@ -485,12 +485,12 @@ Moreover, there is a class `Import `__, `Variable `__, `VarDecl `__ and `VarAccess `__, respectively. +Name binding is modeled in the JavaScript libraries using four concepts: *scopes*, *variables*, *variable declarations*, and *variable accesses*, represented by the classes `Scope `__, `Variable `__, `VarDecl `__ and `VarAccess `__, respectively. Scopes ^^^^^^ -In ECMAScript 5, there are three kinds of scopes: the global scope (one per program), function scopes (one per function), and catch clause scopes (one per ``catch`` clause). These three kinds of scopes are represented by the QL classes `GlobalScope `__, `FunctionScope `__ and `CatchScope `__. ECMAScript 2015 adds block scopes for ``let``-bound variables, which are also represented by QL class `Scope `__, class expression scopes (`ClassExprScope `__), +In ECMAScript 5, there are three kinds of scopes: the global scope (one per program), function scopes (one per function), and catch clause scopes (one per ``catch`` clause). These three kinds of scopes are represented by the classes `GlobalScope `__, `FunctionScope `__ and `CatchScope `__. ECMAScript 2015 adds block scopes for ``let``-bound variables, which are also represented by class `Scope `__, class expression scopes (`ClassExprScope `__), and module scopes (`ModuleScope `__). Class `Scope `__ provides the following API: @@ -510,7 +510,7 @@ It is important not to confuse variables and their declarations: local variables Variable declarations and accesses ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Variables may be declared by variable declarators, by function declaration statements and expressions, by class declaration statements or expressions, or by parameters of functions and ``catch`` clauses. While these declarations differ in their syntactic form, in each case there is an identifier naming the declared variable. We consider that identifier to be the declaration proper, and assign it the QL class `VarDecl `__. Identifiers that reference a variable, on the other hand, are given the QL class `VarAccess `__. +Variables may be declared by variable declarators, by function declaration statements and expressions, by class declaration statements or expressions, or by parameters of functions and ``catch`` clauses. While these declarations differ in their syntactic form, in each case there is an identifier naming the declared variable. We consider that identifier to be the declaration proper, and assign it the class `VarDecl `__. Identifiers that reference a variable, on the other hand, are given the class `VarAccess `__. The most important predicates involving variables, their declarations, and their accesses are as follows: @@ -538,9 +538,9 @@ As an example, consider the following query which finds distinct function declar Control flow ~~~~~~~~~~~~ -A different program representation in terms of intraprocedural control flow graphs (CFGs) is provided by the QL classes in library `CFG.qll `__. +A different program representation in terms of intraprocedural control flow graphs (CFGs) is provided by the classes in library `CFG.qll `__. -Class `ControlFlowNode `__ represents a single node in the control flow graph, which is either an expression, a statement, or a synthetic control flow node. Note that `Expr `__ and `Stmt `__ do not inherit from `ControlFlowNode `__ at the QL level, although their entity types are compatible, so you can explicitly cast from one to the other if you need to map between the AST-based and the CFG-based program representations. +Class `ControlFlowNode `__ represents a single node in the control flow graph, which is either an expression, a statement, or a synthetic control flow node. Note that `Expr `__ and `Stmt `__ do not inherit from `ControlFlowNode `__ at the CodeQL level, although their entity types are compatible, so you can explicitly cast from one to the other if you need to map between the AST-based and the CFG-based program representations. There are two kinds of synthetic control flow nodes: entry nodes (class `ControlFlowEntryNode `__), which represent the beginning of a top-level or function, and exit nodes (class `ControlFlowExitNode `__), which represent their end. They do not correspond to any AST nodes, but simply serve as the unique entry point and exit point of a control flow graph. Entry and exit nodes can be accessed through the predicates ``StmtContainer.getEntry()`` and ``StmtContainer.getExit()``. @@ -578,7 +578,7 @@ Data flow Definitions and uses ^^^^^^^^^^^^^^^^^^^^ -Library `DefUse.qll `__ provides QL classes and predicates to determine `def-use `__ relationships between definitions and uses of variables. +Library `DefUse.qll `__ provides classes and predicates to determine `def-use `__ relationships between definitions and uses of variables. Classes `VarDef `__ and `VarUse `__ contain all expressions that define and use a variable, respectively. For the former, you can use predicate ``VarDef.getAVariable()`` to find out which variables are defined by a given variable definition (recall that destructuring assignments in ECMAScript 2015 define several variables at the same time). Similarly, predicate ``VarUse.getVariable()`` returns the (single) variable being accessed by a variable use. @@ -645,7 +645,7 @@ Note that the data flow modeling in this library is intraprocedural, that is, fl Type inference ~~~~~~~~~~~~~~ -The library ``semmle.javascript.dataflow.TypeInference`` implements a simple type inference for JavaScript based on intraprocedural, heap-insensitive flow analysis. Basically, the inference algorithm approximates the possible concrete runtime values of variables and expressions as sets of abstract values (represented by QL class `AbstractValue `__), each of which stands for a set of concrete values. +The library ``semmle.javascript.dataflow.TypeInference`` implements a simple type inference for JavaScript based on intraprocedural, heap-insensitive flow analysis. Basically, the inference algorithm approximates the possible concrete runtime values of variables and expressions as sets of abstract values (represented by the class `AbstractValue `__), each of which stands for a set of concrete values. For example, there is an abstract value representing all non-zero numbers, and another representing all non-empty strings except for those that can be converted to a number. Both of these abstract values are fairly coarse approximations that represent very large sets of concrete values. @@ -657,7 +657,7 @@ Each indefinite abstract value is associated with a string value describing the To check whether an abstract value is indefinite, you can use the ``isIndefinite`` member predicate. Its single argument describes the cause of imprecision. -Each abstract value has one or more associated types (QL class `InferredType `__ corresponding roughly to the type tags computed by the ``typeof`` operator. The types are ``null``, ``undefined``, ``boolean``, ``number``, ``string``, ``function``, ``class``, ``date`` and ``object``. +Each abstract value has one or more associated types (CodeQL class `InferredType `__ corresponding roughly to the type tags computed by the ``typeof`` operator. The types are ``null``, ``undefined``, ``boolean``, ``number``, ``string``, ``function``, ``class``, ``date`` and ``object``. To access the results of the type inference, use class `DataFlow::AnalyzedNode `__: any `DataFlow::Node `__ can be cast to this class, and additionally there is a convenience predicate ``Expr::analyze`` that maps expressions directly to their corresponding ``AnalyzedNode``\ s. @@ -820,12 +820,12 @@ The most important classes include (all in module ``HTTP``): - ``CookieDefinition``: an expression that sets a cookie in an HTTP response. - ``RequestInputAccess``: an expression that accesses user-controlled request data. -For each framework library, there is a corresponding QL library (for example ``semmle.javacript.frameworks.Express``) that instantiates the above classes for that framework and adds framework-specific classes. +For each framework library, there is a corresponding CodeQL library (for example ``semmle.javacript.frameworks.Express``) that instantiates the above classes for that framework and adds framework-specific classes. Node.js ^^^^^^^ -The ``semmle.javascript.NodeJS`` library provides support for working with `Node.js `__ modules through the following QL classes: +The ``semmle.javascript.NodeJS`` library provides support for working with `Node.js `__ modules through the following classes: - `NodeModule `__: a top-level that defines a Node.js module; see the section on `Modules <#modules>`__ for more information. - `Require `__: a call to the special ``require`` function that imports a module. @@ -844,7 +844,7 @@ As an example of the use of these classes, here is a query that counts for every NPM ^^^ -The ``semmle.javascript.NPM`` library provides support for working with `NPM `__ packages through the following QL classes: +The ``semmle.javascript.NPM`` library provides support for working with `NPM `__ packages through the following classes: - `PackageJSON `__: a ``package.json`` file describing an NPM package; various getter predicates are available for accessing detailed information about the package, which are described in the `online API documentation `__. - `BugTrackerInfo `__, `ContributorInfo `__, `RepositoryInfo `__: these classes model parts of the ``package.json`` file providing information on bug tracking systems, contributors and repositories. @@ -903,7 +903,7 @@ Miscellaneous Externs ^^^^^^^ -The ``semmle.javascript.Externs`` library provides support for working with `externs `__ through the following QL classes: +The ``semmle.javascript.Externs`` library provides support for working with `externs `__ through the following classes: - `ExternalDecl `__: common superclass modeling all different kinds of externs declarations; it defines two member predicates: @@ -938,7 +938,7 @@ JSDoc The ``semmle.javascript.JSDoc`` library provides support for working with `JSDoc comments `__. Documentation comments are parsed into an abstract syntax tree representation closely following the format employed by the `Doctrine `__ JSDoc parser. -A JSDoc comment as a whole is represented by an entity of QL class `JSDoc `__, while individual tags are represented by QL class `JSDocTag `__. Important member predicates of these two classes include: +A JSDoc comment as a whole is represented by an entity of class `JSDoc `__, while individual tags are represented by class `JSDocTag `__. Important member predicates of these two classes include: - ``JSDoc.getDescription()`` returns the descriptive header of the JSDoc comment, if any. - ``JSDoc.getComment()`` maps the `JSDoc `__ entity to its underlying `Comment `__ entity. @@ -948,7 +948,7 @@ A JSDoc comment as a whole is represented by an entity of QL class `JSDoc `__ and its subclasses, which again represent type expressions as abstract syntax trees. Examples of type expressions are `JSDocAnyTypeExpr `__, representing the "any" type ``*``, or `JSDocNullTypeExpr `__, representing the null type. +Types in JSDoc comments are represented by the class `JSDocTypeExpr `__ and its subclasses, which again represent type expressions as abstract syntax trees. Examples of type expressions are `JSDocAnyTypeExpr `__, representing the "any" type ``*``, or `JSDocNullTypeExpr `__, representing the null type. As an example, here is a query that finds ``@param`` tags that do not specify the name of the documented parameter: @@ -979,9 +979,9 @@ However, unlike HTML, JSX is interleaved with JavaScript, hence `JSXElement `__ files that were processed by the JavaScript extractor when building the snapshot database. +The ``semmle.javascript.JSON`` library provides support for working with `JSON `__ files that were processed by the JavaScript extractor when building the CodeQL database. -JSON files are modeled as trees of JSON values. Each JSON value is represented by an entity of QL class `JSONValue `__, which provides the following member predicates: +JSON files are modeled as trees of JSON values. Each JSON value is represented by an entity of class `JSONValue `__, which provides the following member predicates: - ``JSONValue.getParent()`` returns the JSON object or array in which this value occurs. - ``JSONValue.getChild(i)`` returns the ``i``\ th child of this JSON object or array. @@ -1000,16 +1000,16 @@ Class `JSONValue `__. Similar to `ASTNode `__, class `RegExpTerm `__ provides member predicates ``getParent()`` and ``getChild(i)`` to navigate the structure of the syntax tree. +The ``semmle.javascript.Regexp`` library provides support for working with regular expression literals. The syntactic structure of regular expression literals is represented as an abstract syntax tree of regular expression terms, modeled by the class `RegExpTerm `__. Similar to `ASTNode `__, class `RegExpTerm `__ provides member predicates ``getParent()`` and ``getChild(i)`` to navigate the structure of the syntax tree. Various subclasses of `RegExpTerm `__ model different kinds of regular expression constructs and operators; see `the API documentation `__ for details. YAML ^^^^ -The ``semmle.javascript.YAML`` library provides support for working with `YAML `__ files that were processed by the JavaScript extractor when building the snapshot database. +The ``semmle.javascript.YAML`` library provides support for working with `YAML `__ files that were processed by the JavaScript extractor when building the CodeQL database. -YAML files are modeled as trees of YAML nodes. Each YAML node is represented by an entity of QL class `YAMLNode `__, which provides, among others, the following member predicates: +YAML files are modeled as trees of YAML nodes. Each YAML node is represented by an entity of class `YAMLNode `__, which provides, among others, the following member predicates: - ``YAMLNode.getParentNode()`` returns the YAML collection in which this node is syntactically nested. - ``YAMLNode.getChildNode(i)`` returns the ``i``\ th child node of this node, ``YAMLNode.getAChildNode()`` returns any child node of this node. @@ -1029,6 +1029,6 @@ Predicate ``YAMLMapping.maps(key, value)`` models the key-value relation represe What next? ---------- -- Learn about the QL standard libraries used to write queries for TypeScript in :doc:`Introducing the TypeScript libraries `. +- Learn about the standard CodeQL libraries used to write queries for TypeScript in :doc:`Introducing the TypeScript libraries `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. diff --git a/docs/language/learn-ql/javascript/introduce-libraries-ts.rst b/docs/language/learn-ql/javascript/introduce-libraries-ts.rst index a31bf9ffad6..4884cc8ce09 100644 --- a/docs/language/learn-ql/javascript/introduce-libraries-ts.rst +++ b/docs/language/learn-ql/javascript/introduce-libraries-ts.rst @@ -1,16 +1,16 @@ -Introducing the QL libraries for TypeScript -=========================================== +Introducing the CodeQL libraries for TypeScript +=============================================== Overview -------- -Support for analyzing TypeScript code is bundled with the JavaScript QL libraries, so you can include the full TypeScript library by importing the ``javascript.qll`` module: +Support for analyzing TypeScript code is bundled with the CodeQL libraries for JavaScript, so you can include the full TypeScript library by importing the ``javascript.qll`` module: .. code-block:: ql import javascript -The :doc:`QL library introduction for JavaScript ` covers most of this library, and is also relevant for TypeScript analysis. This document supplements the JavaScript QL documentation with the TypeScript-specific classes and predicates. +The :doc:`CodeQL library introduction for JavaScript ` covers most of this library, and is also relevant for TypeScript analysis. This document supplements the JavaScript documentation with the TypeScript-specific classes and predicates. Syntax ------ @@ -124,7 +124,7 @@ Select expressions that cast a value to a type parameter: Classes and interfaces ~~~~~~~~~~~~~~~~~~~~~~ -The QL class `ClassOrInterface `__ is a common supertype of classes and interfaces, and provides some TypeScript-specific member predicates: +The CodeQL class `ClassOrInterface `__ is a common supertype of classes and interfaces, and provides some TypeScript-specific member predicates: - ``ClassOrInterface.isAbstract()`` holds if this is an interface or a class with the ``abstract`` modifier. - ``ClassOrInterface.getASuperInterface()`` gets a type from the ``implements`` clause of a class or from the ``extends`` clause of an interface. @@ -134,7 +134,7 @@ The QL class `ClassOrInterface `__. -Also see the documentation for classes in the `Introduction to the QL libraries for JavaScript `__. +Also see the documentation for classes in the `Introduction to the CodeQL libraries for JavaScript `__. To select the type references to a class or an interface, use ``getTypeName()``. @@ -175,6 +175,8 @@ Ambient nodes are mostly ignored by control flow and data flow analysis. The out Static type information ----------------------- +.. TODO: Remove link to QL command-line tools below? + Static type information and global name binding is available for projects with "full" TypeScript extraction enabled. This option is enabled by default for projects on LGTM.com. If you are using the `QL command-line tools `__, you must enable it by passing ``--typescript-full`` to the JavaScript extractor. For further information on customizing calls to the extractor, see `Customizing JavaScript extraction `__. **Note:** Without full extraction, the classes and predicates described in this section are empty. @@ -262,7 +264,7 @@ Additionally, ``Type`` has the following subclasses which overlap partially with Canonical names and named types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -``CanonicalName`` is a QL class representing a qualified name relative to a root scope, such as a module or the global scope. It typically represents an entity such as a type, namespace, variable, or function. ``TypeName`` and ``Namespace`` are subclasses of this class. +``CanonicalName`` is a CodeQL class representing a qualified name relative to a root scope, such as a module or the global scope. It typically represents an entity such as a type, namespace, variable, or function. ``TypeName`` and ``Namespace`` are subclasses of this class. Canonical names can be recognized using the ``hasQualifiedName`` predicate: @@ -274,7 +276,7 @@ For convenience, this predicate is also available on other classes, such as ``Ty Function types ~~~~~~~~~~~~~~ -There is no QL class for function types, as any type with a call or construct signature is usable as a function. The type ``CallSignatureType`` represents such a signature (with or without the ``new`` keyword). +There is no CodeQL class for function types, as any type with a call or construct signature is usable as a function. The type ``CallSignatureType`` represents such a signature (with or without the ``new`` keyword). Signatures can be obtained in several ways: @@ -353,7 +355,7 @@ TypeScript also allows you to import types and namespaces, and give them local n The local name ``B`` is represented as a `LocalTypeName `__ named ``B``, restricted to just the file containing the import. An import statement can also introduce a `Variable `__ and a `LocalNamespaceName `__. -The following table shows the relevant QL classes for working with each kind of name. The classes are described in more detail below. +The following table shows the relevant classes for working with each kind of name. The classes are described in more detail below. +-----------+------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ | Kind | Local alias | Canonical name | Definition | Access | @@ -419,7 +421,7 @@ Find imported names that are used as both a type and a value: Namespace names ~~~~~~~~~~~~~~~ -Namespaces are represented by the QL classes `Namespace `__ and `LocalNamespaceName `__. The `NamespaceDefinition `__ class represents a syntactic definition of a namespace, which includes ordinary namespace declarations as well as enum declarations. +Namespaces are represented by the classes `Namespace `__ and `LocalNamespaceName `__. The `NamespaceDefinition `__ class represents a syntactic definition of a namespace, which includes ordinary namespace declarations as well as enum declarations. Note that these classes deal exclusively with namespaces referenced from inside type annotations, not through expressions. @@ -443,6 +445,6 @@ A `LocalNamespaceName `. +- Learn about the standard CodeQL libraries used to write queries for JavaScript in :doc:`Introducing the JavaScript libraries `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. - Learn more about the query console in `Using the query console `__. \ No newline at end of file diff --git a/docs/language/learn-ql/javascript/ql-for-javascript.rst b/docs/language/learn-ql/javascript/ql-for-javascript.rst index 5df6e2581e5..d2d864cc072 100644 --- a/docs/language/learn-ql/javascript/ql-for-javascript.rst +++ b/docs/language/learn-ql/javascript/ql-for-javascript.rst @@ -1,5 +1,5 @@ -QL for JavaScript -================= +CodeQL for JavaScript +===================== .. toctree:: :glob: @@ -13,25 +13,25 @@ QL for JavaScript ast-class-reference dataflow-cheat-sheet -These documents provide an overview of the QL JavaScript and TypeScript standard libraries and show examples of how to use them. +These documents provide an overview of the CodeQL libraries for JavaScript and TypeScript and show examples of how to use them. -- `Basic JavaScript QL query `__ describes how to write and run queries using LGTM. +- `Basic JavaScript query `__ describes how to write and run queries using LGTM. -- :doc:`Introducing the QL libraries for JavaScript `: an overview of the standard libraries used to write queries for JavaScript code. There is an extensive QL library for analyzing JavaScript code. This tutorial briefly summarizes the most important QL classes and predicates provided by this library. +- :doc:`Introducing the CodeQL libraries for JavaScript ` introduces the standard libraries used to write queries for JavaScript code. There is an extensive CodeQL library for analyzing JavaScript code. This tutorial briefly summarizes the most important classes and predicates provided by this library. -- :doc:`Introducing the QL libraries for TypeScript `: an overview of the standard libraries used to write queries for TypeScript code. +- :doc:`Introducing the CodeQL libraries for TypeScript ` introduces the standard libraries used to write queries for TypeScript code. -- :doc:`Analyzing data flow in JavaScript/TypeScript `: demonstrates how to write queries using the standard QL for JavaScript/TypeScript data flow and taint tracking libraries. +- :doc:`Analyzing data flow in JavaScript/TypeScript ` demonstrates how to write queries using the standard data flow and taint tracking libraries for JavaScript/TypeScript. -- :doc:`Advanced data-flow analysis using flow labels `: shows a more advanced example of data flow analysis using flow labels. +- :doc:`Advanced data-flow analysis using flow labels ` shows a more advanced example of data flow analysis using flow labels. -- :doc:`AST class reference `: an overview of all AST classes in the QL standard library for JavaScript. +- :doc:`AST class reference ` gives an overview of all AST classes in the standard CodeQL library for JavaScript. -- :doc:`Data flow cheat sheet `: bits of QL commonly used for variant analysis and in data flow queries. +- :doc:`Data flow cheat sheet ` lists parts of the CodeQL libraries that are commonly used for variant analysis and in data flow queries. Other resources --------------- -- For examples of how to query common JavaScript elements, see the `JavaScript QL cookbook `__ -- For the queries used in LGTM, display a `JavaScript query `__ and click **Open in query console** to see the QL code used to find alerts. -- For more information about the JavaScript QL library see the `QL library for JavaScript `__. +- For examples of how to query common JavaScript elements, see the `JavaScript cookbook `__. +- For the queries used in LGTM, display a `JavaScript query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for JavaScript see the `CodeQL library for JavaScript `__. diff --git a/docs/language/learn-ql/javascript/type-tracking.rst b/docs/language/learn-ql/javascript/type-tracking.rst index d6bcb9e7a7c..f0dadd9ef70 100644 --- a/docs/language/learn-ql/javascript/type-tracking.rst +++ b/docs/language/learn-ql/javascript/type-tracking.rst @@ -1,8 +1,8 @@ Tutorial: API modelling using type tracking =========================================== -This tutorial demonstrates how to build a simple model of the Firebase API in QL -using the JavaScript type-tracking library. +This tutorial demonstrates how to build a simple model of the Firebase API +using the CodeQL type-tracking library for JavaScript. The type-tracking library makes it possible to track values through properties and function calls, usually to recognize method calls and properties accessed on a specific type of object. @@ -89,7 +89,7 @@ For instance, ``firebaseSetterCall()`` fails to find anything in this example: var ref = getDatabase().ref("forecast"); ref.set("Rain"); -Notice that the QL predicate ``firebaseDatabase()`` still finds the call to ``firebase.database()``, +Notice that the predicate ``firebaseDatabase()`` still finds the call to ``firebase.database()``, but not the ``getDatabase()`` call. This means ``firebaseRef()`` has no result, which in turn means ``firebaseSetterCall()`` has no result. diff --git a/docs/language/learn-ql/locations.rst b/docs/language/learn-ql/locations.rst index eebb6fec68e..df210819ef2 100644 --- a/docs/language/learn-ql/locations.rst +++ b/docs/language/learn-ql/locations.rst @@ -1,6 +1,8 @@ Locations and strings for QL entities ===================================== +.. Not sure how much of this topic needs to change, and what the title should be + Providing locations ------------------- @@ -55,18 +57,18 @@ By convention, the location of an entire file may also be denoted by a ``file:// Other types of URL ^^^^^^^^^^^^^^^^^^ -The following, less-common types of URL are valid QL but are not supported by LGTM and will be omitted from any results: +The following, less-common types of URL are valid but are not supported by LGTM and will be omitted from any results: - **HTTP URLs** are supported in some client applications. For an example, see the code snippet above. - **Folder URLs** can be useful, for example to provide folder-level metrics. They may use a file URL, for example ``file:///opt/src:0:0:0:0``, but they may also start with a scheme of ``folder://``, and no trailing numbers, for example ``folder:///opt/src``. -- **Relative file URLs** are like normal file URLs, but start with the scheme ``relative://``. They are typically only meaningful in the context of a particular snapshot, and are taken to be implicitly prefixed by the snapshot's source location. Note that, in particular, the relative URL of a file will stay constant regardless of where the snapshot is analyzed. It is often most convenient to produce these URLs as input when importing external information; selecting one from a QL class would be unusual, and client applications may not handle it appropriately. +- **Relative file URLs** are like normal file URLs, but start with the scheme ``relative://``. They are typically only meaningful in the context of a particular database, and are taken to be implicitly prefixed by the database's source location. Note that, in particular, the relative URL of a file will stay constant regardless of where the database is analyzed. It is often most convenient to produce these URLs as input when importing external information; selecting one from a QL class would be unusual, and client applications may not handle it appropriately. Providing location information ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If no ``getURL()`` member predicate is defined, a QL class is checked for the presence of a member predicate called ``hasLocationInfo(..)``. This can be understood as a convenient way of providing file URLs (see above) without constructing the long URL string in QL. ``hasLocationInfo(..)`` should be a predicate, its first column must be ``string``-typed (it corresponds to the "path" portion of a file URL), and it must have an additional 3 or 4 ``int``-typed columns, which are interpreted like a trailing group of three or four numbers on a file URL. -For example, let us imagine that the locations for methods provided by the extractor extend from the first character of the method name to the closing curly brace of the method body, and we want to "fix" them in QL to ensure that only the method name is selected. The following code shows two ways of achieving this: +For example, let us imagine that the locations for methods provided by the extractor extend from the first character of the method name to the closing curly brace of the method body, and we want to "fix" them to ensure that only the method name is selected. The following code shows two ways of achieving this: .. code-block:: ql @@ -104,7 +106,7 @@ Using extracted location information Finally, if the above two predicates fail, client applications will attempt to call a predicate called ``getLocation()`` with no parameters, and try to apply one of the above two predicates to the result. This allows certain locations to be put into the database, assigned identifiers, and picked up. -By convention, the return value of the ``getLocation()`` predicate should be a QL class called ``Location``, and it should define a version of ``hasLocationInfo(..)`` (or ``getURL()``, though the former is preferable). If the ``Location`` class does not provide either of these member predicates, then no location information will be available. +By convention, the return value of the ``getLocation()`` predicate should be a class called ``Location``, and it should define a version of ``hasLocationInfo(..)`` (or ``getURL()``, though the former is preferable). If the ``Location`` class does not provide either of these member predicates, then no location information will be available. The ``toString()`` predicate ---------------------------- diff --git a/docs/language/learn-ql/python/control-flow.rst b/docs/language/learn-ql/python/control-flow.rst index 45b30f51f21..fc41f59c933 100644 --- a/docs/language/learn-ql/python/control-flow.rst +++ b/docs/language/learn-ql/python/control-flow.rst @@ -1,12 +1,12 @@ Tutorial: Control flow analysis =============================== -In order to analyze the `Control-flow graph `__ of a ``Scope`` we can use the two QL classes ``ControlFlowNode`` and ``BasicBlock``. These classes allow you to ask such questions as "can you reach point A from point B?" or "Is it possible to reach point B *without* going through point A?". To report results we use the class ``AstNode``, which represents a syntactic element and corresponds to the source code - allowing the results of the query to be more easily understood. +To analyze the `Control-flow graph `__ of a ``Scope`` we can use the two CodeQL classes ``ControlFlowNode`` and ``BasicBlock``. These classes allow you to ask such questions as "can you reach point A from point B?" or "Is it possible to reach point B *without* going through point A?". To report results we use the class ``AstNode``, which represents a syntactic element and corresponds to the source code - allowing the results of the query to be more easily understood. The ``ControlFlowNode`` class ----------------------------- -The ``ControlFlowNode`` class represents nodes in the control flow graph. There is a one-to-many relation between AST nodes and control flow nodes. Each syntactic element, the ``AstNode,`` maps to zero, one or many ``ControlFlowNode`` classes, but each ControlFlowNode maps to exactly one ``AstNode``. +The ``ControlFlowNode`` class represents nodes in the control flow graph. There is a one-to-many relation between AST nodes and control flow nodes. Each syntactic element, the ``AstNode,`` maps to zero, one, or many ``ControlFlowNode`` classes, but each ``ControlFlowNode`` maps to exactly one ``AstNode``. To show why this complex relation is required consider the following Python code: @@ -21,7 +21,7 @@ To show why this complex relation is required consider the following Python code There are many paths through the above code. There are three different paths through the call to ``close_resource();`` one normal path, one path that breaks out of the loop, and one path where an exception is raised by ``might_raise()``. (An annotated flow graph can be seen :doc:`here `.) -The simplest use of the ``ControlFlowNode`` and ``AstNode`` classes is to find unreachable code. There is one ``ControlFlowNode`` per path through any ``AstNode`` and any ``AstNode`` that is unreachable has no paths flowing through it; therefore any ``AstNode`` without a corresponding ``ControlFlowNode`` is unreachable. +The simplest use of the ``ControlFlowNode`` and ``AstNode`` classes is to find unreachable code. There is one ``ControlFlowNode`` per path through any ``AstNode`` and any ``AstNode`` that is unreachable has no paths flowing through it. Therefore, any ``AstNode`` without a corresponding ``ControlFlowNode`` is unreachable. **Unreachable AST nodes** @@ -103,5 +103,5 @@ Combining these conditions we get: What next? ---------- -- Experiment with the worked examples in the QL for Python tutorial topic: :doc:`Taint tracking and data flow analysis in Python `. +- Experiment with the worked examples in the tutorial topic :doc:`Taint tracking and data flow analysis in Python `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/python/functions.rst b/docs/language/learn-ql/python/functions.rst index 7e33b77f5fc..79fcfa270d9 100644 --- a/docs/language/learn-ql/python/functions.rst +++ b/docs/language/learn-ql/python/functions.rst @@ -1,14 +1,14 @@ Tutorial: Functions =================== -This example uses the standard QL class ``Function`` (see :doc:`Introducing the Python libraries `). +This example uses the standard CodeQL class ``Function`` (see :doc:`Introducing the Python libraries `). Finding all functions called "get..." ------------------------------------- In this example we look for all the "getters" in a program. Programmers moving to Python from Java are often tempted to write lots of getter and setter methods, rather than use properties. We might want to find those methods. -Using the member predicate ``Function.getName()``, we can list all of the getter functions in a snapshot: +Using the member predicate ``Function.getName()``, we can list all of the getter functions in a database: Tip @@ -77,5 +77,5 @@ In a later tutorial we will see how to use the type-inference library to find ca What next? ---------- -- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Statements and expressions `, :doc:`Control flow `, :doc:`Points-to analysis and type inference `. +- Experiment with the worked examples in the following tutorial topics: :doc:`Statements and expressions `, :doc:`Control flow `, and :doc:`Points-to analysis and type inference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/python/introduce-libraries-python.rst b/docs/language/learn-ql/python/introduce-libraries-python.rst index 4314cf36913..1594afc9679 100644 --- a/docs/language/learn-ql/python/introduce-libraries-python.rst +++ b/docs/language/learn-ql/python/introduce-libraries-python.rst @@ -1,39 +1,35 @@ -Introducing the QL libraries for Python -======================================= +Introducing the CodeQL libraries for Python +=========================================== -These libraries have been created to help you analyze Python code, providing an object-oriented layer on top of the raw data in the snapshot database. They are written in standard QL. - -The QL libraries all have a ``.qll`` extension, to signify that they contain QL library code but no actual queries. Each file contains a QL class or hierarchy of classes. - -You can include all of the standard libraries by beginning each query with this statement: +There is an extensive library for analyzing CodeQL databases extracted from Python projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``python.qll`` imports all the core Python library modules, so you can include the complete library by beginning your query with: .. code-block:: ql import python -The rest of this tutorial summarizes the contents of the standard QL libraries. We recommend that you read this and then work through the practical examples in the Python tutorials shown at the end of the page. +The rest of this tutorial summarizes the contents of the standard libraries for Python. We recommend that you read this and then work through the practical examples in the tutorials shown at the end of the page. Overview of the library ----------------------- -The QL Python library incorporates a large number of classes, each class corresponding either to one kind of entity in Python source code or to an entity that can be derived form the source code using static analysis. These classes can be divided into four categories: +The CodeQL library for Python incorporates a large number of classes. Each class corresponds either to one kind of entity in Python source code or to an entity that can be derived from the source code using static analysis. These classes can be divided into four categories: - **Syntactic** - classes that represent entities in the Python source code. - **Control flow** - classes that represent entities from the control flow graphs. - **Type inference** - classes that represent the inferred values and types of entities in the Python source code. -- **Taint tracking** - classes that represent the source, sinks and kinds of taint used to implement taint-tracking queries. +- **Taint tracking** - classes that represent the source, sinks and kinds of taint used to implement taint-tracking queries. Syntactic classes ~~~~~~~~~~~~~~~~~ -This part of the library represents the Python source code. The ``Module``, ``Class`` and ``Function`` classes correspond to Python modules, classes and functions respectively, collectively these are known as ``Scope`` classes. Each ``Scope`` contains a list of statements each of which is represented by a subclass of the class ``Stmt``. Statements themselves can contain other statements or expressions which are represented by subclasses of ``Expr``. Finally, there are a few additional classes for the parts of more complex expressions such as list comprehensions. Collectively these classes are subclasses of ``AstNode`` and form an `Abstract syntax tree `__ (AST). The root of each AST is a ``Module``. +This part of the library represents the Python source code. The ``Module``, ``Class``, and ``Function`` classes correspond to Python modules, classes, and functions respectively, collectively these are known as ``Scope`` classes. Each ``Scope`` contains a list of statements each of which is represented by a subclass of the class ``Stmt``. Statements themselves can contain other statements or expressions which are represented by subclasses of ``Expr``. Finally, there are a few additional classes for the parts of more complex expressions such as list comprehensions. Collectively these classes are subclasses of ``AstNode`` and form an `Abstract syntax tree `__ (AST). The root of each AST is a ``Module``. `Symbolic information `__ is attached to the AST in the form of variables (represented by the class ``Variable``). Scope ^^^^^ -A Python program is a group of modules. Technically a module is just a list of statements, but we often think of it as composed of classes and functions. These top-level entities, the module, class and function are represented by the three classes (`Module `__, `Class `__ and `Function `__ which are all subclasses of ``Scope``. +A Python program is a group of modules. Technically a module is just a list of statements, but we often think of it as composed of classes and functions. These top-level entities, the module, class, and function are represented by the three CodeQL classes (`Module `__, `Class `__ and `Function `__ which are all subclasses of ``Scope``. - ``Scope`` @@ -65,7 +61,7 @@ A statement is represented by the `Stmt `__ class representing the ``for`` statement has a number of member predicates to access its parts: +The `For `__ class representing the ``for`` statement has a number of member predicates to access its parts: - ``getTarget()`` returns the ``Expr`` representing the variable ``var``. - ``getIter()`` returns the ``Expr`` resenting the variable ``seq``. @@ -98,7 +94,7 @@ As an example, to find expressions of the form ``a+2`` where the left is a simpl Variable ^^^^^^^^ -Variables are represented by the `Variable `__ class in the Python QL library. There are two subclasses, ``LocalVariable`` for function-level and class-level variables and ``GlobalVariable`` for module-level variables. +Variables are represented by the `Variable `__ class in the CodeQL library. There are two subclasses, ``LocalVariable`` for function-level and class-level variables and ``GlobalVariable`` for module-level variables. Other source code elements ^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -108,7 +104,7 @@ Although the meaning of the program is encoded by the syntactic elements, ``Scop Examples ^^^^^^^^ -Each syntactic element in Python source is recorded in the snapshot. These can be queried via the corresponding class. Let us start with a couple of simple examples. +Each syntactic element in Python source is recorded in the CodeQL database. These can be queried via the corresponding class. Let us start with a couple of simple examples. 1. Finding all finally blocks ''''''''''''''''''''''''''''' @@ -137,13 +133,13 @@ A block that does nothing is one that contains no statements except ``pass`` sta not exists(Stmt s | s = ex.getAStmt() | not s instanceof Pass) -where ``ex`` is an ``ExceptStmt`` and ``Pass`` is the class representing ``pass`` statements. Instead of using the double negative, **"no**\ *statements that are*\ **not**\ *pass statements"*, this can also be expressed positively, "all statements must be pass statements." The positive form is expressed in QL using the ``forall`` quantifier: +where ``ex`` is an ``ExceptStmt`` and ``Pass`` is the class representing ``pass`` statements. Instead of using the double negative, "**no** \ *statements that are* \ **not** \ *pass statements"*, this can also be expressed positively, *"all statements must be pass statements."* The positive form is expressed using the ``forall`` quantifier: .. code-block:: ql forall(Stmt s | s = ex.getAStmt() | s instanceof Pass) -Both forms are equivalent. Using the positive QL expression, the whole query looks like this: +Both forms are equivalent. Using the positive expression, the whole query looks like this: **Find pass-only ``except`` blocks** @@ -160,9 +156,9 @@ Both forms are equivalent. Using the positive QL expression, the whole query loo Summary ^^^^^^^ -The most commonly used standard QL library classes in the syntactic part of the library are organized as follows: +The most commonly used standard classes in the syntactic part of the library are organized as follows: -``Module``, ``Class``, ``Function``, ``Stmt`` and ``Expr`` - they are all subclasses of `AstNode `__. +``Module``, ``Class``, ``Function``, ``Stmt``, and ``Expr`` - they are all subclasses of `AstNode `__. Abstract syntax tree '''''''''''''''''''' @@ -293,7 +289,7 @@ The classes in the control-flow part of the library are: Type-inference classes ---------------------- -The QL library for Python also supplies some classes for accessing the inferred types of values. The classes ``Value`` and ``ClassValue`` allow you to query the possible classes that an expression may have at runtime. For example, which ``ClassValue``\ s are iterable can be determined using the query: +The CodeQL library for Python also supplies some classes for accessing the inferred types of values. The classes ``Value`` and ``ClassValue`` allow you to query the possible classes that an expression may have at runtime. For example, which ``ClassValue``\ s are iterable can be determined using the query: **Find iterable "ClassValue"s** @@ -321,7 +317,7 @@ These classes are explained in more detail in :doc:`Tutorial: Points-to analysis Taint-tracking classes ---------------------- -The QL library for Python also supplies classes to specify taint-tracking analyses. The ``Configuration`` class can be overrridden to specify a taint-tracking analysis, by specifying source, sinks, sanitizers and additional flow steps. For those analyses that require additional types of taint to be tracked the ``TaintKind`` class can be overridden. +The CodeQL library for Python also supplies classes to specify taint-tracking analyses. The ``Configuration`` class can be overridden to specify a taint-tracking analysis, by specifying source, sinks, sanitizers and additional flow steps. For those analyses that require additional types of taint to be tracked the ``TaintKind`` class can be overridden. Summary @@ -336,5 +332,5 @@ These classes are explained in more detail in :doc:`Tutorial: Taint tracking and What next? ---------- -- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Functions `, :doc:`Statements and expressions `, :doc:`Control flow `, :doc:`Points-to analysis and type inference ` and :doc:`Taint tracking and data flow analysis in Python `. +- Experiment with the worked examples in the following tutorial topics: :doc:`Functions `, :doc:`Statements and expressions `, :doc:`Control flow `, :doc:`Points-to analysis and type inference `, and :doc:`Taint tracking and data flow analysis in Python `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/python/pointsto-type-infer.rst b/docs/language/learn-ql/python/pointsto-type-infer.rst index bcbab520477..eb80efe815f 100644 --- a/docs/language/learn-ql/python/pointsto-type-infer.rst +++ b/docs/language/learn-ql/python/pointsto-type-infer.rst @@ -1,12 +1,12 @@ Tutorial: Points-to analysis and type inference =============================================== -This topic contains worked examples of how to write queries using the standard QL library classes for Python type inference. +This topic contains worked examples of how to write queries using the standard CodeQL library classes for Python type inference. The ``Value`` class -------------------- -The ``Value`` class and its subclasses ``FunctionValue``, ``ClassValue`` and ``ModuleValue`` represent the values an expression may hold at runtime. +The ``Value`` class and its subclasses ``FunctionValue``, ``ClassValue``, and ``ModuleValue`` represent the values an expression may hold at runtime. Summary ~~~~~~~ @@ -201,7 +201,7 @@ There are two problems with this query: - It assumes that any call to something named "eval" is a call to the builtin ``eval`` function, which may result in some false positive results. - It assumes that ``eval`` cannot be referred to by any other name, which may result in some false negative results. -We can get much more accurate results using call-graph analysis. First, we can precisely identify the ``FunctionValue`` for the ``eval`` function, by using the ``Value::named`` QL predicate as follows: +We can get much more accurate results using call-graph analysis. First, we can precisely identify the ``FunctionValue`` for the ``eval`` function, by using the ``Value::named`` predicate as follows: .. code-block:: ql @@ -227,9 +227,5 @@ Then we can use ``Value.getACall()`` to identify calls to the ``eval`` function, What next? ---------- -For more information on writing QL, see: - -- `QL language handbook `__ - an introduction to the concepts of QL. -- :doc:`Learning QL <../../index>` - an overview of the resources for learning how to write your own QL queries. -- `Database generation `__ - an overview of the process that creates a snapshot from source code. -- :doc:`What's in a snapshot? <../snapshot>` - a description of the snapshot database. +- Find out more about QL in the `QL language handbook `__ and `QL language specification `__. +- Read a description of the CodeQL database in :doc:`What's in a CodeQL database? <../database>` diff --git a/docs/language/learn-ql/python/ql-for-python.rst b/docs/language/learn-ql/python/ql-for-python.rst index 479a30dccb5..680c0c374b5 100644 --- a/docs/language/learn-ql/python/ql-for-python.rst +++ b/docs/language/learn-ql/python/ql-for-python.rst @@ -1,5 +1,5 @@ -QL for Python -============= +CodeQL for Python +================= .. toctree:: :glob: @@ -13,25 +13,25 @@ QL for Python taint-tracking pointsto-type-infer -The following tutorials and worked examples are designed to help you learn how to write effective and efficient QL queries for Python projects. You should work through these topics in the order displayed. +The following tutorials and worked examples are designed to help you learn how to write effective and efficient queries for Python projects. You should work through these topics in the order displayed. -- `Basic Python QL query `__ describes how to write and run queries using LGTM. +- `Basic Python query `__ describes how to write and run queries using LGTM. -- :doc:`Introducing the QL libraries for Python ` an introduction to the standard QL libraries used to write queries for Python code. +- :doc:`Introducing the CodeQL libraries for Python ` introduces the standard libraries used to write queries for Python code. -- :doc:`Tutorial: Functions ` worked examples of how to write queries using the standard QL library classes for Python functions. +- :doc:`Tutorial: Functions ` demonstrates how to write queries using the standard CodeQL library classes for Python functions. -- :doc:`Tutorial: Statements and expressions ` worked examples of how to write queries using the standard QL library classes for Python statements and expressions. +- :doc:`Tutorial: Statements and expressions ` demonstrates how to write queries using the standard CodeQL library classes for Python statements and expressions. -- :doc:`Tutorial: Control flow ` worked examples of how to write queries using the standard QL library classes for Python control flow. +- :doc:`Tutorial: Control flow ` demonstrates how to write queries using the standard CodeQL library classes for Python control flow. -- :doc:`Tutorial: Points-to analysis and type inference ` worked examples of how to write queries using the standard QL library classes for Python type inference. +- :doc:`Tutorial: Points-to analysis and type inference ` demonstrates how to write queries using the standard CodeQL library classes for Python type inference. -- :doc:`Taint tracking and data flow analysis in Python ` worked examples of how to write queries using the standard taint tracking and data flow QL libraries for Python. +- :doc:`Taint tracking and data flow analysis in Python ` demonstrates how to write queries using the standard taint tracking and data flow libraries for Python. Other resources --------------- -- For examples of how to query common Python elements, see the `Python QL cookbook `__ -- For the queries used in LGTM, display a `Python query `__ and click **Open in query console** to see the QL code used to find alerts -- For more information about the Python QL library see the `QL library for Python `__. +- For examples of how to query common Python elements, see the `Python cookbook `__. +- For the queries used in LGTM, display a `Python query `__ and click **Open in query console** to see the code used to find alerts. +- For more information about the library for Python see the `CodeQL library for Python `__. diff --git a/docs/language/learn-ql/python/statements-expressions.rst b/docs/language/learn-ql/python/statements-expressions.rst index 8aa1bea96f4..9a0a2484fc7 100644 --- a/docs/language/learn-ql/python/statements-expressions.rst +++ b/docs/language/learn-ql/python/statements-expressions.rst @@ -4,7 +4,7 @@ Tutorial: Statements and expressions Statements ---------- -The bulk of Python code takes the form of statements. Each different type of statement in Python is represented by a separate class in QL. +The bulk of Python code takes the form of statements. Each different type of statement in Python is represented by a separate CodeQL class. Here is the full class hierarchy: @@ -165,7 +165,7 @@ The clause ``cmp.getOp(0) instanceof Is and cmp.getComparator(0) = literal`` che Example: Duplicates in dictionary literals ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If there are duplicate keys in a Python dictionary, then the second key will overwrite the first, which is almost certainly a mistake. We can find these duplicates in QL, but the query is more complex than previous examples and will require us to write a ``predicate`` as a helper. +If there are duplicate keys in a Python dictionary, then the second key will overwrite the first, which is almost certainly a mistake. We can find these duplicates with CodeQL, but the query is more complex than previous examples and will require us to write a ``predicate`` as a helper. Here is the query: @@ -274,5 +274,5 @@ Here is the relevant part of the class hierarchy: What next? ---------- -- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Control flow `, :doc:`Points-to analysis and type inference `. +- Experiment with the worked examples in the following tutorial topics: :doc:`Control flow ` and :doc:`Points-to analysis and type inference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/python/taint-tracking.rst b/docs/language/learn-ql/python/taint-tracking.rst index 71cd000c716..7335df5af11 100644 --- a/docs/language/learn-ql/python/taint-tracking.rst +++ b/docs/language/learn-ql/python/taint-tracking.rst @@ -13,10 +13,10 @@ Taint tracking differs from basic data flow in that it considers non-value-prese For example, in the assignment ``dir = path + "/"``, if ``path`` is tainted then ``dir`` is also tainted, even though there is no data flow from ``path`` to ``path + "/"``. -Separate QL libraries have been written to handle 'normal' data flow and taint tracking in :doc:`C/C++ <../cpp/dataflow>`, :doc:`C# <../csharp/dataflow>`, :doc:`Java <../java/dataflow>`, and :doc:`JavaScript <../javascript/dataflow>`. You can access the appropriate classes and predicates that reason about these different modes of data flow by importing the appropriate QL library in your query. +Separate CodeQL libraries have been written to handle 'normal' data flow and taint tracking in :doc:`C/C++ <../cpp/dataflow>`, :doc:`C# <../csharp/dataflow>`, :doc:`Java <../java/dataflow>`, and :doc:`JavaScript <../javascript/dataflow>`. You can access the appropriate classes and predicates that reason about these different modes of data flow by importing the appropriate library in your query. In Python analysis, we can use the same taint tracking library to model both 'normal' data flow and taint flow, but we are still able make the distinction between steps that preserve value and those that don't by defining additional data flow properties. -For further information on data flow and taint tracking in QL, see :doc:`Introduction to data flow <../intro-to-data-flow>`. +For further information on data flow and taint tracking with CodeQL, see :doc:`Introduction to data flow <../intro-to-data-flow>`. Fundamentals of taint tracking and data flow analysis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -222,7 +222,7 @@ The ``TaintTracking::Source`` and ``TaintTracking::Sink`` classes have predicate ... } -The ``TaintKind`` itself is just a string (a QL string, not a QL entity representing a Python string), +The ``TaintKind`` itself is just a string (a QL string, not a CodeQL entity representing a Python string), which provides methods to extend flow and allow the kind of taint to change along the path. The ``TaintKind`` class has many predicates allowing flow to be modified. This simplest ``TaintKind`` does not override any predicates, meaning that it only flows as opaque data. @@ -254,5 +254,5 @@ which defines the simplest possible taint kind class, ``HardcodedValue``, and cu What next? ---------- -- Experiment with the worked examples in the QL for Python tutorial topics: :doc:`Control flow `, and :doc:`Points-to analysis and type inference `. +- Experiment with the worked examples in the following tutorial topics: :doc:`Control flow ` and :doc:`Points-to analysis and type inference `. - Find out more about QL in the `QL language handbook `__ and `QL language specification `__. diff --git a/docs/language/learn-ql/ql-etudes/river-crossing.rst b/docs/language/learn-ql/ql-etudes/river-crossing.rst index e6fb0024612..fef3363a08b 100644 --- a/docs/language/learn-ql/ql-etudes/river-crossing.rst +++ b/docs/language/learn-ql/ql-etudes/river-crossing.rst @@ -1,7 +1,7 @@ River crossing puzzle ##################### -The aim of this tutorial is to write a QL query that finds a solution to the following classical logic puzzle: +The aim of this tutorial is to write a query that finds a solution to the following classical logic puzzle: .. pull-quote:: @@ -243,7 +243,7 @@ You could tweak the predicate and the select clause to make the solution clearer Alternative solutions --------------------- -Here are some more example QL queries that solve the river crossing puzzle: +Here are some more example queries that solve the river crossing puzzle: #. This query uses a modified ``path`` variable to describe the resulting path in more detail. diff --git a/docs/language/learn-ql/snapshot.rst b/docs/language/learn-ql/snapshot.rst deleted file mode 100644 index f89229b8b27..00000000000 --- a/docs/language/learn-ql/snapshot.rst +++ /dev/null @@ -1,33 +0,0 @@ -What's in a snapshot database? -=============================== - -A snapshot database contains a variety of data related to a particular code base at a particular point in time. For details of how the database is generated see `Database generation `__. - -The database contains a full, hierarchical representation of the program defined by the code base. The database schema varies according to the language analyzed. The schema provides an interface between the initial lexical analysis during the extraction process, and the actual complex analysis using QL. When the source code languages being analyzed change (such as Java 7 evolving into Java 8), this interface between the analysis phases can also change. - -For each language, a QL library defines classes to provide a layer of abstraction over the database tables. This provides an object-oriented view of the data which makes it easier to write queries. This is easiest to explain using an example. - -Example -------- - -For a Java program, two key tables are: - -- The ``expressions`` table containing a row for every single expression in the source code that was analyzed during the build process. -- The ``statements`` table containing a row for every single statement in the source code that was analyzed during the build process. - -The QL library defines classes to provide a layer of abstraction over each of these tables (and the related auxiliary tables): ``Expr`` and ``Stmt``. - -Most classes in the QL library are similar: they are abstractions over one or more database tables. Looking at one of the QL libraries illustrates this: - -.. code-block:: ql - - class Expr extends StmtParent, @expr { - ... - - /** the location of this expression */ - Location getLocation() { exprs(this,_,_,result) } - - ... - } - -The ``Expr`` class, shown here, extends from the database type ``@expr``. Member predicates of the ``Expr`` class are implemented in terms of the database-provided ``exprs`` table. diff --git a/docs/language/learn-ql/technical-info.rst b/docs/language/learn-ql/technical-info.rst index 777cc2f1041..7494011f7c6 100644 --- a/docs/language/learn-ql/technical-info.rst +++ b/docs/language/learn-ql/technical-info.rst @@ -4,6 +4,6 @@ Technical information .. toctree:: :hidden: - snapshot + database -- :doc:`What's in a snapshot database ` \ No newline at end of file +- :doc:`What's in a CodeQL database? ` \ No newline at end of file diff --git a/docs/language/learn-ql/writing-queries/introduction-to-queries.rst b/docs/language/learn-ql/writing-queries/introduction-to-queries.rst index c36c8c47de7..4dca736817c 100644 --- a/docs/language/learn-ql/writing-queries/introduction-to-queries.rst +++ b/docs/language/learn-ql/writing-queries/introduction-to-queries.rst @@ -4,13 +4,15 @@ Introduction to query files Overview ******** -Queries are programs written in QL. The QL queries included in the Semmle tools are designed to highlight issues related to the security, correctness, maintainability, and readability of a code base. You can also write custom queries to find specific issues relevant to your own project. Three important types of query are: +Queries are programs written with CodeQL. They are designed to highlight issues related to the security, correctness, maintainability, and readability of a code base. You can also write custom queries to find specific issues relevant to your own project. Three important types of query are: - **Alert queries**: queries that highlight issues in specific locations in your code. - **Path queries**: queries that describe the flow of information between a source and a sink in your code. - **Metric queries**: queries that compute statistics for your code. -You can add custom queries to `custom query packs `__ to analyze your projects in `LGTM `__, use them to analyze a project using the `QL command-line tools `__, or you can contribute to Semmle's built-in queries in our `open source repository on GitHub `__. +You can add custom queries to `custom query packs `__ to analyze your projects in `LGTM `__, use them to analyze a project using the `command-line tools `__, or you can contribute to the standard CodeQL queries in our `open source repository on GitHub `__. + +.. TODO: Change "command-line tools" to a link to the CodeQL CLI? Similarly, change "QL for Eclipse". .. pull-quote:: @@ -22,13 +24,13 @@ You can add custom queries to `custom query packs `__, and detailed technical information about QL in the `QL language handbook `__ and the `QL language specification `__. -For information on how to format QL code when contributing queries to the GitHub repository, see the `QL style guide `__. +For information on how to format your code when contributing queries to the GitHub repository, see the `QL style guide `__. Basic query structure ********************* -`Queries `__ written in QL have the file extension ``.ql``, and contain a ``select`` clause. Many of the built-in Semmle queries include additional optional information, and have the following structure:: +`Queries `__ written with CodeQL have the file extension ``.ql``, and contain a ``select`` clause. Many of the existing queries include additional optional information, and have the following structure:: /** * @@ -36,9 +38,9 @@ Basic query structure * */ - import /* ... QL libraries or modules ... */ + import /* ... CodeQL libraries or modules ... */ - /* ... Optional, define QL classes and predicates ... */ + /* ... Optional, define CodeQL classes and predicates ... */ from /* ... variable declarations ... */ where /* ... logical formula ... */ @@ -49,9 +51,9 @@ The following sections describe the information that is typically included in a Query metadata ============== -Query metadata is used to identify your custom queries when they are added to the Semmle repository or used in your analysis. Metadata provides information about the query's purpose, and also specifies how to interpret and display the query results. For a full list of metadata properties, see the :doc:`query metadata reference `. The exact metadata requirement depends on how you are going to run your query: +Query metadata is used to identify your custom queries when they are added to the GitHub repository or used in your analysis. Metadata provides information about the query's purpose, and also specifies how to interpret and display the query results. For a full list of metadata properties, see the :doc:`query metadata reference `. The exact metadata requirement depends on how you are going to run your query: -- If you are contributing a query to the Semmle open source repository for inclusion in the standard queries, please read the `query metadata style guide `__. +- If you are contributing a query to the GitHub repository, please read the `query metadata style guide `__. - If you are adding a custom query to a query pack for analysis using LGTM , see `Writing custom queries to include in LGTM analysis `__. - If you are analyzing a project using the `QL command-line tools `__, see `Preparing custom queries `__. - If you are running a query in the query console on LGTM or in the Quick query window in QL for Eclipse, metadata is not mandatory. However, if you want your results to be displayed as either an 'alert' or a 'path', you must specify the correct `@kind` property, as explained below. See `Using the query console `__ and `Running a quick query `__ for further information. @@ -60,7 +62,7 @@ Query metadata is used to identify your custom queries when they are added to th Note - Queries that are contributed to the Semmle open source repository, added to a query pack in LGTM, or used to analyze a project with the QL command-line tools must have a query type (``@kind``) specified. The ``@kind`` property indicates how to interpret and display the results of the query analysis: + Queries that are contributed to the open source repository, added to a query pack in LGTM, or used to analyze a project with the QL command-line tools must have a query type (``@kind``) specified. The ``@kind`` property indicates how to interpret and display the results of the query analysis: - Alert query metadata must contain ``@kind problem``. - Path query metadata must contain ``@kind path-problem``. @@ -71,8 +73,8 @@ Query metadata is used to identify your custom queries when they are added to th Import statements ================= -Each query generally contains one or more ``import`` statements, which define the `QL libraries `__ or `modules `__ to import into the query. QL libraries and modules provide a way of grouping together related `types `__, `predicates `__, and other modules. The contents of each library or module that you import can then be accessed by the query. -`Semmle's open source repository on GitHub `__ contains all of the standard QL libraries for each supported language. +Each query generally contains one or more ``import`` statements, which define the `libraries `__ or `modules `__ to import into the query. Libraries and modules provide a way of grouping together related `types `__, `predicates `__, and other modules. The contents of each library or module that you import can then be accessed by the query. +Our `open source repository on GitHub `__ contains the standard CodeQL libraries for each supported language. When writing your own alert queries, you would typically import the standard library for the language of the project that you are querying, using ``import`` followed by a language: @@ -83,13 +85,13 @@ When writing your own alert queries, you would typically import the standard lib - JavaScript/TypeScript: ``javascript`` - Python: ``python`` -There are also QL libraries containing commonly used predicates, types, and other modules associated with different analyses, including data flow, control flow, and taint-tracking. In order to calculate path graphs, path queries require you to import a data flow library into the query file. See :doc:`Constructing path queries ` for further information. +There are also libraries containing commonly used predicates, types, and other modules associated with different analyses, including data flow, control flow, and taint-tracking. In order to calculate path graphs, path queries require you to import a data flow library into the query file. See :doc:`Constructing path queries ` for further information. -You can explore the contents of all the standard QL libraries in the `QL library reference documentation `__, using `QL for Eclipse `__, or in the `GitHub repository `__. +You can explore the contents of all the standard libraries in the `CodeQL library reference documentation `__, using `QL for Eclipse `__, or in the `GitHub repository `__. -Optional QL classes and predicates ----------------------------------- +Optional CodeQL classes and predicates +-------------------------------------- You can customize your analysis by defining your own predicates and classes in the query. See `Defining a predicate `__ and `Defining a class `__ for further details. @@ -97,13 +99,13 @@ From clause =========== The ``from`` clause declares the variables that are used in the query. Each declaration must be of the form `` ``. -For more information on the `types `__ available in QL, and to learn how to define your own types using `classes `__, see the `QL language handbook `__. +For more information on the available `types `__, and to learn how to define your own types using `classes `__, see the `QL language handbook `__. Where clause ============ The ``where`` clause defines the logical conditions to apply to the variables declared in the ``from`` clause to generate your results. This clause uses `aggregations `__, `predicates `__, and logical `formulas `_ to limit the variables of interest to a smaller set, which meet the defined conditions. -The QL libraries group commonly used predicates for specific languages and frameworks. You can also define your own predicates in the body of the query file or in your own custom modules, as described above. +The CodeQL libraries group commonly used predicates for specific languages and frameworks. You can also define your own predicates in the body of the query file or in your own custom modules, as described above. Select clause ============= @@ -138,6 +140,6 @@ What next? - See the queries used in real-life variant analysis on the `Semmle blog `__. - To learn more about writing path queries, see :doc:`Constructing path queries `. -- Take a look at the `built-in queries `__ to see examples of the queries included in the Semmle tools. -- Explore the `query cookbooks `__ to see how to access the basic language elements contained in the QL libraries. -- For a full list of resources to help you learn QL, including beginner tutorials and language-specific examples, visit `Learning QL `__. \ No newline at end of file +- Take a look at the `built-in queries `__ to see examples of the queries included in CodeQL. +- Explore the `query cookbooks `__ to see how to access the basic language elements contained in the CodeQL libraries. +- For a full list of resources to help you learn CodeQL, including beginner tutorials and language-specific examples, visit `Learning CodeQL `__. \ No newline at end of file diff --git a/docs/language/learn-ql/writing-queries/path-queries.rst b/docs/language/learn-ql/writing-queries/path-queries.rst index 50de68dbe55..01a6e0d97ea 100644 --- a/docs/language/learn-ql/writing-queries/path-queries.rst +++ b/docs/language/learn-ql/writing-queries/path-queries.rst @@ -5,8 +5,8 @@ Overview ======== Security researchers are particularly interested in the way that information flows in a program. Many vulnerabilities are caused by seemingly benign data flowing to unexpected locations, and being used in a malicious way. -Path queries written in QL are particularly useful for analyzing data flow as they can be used to track the path taken by a variable from its possible starting points (``source``) to its possible end points (``sink``). -To model paths in QL, your query must provide information about the ``source`` and the ``sink``, as well as the data flow steps that link them. +Path queries written with CodeQL are particularly useful for analyzing data flow as they can be used to track the path taken by a variable from its possible starting points (``source``) to its possible end points (``sink``). +To model paths, your query must provide information about the ``source`` and the ``sink``, as well as the data flow steps that link them. This topic provides information on how to structure a path query file so you can explore the paths associated with the results of data flow analysis. @@ -17,8 +17,8 @@ This topic provides information on how to structure a path query file so you can The alerts generated by path queries are displayed by default in `LGTM `__ and included in the results generated using the `QL command-line tools `__. You can also view the paths explanations generated by your path query `directly in LGTM `__, or using the `Path explorer view `__ in `QL for Eclipse `__. -To learn more about modeling data flow in QL, see :doc:`Introduction to data flow <../intro-to-data-flow>`. -For more language-specific information on analyzing data flow with QL see: +To learn more about modeling data flow with CodeQL, see :doc:`Introduction to data flow <../intro-to-data-flow>`. +For more language-specific information on analyzing data flow, see: - :doc:`Analyzing data flow in C/C++ <../cpp/dataflow>` - :doc:`Analyzing data flow in C# <../csharp/dataflow>` @@ -29,7 +29,7 @@ For more language-specific information on analyzing data flow with QL see: Path query examples ******************* -The easiest way to get started writing your own path query is to modify one of the existing queries. Visit the links below to see all of the built-in path queries: +The easiest way to get started writing your own path query is to modify one of the existing queries. Visit the links below to see all the built-in path queries: - `C/C++ path queries `__ - `C# path queries `__ @@ -43,7 +43,7 @@ Constructing a path query ========================= Path queries require certain metadata, query predicates, and ``select`` statement structures. -Many of the built-in path queries included in the Semmle tools follow a simple structure, which depends on how the language you are analyzing is modeled in QL. +Many of the built-in path queries included in CodeQL follow a simple structure, which depends on how the language you are analyzing is modeled with CodeQL. For C/C++, C#, Java, and JavaScript you should use the following template:: @@ -63,7 +63,7 @@ For C/C++, C#, Java, and JavaScript you should use the following template:: Where: -- ``DataFlow::Pathgraph`` is the path graph module you need to import from the standard QL libraries. +- ``DataFlow::Pathgraph`` is the path graph module you need to import from the standard CodeQL libraries. - ``source`` and ``sink`` are nodes on the `path graph `__, and ``DataFlow::PathNode`` is their type. - ``Configuration`` is a class containing the predicates which define how data may flow between the ``source`` and the ``sink``. @@ -85,7 +85,7 @@ For Python you should use a slightly different template:: Where: -- ``semmle.python.security.Paths`` is the path graph module imported from the standard QL libraries. +- ``semmle.python.security.Paths`` is the path graph module imported from the standard CodeQL libraries. - ``source`` and ``sink`` are nodes on the path graph, ``TaintedPathSource source`` and ``TaintedPathSink`` are their respective types. Note, you do not need to declare a configuration class to define the data flow from the ``source`` to the ``sink`` in a Python path query. @@ -103,9 +103,9 @@ Generating path explanations In order to generate path explanations, your query needs to compute a `path graph `__. To do this you need to define a `query predicate `__ called ``edges`` in your query. This predicate defines the edge relations of the graph you are computing, and it is used to compute the paths related to each result that your query generates. -You can import a predefined ``edges`` predicate from a path graph module in one of the standard QL data flow libraries. In addition to the path graph module, the data flow libraries contain the other ``classes``, ``predicates``, and ``modules`` that are commonly used in data flow analysis. The import statement to use depends on the language that you are analyzing. +You can import a predefined ``edges`` predicate from a path graph module in one of the standard data flow libraries. In addition to the path graph module, the data flow libraries contain the other ``classes``, ``predicates``, and ``modules`` that are commonly used in data flow analysis. The import statement to use depends on the language that you are analyzing. -For C/C++, C#. Java, and JavaScript you would use:: +For C/C++, C#, Java, and JavaScript you would use:: import DataFlow::PathGraph @@ -115,7 +115,7 @@ For Python, the ``Paths`` module contains the ``edges`` predicate:: import semmle.python.security.Paths -You can also import libraries specifically designed to implement data flow analysis in various common frameworks and environments, and many additional libraries are included with the Semmle tools. To see examples of the different libraries used in data flow analysis, see the links to the built-in queries above or browse the `standard QL libraries `__. +You can also import libraries specifically designed to implement data flow analysis in various common frameworks and environments, and many additional libraries are included with CodeQL. To see examples of the different libraries used in data flow analysis, see the links to the built-in queries above or browse the `standard libraries `__. For all languages, you can also optionally define a ``nodes`` query predicate, which specifies the nodes of the path graph that you are interested in. If ``nodes`` is defined, only edges with endpoints defined by these nodes are selected. If ``nodes`` is not defined, you select all possible endpoints of ``edges``. @@ -128,7 +128,7 @@ You can also define your own ``edges`` predicate in the body of your query. It s /** Logical conditions which hold if `(a,b)` is an edge in the data flow graph */ } -For more examples of how to define an ``edges`` predicate, visit the `standard QL libraries `__ and search for ``edges``. +For more examples of how to define an ``edges`` predicate, visit the `standard CodeQL libraries `__ and search for ``edges``. Declaring sources and sinks *************************** @@ -136,7 +136,7 @@ Declaring sources and sinks You must provide information about the ``source`` and ``sink`` in your path query. These are objects that correspond to the nodes of the paths that you are exploring. The name and the type of the ``source`` and the ``sink`` must be declared in the ``from`` statement of the query, and the types must be compatible with the nodes of the graph computed by the ``edges`` predicate. -If you are querying C/C++, C#, Java or JavaScript code (and you have used ``import DataFlow::PathGraph`` in your query), the definitions of the ``source`` and ``sink`` are accessed via the ``Configuration`` class in the data flow library. You should declare all three of these objects in the ``from`` statement. +If you are querying C/C++, C#, Java, or JavaScript code (and you have used ``import DataFlow::PathGraph`` in your query), the definitions of the ``source`` and ``sink`` are accessed via the ``Configuration`` class in the data flow library. You should declare all three of these objects in the ``from`` statement. For example:: from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink @@ -191,5 +191,5 @@ What next? ********** - Take a look at the path queries for `C/C++ `__, `C# `__, `Java `__, `JavaScript `__, and `Python `__ to see examples of the queries included in the Semmle tools. -- Explore the `query cookbooks `__ to see how to access the basic language elements contained in the QL libraries. -- For a full list of resources to help you learn QL, including beginner tutorials and language-specific examples, visit `Learning QL `__. +- Explore the `query cookbooks `__ to see how to access the basic language elements contained in the CodeQL libraries. +- For a full list of resources to help you learn CodeQL, including beginner tutorials and language-specific examples, visit `Learning CodeQL `__. diff --git a/docs/language/learn-ql/writing-queries/query-help.rst b/docs/language/learn-ql/writing-queries/query-help.rst index 9e295df7620..c3692b7fac0 100644 --- a/docs/language/learn-ql/writing-queries/query-help.rst +++ b/docs/language/learn-ql/writing-queries/query-help.rst @@ -2,16 +2,16 @@ Query help reference ******************** This topic provides detailed information on the structure of query help files. -For more information about how to write useful query help in a style that is consistent with Semmle's built-in queries, see the `Query help style guide `__ on GitHub. +For more information about how to write useful query help in a style that is consistent with the standard CodeQL queries, see the `Query help style guide `__ on GitHub. .. pull-quote:: Note - You can access the query help for Semmle's built-in queries by visiting the `Built-in query pages `__. - You can also access the raw query help files in the `Semmle/ql GitHub repository `__. - For example, the `JavaScript security queries `__ and `C/C++ critical queries `__. + You can access the query help for CodeQL queries by visiting the `Built-in query pages `__. + You can also access the raw query help files in the `GitHub repository `__. + For example, see the `JavaScript security queries `__ and `C/C++ critical queries `__. For queries run by default on LGTM, there are several different ways to access the query help. For further information, see `Where do I see the query help for a query on LGTM? `__ in the LGTM user help. @@ -207,5 +207,5 @@ The included file, `ThreadUnsafeICryptoTransformOverview.qhelp `__ on GitHub. -- To learn more about writing custom queries, and how to format your QL for clarity and consistency, see `Writing QL queries `__. +- To learn more about contributing to the standard CodeQL queries and libraries, see our `Contributing guidelines `__ on GitHub. +- To learn more about writing custom queries, and how to format your code for clarity and consistency, see `Writing CodeQL queries `__. diff --git a/docs/language/learn-ql/writing-queries/select-statement.rst b/docs/language/learn-ql/writing-queries/select-statement.rst index ea2b256e421..86e0770d426 100644 --- a/docs/language/learn-ql/writing-queries/select-statement.rst +++ b/docs/language/learn-ql/writing-queries/select-statement.rst @@ -27,7 +27,7 @@ If you look at some of the LGTM queries, you'll see that they can select extra e Developing a select statement ----------------------------- -Here's a simple query that uses the standard QL ``CodeDuplication.qll`` library to identify similar files. +Here's a simple query that uses the standard CodeQL ``CodeDuplication.qll`` library to identify similar files. Basic select statement ~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/language/learn-ql/writing-queries/writing-queries.rst b/docs/language/learn-ql/writing-queries/writing-queries.rst index 1c3877e1a77..caedde2b0a0 100644 --- a/docs/language/learn-ql/writing-queries/writing-queries.rst +++ b/docs/language/learn-ql/writing-queries/writing-queries.rst @@ -1,8 +1,7 @@ -Writing QL queries -################## +Writing CodeQL queries +###################### - -If you are familiar with QL, you can modify the existing Semmle queries or write custom queries to analyze, improve, and secure your own projects. Get started by reading the information for query writers and viewing the examples provided below. +If you are familiar with CodeQL, you can modify the existing queries or write custom queries to analyze, improve, and secure your own projects. Get started by reading the information for query writers and viewing the examples provided below. Information for query writers ***************************** @@ -18,19 +17,21 @@ Information for query writers ../locations -Visit `Learning QL `__ to find basic information about QL, as well as help and advice on writing QL for specific programming languages. To learn more about the structure of query files, the key information to include when writing your own QL queries, and how to format your QL for clarity and consistency, see the following topics: +Visit `Learning CodeQL `__ to find basic information about CodeQL. This includes information about the underlying query language QL, as well as help and advice on writing queries for specific programming languages. +To learn more about the structure of query files, the key information to include when writing your own queries, and how to format them for clarity and consistency, see the following topics: - :doc:`Introduction to query files `–an introduction to the information contained in a basic query file. - :doc:`Constructing path queries `–a quick guide to structuring path queries to use in security research. -- :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`–a brief introduction to modeling data flow using QL. +- :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`–a brief introduction to modeling data flow using CodeQL. - :doc:`Defining 'select' statements `–further detail on developing query alert messages to provide extra information in your query results. -- :doc:`Locations and strings for QL entities <../locations>`–further detail on providing location information in query results. +- :doc:`Locations and strings for CodeQL entities <../locations>`–further detail on providing location information in query results. - `QL style guide on GitHub `__–a guide to formatting QL for consistency and clarity. -Viewing the built-in QL queries +Viewing existing CodeQL queries ******************************* -The easiest way to get started writing your own queries is to modify an existing query. To view examples of the queries included in the latest release of the Semmle tools, or to try out the QL query cookbooks, visit `Exploring QL queries `__. You can also find all of the Semmle queries in our `open source repository on GitHub `__. +The easiest way to get started writing your own queries is to modify an existing query. To see these queries, or to try out the CodeQL query cookbooks, visit `Exploring CodeQL queries `__. +SYou can also find all the CodeQL queries in our `open source repository on GitHub `__. You can also find examples of queries developed to find security vulnerabilities and bugs in open-source software projects in the `Semmle demos GitHub repository `__ and the `Semmle blog `__. @@ -45,7 +46,9 @@ Contributing queries query-help Contributions to the standard queries and libraries are very welcome–see our `contributing guidelines `__ for further information. -If you are contributing a query to the open source GitHub repository, writing a custom query for LGTM, or using a custom query in an analysis with the QL command-line tools, then you need to include extra metadata in your query to ensure that the query results are interpreted and displayed correctly. See the following topics for more information on query metadata: +If you are contributing a query to the open source GitHub repository, writing a custom query for LGTM, or using a custom query in an analysis with our command-line tools, then you need to include extra metadata in your query to ensure that the query results are interpreted and displayed correctly. See the following topics for more information on query metadata: + +.. TODO: Change "command-line tools" to a link to the CodeQL CLI? - :doc:`Query metadata reference ` - `Query metadata style guide on GitHub `__ diff --git a/docs/language/ql-handbook/annotations.rst b/docs/language/ql-handbook/annotations.rst index e4f4b0c40cd..8673b8194f6 100644 --- a/docs/language/ql-handbook/annotations.rst +++ b/docs/language/ql-handbook/annotations.rst @@ -245,7 +245,7 @@ Compiler pragmas **Available for**: |characteristic predicates|, |member predicates|, |non-member predicates| -The following compiler pragmas affect the compilation and optimization of QL queries. You +The following compiler pragmas affect the compilation and optimization of queries. You should avoid using these annotations unless you experience significant performance issues. Before adding pragmas to your code, contact Semmle to describe the performance problems. diff --git a/docs/language/ql-handbook/index.rst b/docs/language/ql-handbook/index.rst index 2bd22a3a628..701d7d02237 100644 --- a/docs/language/ql-handbook/index.rst +++ b/docs/language/ql-handbook/index.rst @@ -9,7 +9,7 @@ help you understand how the language works, and how to write more advanced QL co Each section describes an important concept or syntactic construct of QL. For an overview, see the table of contents below. -If you are just getting started with QL, see `Learning QL `_ +If you are just getting started with QL, see `Learning CodeQL `_ for a list of the available resources. .. index:: specification diff --git a/docs/language/ql-handbook/types.rst b/docs/language/ql-handbook/types.rst index 999ec5ca51f..6aa9043bd62 100644 --- a/docs/language/ql-handbook/types.rst +++ b/docs/language/ql-handbook/types.rst @@ -230,7 +230,7 @@ abstract class, you can add more subclasses to it. **Example** -If you are writing a security query in QL, you may be interested in identifying +If you are writing a security query, you may be interested in identifying all expressions that can be interpreted as SQL queries. You can use the following abstract class to describe these expressions:: @@ -438,7 +438,7 @@ In the standard QL language libraries, this is usually done as follows: and provide a definition for any abstract predicates from ``A``. - Annotate the algebraic datatype with :ref:`private`, and leave the classes public. -For example, the following code snippet from the QL for C# data flow library defines classes +For example, the following code snippet from the CodeQL data-flow library for C# defines classes for dealing with tainted or untainted values. In this case, it doesn't make sense for ``TaintType`` to extend a database type. It is part of the taint analysis, not the underlying program, so it's helpful to extend a new type (namely ``TTaintType``):: @@ -473,7 +473,7 @@ Database types Database types are defined in the database schema. This means that they depend on the database that you are querying, and vary according to the data you are analyzing. -For example, if you are querying a QL database for a Java project, the database types may +For example, if you are querying a CodeQL database for a Java project, the database types may include ``@ifstmt``, representing an if statement in the Java code, and ``@variable``, representing a variable. diff --git a/docs/language/ql-training/slide-snippets/info.rst b/docs/language/ql-training/slide-snippets/info.rst index d093559eaba..583a456207b 100644 --- a/docs/language/ql-training/slide-snippets/info.rst +++ b/docs/language/ql-training/slide-snippets/info.rst @@ -5,7 +5,7 @@ To try the examples in this presentation we recommend you download `QL for Eclip **QL language resources** -- If you are new to QL, try the QL language tutorials at `Learning QL `__. +- If you are new to QL, try the QL language tutorials at `Learning CodeQL `__. - To learn more about the main features of QL, try looking at the `QL language handbook `__. - For further information about writing queries in QL, see `Writing QL queries `__. diff --git a/java/config/suites/lgtm/java-queries-lgtm b/java/config/suites/lgtm/java-queries-lgtm index 3ab79126ded..152992143f5 100644 --- a/java/config/suites/lgtm/java-queries-lgtm +++ b/java/config/suites/lgtm/java-queries-lgtm @@ -2,6 +2,8 @@ @_namespace com.lgtm/java-queries + semmlecode-queries/AlertSuppression.ql @_namespace com.lgtm/java-queries ++ semmlecode-queries/AlertSuppressionAnnotations.ql + @_namespace com.lgtm/java-queries + semmlecode-queries/filters/ClassifyFiles.ql @_namespace com.lgtm/java-queries diff --git a/java/ql/src/AlertSuppressionAnnotations.ql b/java/ql/src/AlertSuppressionAnnotations.ql new file mode 100644 index 00000000000..446055d5116 --- /dev/null +++ b/java/ql/src/AlertSuppressionAnnotations.ql @@ -0,0 +1,96 @@ +/** + * @name Alert suppression using annotations + * @description Generates information about alert suppressions + * using 'SuppressWarnings' annotations. + * @kind alert-suppression + * @id java/alert-suppression-annotations + */ + +import java +import Metrics.Internal.Extents + +/** Gets the LGTM suppression annotation text in the string `s`, if any. */ +bindingset[s] +string getAnnotationText(string s) { + // match `lgtm[...]` anywhere in the comment + result = s.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _) +} + +/** + * An alert suppression annotation. + */ +class SuppressionAnnotation extends SuppressWarningsAnnotation { + string text; + + SuppressionAnnotation() { + text = this.getASuppressedWarningLiteral().getValue() and + exists(getAnnotationText(text)) + } + + /** + * Gets the text of this suppression annotation. + */ + string getText() { result = text } + + private Annotation getASiblingAnnotation() { + result = getAnnotatedElement().(Annotatable).getAnAnnotation() and + (getAnnotatedElement() instanceof Callable or getAnnotatedElement() instanceof RefType) + } + + private Annotation firstAnnotation() { + result = min(this.getASiblingAnnotation() as m + order by + m.getLocation().getStartLine(), m.getLocation().getStartColumn() + ) + } + + /** + * Holds if this annotation applies to the range from column `startcolumn` of line `startline` + * to column `endcolumn` of line `endline` in file `filepath`. + */ + predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) { + if firstAnnotation().hasLocationInfo(filepath, _, _, _, _) + then + getAnnotatedElement().hasLocationInfo(filepath, _, _, endline, endcolumn) and + firstAnnotation().hasLocationInfo(filepath, startline, startcolumn, _, _) + else getAnnotatedElement().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) + } + + /** Gets the scope of this suppression. */ + SuppressionScope getScope() { this = result.getSuppressionAnnotation() } +} + +/** + * The scope of an alert suppression annotation. + */ +class SuppressionScope extends @annotation { + SuppressionScope() { this instanceof SuppressionAnnotation } + + /** Gets a suppression annotation with this scope. */ + SuppressionAnnotation getSuppressionAnnotation() { result = this } + + /** + * Holds if this element is at the specified location. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `filepath`. + * For more information, see + * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html). + */ + predicate hasLocationInfo( + string filepath, int startline, int startcolumn, int endline, int endcolumn + ) { + this.(SuppressionAnnotation).covers(filepath, startline, startcolumn, endline, endcolumn) + } + + /** Gets a textual representation of this element. */ + string toString() { result = "suppression range" } +} + +from SuppressionAnnotation c, string text, string annotationText +where + text = c.getText() and + annotationText = getAnnotationText(text) +select c, // suppression entity + text, // full text of suppression string + annotationText, // LGTM suppression annotation text + c.getScope() // scope of suppression diff --git a/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.qhelp b/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.qhelp new file mode 100644 index 00000000000..73e5381be33 --- /dev/null +++ b/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.qhelp @@ -0,0 +1,25 @@ + + + + + +

    A continue statement only re-runs the loop if the loop condition is true. Therefore using continue in a loop with a constant false condition will never cause the loop body to be re-run, which is misleading. +

    + +     + + +

    Replace the continue statement with a break statement if the intent is to break from the loop. +

    + +     + + +
  • +Java Language Specification: +14.13 The do Statement. +
    • +     +     diff --git a/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.ql b/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.ql new file mode 100644 index 00000000000..e6095791ddb --- /dev/null +++ b/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.ql @@ -0,0 +1,21 @@ +/** + * @name Continue statement that does not continue + * @description A 'continue' statement only re-runs the loop if the + * loop-condition is true. Therefore using 'continue' in a loop + * with a constant false condition is misleading and usually a + * bug. + * @kind problem + * @id java/continue-in-false-loop + * @problem.severity warning + * @precision high + * @tags correctness + */ + +import java + +from DoStmt do, ContinueStmt continue +where + do.getCondition().(BooleanLiteral).getBooleanValue() = false and + continue.(JumpStmt).getTarget() = do +select continue, "This 'continue' never re-runs the loop - the $@ is always false.", + do.getCondition(), "loop condition" diff --git a/java/ql/src/Metrics/Internal/Extents.qll b/java/ql/src/Metrics/Internal/Extents.qll index 38494b1bd96..47ee9a850a6 100644 --- a/java/ql/src/Metrics/Internal/Extents.qll +++ b/java/ql/src/Metrics/Internal/Extents.qll @@ -1,15 +1,19 @@ -import java - -/* +/** + * Provides classes that modify the default location information + * of `RefType`s and `Callable`s to cover their full extent. + * * When this library is imported, the `hasLocationInfo` predicate of * `Callable` and `RefTypes` is overridden to specify their entire range * instead of just the range of their name. The latter can still be * obtained by invoking the `getLocation()` predicate. * - * The full ranges are required for the purpose of associating a violation - * with an individual `Callable` or `RefType` as opposed to a whole `File`. + * The full ranges may be used to determine whether a given location + * (for example, the location of an alert) is contained within the extent + * of a `Callable` or `RefType`. */ +import java + /** * A Callable whose `hasLocationInfo` is overridden to specify its entire range * including the body (if any), as opposed to the location of its name only. @@ -48,20 +52,9 @@ class RangeRefType extends RefType { } private Member lastMember() { - exists(Member m, int i | - result = m and - m = getAMember() and - i = rankOfMember(m) and - not exists(Member other | other = getAMember() and rankOfMember(other) > i) - ) - } - - private int rankOfMember(Member m) { - this.getAMember() = m and - exists(Location mLoc, File f, int maxCol | mLoc = m.getLocation() | - f = mLoc.getFile() and - maxCol = max(Location loc | loc.getFile() = f | loc.getStartColumn()) and - result = mLoc.getStartLine() * maxCol + mLoc.getStartColumn() - ) + result = max(this.getAMember() as m + order by + m.getLocation().getStartLine(), m.getLocation().getStartColumn() + ) } } diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java new file mode 100644 index 00000000000..1f0c7de674b --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java @@ -0,0 +1,9 @@ +import io.netty.handler.codec.http.DefaultHttpHeaders; + +public class ResponseSplitting { + // BAD: Disables the internal response splitting verification + private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false); + + // GOOD: Verifies headers passed don't contain CRLF characters + private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(); +} diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp new file mode 100644 index 00000000000..17afa6275fc --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp @@ -0,0 +1,5 @@ + + + diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql new file mode 100644 index 00000000000..d74bfa351a8 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql @@ -0,0 +1,20 @@ +/** + * @name Disabled Netty HTTP header validation + * @description Disabling HTTP header validation makes code vulnerable to + * attack by header splitting if user input is written directly to + * an HTTP header. + * @kind problem + * @problem.severity error + * @precision high + * @id java/netty-http-response-splitting + * @tags security + * external/cwe/cwe-113 + */ + +import java + +from ClassInstanceExpr new +where + new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and + new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false +select new, "Response-splitting vulnerability due to verification being disabled." diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp index 87c2d03709b..aafdc26e49c 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp @@ -26,6 +26,13 @@ characters, thus avoiding the potential problem.

    + +

    The following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. +The second way will verify the parameters before using them to build the HTTP response.

    + + +     +
  • InfosecWriters: HTTP response splitting. diff --git a/java/ql/src/config/semmlecode.dbscheme b/java/ql/src/config/semmlecode.dbscheme index 886aec63fb9..e7706df98aa 100755 --- a/java/ql/src/config/semmlecode.dbscheme +++ b/java/ql/src/config/semmlecode.dbscheme @@ -494,6 +494,7 @@ case @stmt.kind of | 20 = @superconstructorinvocationstmt | 21 = @case | 22 = @catchclause +| 23 = @yieldstmt ; #keyset[parent,idx] diff --git a/java/ql/src/config/semmlecode.dbscheme.stats b/java/ql/src/config/semmlecode.dbscheme.stats index 621bfff8b15..22e7ff7e830 100644 --- a/java/ql/src/config/semmlecode.dbscheme.stats +++ b/java/ql/src/config/semmlecode.dbscheme.stats @@ -189,6 +189,10 @@ 28672 +@yieldstmt +100 + + @arrayaccess 53561 diff --git a/java/ql/src/semmle/code/java/Completion.qll b/java/ql/src/semmle/code/java/Completion.qll index a6195bcf600..c8b4f966a3b 100644 --- a/java/ql/src/semmle/code/java/Completion.qll +++ b/java/ql/src/semmle/code/java/Completion.qll @@ -52,13 +52,13 @@ newtype Completion = (innerValue = true or innerValue = false) } or /** - * The expression or statement completes via a `break` statement without a value. + * The expression or statement completes via a `break` statement. */ BreakCompletion(MaybeLabel l) or /** - * The expression or statement completes via a value `break` statement. + * The expression or statement completes via a `yield` statement. */ - ValueBreakCompletion(NormalOrBooleanCompletion c) or + YieldCompletion(NormalOrBooleanCompletion c) or /** * The expression or statement completes via a `continue` statement. */ diff --git a/java/ql/src/semmle/code/java/ControlFlowGraph.qll b/java/ql/src/semmle/code/java/ControlFlowGraph.qll index 45f96a36c9d..9c7cc976d46 100644 --- a/java/ql/src/semmle/code/java/ControlFlowGraph.qll +++ b/java/ql/src/semmle/code/java/ControlFlowGraph.qll @@ -804,23 +804,23 @@ private module ControlFlowGraphImpl { or // handle `switch` expression exists(SwitchExpr switch | switch = n | - // value `break` terminates the `switch` - last(switch.getAStmt(), last, ValueBreakCompletion(completion)) + // `yield` terminates the `switch` + last(switch.getAStmt(), last, YieldCompletion(completion)) or // any other abnormal completion is propagated last(switch.getAStmt(), last, completion) and - not completion instanceof ValueBreakCompletion and + not completion instanceof YieldCompletion and completion != NormalCompletion() ) or // the last node in a case rule is the last node in the right-hand side last(n.(SwitchCase).getRuleStatement(), last, completion) or - // ...and if the rhs is an expression we wrap the completion as a value break + // ...and if the rhs is an expression we wrap the completion as a yield exists(Completion caseCompletion | last(n.(SwitchCase).getRuleExpression(), last, caseCompletion) and if caseCompletion instanceof NormalOrBooleanCompletion - then completion = ValueBreakCompletion(caseCompletion) + then completion = YieldCompletion(caseCompletion) else completion = caseCompletion ) or @@ -833,18 +833,18 @@ private module ControlFlowGraphImpl { // `throw` statements or throwing calls give rise to ` Throw` completion exists(ThrowableType tt | mayThrow(n, tt) | last = n and completion = ThrowCompletion(tt)) or - // `break` statements without value give rise to a `Break` completion - exists(BreakStmt break | break = n and last = n and not break.hasValue() | + // `break` statements give rise to a `Break` completion + exists(BreakStmt break | break = n and last = n | completion = labelledBreakCompletion(MkLabel(break.getLabel())) or not exists(break.getLabel()) and completion = anonymousBreakCompletion() ) or - // value break statements get their completion wrapped as a value break + // yield statements get their completion wrapped as a yield exists(Completion caseCompletion | - last(n.(BreakStmt).getValue(), last, caseCompletion) and + last(n.(YieldStmt).getValue(), last, caseCompletion) and if caseCompletion instanceof NormalOrBooleanCompletion - then completion = ValueBreakCompletion(caseCompletion) + then completion = YieldCompletion(caseCompletion) else completion = caseCompletion ) or @@ -1112,9 +1112,9 @@ private module ControlFlowGraphImpl { n = case and result = first(case.getRuleStatement()) ) or - // Value break - exists(BreakStmt break | completion = NormalCompletion() | - n = break and result = first(break.getValue()) + // Yield + exists(YieldStmt yield | completion = NormalCompletion() | + n = yield and result = first(yield.getValue()) ) or // Synchronized statements execute their expression _before_ synchronization, so the CFG reflects that. diff --git a/java/ql/src/semmle/code/java/Expr.qll b/java/ql/src/semmle/code/java/Expr.qll index 0ab25628e47..313a8eb6aa8 100755 --- a/java/ql/src/semmle/code/java/Expr.qll +++ b/java/ql/src/semmle/code/java/Expr.qll @@ -1084,7 +1084,7 @@ class ConditionalExpr extends Expr, @conditionalexpr { } /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. * * A `switch` expression. */ @@ -1117,7 +1117,7 @@ class SwitchExpr extends Expr, @switchexpr { Expr getAResult() { result = getACase().getRuleExpression() or - exists(BreakStmt break | break.(JumpStmt).getTarget() = this and result = break.getValue()) + exists(YieldStmt yield | yield.(JumpStmt).getTarget() = this and result = yield.getValue()) } /** Gets a printable representation of this expression. */ diff --git a/java/ql/src/semmle/code/java/JDKAnnotations.qll b/java/ql/src/semmle/code/java/JDKAnnotations.qll index e3e1e40d946..652b1b48f14 100644 --- a/java/ql/src/semmle/code/java/JDKAnnotations.qll +++ b/java/ql/src/semmle/code/java/JDKAnnotations.qll @@ -18,6 +18,12 @@ class OverrideAnnotation extends Annotation { class SuppressWarningsAnnotation extends Annotation { SuppressWarningsAnnotation() { this.getType().hasQualifiedName("java.lang", "SuppressWarnings") } + /** Gets the `StringLiteral` of a warning suppressed by this annotation. */ + StringLiteral getASuppressedWarningLiteral() { + result = this.getAValue() or + result = this.getAValue().(ArrayInit).getAnInit() + } + /** Gets the name of a warning suppressed by this annotation. */ string getASuppressedWarning() { result = this.getAValue().(StringLiteral).getLiteral() or diff --git a/java/ql/src/semmle/code/java/Statement.qll b/java/ql/src/semmle/code/java/Statement.qll index 2f98615b243..2a5f94ef781 100755 --- a/java/ql/src/semmle/code/java/Statement.qll +++ b/java/ql/src/semmle/code/java/Statement.qll @@ -417,7 +417,7 @@ class SwitchCase extends Stmt, @case { SwitchStmt getSwitch() { result.getACase() = this } /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. * * Gets the switch expression to which this case belongs, if any. */ @@ -432,7 +432,7 @@ class SwitchCase extends Stmt, @case { } /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. * * Holds if this `case` is a switch labeled rule of the form `... -> ...`. */ @@ -443,14 +443,14 @@ class SwitchCase extends Stmt, @case { } /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. * * Gets the expression on the right-hand side of the arrow, if any. */ Expr getRuleExpression() { result.getParent() = this and result.getIndex() = -1 } /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. * * Gets the statement on the right-hand side of the arrow, if any. */ @@ -465,7 +465,7 @@ class ConstCase extends SwitchCase { Expr getValue() { result.getParent() = this and result.getIndex() = 0 } /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. * * Gets the `case` constant at the specified index. */ @@ -558,10 +558,11 @@ class ThrowStmt extends Stmt, @throwstmt { } } -/** A `break` or `continue` statement. */ +/** A `break`, `yield` or `continue` statement. */ class JumpStmt extends Stmt { JumpStmt() { this instanceof BreakStmt or + this instanceof YieldStmt or this instanceof ContinueStmt } @@ -585,9 +586,7 @@ class JumpStmt extends Stmt { ) } - private SwitchExpr getSwitchExprTarget() { - this.(BreakStmt).hasValue() and result = this.getParent+() - } + private SwitchExpr getSwitchExprTarget() { result = this.(YieldStmt).getParent+() } private StmtParent getEnclosingTarget() { result = getSwitchExprTarget() @@ -598,7 +597,7 @@ class JumpStmt extends Stmt { } /** - * Gets the statement or `switch` expression that this `break` or `continue` jumps to. + * Gets the statement or `switch` expression that this `break`, `yield` or `continue` jumps to. */ StmtParent getTarget() { result = getLabelTarget() @@ -615,34 +614,31 @@ class BreakStmt extends Stmt, @breakstmt { /** Holds if this `break` statement has an explicit label. */ predicate hasLabel() { exists(string s | s = this.getLabel()) } - /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. - * - * Gets the value of this `break` statement, if any. - */ - Expr getValue() { result.getParent() = this } - - /** - * PREVIEW FEATURE in Java 12. Subject to removal in a future release. - * - * Holds if this `break` statement has a value. - */ - predicate hasValue() { exists(Expr e | e.getParent() = this) } - /** Gets a printable representation of this statement. May include more detail than `toString()`. */ override string pp() { - if this.hasLabel() - then result = "break " + this.getLabel() - else - if this.hasValue() - then result = "break ..." - else result = "break" + if this.hasLabel() then result = "break " + this.getLabel() else result = "break" } /** This statement's Halstead ID (used to compute Halstead metrics). */ override string getHalsteadID() { result = "BreakStmt" } } +/** + * PREVIEW FEATURE in Java 13. Subject to removal in a future release. + * + * A `yield` statement. + */ +class YieldStmt extends Stmt, @yieldstmt { + /** + * Gets the value of this `yield` statement. + */ + Expr getValue() { result.getParent() = this } + + override string pp() { result = "yield ..." } + + override string getHalsteadID() { result = "YieldStmt" } +} + /** A `continue` statement. */ class ContinueStmt extends Stmt, @continuestmt { /** Gets the label targeted by this `continue` statement, if any. */ diff --git a/java/ql/test/library-tests/guards12/options b/java/ql/test/library-tests/guards12/options index 33d712034f9..99827347b32 100644 --- a/java/ql/test/library-tests/guards12/options +++ b/java/ql/test/library-tests/guards12/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args --enable-preview -source 12 -target 12 +//semmle-extractor-options: --javac-args --enable-preview -source 13 -target 13 diff --git a/java/ql/test/query-tests/AlertSuppression/AlertSuppressionAnnotations.expected b/java/ql/test/query-tests/AlertSuppression/AlertSuppressionAnnotations.expected new file mode 100644 index 00000000000..bf6f7c45602 --- /dev/null +++ b/java/ql/test/query-tests/AlertSuppression/AlertSuppressionAnnotations.expected @@ -0,0 +1,6 @@ +| TestSuppressWarnings.java:2:1:2:49 | SuppressWarnings | lgtm[java/non-sync-override] | lgtm[java/non-sync-override] | TestSuppressWarnings.java:2:1:21:5 | suppression range | +| TestSuppressWarnings.java:5:5:5:31 | SuppressWarnings | lgtm[] | lgtm[] | TestSuppressWarnings.java:5:5:8:5 | suppression range | +| TestSuppressWarnings.java:10:5:10:104 | SuppressWarnings | lgtm[java/confusing-method-name] not confusing | lgtm[java/confusing-method-name] | TestSuppressWarnings.java:9:5:13:5 | suppression range | +| TestSuppressWarnings.java:10:5:10:104 | SuppressWarnings | lgtm[java/non-sync-override] | lgtm[java/non-sync-override] | TestSuppressWarnings.java:9:5:13:5 | suppression range | +| TestSuppressWarnings.java:18:5:18:98 | SuppressWarnings | lgtm[java/confusing-method-name] blah blah lgtm[java/non-sync-override] | lgtm[java/confusing-method-name] | TestSuppressWarnings.java:18:5:21:5 | suppression range | +| TestSuppressWarnings.java:18:5:18:98 | SuppressWarnings | lgtm[java/confusing-method-name] blah blah lgtm[java/non-sync-override] | lgtm[java/non-sync-override] | TestSuppressWarnings.java:18:5:21:5 | suppression range | diff --git a/java/ql/test/query-tests/AlertSuppression/AlertSuppressionAnnotations.qlref b/java/ql/test/query-tests/AlertSuppression/AlertSuppressionAnnotations.qlref new file mode 100644 index 00000000000..786b59ab3b9 --- /dev/null +++ b/java/ql/test/query-tests/AlertSuppression/AlertSuppressionAnnotations.qlref @@ -0,0 +1 @@ +AlertSuppressionAnnotations.ql diff --git a/java/ql/test/query-tests/AlertSuppression/TestSuppressWarnings.java b/java/ql/test/query-tests/AlertSuppression/TestSuppressWarnings.java new file mode 100644 index 00000000000..29e9be656f4 --- /dev/null +++ b/java/ql/test/query-tests/AlertSuppression/TestSuppressWarnings.java @@ -0,0 +1,22 @@ + +@SuppressWarnings("lgtm[java/non-sync-override]") +@Deprecated +class TestSuppressWarnings { + @SuppressWarnings("lgtm[]") + public void test() { + + } + @Deprecated + @SuppressWarnings({"lgtm[java/confusing-method-name] not confusing","lgtm[java/non-sync-override]"}) + public void test2() { + + } + @SuppressWarnings("lgtm") + public void test3() { + + } + @SuppressWarnings({"lgtm[java/confusing-method-name] blah blah lgtm[java/non-sync-override]"}) + public void test4() { + + } +} diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/A.java b/java/ql/test/query-tests/ContinueInFalseLoop/A.java new file mode 100644 index 00000000000..14c4ee0e7aa --- /dev/null +++ b/java/ql/test/query-tests/ContinueInFalseLoop/A.java @@ -0,0 +1,84 @@ +public class A { + + public interface Cond { + boolean cond(); + } + + void test1(int x, Cond c) { + int i; + + // --- do loops --- + + do { + if (c.cond()) + continue; // BAD + if (c.cond()) + break; + } while (false); + + do { + if (c.cond()) + continue; + if (c.cond()) + break; + } while (true); + + do { + if (c.cond()) + continue; + if (c.cond()) + break; + } while (c.cond()); + + // --- while, for loops --- + + while (false) { + if (c.cond()) + continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply] + if (c.cond()) + break; + } + + for (i = 0; false; i++) { + if (c.cond()) + continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply] + if (c.cond()) + break; + } + + // --- nested loops --- + + do { + do { + if (c.cond()) + continue; // BAD + if (c.cond()) + break; + } while (false); + if (c.cond()) + break; + } while (true); + + do { + do { + if (c.cond()) + continue; // GOOD + if (c.cond()) + break; + } while (true); + } while (false); + + do { + switch (x) { + case 1: + // do [1] + break; // break out of the switch + default: + // do [2] + // break out of the loop entirely, skipping [3] + continue; // BAD; labelled break is better + }; + // do [3] + } while (false); + } +} diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected new file mode 100644 index 00000000000..2ce5be1ec66 --- /dev/null +++ b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected @@ -0,0 +1,3 @@ +| A.java:14:9:14:17 | stmt | This 'continue' never re-runs the loop - the $@ is always false. | A.java:17:14:17:18 | false | loop condition | +| A.java:54:11:54:19 | stmt | This 'continue' never re-runs the loop - the $@ is always false. | A.java:57:16:57:20 | false | loop condition | +| A.java:79:9:79:17 | stmt | This 'continue' never re-runs the loop - the $@ is always false. | A.java:82:14:82:18 | false | loop condition | diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref new file mode 100644 index 00000000000..525b40f8409 --- /dev/null +++ b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref @@ -0,0 +1 @@ +Likely Bugs/Statements/ContinueInFalseLoop.ql diff --git a/javascript/config/suites/javascript/correctness-core b/javascript/config/suites/javascript/correctness-core index 6a53405e1c3..d6b91e83a07 100644 --- a/javascript/config/suites/javascript/correctness-core +++ b/javascript/config/suites/javascript/correctness-core @@ -37,5 +37,6 @@ + semmlecode-javascript-queries/RegExp/UnboundBackref.ql: /Correctness/Regular Expressions + semmlecode-javascript-queries/RegExp/UnmatchableCaret.ql: /Correctness/Regular Expressions + semmlecode-javascript-queries/RegExp/UnmatchableDollar.ql: /Correctness/Regular Expressions ++ semmlecode-javascript-queries/Statements/IgnoreArrayResult.ql: /Correctness/Statements + semmlecode-javascript-queries/Statements/InconsistentLoopOrientation.ql: /Correctness/Statements + semmlecode-javascript-queries/Statements/UnreachableStatement.ql: /Correctness/Statements diff --git a/javascript/config/suites/javascript/security b/javascript/config/suites/javascript/security index 5dbd0a81811..d8eb5e805d5 100644 --- a/javascript/config/suites/javascript/security +++ b/javascript/config/suites/javascript/security @@ -9,7 +9,7 @@ + semmlecode-javascript-queries/Security/CWE-022/ZipSlip.ql: /Security/CWE/CWE-022 + semmlecode-javascript-queries/Security/CWE-078/CommandInjection.ql: /Security/CWE/CWE-078 + semmlecode-javascript-queries/Security/CWE-078/IndirectCommandInjection.ql: /Security/CWE/CWE-078 -+ semmlecode-javascript-queries/Security/CWE-078/ShellCommandInjectionFromEnvironment: /Security/CWE/CWE-078 ++ semmlecode-javascript-queries/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql: /Security/CWE/CWE-078 + semmlecode-javascript-queries/Security/CWE-079/ReflectedXss.ql: /Security/CWE/CWE-079 + semmlecode-javascript-queries/Security/CWE-079/StoredXss.ql: /Security/CWE/CWE-079 + semmlecode-javascript-queries/Security/CWE-079/Xss.ql: /Security/CWE/CWE-079 diff --git a/javascript/extractor/lib/typescript/package.json b/javascript/extractor/lib/typescript/package.json index fd440415096..3b3360158d3 100644 --- a/javascript/extractor/lib/typescript/package.json +++ b/javascript/extractor/lib/typescript/package.json @@ -2,7 +2,7 @@ "name": "typescript-parser-wrapper", "private": true, "dependencies": { - "typescript": "3.6.3" + "typescript": "^3.7.2" }, "scripts": { "build": "tsc --project tsconfig.json", diff --git a/javascript/extractor/lib/typescript/src/main.ts b/javascript/extractor/lib/typescript/src/main.ts index 604ed107db9..bce59fc79d3 100644 --- a/javascript/extractor/lib/typescript/src/main.ts +++ b/javascript/extractor/lib/typescript/src/main.ts @@ -126,7 +126,7 @@ function checkCycle(root: any) { function isBlacklistedProperty(k: string) { return k === "parent" || k === "pos" || k === "end" || k === "symbol" || k === "localSymbol" - || k === "flowNode" || k === "returnFlowNode" + || k === "flowNode" || k === "returnFlowNode" || k === "endFlowNode" || k === "nextContainer" || k === "locals" || k === "bindDiagnostics" || k === "bindSuggestionDiagnostics"; } @@ -162,10 +162,10 @@ function prepareNextFile() { } } -function handleParseCommand(command: ParseCommand) { +function handleParseCommand(command: ParseCommand, checkPending = true) { let filename = command.filename; let expectedFilename = state.pendingFiles[state.pendingFileIndex]; - if (expectedFilename !== filename) { + if (expectedFilename !== filename && checkPending) { throw new Error("File requested out of order. Expected '" + expectedFilename + "' but got '" + filename + "'"); } ++state.pendingFileIndex; @@ -515,13 +515,13 @@ if (process.argv.length > 2) { handleParseCommand({ command: "parse", filename: sf.fileName, - }); + }, false); } } else if (pathlib.extname(argument) === ".ts" || pathlib.extname(argument) === ".tsx") { handleParseCommand({ command: "parse", filename: argument, - }); + }, false); } else { console.error("Unrecognized file or flag: " + argument); } diff --git a/javascript/extractor/lib/typescript/src/type_table.ts b/javascript/extractor/lib/typescript/src/type_table.ts index 553afcf2e41..19eb64a8f10 100644 --- a/javascript/extractor/lib/typescript/src/type_table.ts +++ b/javascript/extractor/lib/typescript/src/type_table.ts @@ -597,7 +597,7 @@ export class TypeTable { let tupleType = tupleReference.target; let minLength = tupleType.minLength != null ? tupleType.minLength - : tupleReference.typeArguments.length; + : this.typeChecker.getTypeArguments(tupleReference).length; let hasRestElement = tupleType.hasRestElement ? 't' : 'f'; let prefix = `tuple;${minLength};${hasRestElement}`; return this.makeTypeStringVectorFromTypeReferenceArguments(prefix, type); @@ -714,11 +714,12 @@ export class TypeTable { // There can be an extra type argument at the end, denoting an explicit 'this' type argument. // We discard the extra argument in our model. let target = type.target; - if (type.typeArguments == null) return tag; + let typeArguments = this.typeChecker.getTypeArguments(type); + if (typeArguments == null) return tag; if (target.typeParameters != null) { - return this.makeTypeStringVector(tag, type.typeArguments, target.typeParameters.length); + return this.makeTypeStringVector(tag, typeArguments, target.typeParameters.length); } else { - return this.makeTypeStringVector(tag, type.typeArguments); + return this.makeTypeStringVector(tag, typeArguments); } } @@ -992,7 +993,7 @@ export class TypeTable { * `T` is the type parameter declared on the `Promise` interface. */ private getSelfType(type: ts.Type): ts.TypeReference { - if (isTypeReference(type) && type.typeArguments != null && type.typeArguments.length > 0) { + if (isTypeReference(type) && this.typeChecker.getTypeArguments(type).length > 0) { return type.target; } return null; @@ -1181,8 +1182,9 @@ export class TypeTable { if (isTypeReference(type)) { // Note that this case also handles tuple types, since a tuple type is represented as // a reference to a synthetic generic interface. - if (type.typeArguments != null) { - type.typeArguments.forEach(callback); + let typeArguments = this.typeChecker.getTypeArguments(type); + if (typeArguments != null) { + typeArguments.forEach(callback); } } else if (type.flags & ts.TypeFlags.UnionOrIntersection) { (type as ts.UnionOrIntersectionType).types.forEach(callback); diff --git a/javascript/extractor/lib/typescript/yarn.lock b/javascript/extractor/lib/typescript/yarn.lock index 62205cc17f4..5116c7eb5c3 100644 --- a/javascript/extractor/lib/typescript/yarn.lock +++ b/javascript/extractor/lib/typescript/yarn.lock @@ -225,9 +225,9 @@ tsutils@^2.12.1: dependencies: tslib "^1.8.1" -typescript@3.6.3: - version "3.6.3" - resolved "typescript-3.6.3.tgz#fea942fabb20f7e1ca7164ff626f1a9f3f70b4da" +typescript@^3.7.2: + version "3.7.2" + resolved "typescript-3.7.2.tgz" wrappy@1: version "1.0.2" diff --git a/javascript/extractor/src/com/semmle/jcorn/CustomParser.java b/javascript/extractor/src/com/semmle/jcorn/CustomParser.java index a77548ed21f..888a0aec639 100644 --- a/javascript/extractor/src/com/semmle/jcorn/CustomParser.java +++ b/javascript/extractor/src/com/semmle/jcorn/CustomParser.java @@ -7,6 +7,7 @@ import com.semmle.js.ast.AssignmentExpression; import com.semmle.js.ast.BlockStatement; import com.semmle.js.ast.CallExpression; import com.semmle.js.ast.CatchClause; +import com.semmle.js.ast.Chainable; import com.semmle.js.ast.ClassExpression; import com.semmle.js.ast.ComprehensionBlock; import com.semmle.js.ast.ComprehensionExpression; @@ -470,7 +471,8 @@ public class CustomParser extends FlowParser { Expression property = this.parsePropertyIdentifierOrIdentifier(); MemberExpression node = - new MemberExpression(start, base, property, false, false, isOnOptionalChain(false, base)); + new MemberExpression( + start, base, property, false, false, Chainable.isOnOptionalChain(false, base)); return Pair.make(this.finishNode(node), true); } else if (this.eat(doubleDot)) { SourceLocation start = new SourceLocation(startLoc); diff --git a/javascript/extractor/src/com/semmle/jcorn/Parser.java b/javascript/extractor/src/com/semmle/jcorn/Parser.java index 013f8e57181..f0e3c0d004f 100644 --- a/javascript/extractor/src/com/semmle/jcorn/Parser.java +++ b/javascript/extractor/src/com/semmle/jcorn/Parser.java @@ -1520,10 +1520,6 @@ public class Parser { } } - protected boolean isOnOptionalChain(boolean optional, Expression base) { - return optional || base instanceof Chainable && ((Chainable) base).isOnOptionalChain(); - } - /** * Parse a single subscript {@code s}; if more subscripts could follow, return {@code Pair.make(s, * true}, otherwise return {@code Pair.make(s, false)}. @@ -1544,7 +1540,7 @@ public class Parser { this.parseExpression(false, null), true, optional, - isOnOptionalChain(optional, base)); + Chainable.isOnOptionalChain(optional, base)); this.expect(TokenType.bracketR); return Pair.make(this.finishNode(node), true); } else if (!noCalls && this.eat(TokenType.parenL)) { @@ -1572,10 +1568,10 @@ public class Parser { new ArrayList<>(), exprList, optional, - isOnOptionalChain(optional, base)); + Chainable.isOnOptionalChain(optional, base)); return Pair.make(this.finishNode(node), true); } else if (this.type == TokenType.backQuote) { - if (isOnOptionalChain(optional, base)) { + if (Chainable.isOnOptionalChain(optional, base)) { this.raise(base, "An optional chain may not be used in a tagged template expression."); } TaggedTemplateExpression node = @@ -1590,7 +1586,7 @@ public class Parser { this.parseIdent(true), false, optional, - isOnOptionalChain(optional, base)); + Chainable.isOnOptionalChain(optional, base)); return Pair.make(this.finishNode(node), true); } else { return Pair.make(base, false); @@ -1832,7 +1828,7 @@ public class Parser { Expression callee = this.parseSubscripts(this.parseExprAtom(null), innerStartPos, innerStartLoc, true); - if (isOnOptionalChain(false, callee)) + if (Chainable.isOnOptionalChain(false, callee)) this.raise(callee, "An optional chain may not be used in a `new` expression."); return parseNewArguments(startLoc, callee); @@ -2314,7 +2310,7 @@ public class Parser { } if (node instanceof MemberExpression) { - if (isOnOptionalChain(false, (MemberExpression) node)) + if (Chainable.isOnOptionalChain(false, (MemberExpression) node)) this.raise(node, "Invalid left-hand side in assignment"); if (!isBinding) return node; } diff --git a/javascript/extractor/src/com/semmle/js/ast/Chainable.java b/javascript/extractor/src/com/semmle/js/ast/Chainable.java index a6efe38d1eb..7d6e17d360b 100644 --- a/javascript/extractor/src/com/semmle/js/ast/Chainable.java +++ b/javascript/extractor/src/com/semmle/js/ast/Chainable.java @@ -7,4 +7,14 @@ public interface Chainable { /** Is this on an optional chain? */ abstract boolean isOnOptionalChain(); + + /** + * Returns true if a chainable node is on an optional chain. + * + * @param optional true if the node in question is itself optional (has the ?. token) + * @param base the calle or base of the optional access + */ + public static boolean isOnOptionalChain(boolean optional, Expression base) { + return optional || base instanceof Chainable && ((Chainable) base).isOnOptionalChain(); + } } diff --git a/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java b/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java index 2a936bcc3b7..8a6921cb20b 100644 --- a/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java +++ b/javascript/extractor/src/com/semmle/js/ast/DeclarationFlags.java @@ -17,9 +17,10 @@ public class DeclarationFlags { public static final int protected_ = 1 << 6; public static final int optional = 1 << 7; public static final int definiteAssignmentAssertion = 1 << 8; + public static final int declareKeyword = 1 << 9; public static final int none = 0; - public static final int numberOfFlags = 9; + public static final int numberOfFlags = 10; public static final List names = Arrays.asList( @@ -31,7 +32,8 @@ public class DeclarationFlags { "private", "protected", "optional", - "definiteAssignmentAssertion"); + "definiteAssignmentAssertion", + "declare"); public static final List relationNames = Arrays.asList( @@ -43,7 +45,8 @@ public class DeclarationFlags { "hasPrivateKeyword", "hasProtectedKeyword", "isOptionalMember", - "hasDefiniteAssignmentAssertion"); + "hasDefiniteAssignmentAssertion", + "hasDeclareKeyword"); public static boolean isComputed(int flags) { return (flags & computed) != 0; @@ -81,6 +84,10 @@ public class DeclarationFlags { return (flags & definiteAssignmentAssertion) != 0; } + public static boolean hasDeclareKeyword(int flags) { + return (flags & declareKeyword) != 0; + } + /** Returns a mask with the computed bit set to the value of enable. */ public static int getComputed(boolean enable) { return enable ? computed : 0; @@ -128,6 +135,11 @@ public class DeclarationFlags { return enable ? definiteAssignmentAssertion : 0; } + /** Returns a mask with the declare keyword bit set to the value of enable. */ + public static int getDeclareKeyword(boolean enable) { + return enable ? declareKeyword : 0; + } + /** Returns true if the nth bit is set in flags. */ public static boolean hasNthFlag(int flags, int n) { return (flags & (1 << n)) != 0; diff --git a/javascript/extractor/src/com/semmle/js/ast/DefaultVisitor.java b/javascript/extractor/src/com/semmle/js/ast/DefaultVisitor.java index d6779fdaa3b..cb11b9376ea 100644 --- a/javascript/extractor/src/com/semmle/js/ast/DefaultVisitor.java +++ b/javascript/extractor/src/com/semmle/js/ast/DefaultVisitor.java @@ -34,13 +34,13 @@ import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceDeclaration; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.KeywordTypeExpr; import com.semmle.ts.ast.MappedTypeExpr; import com.semmle.ts.ast.NamespaceDeclaration; import com.semmle.ts.ast.NonNullAssertion; import com.semmle.ts.ast.OptionalTypeExpr; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.RestTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeAliasDeclaration; @@ -634,7 +634,7 @@ public class DefaultVisitor implements Visitor { } @Override - public R visit(IsTypeExpr nd, C c) { + public R visit(PredicateTypeExpr nd, C c) { return visit((TypeExpression) nd, c); } diff --git a/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java b/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java index bfd0f62462f..c04b79fa366 100644 --- a/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java +++ b/javascript/extractor/src/com/semmle/js/ast/MemberDefinition.java @@ -75,6 +75,11 @@ public abstract class MemberDefinition extends Node { return DeclarationFlags.isReadonly(flags); } + /** Returns true if this has the declare modifier. */ + public boolean hasDeclareKeyword() { + return DeclarationFlags.hasDeclareKeyword(flags); + } + /** * Returns the expression denoting the name of the member, or {@code null} if this is a * call/construct signature. diff --git a/javascript/extractor/src/com/semmle/js/ast/NodeCopier.java b/javascript/extractor/src/com/semmle/js/ast/NodeCopier.java index cdfc0441a57..9c61ca081df 100644 --- a/javascript/extractor/src/com/semmle/js/ast/NodeCopier.java +++ b/javascript/extractor/src/com/semmle/js/ast/NodeCopier.java @@ -30,13 +30,13 @@ import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceDeclaration; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.KeywordTypeExpr; import com.semmle.ts.ast.MappedTypeExpr; import com.semmle.ts.ast.NamespaceDeclaration; import com.semmle.ts.ast.NonNullAssertion; import com.semmle.ts.ast.OptionalTypeExpr; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.RestTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeAliasDeclaration; @@ -717,8 +717,12 @@ public class NodeCopier implements Visitor { } @Override - public INode visit(IsTypeExpr nd, Void c) { - return new IsTypeExpr(visit(nd.getLoc()), copy(nd.getLeft()), copy(nd.getRight())); + public INode visit(PredicateTypeExpr nd, Void c) { + return new PredicateTypeExpr( + visit(nd.getLoc()), + copy(nd.getExpression()), + copy(nd.getTypeExpr()), + nd.hasAssertsKeyword()); } @Override diff --git a/javascript/extractor/src/com/semmle/js/ast/Visitor.java b/javascript/extractor/src/com/semmle/js/ast/Visitor.java index f825d448719..97a0dd73118 100644 --- a/javascript/extractor/src/com/semmle/js/ast/Visitor.java +++ b/javascript/extractor/src/com/semmle/js/ast/Visitor.java @@ -30,13 +30,13 @@ import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceDeclaration; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.KeywordTypeExpr; import com.semmle.ts.ast.MappedTypeExpr; import com.semmle.ts.ast.NamespaceDeclaration; import com.semmle.ts.ast.NonNullAssertion; import com.semmle.ts.ast.OptionalTypeExpr; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.RestTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeAliasDeclaration; @@ -256,7 +256,7 @@ public interface Visitor { public R visit(TypeofTypeExpr nd, C c); - public R visit(IsTypeExpr nd, C c); + public R visit(PredicateTypeExpr nd, C c); public R visit(InterfaceTypeExpr nd, C c); diff --git a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java index c2a3ee70cb8..af15c7ad51c 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java +++ b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java @@ -125,13 +125,13 @@ import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceDeclaration; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.KeywordTypeExpr; import com.semmle.ts.ast.MappedTypeExpr; import com.semmle.ts.ast.NamespaceDeclaration; import com.semmle.ts.ast.NonNullAssertion; import com.semmle.ts.ast.OptionalTypeExpr; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.RestTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeAliasDeclaration; @@ -1410,6 +1410,10 @@ public class ASTExtractor { } } + if (nd.hasDeclareKeyword()) { + trapwriter.addTuple("hasDeclareKeyword", methkey); + } + return methkey; } @@ -1707,10 +1711,13 @@ public class ASTExtractor { } @Override - public Label visit(IsTypeExpr nd, Context c) { + public Label visit(PredicateTypeExpr nd, Context c) { Label key = super.visit(nd, c); - visit(nd.getLeft(), key, 0, IdContext.varInTypeBind); - visit(nd.getRight(), key, 1, IdContext.typeBind); + visit(nd.getExpression(), key, 0, IdContext.varInTypeBind); + visit(nd.getTypeExpr(), key, 1, IdContext.typeBind); + if (nd.hasAssertsKeyword()) { + trapwriter.addTuple("hasAssertsKeyword", key); + } return key; } diff --git a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java index 5ffa5680cd9..55d3f8632a2 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java +++ b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java @@ -387,6 +387,10 @@ public class AutoBuild { patterns.add("-**/*.min.js"); patterns.add("-**/*-min.js"); + // exclude `node_modules` and `bower_components` + patterns.add("-**/node_modules"); + patterns.add("-**/bower_components"); + String base = LGTM_SRC.toString().replace('\\', '/'); // process `$LGTM_INDEX_FILTERS` for (String pattern : Main.NEWLINE.split(getEnvVar("LGTM_INDEX_FILTERS", ""))) { diff --git a/javascript/extractor/src/com/semmle/js/extractor/ExprKinds.java b/javascript/extractor/src/com/semmle/js/extractor/ExprKinds.java index fb7e04395e1..122ccda028e 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/ExprKinds.java +++ b/javascript/extractor/src/com/semmle/js/extractor/ExprKinds.java @@ -249,6 +249,7 @@ public class ExprKinds { @Override public Integer visit(MetaProperty nd, Void c) { if (nd.getMeta().getName().equals("new")) return 82; // @newtargetexpr + if (nd.getMeta().getName().equals("import")) return 115; // @importmetaexpr return 93; // @functionsentexpr } diff --git a/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java b/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java index 1270b0a9409..3bffa4ad3ae 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java +++ b/javascript/extractor/src/com/semmle/js/extractor/ScopeManager.java @@ -46,9 +46,9 @@ import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceDeclaration; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.NamespaceDeclaration; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeAliasDeclaration; import com.semmle.ts.ast.UnionTypeExpr; @@ -660,8 +660,8 @@ public class ScopeManager { } @Override - public Void visit(IsTypeExpr nd, Void c) { - return nd.getRight().accept(this, c); + public Void visit(PredicateTypeExpr nd, Void c) { + return nd.getTypeExpr().accept(this, c); } @Override diff --git a/javascript/extractor/src/com/semmle/js/extractor/TypeExprKinds.java b/javascript/extractor/src/com/semmle/js/extractor/TypeExprKinds.java index 78b901da475..6c9263a5360 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/TypeExprKinds.java +++ b/javascript/extractor/src/com/semmle/js/extractor/TypeExprKinds.java @@ -16,11 +16,11 @@ import com.semmle.ts.ast.IndexedAccessTypeExpr; import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.KeywordTypeExpr; import com.semmle.ts.ast.MappedTypeExpr; import com.semmle.ts.ast.OptionalTypeExpr; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.RestTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeParameter; @@ -159,7 +159,7 @@ public class TypeExprKinds { } @Override - public Integer visit(IsTypeExpr nd, Void c) { + public Integer visit(PredicateTypeExpr nd, Void c) { return isTypeExpr; } diff --git a/javascript/extractor/src/com/semmle/js/extractor/test/AutoBuildTests.java b/javascript/extractor/src/com/semmle/js/extractor/test/AutoBuildTests.java index 0d45908885b..28e618f45ea 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/test/AutoBuildTests.java +++ b/javascript/extractor/src/com/semmle/js/extractor/test/AutoBuildTests.java @@ -160,7 +160,7 @@ public class AutoBuildTests { addFile(false, LGTM_SRC, "tst.json"); addFile(true, LGTM_SRC, "package.json"); addFile(true, LGTM_SRC, ".eslintrc.yml"); - addFile(true, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(true, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @@ -184,72 +184,72 @@ public class AutoBuildTests { public void includeFile() throws IOException { envVars.put("LGTM_INDEX_INCLUDE", "tst.js"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFile() throws IOException { - envVars.put("LGTM_INDEX_EXCLUDE", "node_modules/leftpad/index.js"); + envVars.put("LGTM_INDEX_EXCLUDE", "vendor/leftpad/index.js"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFolderByPattern() throws IOException { - envVars.put("LGTM_INDEX_FILTERS", "exclude:**/node_modules"); + envVars.put("LGTM_INDEX_FILTERS", "exclude:**/vendor"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFolderByPattern2() throws IOException { - envVars.put("LGTM_INDEX_FILTERS", "exclude:*/**/node_modules"); + envVars.put("LGTM_INDEX_FILTERS", "exclude:*/**/vendor"); addFile(true, LGTM_SRC, "tst.js"); - addFile(true, LGTM_SRC, "node_modules", "dep", "index.js"); - addFile(false, LGTM_SRC, "node_modules", "dep", "node_modules", "depdep", "index.js"); + addFile(true, LGTM_SRC, "vendor", "dep", "index.js"); + addFile(false, LGTM_SRC, "vendor", "dep", "vendor", "depdep", "index.js"); runTest(); } @Test public void excludeFolderByPattern3() throws IOException { - envVars.put("LGTM_INDEX_FILTERS", "exclude:**/node_modules\n"); + envVars.put("LGTM_INDEX_FILTERS", "exclude:**/vendor\n"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFolderByPatterns() throws IOException { - envVars.put("LGTM_INDEX_FILTERS", "exclude:foo\nexclude:**/node_modules"); + envVars.put("LGTM_INDEX_FILTERS", "exclude:foo\nexclude:**/vendor"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFolderByName() throws IOException { - envVars.put("LGTM_INDEX_EXCLUDE", "node_modules"); + envVars.put("LGTM_INDEX_EXCLUDE", "vendor"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFolderByName2() throws IOException { - envVars.put("LGTM_INDEX_EXCLUDE", "node_modules\n"); + envVars.put("LGTM_INDEX_EXCLUDE", "vendor\n"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeFolderByName3() throws IOException { - envVars.put("LGTM_INDEX_EXCLUDE", "./node_modules\n"); + envVars.put("LGTM_INDEX_EXCLUDE", "./vendor\n"); addFile(true, LGTM_SRC, "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @@ -258,8 +258,8 @@ public class AutoBuildTests { envVars.put("LGTM_INDEX_FILTERS", "exclude:**/*.js"); addFile(false, LGTM_SRC, "tst.js"); addFile(true, LGTM_SRC, "tst.html"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); - addFile(true, LGTM_SRC, "node_modules", "leftpad", "index.html"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); + addFile(true, LGTM_SRC, "vendor", "leftpad", "index.html"); runTest(); } @@ -268,7 +268,7 @@ public class AutoBuildTests { envVars.put("LGTM_INDEX_FILTERS", "include:**/*.json"); addFile(true, LGTM_SRC, "tst.js"); addFile(true, LGTM_SRC, "tst.json"); - addFile(true, LGTM_SRC, "node_modules", "leftpad", "tst.json"); + addFile(true, LGTM_SRC, "vendor", "leftpad", "tst.json"); runTest(); } @@ -277,16 +277,16 @@ public class AutoBuildTests { envVars.put("LGTM_INDEX_FILTERS", "include:*.json"); addFile(true, LGTM_SRC, "tst.js"); addFile(true, LGTM_SRC, "tst.json"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "tst.json"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "tst.json"); runTest(); } @Test public void includeAndExclude() throws IOException { - envVars.put("LGTM_INDEX_FILTERS", "include:**/*.json\n" + "exclude:**/node_modules"); + envVars.put("LGTM_INDEX_FILTERS", "include:**/*.json\n" + "exclude:**/vendor"); addFile(true, LGTM_SRC, "tst.js"); addFile(true, LGTM_SRC, "tst.json"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "tst.json"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "tst.json"); runTest(); } @@ -295,7 +295,7 @@ public class AutoBuildTests { Path repositoryFolders = Files.createFile(SEMMLE_DIST.resolve("repositoryFolders.csv")); List csvLines = new ArrayList<>(); csvLines.add("classification,path"); - csvLines.add("thirdparty," + LGTM_SRC.resolve("node_modules")); + csvLines.add("thirdparty," + LGTM_SRC.resolve("vendor")); csvLines.add("external," + LGTM_SRC.resolve("foo").resolve("bar").toUri()); csvLines.add("metadata," + LGTM_SRC.resolve(".git")); Files.write(repositoryFolders, csvLines, StandardCharsets.UTF_8); @@ -303,7 +303,7 @@ public class AutoBuildTests { addFile(true, LGTM_SRC, "tst.js"); addFile(false, LGTM_SRC, "foo", "bar", "tst.js"); addFile(false, LGTM_SRC, ".git", "tst.js"); - addFile(true, LGTM_SRC, "node_modules", "leftpad", "tst.js"); + addFile(true, LGTM_SRC, "vendor", "leftpad", "tst.js"); runTest(); } @@ -324,7 +324,7 @@ public class AutoBuildTests { Path repositoryFolders = Files.createFile(SEMMLE_DIST.resolve("repositoryFolders.csv")); List csvLines = new ArrayList<>(); csvLines.add("classification,path"); - csvLines.add("thirdparty," + LGTM_SRC.resolve("node_modules")); + csvLines.add("thirdparty," + LGTM_SRC.resolve("vendor")); csvLines.add("external," + LGTM_SRC.resolve("foo").resolve("bar")); csvLines.add("metadata," + LGTM_SRC.resolve(".git")); Files.write(repositoryFolders, csvLines, StandardCharsets.UTF_8); @@ -333,7 +333,7 @@ public class AutoBuildTests { addFile(true, LGTM_SRC, "tst.js"); addFile(true, LGTM_SRC, "foo", "bar", "tst.js"); addFile(false, LGTM_SRC, ".git", "tst.js"); - addFile(true, LGTM_SRC, "node_modules", "leftpad", "tst.js"); + addFile(true, LGTM_SRC, "vendor", "leftpad", "tst.js"); runTest(); } @@ -453,13 +453,13 @@ public class AutoBuildTests { @Test public void includeNonExistentFile() throws IOException { envVars.put("LGTM_INDEX_INCLUDE", "tst.js"); - addFile(false, LGTM_SRC, "node_modules", "leftpad", "index.js"); + addFile(false, LGTM_SRC, "vendor", "leftpad", "index.js"); runTest(); } @Test public void excludeNonExistentFile() throws IOException { - envVars.put("LGTM_INDEX_EXCLUDE", "node_modules/leftpad/index.js"); + envVars.put("LGTM_INDEX_EXCLUDE", "vendor/leftpad/index.js"); addFile(true, LGTM_SRC, "tst.js"); runTest(); } @@ -483,6 +483,40 @@ public class AutoBuildTests { runTest(); } + @Test + public void nodeModulesAreExcluded() throws IOException { + addFile(true, LGTM_SRC, "index.js"); + addFile(false, LGTM_SRC, "node_modules", "dep", "main.js"); + addFile(false, LGTM_SRC, "node_modules", "dep", "node_modules", "leftpad", "index.js"); + runTest(); + } + + @Test + public void nodeModulesCanBeReincluded() throws IOException { + envVars.put("LGTM_INDEX_FILTERS", "include:**/node_modules"); + addFile(true, LGTM_SRC, "index.js"); + addFile(true, LGTM_SRC, "node_modules", "dep", "main.js"); + addFile(true, LGTM_SRC, "node_modules", "dep", "node_modules", "leftpad", "index.js"); + runTest(); + } + + @Test + public void bowerComponentsAreExcluded() throws IOException { + addFile(true, LGTM_SRC, "index.js"); + addFile(false, LGTM_SRC, "bower_components", "dep", "main.js"); + addFile(false, LGTM_SRC, "bower_components", "dep", "bower_components", "leftpad", "index.js"); + runTest(); + } + + @Test + public void bowerComponentsCanBeReincluded() throws IOException { + envVars.put("LGTM_INDEX_FILTERS", "include:**/bower_components"); + addFile(true, LGTM_SRC, "index.js"); + addFile(true, LGTM_SRC, "bower_components", "dep", "main.js"); + addFile(true, LGTM_SRC, "bower_components", "dep", "bower_components", "leftpad", "index.js"); + runTest(); + } + @Test public void customExtensions() throws IOException { envVars.put("LGTM_INDEX_FILETYPES", ".jsm:js\n.soy:html"); diff --git a/javascript/extractor/src/com/semmle/js/parser/TypeScriptASTConverter.java b/javascript/extractor/src/com/semmle/js/parser/TypeScriptASTConverter.java index 55a36130efe..4912b5577f8 100644 --- a/javascript/extractor/src/com/semmle/js/parser/TypeScriptASTConverter.java +++ b/javascript/extractor/src/com/semmle/js/parser/TypeScriptASTConverter.java @@ -17,6 +17,7 @@ import com.semmle.js.ast.BlockStatement; import com.semmle.js.ast.BreakStatement; import com.semmle.js.ast.CallExpression; import com.semmle.js.ast.CatchClause; +import com.semmle.js.ast.Chainable; import com.semmle.js.ast.ClassBody; import com.semmle.js.ast.ClassDeclaration; import com.semmle.js.ast.ClassExpression; @@ -126,13 +127,13 @@ import com.semmle.ts.ast.InferTypeExpr; import com.semmle.ts.ast.InterfaceDeclaration; import com.semmle.ts.ast.InterfaceTypeExpr; import com.semmle.ts.ast.IntersectionTypeExpr; -import com.semmle.ts.ast.IsTypeExpr; import com.semmle.ts.ast.KeywordTypeExpr; import com.semmle.ts.ast.MappedTypeExpr; import com.semmle.ts.ast.NamespaceDeclaration; import com.semmle.ts.ast.NonNullAssertion; import com.semmle.ts.ast.OptionalTypeExpr; import com.semmle.ts.ast.ParenthesizedTypeExpr; +import com.semmle.ts.ast.PredicateTypeExpr; import com.semmle.ts.ast.RestTypeExpr; import com.semmle.ts.ast.TupleTypeExpr; import com.semmle.ts.ast.TypeAliasDeclaration; @@ -877,7 +878,10 @@ public class TypeScriptASTConverter { } Expression callee = convertChild(node, "expression"); List typeArguments = convertChildrenAsTypes(node, "typeArguments"); - CallExpression call = new CallExpression(loc, callee, typeArguments, arguments, false, false); + boolean optional = node.has("questionDotToken"); + boolean onOptionalChain = Chainable.isOnOptionalChain(optional, callee); + CallExpression call = + new CallExpression(loc, callee, typeArguments, arguments, optional, onOptionalChain); attachResolvedSignature(call, node); return call; } @@ -942,9 +946,7 @@ public class TypeScriptASTConverter { SourceLocation bodyLoc = new SourceLocation(loc.getSource(), loc.getStart(), loc.getEnd()); advance(bodyLoc, skip); ClassBody body = new ClassBody(bodyLoc, convertChildren(node, "members")); - if ("ClassExpression".equals(kind) || id == null) { - // Note that `export default class {}` is represented as a ClassDeclaration - // in TypeScript but we treat this as a ClassExpression. + if ("ClassExpression".equals(kind)) { ClassExpression classExpr = new ClassExpression(loc, id, typeParameters, superClass, superInterfaces, body); attachSymbolInformation(classExpr.getClassDef(), node); @@ -967,7 +969,13 @@ public class TypeScriptASTConverter { classDecl.addDecorators(convertChildren(node, "decorators")); advanceUntilAfter(loc, classDecl.getDecorators()); } - return fixExports(loc, classDecl); + Node exportedDecl = fixExports(loc, classDecl); + // Convert default-exported anonymous class declarations to class expressions. + if (exportedDecl instanceof ExportDefaultDeclaration && !classDecl.getClassDef().hasId()) { + return new ExportDefaultDeclaration( + exportedDecl.getLoc(), new ClassExpression(classDecl.getLoc(), classDecl.getClassDef())); + } + return exportedDecl; } private Node convertCommaListExpression(JsonObject node, SourceLocation loc) throws ParseError { @@ -1104,7 +1112,9 @@ public class TypeScriptASTConverter { throws ParseError { Expression object = convertChild(node, "expression"); Expression property = convertChild(node, "argumentExpression"); - return new MemberExpression(loc, object, property, true, false, false); + boolean optional = node.has("questionDotToken"); + boolean onOptionalChain = Chainable.isOnOptionalChain(optional, object); + return new MemberExpression(loc, object, property, true, optional, onOptionalChain); } private Node convertEmptyStatement(SourceLocation loc) { @@ -1580,10 +1590,16 @@ public class TypeScriptASTConverter { private Node convertMetaProperty(JsonObject node, SourceLocation loc) throws ParseError { Position metaStart = loc.getStart(); + String keywordKind = + syntaxKinds.get(node.getAsJsonPrimitive("keywordToken").getAsInt() + "").getAsString(); + String identifier = keywordKind.equals("ImportKeyword") ? "import" : "new"; Position metaEnd = - new Position(metaStart.getLine(), metaStart.getColumn() + 3, metaStart.getOffset() + 3); - SourceLocation metaLoc = new SourceLocation("new", metaStart, metaEnd); - Identifier meta = new Identifier(metaLoc, "new"); + new Position( + metaStart.getLine(), + metaStart.getColumn() + identifier.length(), + metaStart.getOffset() + identifier.length()); + SourceLocation metaLoc = new SourceLocation(identifier, metaStart, metaEnd); + Identifier meta = new Identifier(metaLoc, identifier); return new MetaProperty(loc, meta, convertChild(node, "name")); } @@ -1961,8 +1977,11 @@ public class TypeScriptASTConverter { private Node convertPropertyAccessExpression(JsonObject node, SourceLocation loc) throws ParseError { + Expression base = convertChild(node, "expression"); + boolean optional = node.has("questionDotToken"); + boolean onOptionalChain = Chainable.isOnOptionalChain(optional, base); return new MemberExpression( - loc, convertChild(node, "expression"), convertChild(node, "name"), false, false, false); + loc, base, convertChild(node, "name"), false, optional, onOptionalChain); } private Node convertPropertyAssignment(JsonObject node, SourceLocation loc) throws ParseError { @@ -1990,6 +2009,9 @@ public class TypeScriptASTConverter { if (node.get("exclamationToken") != null) { flags |= DeclarationFlags.definiteAssignmentAssertion; } + if (hasModifier(node, "DeclareKeyword")) { + flags |= DeclarationFlags.declareKeyword; + } FieldDefinition fieldDefinition = new FieldDefinition( loc, @@ -2180,8 +2202,11 @@ public class TypeScriptASTConverter { } private Node convertTypePredicate(JsonObject node, SourceLocation loc) throws ParseError { - return new IsTypeExpr( - loc, convertChildAsType(node, "parameterName"), convertChildAsType(node, "type")); + return new PredicateTypeExpr( + loc, + convertChildAsType(node, "parameterName"), + convertChildAsType(node, "type"), + node.has("assertsModifier")); } private Node convertTypeReference(JsonObject node, SourceLocation loc) throws ParseError { diff --git a/javascript/extractor/src/com/semmle/ts/ast/IsTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/IsTypeExpr.java deleted file mode 100644 index a64fdb83650..00000000000 --- a/javascript/extractor/src/com/semmle/ts/ast/IsTypeExpr.java +++ /dev/null @@ -1,32 +0,0 @@ -package com.semmle.ts.ast; - -import com.semmle.js.ast.SourceLocation; -import com.semmle.js.ast.Visitor; - -/** - * A type of form E is T where E is a parameter name or this and - * T is a type. - */ -public class IsTypeExpr extends TypeExpression { - private final ITypeExpression left; // Always Identifier or KeywordTypeExpr (in case of 'this') - private final ITypeExpression right; - - public IsTypeExpr(SourceLocation loc, ITypeExpression left, ITypeExpression right) { - super("IsTypeExpr", loc); - this.left = left; - this.right = right; - } - - public ITypeExpression getLeft() { - return left; - } - - public ITypeExpression getRight() { - return right; - } - - @Override - public R accept(Visitor v, C c) { - return v.visit(this, c); - } -} diff --git a/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java b/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java new file mode 100644 index 00000000000..27bd3c1718c --- /dev/null +++ b/javascript/extractor/src/com/semmle/ts/ast/PredicateTypeExpr.java @@ -0,0 +1,44 @@ +package com.semmle.ts.ast; + +import com.semmle.js.ast.SourceLocation; +import com.semmle.js.ast.Visitor; + +/** + * A type of form E is T, asserts E is T or asserts E where E is + * a parameter name or this and T is a type. + */ +public class PredicateTypeExpr extends TypeExpression { + private final ITypeExpression expression; + private final ITypeExpression type; + private final boolean hasAssertsKeyword; + + public PredicateTypeExpr( + SourceLocation loc, + ITypeExpression expression, + ITypeExpression type, + boolean hasAssertsKeyword) { + super("PredicateTypeExpr", loc); + this.expression = expression; + this.type = type; + this.hasAssertsKeyword = hasAssertsKeyword; + } + + /** Returns the E in E is T. */ + public ITypeExpression getExpression() { + return expression; + } + + /** Returns the T in E is T. */ + public ITypeExpression getTypeExpr() { + return type; + } + + public boolean hasAssertsKeyword() { + return hasAssertsKeyword; + } + + @Override + public R accept(Visitor v, C c) { + return v.visit(this, c); + } +} diff --git a/javascript/extractor/tests/ts/input/exportclass.ts b/javascript/extractor/tests/ts/input/exportclass.ts new file mode 100644 index 00000000000..c433d66cf64 --- /dev/null +++ b/javascript/extractor/tests/ts/input/exportclass.ts @@ -0,0 +1 @@ +export class {} diff --git a/javascript/extractor/tests/ts/input/optionalChaining.ts b/javascript/extractor/tests/ts/input/optionalChaining.ts new file mode 100644 index 00000000000..5070e38ab24 --- /dev/null +++ b/javascript/extractor/tests/ts/input/optionalChaining.ts @@ -0,0 +1,3 @@ +base?.x.y; +base?.(x).y; +base?.[z].y; diff --git a/javascript/extractor/tests/ts/output/trap/exportclass.ts.trap b/javascript/extractor/tests/ts/output/trap/exportclass.ts.trap new file mode 100644 index 00000000000..603b20d64fd --- /dev/null +++ b/javascript/extractor/tests/ts/output/trap/exportclass.ts.trap @@ -0,0 +1,114 @@ +#10000=@"/exportclass.ts;sourcefile" +files(#10000,"/exportclass.ts","exportclass","ts",0) +#10001=@"/;folder" +folders(#10001,"/","") +containerparent(#10001,#10000) +#10002=@"loc,{#10000},0,0,0,0" +locations_default(#10002,#10000,0,0,0,0) +hasLocation(#10000,#10002) +#20000=@"global_scope" +scopes(#20000,0) +#20001=@"script;{#10000},1,1" +#20002=* +lines(#20002,#20001,"export class {}"," +") +#20003=@"loc,{#10000},1,1,1,15" +locations_default(#20003,#10000,1,1,1,15) +hasLocation(#20002,#20003) +numlines(#20001,1,1,0) +#20004=* +tokeninfo(#20004,7,#20001,0,"export") +#20005=@"loc,{#10000},1,1,1,6" +locations_default(#20005,#10000,1,1,1,6) +hasLocation(#20004,#20005) +#20006=* +tokeninfo(#20006,7,#20001,1,"class") +#20007=@"loc,{#10000},1,8,1,12" +locations_default(#20007,#10000,1,8,1,12) +hasLocation(#20006,#20007) +#20008=* +tokeninfo(#20008,8,#20001,2,"{") +#20009=@"loc,{#10000},1,14,1,14" +locations_default(#20009,#10000,1,14,1,14) +hasLocation(#20008,#20009) +#20010=* +tokeninfo(#20010,8,#20001,3,"}") +#20011=@"loc,{#10000},1,15,1,15" +locations_default(#20011,#10000,1,15,1,15) +hasLocation(#20010,#20011) +#20012=* +tokeninfo(#20012,0,#20001,4,"") +#20013=@"loc,{#10000},2,1,2,0" +locations_default(#20013,#10000,2,1,2,0) +hasLocation(#20012,#20013) +toplevels(#20001,0) +#20014=@"loc,{#10000},1,1,2,0" +locations_default(#20014,#10000,1,1,2,0) +hasLocation(#20001,#20014) +#20015=@"module;{#10000},1,1" +scopes(#20015,3) +scopenodes(#20001,#20015) +scopenesting(#20015,#20000) +isModule(#20001) +isES2015Module(#20001) +#20016=* +stmts(#20016,30,#20001,0,"export class {}") +hasLocation(#20016,#20003) +stmtContainers(#20016,#20001) +#20017=* +stmts(#20017,26,#20016,-1,"class {}") +#20018=@"loc,{#10000},1,8,1,15" +locations_default(#20018,#10000,1,8,1,15) +hasLocation(#20017,#20018) +stmtContainers(#20017,#20001) +#20019=* +properties(#20019,#20017,2,0,"constructor() {}") +#20020=@"loc,{#10000},1,6,1,5" +locations_default(#20020,#10000,1,6,1,5) +hasLocation(#20019,#20020) +#20021=* +exprs(#20021,0,#20019,0,"constructor") +hasLocation(#20021,#20020) +enclosingStmt(#20021,#20017) +exprContainers(#20021,#20001) +literals("constructor","constructor",#20021) +#20022=* +exprs(#20022,9,#20019,1,"() {}") +hasLocation(#20022,#20020) +enclosingStmt(#20022,#20017) +exprContainers(#20022,#20001) +#20023=* +scopes(#20023,1) +scopenodes(#20022,#20023) +scopenesting(#20023,#20015) +#20024=@"var;{arguments};{#20023}" +variables(#20024,"arguments",#20023) +isArgumentsObject(#20024) +#20025=* +stmts(#20025,1,#20022,-2,"{}") +hasLocation(#20025,#20020) +stmtContainers(#20025,#20022) +isMethod(#20019) +#20026=* +entry_cfg_node(#20026,#20001) +#20027=@"loc,{#10000},1,1,1,0" +locations_default(#20027,#10000,1,1,1,0) +hasLocation(#20026,#20027) +#20028=* +exit_cfg_node(#20028,#20001) +hasLocation(#20028,#20013) +successor(#20022,#20019) +#20029=* +entry_cfg_node(#20029,#20022) +hasLocation(#20029,#20020) +#20030=* +exit_cfg_node(#20030,#20022) +hasLocation(#20030,#20020) +successor(#20025,#20030) +successor(#20029,#20025) +successor(#20021,#20022) +successor(#20019,#20017) +successor(#20017,#20028) +successor(#20026,#20016) +numlines(#10000,1,1,0) +filetype(#10000,"typescript") diff --git a/javascript/extractor/tests/ts/output/trap/optionalChaining.ts.trap b/javascript/extractor/tests/ts/output/trap/optionalChaining.ts.trap new file mode 100644 index 00000000000..0a414c9da57 --- /dev/null +++ b/javascript/extractor/tests/ts/output/trap/optionalChaining.ts.trap @@ -0,0 +1,303 @@ +#10000=@"/optionalChaining.ts;sourcefile" +files(#10000,"/optionalChaining.ts","optionalChaining","ts",0) +#10001=@"/;folder" +folders(#10001,"/","") +containerparent(#10001,#10000) +#10002=@"loc,{#10000},0,0,0,0" +locations_default(#10002,#10000,0,0,0,0) +hasLocation(#10000,#10002) +#20000=@"global_scope" +scopes(#20000,0) +#20001=@"script;{#10000},1,1" +#20002=* +lines(#20002,#20001,"base?.x.y;"," +") +#20003=@"loc,{#10000},1,1,1,10" +locations_default(#20003,#10000,1,1,1,10) +hasLocation(#20002,#20003) +#20004=* +lines(#20004,#20001,"base?.(x).y;"," +") +#20005=@"loc,{#10000},2,1,2,12" +locations_default(#20005,#10000,2,1,2,12) +hasLocation(#20004,#20005) +#20006=* +lines(#20006,#20001,"base?.[z].y;"," +") +#20007=@"loc,{#10000},3,1,3,12" +locations_default(#20007,#10000,3,1,3,12) +hasLocation(#20006,#20007) +numlines(#20001,3,3,0) +#20008=* +tokeninfo(#20008,6,#20001,0,"base") +#20009=@"loc,{#10000},1,1,1,4" +locations_default(#20009,#10000,1,1,1,4) +hasLocation(#20008,#20009) +#20010=* +tokeninfo(#20010,8,#20001,1,"?.") +#20011=@"loc,{#10000},1,5,1,6" +locations_default(#20011,#10000,1,5,1,6) +hasLocation(#20010,#20011) +#20012=* +tokeninfo(#20012,6,#20001,2,"x") +#20013=@"loc,{#10000},1,7,1,7" +locations_default(#20013,#10000,1,7,1,7) +hasLocation(#20012,#20013) +#20014=* +tokeninfo(#20014,8,#20001,3,".") +#20015=@"loc,{#10000},1,8,1,8" +locations_default(#20015,#10000,1,8,1,8) +hasLocation(#20014,#20015) +#20016=* +tokeninfo(#20016,6,#20001,4,"y") +#20017=@"loc,{#10000},1,9,1,9" +locations_default(#20017,#10000,1,9,1,9) +hasLocation(#20016,#20017) +#20018=* +tokeninfo(#20018,8,#20001,5,";") +#20019=@"loc,{#10000},1,10,1,10" +locations_default(#20019,#10000,1,10,1,10) +hasLocation(#20018,#20019) +#20020=* +tokeninfo(#20020,6,#20001,6,"base") +#20021=@"loc,{#10000},2,1,2,4" +locations_default(#20021,#10000,2,1,2,4) +hasLocation(#20020,#20021) +#20022=* +tokeninfo(#20022,8,#20001,7,"?.") +#20023=@"loc,{#10000},2,5,2,6" +locations_default(#20023,#10000,2,5,2,6) +hasLocation(#20022,#20023) +#20024=* +tokeninfo(#20024,8,#20001,8,"(") +#20025=@"loc,{#10000},2,7,2,7" +locations_default(#20025,#10000,2,7,2,7) +hasLocation(#20024,#20025) +#20026=* +tokeninfo(#20026,6,#20001,9,"x") +#20027=@"loc,{#10000},2,8,2,8" +locations_default(#20027,#10000,2,8,2,8) +hasLocation(#20026,#20027) +#20028=* +tokeninfo(#20028,8,#20001,10,")") +#20029=@"loc,{#10000},2,9,2,9" +locations_default(#20029,#10000,2,9,2,9) +hasLocation(#20028,#20029) +#20030=* +tokeninfo(#20030,8,#20001,11,".") +#20031=@"loc,{#10000},2,10,2,10" +locations_default(#20031,#10000,2,10,2,10) +hasLocation(#20030,#20031) +#20032=* +tokeninfo(#20032,6,#20001,12,"y") +#20033=@"loc,{#10000},2,11,2,11" +locations_default(#20033,#10000,2,11,2,11) +hasLocation(#20032,#20033) +#20034=* +tokeninfo(#20034,8,#20001,13,";") +#20035=@"loc,{#10000},2,12,2,12" +locations_default(#20035,#10000,2,12,2,12) +hasLocation(#20034,#20035) +#20036=* +tokeninfo(#20036,6,#20001,14,"base") +#20037=@"loc,{#10000},3,1,3,4" +locations_default(#20037,#10000,3,1,3,4) +hasLocation(#20036,#20037) +#20038=* +tokeninfo(#20038,8,#20001,15,"?.") +#20039=@"loc,{#10000},3,5,3,6" +locations_default(#20039,#10000,3,5,3,6) +hasLocation(#20038,#20039) +#20040=* +tokeninfo(#20040,8,#20001,16,"[") +#20041=@"loc,{#10000},3,7,3,7" +locations_default(#20041,#10000,3,7,3,7) +hasLocation(#20040,#20041) +#20042=* +tokeninfo(#20042,6,#20001,17,"z") +#20043=@"loc,{#10000},3,8,3,8" +locations_default(#20043,#10000,3,8,3,8) +hasLocation(#20042,#20043) +#20044=* +tokeninfo(#20044,8,#20001,18,"]") +#20045=@"loc,{#10000},3,9,3,9" +locations_default(#20045,#10000,3,9,3,9) +hasLocation(#20044,#20045) +#20046=* +tokeninfo(#20046,8,#20001,19,".") +#20047=@"loc,{#10000},3,10,3,10" +locations_default(#20047,#10000,3,10,3,10) +hasLocation(#20046,#20047) +#20048=* +tokeninfo(#20048,6,#20001,20,"y") +#20049=@"loc,{#10000},3,11,3,11" +locations_default(#20049,#10000,3,11,3,11) +hasLocation(#20048,#20049) +#20050=* +tokeninfo(#20050,8,#20001,21,";") +#20051=@"loc,{#10000},3,12,3,12" +locations_default(#20051,#10000,3,12,3,12) +hasLocation(#20050,#20051) +#20052=* +tokeninfo(#20052,0,#20001,22,"") +#20053=@"loc,{#10000},4,1,4,0" +locations_default(#20053,#10000,4,1,4,0) +hasLocation(#20052,#20053) +toplevels(#20001,0) +#20054=@"loc,{#10000},1,1,4,0" +locations_default(#20054,#10000,1,1,4,0) +hasLocation(#20001,#20054) +#20055=* +stmts(#20055,2,#20001,0,"base?.x.y;") +hasLocation(#20055,#20003) +stmtContainers(#20055,#20001) +#20056=* +exprs(#20056,14,#20055,0,"base?.x.y") +#20057=@"loc,{#10000},1,1,1,9" +locations_default(#20057,#10000,1,1,1,9) +hasLocation(#20056,#20057) +enclosingStmt(#20056,#20055) +exprContainers(#20056,#20001) +#20058=* +exprs(#20058,14,#20056,0,"base?.x") +#20059=@"loc,{#10000},1,1,1,7" +locations_default(#20059,#10000,1,1,1,7) +hasLocation(#20058,#20059) +enclosingStmt(#20058,#20055) +exprContainers(#20058,#20001) +#20060=* +exprs(#20060,79,#20058,0,"base") +hasLocation(#20060,#20009) +enclosingStmt(#20060,#20055) +exprContainers(#20060,#20001) +literals("base","base",#20060) +#20061=@"var;{base};{#20000}" +variables(#20061,"base",#20000) +bind(#20060,#20061) +#20062=* +exprs(#20062,0,#20058,1,"x") +hasLocation(#20062,#20013) +enclosingStmt(#20062,#20055) +exprContainers(#20062,#20001) +literals("x","x",#20062) +isOptionalChaining(#20058) +#20063=* +exprs(#20063,0,#20056,1,"y") +hasLocation(#20063,#20017) +enclosingStmt(#20063,#20055) +exprContainers(#20063,#20001) +literals("y","y",#20063) +#20064=* +stmts(#20064,2,#20001,1,"base?.(x).y;") +hasLocation(#20064,#20005) +stmtContainers(#20064,#20001) +#20065=* +exprs(#20065,14,#20064,0,"base?.(x).y") +#20066=@"loc,{#10000},2,1,2,11" +locations_default(#20066,#10000,2,1,2,11) +hasLocation(#20065,#20066) +enclosingStmt(#20065,#20064) +exprContainers(#20065,#20001) +#20067=* +exprs(#20067,13,#20065,0,"base?.(x)") +#20068=@"loc,{#10000},2,1,2,9" +locations_default(#20068,#10000,2,1,2,9) +hasLocation(#20067,#20068) +enclosingStmt(#20067,#20064) +exprContainers(#20067,#20001) +#20069=* +exprs(#20069,79,#20067,-1,"base") +hasLocation(#20069,#20021) +enclosingStmt(#20069,#20064) +exprContainers(#20069,#20001) +literals("base","base",#20069) +bind(#20069,#20061) +#20070=* +exprs(#20070,79,#20067,0,"x") +hasLocation(#20070,#20027) +enclosingStmt(#20070,#20064) +exprContainers(#20070,#20001) +literals("x","x",#20070) +#20071=@"var;{x};{#20000}" +variables(#20071,"x",#20000) +bind(#20070,#20071) +isOptionalChaining(#20067) +#20072=* +exprs(#20072,0,#20065,1,"y") +hasLocation(#20072,#20033) +enclosingStmt(#20072,#20064) +exprContainers(#20072,#20001) +literals("y","y",#20072) +#20073=* +stmts(#20073,2,#20001,2,"base?.[z].y;") +hasLocation(#20073,#20007) +stmtContainers(#20073,#20001) +#20074=* +exprs(#20074,14,#20073,0,"base?.[z].y") +#20075=@"loc,{#10000},3,1,3,11" +locations_default(#20075,#10000,3,1,3,11) +hasLocation(#20074,#20075) +enclosingStmt(#20074,#20073) +exprContainers(#20074,#20001) +#20076=* +exprs(#20076,15,#20074,0,"base?.[z]") +#20077=@"loc,{#10000},3,1,3,9" +locations_default(#20077,#10000,3,1,3,9) +hasLocation(#20076,#20077) +enclosingStmt(#20076,#20073) +exprContainers(#20076,#20001) +#20078=* +exprs(#20078,79,#20076,0,"base") +hasLocation(#20078,#20037) +enclosingStmt(#20078,#20073) +exprContainers(#20078,#20001) +literals("base","base",#20078) +bind(#20078,#20061) +#20079=* +exprs(#20079,79,#20076,1,"z") +hasLocation(#20079,#20043) +enclosingStmt(#20079,#20073) +exprContainers(#20079,#20001) +literals("z","z",#20079) +#20080=@"var;{z};{#20000}" +variables(#20080,"z",#20000) +bind(#20079,#20080) +isOptionalChaining(#20076) +#20081=* +exprs(#20081,0,#20074,1,"y") +hasLocation(#20081,#20049) +enclosingStmt(#20081,#20073) +exprContainers(#20081,#20001) +literals("y","y",#20081) +#20082=* +entry_cfg_node(#20082,#20001) +#20083=@"loc,{#10000},1,1,1,0" +locations_default(#20083,#10000,1,1,1,0) +hasLocation(#20082,#20083) +#20084=* +exit_cfg_node(#20084,#20001) +hasLocation(#20084,#20053) +successor(#20073,#20078) +successor(#20081,#20074) +successor(#20079,#20076) +successor(#20078,#20079) +successor(#20076,#20081) +successor(#20078,#20084) +successor(#20074,#20084) +successor(#20064,#20069) +successor(#20072,#20065) +successor(#20070,#20067) +successor(#20069,#20070) +successor(#20067,#20072) +successor(#20069,#20073) +successor(#20065,#20073) +successor(#20055,#20060) +successor(#20063,#20056) +successor(#20062,#20058) +successor(#20060,#20062) +successor(#20058,#20063) +successor(#20060,#20064) +successor(#20056,#20064) +successor(#20082,#20055) +numlines(#10000,3,3,0) +filetype(#10000,"typescript") diff --git a/javascript/ql/src/Expressions/ExprHasNoEffect.ql b/javascript/ql/src/Expressions/ExprHasNoEffect.ql index 14024ec8f38..917ab81a3e7 100644 --- a/javascript/ql/src/Expressions/ExprHasNoEffect.ql +++ b/javascript/ql/src/Expressions/ExprHasNoEffect.ql @@ -13,122 +13,10 @@ */ import javascript -import DOMProperties -import semmle.javascript.frameworks.xUnit -import semmle.javascript.RestrictedLocations import ExprHasNoEffect +import semmle.javascript.RestrictedLocations -/** - * Holds if `e` is of the form `x;` or `e.p;` and has a JSDoc comment containing a tag. - * In that case, it is probably meant as a declaration and shouldn't be flagged by this query. - * - * This will still flag cases where the JSDoc comment contains no tag at all (and hence carries - * no semantic information), and expression statements with an ordinary (non-JSDoc) comment - * attached to them. - */ -predicate isDeclaration(Expr e) { - (e instanceof VarAccess or e instanceof PropAccess) and - exists(e.getParent().(ExprStmt).getDocumentation().getATag()) -} - -/** - * Holds if there exists a getter for a property called `name` anywhere in the program. - */ -predicate isGetterProperty(string name) { - // there is a call of the form `Object.defineProperty(..., name, descriptor)` ... - exists(CallToObjectDefineProperty defProp | name = defProp.getPropertyName() | - // ... where `descriptor` defines a getter - defProp.hasPropertyAttributeWrite("get", _) - or - // ... where `descriptor` may define a getter - exists(DataFlow::SourceNode descriptor | descriptor.flowsTo(defProp.getPropertyDescriptor()) | - descriptor.isIncomplete(_) - or - // minimal escape analysis for the descriptor - exists(DataFlow::InvokeNode invk | - not invk = defProp and - descriptor.flowsTo(invk.getAnArgument()) - ) - ) - ) - or - // there is an object expression with a getter property `name` - exists(ObjectExpr obj | obj.getPropertyByName(name) instanceof PropertyGetter) -} - -/** - * A property access that may invoke a getter. - */ -class GetterPropertyAccess extends PropAccess { - override predicate isImpure() { isGetterProperty(getPropertyName()) } -} - -/** - * Holds if `c` is an indirect eval call of the form `(dummy, eval)(...)`, where - * `dummy` is some expression whose value is discarded, and which simply - * exists to prevent the call from being interpreted as a direct eval. - */ -predicate isIndirectEval(CallExpr c, Expr dummy) { - exists(SeqExpr seq | seq = c.getCallee().stripParens() | - dummy = seq.getOperand(0) and - seq.getOperand(1).(GlobalVarAccess).getName() = "eval" and - seq.getNumOperands() = 2 - ) -} - -/** - * Holds if `c` is a call of the form `(dummy, e[p])(...)`, where `dummy` is - * some expression whose value is discarded, and which simply exists - * to prevent the call from being interpreted as a method call. - */ -predicate isReceiverSuppressingCall(CallExpr c, Expr dummy, PropAccess callee) { - exists(SeqExpr seq | seq = c.getCallee().stripParens() | - dummy = seq.getOperand(0) and - seq.getOperand(1) = callee and - seq.getNumOperands() = 2 - ) -} - -/** - * Holds if evaluating `e` has no side effects (except potentially allocating - * and initializing a new object). - * - * For calls, we do not check whether their arguments have any side effects: - * even if they do, the call itself is useless and should be flagged by this - * query. - */ -predicate noSideEffects(Expr e) { - e.isPure() - or - // `new Error(...)`, `new SyntaxError(...)`, etc. - forex(Function f | f = e.flow().(DataFlow::NewNode).getACallee() | - f.(ExternalType).getASupertype*().getName() = "Error" - ) -} from Expr e -where - noSideEffects(e) and - inVoidContext(e) and - // disregard pure expressions wrapped in a void(...) - not e instanceof VoidExpr and - // filter out directives (unknown directives are handled by UnknownDirective.ql) - not exists(Directive d | e = d.getExpr()) and - // or about externs - not e.inExternsFile() and - // don't complain about declarations - not isDeclaration(e) and - // exclude DOM properties, which sometimes have magical auto-update properties - not isDOMProperty(e.(PropAccess).getPropertyName()) and - // exclude xUnit.js annotations - not e instanceof XUnitAnnotation and - // exclude common patterns that are most likely intentional - not isIndirectEval(_, e) and - not isReceiverSuppressingCall(_, e, _) and - // exclude anonymous function expressions as statements; these can only arise - // from a syntax error we already flag - not exists(FunctionExpr fe, ExprStmt es | fe = e | - fe = es.getExpr() and - not exists(fe.getName()) - ) +where hasNoEffect(e) select e.(FirstLineOf), "This expression has no effect." diff --git a/javascript/ql/src/Expressions/ExprHasNoEffect.qll b/javascript/ql/src/Expressions/ExprHasNoEffect.qll index 858f719ba0a..bee980e5fd8 100644 --- a/javascript/ql/src/Expressions/ExprHasNoEffect.qll +++ b/javascript/ql/src/Expressions/ExprHasNoEffect.qll @@ -3,6 +3,8 @@ */ import javascript +import DOMProperties +import semmle.javascript.frameworks.xUnit /** * Holds if `e` appears in a syntactic context where its value is discarded. @@ -37,3 +39,121 @@ predicate inVoidContext(Expr e) { or exists(LogicalBinaryExpr logical | e = logical.getRightOperand() and inVoidContext(logical)) } + + +/** + * Holds if `e` is of the form `x;` or `e.p;` and has a JSDoc comment containing a tag. + * In that case, it is probably meant as a declaration and shouldn't be flagged by this query. + * + * This will still flag cases where the JSDoc comment contains no tag at all (and hence carries + * no semantic information), and expression statements with an ordinary (non-JSDoc) comment + * attached to them. + */ +predicate isDeclaration(Expr e) { + (e instanceof VarAccess or e instanceof PropAccess) and + exists(e.getParent().(ExprStmt).getDocumentation().getATag()) +} + +/** + * Holds if there exists a getter for a property called `name` anywhere in the program. + */ +predicate isGetterProperty(string name) { + // there is a call of the form `Object.defineProperty(..., name, descriptor)` ... + exists(CallToObjectDefineProperty defProp | name = defProp.getPropertyName() | + // ... where `descriptor` defines a getter + defProp.hasPropertyAttributeWrite("get", _) + or + // ... where `descriptor` may define a getter + exists(DataFlow::SourceNode descriptor | descriptor.flowsTo(defProp.getPropertyDescriptor()) | + descriptor.isIncomplete(_) + or + // minimal escape analysis for the descriptor + exists(DataFlow::InvokeNode invk | + not invk = defProp and + descriptor.flowsTo(invk.getAnArgument()) + ) + ) + ) + or + // there is an object expression with a getter property `name` + exists(ObjectExpr obj | obj.getPropertyByName(name) instanceof PropertyGetter) +} + +/** + * A property access that may invoke a getter. + */ +class GetterPropertyAccess extends PropAccess { + override predicate isImpure() { isGetterProperty(getPropertyName()) } +} + +/** + * Holds if `c` is an indirect eval call of the form `(dummy, eval)(...)`, where + * `dummy` is some expression whose value is discarded, and which simply + * exists to prevent the call from being interpreted as a direct eval. + */ +predicate isIndirectEval(CallExpr c, Expr dummy) { + exists(SeqExpr seq | seq = c.getCallee().stripParens() | + dummy = seq.getOperand(0) and + seq.getOperand(1).(GlobalVarAccess).getName() = "eval" and + seq.getNumOperands() = 2 + ) +} + +/** + * Holds if `c` is a call of the form `(dummy, e[p])(...)`, where `dummy` is + * some expression whose value is discarded, and which simply exists + * to prevent the call from being interpreted as a method call. + */ +predicate isReceiverSuppressingCall(CallExpr c, Expr dummy, PropAccess callee) { + exists(SeqExpr seq | seq = c.getCallee().stripParens() | + dummy = seq.getOperand(0) and + seq.getOperand(1) = callee and + seq.getNumOperands() = 2 + ) +} + +/** + * Holds if evaluating `e` has no side effects (except potentially allocating + * and initializing a new object). + * + * For calls, we do not check whether their arguments have any side effects: + * even if they do, the call itself is useless and should be flagged by this + * query. + */ +predicate noSideEffects(Expr e) { + e.isPure() + or + // `new Error(...)`, `new SyntaxError(...)`, etc. + forex(Function f | f = e.flow().(DataFlow::NewNode).getACallee() | + f.(ExternalType).getASupertype*().getName() = "Error" + ) +} + +/** + * Holds if the expression `e` should be reported as having no effect. + */ +predicate hasNoEffect(Expr e) { + noSideEffects(e) and + inVoidContext(e) and + // disregard pure expressions wrapped in a void(...) + not e instanceof VoidExpr and + // filter out directives (unknown directives are handled by UnknownDirective.ql) + not exists(Directive d | e = d.getExpr()) and + // or about externs + not e.inExternsFile() and + // don't complain about declarations + not isDeclaration(e) and + // exclude DOM properties, which sometimes have magical auto-update properties + not isDOMProperty(e.(PropAccess).getPropertyName()) and + // exclude xUnit.js annotations + not e instanceof XUnitAnnotation and + // exclude common patterns that are most likely intentional + not isIndirectEval(_, e) and + not isReceiverSuppressingCall(_, e, _) and + // exclude anonymous function expressions as statements; these can only arise + // from a syntax error we already flag + not exists(FunctionExpr fe, ExprStmt es | fe = e | + fe = es.getExpr() and + not exists(fe.getName()) + ) +} \ No newline at end of file diff --git a/javascript/ql/src/Expressions/UnknownDirective.ql b/javascript/ql/src/Expressions/UnknownDirective.ql index 61cda697cc3..4f027db6bbc 100644 --- a/javascript/ql/src/Expressions/UnknownDirective.ql +++ b/javascript/ql/src/Expressions/UnknownDirective.ql @@ -13,6 +13,8 @@ import javascript from Directive d where not d instanceof KnownDirective and + // ignore ":" pseudo-directive sometimes seen in dual-use shell/node.js scripts + not d.getExpr().getStringValue() = ":" and // but exclude attribute top-levels: `` not d.getParent() instanceof CodeInAttribute select d, "Unknown directive: '" + truncate(d.getDirectiveText(), 20, " ... (truncated)") + "'." diff --git a/javascript/ql/src/LanguageFeatures/IllegalInvocation.ql b/javascript/ql/src/LanguageFeatures/IllegalInvocation.ql index f9cf0a458a6..467b80f4dac 100644 --- a/javascript/ql/src/LanguageFeatures/IllegalInvocation.ql +++ b/javascript/ql/src/LanguageFeatures/IllegalInvocation.ql @@ -61,5 +61,7 @@ where forex(DataFlow::InvokeNode cs2, Function otherCallee | cs2.getInvokeExpr() = cs.getInvokeExpr() and otherCallee = cs2.getACallee() | illegalInvocation(cs, otherCallee, _, _) - ) + ) and + // require that all callees are known + not cs.isIncomplete() select cs, "Illegal invocation of $@ " + how + ".", callee, calleeDesc diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.qhelp b/javascript/ql/src/Security/CWE-116/DoubleEscaping.qhelp index 02cce7c5911..6c36fde4b28 100644 --- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.qhelp +++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.qhelp @@ -10,8 +10,8 @@ attacks such as cross-site scripting. One particular example of this is HTML ent where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as &lt; and the double-quote character as &quot;. -Other examples include backslash-escaping for including untrusted data in string literals and -percent-encoding for URI components. +Other examples include backslash escaping or JSON encoding for including untrusted data in string +literals, and percent-encoding for URI components.

    The reverse process of replacing escape sequences with the characters they represent is known as diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql index a150a2d7a7a..6340a2fcedc 100644 --- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql +++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql @@ -46,7 +46,12 @@ string getStringValue(RegExpLiteral rl) { */ DataFlow::Node getASimplePredecessor(DataFlow::Node nd) { result = nd.getAPredecessor() and - not nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition() instanceof SsaPhiNode + not exists(SsaDefinition ssa | + ssa = nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition() + | + ssa instanceof SsaPhiNode or + ssa instanceof SsaVariableCapture + ) } /** @@ -54,38 +59,31 @@ DataFlow::Node getASimplePredecessor(DataFlow::Node nd) { * into a form described by regular expression `regex`. */ predicate escapingScheme(string metachar, string regex) { - metachar = "&" and regex = "&.*;" + metachar = "&" and regex = "&.+;" or - metachar = "%" and regex = "%.*" + metachar = "%" and regex = "%.+" or - metachar = "\\" and regex = "\\\\.*" + metachar = "\\" and regex = "\\\\.+" } /** - * A call to `String.prototype.replace` that replaces all instances of a pattern. + * A method call that performs string replacement. */ -class Replacement extends DataFlow::Node { - RegExpLiteral pattern; - - Replacement() { - exists(DataFlow::MethodCallNode mcn | this = mcn | - mcn.getMethodName() = "replace" and - pattern.flow().(DataFlow::SourceNode).flowsTo(mcn.getArgument(0)) and - mcn.getNumArgument() = 2 and - pattern.isGlobal() - ) - } - +abstract class Replacement extends DataFlow::Node { /** * Holds if this replacement replaces the string `input` with `output`. */ - predicate replaces(string input, string output) { - exists(DataFlow::MethodCallNode mcn | - mcn = this and - input = getStringValue(pattern) and - output = mcn.getArgument(1).getStringValue() - ) - } + abstract predicate replaces(string input, string output); + + /** + * Gets the input of this replacement. + */ + abstract DataFlow::Node getInput(); + + /** + * Gets the output of this replacement. + */ + abstract DataFlow::SourceNode getOutput(); /** * Holds if this replacement escapes `char` using `metachar`. @@ -118,9 +116,12 @@ class Replacement extends DataFlow::Node { /** * Gets the previous replacement in this chain of replacements. */ - Replacement getPreviousReplacement() { - result = getASimplePredecessor*(this.(DataFlow::MethodCallNode).getReceiver()) - } + Replacement getPreviousReplacement() { result.getOutput() = getASimplePredecessor*(getInput()) } + + /** + * Gets the next replacement in this chain of replacements. + */ + Replacement getNextReplacement() { this = result.getPreviousReplacement() } /** * Gets an earlier replacement in this chain of replacements that @@ -130,7 +131,9 @@ class Replacement extends DataFlow::Node { exists(Replacement pred | pred = this.getPreviousReplacement() | if pred.escapes(_, metachar) then result = pred - else result = pred.getAnEarlierEscaping(metachar) + else ( + not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar) + ) ) } @@ -142,11 +145,100 @@ class Replacement extends DataFlow::Node { exists(Replacement succ | this = succ.getPreviousReplacement() | if succ.unescapes(metachar, _) then result = succ - else result = succ.getALaterUnescaping(metachar) + else ( + not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar) + ) ) } } +/** + * A call to `String.prototype.replace` that replaces all instances of a pattern. + */ +class GlobalStringReplacement extends Replacement, DataFlow::MethodCallNode { + RegExpLiteral pattern; + + GlobalStringReplacement() { + this.getMethodName() = "replace" and + pattern.flow().(DataFlow::SourceNode).flowsTo(this.getArgument(0)) and + this.getNumArgument() = 2 and + pattern.isGlobal() + } + + override predicate replaces(string input, string output) { + input = getStringValue(pattern) and + output = this.getArgument(1).getStringValue() + or + exists(DataFlow::FunctionNode replacer, DataFlow::PropRead pr, DataFlow::ObjectLiteralNode map | + replacer = getCallback(1) and + replacer.getParameter(0).flowsToExpr(pr.getPropertyNameExpr()) and + pr = map.getAPropertyRead() and + pr.flowsTo(replacer.getAReturn()) and + map.asExpr().(ObjectExpr).getPropertyByName(input).getInit().getStringValue() = output + ) + } + + override DataFlow::Node getInput() { result = this.getReceiver() } + + override DataFlow::SourceNode getOutput() { result = this } +} + +/** + * A call to `JSON.stringify`, viewed as a string replacement. + */ +class JsonStringifyReplacement extends Replacement, DataFlow::CallNode { + JsonStringifyReplacement() { this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify") } + + override predicate replaces(string input, string output) { + input = "\\" and output = "\\\\" + // the other replacements are not relevant for this query + } + + override DataFlow::Node getInput() { result = this.getArgument(0) } + + override DataFlow::SourceNode getOutput() { result = this } +} + +/** + * A call to `JSON.parse`, viewed as a string replacement. + */ +class JsonParseReplacement extends Replacement { + JsonParserCall self; + + JsonParseReplacement() { this = self } + + override predicate replaces(string input, string output) { + input = "\\\\" and output = "\\" + // the other replacements are not relevant for this query + } + + override DataFlow::Node getInput() { result = self.getInput() } + + override DataFlow::SourceNode getOutput() { result = self.getOutput() } +} + +/** + * A string replacement wrapped in a utility function. + */ +class WrappedReplacement extends Replacement, DataFlow::CallNode { + int i; + + Replacement inner; + + WrappedReplacement() { + exists(DataFlow::FunctionNode wrapped | wrapped.getFunction() = getACallee() | + wrapped.getParameter(i).flowsTo(inner.getPreviousReplacement*().getInput()) and + inner.getNextReplacement*().getOutput().flowsTo(wrapped.getAReturn()) + ) + } + + override predicate replaces(string input, string output) { inner.replaces(input, output) } + + override DataFlow::Node getInput() { result = getArgument(i) } + + override DataFlow::SourceNode getOutput() { result = this } +} + from Replacement primary, Replacement supplementary, string message, string metachar where primary.escapes(metachar, _) and diff --git a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql index 72de22117cd..36576c8adde 100644 --- a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql +++ b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql @@ -7,7 +7,7 @@ * @id js/loop-bound-injection * @tags security * external/cwe/cwe-834 - * @precision medium + * @precision high */ import javascript diff --git a/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql b/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql index e63900f16ba..1a3670013ed 100644 --- a/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql +++ b/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql @@ -14,17 +14,19 @@ import PortalExitSource import PortalEntrySink from - TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Portal p1, - Portal p2, DataFlow::FlowLabel lbl1, DataFlow::FlowLabel lbl2 + TaintTracking::Configuration cfg, DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink, Portal p1, + Portal p2, DataFlow::FlowLabel lbl1, DataFlow::FlowLabel lbl2, DataFlow::MidPathNode last where - cfg.hasFlowPath(source, sink) and + cfg = source.getConfiguration() and + last = source.getASuccessor*() and + sink = last.getASuccessor() and p1 = source.getNode().(PortalExitSource).getPortal() and p2 = sink.getNode().(PortalEntrySink).getPortal() and - lbl1 = sink.getPathSummary().getStartLabel() and - lbl2 = sink.getPathSummary().getEndLabel() and + lbl1 = last.getPathSummary().getStartLabel() and + lbl2 = last.getPathSummary().getEndLabel() and // avoid constructing infeasible paths - sink.getPathSummary().hasCall() = false and - sink.getPathSummary().hasReturn() = false and + last.getPathSummary().hasCall() = false and + last.getPathSummary().hasReturn() = false and // restrict to steps flow function parameters to returns p1.(ParameterPortal).getBasePortal() = p2.(ReturnPortal).getBasePortal() and // restrict to data/taint flow diff --git a/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql b/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql index 22ce077743e..588fe796811 100644 --- a/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql +++ b/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql @@ -11,10 +11,13 @@ import Configurations import PortalExitSource import SinkFromAnnotation -from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Portal p +from DataFlow::Configuration cfg, DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink, + Portal p, DataFlow::MidPathNode last where - cfg.hasFlowPath(source, sink) and + cfg = source.getConfiguration() and + last = source.getASuccessor*() and + sink = last.getASuccessor() and p = source.getNode().(PortalExitSource).getPortal() and // avoid constructing infeasible paths - sink.getPathSummary().hasReturn() = false -select p.toString(), source.getPathSummary().getStartLabel().toString(), cfg.toString() + last.getPathSummary().hasReturn() = false +select p.toString(), last.getPathSummary().getStartLabel().toString(), cfg.toString() diff --git a/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql b/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql index 81f52f23533..de7ddf04b3f 100644 --- a/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql +++ b/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql @@ -11,10 +11,13 @@ import Configurations import PortalEntrySink import SourceFromAnnotation -from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Portal p +from DataFlow::Configuration cfg, DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink, + Portal p, DataFlow::MidPathNode last where - cfg.hasFlowPath(source, sink) and + cfg = source.getConfiguration() and + last = source.getASuccessor*() and + sink = last.getASuccessor() and p = sink.getNode().(PortalEntrySink).getPortal() and // avoid constructing infeasible paths - sink.getPathSummary().hasCall() = false -select p.toString(), sink.getPathSummary().getEndLabel().toString(), cfg.toString() + last.getPathSummary().hasCall() = false +select p.toString(), last.getPathSummary().getEndLabel().toString(), cfg.toString() diff --git a/javascript/ql/src/Statements/IgnoreArrayResult.qhelp b/javascript/ql/src/Statements/IgnoreArrayResult.qhelp new file mode 100644 index 00000000000..70e3cb4e5cc --- /dev/null +++ b/javascript/ql/src/Statements/IgnoreArrayResult.qhelp @@ -0,0 +1,48 @@ + + + +

    +The concat, join and slice methods are +pure and do not modify any of the inputs or the array the method is called +on. It is therefore generally an error to ignore the return value from a call +to one of these methods. +

    + + + + +

    +Use the returned value from the calls to concat, join +or slice. +

    + +     + + +

    +A function extend is defined in the following example. The +function uses the concat method to add elements to the +arr array. However, the extend function has no +effect as the return value from concat is ignored: +

    + + + +

    +Assigning the returned value from the call to concat to the +arr variable fixes the error: +

    + + + +     + + +
  • Mozilla Developer Network: Array concat.
    • +
  • Mozilla Developer Network: Array slice.
    • +
  • Mozilla Developer Network: Array join.
    • + +     + diff --git a/javascript/ql/src/Statements/IgnoreArrayResult.ql b/javascript/ql/src/Statements/IgnoreArrayResult.ql new file mode 100644 index 00000000000..6f6698797f1 --- /dev/null +++ b/javascript/ql/src/Statements/IgnoreArrayResult.ql @@ -0,0 +1,45 @@ +/** + * @name Ignoring result from pure array method + * @description Ignoring the result of an array method that does not modify its receiver is generally an error. + * @kind problem + * @problem.severity warning + * @id js/ignore-array-result + * @tags maintainability + * correctness + * @precision high + */ + +import javascript +import Expressions.ExprHasNoEffect + +DataFlow::SourceNode callsArray(DataFlow::TypeBackTracker t, DataFlow::MethodCallNode call) { + isIgnoredPureArrayCall(call) and + t.start() and + result = call.getReceiver().getALocalSource() + or + exists(DataFlow::TypeBackTracker t2 | result = callsArray(t2, call).backtrack(t2, t)) +} + +DataFlow::SourceNode callsArray(DataFlow::MethodCallNode call) { + result = callsArray(DataFlow::TypeBackTracker::end(), call) +} + +predicate isIgnoredPureArrayCall(DataFlow::MethodCallNode call) { + inVoidContext(call.asExpr()) and + ( + call.getMethodName() = "concat" and + call.getNumArgument() = 1 + or + call.getMethodName() = "join" and + call.getNumArgument() < 2 + or + call.getMethodName() = "slice" and + call.getNumArgument() < 3 + ) +} + +from DataFlow::MethodCallNode call +where + callsArray(call) instanceof DataFlow::ArrayCreationNode and + not call.getReceiver().asExpr().(ArrayExpr).getSize() = 0 +select call, "Result from call to " + call.getMethodName() + " ignored." diff --git a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql index c586cfe2497..f8f459cc84d 100644 --- a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql +++ b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql @@ -82,17 +82,87 @@ predicate alwaysThrows(Function f) { ) } -from DataFlow::CallNode call -where - not call.isIndefinite(_) and - forex(Function f | f = call.getACallee() | +/** + * Holds if the last statement in the function is flagged by the js/useless-expression query. + */ +predicate lastStatementHasNoEffect(Function f) { + hasNoEffect(f.getExit().getAPredecessor()) +} + +/** + * Holds if `func` is a callee of `call`, and all possible callees of `call` never return a value. + */ +predicate callToVoidFunction(DataFlow::CallNode call, Function func) { + not call.isIncomplete() and + func = call.getACallee() and + forall(Function f | f = call.getACallee() | returnsVoid(f) and not isStub(f) and not alwaysThrows(f) + ) +} + +/** + * Holds if `name` is the name of a method from `Array.prototype` or Lodash, + * where that method takes a callback as parameter, + * and the callback is expected to return a value. + */ +predicate hasNonVoidCallbackMethod(string name) { + name = "every" or + name = "filter" or + name = "find" or + name = "findIndex" or + name = "flatMap" or + name = "map" or + name = "reduce" or + name = "reduceRight" or + name = "some" or + name = "sort" +} + +DataFlow::SourceNode array(DataFlow::TypeTracker t) { + t.start() and result instanceof DataFlow::ArrayCreationNode + or + exists (DataFlow::TypeTracker t2 | + result = array(t2).track(t2, t) + ) +} + +DataFlow::SourceNode array() { result = array(DataFlow::TypeTracker::end()) } + +/** + * Holds if `call` is an Array or Lodash method accepting a callback `func`, + * where the `call` expects a callback that returns an expression, + * but `func` does not return a value. + */ +predicate voidArrayCallback(DataFlow::CallNode call, Function func) { + hasNonVoidCallbackMethod(call.getCalleeName()) and + exists(int index | + index = min(int i | exists(call.getCallback(i))) and + func = call.getCallback(index).getFunction() + ) and + returnsVoid(func) and + not isStub(func) and + not alwaysThrows(func) and + ( + call.getReceiver().getALocalSource() = array() + or + call.getCalleeNode().getALocalSource() instanceof LodashUnderscore::Member + ) +} + +from DataFlow::CallNode call, Function func, string name, string msg +where + ( + callToVoidFunction(call, func) and + msg = "the $@ does not return anything, yet the return value is used." and + name = func.describe() + or + voidArrayCallback(call, func) and + msg = "the $@ does not return anything, yet the return value from the call to " + call.getCalleeName() + " is used." and + name = "callback function" ) and - not benignContext(call.asExpr()) and - + not lastStatementHasNoEffect(func) and // anonymous one-shot closure. Those are used in weird ways and we ignore them. not oneshotClosure(call.asExpr()) select - call, "the function $@ does not return anything, yet the return value is used.", call.getACallee(), call.getCalleeName() - + call, msg, func, name diff --git a/javascript/ql/src/Statements/examples/IgnoreArrayResult.js b/javascript/ql/src/Statements/examples/IgnoreArrayResult.js new file mode 100644 index 00000000000..7137d5261a6 --- /dev/null +++ b/javascript/ql/src/Statements/examples/IgnoreArrayResult.js @@ -0,0 +1,5 @@ +var arr = [1,2,3]; + +function extend(others) { + arr.concat(others); +} \ No newline at end of file diff --git a/javascript/ql/src/Statements/examples/IgnoreArrayResultFixed.js b/javascript/ql/src/Statements/examples/IgnoreArrayResultFixed.js new file mode 100644 index 00000000000..1c7977e9ef0 --- /dev/null +++ b/javascript/ql/src/Statements/examples/IgnoreArrayResultFixed.js @@ -0,0 +1,5 @@ +var arr = [1,2,3]; + +function extend(others) { + arr = arr.concat(others); +} \ No newline at end of file diff --git a/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll b/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll index 065d6faa5d5..80c20a02143 100644 --- a/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll +++ b/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll @@ -47,97 +47,6 @@ class RelevantFunction extends Function { } } -/** - * Holds if `name` is a the name of an external module. - */ -predicate isExternalLibrary(string name) { - // Mentioned in package.json - any(Dependency dep).info(name, _) or - // Node.js built-in - name = "assert" or - name = "async_hooks" or - name = "child_process" or - name = "cluster" or - name = "crypto" or - name = "dns" or - name = "domain" or - name = "events" or - name = "fs" or - name = "http" or - name = "http2" or - name = "https" or - name = "inspector" or - name = "net" or - name = "os" or - name = "path" or - name = "perf_hooks" or - name = "process" or - name = "punycode" or - name = "querystring" or - name = "readline" or - name = "repl" or - name = "stream" or - name = "string_decoder" or - name = "timer" or - name = "tls" or - name = "trace_events" or - name = "tty" or - name = "dgram" or - name = "url" or - name = "util" or - name = "v8" or - name = "vm" or - name = "worker_threads" or - name = "zlib" -} - -/** - * Holds if the global variable `name` is defined externally. - */ -predicate isExternalGlobal(string name) { - exists(ExternalGlobalDecl decl | decl.getName() = name) - or - exists(Dependency dep | - // If name is never assigned anywhere, and it coincides with a dependency, - // it's most likely coming from there. - dep.info(name, _) and - not exists(Assignment assign | assign.getLhs().(GlobalVarAccess).getName() = name) - ) - or - name = "_" -} - -/** - * Gets a node that was derived from an import of `moduleName`. - * - * This is a rough approximation as it follows all property reads, invocations, - * and callbacks, so some of these might refer to internal objects. - * - * Additionally, we don't recognize when a project imports another file in the - * same project using its module name (for example import "vscode" from inside the vscode project). - */ -SourceNode externalNode() { - exists(string moduleName | - result = moduleImport(moduleName) and - isExternalLibrary(moduleName) - ) - or - exists(string name | - result = globalVarRef(name) and - isExternalGlobal(name) - ) - or - result = DOM::domValueRef() - or - result = jquery() - or - result = externalNode().getAPropertyRead() - or - result = externalNode().getAnInvocation() - or - result = externalNode().(InvokeNode).getCallback(_).getParameter(_) -} - /** * Gets a data flow node that can be resolved to a function, usually a callback. * @@ -167,7 +76,7 @@ SourceNode nodeLeadingToInvocation() { result.flowsTo(arg) ) or - exists(AdditionalPartialInvokeNode invoke, Node arg | + exists(PartialInvokeNode invoke, Node arg | invoke.isPartialArgument(arg, _, _) and result.flowsTo(arg) ) @@ -192,49 +101,15 @@ class ResolvableCall extends RelevantInvoke { } } -/** - * A call site that is believed to call an external function. - */ -class ExternalCall extends RelevantInvoke { - ExternalCall() { - not this instanceof ResolvableCall and // avoid double counting - ( - // Call to modelled external library - this = externalNode() - or - // 'require' call or similar - this = moduleImport(_) - or - // Resolved to externs file - exists(this.(InvokeNode).getACallee(1)) - or - // Modelled as taint step but isn't from an NPM module, for example, `substring` or `push`. - exists(TaintTracking::AdditionalTaintStep step | - step.step(_, this) - or - step.step(this.getAnArgument(), _) - ) - ) - } -} - /** * A call site that could not be resolved. */ class UnresolvableCall extends RelevantInvoke { UnresolvableCall() { - not this instanceof ResolvableCall and - not this instanceof ExternalCall + not this instanceof ResolvableCall } } -/** - * A call that is believed to call a function within the same project. - */ -class NonExternalCall extends RelevantInvoke { - NonExternalCall() { not this instanceof ExternalCall } -} - /** * A function with at least one call site. */ diff --git a/javascript/ql/src/semmle/javascript/Classes.qll b/javascript/ql/src/semmle/javascript/Classes.qll index 5cf94d409f5..793ff5a92e4 100644 --- a/javascript/ql/src/semmle/javascript/Classes.qll +++ b/javascript/ql/src/semmle/javascript/Classes.qll @@ -1059,6 +1059,12 @@ class FieldDeclaration extends MemberDeclaration, @field { /** Holds if this is a TypeScript field marked as definitely assigned with the `!` operator. */ predicate hasDefiniteAssignmentAssertion() { hasDefiniteAssignmentAssertion(this) } + + override predicate isAmbient() { + hasDeclareKeyword(this) + or + getParent().isAmbient() + } } /** diff --git a/javascript/ql/src/semmle/javascript/Closure.qll b/javascript/ql/src/semmle/javascript/Closure.qll index 8e6f07a35dc..066f68ca5fa 100644 --- a/javascript/ql/src/semmle/javascript/Closure.qll +++ b/javascript/ql/src/semmle/javascript/Closure.qll @@ -248,4 +248,25 @@ module Closure { DataFlow::SourceNode moduleImport(string moduleName) { getClosureNamespaceFromSourceNode(result) = moduleName } + + /** + * A call to `goog.bind`, as a partial function invocation. + */ + private class BindCall extends DataFlow::PartialInvokeNode::Range, DataFlow::CallNode { + BindCall() { this = moduleImport("goog.bind").getACall() } + + override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { + index >= 0 and + callback = getArgument(0) and + argument = getArgument(index + 2) + } + + override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { + boundArgs = getNumArgument() - 2 and + callback = getArgument(0) and + result = this + } + + override DataFlow::Node getBoundReceiver() { result = getArgument(1) } + } } diff --git a/javascript/ql/src/semmle/javascript/Concepts.qll b/javascript/ql/src/semmle/javascript/Concepts.qll index 3d94723a013..23bbbce3b16 100644 --- a/javascript/ql/src/semmle/javascript/Concepts.qll +++ b/javascript/ql/src/semmle/javascript/Concepts.qll @@ -39,6 +39,14 @@ abstract class FileSystemAccess extends DataFlow::Node { * sanitization to prevent the path arguments from traversing outside the root folder. */ DataFlow::Node getRootPathArgument() { none() } + + /** + * Holds if this file system access will reject paths containing upward navigation + * segments (`../`). + * + * `argument` should refer to the relevant path argument or root path argument. + */ + predicate isUpwardNavigationRejected(DataFlow::Node argument) { none() } } /** diff --git a/javascript/ql/src/semmle/javascript/ES2015Modules.qll b/javascript/ql/src/semmle/javascript/ES2015Modules.qll index b1895a7366e..cd6e68455b1 100644 --- a/javascript/ql/src/semmle/javascript/ES2015Modules.qll +++ b/javascript/ql/src/semmle/javascript/ES2015Modules.qll @@ -641,4 +641,4 @@ class OriginalExportDeclaration extends ExportDeclaration { result = this.(ExportDefaultDeclaration).getSourceNode(name) or result = this.(ExportNamedDeclaration).getSourceNode(name) } -} +} \ No newline at end of file diff --git a/javascript/ql/src/semmle/javascript/Expr.qll b/javascript/ql/src/semmle/javascript/Expr.qll index 750f9d397cc..276284d5233 100644 --- a/javascript/ql/src/semmle/javascript/Expr.qll +++ b/javascript/ql/src/semmle/javascript/Expr.qll @@ -2645,3 +2645,15 @@ class OptionalChainRoot extends ChainElem { */ OptionalUse getAnOptionalUse() { result = optionalUse } } + +/** + * An `import.meta` expression. + * + * Example: + * ```js + * let url = import.meta.url; + * ``` + */ +class ImportMetaExpr extends @importmetaexpr, Expr { + override predicate isImpure() { none() } +} \ No newline at end of file diff --git a/javascript/ql/src/semmle/javascript/GeneratedCode.qll b/javascript/ql/src/semmle/javascript/GeneratedCode.qll index b4877f8a8fa..0f8b161e7ae 100644 --- a/javascript/ql/src/semmle/javascript/GeneratedCode.qll +++ b/javascript/ql/src/semmle/javascript/GeneratedCode.qll @@ -137,6 +137,11 @@ private predicate isGeneratedHtml(File f) { e.getAttributeByName("name").getValue() = "generator" ) or + exists(HTML::CommentNode comment | + comment.getText().regexpMatch("\\s*Generated by [\\w-]+ \\d+\\.\\d+\\.\\d+\\s*") and + comment.getFile() = f + ) + or 20 < countStartingHtmlElements(f, _) } diff --git a/javascript/ql/src/semmle/javascript/TypeScript.qll b/javascript/ql/src/semmle/javascript/TypeScript.qll index 005f9a5ee12..597c059eb05 100644 --- a/javascript/ql/src/semmle/javascript/TypeScript.qll +++ b/javascript/ql/src/semmle/javascript/TypeScript.qll @@ -914,20 +914,49 @@ class TypeofTypeExpr extends @typeoftypeexpr, TypeExpr { } /** - * A type of form `E is T` where `E` is a parameter name or `this`, and `T` is a type. + * A function return type that refines the type of one of its parameters or `this`. * - * This can only occur as the return type of a function type. + * Examples: + * ```js + * function f(x): x is string {} + * function f(x): asserts x is string {} + * function f(x): asserts x {} + * ``` */ -class IsTypeExpr extends @istypeexpr, TypeExpr { +class PredicateTypeExpr extends @predicatetypeexpr, TypeExpr { /** * Gets the parameter name or `this` token `E` in `E is T`. */ VarTypeAccess getParameterName() { result = this.getChildTypeExpr(0) } /** - * Gets the type `T` in `E is T`. + * Gets the type `T` in `E is T` or `asserts E is T`. + * + * Has no results for types of form `asserts E`. */ TypeExpr getPredicateType() { result = this.getChildTypeExpr(1) } + + /** + * Holds if this is a type of form `asserts E is T` or `asserts E`. + */ + predicate hasAssertsKeyword() { + hasAssertsKeyword(this) + } +} + +/** + * A function return type of form `x is T` or `asserts x is T`. + * + * Examples: + * ```js + * function f(x): x is string {} + * function f(x): asserts x is string {} + * ``` + */ +class IsTypeExpr extends PredicateTypeExpr { + IsTypeExpr() { + exists(getPredicateType()) + } } /** @@ -966,15 +995,16 @@ class ReadonlyTypeExpr extends @readonlytypeexpr, TypeExpr { * * This can occur as * - part of the operand to a `typeof` type, or - * - as the first operand to an `is` type. + * - as the first operand to a predicate type * * For example, it may occur as the `E` in these examples: * ``` * var x : typeof E * function f(...) : E is T {} + * function f(...) : asserts E {} * ``` * - * In the latter case, this may also refer to the pseudo-variable `this`. + * In the latter two cases, this may also refer to the pseudo-variable `this`. */ class VarTypeAccess extends @vartypeaccess, TypeExpr { } diff --git a/javascript/ql/src/semmle/javascript/dataflow/BackwardExploration.qll b/javascript/ql/src/semmle/javascript/dataflow/BackwardExploration.qll new file mode 100644 index 00000000000..caf67e6db7f --- /dev/null +++ b/javascript/ql/src/semmle/javascript/dataflow/BackwardExploration.qll @@ -0,0 +1,44 @@ +/** + * Provides machinery for performing backward data-flow exploration. + * + * Importing this module effectively makes all data-flow and taint-tracking configurations + * ignore their `isSource` predicate. Instead, flow is tracked from any _initial node_ (that is, + * a node without incoming flow) to a sink node. All initial nodes are then treated as source + * nodes. + * + * Data-flow exploration cannot be used with configurations depending on other configurations. + * + * NOTE: This library should only be used for debugging, not in production code. Backward + * exploration in particular does not scale on non-trivial code bases and hence is of limited + * usefulness as it stands. + */ + +import javascript + +private class BackwardExploringConfiguration extends DataFlow::Configuration { + DataFlow::Configuration cfg; + + BackwardExploringConfiguration() { + this = cfg + } + + override predicate isSource(DataFlow::Node node) { any() } + + override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel lbl) { any() } + + override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) { + exists(DataFlow::PathNode src, DataFlow::PathNode snk | hasFlowPath(src, snk) | + source = src.getNode() and + sink = snk.getNode() + ) + } + + override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { + exists(DataFlow::MidPathNode first | + source.getConfiguration() = this and + source.getASuccessor() = first and + not exists(DataFlow::MidPathNode mid | mid.getASuccessor() = first) and + first.getASuccessor*() = sink + ) + } +} diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll index 3b12416015b..568c1c92eab 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll @@ -432,18 +432,6 @@ abstract class AdditionalSink extends DataFlow::Node { predicate isSinkFor(Configuration cfg, FlowLabel lbl) { none() } } -/** - * An invocation that is modeled as a partial function application. - * - * This contributes additional argument-passing flow edges that should be added to all data flow configurations. - */ -abstract class AdditionalPartialInvokeNode extends DataFlow::InvokeNode { - /** - * Holds if `argument` is passed as argument `index` to the function in `callback`. - */ - abstract predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index); -} - /** * Additional flow step to model flow from import specifiers into the SSA variable * corresponding to the imported variable. @@ -457,45 +445,6 @@ private class FlowStepThroughImport extends AdditionalFlowStep, DataFlow::ValueN } } -/** - * A partial call through the built-in `Function.prototype.bind`. - */ -private class BindPartialCall extends AdditionalPartialInvokeNode, DataFlow::MethodCallNode { - BindPartialCall() { getMethodName() = "bind" } - - override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { - callback = getReceiver() and - argument = getArgument(index + 1) - } -} - -/** - * A partial call through `_.partial`. - */ -private class LodashPartialCall extends AdditionalPartialInvokeNode { - LodashPartialCall() { this = LodashUnderscore::member("partial").getACall() } - - override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { - callback = getArgument(0) and - argument = getArgument(index + 1) - } -} - -/** - * A partial call through `ramda.partial`. - */ -private class RamdaPartialCall extends AdditionalPartialInvokeNode { - RamdaPartialCall() { this = DataFlow::moduleMember("ramda", "partial").getACall() } - - override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { - callback = getArgument(0) and - exists(DataFlow::ArrayCreationNode array | - array.flowsTo(getArgument(1)) and - argument = array.getElement(index) - ) - } -} - /** * Holds if there is a flow step from `pred` to `succ` described by `summary` * under configuration `cfg`. @@ -505,6 +454,7 @@ private class RamdaPartialCall extends AdditionalPartialInvokeNode { private predicate basicFlowStep( DataFlow::Node pred, DataFlow::Node succ, PathSummary summary, DataFlow::Configuration cfg ) { + isLive() and isRelevantForward(pred, cfg) and ( // Local flow @@ -939,9 +889,9 @@ private predicate flowsTo( PathNode flowsource, DataFlow::Node source, SinkPathNode flowsink, DataFlow::Node sink, DataFlow::Configuration cfg ) { - flowsource = MkPathNode(source, cfg, _) and + flowsource.wraps(source, cfg) and flowsink = flowsource.getASuccessor*() and - flowsink = MkPathNode(sink, id(cfg), _) + flowsink.wraps(sink, id(cfg)) } /** @@ -984,19 +934,45 @@ private predicate onPath(DataFlow::Node nd, DataFlow::Configuration cfg, PathSum } /** - * Holds if `cfg` has at least one source and at least one sink. + * Holds if there is a configuration that has at least one source and at least one sink. */ pragma[noinline] -private predicate isLive(DataFlow::Configuration cfg) { isSource(_, cfg, _) and isSink(_, cfg, _) } +private predicate isLive() { exists(DataFlow::Configuration cfg | isSource(_, cfg, _) and isSink(_, cfg, _)) } /** * A data flow node on an inter-procedural path from a source. */ private newtype TPathNode = - MkPathNode(DataFlow::Node nd, DataFlow::Configuration cfg, PathSummary summary) { - isLive(cfg) and + MkSourceNode(DataFlow::Node nd, DataFlow::Configuration cfg) { isSourceNode(nd, cfg, _) } + or + MkMidNode(DataFlow::Node nd, DataFlow::Configuration cfg, PathSummary summary) { + isLive() and onPath(nd, cfg, summary) } + or + MkSinkNode(DataFlow::Node nd, DataFlow::Configuration cfg) { isSinkNode(nd, cfg, _) } + +/** + * Holds if `nd` is a source node for configuration `cfg`, and there is a path from `nd` to a sink + * with the given `summary`. + */ +private predicate isSourceNode(DataFlow::Node nd, DataFlow::Configuration cfg, PathSummary summary) { + exists(FlowLabel lbl | summary = PathSummary::level(lbl) | + isSource(nd, cfg, lbl) and + isLive() and + onPath(nd, cfg, summary) + ) +} + +/** + * Holds if `nd` is a sink node for configuration `cfg`, and there is a path from a source to `nd` + * with the given `summary`. + */ +private predicate isSinkNode(DataFlow::Node nd, DataFlow::Configuration cfg, PathSummary summary) { + isSink(nd, cfg, summary.getEndLabel()) and + isLive() and + onPath(nd, cfg, summary) +} /** * Maps `cfg` to itself. @@ -1008,48 +984,46 @@ bindingset[cfg, result] private DataFlow::Configuration id(DataFlow::Configuration cfg) { result >= cfg and cfg >= result } /** - * A data flow node on an inter-procedural path from a source to a sink. + * A data-flow node on an inter-procedural path from a source to a sink. * - * A path node is a triple `(nd, cfg, summary)` where `nd` is a data flow node and `cfg` - * is a data flow tracking configuration such that `nd` is on a path from a source to a - * sink under `cfg` summarized by `summary`. + * A path node wraps a data-flow node `nd` and a data-flow configuration `cfg` such that `nd` is + * on a path from a source to a sink under `cfg`. + * + * There are three kinds of path nodes: + * + * - source nodes: wrapping a source node and a configuration such that there is a path from that + * source to some sink under the configuration; + * - sink nodes: wrapping a sink node and a configuration such that there is a path from some source + * to that sink under the configuration; + * - mid nodes: wrapping a node, a configuration and a path summary such that there is a path from + * some source to the node with the given summary that can be extended to a path to some sink node, + * all under the configuration. */ class PathNode extends TPathNode { DataFlow::Node nd; - DataFlow::Configuration cfg; - PathSummary summary; + Configuration cfg; - PathNode() { this = MkPathNode(nd, cfg, summary) } + PathNode() { + this = MkSourceNode(nd, cfg) or + this = MkMidNode(nd, cfg, _) or + this = MkSinkNode(nd, cfg) + } - /** Gets the underlying data flow node of this path node. */ - DataFlow::Node getNode() { result = nd } + /** Holds if this path node wraps data-flow node `nd` and configuration `c`. */ + predicate wraps(DataFlow::Node n, DataFlow::Configuration c) { + nd = n and cfg = c + } - /** Gets the underlying data flow tracking configuration of this path node. */ + /** Gets the underlying configuration of this path node. */ DataFlow::Configuration getConfiguration() { result = cfg } - /** Gets the summary of the path underlying this path node. */ - PathSummary getPathSummary() { result = summary } - - /** - * Gets a successor node of this path node, including hidden nodes. - */ - private PathNode getASuccessorInternal() { - exists(DataFlow::Node succ, PathSummary newSummary | - flowStep(nd, id(cfg), succ, newSummary) and - result = MkPathNode(succ, id(cfg), summary.append(newSummary)) - ) - } - - /** - * Gets a successor of this path node, if it is a hidden node. - */ - private PathNode getAHiddenSuccessor() { - isHidden() and - result = getASuccessorInternal() - } + /** Gets the underlying data-flow node of this path node. */ + DataFlow::Node getNode() { result = nd } /** Gets a successor node of this path node. */ - PathNode getASuccessor() { result = getASuccessorInternal().getAHiddenSuccessor*() } + final PathNode getASuccessor() { + result = getASuccessor(this) + } /** Gets a textual representation of this path node. */ string toString() { result = nd.toString() } @@ -1066,6 +1040,68 @@ class PathNode extends TPathNode { ) { nd.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) } +} + +/** Gets the mid node corresponding to `src`. */ +private MidPathNode initialMidNode(SourcePathNode src) { + exists(DataFlow::Node nd, Configuration cfg, PathSummary summary | + result.wraps(nd, cfg, summary) and + src = MkSourceNode(nd, cfg) and + isSourceNode(nd, cfg, summary) + ) +} + +/** Gets the mid node corresponding to `snk`. */ +private MidPathNode finalMidNode(SinkPathNode snk) { + exists(DataFlow::Node nd, Configuration cfg, PathSummary summary | + result.wraps(nd, cfg, summary) and + snk = MkSinkNode(nd, cfg) and + isSinkNode(nd, cfg, summary) + ) +} + +/** + * Gets a node to which data from `nd` may flow in one step. + */ +private PathNode getASuccessor(PathNode nd) { + // source node to mid node + result = initialMidNode(nd) + or + // mid node to mid node + exists(Configuration cfg, DataFlow::Node predNd, PathSummary summary, DataFlow::Node succNd, PathSummary newSummary | + nd = MkMidNode(predNd, cfg, summary) and + flowStep(predNd, id(cfg), succNd, newSummary) and + result = MkMidNode(succNd, id(cfg), summary.append(newSummary)) + ) + or + // mid node to sink node + nd = finalMidNode(result) +} + +private PathNode getASuccessorIfHidden(PathNode nd) { + nd.(MidPathNode).isHidden() and + result = getASuccessor(nd) +} + +/** + * A path node corresponding to an intermediate node on a path from a source to a sink. + * + * A mid node is a triple `(nd, cfg, summary)` where `nd` is a data-flow node and `cfg` + * is a configuration such that `nd` is on a path from a source to a sink under `cfg` + * summarized by `summary`. + */ +class MidPathNode extends PathNode, MkMidNode { + PathSummary summary; + + MidPathNode() { this = MkMidNode(nd, cfg, summary) } + + /** Gets the summary of the path underlying this path node. */ + PathSummary getPathSummary() { result = summary } + + /** Holds if this path node wraps data-flow node `nd`, configuration `c` and summary `s`. */ + predicate wraps(DataFlow::Node n, DataFlow::Configuration c, PathSummary s) { + nd = n and cfg = c and summary = s + } /** * Holds if this node is hidden from paths in path explanation queries, except @@ -1085,20 +1121,15 @@ class PathNode extends TPathNode { /** * A path node corresponding to a flow source. */ -class SourcePathNode extends PathNode { - SourcePathNode() { - exists(FlowLabel lbl | - summary = PathSummary::level(lbl) and - isSource(nd, cfg, lbl) - ) - } +class SourcePathNode extends PathNode, MkSourceNode { + SourcePathNode() { this = MkSourceNode(nd, cfg) } } /** * A path node corresponding to a flow sink. */ -class SinkPathNode extends PathNode { - SinkPathNode() { isSink(nd, cfg, summary.getEndLabel()) } +class SinkPathNode extends PathNode, MkSinkNode { + SinkPathNode() { this = MkSinkNode(nd, cfg) } } /** @@ -1107,11 +1138,51 @@ class SinkPathNode extends PathNode { module PathGraph { /** Holds if `nd` is a node in the graph of data flow path explanations. */ query predicate nodes(PathNode nd) { - not nd.isHidden() or - nd instanceof SourcePathNode or - nd instanceof SinkPathNode + not nd.(MidPathNode).isHidden() + } + + /** + * Gets a node to which data from `nd` may flow in one step, skipping over hidden nodes. + */ + private PathNode succ0(PathNode nd) { + result = getASuccessorIfHidden*(nd.getASuccessor()) and + // skip hidden nodes + nodes(nd) and nodes(result) + } + + /** + * Gets a node to which data from `nd` may flow in one step, where outgoing edges from intermediate + * nodes are merged with any incoming edge from a corresponding source node. + * + * For example, assume that `src` is a source node for `nd1`, which has `nd2` as its direct + * successor. Then `succ0` will yield two edges `src` → `nd1` and `nd1` → `nd2`, + * to which `succ1` will add the edge `src` → `nd2`. + */ + private PathNode succ1(PathNode nd) { + result = succ0(nd) + or + result = succ0(initialMidNode(nd)) + } + + /** + * Gets a node to which data from `nd` may flow in one step, where incoming edges into intermediate + * nodes are merged with any outgoing edge to a corresponding sink node. + * + * For example, assume that `snk` is a source node for `nd2`, which has `nd1` as its direct + * predecessor. Then `succ1` will yield two edges `nd1` → `nd2` and `nd2` → `snk`, + * while `succ2` will yield just one edge `nd1` → `snk`. + */ + private PathNode succ2(PathNode nd) { + result = succ1(nd) + or + succ1(nd) = finalMidNode(result) } /** Holds if `pred` → `succ` is an edge in the graph of data flow path explanations. */ - query predicate edges(PathNode pred, PathNode succ) { pred.getASuccessor() = succ } + query predicate edges(PathNode pred, PathNode succ) { + succ = succ2(pred) and + // skip over uninteresting edges + not succ = initialMidNode(pred) and + not pred = finalMidNode(succ) + } } diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll index 88f42d810c4..8798df6cc37 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll @@ -19,6 +19,7 @@ */ import javascript +private import internal.CallGraphs module DataFlow { cached @@ -117,14 +118,23 @@ module DataFlow { int getIntValue() { result = asExpr().getIntValue() } /** Gets a function value that may reach this node. */ - FunctionNode getAFunctionValue() { - result.getAstNode() = analyze().getAValue().(AbstractCallable).getFunction() + final FunctionNode getAFunctionValue() { + CallGraph::getAFunctionReference(result, 0).flowsTo(this) + } + + /** Gets a function value that may reach this node with the given `imprecision` level. */ + final FunctionNode getAFunctionValue(int imprecision) { + CallGraph::getAFunctionReference(result, imprecision).flowsTo(this) + } + + /** + * Gets a function value that may reach this node, + * possibly derived from a partial function invocation. + */ + final FunctionNode getABoundFunctionValue(int boundArgs) { + result = getAFunctionValue() and boundArgs = 0 or - exists(string name | - GlobalAccessPath::isAssignedInUniqueFile(name) and - GlobalAccessPath::fromRhs(result) = name and - GlobalAccessPath::fromReference(this) = name - ) + CallGraph::getABoundFunctionReference(result, boundArgs).flowsTo(this) } /** @@ -1415,6 +1425,8 @@ module DataFlow { or e instanceof NewTargetExpr or + e instanceof ImportMetaExpr + or e instanceof FunctionBindExpr or e instanceof TaggedTemplateExpr diff --git a/javascript/ql/src/semmle/javascript/dataflow/ForwardExploration.qll b/javascript/ql/src/semmle/javascript/dataflow/ForwardExploration.qll new file mode 100644 index 00000000000..0e3a7ae91c2 --- /dev/null +++ b/javascript/ql/src/semmle/javascript/dataflow/ForwardExploration.qll @@ -0,0 +1,42 @@ +/** + * Provides machinery for performing forward data-flow exploration. + * + * Importing this module effectively makes all data-flow and taint-tracking configurations + * ignore their `isSink` predicate. Instead, flow is tracked from source nodes as far as + * possible, until a _terminal node_ (that is, a node without any outgoing flow) is reached. + * All terminal nodes are then treated as sink nodes. + * + * Data-flow exploration cannot be used with configurations depending on other configurations. + * + * NOTE: This library should only be used for debugging, not in production code. + */ + +import javascript + +private class ForwardExploringConfiguration extends DataFlow::Configuration { + DataFlow::Configuration cfg; + + ForwardExploringConfiguration() { + this = cfg + } + + override predicate isSink(DataFlow::Node node) { any() } + + override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) { any() } + + override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) { + exists(DataFlow::PathNode src, DataFlow::PathNode snk | hasFlowPath(src, snk) | + source = src.getNode() and + sink = snk.getNode() + ) + } + + override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { + exists(DataFlow::MidPathNode last | + source.getConfiguration() = this and + source.getASuccessor*() = last and + not last.getASuccessor() instanceof DataFlow::MidPathNode and + last.getASuccessor() = sink + ) + } +} diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll index 896391ec827..a44f2909ce0 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll @@ -6,6 +6,7 @@ private import javascript private import semmle.javascript.dependencies.Dependencies +private import internal.CallGraphs /** A data flow node corresponding to an expression. */ class ExprNode extends DataFlow::ValueNode { @@ -89,9 +90,43 @@ class InvokeNode extends DataFlow::SourceNode { Function getEnclosingFunction() { result = getBasicBlock().getContainer() } - /** Gets a function passed as the `i`th argument of this invocation. */ + /** + * Gets a function passed as the `i`th argument of this invocation. + * + * This predicate only performs local data flow tracking. + * Consider using `getABoundCallbackParameter` to handle interprocedural flow of callback functions. + */ FunctionNode getCallback(int i) { result.flowsTo(getArgument(i)) } + /** + * Gets a parameter of a callback passed into this call. + * + * `callback` indicates which argument the callback passed into, and `param` + * is the index of the parameter in the callback function. + * + * For example, for the call below, `getABoundCallbackParameter(1, 0)` refers + * to the parameter `e` (the first parameter of the second callback argument): + * ```js + * addEventHandler("click", e => { ... }) + * ``` + * + * This predicate takes interprocedural data flow into account, as well as + * partial function applications such as `.bind`. + * + * For example, for the call below `getABoundCallbackParameter(1, 0)` returns the parameter `e`, + * (the first parameter of the second callback argument), since the first parameter of `foo` + * has been bound by the `bind` call: + * ```js + * function foo(x, e) { } + * addEventHandler("click", foo.bind(this, "value of x")) + * ``` + */ + ParameterNode getABoundCallbackParameter(int callback, int param) { + exists(int boundArgs | + result = getArgument(callback).getABoundFunctionValue(boundArgs).getParameter(param + boundArgs) + ) + } + /** * Holds if the `i`th argument of this invocation is an object literal whose property * `name` is set to `result`. @@ -104,7 +139,7 @@ class InvokeNode extends DataFlow::SourceNode { } /** Gets an abstract value representing possible callees of this call site. */ - AbstractValue getACalleeValue() { result = InvokeNode::getACalleeValue(this) } + final AbstractValue getACalleeValue() { result = getCalleeNode().analyze().getAValue() } /** * Gets a potential callee of this call site. @@ -112,7 +147,7 @@ class InvokeNode extends DataFlow::SourceNode { * To alter the call graph as seen by the interprocedural data flow libraries, override * the `getACallee(int imprecision)` predicate instead. */ - Function getACallee() { result = InvokeNode::getACallee(this) } + final Function getACallee() { result = getACallee(0) } /** * Gets a callee of this call site where `imprecision` is a heuristic measure of how @@ -120,12 +155,15 @@ class InvokeNode extends DataFlow::SourceNode { * imprecise analysis of global variables and is not, in fact, a viable callee at all. * * Callees with imprecision zero, in particular, have either been derived without - * considering global variables, or are calls to a global variable within the same file. + * considering global variables, or are calls to a global variable within the same file, + * or a global variable that has unique definition within the project. * * This predicate can be overridden to alter the call graph used by the interprocedural * data flow libraries. */ - Function getACallee(int imprecision) { result = InvokeNode::getACallee(this, imprecision) } + Function getACallee(int imprecision) { + result = CallGraph::getACallee(this, imprecision).getFunction() + } /** * Holds if the approximation of possible callees for this call site is @@ -173,60 +211,6 @@ class InvokeNode extends DataFlow::SourceNode { } } -/** Auxiliary module used to cache a few related predicates together. */ -cached -private module InvokeNode { - /** Gets an abstract value representing possible callees of `invk`. */ - cached - AbstractValue getACalleeValue(InvokeNode invk) { - result = invk.getCalleeNode().analyze().getAValue() - } - - /** Gets a potential callee of `invk` based on dataflow analysis results. */ - private Function getACalleeFromDataflow(InvokeNode invk) { - result = getACalleeValue(invk).(AbstractCallable).getFunction() - } - - /** Gets a potential callee of `invk`. */ - cached - Function getACallee(InvokeNode invk) { - result = getACalleeFromDataflow(invk) - or - not exists(getACalleeFromDataflow(invk)) and - result = invk.(DataFlow::Impl::ExplicitInvokeNode).asExpr().(InvokeExpr).getResolvedCallee() - } - - /** - * Gets a callee of `invk` where `imprecision` is a heuristic measure of how - * likely it is that `callee` is only suggested as a potential callee due to - * imprecise analysis of global variables and is not, in fact, a viable callee at all. - * - * Callees with imprecision zero, in particular, have either been derived without - * considering global variables, or are calls to a global variable within the same file. - */ - cached - Function getACallee(InvokeNode invk, int imprecision) { - result = getACallee(invk) and - ( - // if global flow was used to derive the callee, we may be imprecise - if invk.isIndefinite("global") - then - // callees within the same file are probably genuine - result.getFile() = invk.getFile() and imprecision = 0 - or - // calls to global functions declared in an externs file are fairly - // safe as well - result.inExternsFile() and imprecision = 1 - or - // otherwise we make worst-case assumptions - imprecision = 2 - else - // no global flow, so no imprecision - imprecision = 0 - ) - } -} - /** A data flow node corresponding to a function call without `new`. */ class CallNode extends InvokeNode { override DataFlow::Impl::CallNodeDef impl; @@ -403,6 +387,9 @@ class ArrayLiteralNode extends DataFlow::ValueNode, DataFlow::SourceNode { /** Gets an element of this array literal. */ DataFlow::ValueNode getAnElement() { result = DataFlow::valueNode(astNode.getAnElement()) } + + /** Gets the initial size of this array. */ + int getSize() { result = astNode.getSize() } } /** A data flow node corresponding to a `new Array()` or `Array()` invocation. */ @@ -420,6 +407,14 @@ class ArrayConstructorInvokeNode extends DataFlow::InvokeNode { getNumArgument() > 1 and result = getAnArgument() } + + /** Gets the initial size of the created array, if it can be determined. */ + int getSize() { + if getNumArgument() = 1 then + result = getArgument(0).getIntValue() + else + result = count(getAnElement()) + } } /** @@ -440,6 +435,12 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode { /** Gets an initial element of this array, if one if provided. */ DataFlow::ValueNode getAnElement() { result = getElement(_) } + + /** Gets the initial size of the created array, if it can be determined. */ + int getSize() { + result = this.(ArrayLiteralNode).getSize() or + result = this.(ArrayConstructorInvokeNode).getSize() + } } /** @@ -660,6 +661,8 @@ class ClassNode extends DataFlow::SourceNode { /** * Gets a direct super class of this class. + * + * This predicate can be overridden to customize the class hierarchy. */ ClassNode getADirectSuperClass() { result.getAClassReference().flowsTo(getASuperClassNode()) } @@ -689,10 +692,17 @@ class ClassNode extends DataFlow::SourceNode { /** * Gets a dataflow node that refers to this class object. + * + * This predicate can be overridden to customize the tracking of class objects. */ - private DataFlow::SourceNode getAClassReference(DataFlow::TypeTracker t) { + DataFlow::SourceNode getAClassReference(DataFlow::TypeTracker t) { t.start() and - result.(AnalyzedNode).getAValue() = getAbstractClassValue() + result.(AnalyzedNode).getAValue() = getAbstractClassValue() and + ( + not CallGraph::isIndefiniteGlobal(result) + or + result.getAstNode().getFile() = this.getAstNode().getFile() + ) or exists(DataFlow::TypeTracker t2 | result = getAClassReference(t2).track(t2, t)) } @@ -701,14 +711,16 @@ class ClassNode extends DataFlow::SourceNode { * Gets a dataflow node that refers to this class object. */ cached - DataFlow::SourceNode getAClassReference() { + final DataFlow::SourceNode getAClassReference() { result = getAClassReference(DataFlow::TypeTracker::end()) } /** * Gets a dataflow node that refers to an instance of this class. + * + * This predicate can be overridden to customize the tracking of class instances. */ - private DataFlow::SourceNode getAnInstanceReference(DataFlow::TypeTracker t) { + DataFlow::SourceNode getAnInstanceReference(DataFlow::TypeTracker t) { result = getAClassReference(t.continue()).getAnInstantiation() or t.start() and @@ -743,10 +755,17 @@ class ClassNode extends DataFlow::SourceNode { * Gets a dataflow node that refers to an instance of this class. */ cached - DataFlow::SourceNode getAnInstanceReference() { + final DataFlow::SourceNode getAnInstanceReference() { result = getAnInstanceReference(DataFlow::TypeTracker::end()) } + /** + * Gets an access to a static member of this class. + */ + DataFlow::PropRead getAStaticMemberAccess(string name) { + result = getAClassReference().getAPropertyRead(name) + } + /** * Holds if this class is exposed in the global scope through the given qualified name. */ @@ -978,3 +997,140 @@ module ClassNode { } } } + +/** + * A data flow node that performs a partial function application. + * + * Examples: + * ```js + * fn.bind(this) + * x.method.bind(x) + * _.partial(fn, x, y, z) + * ``` + */ +class PartialInvokeNode extends DataFlow::Node { + PartialInvokeNode::Range range; + + PartialInvokeNode() { this = range } + + /** + * Holds if `argument` is passed as argument `index` to the function in `callback`. + */ + predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { + range.isPartialArgument(callback, argument, index) + } + + /** + * Gets a node referring to a bound version of `callback` with `boundArgs` arguments bound. + */ + DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { + result = range.getBoundFunction(callback, boundArgs) + } + + /** + * Gets the node holding the receiver to be passed to the bound function, if specified. + */ + DataFlow::Node getBoundReceiver() { result = range.getBoundReceiver() } +} + +module PartialInvokeNode { + /** + * A data flow node that performs a partial function application. + */ + abstract class Range extends DataFlow::Node { + /** + * Holds if `argument` is passed as argument `index` to the function in `callback`. + */ + predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { none() } + + /** + * Gets a node referring to a bound version of `callback` with `boundArgs` arguments bound. + */ + DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { none() } + + /** + * Gets the node holding the receiver to be passed to the bound function, if specified. + */ + DataFlow::Node getBoundReceiver() { none() } + } + + /** + * A partial call through the built-in `Function.prototype.bind`. + */ + private class BindPartialCall extends PartialInvokeNode::Range, DataFlow::MethodCallNode { + BindPartialCall() { + getMethodName() = "bind" and + + // Avoid overlap with angular.bind and goog.bind + not this = AngularJS::angular().getAMethodCall() and + not getReceiver().accessesGlobal("goog") + } + + override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { + index >= 0 and + callback = getReceiver() and + argument = getArgument(index + 1) + } + + override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { + callback = getReceiver() and + boundArgs = getNumArgument() - 1 and + result = this + } + + override DataFlow::Node getBoundReceiver() { + result = getArgument(0) + } + } + + /** + * A partial call through `_.partial`. + */ + private class LodashPartialCall extends PartialInvokeNode::Range, DataFlow::CallNode { + LodashPartialCall() { this = LodashUnderscore::member("partial").getACall() } + + override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { + index >= 0 and + callback = getArgument(0) and + argument = getArgument(index + 1) + } + + override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { + callback = getArgument(0) and + boundArgs = getNumArgument() - 1 and + result = this + } + } + + /** + * A partial call through `ramda.partial`. + */ + private class RamdaPartialCall extends PartialInvokeNode::Range, DataFlow::CallNode { + RamdaPartialCall() { this = DataFlow::moduleMember("ramda", "partial").getACall() } + + private DataFlow::ArrayCreationNode getArgumentsArray() { + result.flowsTo(getArgument(1)) + } + + override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { + callback = getArgument(0) and + argument = getArgumentsArray().getElement(index) + } + + override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { + callback = getArgument(0) and + boundArgs = getArgumentsArray().getSize() and + result = this + } + } +} + +/** + * DEPRECATED. Subclasses should extend `PartialInvokeNode::Range` instead, + * and predicates should use `PartialInvokeNode` instead. + * + * An invocation that is modeled as a partial function application. + * + * This contributes additional argument-passing flow edges that should be added to all data flow configurations. + */ +deprecated class AdditionalPartialInvokeNode = PartialInvokeNode::Range; diff --git a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll index 9cf4ca2b646..6b179f726c4 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll @@ -235,7 +235,8 @@ module SourceNode { astNode instanceof FunctionSentExpr or astNode instanceof FunctionBindExpr or astNode instanceof DynamicImportExpr or - astNode instanceof ImportSpecifier + astNode instanceof ImportSpecifier or + astNode instanceof ImportMetaExpr ) or DataFlow::parameterNode(this, _) diff --git a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll index 231ae4c45d1..ef639d99ad4 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll @@ -55,6 +55,7 @@ module StepSummary { /** * INTERNAL: Use `SourceNode.track()` or `SourceNode.backtrack()` instead. */ + cached predicate step(DataFlow::SourceNode pred, DataFlow::SourceNode succ, StepSummary summary) { exists(DataFlow::Node mid | pred.flowsTo(mid) | smallstep(mid, succ, summary)) } @@ -170,6 +171,7 @@ class TypeTracker extends TTypeTracker { TypeTracker() { this = MkTypeTracker(hasCall, prop) } /** Gets the summary resulting from appending `step` to this type-tracking summary. */ + cached TypeTracker append(StepSummary step) { step = LevelStep() and result = this or diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll new file mode 100644 index 00000000000..a5e140734a4 --- /dev/null +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll @@ -0,0 +1,149 @@ +/** + * Internal predicates for computing the call graph. + */ +private import javascript + +cached +module CallGraph { + /** Gets the function referenced by `node`, as determined by the type inference. */ + cached + Function getAFunctionValue(AnalyzedNode node) { + result = node.getAValue().(AbstractCallable).getFunction() + } + + /** Holds if the type inferred for `node` is indefinite due to global flow. */ + cached + predicate isIndefiniteGlobal(AnalyzedNode node) { + node.analyze().getAValue().isIndefinite("global") + } + + /** + * Gets a data flow node that refers to the given function. + * + * Note that functions are not currently type-tracked, but this exposes the type-tracker `t` + * from underlying class tracking if the function came from a class or instance. + */ + pragma[nomagic] + private + DataFlow::SourceNode getAFunctionReference(DataFlow::FunctionNode function, int imprecision, DataFlow::TypeTracker t) { + t.start() and + exists(Function fun | + fun = function.getFunction() and + fun = getAFunctionValue(result) + | + if isIndefiniteGlobal(result) then + fun.getFile() = result.getFile() and imprecision = 0 + or + fun.inExternsFile() and imprecision = 1 + or + imprecision = 2 + else + imprecision = 0 + ) + or + imprecision = 0 and + t.start() and + exists(string name | + GlobalAccessPath::isAssignedInUniqueFile(name) and + GlobalAccessPath::fromRhs(function) = name and + GlobalAccessPath::fromReference(result) = name + ) + or + imprecision = 0 and + exists(DataFlow::ClassNode cls | + exists(string name | + function = cls.getInstanceMethod(name) and + getAnInstanceMemberAccess(cls, name, t.continue()).flowsTo(result) + or + function = cls.getStaticMethod(name) and + cls.getAClassReference(t.continue()).getAPropertyRead(name).flowsTo(result) + ) + or + function = cls.getConstructor() and + cls.getAClassReference(t.continue()).flowsTo(result) + ) + } + + /** + * Gets a data flow node that refers to the given function. + */ + cached + DataFlow::SourceNode getAFunctionReference(DataFlow::FunctionNode function, int imprecision) { + result = getAFunctionReference(function, imprecision, DataFlow::TypeTracker::end()) + } + + /** + * Gets a data flow node that refers to the result of the given partial function invocation, + * with `function` as the underlying function. + */ + pragma[nomagic] + private + DataFlow::SourceNode getABoundFunctionReference(DataFlow::FunctionNode function, int boundArgs, DataFlow::TypeTracker t) { + exists(DataFlow::PartialInvokeNode partial, DataFlow::Node callback | + result = partial.getBoundFunction(callback, boundArgs) and + getAFunctionReference(function, 0, t.continue()).flowsTo(callback) + ) + or + exists(DataFlow::StepSummary summary, DataFlow::TypeTracker t2 | + result = getABoundFunctionReferenceAux(function, boundArgs, t2, summary) and + t = t2.append(summary) + ) + } + + pragma[noinline] + private + DataFlow::SourceNode getABoundFunctionReferenceAux(DataFlow::FunctionNode function, int boundArgs, DataFlow::TypeTracker t, DataFlow::StepSummary summary) { + exists(DataFlow::SourceNode prev | + prev = getABoundFunctionReference(function, boundArgs, t) and + DataFlow::StepSummary::step(prev, result, summary) + ) + } + + /** + * Gets a data flow node that refers to the result of the given partial function invocation, + * with `function` as the underlying function. + */ + cached + DataFlow::SourceNode getABoundFunctionReference(DataFlow::FunctionNode function, int boundArgs) { + result = getABoundFunctionReference(function, boundArgs, DataFlow::TypeTracker::end()) + } + + /** + * Gets a property read that accesses the property `name` on an instance of this class. + * + * Concretely, this holds when the base is an instance of this class or a subclass thereof. + * + * This predicate may be overridden to customize the class hierarchy analysis. + */ + pragma[nomagic] + private + DataFlow::PropRead getAnInstanceMemberAccess(DataFlow::ClassNode cls, string name, DataFlow::TypeTracker t) { + result = cls.getAnInstanceReference(t.continue()).getAPropertyRead(name) + or + exists(DataFlow::ClassNode subclass | + result = getAnInstanceMemberAccess(subclass, name, t) and + not exists(subclass.getInstanceMember(name, _)) and + cls = subclass.getADirectSuperClass() + ) + } + + /** + * Gets a possible callee of `node` with the given `imprecision`. + * + * Does not include custom call edges. + */ + cached + DataFlow::FunctionNode getACallee(DataFlow::InvokeNode node, int imprecision) { + getAFunctionReference(result, imprecision).flowsTo(node.getCalleeNode()) + or + imprecision = 0 and + exists(InvokeExpr expr | expr = node.(DataFlow::Impl::ExplicitInvokeNode).asExpr() | + result.getFunction() = expr.getResolvedCallee() + or + exists(DataFlow::ClassNode cls | + expr.(SuperCall).getBinder() = cls.getConstructor().getFunction() and + result = cls.getADirectSuperClass().getConstructor() + ) + ) + } +} diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll index 85b15285fd8..6a7d86770c7 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll @@ -97,54 +97,11 @@ private module CachedSteps { f = cap.getContainer() } - /** - * Holds if the method invoked by `invoke` resolved to a member named `name` in `cls` - * or one of its super classes. - */ - cached - predicate callResolvesToMember(DataFlow::InvokeNode invoke, DataFlow::ClassNode cls, string name) { - invoke = cls.getAnInstanceReference().getAMethodCall(name) - or - exists(DataFlow::ClassNode subclass | - callResolvesToMember(invoke, subclass, name) and - not exists(subclass.getAnInstanceMember(name)) and - cls = subclass.getADirectSuperClass() - ) - } - /** * Holds if `invk` may invoke `f`. */ cached - predicate calls(DataFlow::InvokeNode invk, Function f) { - f = invk.getACallee(0) - or - exists(DataFlow::ClassNode cls | - // Call to class member - exists(string name | - callResolvesToMember(invk, cls, name) and - f = cls.getInstanceMethod(name).getFunction() - or - invk = cls.getAClassReference().getAMethodCall(name) and - f = cls.getStaticMethod(name).getFunction() - ) - or - // Call to constructor - invk = cls.getAClassReference().getAnInvocation() and - f = cls.getConstructor().getFunction() - or - // Super call to constructor - invk.asExpr().(SuperCall).getBinder() = cls.getConstructor().getFunction() and - f = cls.getADirectSuperClass().getConstructor().getFunction() - ) - or - // Call from `foo.bar.baz()` to `foo.bar.baz = function()` - exists(string name | - GlobalAccessPath::isAssignedInUniqueFile(name) and - GlobalAccessPath::fromRhs(f.flow()) = name and - GlobalAccessPath::fromReference(invk.getCalleeNode()) = name - ) - } + predicate calls(DataFlow::InvokeNode invk, Function f) { f = invk.getACallee(0) } /** * Holds if `invk` may invoke `f` indirectly through the given `callback` argument. @@ -152,7 +109,7 @@ private module CachedSteps { * This only holds for explicitly modeled partial calls. */ private predicate partiallyCalls( - DataFlow::AdditionalPartialInvokeNode invk, DataFlow::AnalyzedNode callback, Function f + DataFlow::PartialInvokeNode invk, DataFlow::AnalyzedNode callback, Function f ) { invk.isPartialArgument(callback, _, _) and exists(AbstractFunction callee | callee = callback.getAValue() | @@ -184,7 +141,7 @@ private module CachedSteps { ) or exists(DataFlow::Node callback, int i, Parameter p | - invk.(DataFlow::AdditionalPartialInvokeNode).isPartialArgument(callback, arg, i) and + invk.(DataFlow::PartialInvokeNode).isPartialArgument(callback, arg, i) and partiallyCalls(invk, callback, f) and f.getParameter(i) = p and not p.isRestParameter() and @@ -525,3 +482,4 @@ module PathSummary { */ PathSummary return() { exists(FlowLabel lbl | result = MkPathSummary(true, false, lbl, lbl)) } } + diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll index 54e98769964..0f6b816daeb 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll @@ -50,17 +50,17 @@ abstract class AnalyzedPropertyRead extends DataFlow::AnalyzedNode { } /** - * Flow analysis for (non-numeric) property read accesses. + * Flow analysis for non-numeric property read accesses. */ -private class AnalyzedPropertyAccess extends AnalyzedPropertyRead, DataFlow::ValueNode { - override PropAccess astNode; +private class AnalyzedNonNumericPropertyRead extends AnalyzedPropertyRead { + DataFlow::PropRead self; DataFlow::AnalyzedNode baseNode; string propName; - AnalyzedPropertyAccess() { - astNode.accesses(baseNode.asExpr(), propName) and - isNonNumericPropertyName(propName) and - astNode instanceof RValue + AnalyzedNonNumericPropertyRead() { + this = self and + self.accesses(baseNode, propName) and + isNonNumericPropertyName(propName) } override predicate reads(AbstractValue base, string prop) { @@ -148,7 +148,7 @@ private predicate explicitPropertyWrite( * Flow analysis for `arguments.callee`. We assume it is never redefined, * which is unsound in practice, but pragmatically useful. */ -private class AnalyzedArgumentsCallee extends AnalyzedPropertyAccess { +private class AnalyzedArgumentsCallee extends AnalyzedNonNumericPropertyRead { AnalyzedArgumentsCallee() { propName = "callee" } override AbstractValue getALocalValue() { @@ -156,18 +156,18 @@ private class AnalyzedArgumentsCallee extends AnalyzedPropertyAccess { result = TAbstractFunction(baseVal.getFunction()) ) or - hasNonArgumentsBase(astNode) and result = super.getALocalValue() + hasNonArgumentsBase(self) and result = super.getALocalValue() } } /** - * Holds if `pacc` is of the form `e.callee` where `e` could evaluate to some + * Holds if `pr` is of the form `e.callee` where `e` could evaluate to some * value that is not an arguments object. */ -private predicate hasNonArgumentsBase(PropAccess pacc) { - pacc.getPropertyName() = "callee" and +private predicate hasNonArgumentsBase(DataFlow::PropRead pr) { + pr.getPropertyName() = "callee" and exists(AbstractValue baseVal | - baseVal = pacc.getBase().analyze().getALocalValue() and + baseVal = pr.getBase().analyze().getALocalValue() and not baseVal instanceof AbstractArguments ) } diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll index 63d9c8e9563..3a26ab234c1 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll @@ -223,7 +223,11 @@ abstract class AnalyzedSsaDefinition extends SsaDefinition { * Flow analysis for SSA definitions corresponding to `VarDef`s. */ private class AnalyzedExplicitDefinition extends AnalyzedSsaDefinition, SsaExplicitDefinition { - override AbstractValue getAnRhsValue() { result = getDef().(AnalyzedVarDef).getAnAssignedValue() } + override AbstractValue getAnRhsValue() { + result = getDef().(AnalyzedVarDef).getAnAssignedValue() + or + result = getRhsNode().analyze().getALocalValue() + } } /** @@ -241,6 +245,8 @@ private class AnalyzedVariableCapture extends AnalyzedSsaDefinition, SsaVariable exists(LocalVariable v | v = getSourceVariable() | result = v.(AnalyzedCapturedVariable).getALocalValue() or + result = any(AnalyzedExplicitDefinition def | def.getSourceVariable() = v).getAnRhsValue() + or not guaranteedToBeInitialized(v) and result = getImplicitInitValue(v) ) } diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll index bb41de85a2c..45ad2066f2a 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll @@ -1060,21 +1060,42 @@ private class RouteInstantiatedController extends Controller { /** * Dataflow for the arguments of AngularJS dependency-injected functions. */ -private class DependencyInjectedArgumentInitializer extends DataFlow::AnalyzedValueNode { +private class DependencyInjectedArgumentInitializer extends DataFlow::AnalyzedNode { DataFlow::AnalyzedNode service; DependencyInjectedArgumentInitializer() { exists( - AngularJS::InjectableFunction f, SimpleParameter param, AngularJS::CustomServiceDefinition def + AngularJS::InjectableFunction f, Parameter param, AngularJS::CustomServiceDefinition def | - astNode = param.getAnInitialUse() and + this = DataFlow::parameterNode(param) and def.getServiceReference() = f.getAResolvedDependency(param) and service = def.getAService() ) } override AbstractValue getAValue() { - result = DataFlow::AnalyzedValueNode.super.getAValue() or + result = DataFlow::AnalyzedNode.super.getAValue() or result = service.getALocalValue() } } + +/** + * A call to `angular.bind`, as a partial function invocation. + */ +private class BindCall extends DataFlow::PartialInvokeNode::Range, DataFlow::CallNode { + BindCall() { this = angular().getAMemberCall("bind") } + + override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { + index >= 0 and + callback = getArgument(1) and + argument = getArgument(index + 2) + } + + override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) { + callback = getArgument(1) and + boundArgs = getNumArgument() - 2 and + result = this + } + + override DataFlow::Node getBoundReceiver() { result = getArgument(0) } +} diff --git a/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll b/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll index 3072e8d565a..aaa8d57f49b 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll @@ -70,7 +70,7 @@ module AsyncPackage { * to the first parameter of the final callback, while `result1, result2, ...` are propagated to * the parameters of the following task. */ - private class WaterfallNextTaskCall extends DataFlow::AdditionalPartialInvokeNode { + private class WaterfallNextTaskCall extends DataFlow::PartialInvokeNode::Range, DataFlow::CallNode { Waterfall waterfall; int n; diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll index 4c0bb7cd34f..b6a972c47d7 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll @@ -839,6 +839,10 @@ module Express { override DataFlow::Node getRootPathArgument() { result = this.(DataFlow::CallNode).getOptionArgument(1, "root") } + + override predicate isUpwardNavigationRejected(DataFlow::Node argument) { + argument = getAPathArgument() + } } /** diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll index 6f64ebe27d2..299042cc281 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll @@ -174,18 +174,20 @@ private module PersistentWebStorage { * An event handler that handles `postMessage` events. */ class PostMessageEventHandler extends Function { + int paramIndex; + PostMessageEventHandler() { - exists(CallExpr addEventListener | - addEventListener.getCallee().accessesGlobal("addEventListener") and + exists(DataFlow::CallNode addEventListener | + addEventListener = DataFlow::globalVarRef("addEventListener").getACall() and addEventListener.getArgument(0).mayHaveStringValue("message") and - addEventListener.getArgument(1).analyze().getAValue().(AbstractFunction).getFunction() = this + addEventListener.getArgument(1).getABoundFunctionValue(paramIndex).getFunction() = this ) } /** * Gets the parameter that contains the event. */ - SimpleParameter getEventParameter() { result = getParameter(0) } + Parameter getEventParameter() { result = getParameter(paramIndex) } } /** diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll index f509d9f8c6c..9f62ad7ccc8 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll @@ -10,7 +10,7 @@ import javascript * That is, either `shell` is a Unix shell (`sh` or similar) and * `arg` is `"-c"`, or `shell` is `cmd.exe` and `arg` is `"/c"`. */ -private predicate shellCmd(ConstantString shell, string arg) { +private predicate shellCmd(Expr shell, string arg) { exists(string s | s = shell.getStringValue() | (s = "sh" or s = "bash" or s = "/bin/sh" or s = "/bin/bash") and arg = "-c" @@ -23,25 +23,29 @@ private predicate shellCmd(ConstantString shell, string arg) { } /** - * Data flow configuration for tracking string literals that look like they - * may refer to an operating-system shell, and array literals that may end up being - * interpreted as argument lists for system commands. + * Gets a data-flow node whose value ends up being interpreted as the command argument in `sys` + * after a flow summarized by `t`. */ -private class ArgumentListTracking extends DataFlow::Configuration { - ArgumentListTracking() { this = "ArgumentListTracking" } +private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::TypeBackTracker t) { + t.start() and + result = sys.getACommandArgument() + or + exists(DataFlow::TypeBackTracker t2 | + t = t2.smallstep(result, commandArgument(sys, t2)) + ) +} - override predicate isSource(DataFlow::Node nd) { - nd instanceof DataFlow::ArrayCreationNode - or - exists(ConstantString shell | shellCmd(shell, _) | nd = DataFlow::valueNode(shell)) - } - - override predicate isSink(DataFlow::Node nd) { - exists(SystemCommandExecution sys | - nd = sys.getACommandArgument() or - nd = sys.getArgumentList() - ) - } +/** + * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys` + * after a flow summarized by `t`. + */ +private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::TypeBackTracker t) { + t.start() and + result = sys.getArgumentList().getALocalSource() + or + exists(DataFlow::TypeBackTracker t2 | + result = argumentList(sys, t2).backtrack(t2, t) + ) } /** @@ -60,11 +64,11 @@ private class ArgumentListTracking extends DataFlow::Configuration { */ predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) { exists( - ArgumentListTracking cfg, DataFlow::ArrayCreationNode args, ConstantString shell, string dashC + DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC | - shellCmd(shell, dashC) and - cfg.hasFlow(DataFlow::valueNode(shell), sys.getACommandArgument()) and - cfg.hasFlow(args, sys.getArgumentList()) and + shellCmd(shell.asExpr(), dashC) and + shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and + args = argumentList(sys, DataFlow::TypeBackTracker::end()) and args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and source = args.getAPropertyWrite().getRhs() ) diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll index c595fc0d2cd..6bf1ef5634a 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll @@ -79,6 +79,18 @@ module LoopBoundInjection { */ abstract class Sink extends DataFlow::Node { } + /** + * Holds if there exists an array access indexed by the variable `var` where it is likely that + * the array access will cause a crash if `var` grows unbounded. + */ + predicate hasCrashingArrayAccess(Variable var) { + exists(DataFlow::PropRead arrayRead, Expr throws | + arrayRead.getPropertyNameExpr() = var.getAnAccess() and + arrayRead.flowsToExpr(throws) and + isCrashingWithNullValues(throws) + ) + } + /** * An object that that is being iterated in a `for` loop, such as `for (..; .. sink.length; ...) ...` */ @@ -86,14 +98,7 @@ module LoopBoundInjection { LoopSink() { exists(ArrayIterationLoop loop | this = loop.getLengthRead().getBase() and - // In the DoS we are looking for arrayRead will evaluate to undefined, - // this may cause an exception to be thrown, thus bailing out of the loop. - // A DoS cannot happen if such an exception is thrown. - not exists(DataFlow::PropRead arrayRead, Expr throws | - arrayRead.getPropertyNameExpr() = loop.getIndexVariable().getAnAccess() and - arrayRead.flowsToExpr(throws) and - isCrashingWithNullValues(throws) - ) and + not hasCrashingArrayAccess(loop.getIndexVariable()) and // The existence of some kind of early-exit usually indicates that the loop will stop early and no DoS happens. not exists(BreakStmt br | br.getTarget() = loop) and not exists(ReturnStmt ret | @@ -187,14 +192,13 @@ module LoopBoundInjection { call = LodashUnderscore::member(name).getACall() and call.getArgument(0) = this and // Here it is just assumed that the array element is the first parameter in the callback function. - not exists(DataFlow::FunctionNode func, DataFlow::ParameterNode e | + not exists(DataFlow::FunctionNode func | func.flowsTo(call.getAnArgument()) and - e = func.getParameter(0) and ( // Looking for obvious null-pointers happening on the array elements in the iteration. // Similar to what is done in the loop iteration sink. exists(Expr throws | - e.flowsToExpr(throws) and + func.getParameter(0).flowsToExpr(throws) and isCrashingWithNullValues(throws) ) or @@ -202,6 +206,9 @@ module LoopBoundInjection { exists(ThrowStmt throw | throw.getTarget() = func.asExpr() ) + or + // A crash happens looking up the index variable. + hasCrashingArrayAccess(func.getParameter(1).getParameter().getVariable()) ) ) ) diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll index c31f09d13b4..b9a3b234db9 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll @@ -19,13 +19,11 @@ module TaintedPath { Configuration() { this = "TaintedPath" } override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - source instanceof Source and - label instanceof Label::PosixPath + label = source.(Source).getAFlowLabel() } override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - sink instanceof Sink and - label instanceof Label::PosixPath + label = sink.(Sink).getAFlowLabel() } override predicate isBarrier(DataFlow::Node node) { diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll index 5427be491d7..220262e2819 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll @@ -10,12 +10,22 @@ module TaintedPath { /** * A data flow source for tainted-path vulnerabilities. */ - abstract class Source extends DataFlow::Node { } + abstract class Source extends DataFlow::Node { + /** Gets a flow label denoting the type of value for which this is a source. */ + DataFlow::FlowLabel getAFlowLabel() { + result instanceof Label::PosixPath + } + } /** * A data flow sink for tainted-path vulnerabilities. */ - abstract class Sink extends DataFlow::Node { } + abstract class Sink extends DataFlow::Node { + /** Gets a flow label denoting the type of value for which this is a sink. */ + DataFlow::FlowLabel getAFlowLabel() { + result instanceof Label::PosixPath + } + } /** * A sanitizer for tainted-path vulnerabilities. @@ -369,17 +379,36 @@ module TaintedPath { * A path argument to a file system access. */ class FsPathSink extends Sink, DataFlow::ValueNode { + FileSystemAccess fileSystemAccess; + FsPathSink() { - exists(FileSystemAccess fs | - this = fs.getAPathArgument() and - not exists(fs.getRootPathArgument()) + ( + this = fileSystemAccess.getAPathArgument() and + not exists(fileSystemAccess.getRootPathArgument()) or - this = fs.getRootPathArgument() + this = fileSystemAccess.getRootPathArgument() ) and not this = any(ResolvingPathCall call).getInput() } } + /** + * A path argument to a file system access, which disallows upward navigation. + */ + private class FsPathSinkWithoutUpwardNavigation extends FsPathSink { + FsPathSinkWithoutUpwardNavigation() { + fileSystemAccess.isUpwardNavigationRejected(this) + } + + override DataFlow::FlowLabel getAFlowLabel() { + // The protection is ineffective if the ../ segments have already + // cancelled out against the intended root dir using path.join or similar. + // Only flag normalized paths, as this corresponds to the output + // of a normalizing call that had a malicious input. + result.(Label::PosixPath).isNormalized() + } + } + /** * A path argument to the Express `res.render` method. */ diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll index fbea366ed93..52c4a9b9332 100644 --- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll +++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll @@ -39,6 +39,18 @@ module Shared { ) } } + + /** + * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for + * XSS vulnerabilities. + */ + class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode { + UriEncodingSanitizer() { + exists(string name | this = DataFlow::globalVarRef(name).getACall() | + name = "encodeURI" or name = "encodeURIComponent" + ) + } + } } /** Provides classes and predicates for the DOM-based XSS query. */ @@ -251,6 +263,8 @@ module DomBasedXss { * so any such replacement stops taint propagation. */ private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { } + + private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { } } /** Provides classes and predicates for the reflected XSS query. */ @@ -294,6 +308,8 @@ module ReflectedXss { * so any such replacement stops taint propagation. */ private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { } + + private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { } } /** Provides classes and predicates for the stored XSS query. */ @@ -320,4 +336,6 @@ module StoredXss { * so any such replacement stops taint propagation. */ private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { } + + private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { } } diff --git a/javascript/ql/src/semmlecode.javascript.dbscheme b/javascript/ql/src/semmlecode.javascript.dbscheme index ab0dab3b55b..5a5adbf98dc 100644 --- a/javascript/ql/src/semmlecode.javascript.dbscheme +++ b/javascript/ql/src/semmlecode.javascript.dbscheme @@ -200,8 +200,8 @@ case @stmt.kind of isInstantiated(unique int decl: @namespacedeclaration ref); -@declarablestmt = @declstmt | @namespacedeclaration | @classdeclstmt | @functiondeclstmt | @enumdeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; -hasDeclareKeyword(unique int stmt: @declarablestmt ref); +@declarablenode = @declstmt | @namespacedeclaration | @classdeclstmt | @functiondeclstmt | @enumdeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration | @field; +hasDeclareKeyword(unique int stmt: @declarablenode ref); isForAwaitOf(unique int forof: @forofstmt ref); @@ -349,6 +349,7 @@ case @expr.kind of | 112 = @e4x_xml_static_qualident | 113 = @e4x_xml_dynamic_qualident | 114 = @e4x_xml_dotdotexpr +| 115 = @importmetaexpr ; @varaccess = @proper_varaccess | @export_varaccess; @@ -558,7 +559,7 @@ case @typeexpr.kind of | 17 = @localvartypeaccess | 18 = @qualifiedvartypeaccess | 19 = @thisvartypeaccess -| 20 = @istypeexpr +| 20 = @predicatetypeexpr | 21 = @interfacetypeexpr | 22 = @typeparameter | 23 = @plainfunctiontypeexpr @@ -636,6 +637,8 @@ case @type.kind of @unionorintersectiontype = @uniontype | @intersectiontype; @typevariabletype = @canonicaltypevariabletype | @lexicaltypevariabletype; +hasAssertsKeyword(int node: @predicatetypeexpr ref); + @typed_ast_node = @expr | @typeexpr | @function; ast_node_type( unique int node: @typed_ast_node ref, @@ -1169,4 +1172,4 @@ extraction_data( varchar(900) cacheFile: string ref, boolean fromCache: boolean ref, int length: int ref -) \ No newline at end of file +) diff --git a/javascript/ql/src/semmlecode.javascript.dbscheme.stats b/javascript/ql/src/semmlecode.javascript.dbscheme.stats index 5f638b48c37..f7d36078a5a 100644 --- a/javascript/ql/src/semmlecode.javascript.dbscheme.stats +++ b/javascript/ql/src/semmlecode.javascript.dbscheme.stats @@ -514,6 +514,10 @@ 1 +@importmetaexpr +1 + + @namedimportspecifier 4 @@ -846,7 +850,7 @@ 20 -@istypeexpr +@predicatetypeexpr 86 @@ -7914,6 +7918,17 @@ +hasAssertsKeyword +66 + + +node +66 + + + + + isAbstractMember 66 diff --git a/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/client.js b/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/client.js new file mode 100644 index 00000000000..f1308447c22 --- /dev/null +++ b/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/client.js @@ -0,0 +1,12 @@ +const lib = require("./lib"), + { f } = require("./lib"); + +/** calls:lib.f */ +lib.f(); +/** calls:lib.f */ +f(); + +(function() { + /** calls:lib.f */ + f(); +})(); diff --git a/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/lib.js b/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/lib.js new file mode 100644 index 00000000000..37b8606ab1d --- /dev/null +++ b/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/lib.js @@ -0,0 +1,3 @@ +module.exports.f = + /** name:lib.f */ + function() {}; diff --git a/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected b/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected index 6adc2b27556..90d47a02286 100644 --- a/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected +++ b/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected @@ -60,7 +60,6 @@ test_getAFunctionValue | classes.js:12:3:16:3 | class B ... }\\n } | classes.js:12:21:12:20 | (...arg ... rgs); } | | classes.js:12:19:12:19 | A | classes.js:2:11:2:10 | () {} | | classes.js:12:21:12:20 | (...arg ... rgs); } | classes.js:12:21:12:20 | (...arg ... rgs); } | -| classes.js:12:21:12:20 | super | classes.js:2:11:2:10 | () {} | | classes.js:13:10:15:5 | () {\\n ... ;\\n } | classes.js:13:10:15:5 | () {\\n ... ;\\n } | | classes.js:18:3:18:15 | new B().hello | classes.js:13:10:15:5 | () {\\n ... ;\\n } | | classes.js:18:7:18:7 | B | classes.js:12:21:12:20 | (...arg ... rgs); } | @@ -76,12 +75,10 @@ test_getAFunctionValue | es2015.js:14:20:14:46 | "Wait f ... leClass | es2015.js:2:14:4:3 | () {\\n ... ");\\n } | | es2015.js:14:35:14:46 | ExampleClass | es2015.js:2:14:4:3 | () {\\n ... ");\\n } | | es2015.js:15:14:17:3 | () {\\n ... ();\\n } | es2015.js:15:14:17:3 | () {\\n ... ();\\n } | -| es2015.js:16:5:16:9 | super | es2015.js:2:14:4:3 | () {\\n ... ");\\n } | | es2015.js:20:1:22:1 | functio ... = 42;\\n} | es2015.js:20:1:22:1 | functio ... = 42;\\n} | | es2015.js:24:1:29:1 | class O ... ;\\n }\\n} | es2015.js:25:14:28:3 | () {\\n ... x);\\n } | | es2015.js:24:24:24:34 | PseudoClass | es2015.js:20:1:22:1 | functio ... = 42;\\n} | | es2015.js:25:14:28:3 | () {\\n ... x);\\n } | es2015.js:25:14:28:3 | () {\\n ... x);\\n } | -| es2015.js:26:5:26:9 | super | es2015.js:20:1:22:1 | functio ... = 42;\\n} | | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | | es2015.js:34:1:34:3 | sum | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | | es2015.js:35:1:35:3 | sum | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | @@ -184,8 +181,8 @@ test_getAFunctionValue | tst.js:64:17:64:17 | B | tst.js:50:1:50:15 | function B() {} | | tst.js:65:5:65:23 | b.f = function() {} | tst.js:65:11:65:23 | function() {} | | tst.js:65:11:65:23 | function() {} | tst.js:65:11:65:23 | function() {} | +| tst.js:66:5:66:7 | b.f | tst.js:52:5:54:2 | functio ... g();\\n\\t} | | tst.js:66:5:66:7 | b.f | tst.js:65:11:65:23 | function() {} | -| tst.js:69:1:69:8 | globalfn | tst3.js:1:1:1:22 | functio ... fn() {} | | tst.js:70:1:70:9 | globalfn2 | tst3.js:2:1:2:23 | functio ... n2() {} | test_getArgument | classes.js:4:7:4:26 | console.log("Hello") | 0 | classes.js:4:19:4:25 | "Hello" | @@ -404,7 +401,6 @@ test_getACallee | es2015.js:6:1:6:18 | new ExampleClass() | es2015.js:2:14:4:3 | () {\\n ... ");\\n } | | es2015.js:10:5:10:22 | arguments.callee() | es2015.js:8:2:12:1 | functio ... \\n };\\n} | | es2015.js:16:5:16:11 | super() | es2015.js:2:14:4:3 | () {\\n ... ");\\n } | -| es2015.js:26:5:26:11 | super() | es2015.js:20:1:22:1 | functio ... = 42;\\n} | | es2015.js:34:1:34:17 | sum(...[1, 2, 3]) | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | | es2015.js:35:1:35:17 | sum(1, ...[2, 3]) | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | | es2015.js:36:1:36:17 | sum(1, ...[2], 3) | es2015.js:31:1:33:1 | functio ... +y+z;\\n} | @@ -441,8 +437,8 @@ test_getACallee | tst.js:53:3:53:10 | this.g() | tst.js:57:39:57:51 | function() {} | | tst.js:60:15:60:21 | new A() | tst.js:44:1:44:15 | function A() {} | | tst.js:64:13:64:19 | new B() | tst.js:50:1:50:15 | function B() {} | +| tst.js:66:5:66:9 | b.f() | tst.js:52:5:54:2 | functio ... g();\\n\\t} | | tst.js:66:5:66:9 | b.f() | tst.js:65:11:65:23 | function() {} | -| tst.js:69:1:69:10 | globalfn() | tst3.js:1:1:1:22 | functio ... fn() {} | | tst.js:70:1:70:11 | globalfn2() | tst3.js:2:1:2:23 | functio ... n2() {} | test_getCalleeName | a.js:2:1:2:5 | foo() | foo | diff --git a/javascript/ql/test/library-tests/Flow/AbstractValues.expected b/javascript/ql/test/library-tests/Flow/AbstractValues.expected index f172a33c000..42117cac98a 100644 --- a/javascript/ql/test/library-tests/Flow/AbstractValues.expected +++ b/javascript/ql/test/library-tests/Flow/AbstractValues.expected @@ -208,6 +208,8 @@ | nodeJsLib.js:1:18:1:43 | instance of function nodeJsModule | | nodeJsLib.js:3:15:3:37 | function nodeJsFoo | | nodeJsLib.js:3:15:3:37 | instance of function nodeJsFoo | +| nullish-coalescing-op.ts:1:1:3:1 | function test | +| nullish-coalescing-op.ts:1:1:3:1 | instance of function test | | o.js:1:1:2:0 | exports object of module o | | o.js:1:1:2:0 | module object of module o | | objlit.js:1:14:1:15 | object literal | diff --git a/javascript/ql/test/library-tests/Flow/abseval.expected b/javascript/ql/test/library-tests/Flow/abseval.expected index a856e3ec474..00d7f27da89 100644 --- a/javascript/ql/test/library-tests/Flow/abseval.expected +++ b/javascript/ql/test/library-tests/Flow/abseval.expected @@ -80,6 +80,7 @@ | classAccessors.js:12:9:12:11 | myZ | classAccessors.js:12:15:12:20 | this.z | file://:0:0:0:0 | indefinite value (call) | | classAccessors.js:12:9:12:11 | myZ | classAccessors.js:12:15:12:20 | this.z | file://:0:0:0:0 | indefinite value (heap) | | destructuring.js:2:7:2:24 | { x, y = (z = x) } | destructuring.js:2:28:2:28 | o | file://:0:0:0:0 | indefinite value (call) | +| destructuring.js:3:7:3:8 | z1 | destructuring.js:3:12:3:12 | z | file://:0:0:0:0 | indefinite value (call) | | destructuring.js:3:7:3:8 | z1 | destructuring.js:3:12:3:12 | z | file://:0:0:0:0 | indefinite value (heap) | | es2015.js:1:5:1:7 | Sup | es2015.js:1:11:6:1 | class { ... ;\\n }\\n} | es2015.js:1:11:6:1 | class Sup | | es2015.js:4:9:4:12 | ctor | es2015.js:4:16:4:25 | new.target | file://:0:0:0:0 | indefinite value (call) | @@ -203,6 +204,8 @@ | nodeJsClient.js:5:5:5:6 | x2 | nodeJsClient.js:5:10:5:15 | es.foo | esLib.js:3:8:3:24 | function foo | | nodeJsClient.js:5:5:5:6 | x2 | nodeJsClient.js:5:10:5:15 | es.foo | file://:0:0:0:0 | indefinite value (call) | | nodeJsClient.js:5:5:5:6 | x2 | nodeJsClient.js:5:10:5:15 | es.foo | file://:0:0:0:0 | indefinite value (heap) | +| nullish-coalescing-op.ts:2:7:2:7 | y | nullish-coalescing-op.ts:2:11:2:18 | x ?? 0.5 | file://:0:0:0:0 | indefinite value (call) | +| nullish-coalescing-op.ts:2:7:2:7 | y | nullish-coalescing-op.ts:2:11:2:18 | x ?? 0.5 | file://:0:0:0:0 | non-zero value | | objlit.js:1:5:1:5 | A | objlit.js:1:9:1:15 | A \|\| {} | file://:0:0:0:0 | indefinite value (global) | | objlit.js:1:5:1:5 | A | objlit.js:1:9:1:15 | A \|\| {} | objlit.js:1:14:1:15 | object literal | | objlit.js:7:5:7:5 | B | objlit.js:7:9:7:10 | {} | objlit.js:7:9:7:10 | object literal | diff --git a/javascript/ql/test/library-tests/Flow/getAPrototype.expected b/javascript/ql/test/library-tests/Flow/getAPrototype.expected index e8825515715..07ff1f76b24 100644 --- a/javascript/ql/test/library-tests/Flow/getAPrototype.expected +++ b/javascript/ql/test/library-tests/Flow/getAPrototype.expected @@ -40,6 +40,7 @@ | nestedImport.js:9:1:12:1 | instance of function tst | nestedImport.js:9:1:12:1 | instance of function tst | | nodeJsLib.js:1:18:1:43 | instance of function nodeJsModule | nodeJsLib.js:1:18:1:43 | instance of function nodeJsModule | | nodeJsLib.js:3:15:3:37 | instance of function nodeJsFoo | nodeJsLib.js:3:15:3:37 | instance of function nodeJsFoo | +| nullish-coalescing-op.ts:1:1:3:1 | instance of function test | nullish-coalescing-op.ts:1:1:3:1 | instance of function test | | objlit.js:2:9:2:21 | instance of anonymous function | objlit.js:2:9:2:21 | instance of anonymous function | | objlit.js:4:8:4:20 | instance of method baz | objlit.js:4:8:4:20 | instance of method baz | | objlit.js:10:2:12:1 | instance of anonymous function | objlit.js:10:2:12:1 | instance of anonymous function | diff --git a/javascript/ql/test/library-tests/Flow/nullish-coalescing-op.ts b/javascript/ql/test/library-tests/Flow/nullish-coalescing-op.ts new file mode 100644 index 00000000000..9fb2e4c1312 --- /dev/null +++ b/javascript/ql/test/library-tests/Flow/nullish-coalescing-op.ts @@ -0,0 +1,3 @@ +function test(x) { + let y = x ?? 0.5; +} diff --git a/javascript/ql/test/library-tests/Flow/types.expected b/javascript/ql/test/library-tests/Flow/types.expected index ba7aca62b08..9b13b469bed 100644 --- a/javascript/ql/test/library-tests/Flow/types.expected +++ b/javascript/ql/test/library-tests/Flow/types.expected @@ -113,6 +113,7 @@ | nodeJsClient.js:2:5:2:6 | es | nodeJsClient.js:2:10:2:27 | require('./esLib') | boolean, class, date, function, null, number, object, regular expression,string or undefined | | nodeJsClient.js:4:5:4:6 | x1 | nodeJsClient.js:4:10:4:15 | nj.foo | boolean, class, date, function, null, number, object, regular expression,string or undefined | | nodeJsClient.js:5:5:5:6 | x2 | nodeJsClient.js:5:10:5:15 | es.foo | boolean, class, date, function, null, number, object, regular expression,string or undefined | +| nullish-coalescing-op.ts:2:7:2:7 | y | nullish-coalescing-op.ts:2:11:2:18 | x ?? 0.5 | boolean, class, date, function, null, number, object, regular expression,string or undefined | | objlit.js:1:5:1:5 | A | objlit.js:1:9:1:15 | A \|\| {} | boolean, class, date, function, null, number, object, regular expression,string or undefined | | objlit.js:7:5:7:5 | B | objlit.js:7:9:7:10 | {} | object | | objlit.js:14:5:14:6 | x1 | objlit.js:14:10:14:10 | A | boolean, class, date, function, null, number, object, regular expression,string or undefined | diff --git a/javascript/ql/test/library-tests/OptionalChaining/OptionalChainRoot.expected b/javascript/ql/test/library-tests/OptionalChaining/OptionalChainRoot.expected index 5ec86ee7462..1ff8c71d6db 100644 --- a/javascript/ql/test/library-tests/OptionalChaining/OptionalChainRoot.expected +++ b/javascript/ql/test/library-tests/OptionalChaining/OptionalChainRoot.expected @@ -1,7 +1,25 @@ +| short-circuiting-typescript.ts:3:5:3:18 | x?.(o1 = null) | short-circuiting-typescript.ts:3:5:3:18 | x?.(o1 = null) | +| short-circuiting-typescript.ts:7:5:7:18 | x?.[o2 = null] | short-circuiting-typescript.ts:7:5:7:18 | x?.[o2 = null] | +| short-circuiting-typescript.ts:12:5:12:31 | x?.[o3 ... = null) | short-circuiting-typescript.ts:12:5:12:18 | x?.[o3 = null] | +| short-circuiting-typescript.ts:12:5:12:31 | x?.[o3 ... = null) | short-circuiting-typescript.ts:12:5:12:31 | x?.[o3 ... = null) | | short-circuiting.js:3:5:3:18 | x?.(o1 = null) | short-circuiting.js:3:5:3:18 | x?.(o1 = null) | | short-circuiting.js:7:5:7:18 | x?.[o2 = null] | short-circuiting.js:7:5:7:18 | x?.[o2 = null] | | short-circuiting.js:12:5:12:31 | x?.[o3 ... = null) | short-circuiting.js:12:5:12:18 | x?.[o3 = null] | | short-circuiting.js:12:5:12:31 | x?.[o3 ... = null) | short-circuiting.js:12:5:12:31 | x?.[o3 ... = null) | +| tst-typescript.ts:2:1:2:6 | a?.b.c | tst-typescript.ts:2:1:2:4 | a?.b | +| tst-typescript.ts:3:1:3:6 | a.b?.c | tst-typescript.ts:3:1:3:6 | a.b?.c | +| tst-typescript.ts:4:1:4:7 | a?.b?.c | tst-typescript.ts:4:1:4:4 | a?.b | +| tst-typescript.ts:4:1:4:7 | a?.b?.c | tst-typescript.ts:4:1:4:7 | a?.b?.c | +| tst-typescript.ts:7:1:7:7 | f?.()() | tst-typescript.ts:7:1:7:5 | f?.() | +| tst-typescript.ts:8:1:8:7 | f()?.() | tst-typescript.ts:8:1:8:7 | f()?.() | +| tst-typescript.ts:9:1:9:9 | f?.()?.() | tst-typescript.ts:9:1:9:5 | f?.() | +| tst-typescript.ts:9:1:9:9 | f?.()?.() | tst-typescript.ts:9:1:9:9 | f?.()?.() | +| tst-typescript.ts:12:1:12:8 | a?.m().b | tst-typescript.ts:12:1:12:4 | a?.m | +| tst-typescript.ts:13:1:13:9 | a.m?.().b | tst-typescript.ts:13:1:13:7 | a.m?.() | +| tst-typescript.ts:14:1:14:8 | a.m()?.b | tst-typescript.ts:14:1:14:8 | a.m()?.b | +| tst-typescript.ts:15:1:15:11 | a?.m?.()?.b | tst-typescript.ts:15:1:15:4 | a?.m | +| tst-typescript.ts:15:1:15:11 | a?.m?.()?.b | tst-typescript.ts:15:1:15:8 | a?.m?.() | +| tst-typescript.ts:15:1:15:11 | a?.m?.()?.b | tst-typescript.ts:15:1:15:11 | a?.m?.()?.b | | tst.js:2:1:2:6 | a?.b.c | tst.js:2:1:2:4 | a?.b | | tst.js:3:1:3:6 | a.b?.c | tst.js:3:1:3:6 | a.b?.c | | tst.js:4:1:4:7 | a?.b?.c | tst.js:4:1:4:4 | a?.b | diff --git a/javascript/ql/test/library-tests/OptionalChaining/OptionalUse.expected b/javascript/ql/test/library-tests/OptionalChaining/OptionalUse.expected index 430d4d52299..8358bb0ecde 100644 --- a/javascript/ql/test/library-tests/OptionalChaining/OptionalUse.expected +++ b/javascript/ql/test/library-tests/OptionalChaining/OptionalUse.expected @@ -1,7 +1,25 @@ +| short-circuiting-typescript.ts:3:5:3:18 | x?.(o1 = null) | +| short-circuiting-typescript.ts:7:5:7:18 | x?.[o2 = null] | +| short-circuiting-typescript.ts:12:5:12:18 | x?.[o3 = null] | +| short-circuiting-typescript.ts:12:5:12:31 | x?.[o3 ... = null) | | short-circuiting.js:3:5:3:18 | x?.(o1 = null) | | short-circuiting.js:7:5:7:18 | x?.[o2 = null] | | short-circuiting.js:12:5:12:18 | x?.[o3 = null] | | short-circuiting.js:12:5:12:31 | x?.[o3 ... = null) | +| tst-typescript.ts:2:1:2:4 | a?.b | +| tst-typescript.ts:3:1:3:6 | a.b?.c | +| tst-typescript.ts:4:1:4:4 | a?.b | +| tst-typescript.ts:4:1:4:7 | a?.b?.c | +| tst-typescript.ts:7:1:7:5 | f?.() | +| tst-typescript.ts:8:1:8:7 | f()?.() | +| tst-typescript.ts:9:1:9:5 | f?.() | +| tst-typescript.ts:9:1:9:9 | f?.()?.() | +| tst-typescript.ts:12:1:12:4 | a?.m | +| tst-typescript.ts:13:1:13:7 | a.m?.() | +| tst-typescript.ts:14:1:14:8 | a.m()?.b | +| tst-typescript.ts:15:1:15:4 | a?.m | +| tst-typescript.ts:15:1:15:8 | a?.m?.() | +| tst-typescript.ts:15:1:15:11 | a?.m?.()?.b | | tst.js:2:1:2:4 | a?.b | | tst.js:3:1:3:6 | a.b?.c | | tst.js:4:1:4:4 | a?.b | diff --git a/javascript/ql/test/library-tests/OptionalChaining/ShortCircuiting.expected b/javascript/ql/test/library-tests/OptionalChaining/ShortCircuiting.expected index d61dccc8c5a..6711c704828 100644 --- a/javascript/ql/test/library-tests/OptionalChaining/ShortCircuiting.expected +++ b/javascript/ql/test/library-tests/OptionalChaining/ShortCircuiting.expected @@ -1,3 +1,11 @@ +| short-circuiting-typescript.ts:4:10:4:11 | o1 | file://:0:0:0:0 | null | +| short-circuiting-typescript.ts:4:10:4:11 | o1 | short-circuiting-typescript.ts:2:14:2:15 | object literal | +| short-circuiting-typescript.ts:8:10:8:11 | o2 | file://:0:0:0:0 | null | +| short-circuiting-typescript.ts:8:10:8:11 | o2 | short-circuiting-typescript.ts:6:14:6:15 | object literal | +| short-circuiting-typescript.ts:13:10:13:11 | o3 | file://:0:0:0:0 | null | +| short-circuiting-typescript.ts:13:10:13:11 | o3 | short-circuiting-typescript.ts:10:14:10:15 | object literal | +| short-circuiting-typescript.ts:14:10:14:11 | o4 | file://:0:0:0:0 | null | +| short-circuiting-typescript.ts:14:10:14:11 | o4 | short-circuiting-typescript.ts:11:14:11:15 | object literal | | short-circuiting.js:4:10:4:11 | o1 | file://:0:0:0:0 | null | | short-circuiting.js:4:10:4:11 | o1 | short-circuiting.js:2:14:2:15 | object literal | | short-circuiting.js:8:10:8:11 | o2 | file://:0:0:0:0 | null | diff --git a/javascript/ql/test/library-tests/OptionalChaining/ShortCirtuiting.expected b/javascript/ql/test/library-tests/OptionalChaining/ShortCirtuiting.expected deleted file mode 100644 index d61dccc8c5a..00000000000 --- a/javascript/ql/test/library-tests/OptionalChaining/ShortCirtuiting.expected +++ /dev/null @@ -1,8 +0,0 @@ -| short-circuiting.js:4:10:4:11 | o1 | file://:0:0:0:0 | null | -| short-circuiting.js:4:10:4:11 | o1 | short-circuiting.js:2:14:2:15 | object literal | -| short-circuiting.js:8:10:8:11 | o2 | file://:0:0:0:0 | null | -| short-circuiting.js:8:10:8:11 | o2 | short-circuiting.js:6:14:6:15 | object literal | -| short-circuiting.js:13:10:13:11 | o3 | file://:0:0:0:0 | null | -| short-circuiting.js:13:10:13:11 | o3 | short-circuiting.js:10:14:10:15 | object literal | -| short-circuiting.js:14:10:14:11 | o4 | file://:0:0:0:0 | null | -| short-circuiting.js:14:10:14:11 | o4 | short-circuiting.js:11:14:11:15 | object literal | diff --git a/javascript/ql/test/library-tests/OptionalChaining/ShortCirtuiting.ql b/javascript/ql/test/library-tests/OptionalChaining/ShortCirtuiting.ql deleted file mode 100644 index e14838bd3ed..00000000000 --- a/javascript/ql/test/library-tests/OptionalChaining/ShortCirtuiting.ql +++ /dev/null @@ -1,7 +0,0 @@ -import javascript - -from CallExpr c, Expr arg -where - c.getCalleeName() = "DUMP" and - arg = c.getArgument(0) -select arg, arg.analyze().getAValue() diff --git a/javascript/ql/test/library-tests/OptionalChaining/short-circuiting-typescript.ts b/javascript/ql/test/library-tests/OptionalChaining/short-circuiting-typescript.ts new file mode 100644 index 00000000000..7367e64dd4c --- /dev/null +++ b/javascript/ql/test/library-tests/OptionalChaining/short-circuiting-typescript.ts @@ -0,0 +1,15 @@ +(function() { + var o1 = {}; + x?.(o1 = null); + DUMP(o1); + + var o2 = {}; + x?.[o2 = null]; + DUMP(o2); + + var o3 = {}, + o4 = {}; + x?.[o3 = null]?.(o4 = null); + DUMP(o3); + DUMP(o4); +}); diff --git a/javascript/ql/test/library-tests/OptionalChaining/tst-typescript.ts b/javascript/ql/test/library-tests/OptionalChaining/tst-typescript.ts new file mode 100644 index 00000000000..39389024d6d --- /dev/null +++ b/javascript/ql/test/library-tests/OptionalChaining/tst-typescript.ts @@ -0,0 +1,15 @@ +a.b.c; +a?.b.c; +a.b?.c; +a?.b?.c; + +f()(); +f?.()(); +f()?.(); +f?.()?.(); + +a.m().b; +a?.m().b; +a.m?.().b; +a.m()?.b; +a?.m?.()?.b; diff --git a/javascript/ql/test/library-tests/PartialInvokeNode/closure.js b/javascript/ql/test/library-tests/PartialInvokeNode/closure.js new file mode 100644 index 00000000000..7b386e8e165 --- /dev/null +++ b/javascript/ql/test/library-tests/PartialInvokeNode/closure.js @@ -0,0 +1,5 @@ +goog.module('test'); + +function test(x) { + addEventListener("click", goog.bind(function(x, event) {}, this, x)); +} diff --git a/javascript/ql/test/library-tests/PartialInvokeNode/test.expected b/javascript/ql/test/library-tests/PartialInvokeNode/test.expected new file mode 100644 index 00000000000..edb94190810 --- /dev/null +++ b/javascript/ql/test/library-tests/PartialInvokeNode/test.expected @@ -0,0 +1,26 @@ +getBoundFunction +| closure.js:4:29:4:69 | goog.bi ... his, x) | closure.js:4:39:4:59 | functio ... ent) {} | 1 | closure.js:4:29:4:69 | goog.bi ... his, x) | +| tst.js:5:29:5:63 | functio ... his, x) | tst.js:5:29:5:49 | functio ... ent) {} | 1 | tst.js:5:29:5:63 | functio ... his, x) | +| tst.js:6:29:6:68 | lodash. ... {}, x) | tst.js:6:44:6:64 | functio ... ent) {} | 1 | tst.js:6:29:6:68 | lodash. ... {}, x) | +| tst.js:7:29:7:65 | R.parti ... }, [x]) | tst.js:7:39:7:59 | functio ... ent) {} | 1 | tst.js:7:29:7:65 | R.parti ... }, [x]) | +| tst.js:8:29:8:72 | angular ... {}, x) | tst.js:8:48:8:68 | functio ... ent) {} | 1 | tst.js:8:29:8:72 | angular ... {}, x) | +| tst.js:11:29:11:43 | f.bind(this, x) | tst.js:11:29:11:29 | f | 1 | tst.js:11:29:11:43 | f.bind(this, x) | +isPartialArgument +| closure.js:4:29:4:69 | goog.bi ... his, x) | closure.js:4:39:4:59 | functio ... ent) {} | closure.js:4:68:4:68 | x | 0 | +| tst.js:5:29:5:63 | functio ... his, x) | tst.js:5:29:5:49 | functio ... ent) {} | tst.js:5:62:5:62 | x | 0 | +| tst.js:6:29:6:68 | lodash. ... {}, x) | tst.js:6:44:6:64 | functio ... ent) {} | tst.js:6:67:6:67 | x | 0 | +| tst.js:7:29:7:65 | R.parti ... }, [x]) | tst.js:7:39:7:59 | functio ... ent) {} | tst.js:7:63:7:63 | x | 0 | +| tst.js:8:29:8:72 | angular ... {}, x) | tst.js:8:48:8:68 | functio ... ent) {} | tst.js:8:71:8:71 | x | 0 | +| tst.js:11:29:11:43 | f.bind(this, x) | tst.js:11:29:11:29 | f | tst.js:11:42:11:42 | x | 0 | +getBoundReceiver +| closure.js:4:29:4:69 | goog.bi ... his, x) | closure.js:4:62:4:65 | this | +| tst.js:5:29:5:63 | functio ... his, x) | tst.js:5:56:5:59 | this | +| tst.js:8:29:8:72 | angular ... {}, x) | tst.js:8:42:8:45 | this | +| tst.js:11:29:11:43 | f.bind(this, x) | tst.js:11:36:11:39 | this | +clickEvent +| closure.js:4:51:4:55 | event | +| tst.js:5:41:5:45 | event | +| tst.js:6:56:6:60 | event | +| tst.js:7:51:7:55 | event | +| tst.js:8:60:8:64 | event | +| tst.js:10:17:10:21 | event | diff --git a/javascript/ql/test/library-tests/PartialInvokeNode/test.ql b/javascript/ql/test/library-tests/PartialInvokeNode/test.ql new file mode 100644 index 00000000000..a7e5a010a05 --- /dev/null +++ b/javascript/ql/test/library-tests/PartialInvokeNode/test.ql @@ -0,0 +1,21 @@ +import javascript + +query +DataFlow::Node getBoundFunction(DataFlow::PartialInvokeNode invoke, DataFlow::Node callback, int boundArgs) { + result = invoke.getBoundFunction(callback, boundArgs) +} + +query +predicate isPartialArgument(DataFlow::PartialInvokeNode invoke, DataFlow::Node callback, DataFlow::Node argument, int index) { + invoke.isPartialArgument(callback, argument, index) +} + +query +DataFlow::Node getBoundReceiver(DataFlow::PartialInvokeNode invoke) { + result = invoke.getBoundReceiver() +} + +query +DataFlow::Node clickEvent() { + result = DataFlow::globalVarRef("addEventListener").getACall().getABoundCallbackParameter(1, 0) +} diff --git a/javascript/ql/test/library-tests/PartialInvokeNode/tst.js b/javascript/ql/test/library-tests/PartialInvokeNode/tst.js new file mode 100644 index 00000000000..68926bff6a3 --- /dev/null +++ b/javascript/ql/test/library-tests/PartialInvokeNode/tst.js @@ -0,0 +1,12 @@ +let lodash = require('lodash'); +let R = require('ramda'); + +function test(x) { + addEventListener("click", function(x, event) {}.bind(this, x)); + addEventListener("click", lodash.partial(function(x, event) {}, x)); + addEventListener("click", R.partial(function(x, event) {}, [x])); + addEventListener("click", angular.bind(this, function(x, event) {}, x)); + + function f(x, event) {} + addEventListener("click", f.bind(this, x)); +} diff --git a/javascript/ql/test/library-tests/TypeScript/CallGraph/CallGraph.expected b/javascript/ql/test/library-tests/TypeScript/CallGraph/CallGraph.expected index 1a7d3e72bde..4cfb86ac7c6 100644 --- a/javascript/ql/test/library-tests/TypeScript/CallGraph/CallGraph.expected +++ b/javascript/ql/test/library-tests/TypeScript/CallGraph/CallGraph.expected @@ -1,4 +1,5 @@ | tst.ts:4:5:4:21 | x.method("Hello") | tst.ts:15:3:17:3 | public ... x);\\n } | | tst.ts:9:17:9:33 | new AngryLogger() | tst.ts:20:34:20:33 | (...arg ... rgs); } | +| tst.ts:10:5:10:49 | (newLog ... hello") | tst.ts:15:3:17:3 | public ... x);\\n } | | tst.ts:10:5:10:49 | (newLog ... hello") | tst.ts:21:3:23:3 | public ... ");\\n } | | tst.ts:20:34:20:33 | super(...args) | tst.ts:14:14:14:13 | () {} | diff --git a/javascript/ql/test/library-tests/TypeScript/CallGraph/tst.ts b/javascript/ql/test/library-tests/TypeScript/CallGraph/tst.ts index ea4136b5480..c0f7b1476bf 100644 --- a/javascript/ql/test/library-tests/TypeScript/CallGraph/tst.ts +++ b/javascript/ql/test/library-tests/TypeScript/CallGraph/tst.ts @@ -4,7 +4,7 @@ class MyClass { x.method("Hello"); // Resolve based on local dataflow. - // Type information should not degrade call graph precision. + // Type information may degrade call graph precision. var newLogger: Logger; newLogger = new AngryLogger(); (newLogger as Logger).method("I said, hello"); diff --git a/javascript/ql/test/library-tests/TypeScript/DeclareInClass/test.expected b/javascript/ql/test/library-tests/TypeScript/DeclareInClass/test.expected new file mode 100644 index 00000000000..17658f9c17d --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/DeclareInClass/test.expected @@ -0,0 +1 @@ +| tst.ts:2:5:2:22 | declare x: number; | true | diff --git a/javascript/ql/test/library-tests/TypeScript/DeclareInClass/test.ql b/javascript/ql/test/library-tests/TypeScript/DeclareInClass/test.ql new file mode 100644 index 00000000000..b4a528dc9b1 --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/DeclareInClass/test.ql @@ -0,0 +1,5 @@ +import javascript + +from FieldDeclaration f, boolean ambient +where if f.isAmbient() then ambient = true else ambient = false +select f, ambient diff --git a/javascript/ql/test/library-tests/TypeScript/DeclareInClass/tst.ts b/javascript/ql/test/library-tests/TypeScript/DeclareInClass/tst.ts new file mode 100644 index 00000000000..0952c23532d --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/DeclareInClass/tst.ts @@ -0,0 +1,3 @@ +class C { + declare x: number; +} diff --git a/javascript/ql/test/library-tests/TypeScript/ImportMeta/test.expected b/javascript/ql/test/library-tests/TypeScript/ImportMeta/test.expected new file mode 100644 index 00000000000..0ff37c1665a --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/ImportMeta/test.expected @@ -0,0 +1 @@ +| tst.ts:7:9:7:19 | import.meta | diff --git a/javascript/ql/test/library-tests/TypeScript/ImportMeta/test.ql b/javascript/ql/test/library-tests/TypeScript/ImportMeta/test.ql new file mode 100644 index 00000000000..311aa4b4050 --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/ImportMeta/test.ql @@ -0,0 +1,5 @@ +import javascript + +from Expr prop +where prop instanceof ImportMetaExpr +select prop \ No newline at end of file diff --git a/javascript/ql/test/library-tests/TypeScript/ImportMeta/tsconfig.json b/javascript/ql/test/library-tests/TypeScript/ImportMeta/tsconfig.json new file mode 100644 index 00000000000..17971333806 --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/ImportMeta/tsconfig.json @@ -0,0 +1,3 @@ +{ + +} diff --git a/javascript/ql/test/library-tests/TypeScript/ImportMeta/tst.ts b/javascript/ql/test/library-tests/TypeScript/ImportMeta/tst.ts new file mode 100644 index 00000000000..fe18ee13784 --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/ImportMeta/tst.ts @@ -0,0 +1,7 @@ + + +interface ImportMeta { + wellKnownProperty: { a: number, b: string, c: boolean }; +} + +var a = import.meta.wellKnownProperty.a; \ No newline at end of file diff --git a/javascript/ql/test/library-tests/TypeScript/PromiseType/PromiseType.expected b/javascript/ql/test/library-tests/TypeScript/PromiseType/PromiseType.expected index bd0c467ad14..40c1f30e72a 100644 --- a/javascript/ql/test/library-tests/TypeScript/PromiseType/PromiseType.expected +++ b/javascript/ql/test/library-tests/TypeScript/PromiseType/PromiseType.expected @@ -1,10 +1,8 @@ | p1 | MyPromise | string | | p2 | MyPromise | any | | p3 | Promise | string | -| p4 | PromiseLike | string | | p5 | PromiseLike | string | | p6 | Thenable | string | -| p7 | Thenable | string | | p8 | ThenPromise | string | | p9 | JQueryPromise | string | | p10 | JQueryGenericPromise | string | diff --git a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/IsTypeExpr.qll b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/IsTypeExpr.qll deleted file mode 100644 index a0ff44c2bdd..00000000000 --- a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/IsTypeExpr.qll +++ /dev/null @@ -1,5 +0,0 @@ -import javascript - -query predicate test_IsTypeExpr(IsTypeExpr type, VarTypeAccess res0, TypeExpr res1) { - res0 = type.getParameterName() and res1 = type.getPredicateType() -} diff --git a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/PredicateTypeExpr.qll b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/PredicateTypeExpr.qll new file mode 100644 index 00000000000..c38bf54ad1f --- /dev/null +++ b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/PredicateTypeExpr.qll @@ -0,0 +1,13 @@ +import javascript + +query predicate test_IsTypeExpr(IsTypeExpr type, VarTypeAccess res0, TypeExpr res1) { + res0 = type.getParameterName() and res1 = type.getPredicateType() +} + +query predicate test_PredicateTypeExpr(PredicateTypeExpr type, VarTypeAccess res0) { + res0 = type.getParameterName() +} + +query predicate test_hasAssertsKeyword(PredicateTypeExpr type) { + type.hasAssertsKeyword() +} diff --git a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.expected b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.expected index eb0c717b2db..5db52c2afcd 100644 --- a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.expected +++ b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.expected @@ -105,6 +105,9 @@ test_VariableTypes | tst.ts:135:5:135:24 | tupleWithRestElement | tupleWithRestElement | tst.ts:135:27:135:47 | [number ... ring[]] | | tst.ts:136:5:136:36 | tupleWi ... lements | tupleWithOptionalAndRestElements | tst.ts:136:39:136:68 | [number ... mber[]] | | tst.ts:137:5:137:15 | unknownType | unknownType | tst.ts:137:18:137:24 | unknown | +| tst.ts:142:17:142:25 | condition | condition | tst.ts:142:28:142:30 | any | +| tst.ts:142:33:142:35 | msg | msg | tst.ts:142:39:142:44 | string | +| tst.ts:148:25:148:27 | val | val | tst.ts:148:30:148:32 | any | test_QualifiedTypeAccess | tst.ts:63:19:63:21 | N.I | tst.ts:63:19:63:19 | N | tst.ts:63:21:63:21 | I | | tst.ts:64:20:64:24 | N.M.I | tst.ts:64:20:64:22 | N.M | tst.ts:64:24:64:24 | I | @@ -148,6 +151,17 @@ test_IsTypeExpr | tst.ts:76:21:76:32 | that is Leaf | tst.ts:76:21:76:24 | that | tst.ts:76:29:76:32 | Leaf | | tst.ts:80:36:80:55 | x is Generic | tst.ts:80:36:80:36 | x | tst.ts:80:41:80:55 | Generic | | tst.ts:81:38:81:50 | x is typeof x | tst.ts:81:38:81:38 | x | tst.ts:81:43:81:50 | typeof x | +| tst.ts:148:36:148:56 | asserts ... string | tst.ts:148:44:148:46 | val | tst.ts:148:51:148:56 | string | +test_PredicateTypeExpr +| tst.ts:75:17:75:28 | this is Leaf | tst.ts:75:17:75:20 | this | +| tst.ts:76:21:76:32 | that is Leaf | tst.ts:76:21:76:24 | that | +| tst.ts:80:36:80:55 | x is Generic | tst.ts:80:36:80:36 | x | +| tst.ts:81:38:81:50 | x is typeof x | tst.ts:81:38:81:38 | x | +| tst.ts:142:48:142:64 | asserts condition | tst.ts:142:56:142:64 | condition | +| tst.ts:148:36:148:56 | asserts ... string | tst.ts:148:44:148:46 | val | +test_hasAssertsKeyword +| tst.ts:142:48:142:64 | asserts condition | +| tst.ts:148:36:148:56 | asserts ... string | test_ThisParameterTypes | function hasThisParam | tst.ts:116:29:116:32 | void | | method hasThisParam of interface InterfaceWithThisParam | tst.ts:119:22:119:43 | Interfa ... isParam | @@ -254,6 +268,8 @@ test_ReturnTypes | tst.ts:94:1:94:37 | functio ... rn x; } | function f1 | tst.ts:94:23:94:23 | S | | tst.ts:95:1:95:53 | functio ... x,y]; } | function f2 | tst.ts:95:31:95:35 | [S,T] | | tst.ts:96:1:96:52 | functio ... rn x; } | function f3 | tst.ts:96:38:96:38 | S | +| tst.ts:142:1:146:1 | functio ... )\\n }\\n} | function assert | tst.ts:142:48:142:64 | asserts condition | +| tst.ts:148:1:152:1 | functio ... ;\\n }\\n} | function assertIsString | tst.ts:148:36:148:56 | asserts ... string | test_KeyofTypeExpr | tst.ts:49:16:49:30 | keyof Interface | tst.ts:49:22:49:30 | Interface | | tst.ts:113:26:113:35 | keyof Node | tst.ts:113:32:113:35 | Node | diff --git a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.ql b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.ql index ff894fb06a5..bdabbc5f533 100644 --- a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.ql +++ b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tests.ql @@ -11,7 +11,7 @@ import GenericTypeExpr import IntersectionTypeExpr import FunctionTypeReturns import InterfaceTypeExpr -import IsTypeExpr +import PredicateTypeExpr import ThisParameterTypes import ChildIndex import TypeArguments diff --git a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tst.ts b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tst.ts index a9985b42878..faeb9e9c833 100644 --- a/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tst.ts +++ b/javascript/ql/test/library-tests/TypeScript/TypeAnnotations/tst.ts @@ -138,3 +138,15 @@ let unknownType: unknown; let taggedTemplateLiteralTypeArg1 = someTag`Hello`; let taggedTemplateLiteralTypeArg2 = someTag`Hello`; + +function assert(condition: any, msg?: string): asserts condition { + if (!condition) { + throw new AssertionError(msg) + } +} + +function assertIsString(val: any): asserts val is string { + if (typeof val !== "string") { + throw new AssertionError("Not a string!"); + } +} diff --git a/javascript/ql/test/library-tests/TypeScript/Types/GetExprType.expected b/javascript/ql/test/library-tests/TypeScript/Types/GetExprType.expected index 371cdb05b21..62832265649 100644 --- a/javascript/ql/test/library-tests/TypeScript/Types/GetExprType.expected +++ b/javascript/ql/test/library-tests/TypeScript/Types/GetExprType.expected @@ -93,6 +93,30 @@ | tst.ts:43:28:43:30 | foo | "foo" | | tst.ts:43:33:43:37 | "foo" | "foo" | | type_alias.ts:3:5:3:5 | b | boolean | +| type_alias.ts:7:5:7:5 | c | ValueOrArray | +| type_alias.ts:14:9:14:32 | [proper ... ]: Json | any | +| type_alias.ts:14:10:14:17 | property | string | +| type_alias.ts:17:5:17:8 | json | Json | +| type_alias.ts:21:18:21:35 | [key: string]: any | any | +| type_alias.ts:21:19:21:21 | key | string | +| type_alias.ts:23:7:23:12 | myNode | VirtualNode | +| type_alias.ts:24:5:27:5 | ["div", ... ]\\n ] | VirtualNode | +| type_alias.ts:24:6:24:10 | "div" | "div" | +| type_alias.ts:24:13:24:28 | { id: "parent" } | string \| { [key: string]: any; } | +| type_alias.ts:24:15:24:16 | id | string | +| type_alias.ts:24:19:24:26 | "parent" | "parent" | +| type_alias.ts:25:9:25:61 | ["div", ... child"] | VirtualNode | +| type_alias.ts:25:10:25:14 | "div" | "div" | +| type_alias.ts:25:17:25:37 | { id: " ... hild" } | string \| { [key: string]: any; } | +| type_alias.ts:25:19:25:20 | id | string | +| type_alias.ts:25:23:25:35 | "first-child" | "first-child" | +| type_alias.ts:25:40:25:60 | "I'm th ... child" | "I'm the first child" | +| type_alias.ts:26:9:26:63 | ["div", ... child"] | VirtualNode | +| type_alias.ts:26:10:26:14 | "div" | "div" | +| type_alias.ts:26:17:26:38 | { id: " ... hild" } | string \| { [key: string]: any; } | +| type_alias.ts:26:19:26:20 | id | string | +| type_alias.ts:26:23:26:36 | "second-child" | "second-child" | +| type_alias.ts:26:41:26:62 | "I'm th ... child" | "I'm the second child" | | type_definition_objects.ts:1:13:1:17 | dummy | typeof dummy.ts | | type_definition_objects.ts:1:24:1:32 | "./dummy" | any | | type_definition_objects.ts:3:14:3:14 | C | C | @@ -115,4 +139,4 @@ | type_definitions.ts:16:5:16:9 | color | Color | | type_definitions.ts:18:6:18:22 | EnumWithOneMember | EnumWithOneMember | | type_definitions.ts:19:5:19:5 | e | EnumWithOneMember | -| type_definitions.ts:22:5:22:23 | aliasForNumberArray | number[] | +| type_definitions.ts:22:5:22:23 | aliasForNumberArray | Alias | diff --git a/javascript/ql/test/library-tests/TypeScript/Types/GetTypeDefinitionType.expected b/javascript/ql/test/library-tests/TypeScript/Types/GetTypeDefinitionType.expected index 00d2813750e..66c343fd601 100644 --- a/javascript/ql/test/library-tests/TypeScript/Types/GetTypeDefinitionType.expected +++ b/javascript/ql/test/library-tests/TypeScript/Types/GetTypeDefinitionType.expected @@ -1,8 +1,11 @@ | type_alias.ts:1:1:1:17 | type B = boolean; | boolean | +| type_alias.ts:5:1:5:50 | type Va ... ay>; | ValueOrArray | +| type_alias.ts:9:1:15:13 | type Js ... Json[]; | Json | +| type_alias.ts:19:1:21:57 | type Vi ... ode[]]; | VirtualNode | | type_definition_objects.ts:3:8:3:17 | class C {} | C | | type_definition_objects.ts:6:8:6:16 | enum E {} | E | | type_definitions.ts:3:1:5:1 | interfa ... x: S;\\n} | I | | type_definitions.ts:8:1:10:1 | class C ... x: T\\n} | C | | type_definitions.ts:13:1:15:1 | enum Co ... blue\\n} | Color | | type_definitions.ts:18:1:18:33 | enum En ... ember } | EnumWithOneMember | -| type_definitions.ts:21:1:21:20 | type Alias = T[]; | T[] | +| type_definitions.ts:21:1:21:20 | type Alias = T[]; | Alias | diff --git a/javascript/ql/test/library-tests/TypeScript/Types/GetTypeExprType.expected b/javascript/ql/test/library-tests/TypeScript/Types/GetTypeExprType.expected index 5bd82703bd8..0b9af780186 100644 --- a/javascript/ql/test/library-tests/TypeScript/Types/GetTypeExprType.expected +++ b/javascript/ql/test/library-tests/TypeScript/Types/GetTypeExprType.expected @@ -57,20 +57,56 @@ | tst.ts:37:17:37:18 | [] | [] | | tst.ts:38:27:38:47 | [number ... ring[]] | [number, ...string[]] | | tst.ts:38:28:38:33 | number | number | -| tst.ts:38:36:38:46 | ...string[] | string[] | +| tst.ts:38:36:38:46 | ...string[] | string | | tst.ts:38:39:38:44 | string | string | | tst.ts:38:39:38:46 | string[] | string[] | | tst.ts:39:39:39:68 | [number ... mber[]] | [number, string?, ...number[]] | | tst.ts:39:40:39:45 | number | number | | tst.ts:39:48:39:53 | string | string | | tst.ts:39:48:39:54 | string? | string | -| tst.ts:39:57:39:67 | ...number[] | number[] | +| tst.ts:39:57:39:67 | ...number[] | number | | tst.ts:39:60:39:65 | number | number | | tst.ts:39:60:39:67 | number[] | number[] | | tst.ts:40:18:40:24 | unknown | unknown | | type_alias.ts:1:6:1:6 | B | boolean | | type_alias.ts:1:10:1:16 | boolean | boolean | | type_alias.ts:3:8:3:8 | B | boolean | +| type_alias.ts:5:6:5:17 | ValueOrArray | ValueOrArray | +| type_alias.ts:5:19:5:19 | T | T | +| type_alias.ts:5:24:5:24 | T | T | +| type_alias.ts:5:24:5:49 | T \| Arr ... ray> | ValueOrArray | +| type_alias.ts:5:28:5:32 | Array | T[] | +| type_alias.ts:5:28:5:49 | Array> | ValueOrArray[] | +| type_alias.ts:5:34:5:45 | ValueOrArray | ValueOrArray | +| type_alias.ts:5:34:5:48 | ValueOrArray | ValueOrArray | +| type_alias.ts:5:47:5:47 | T | T | +| type_alias.ts:7:8:7:19 | ValueOrArray | ValueOrArray | +| type_alias.ts:7:8:7:27 | ValueOrArray | ValueOrArray | +| type_alias.ts:7:21:7:26 | number | number | +| type_alias.ts:9:6:9:9 | Json | Json | +| type_alias.ts:10:5:15:12 | \| strin ... Json[] | Json | +| type_alias.ts:10:7:10:12 | string | string | +| type_alias.ts:11:7:11:12 | number | number | +| type_alias.ts:12:7:12:13 | boolean | boolean | +| type_alias.ts:13:7:13:10 | null | null | +| type_alias.ts:14:7:14:34 | { [prop ... Json } | { [property: string]: Json; } | +| type_alias.ts:14:20:14:25 | string | string | +| type_alias.ts:14:29:14:32 | Json | Json | +| type_alias.ts:15:7:15:10 | Json | Json | +| type_alias.ts:15:7:15:12 | Json[] | Json[] | +| type_alias.ts:17:11:17:14 | Json | Json | +| type_alias.ts:19:6:19:16 | VirtualNode | VirtualNode | +| type_alias.ts:20:5:21:56 | \| strin ... Node[]] | VirtualNode | +| type_alias.ts:20:7:20:12 | string | string | +| type_alias.ts:21:7:21:56 | [string ... Node[]] | [string, { [key: string]: any; }, ...VirtualNod... | +| type_alias.ts:21:8:21:13 | string | string | +| type_alias.ts:21:16:21:37 | { [key: ... : any } | { [key: string]: any; } | +| type_alias.ts:21:24:21:29 | string | string | +| type_alias.ts:21:33:21:35 | any | any | +| type_alias.ts:21:40:21:55 | ...VirtualNode[] | VirtualNode | +| type_alias.ts:21:43:21:53 | VirtualNode | VirtualNode | +| type_alias.ts:21:43:21:55 | VirtualNode[] | VirtualNode[] | +| type_alias.ts:23:15:23:25 | VirtualNode | VirtualNode | | type_definitions.ts:3:11:3:11 | I | I | | type_definitions.ts:3:13:3:13 | S | S | | type_definitions.ts:4:6:4:6 | S | S | @@ -84,10 +120,10 @@ | type_definitions.ts:11:10:11:15 | number | number | | type_definitions.ts:16:12:16:16 | Color | Color | | type_definitions.ts:19:8:19:24 | EnumWithOneMember | EnumWithOneMember | -| type_definitions.ts:21:6:21:10 | Alias | T[] | +| type_definitions.ts:21:6:21:10 | Alias | Alias | | type_definitions.ts:21:12:21:12 | T | T | | type_definitions.ts:21:17:21:17 | T | T | -| type_definitions.ts:21:17:21:19 | T[] | T[] | -| type_definitions.ts:22:26:22:30 | Alias | T[] | -| type_definitions.ts:22:26:22:38 | Alias | number[] | +| type_definitions.ts:21:17:21:19 | T[] | Alias | +| type_definitions.ts:22:26:22:30 | Alias | Alias | +| type_definitions.ts:22:26:22:38 | Alias | Alias | | type_definitions.ts:22:32:22:37 | number | number | diff --git a/javascript/ql/test/library-tests/TypeScript/Types/ReferenceDefinition.expected b/javascript/ql/test/library-tests/TypeScript/Types/ReferenceDefinition.expected index 9704ac96d53..3426a936189 100644 --- a/javascript/ql/test/library-tests/TypeScript/Types/ReferenceDefinition.expected +++ b/javascript/ql/test/library-tests/TypeScript/Types/ReferenceDefinition.expected @@ -1,3 +1,5 @@ +| Alias | type_definitions.ts:21:1:21:20 | type Alias = T[]; | +| Alias | type_definitions.ts:21:1:21:20 | type Alias = T[]; | | C | type_definition_objects.ts:3:8:3:17 | class C {} | | C | type_definitions.ts:8:1:10:1 | class C ... x: T\\n} | | C | type_definitions.ts:8:1:10:1 | class C ... x: T\\n} | @@ -9,3 +11,7 @@ | EnumWithOneMember | type_definitions.ts:18:26:18:31 | member | | I | type_definitions.ts:3:1:5:1 | interfa ... x: S;\\n} | | I | type_definitions.ts:3:1:5:1 | interfa ... x: S;\\n} | +| Json | type_alias.ts:9:1:15:13 | type Js ... Json[]; | +| ValueOrArray | type_alias.ts:5:1:5:50 | type Va ... ay>; | +| ValueOrArray | type_alias.ts:5:1:5:50 | type Va ... ay>; | +| VirtualNode | type_alias.ts:19:1:21:57 | type Vi ... ode[]]; | diff --git a/javascript/ql/test/library-tests/TypeScript/Types/type_alias.ts b/javascript/ql/test/library-tests/TypeScript/Types/type_alias.ts index 3a831766991..d13eb159754 100644 --- a/javascript/ql/test/library-tests/TypeScript/Types/type_alias.ts +++ b/javascript/ql/test/library-tests/TypeScript/Types/type_alias.ts @@ -1,3 +1,27 @@ type B = boolean; var b: B; + +type ValueOrArray = T | Array>; + +var c: ValueOrArray; + +type Json = + | string + | number + | boolean + | null + | { [property: string]: Json } + | Json[]; + +var json: Json; + +type VirtualNode = + | string + | [string, { [key: string]: any }, ...VirtualNode[]]; + +const myNode: VirtualNode = + ["div", { id: "parent" }, + ["div", { id: "first-child" }, "I'm the first child"], + ["div", { id: "second-child" }, "I'm the second child"] + ]; diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/dual-use.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/dual-use.js new file mode 100644 index 00000000000..ea0af2e7fd3 --- /dev/null +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/dual-use.js @@ -0,0 +1,4 @@ +#!/bin/sh +":" //# ; exec /usr/bin/env node "$0" "$@" + +console.log('javascript'); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.expected b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.expected index fdca252fa67..fc95550e31f 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/IllegalInvocation.expected @@ -1,7 +1,5 @@ | tst.js:12:1:12:3 | C() | Illegal invocation of $@ as a function. | tst.js:1:9:1:8 | () {} | a constructor | | tst.js:13:1:13:10 | new (x=>x) | Illegal invocation of $@ using 'new'. | tst.js:13:6:13:9 | x=>x | an arrow function | -| tst.js:15:1:15:9 | new c.m() | Illegal invocation of $@ using 'new'. | tst.js:2:4:2:8 | () {} | a method | -| tst.js:24:1:24:9 | new o.g() | Illegal invocation of $@ using 'new'. | tst.js:19:4:19:8 | () {} | a method | | tst.js:42:1:42:7 | new g() | Illegal invocation of $@ using 'new'. | tst.js:39:1:39:16 | function* g() {} | a generator function | | tst.js:43:1:43:7 | new h() | Illegal invocation of $@ using 'new'. | tst.js:40:1:40:21 | async f ... h() {} | an async function | | tst.js:45:1:45:8 | reflective call | Illegal invocation of $@ as a function. | tst.js:1:9:1:8 | () {} | a constructor | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js index ecd10bb47ff..6a489653379 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js @@ -12,7 +12,7 @@ let c = new C(); // OK C(); // NOT OK new (x=>x); // NOT OK c.m(); // OK -new c.m(); // NOT OK +new c.m(); // NOT OK - but not flagged var o = { f: function() {}, @@ -21,7 +21,7 @@ var o = { o.f(); // OK new o.f(); // OK o.g(); // OK -new o.g(); // NOT OK +new o.g(); // NOT OK - but not flagged function f(b) { var g; @@ -53,4 +53,12 @@ class E { E.call(); // OK E.apply(); // OK -//semmle-extractor-options: --experimental +function invoke(fn) { + if (typeof fn === "function" && fn.hasOwnProperty("foo")) { + fn(); // OK + } +} +invoke(C); +invoke(function() {}); + +//semmle-extractor-options: --experimental \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js new file mode 100644 index 00000000000..6aaeaa7a9f1 --- /dev/null +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js @@ -0,0 +1,2 @@ +Array(45); // OK +new Array(45); // OK diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraydef.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraydef.js new file mode 100644 index 00000000000..8d70876f13a --- /dev/null +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraydef.js @@ -0,0 +1,2 @@ +function Array() {} +Array.prototype.foo = function() {}; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/externs.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/externs.js index ecc8ef4b71b..c81b555e5aa 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/externs.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/externs.js @@ -1,4 +1,10 @@ function Error() {} +Error.prototype.toString = function() {}; + function String() {} +String.prototype.toString = function() {}; + +function Array() {} +Array.prototype.toString = function() {}; //semmle-extractor-options: --externs \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected index 15f16afc916..187526de3a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected @@ -1 +1 @@ -| normalizedPaths.js:208:35:208:60 | // OK - ... anyway | Spurious alert | +| normalizedPaths.js:208:38:208:63 | // OK - ... anyway | Spurious alert | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 0985114baef..ad39e2200be 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected @@ -51,6 +51,8 @@ nodes | TaintedPath-es6.js:7:20:7:26 | req.url | | TaintedPath-es6.js:7:20:7:26 | req.url | | TaintedPath-es6.js:7:20:7:26 | req.url | +| TaintedPath-es6.js:7:20:7:26 | req.url | +| TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:26:10:45 | join("public", path) | @@ -135,6 +137,8 @@ nodes | TaintedPath.js:9:24:9:30 | req.url | | TaintedPath.js:9:24:9:30 | req.url | | TaintedPath.js:9:24:9:30 | req.url | +| TaintedPath.js:9:24:9:30 | req.url | +| TaintedPath.js:12:29:12:32 | path | | TaintedPath.js:12:29:12:32 | path | | TaintedPath.js:12:29:12:32 | path | | TaintedPath.js:12:29:12:32 | path | @@ -155,6 +159,7 @@ nodes | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:45:15:48 | path | | TaintedPath.js:15:45:15:48 | path | | TaintedPath.js:15:45:15:48 | path | @@ -171,6 +176,7 @@ nodes | TaintedPath.js:19:33:19:36 | path | | TaintedPath.js:19:33:19:36 | path | | TaintedPath.js:19:33:19:36 | path | +| TaintedPath.js:19:33:19:36 | path | | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:23:33:23:36 | path | @@ -187,6 +193,8 @@ nodes | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:27:33:27:36 | path | | TaintedPath.js:27:33:27:36 | path | | TaintedPath.js:27:33:27:36 | path | | TaintedPath.js:27:33:27:36 | path | @@ -219,6 +227,7 @@ nodes | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:35:31:35:34 | path | @@ -235,6 +244,8 @@ nodes | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:39:31:39:34 | path | @@ -319,6 +330,8 @@ nodes | TaintedPath.js:45:20:45:26 | req.url | | TaintedPath.js:45:20:45:26 | req.url | | TaintedPath.js:45:20:45:26 | req.url | +| TaintedPath.js:45:20:45:26 | req.url | +| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | @@ -359,6 +372,7 @@ nodes | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | | TaintedPath.js:53:45:53:48 | path | | TaintedPath.js:53:45:53:48 | path | | TaintedPath.js:53:45:53:48 | path | @@ -379,6 +393,7 @@ nodes | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | | TaintedPath.js:55:51:55:54 | path | | TaintedPath.js:55:51:55:54 | path | | TaintedPath.js:55:51:55:54 | path | @@ -399,6 +414,7 @@ nodes | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | | TaintedPath.js:57:50:57:53 | path | | TaintedPath.js:57:50:57:53 | path | | TaintedPath.js:57:50:57:53 | path | @@ -419,6 +435,7 @@ nodes | TaintedPath.js:59:29:59:56 | pathMod ... , path) | | TaintedPath.js:59:29:59:56 | pathMod ... , path) | | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:29:59:56 | pathMod ... , path) | | TaintedPath.js:59:52:59:55 | path | | TaintedPath.js:59:52:59:55 | path | | TaintedPath.js:59:52:59:55 | path | @@ -439,6 +456,7 @@ nodes | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | | TaintedPath.js:61:49:61:52 | path | | TaintedPath.js:61:49:61:52 | path | | TaintedPath.js:61:49:61:52 | path | @@ -459,6 +477,7 @@ nodes | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:29:63:52 | pathMod ... e(path) | | TaintedPath.js:63:48:63:51 | path | | TaintedPath.js:63:48:63:51 | path | | TaintedPath.js:63:48:63:51 | path | @@ -479,6 +498,7 @@ nodes | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | | TaintedPath.js:65:54:65:57 | path | | TaintedPath.js:65:54:65:57 | path | | TaintedPath.js:65:54:65:57 | path | @@ -511,6 +531,7 @@ nodes | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | | TaintedPath.js:67:57:67:60 | path | | TaintedPath.js:67:57:67:60 | path | | TaintedPath.js:67:57:67:60 | path | @@ -531,6 +552,7 @@ nodes | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | +| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:84:31:84:70 | require ... eq.url) | | TaintedPath.js:84:31:84:70 | require ... eq.url) | | TaintedPath.js:84:31:84:70 | require ... eq.url) | @@ -563,6 +585,8 @@ nodes | TaintedPath.js:84:31:84:76 | require ... ).query | | TaintedPath.js:84:31:84:76 | require ... ).query | | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:63:84:69 | req.url | | TaintedPath.js:84:63:84:69 | req.url | | TaintedPath.js:84:63:84:69 | req.url | | TaintedPath.js:84:63:84:69 | req.url | @@ -599,6 +623,8 @@ nodes | TaintedPath.js:85:31:85:74 | require ... ).query | | TaintedPath.js:85:31:85:74 | require ... ).query | | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:61:85:67 | req.url | | TaintedPath.js:85:61:85:67 | req.url | | TaintedPath.js:85:61:85:67 | req.url | | TaintedPath.js:85:61:85:67 | req.url | @@ -635,6 +661,8 @@ nodes | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:60:86:66 | req.url | | TaintedPath.js:86:60:86:66 | req.url | | TaintedPath.js:86:60:86:66 | req.url | | TaintedPath.js:86:60:86:66 | req.url | @@ -643,6 +671,9 @@ nodes | TaintedPath.js:94:48:94:60 | req.params[0] | | TaintedPath.js:94:48:94:60 | req.params[0] | | TaintedPath.js:94:48:94:60 | req.params[0] | +| TaintedPath.js:94:48:94:60 | req.params[0] | +| TaintedPath.js:94:48:94:60 | req.params[0] | +| TaintedPath.js:102:30:102:31 | ev | | TaintedPath.js:102:30:102:31 | ev | | TaintedPath.js:102:30:102:31 | ev | | TaintedPath.js:102:30:102:31 | ev | @@ -723,6 +754,8 @@ nodes | TaintedPath.js:107:23:107:29 | req.url | | TaintedPath.js:107:23:107:29 | req.url | | TaintedPath.js:107:23:107:29 | req.url | +| TaintedPath.js:107:23:107:29 | req.url | +| TaintedPath.js:109:28:109:48 | fs.real ... c(path) | | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | @@ -767,6 +800,7 @@ nodes | TaintedPath.js:112:45:112:52 | realpath | | TaintedPath.js:112:45:112:52 | realpath | | TaintedPath.js:112:45:112:52 | realpath | +| TaintedPath.js:112:45:112:52 | realpath | | normalizedPaths.js:11:7:11:27 | path | | normalizedPaths.js:11:7:11:27 | path | | normalizedPaths.js:11:7:11:27 | path | @@ -775,38 +809,44 @@ nodes | normalizedPaths.js:11:14:11:27 | req.query.path | | normalizedPaths.js:11:14:11:27 | req.query.path | | normalizedPaths.js:11:14:11:27 | req.query.path | -| normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:14:16:14:26 | './' + path | -| normalizedPaths.js:14:16:14:26 | './' + path | -| normalizedPaths.js:14:16:14:26 | './' + path | -| normalizedPaths.js:14:23:14:26 | path | -| normalizedPaths.js:14:23:14:26 | path | -| normalizedPaths.js:14:23:14:26 | path | -| normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | -| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | -| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | -| normalizedPaths.js:17:50:17:53 | path | -| normalizedPaths.js:17:50:17:53 | path | -| normalizedPaths.js:17:50:17:53 | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | +| normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:26:14:29 | path | +| normalizedPaths.js:14:26:14:29 | path | +| normalizedPaths.js:14:26:14:29 | path | +| normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | +| normalizedPaths.js:17:53:17:56 | path | +| normalizedPaths.js:17:53:17:56 | path | | normalizedPaths.js:21:7:21:49 | path | | normalizedPaths.js:21:7:21:49 | path | | normalizedPaths.js:21:7:21:49 | path | @@ -819,58 +859,71 @@ nodes | normalizedPaths.js:21:35:21:48 | req.query.path | | normalizedPaths.js:21:35:21:48 | req.query.path | | normalizedPaths.js:21:35:21:48 | req.query.path | -| normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:24:16:24:26 | './' + path | -| normalizedPaths.js:24:16:24:26 | './' + path | -| normalizedPaths.js:24:23:24:26 | path | -| normalizedPaths.js:24:23:24:26 | path | -| normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:27:16:27:54 | pathMod ... , path) | -| normalizedPaths.js:27:16:27:54 | pathMod ... , path) | -| normalizedPaths.js:27:50:27:53 | path | -| normalizedPaths.js:27:50:27:53 | path | +| normalizedPaths.js:21:35:21:48 | req.query.path | +| normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:24:26:24:29 | path | +| normalizedPaths.js:24:26:24:29 | path | +| normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:27:53:27:56 | path | +| normalizedPaths.js:27:53:27:56 | path | | normalizedPaths.js:31:7:31:49 | path | | normalizedPaths.js:31:7:31:49 | path | | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | | normalizedPaths.js:31:35:31:48 | req.query.path | | normalizedPaths.js:31:35:31:48 | req.query.path | -| normalizedPaths.js:36:16:36:19 | path | -| normalizedPaths.js:36:16:36:19 | path | -| normalizedPaths.js:41:18:41:21 | path | -| normalizedPaths.js:41:18:41:21 | path | +| normalizedPaths.js:31:35:31:48 | req.query.path | +| normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:41:21:41:24 | path | +| normalizedPaths.js:41:21:41:24 | path | +| normalizedPaths.js:41:21:41:24 | path | | normalizedPaths.js:54:7:54:49 | path | | normalizedPaths.js:54:7:54:49 | path | | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | | normalizedPaths.js:54:35:54:48 | req.query.path | | normalizedPaths.js:54:35:54:48 | req.query.path | -| normalizedPaths.js:59:16:59:19 | path | -| normalizedPaths.js:59:16:59:19 | path | -| normalizedPaths.js:63:16:63:19 | path | -| normalizedPaths.js:63:16:63:19 | path | -| normalizedPaths.js:63:16:63:35 | path + "/index.html" | -| normalizedPaths.js:63:16:63:35 | path + "/index.html" | -| normalizedPaths.js:68:18:68:21 | path | -| normalizedPaths.js:68:18:68:21 | path | +| normalizedPaths.js:54:35:54:48 | req.query.path | +| normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:63:19:63:22 | path | +| normalizedPaths.js:63:19:63:22 | path | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:68:21:68:24 | path | +| normalizedPaths.js:68:21:68:24 | path | +| normalizedPaths.js:68:21:68:24 | path | | normalizedPaths.js:73:7:73:56 | path | | normalizedPaths.js:73:7:73:56 | path | | normalizedPaths.js:73:7:73:56 | path | @@ -883,15 +936,20 @@ nodes | normalizedPaths.js:73:42:73:55 | req.query.path | | normalizedPaths.js:73:42:73:55 | req.query.path | | normalizedPaths.js:73:42:73:55 | req.query.path | -| normalizedPaths.js:78:19:78:22 | path | -| normalizedPaths.js:78:19:78:22 | path | -| normalizedPaths.js:78:19:78:22 | path | +| normalizedPaths.js:73:42:73:55 | req.query.path | +| normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:78:22:78:25 | path | | normalizedPaths.js:82:7:82:27 | path | | normalizedPaths.js:82:7:82:27 | path | | normalizedPaths.js:82:14:82:27 | req.query.path | | normalizedPaths.js:82:14:82:27 | req.query.path | +| normalizedPaths.js:82:14:82:27 | req.query.path | | normalizedPaths.js:87:29:87:32 | path | | normalizedPaths.js:87:29:87:32 | path | +| normalizedPaths.js:87:29:87:32 | path | +| normalizedPaths.js:90:31:90:34 | path | | normalizedPaths.js:90:31:90:34 | path | | normalizedPaths.js:94:7:94:49 | path | | normalizedPaths.js:94:7:94:49 | path | @@ -899,6 +957,8 @@ nodes | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | | normalizedPaths.js:94:35:94:48 | req.query.path | | normalizedPaths.js:94:35:94:48 | req.query.path | +| normalizedPaths.js:94:35:94:48 | req.query.path | +| normalizedPaths.js:99:29:99:32 | path | | normalizedPaths.js:99:29:99:32 | path | | normalizedPaths.js:99:29:99:32 | path | | normalizedPaths.js:117:7:117:44 | path | @@ -913,18 +973,21 @@ nodes | normalizedPaths.js:117:30:117:43 | req.query.path | | normalizedPaths.js:117:30:117:43 | req.query.path | | normalizedPaths.js:117:30:117:43 | req.query.path | -| normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:32:120:35 | path | -| normalizedPaths.js:120:32:120:35 | path | -| normalizedPaths.js:120:32:120:35 | path | -| normalizedPaths.js:120:32:120:35 | path | +| normalizedPaths.js:117:30:117:43 | req.query.path | +| normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | +| normalizedPaths.js:120:35:120:38 | path | +| normalizedPaths.js:120:35:120:38 | path | +| normalizedPaths.js:120:35:120:38 | path | | normalizedPaths.js:130:7:130:49 | path | | normalizedPaths.js:130:7:130:49 | path | | normalizedPaths.js:130:7:130:49 | path | @@ -934,9 +997,11 @@ nodes | normalizedPaths.js:130:35:130:48 | req.query.path | | normalizedPaths.js:130:35:130:48 | req.query.path | | normalizedPaths.js:130:35:130:48 | req.query.path | -| normalizedPaths.js:135:18:135:21 | path | -| normalizedPaths.js:135:18:135:21 | path | -| normalizedPaths.js:135:18:135:21 | path | +| normalizedPaths.js:130:35:130:48 | req.query.path | +| normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:135:21:135:24 | path | | normalizedPaths.js:139:7:139:62 | path | | normalizedPaths.js:139:7:139:62 | path | | normalizedPaths.js:139:7:139:62 | path | @@ -946,9 +1011,11 @@ nodes | normalizedPaths.js:139:48:139:61 | req.query.path | | normalizedPaths.js:139:48:139:61 | req.query.path | | normalizedPaths.js:139:48:139:61 | req.query.path | -| normalizedPaths.js:144:18:144:21 | path | -| normalizedPaths.js:144:18:144:21 | path | -| normalizedPaths.js:144:18:144:21 | path | +| normalizedPaths.js:139:48:139:61 | req.query.path | +| normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:144:21:144:24 | path | | normalizedPaths.js:148:7:148:58 | path | | normalizedPaths.js:148:7:148:58 | path | | normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | @@ -957,20 +1024,26 @@ nodes | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | | normalizedPaths.js:148:44:148:57 | req.query.path | | normalizedPaths.js:148:44:148:57 | req.query.path | -| normalizedPaths.js:151:18:151:21 | path | -| normalizedPaths.js:151:18:151:21 | path | -| normalizedPaths.js:153:18:153:21 | path | -| normalizedPaths.js:153:18:153:21 | path | +| normalizedPaths.js:148:44:148:57 | req.query.path | +| normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:153:21:153:24 | path | +| normalizedPaths.js:153:21:153:24 | path | +| normalizedPaths.js:153:21:153:24 | path | | normalizedPaths.js:160:7:160:49 | path | | normalizedPaths.js:160:7:160:49 | path | | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | | normalizedPaths.js:160:35:160:48 | req.query.path | | normalizedPaths.js:160:35:160:48 | req.query.path | -| normalizedPaths.js:165:16:165:19 | path | -| normalizedPaths.js:165:16:165:19 | path | -| normalizedPaths.js:170:18:170:21 | path | -| normalizedPaths.js:170:18:170:21 | path | +| normalizedPaths.js:160:35:160:48 | req.query.path | +| normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:170:21:170:24 | path | +| normalizedPaths.js:170:21:170:24 | path | +| normalizedPaths.js:170:21:170:24 | path | | normalizedPaths.js:174:7:174:27 | path | | normalizedPaths.js:174:7:174:27 | path | | normalizedPaths.js:174:7:174:27 | path | @@ -979,23 +1052,30 @@ nodes | normalizedPaths.js:174:14:174:27 | req.query.path | | normalizedPaths.js:174:14:174:27 | req.query.path | | normalizedPaths.js:174:14:174:27 | req.query.path | -| normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:187:18:187:21 | path | -| normalizedPaths.js:187:18:187:21 | path | -| normalizedPaths.js:189:18:189:21 | path | -| normalizedPaths.js:189:18:189:21 | path | -| normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:194:18:194:21 | path | -| normalizedPaths.js:199:18:199:21 | path | -| normalizedPaths.js:199:18:199:21 | path | -| normalizedPaths.js:199:18:199:21 | path | -| normalizedPaths.js:199:18:199:21 | path | +| normalizedPaths.js:174:14:174:27 | req.query.path | +| normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:194:21:194:24 | path | +| normalizedPaths.js:194:21:194:24 | path | +| normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:199:21:199:24 | path | | normalizedPaths.js:201:7:201:49 | normalizedPath | | normalizedPaths.js:201:7:201:49 | normalizedPath | | normalizedPaths.js:201:7:201:49 | normalizedPath | @@ -1008,18 +1088,21 @@ nodes | normalizedPaths.js:201:45:201:48 | path | | normalizedPaths.js:201:45:201:48 | path | | normalizedPaths.js:201:45:201:48 | path | -| normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:210:18:210:31 | normalizedPath | -| normalizedPaths.js:210:18:210:31 | normalizedPath | -| normalizedPaths.js:210:18:210:31 | normalizedPath | -| normalizedPaths.js:210:18:210:31 | normalizedPath | +| normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:210:21:210:34 | normalizedPath | | normalizedPaths.js:214:7:214:49 | path | | normalizedPaths.js:214:7:214:49 | path | | normalizedPaths.js:214:7:214:49 | path | @@ -1032,6 +1115,7 @@ nodes | normalizedPaths.js:214:35:214:48 | req.query.path | | normalizedPaths.js:214:35:214:48 | req.query.path | | normalizedPaths.js:214:35:214:48 | req.query.path | +| normalizedPaths.js:214:35:214:48 | req.query.path | | normalizedPaths.js:219:3:219:33 | path | | normalizedPaths.js:219:3:219:33 | path | | normalizedPaths.js:219:3:219:33 | path | @@ -1044,10 +1128,11 @@ nodes | normalizedPaths.js:219:29:219:32 | path | | normalizedPaths.js:219:29:219:32 | path | | normalizedPaths.js:219:29:219:32 | path | -| normalizedPaths.js:222:18:222:21 | path | -| normalizedPaths.js:222:18:222:21 | path | -| normalizedPaths.js:222:18:222:21 | path | -| normalizedPaths.js:222:18:222:21 | path | +| normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:222:21:222:24 | path | | normalizedPaths.js:226:7:226:70 | path | | normalizedPaths.js:226:7:226:70 | path | | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | @@ -1056,24 +1141,50 @@ nodes | normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | | normalizedPaths.js:226:35:226:48 | req.query.path | | normalizedPaths.js:226:35:226:48 | req.query.path | -| normalizedPaths.js:228:18:228:21 | path | -| normalizedPaths.js:228:18:228:21 | path | +| normalizedPaths.js:226:35:226:48 | req.query.path | +| normalizedPaths.js:228:21:228:24 | path | +| normalizedPaths.js:228:21:228:24 | path | +| normalizedPaths.js:228:21:228:24 | path | | tainted-require.js:7:19:7:37 | req.param("module") | | tainted-require.js:7:19:7:37 | req.param("module") | | tainted-require.js:7:19:7:37 | req.param("module") | | tainted-require.js:7:19:7:37 | req.param("module") | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | +| tainted-require.js:7:19:7:37 | req.param("module") | +| tainted-require.js:7:19:7:37 | req.param("module") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | +| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | +| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | +| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | +| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | +| tainted-sendFile.js:24:37:24:48 | req.params.x | +| tainted-sendFile.js:24:37:24:48 | req.params.x | +| tainted-sendFile.js:24:37:24:48 | req.params.x | +| tainted-sendFile.js:24:37:24:48 | req.params.x | +| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | +| tainted-sendFile.js:25:34:25:45 | req.params.x | +| tainted-sendFile.js:25:34:25:45 | req.params.x | +| tainted-sendFile.js:25:34:25:45 | req.params.x | +| views.js:1:43:1:55 | req.params[0] | +| views.js:1:43:1:55 | req.params[0] | | views.js:1:43:1:55 | req.params[0] | | views.js:1:43:1:55 | req.params[0] | | views.js:1:43:1:55 | req.params[0] | @@ -1139,6 +1250,18 @@ edges | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | +| TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | @@ -1151,6 +1274,34 @@ edges | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | | TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | @@ -1183,6 +1334,26 @@ edges | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path | @@ -1215,38 +1386,38 @@ edges | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | @@ -1263,102 +1434,6 @@ edges | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:5:35:5 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | @@ -1375,102 +1450,38 @@ edges | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:35:31:35:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path | @@ -1551,6 +1562,34 @@ edges | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | +| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | @@ -1563,1654 +1602,6 @@ edges | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | | TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:31:31:31:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:5:35:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:35:31:35:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:3:38:3 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:35:5:35:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | -| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path | | TaintedPath.js:45:3:45:44 | path | TaintedPath.js:49:48:49:51 | path | | TaintedPath.js:45:3:45:44 | path | TaintedPath.js:49:48:49:51 | path | | TaintedPath.js:45:3:45:44 | path | TaintedPath.js:49:48:49:51 | path | @@ -3415,6 +1806,22 @@ edges | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | +| TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:45:10:45:33 | url.par ... , true) | | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | @@ -3431,6 +1838,38 @@ edges | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | | TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:49:48:49:51 | path | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | +| TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | | TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | | TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | | TaintedPath.js:53:45:53:48 | path | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | @@ -3459,6 +1898,34 @@ edges | TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | | TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | | TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:55:51:55:54 | path | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | +| TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | | TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | | TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | | TaintedPath.js:57:50:57:53 | path | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | @@ -3491,6 +1958,38 @@ edges | TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | | TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | | TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:59:52:59:55 | path | TaintedPath.js:59:29:59:56 | pathMod ... , path) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | +| TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | | TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | | TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | | TaintedPath.js:61:49:61:52 | path | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | @@ -3523,6 +2022,38 @@ edges | TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | | TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | | TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:63:48:63:51 | path | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | +| TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | | TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | | TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | | TaintedPath.js:65:54:65:57 | path | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | @@ -3555,6 +2086,38 @@ edges | TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | | TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | | TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:67:57:67:60 | path | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | +| TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | | TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | | TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | | TaintedPath.js:84:31:84:70 | require ... eq.url) | TaintedPath.js:84:31:84:76 | require ... ).query | @@ -3587,6 +2150,38 @@ edges | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:70 | require ... eq.url) | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | +| TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | | TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | | TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | | TaintedPath.js:85:31:85:68 | require ... eq.url) | TaintedPath.js:85:31:85:74 | require ... ).query | @@ -3619,6 +2214,38 @@ edges | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | +| TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | | TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query | @@ -3651,6 +2278,27 @@ edges | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) | +| TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | +| TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | +| TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | +| TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | +| TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev | @@ -3663,6 +2311,10 @@ edges | TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | +| TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | +| TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | +| TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | +| TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | | TaintedPath.js:107:6:107:47 | path | TaintedPath.js:109:44:109:47 | path | | TaintedPath.js:107:6:107:47 | path | TaintedPath.js:109:44:109:47 | path | | TaintedPath.js:107:6:107:47 | path | TaintedPath.js:109:44:109:47 | path | @@ -3759,6 +2411,38 @@ edges | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:107:13:107:36 | url.par ... , true) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | +| TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | | TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | | TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | | TaintedPath.js:109:44:109:47 | path | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | @@ -3795,58 +2479,88 @@ edges | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:16:13:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:23:14:26 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:23:14:26 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:23:14:26 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:16:15:19 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:32:16:35 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:50:17:53 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:50:17:53 | path | -| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:50:17:53 | path | +| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | +| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | +| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | +| TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:26:14:29 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:26:14:29 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:14:26:14:29 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:15:19:15:22 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:16:35:16:38 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:53:17:56 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:53:17:56 | path | +| normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:17:53:17:56 | path | | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | -| normalizedPaths.js:14:23:14:26 | path | normalizedPaths.js:14:16:14:26 | './' + path | -| normalizedPaths.js:14:23:14:26 | path | normalizedPaths.js:14:16:14:26 | './' + path | -| normalizedPaths.js:14:23:14:26 | path | normalizedPaths.js:14:16:14:26 | './' + path | -| normalizedPaths.js:15:16:15:19 | path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:15:16:15:19 | path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:15:16:15:19 | path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:15:16:15:19 | path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | -| normalizedPaths.js:16:32:16:35 | path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:32:16:35 | path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:32:16:35 | path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:16:32:16:35 | path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | -| normalizedPaths.js:17:50:17:53 | path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | -| normalizedPaths.js:17:50:17:53 | path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | -| normalizedPaths.js:17:50:17:53 | path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:16:23:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:24:23:24:26 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:24:23:24:26 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:16:25:19 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:32:26:35 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:27:50:27:53 | path | -| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:27:50:27:53 | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | +| normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:11:7:11:27 | path | +| normalizedPaths.js:14:26:14:29 | path | normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:26:14:29 | path | normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:26:14:29 | path | normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:26:14:29 | path | normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:26:14:29 | path | normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:14:26:14:29 | path | normalizedPaths.js:14:19:14:29 | './' + path | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:15:19:15:22 | path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:16:35:16:38 | path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | +| normalizedPaths.js:17:53:17:56 | path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:17:53:17:56 | path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:23:19:23:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:24:26:24:29 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:24:26:24:29 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:25:19:25:22 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:26:35:26:38 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:27:53:27:56 | path | +| normalizedPaths.js:21:7:21:49 | path | normalizedPaths.js:27:53:27:56 | path | | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | normalizedPaths.js:21:7:21:49 | path | | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | normalizedPaths.js:21:7:21:49 | path | | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | normalizedPaths.js:21:7:21:49 | path | @@ -3855,41 +2569,74 @@ edges | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | -| normalizedPaths.js:24:23:24:26 | path | normalizedPaths.js:24:16:24:26 | './' + path | -| normalizedPaths.js:24:23:24:26 | path | normalizedPaths.js:24:16:24:26 | './' + path | -| normalizedPaths.js:25:16:25:19 | path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:25:16:25:19 | path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:25:16:25:19 | path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:25:16:25:19 | path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | -| normalizedPaths.js:26:32:26:35 | path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:32:26:35 | path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:32:26:35 | path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:26:32:26:35 | path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | -| normalizedPaths.js:27:50:27:53 | path | normalizedPaths.js:27:16:27:54 | pathMod ... , path) | -| normalizedPaths.js:27:50:27:53 | path | normalizedPaths.js:27:16:27:54 | pathMod ... , path) | -| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:16:36:19 | path | -| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:16:36:19 | path | -| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:18:41:21 | path | -| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:18:41:21 | path | +| normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | +| normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | +| normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | +| normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:21:14:21:49 | pathMod ... y.path) | +| normalizedPaths.js:24:26:24:29 | path | normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:24:26:24:29 | path | normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:24:26:24:29 | path | normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:24:26:24:29 | path | normalizedPaths.js:24:19:24:29 | './' + path | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:25:19:25:22 | path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:26:35:26:38 | path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | +| normalizedPaths.js:27:53:27:56 | path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:27:53:27:56 | path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:27:53:27:56 | path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:27:53:27:56 | path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:36:19:36:22 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:21:41:24 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:21:41:24 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:21:41:24 | path | +| normalizedPaths.js:31:7:31:49 | path | normalizedPaths.js:41:21:41:24 | path | | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | normalizedPaths.js:31:7:31:49 | path | | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | normalizedPaths.js:31:7:31:49 | path | | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | -| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:16:59:19 | path | -| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:16:59:19 | path | -| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:63:16:63:19 | path | -| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:63:16:63:19 | path | -| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:18:68:21 | path | -| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:18:68:21 | path | +| normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | +| normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:31:14:31:49 | pathMod ... y.path) | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:59:19:59:22 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:63:19:63:22 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:63:19:63:22 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:21:68:24 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:21:68:24 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:21:68:24 | path | +| normalizedPaths.js:54:7:54:49 | path | normalizedPaths.js:68:21:68:24 | path | | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | normalizedPaths.js:54:7:54:49 | path | | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | normalizedPaths.js:54:7:54:49 | path | | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | -| normalizedPaths.js:63:16:63:19 | path | normalizedPaths.js:63:16:63:35 | path + "/index.html" | -| normalizedPaths.js:63:16:63:19 | path | normalizedPaths.js:63:16:63:35 | path + "/index.html" | -| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:19:78:22 | path | -| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:19:78:22 | path | -| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:19:78:22 | path | +| normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | +| normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:54:14:54:49 | pathMod ... y.path) | +| normalizedPaths.js:63:19:63:22 | path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:63:19:63:22 | path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:63:19:63:22 | path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:63:19:63:22 | path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | +| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:22:78:25 | path | +| normalizedPaths.js:73:7:73:56 | path | normalizedPaths.js:78:22:78:25 | path | | normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | normalizedPaths.js:73:7:73:56 | path | | normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | normalizedPaths.js:73:7:73:56 | path | | normalizedPaths.js:73:14:73:56 | pathMod ... y.path) | normalizedPaths.js:73:7:73:56 | path | @@ -3899,25 +2646,41 @@ edges | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' + ... ry.path | | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' + ... ry.path | | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' + ... ry.path | +| normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' + ... ry.path | +| normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' + ... ry.path | +| normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:73:35:73:55 | './' + ... ry.path | +| normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:87:29:87:32 | path | +| normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:87:29:87:32 | path | | normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:87:29:87:32 | path | | normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:87:29:87:32 | path | | normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:90:31:90:34 | path | +| normalizedPaths.js:82:7:82:27 | path | normalizedPaths.js:90:31:90:34 | path | | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:7:82:27 | path | | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:7:82:27 | path | +| normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:7:82:27 | path | +| normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:82:7:82:27 | path | +| normalizedPaths.js:94:7:94:49 | path | normalizedPaths.js:99:29:99:32 | path | +| normalizedPaths.js:94:7:94:49 | path | normalizedPaths.js:99:29:99:32 | path | | normalizedPaths.js:94:7:94:49 | path | normalizedPaths.js:99:29:99:32 | path | | normalizedPaths.js:94:7:94:49 | path | normalizedPaths.js:99:29:99:32 | path | | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | normalizedPaths.js:94:7:94:49 | path | | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | normalizedPaths.js:94:7:94:49 | path | | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:16:119:19 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:32:120:35 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:32:120:35 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:32:120:35 | path | -| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:32:120:35 | path | +| normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | +| normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:94:14:94:49 | pathMod ... y.path) | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:119:19:119:22 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:35:120:38 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:35:120:38 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:35:120:38 | path | +| normalizedPaths.js:117:7:117:44 | path | normalizedPaths.js:120:35:120:38 | path | | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | normalizedPaths.js:117:7:117:44 | path | | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | normalizedPaths.js:117:7:117:44 | path | | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | normalizedPaths.js:117:7:117:44 | path | @@ -3926,63 +2689,112 @@ edges | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | -| normalizedPaths.js:120:32:120:35 | path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:32:120:35 | path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:32:120:35 | path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:120:32:120:35 | path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | -| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:18:135:21 | path | -| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:18:135:21 | path | -| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:18:135:21 | path | +| normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | +| normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | +| normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | +| normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:117:14:117:44 | fs.real ... y.path) | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:120:35:120:38 | path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | +| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:21:135:24 | path | +| normalizedPaths.js:130:7:130:49 | path | normalizedPaths.js:135:21:135:24 | path | | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | normalizedPaths.js:130:7:130:49 | path | | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | normalizedPaths.js:130:7:130:49 | path | | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | normalizedPaths.js:130:7:130:49 | path | | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | -| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:18:144:21 | path | -| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:18:144:21 | path | -| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:18:144:21 | path | +| normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | +| normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | +| normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:130:14:130:49 | pathMod ... y.path) | +| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:21:144:24 | path | +| normalizedPaths.js:139:7:139:62 | path | normalizedPaths.js:144:21:144:24 | path | | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | normalizedPaths.js:139:7:139:62 | path | | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | normalizedPaths.js:139:7:139:62 | path | | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | normalizedPaths.js:139:7:139:62 | path | | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | -| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:18:151:21 | path | -| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:18:151:21 | path | -| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:18:153:21 | path | -| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:18:153:21 | path | +| normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | +| normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | +| normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:139:14:139:62 | pathMod ... y.path) | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:151:21:151:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:21:153:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:21:153:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:21:153:24 | path | +| normalizedPaths.js:148:7:148:58 | path | normalizedPaths.js:153:21:153:24 | path | | normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | normalizedPaths.js:148:7:148:58 | path | | normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | normalizedPaths.js:148:7:148:58 | path | | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | normalizedPaths.js:148:14:148:58 | 'foo/' ... y.path) | | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | -| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:16:165:19 | path | -| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:16:165:19 | path | -| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:18:170:21 | path | -| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:18:170:21 | path | +| normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | +| normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:148:23:148:58 | pathMod ... y.path) | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:165:19:165:22 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:21:170:24 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:21:170:24 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:21:170:24 | path | +| normalizedPaths.js:160:7:160:49 | path | normalizedPaths.js:170:21:170:24 | path | | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | normalizedPaths.js:160:7:160:49 | path | | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | normalizedPaths.js:160:7:160:49 | path | | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:16:184:19 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:18:187:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:18:187:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:18:189:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:18:189:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:18:192:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:194:18:194:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path | -| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:18:199:21 | path | +| normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | +| normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:160:14:160:49 | pathMod ... y.path) | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:184:19:184:22 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:187:21:187:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:189:21:189:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:192:21:192:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:194:21:194:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:194:21:194:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | +| normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:199:21:199:24 | path | | normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path | | normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path | | normalizedPaths.js:174:7:174:27 | path | normalizedPaths.js:201:45:201:48 | path | @@ -3991,18 +2803,34 @@ edges | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:18:205:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:18:208:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:18:210:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:18:210:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:18:210:31 | normalizedPath | -| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:18:210:31 | normalizedPath | +| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | +| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | +| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | +| normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:174:7:174:27 | path | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:205:21:205:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:208:21:208:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | +| normalizedPaths.js:201:7:201:49 | normalizedPath | normalizedPaths.js:210:21:210:34 | normalizedPath | | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | normalizedPaths.js:201:7:201:49 | normalizedPath | | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | normalizedPaths.js:201:7:201:49 | normalizedPath | | normalizedPaths.js:201:24:201:49 | pathMod ... e(path) | normalizedPaths.js:201:7:201:49 | normalizedPath | @@ -4023,10 +2851,18 @@ edges | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | -| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:18:222:21 | path | -| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:18:222:21 | path | -| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:18:222:21 | path | -| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:18:222:21 | path | +| normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | +| normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | +| normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | +| normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:214:14:214:49 | pathMod ... y.path) | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | +| normalizedPaths.js:219:3:219:33 | path | normalizedPaths.js:222:21:222:24 | path | | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | normalizedPaths.js:219:3:219:33 | path | | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | normalizedPaths.js:219:3:219:33 | path | | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | normalizedPaths.js:219:3:219:33 | path | @@ -4035,381 +2871,114 @@ edges | normalizedPaths.js:219:29:219:32 | path | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | | normalizedPaths.js:219:29:219:32 | path | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | | normalizedPaths.js:219:29:219:32 | path | normalizedPaths.js:219:10:219:33 | decodeU ... t(path) | -| normalizedPaths.js:226:7:226:70 | path | normalizedPaths.js:228:18:228:21 | path | -| normalizedPaths.js:226:7:226:70 | path | normalizedPaths.js:228:18:228:21 | path | +| normalizedPaths.js:226:7:226:70 | path | normalizedPaths.js:228:21:228:24 | path | +| normalizedPaths.js:226:7:226:70 | path | normalizedPaths.js:228:21:228:24 | path | +| normalizedPaths.js:226:7:226:70 | path | normalizedPaths.js:228:21:228:24 | path | +| normalizedPaths.js:226:7:226:70 | path | normalizedPaths.js:228:21:228:24 | path | | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | | normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | normalizedPaths.js:226:7:226:70 | path | | normalizedPaths.js:226:14:226:70 | pathMod ... g, ' ') | normalizedPaths.js:226:7:226:70 | path | | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | +| normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | +| normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:226:14:226:49 | pathMod ... y.path) | +| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | +| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | +| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | #select | TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on $@. | TaintedPath-es6.js:7:20:7:26 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:23:33:23:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:23:33:23:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:27:33:27:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:33:27:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:35:31:35:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:35:31:35:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | -| TaintedPath.js:39:31:39:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:39:31:39:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value | | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:49:29:49:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:49:29:49:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:53:29:53:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:55:29:55:58 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:57:29:57:54 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:59:29:59:56 | pathMod ... , path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:59:29:59:56 | pathMod ... , path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:59:29:59:56 | pathMod ... , path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:59:29:59:56 | pathMod ... , path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:59:29:59:56 | pathMod ... , path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:59:29:59:56 | pathMod ... , path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:59:29:59:56 | pathMod ... , path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:59:29:59:56 | pathMod ... , path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:61:29:61:56 | pathMod ... ath, x) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value | -| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | This path depends on $@. | TaintedPath.js:102:30:102:31 | ev | a user-provided value | -| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | This path depends on $@. | TaintedPath.js:102:30:102:31 | ev | a user-provided value | -| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | This path depends on $@. | TaintedPath.js:102:30:102:31 | ev | a user-provided value | | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | This path depends on $@. | TaintedPath.js:102:30:102:31 | ev | a user-provided value | | TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | -| TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value | | TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | -| TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | | TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value | | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value | -| TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value | -| TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value | -| TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value | -| TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | -| TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | -| TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | | TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | -| TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | -| TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | -| TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value | -| normalizedPaths.js:13:16:13:19 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:16:13:19 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:13:16:13:19 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:16:13:19 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:13:16:13:19 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:16:13:19 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:13:16:13:19 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:16:13:19 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:14:16:14:26 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:16:14:26 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:14:16:14:26 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:16:14:26 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:14:16:14:26 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:16:14:26 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:15:16:15:35 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:16:15:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:16:16:16:50 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:16:16:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:17:16:17:54 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:16:17:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | -| normalizedPaths.js:23:16:23:19 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:16:23:19 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:23:16:23:19 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:16:23:19 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:23:16:23:19 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:16:23:19 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:23:16:23:19 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:16:23:19 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:24:16:24:26 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:16:24:26 | './' + path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:24:16:24:26 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:16:24:26 | './' + path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:25:16:25:35 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:16:25:35 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:26:16:26:50 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:16:26:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:27:16:27:54 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:16:27:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:27:16:27:54 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:16:27:54 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | -| normalizedPaths.js:36:16:36:19 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:16:36:19 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value | -| normalizedPaths.js:36:16:36:19 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:16:36:19 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value | -| normalizedPaths.js:41:18:41:21 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:18:41:21 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value | -| normalizedPaths.js:41:18:41:21 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:18:41:21 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value | -| normalizedPaths.js:59:16:59:19 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:16:59:19 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | -| normalizedPaths.js:59:16:59:19 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:16:59:19 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | -| normalizedPaths.js:63:16:63:35 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:16:63:35 | path + "/index.html" | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | -| normalizedPaths.js:63:16:63:35 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:16:63:35 | path + "/index.html" | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | -| normalizedPaths.js:68:18:68:21 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:18:68:21 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | -| normalizedPaths.js:68:18:68:21 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:18:68:21 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | -| normalizedPaths.js:78:19:78:22 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:19:78:22 | path | This path depends on $@. | normalizedPaths.js:73:42:73:55 | req.query.path | a user-provided value | -| normalizedPaths.js:78:19:78:22 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:19:78:22 | path | This path depends on $@. | normalizedPaths.js:73:42:73:55 | req.query.path | a user-provided value | -| normalizedPaths.js:78:19:78:22 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:19:78:22 | path | This path depends on $@. | normalizedPaths.js:73:42:73:55 | req.query.path | a user-provided value | -| normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value | +| normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | +| normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | +| normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | +| normalizedPaths.js:16:19:16:53 | pathMod ... .html') | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:16:19:16:53 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | +| normalizedPaths.js:17:19:17:57 | pathMod ... , path) | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:17:19:17:57 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value | +| normalizedPaths.js:23:19:23:22 | path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:23:19:23:22 | path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | +| normalizedPaths.js:24:19:24:29 | './' + path | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:24:19:24:29 | './' + path | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | +| normalizedPaths.js:25:19:25:38 | path + '/index.html' | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:25:19:25:38 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | +| normalizedPaths.js:26:19:26:53 | pathMod ... .html') | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:26:19:26:53 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | +| normalizedPaths.js:27:19:27:57 | pathMod ... , path) | normalizedPaths.js:21:35:21:48 | req.query.path | normalizedPaths.js:27:19:27:57 | pathMod ... , path) | This path depends on $@. | normalizedPaths.js:21:35:21:48 | req.query.path | a user-provided value | +| normalizedPaths.js:36:19:36:22 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:36:19:36:22 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value | +| normalizedPaths.js:41:21:41:24 | path | normalizedPaths.js:31:35:31:48 | req.query.path | normalizedPaths.js:41:21:41:24 | path | This path depends on $@. | normalizedPaths.js:31:35:31:48 | req.query.path | a user-provided value | +| normalizedPaths.js:59:19:59:22 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:59:19:59:22 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | +| normalizedPaths.js:63:19:63:38 | path + "/index.html" | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:63:19:63:38 | path + "/index.html" | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | +| normalizedPaths.js:68:21:68:24 | path | normalizedPaths.js:54:35:54:48 | req.query.path | normalizedPaths.js:68:21:68:24 | path | This path depends on $@. | normalizedPaths.js:54:35:54:48 | req.query.path | a user-provided value | +| normalizedPaths.js:78:22:78:25 | path | normalizedPaths.js:73:42:73:55 | req.query.path | normalizedPaths.js:78:22:78:25 | path | This path depends on $@. | normalizedPaths.js:73:42:73:55 | req.query.path | a user-provided value | | normalizedPaths.js:87:29:87:32 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:87:29:87:32 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value | | normalizedPaths.js:90:31:90:34 | path | normalizedPaths.js:82:14:82:27 | req.query.path | normalizedPaths.js:90:31:90:34 | path | This path depends on $@. | normalizedPaths.js:82:14:82:27 | req.query.path | a user-provided value | | normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on $@. | normalizedPaths.js:94:35:94:48 | req.query.path | a user-provided value | -| normalizedPaths.js:99:29:99:32 | path | normalizedPaths.js:94:35:94:48 | req.query.path | normalizedPaths.js:99:29:99:32 | path | This path depends on $@. | normalizedPaths.js:94:35:94:48 | req.query.path | a user-provided value | -| normalizedPaths.js:119:16:119:19 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:16:119:19 | path | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:119:16:119:19 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:16:119:19 | path | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:119:16:119:19 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:16:119:19 | path | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:119:16:119:19 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:16:119:19 | path | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:120:16:120:50 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:16:120:50 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | -| normalizedPaths.js:135:18:135:21 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:18:135:21 | path | This path depends on $@. | normalizedPaths.js:130:35:130:48 | req.query.path | a user-provided value | -| normalizedPaths.js:135:18:135:21 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:18:135:21 | path | This path depends on $@. | normalizedPaths.js:130:35:130:48 | req.query.path | a user-provided value | -| normalizedPaths.js:135:18:135:21 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:18:135:21 | path | This path depends on $@. | normalizedPaths.js:130:35:130:48 | req.query.path | a user-provided value | -| normalizedPaths.js:144:18:144:21 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:18:144:21 | path | This path depends on $@. | normalizedPaths.js:139:48:139:61 | req.query.path | a user-provided value | -| normalizedPaths.js:144:18:144:21 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:18:144:21 | path | This path depends on $@. | normalizedPaths.js:139:48:139:61 | req.query.path | a user-provided value | -| normalizedPaths.js:144:18:144:21 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:18:144:21 | path | This path depends on $@. | normalizedPaths.js:139:48:139:61 | req.query.path | a user-provided value | -| normalizedPaths.js:151:18:151:21 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:18:151:21 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value | -| normalizedPaths.js:151:18:151:21 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:18:151:21 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value | -| normalizedPaths.js:153:18:153:21 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:18:153:21 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value | -| normalizedPaths.js:153:18:153:21 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:18:153:21 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value | -| normalizedPaths.js:165:16:165:19 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:16:165:19 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value | -| normalizedPaths.js:165:16:165:19 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:16:165:19 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value | -| normalizedPaths.js:170:18:170:21 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:18:170:21 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value | -| normalizedPaths.js:170:18:170:21 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:18:170:21 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value | -| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:184:16:184:19 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:16:184:19 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:187:18:187:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:18:187:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:187:18:187:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:18:187:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:189:18:189:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:18:189:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:189:18:189:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:18:189:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:192:18:192:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:18:192:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:194:18:194:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:18:194:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:199:18:199:21 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:18:199:21 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:205:18:205:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:18:205:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:208:18:208:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:18:208:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:210:18:210:31 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:18:210:31 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | -| normalizedPaths.js:222:18:222:21 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:18:222:21 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value | -| normalizedPaths.js:222:18:222:21 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:18:222:21 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value | -| normalizedPaths.js:222:18:222:21 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:18:222:21 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value | -| normalizedPaths.js:222:18:222:21 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:18:222:21 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value | -| normalizedPaths.js:228:18:228:21 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:18:228:21 | path | This path depends on $@. | normalizedPaths.js:226:35:226:48 | req.query.path | a user-provided value | -| normalizedPaths.js:228:18:228:21 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:18:228:21 | path | This path depends on $@. | normalizedPaths.js:226:35:226:48 | req.query.path | a user-provided value | +| normalizedPaths.js:119:19:119:22 | path | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:119:19:119:22 | path | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | +| normalizedPaths.js:120:19:120:53 | pathMod ... .html') | normalizedPaths.js:117:30:117:43 | req.query.path | normalizedPaths.js:120:19:120:53 | pathMod ... .html') | This path depends on $@. | normalizedPaths.js:117:30:117:43 | req.query.path | a user-provided value | +| normalizedPaths.js:135:21:135:24 | path | normalizedPaths.js:130:35:130:48 | req.query.path | normalizedPaths.js:135:21:135:24 | path | This path depends on $@. | normalizedPaths.js:130:35:130:48 | req.query.path | a user-provided value | +| normalizedPaths.js:144:21:144:24 | path | normalizedPaths.js:139:48:139:61 | req.query.path | normalizedPaths.js:144:21:144:24 | path | This path depends on $@. | normalizedPaths.js:139:48:139:61 | req.query.path | a user-provided value | +| normalizedPaths.js:151:21:151:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:151:21:151:24 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value | +| normalizedPaths.js:153:21:153:24 | path | normalizedPaths.js:148:44:148:57 | req.query.path | normalizedPaths.js:153:21:153:24 | path | This path depends on $@. | normalizedPaths.js:148:44:148:57 | req.query.path | a user-provided value | +| normalizedPaths.js:165:19:165:22 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:165:19:165:22 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value | +| normalizedPaths.js:170:21:170:24 | path | normalizedPaths.js:160:35:160:48 | req.query.path | normalizedPaths.js:170:21:170:24 | path | This path depends on $@. | normalizedPaths.js:160:35:160:48 | req.query.path | a user-provided value | +| normalizedPaths.js:184:19:184:22 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:184:19:184:22 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:187:21:187:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:187:21:187:24 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:189:21:189:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:189:21:189:24 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:192:21:192:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:192:21:192:24 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:194:21:194:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:194:21:194:24 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:199:21:199:24 | path | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:199:21:199:24 | path | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:205:21:205:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:205:21:205:34 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:208:21:208:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:208:21:208:34 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:210:21:210:34 | normalizedPath | normalizedPaths.js:174:14:174:27 | req.query.path | normalizedPaths.js:210:21:210:34 | normalizedPath | This path depends on $@. | normalizedPaths.js:174:14:174:27 | req.query.path | a user-provided value | +| normalizedPaths.js:222:21:222:24 | path | normalizedPaths.js:214:35:214:48 | req.query.path | normalizedPaths.js:222:21:222:24 | path | This path depends on $@. | normalizedPaths.js:214:35:214:48 | req.query.path | a user-provided value | +| normalizedPaths.js:228:21:228:24 | path | normalizedPaths.js:226:35:226:48 | req.query.path | normalizedPaths.js:228:21:228:24 | path | This path depends on $@. | normalizedPaths.js:226:35:226:48 | req.query.path | a user-provided value | | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:9:16:9:33 | req.param("gimme") | a user-provided value | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:17:43:17:58 | req.param("dir") | a user-provided value | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:17:43:17:58 | req.param("dir") | a user-provided value | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:17:43:17:58 | req.param("dir") | a user-provided value | -| tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | tainted-sendFile.js:17:43:17:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:17:43:17:58 | req.param("dir") | a user-provided value | -| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value | -| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value | -| views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value | +| tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value | +| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value | +| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | a user-provided value | +| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | This path depends on $@. | tainted-sendFile.js:24:37:24:48 | req.params.x | a user-provided value | +| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | This path depends on $@. | tainted-sendFile.js:25:34:25:45 | req.params.x | a user-provided value | | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on $@. | views.js:1:43:1:55 | req.params[0] | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index aa323632ec8..cc55a3422dc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js @@ -10,21 +10,21 @@ let app = express(); app.get('/basic', (req, res) => { let path = req.query.path; - res.sendFile(path); // NOT OK - res.sendFile('./' + path); // NOT OK - res.sendFile(path + '/index.html'); // NOT OK - res.sendFile(pathModule.join(path, 'index.html')); // NOT OK - res.sendFile(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // NOT OK + fs.readFileSync('./' + path); // NOT OK + fs.readFileSync(path + '/index.html'); // NOT OK + fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK }); app.get('/normalize', (req, res) => { let path = pathModule.normalize(req.query.path); - res.sendFile(path); // NOT OK - res.sendFile('./' + path); // NOT OK - res.sendFile(path + '/index.html'); // NOT OK - res.sendFile(pathModule.join(path, 'index.html')); // NOT OK - res.sendFile(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // NOT OK + fs.readFileSync('./' + path); // NOT OK + fs.readFileSync(path + '/index.html'); // NOT OK + fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK }); app.get('/normalize-notAbsolute', (req, res) => { @@ -33,21 +33,21 @@ app.get('/normalize-notAbsolute', (req, res) => { if (pathModule.isAbsolute(path)) return; - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK if (!path.startsWith(".")) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK - wrong polarity + fs.readFileSync(path); // NOT OK - wrong polarity if (!path.startsWith("..")) - res.sendFile(path); // OK + fs.readFileSync(path); // OK if (!path.startsWith("../")) - res.sendFile(path); // OK + fs.readFileSync(path); // OK if (!path.startsWith(".." + pathModule.sep)) - res.sendFile(path); // OK + fs.readFileSync(path); // OK }); app.get('/normalize-noInitialDotDot', (req, res) => { @@ -56,16 +56,16 @@ app.get('/normalize-noInitialDotDot', (req, res) => { if (path.startsWith("..")) return; - res.sendFile(path); // NOT OK - could be absolute + fs.readFileSync(path); // NOT OK - could be absolute - res.sendFile("./" + path); // OK - coerced to relative + fs.readFileSync("./" + path); // OK - coerced to relative - res.sendFile(path + "/index.html"); // NOT OK - not coerced + fs.readFileSync(path + "/index.html"); // NOT OK - not coerced if (!pathModule.isAbsolute(path)) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK }); app.get('/prepend-normalize', (req, res) => { @@ -73,9 +73,9 @@ app.get('/prepend-normalize', (req, res) => { let path = pathModule.normalize('./' + req.query.path); if (!path.startsWith("..")) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK }); app.get('/absolute', (req, res) => { @@ -107,53 +107,53 @@ app.get('/combined-check', (req, res) => { // Combined absoluteness and folder check in one startsWith call if (path.startsWith("/home/user/www")) - res.sendFile(path); // OK + fs.readFileSync(path); // OK if (path[0] !== "/" && path[0] !== ".") - res.sendFile(path); // OK + fs.readFileSync(path); // OK }); app.get('/realpath', (req, res) => { let path = fs.realpathSync(req.query.path); - res.sendFile(path); // NOT OK - res.sendFile(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(path); // NOT OK + fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK if (path.startsWith("/home/user/www")) - res.sendFile(path); // OK - both absolute and normalized before check + fs.readFileSync(path); // OK - both absolute and normalized before check - res.sendFile(pathModule.join('.', path)); // OK - normalized and coerced to relative - res.sendFile(pathModule.join('/home/user/www', path)); // OK + fs.readFileSync(pathModule.join('.', path)); // OK - normalized and coerced to relative + fs.readFileSync(pathModule.join('/home/user/www', path)); // OK }); app.get('/coerce-relative', (req, res) => { let path = pathModule.join('.', req.query.path); if (!path.startsWith('..')) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK }); app.get('/coerce-absolute', (req, res) => { let path = pathModule.join('/home/user/www', req.query.path); if (path.startsWith('/home/user/www')) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK }); app.get('/concat-after-normalization', (req, res) => { let path = 'foo/' + pathModule.normalize(req.query.path); if (!path.startsWith('..')) - res.sendFile(path); // NOT OK - prefixing foo/ invalidates check + fs.readFileSync(path); // NOT OK - prefixing foo/ invalidates check else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK if (!path.includes('..')) - res.sendFile(path); // OK + fs.readFileSync(path); // OK }); app.get('/noDotDot', (req, res) => { @@ -162,12 +162,12 @@ app.get('/noDotDot', (req, res) => { if (path.includes('..')) return; - res.sendFile(path); // NOT OK - can still be absolute + fs.readFileSync(path); // NOT OK - can still be absolute if (!pathModule.isAbsolute(path)) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK }); app.get('/join-regression', (req, res) => { @@ -181,53 +181,53 @@ app.get('/join-regression', (req, res) => { if (path.startsWith('/x')) {path;} else {path;} if (path.startsWith('.')) {path;} else {path;} - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK if (pathModule.isAbsolute(path)) - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK if (path.includes('..')) - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK if (!path.includes('..') && !pathModule.isAbsolute(path)) - res.sendFile(path); // OK + fs.readFileSync(path); // OK else - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK let normalizedPath = pathModule.normalize(path); if (normalizedPath.startsWith('/home/user/www')) - res.sendFile(normalizedPath); // OK + fs.readFileSync(normalizedPath); // OK else - res.sendFile(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // NOT OK if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')) - res.sendFile(normalizedPath); // OK - but flagged anyway + fs.readFileSync(normalizedPath); // OK - but flagged anyway else - res.sendFile(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // NOT OK }); app.get('/decode-after-normalization', (req, res) => { let path = pathModule.normalize(req.query.path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - res.sendFile(path); // OK + fs.readFileSync(path); // OK path = decodeURIComponent(path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - res.sendFile(path); // NOT OK - not normalized + fs.readFileSync(path); // NOT OK - not normalized }); app.get('/replace', (req, res) => { let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); if (!pathModule.isAbsolute(path)) { - res.sendFile(path); // NOT OK + fs.readFileSync(path); // NOT OK path = path.replace(/\.\./g, ''); - res.sendFile(path); // OK + fs.readFileSync(path); // OK } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index 21f385f44ad..50e4152e5bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js @@ -1,8 +1,9 @@ var express = require('express'); +let path = require('path'); var app = express(); -app.get('/some/path', function(req, res) { +app.get('/some/path/:x', function(req, res) { // BAD: sending a file based on un-sanitized query parameters res.sendFile(req.param("gimme")); // BAD: same as above @@ -15,4 +16,13 @@ app.get('/some/path', function(req, res) { // BAD: doesn't help if user controls root res.sendFile(req.param("file"), { root: req.param("dir") }); + + let homeDir = path.resolve('.'); + res.sendFile(homeDir + '/data/' + req.params.x); // OK: sendFile disallows ../ + res.sendfile('data/' + req.params.x); // OK: sendfile disallows ../ + + res.sendFile(path.resolve('data', req.params.x)); // NOT OK + res.sendfile(path.join('data', req.params.x)); // NOT OK + + res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected index f9415bcd8ac..3bcb0a5c135 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected @@ -1,23 +1,41 @@ nodes | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | +| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | +| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | +| TarSlipBad.js:6:36:6:46 | header.name | +| TarSlipBad.js:6:36:6:46 | header.name | | TarSlipBad.js:6:36:6:46 | header.name | | ZipSlipBad2.js:5:9:5:46 | fileName | | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | | ZipSlipBad2.js:5:37:5:46 | entry.path | +| ZipSlipBad2.js:5:37:5:46 | entry.path | +| ZipSlipBad2.js:6:22:6:29 | fileName | | ZipSlipBad2.js:6:22:6:29 | fileName | | ZipSlipBad.js:7:11:7:31 | fileName | | ZipSlipBad.js:7:22:7:31 | entry.path | +| ZipSlipBad.js:7:22:7:31 | entry.path | +| ZipSlipBad.js:8:37:8:44 | fileName | | ZipSlipBad.js:8:37:8:44 | fileName | | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | +| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | +| ZipSlipBadUnzipper.js:8:37:8:44 | fileName | | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | edges +| AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | +| TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | +| ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName | | ZipSlipBad2.js:5:9:5:46 | fileName | ZipSlipBad2.js:6:22:6:29 | fileName | | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | ZipSlipBad2.js:5:9:5:46 | fileName | | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | +| ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path | +| ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName | | ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName | | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName | +| ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName | | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | +| ZipSlipBadUnzipper.js:7:9:7:29 | fileName | ZipSlipBadUnzipper.js:8:37:8:44 | fileName | +| ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | | ZipSlipBadUnzipper.js:7:20:7:29 | entry.path | ZipSlipBadUnzipper.js:7:9:7:29 | fileName | #select | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | AdmZipBad.js:6:24:6:41 | zipEntry.entryName | item path | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected index 8b058d2e799..abfab9e262d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected @@ -4,38 +4,30 @@ nodes | child_process-test.js:6:15:6:44 | url.par ... ).query | | child_process-test.js:6:15:6:49 | url.par ... ry.path | | child_process-test.js:6:25:6:31 | req.url | +| child_process-test.js:6:25:6:31 | req.url | +| child_process-test.js:17:13:17:15 | cmd | | child_process-test.js:17:13:17:15 | cmd | | child_process-test.js:18:17:18:19 | cmd | +| child_process-test.js:18:17:18:19 | cmd | +| child_process-test.js:19:17:19:19 | cmd | | child_process-test.js:19:17:19:19 | cmd | | child_process-test.js:20:21:20:23 | cmd | +| child_process-test.js:20:21:20:23 | cmd | +| child_process-test.js:21:14:21:16 | cmd | | child_process-test.js:21:14:21:16 | cmd | | child_process-test.js:22:18:22:20 | cmd | +| child_process-test.js:22:18:22:20 | cmd | +| child_process-test.js:23:13:23:15 | cmd | | child_process-test.js:23:13:23:15 | cmd | | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | +| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | | child_process-test.js:25:21:25:23 | cmd | -| child_process-test.js:36:7:36:20 | sh | -| child_process-test.js:36:12:36:20 | 'cmd.exe' | -| child_process-test.js:38:7:38:20 | sh | -| child_process-test.js:38:12:38:20 | '/bin/sh' | -| child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:39:18:39:30 | [ flag, cmd ] | | child_process-test.js:39:26:39:28 | cmd | -| child_process-test.js:41:9:41:17 | args | -| child_process-test.js:41:16:41:17 | [] | +| child_process-test.js:39:26:39:28 | cmd | +| child_process-test.js:43:15:43:17 | cmd | | child_process-test.js:43:15:43:17 | cmd | -| child_process-test.js:44:17:44:27 | "/bin/bash" | -| child_process-test.js:44:30:44:33 | args | -| child_process-test.js:46:9:46:12 | "sh" | -| child_process-test.js:46:15:46:18 | args | -| child_process-test.js:48:9:48:17 | args | -| child_process-test.js:48:16:48:17 | [] | | child_process-test.js:50:15:50:17 | cmd | -| child_process-test.js:51:17:51:32 | `/bin` + "/bash" | -| child_process-test.js:51:35:51:38 | args | -| child_process-test.js:55:14:55:16 | cmd | -| child_process-test.js:55:19:55:22 | args | -| child_process-test.js:56:12:56:14 | cmd | -| child_process-test.js:56:17:56:20 | args | +| child_process-test.js:50:15:50:17 | cmd | | execSeries.js:3:20:3:22 | arr | | execSeries.js:6:14:6:16 | arr | | execSeries.js:6:14:6:21 | arr[i++] | @@ -43,11 +35,13 @@ nodes | execSeries.js:14:13:14:20 | commands | | execSeries.js:14:24:14:30 | command | | execSeries.js:14:41:14:47 | command | +| execSeries.js:14:41:14:47 | command | | execSeries.js:18:7:18:58 | cmd | | execSeries.js:18:13:18:47 | require ... , true) | | execSeries.js:18:13:18:53 | require ... ).query | | execSeries.js:18:13:18:58 | require ... ry.path | | execSeries.js:18:34:18:40 | req.url | +| execSeries.js:18:34:18:40 | req.url | | execSeries.js:19:12:19:16 | [cmd] | | execSeries.js:19:13:19:15 | cmd | | other.js:5:9:5:49 | cmd | @@ -55,88 +49,112 @@ nodes | other.js:5:15:5:44 | url.par ... ).query | | other.js:5:15:5:49 | url.par ... ry.path | | other.js:5:25:5:31 | req.url | +| other.js:5:25:5:31 | req.url | +| other.js:7:33:7:35 | cmd | | other.js:7:33:7:35 | cmd | | other.js:8:28:8:30 | cmd | +| other.js:8:28:8:30 | cmd | +| other.js:9:32:9:34 | cmd | | other.js:9:32:9:34 | cmd | | other.js:10:29:10:31 | cmd | +| other.js:10:29:10:31 | cmd | +| other.js:11:29:11:31 | cmd | | other.js:11:29:11:31 | cmd | | other.js:12:27:12:29 | cmd | +| other.js:12:27:12:29 | cmd | +| other.js:14:28:14:30 | cmd | | other.js:14:28:14:30 | cmd | | other.js:15:34:15:36 | cmd | +| other.js:15:34:15:36 | cmd | +| other.js:16:21:16:23 | cmd | | other.js:16:21:16:23 | cmd | | other.js:17:27:17:29 | cmd | +| other.js:17:27:17:29 | cmd | +| other.js:18:22:18:24 | cmd | | other.js:18:22:18:24 | cmd | | other.js:19:36:19:38 | cmd | +| other.js:19:36:19:38 | cmd | +| third-party-command-injection.js:5:20:5:26 | command | | third-party-command-injection.js:5:20:5:26 | command | | third-party-command-injection.js:6:21:6:27 | command | -| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] | +| third-party-command-injection.js:6:21:6:27 | command | edges | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:19:17:19:19 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:19:17:19:19 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:20:21:20:23 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:20:21:20:23 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:21:14:21:16 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:21:14:21:16 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:22:18:22:20 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:22:18:22:20 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:23:13:23:15 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:23:13:23:15 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:25:21:25:23 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:39:26:39:28 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:39:26:39:28 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:43:15:43:17 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:43:15:43:17 | cmd | +| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:50:15:50:17 | cmd | | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:50:15:50:17 | cmd | | child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query | | child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path | | child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd | | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) | -| child_process-test.js:25:13:25:23 | "foo" + cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | -| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:23 | "foo" + cmd | +| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) | +| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | | child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | -| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:5:39:5 | sh | -| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh | -| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:5:39:5 | sh | -| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh | -| child_process-test.js:39:5:39:5 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args | -| child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args | -| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args | -| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd | -| child_process-test.js:46:15:46:18 | args | child_process-test.js:55:19:55:22 | args | -| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args | -| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args | -| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd | -| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args | -| execSeries.js:3:20:3:22 | arr | execSeries.js:5:4:5:3 | arr | | execSeries.js:3:20:3:22 | arr | execSeries.js:6:14:6:16 | arr | -| execSeries.js:5:4:5:3 | arr | execSeries.js:6:14:6:16 | arr | | execSeries.js:6:14:6:16 | arr | execSeries.js:6:14:6:21 | arr[i++] | | execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command | | execSeries.js:13:19:13:26 | commands | execSeries.js:14:13:14:20 | commands | | execSeries.js:14:13:14:20 | commands | execSeries.js:3:20:3:22 | arr | | execSeries.js:14:13:14:20 | commands | execSeries.js:14:24:14:30 | command | | execSeries.js:14:24:14:30 | command | execSeries.js:14:41:14:47 | command | +| execSeries.js:14:24:14:30 | command | execSeries.js:14:41:14:47 | command | | execSeries.js:18:7:18:58 | cmd | execSeries.js:19:13:19:15 | cmd | | execSeries.js:18:13:18:47 | require ... , true) | execSeries.js:18:13:18:53 | require ... ).query | | execSeries.js:18:13:18:53 | require ... ).query | execSeries.js:18:13:18:58 | require ... ry.path | | execSeries.js:18:13:18:58 | require ... ry.path | execSeries.js:18:7:18:58 | cmd | | execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) | +| execSeries.js:18:34:18:40 | req.url | execSeries.js:18:13:18:47 | require ... , true) | | execSeries.js:19:12:19:16 | [cmd] | execSeries.js:13:19:13:26 | commands | | execSeries.js:19:13:19:15 | cmd | execSeries.js:19:12:19:16 | [cmd] | | other.js:5:9:5:49 | cmd | other.js:7:33:7:35 | cmd | +| other.js:5:9:5:49 | cmd | other.js:7:33:7:35 | cmd | +| other.js:5:9:5:49 | cmd | other.js:8:28:8:30 | cmd | | other.js:5:9:5:49 | cmd | other.js:8:28:8:30 | cmd | | other.js:5:9:5:49 | cmd | other.js:9:32:9:34 | cmd | +| other.js:5:9:5:49 | cmd | other.js:9:32:9:34 | cmd | +| other.js:5:9:5:49 | cmd | other.js:10:29:10:31 | cmd | | other.js:5:9:5:49 | cmd | other.js:10:29:10:31 | cmd | | other.js:5:9:5:49 | cmd | other.js:11:29:11:31 | cmd | +| other.js:5:9:5:49 | cmd | other.js:11:29:11:31 | cmd | +| other.js:5:9:5:49 | cmd | other.js:12:27:12:29 | cmd | | other.js:5:9:5:49 | cmd | other.js:12:27:12:29 | cmd | | other.js:5:9:5:49 | cmd | other.js:14:28:14:30 | cmd | +| other.js:5:9:5:49 | cmd | other.js:14:28:14:30 | cmd | +| other.js:5:9:5:49 | cmd | other.js:15:34:15:36 | cmd | | other.js:5:9:5:49 | cmd | other.js:15:34:15:36 | cmd | | other.js:5:9:5:49 | cmd | other.js:16:21:16:23 | cmd | +| other.js:5:9:5:49 | cmd | other.js:16:21:16:23 | cmd | +| other.js:5:9:5:49 | cmd | other.js:17:27:17:29 | cmd | | other.js:5:9:5:49 | cmd | other.js:17:27:17:29 | cmd | | other.js:5:9:5:49 | cmd | other.js:18:22:18:24 | cmd | +| other.js:5:9:5:49 | cmd | other.js:18:22:18:24 | cmd | +| other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd | | other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd | | other.js:5:15:5:38 | url.par ... , true) | other.js:5:15:5:44 | url.par ... ).query | | other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path | | other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd | | other.js:5:25:5:31 | req.url | other.js:5:15:5:38 | url.par ... , true) | +| other.js:5:25:5:31 | req.url | other.js:5:15:5:38 | url.par ... , true) | +| third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | +| third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | +| third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | #select | child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected index bd142297996..9377069360e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected @@ -1,33 +1,20 @@ nodes -| child_process-test.js:36:7:36:20 | sh | -| child_process-test.js:36:12:36:20 | 'cmd.exe' | -| child_process-test.js:38:7:38:20 | sh | -| child_process-test.js:38:12:38:20 | '/bin/sh' | -| child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:39:18:39:30 | [ flag, cmd ] | -| child_process-test.js:41:9:41:17 | args | -| child_process-test.js:41:16:41:17 | [] | -| child_process-test.js:44:17:44:27 | "/bin/bash" | -| child_process-test.js:44:30:44:33 | args | -| child_process-test.js:46:9:46:12 | "sh" | -| child_process-test.js:46:15:46:18 | args | -| child_process-test.js:48:9:48:17 | args | -| child_process-test.js:48:16:48:17 | [] | -| child_process-test.js:51:17:51:32 | `/bin` + "/bash" | -| child_process-test.js:51:35:51:38 | args | -| child_process-test.js:55:14:55:16 | cmd | -| child_process-test.js:55:19:55:22 | args | -| child_process-test.js:56:12:56:14 | cmd | -| child_process-test.js:56:17:56:20 | args | +| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | +| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | +| command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | +| command-line-parameter-command-injection.js:8:22:8:33 | process.argv | | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | | command-line-parameter-command-injection.js:10:6:10:33 | args | | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | +| command-line-parameter-command-injection.js:10:13:10:24 | process.argv | | command-line-parameter-command-injection.js:10:13:10:33 | process ... lice(2) | | command-line-parameter-command-injection.js:11:14:11:17 | args | | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | +| command-line-parameter-command-injection.js:11:14:11:20 | args[0] | +| command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | | command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | | command-line-parameter-command-injection.js:12:26:12:29 | args | | command-line-parameter-command-injection.js:12:26:12:32 | args[0] | @@ -36,6 +23,8 @@ nodes | command-line-parameter-command-injection.js:14:18:14:30 | args.slice(1) | | command-line-parameter-command-injection.js:15:14:15:22 | fewerArgs | | command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | +| command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | +| command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | | command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | | command-line-parameter-command-injection.js:16:26:16:34 | fewerArgs | | command-line-parameter-command-injection.js:16:26:16:37 | fewerArgs[0] | @@ -43,66 +32,67 @@ nodes | command-line-parameter-command-injection.js:18:13:18:21 | fewerArgs | | command-line-parameter-command-injection.js:18:13:18:24 | fewerArgs[0] | | command-line-parameter-command-injection.js:19:14:19:17 | arg0 | +| command-line-parameter-command-injection.js:19:14:19:17 | arg0 | +| command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | | command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | | command-line-parameter-command-injection.js:20:26:20:29 | arg0 | | command-line-parameter-command-injection.js:24:8:24:35 | args | | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | +| command-line-parameter-command-injection.js:24:15:24:26 | process.argv | | command-line-parameter-command-injection.js:24:15:24:35 | process ... lice(2) | | command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | +| command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | | command-line-parameter-command-injection.js:26:32:26:35 | args | | command-line-parameter-command-injection.js:26:32:26:38 | args[0] | | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | +| command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | | command-line-parameter-command-injection.js:27:32:27:35 | args | | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') | -| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] | edges -| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:5:39:5 | sh | -| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh | -| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:5:39:5 | sh | -| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh | -| child_process-test.js:39:5:39:5 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args | -| child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args | -| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args | -| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd | -| child_process-test.js:46:15:46:18 | args | child_process-test.js:55:19:55:22 | args | -| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args | -| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args | -| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd | -| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args | +| command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | +| command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | +| command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | | command-line-parameter-command-injection.js:10:6:10:33 | args | command-line-parameter-command-injection.js:11:14:11:17 | args | | command-line-parameter-command-injection.js:10:6:10:33 | args | command-line-parameter-command-injection.js:12:26:12:29 | args | | command-line-parameter-command-injection.js:10:6:10:33 | args | command-line-parameter-command-injection.js:14:18:14:21 | args | | command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:10:13:10:33 | process ... lice(2) | +| command-line-parameter-command-injection.js:10:13:10:24 | process.argv | command-line-parameter-command-injection.js:10:13:10:33 | process ... lice(2) | | command-line-parameter-command-injection.js:10:13:10:33 | process ... lice(2) | command-line-parameter-command-injection.js:10:6:10:33 | args | | command-line-parameter-command-injection.js:11:14:11:17 | args | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | +| command-line-parameter-command-injection.js:11:14:11:17 | args | command-line-parameter-command-injection.js:11:14:11:20 | args[0] | | command-line-parameter-command-injection.js:12:26:12:29 | args | command-line-parameter-command-injection.js:12:26:12:32 | args[0] | | command-line-parameter-command-injection.js:12:26:12:32 | args[0] | command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | +| command-line-parameter-command-injection.js:12:26:12:32 | args[0] | command-line-parameter-command-injection.js:12:14:12:32 | "cmd.sh " + args[0] | | command-line-parameter-command-injection.js:14:6:14:30 | fewerArgs | command-line-parameter-command-injection.js:15:14:15:22 | fewerArgs | | command-line-parameter-command-injection.js:14:6:14:30 | fewerArgs | command-line-parameter-command-injection.js:16:26:16:34 | fewerArgs | | command-line-parameter-command-injection.js:14:6:14:30 | fewerArgs | command-line-parameter-command-injection.js:18:13:18:21 | fewerArgs | | command-line-parameter-command-injection.js:14:18:14:21 | args | command-line-parameter-command-injection.js:14:18:14:30 | args.slice(1) | | command-line-parameter-command-injection.js:14:18:14:30 | args.slice(1) | command-line-parameter-command-injection.js:14:6:14:30 | fewerArgs | | command-line-parameter-command-injection.js:15:14:15:22 | fewerArgs | command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | +| command-line-parameter-command-injection.js:15:14:15:22 | fewerArgs | command-line-parameter-command-injection.js:15:14:15:25 | fewerArgs[0] | | command-line-parameter-command-injection.js:16:26:16:34 | fewerArgs | command-line-parameter-command-injection.js:16:26:16:37 | fewerArgs[0] | | command-line-parameter-command-injection.js:16:26:16:37 | fewerArgs[0] | command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | +| command-line-parameter-command-injection.js:16:26:16:37 | fewerArgs[0] | command-line-parameter-command-injection.js:16:14:16:37 | "cmd.sh ... Args[0] | +| command-line-parameter-command-injection.js:18:6:18:24 | arg0 | command-line-parameter-command-injection.js:19:14:19:17 | arg0 | | command-line-parameter-command-injection.js:18:6:18:24 | arg0 | command-line-parameter-command-injection.js:19:14:19:17 | arg0 | | command-line-parameter-command-injection.js:18:6:18:24 | arg0 | command-line-parameter-command-injection.js:20:26:20:29 | arg0 | | command-line-parameter-command-injection.js:18:13:18:21 | fewerArgs | command-line-parameter-command-injection.js:18:13:18:24 | fewerArgs[0] | | command-line-parameter-command-injection.js:18:13:18:24 | fewerArgs[0] | command-line-parameter-command-injection.js:18:6:18:24 | arg0 | | command-line-parameter-command-injection.js:20:26:20:29 | arg0 | command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | +| command-line-parameter-command-injection.js:20:26:20:29 | arg0 | command-line-parameter-command-injection.js:20:14:20:29 | "cmd.sh " + arg0 | | command-line-parameter-command-injection.js:24:8:24:35 | args | command-line-parameter-command-injection.js:26:32:26:35 | args | | command-line-parameter-command-injection.js:24:8:24:35 | args | command-line-parameter-command-injection.js:27:32:27:35 | args | | command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:24:15:24:35 | process ... lice(2) | +| command-line-parameter-command-injection.js:24:15:24:26 | process.argv | command-line-parameter-command-injection.js:24:15:24:35 | process ... lice(2) | | command-line-parameter-command-injection.js:24:15:24:35 | process ... lice(2) | command-line-parameter-command-injection.js:24:8:24:35 | args | | command-line-parameter-command-injection.js:26:32:26:35 | args | command-line-parameter-command-injection.js:26:32:26:38 | args[0] | | command-line-parameter-command-injection.js:26:32:26:38 | args[0] | command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | +| command-line-parameter-command-injection.js:26:32:26:38 | args[0] | command-line-parameter-command-injection.js:26:14:26:50 | `node $ ... ption"` | | command-line-parameter-command-injection.js:27:32:27:35 | args | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') | | command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | +| command-line-parameter-command-injection.js:27:32:27:45 | args.join(' ') | command-line-parameter-command-injection.js:27:14:27:57 | `node $ ... ption"` | #select | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument | | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected index 9015113f9fb..ec3e7c99ecb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment.expected @@ -1,46 +1,13 @@ nodes -| child_process-test.js:36:7:36:20 | sh | -| child_process-test.js:36:12:36:20 | 'cmd.exe' | -| child_process-test.js:38:7:38:20 | sh | -| child_process-test.js:38:12:38:20 | '/bin/sh' | -| child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:39:18:39:30 | [ flag, cmd ] | -| child_process-test.js:41:9:41:17 | args | -| child_process-test.js:41:16:41:17 | [] | -| child_process-test.js:44:17:44:27 | "/bin/bash" | -| child_process-test.js:44:30:44:33 | args | -| child_process-test.js:46:9:46:12 | "sh" | -| child_process-test.js:46:15:46:18 | args | -| child_process-test.js:48:9:48:17 | args | -| child_process-test.js:48:16:48:17 | [] | -| child_process-test.js:51:17:51:32 | `/bin` + "/bash" | -| child_process-test.js:51:35:51:38 | args | -| child_process-test.js:55:14:55:16 | cmd | -| child_process-test.js:55:19:55:22 | args | -| child_process-test.js:56:12:56:14 | cmd | -| child_process-test.js:56:17:56:20 | args | -| tst_shell-command-injection-from-environment.js:4:25:4:61 | ['-rf', ... temp")] | +| tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | | tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | | tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | +| tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | edges -| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:5:39:5 | sh | -| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh | -| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:5:39:5 | sh | -| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh | -| child_process-test.js:39:5:39:5 | sh | child_process-test.js:39:14:39:15 | sh | -| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args | -| child_process-test.js:41:9:41:17 | args | child_process-test.js:46:15:46:18 | args | -| child_process-test.js:41:16:41:17 | [] | child_process-test.js:41:9:41:17 | args | -| child_process-test.js:46:9:46:12 | "sh" | child_process-test.js:55:14:55:16 | cmd | -| child_process-test.js:46:15:46:18 | args | child_process-test.js:55:19:55:22 | args | -| child_process-test.js:48:9:48:17 | args | child_process-test.js:51:35:51:38 | args | -| child_process-test.js:48:16:48:17 | [] | child_process-test.js:48:9:48:17 | args | -| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd | -| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args | | tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | +| tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | +| tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | | tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | tst_shell-command-injection-from-environment.js:5:26:5:53 | path.jo ... "temp") | #select | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | tst_shell-command-injection-from-environment.js:5:14:5:53 | 'rm -rf ... "temp") | This shell command depends on an uncontrolled $@. | tst_shell-command-injection-from-environment.js:5:36:5:44 | __dirname | absolute path | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected index 7ba39b3f4a9..bcf54b75580 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected @@ -1,88 +1,132 @@ nodes | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | +| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | +| ReflectedXss.js:8:33:8:45 | req.params.id | | ReflectedXss.js:8:33:8:45 | req.params.id | | etherpad.js:9:5:9:53 | response | | etherpad.js:9:16:9:30 | req.query.jsonp | +| etherpad.js:9:16:9:30 | req.query.jsonp | | etherpad.js:9:16:9:53 | req.que ... e + ")" | | etherpad.js:11:12:11:19 | response | +| etherpad.js:11:12:11:19 | response | | formatting.js:4:9:4:29 | evil | | formatting.js:4:16:4:29 | req.query.evil | +| formatting.js:4:16:4:29 | req.query.evil | +| formatting.js:6:14:6:47 | util.fo ... , evil) | | formatting.js:6:14:6:47 | util.fo ... , evil) | | formatting.js:6:43:6:46 | evil | | formatting.js:7:14:7:53 | require ... , evil) | +| formatting.js:7:14:7:53 | require ... , evil) | | formatting.js:7:49:7:52 | evil | | partial.js:9:25:9:25 | x | | partial.js:10:14:10:14 | x | | partial.js:10:14:10:18 | x + y | +| partial.js:10:14:10:18 | x + y | +| partial.js:13:42:13:48 | req.url | | partial.js:13:42:13:48 | req.url | | partial.js:18:25:18:25 | x | | partial.js:19:14:19:14 | x | | partial.js:19:14:19:18 | x + y | +| partial.js:19:14:19:18 | x + y | +| partial.js:22:51:22:57 | req.url | | partial.js:22:51:22:57 | req.url | | partial.js:27:25:27:25 | x | | partial.js:28:14:28:14 | x | | partial.js:28:14:28:18 | x + y | +| partial.js:28:14:28:18 | x + y | +| partial.js:31:47:31:53 | req.url | | partial.js:31:47:31:53 | req.url | | partial.js:36:25:36:25 | x | | partial.js:37:14:37:14 | x | | partial.js:37:14:37:18 | x + y | +| partial.js:37:14:37:18 | x + y | +| partial.js:40:43:40:49 | req.url | | partial.js:40:43:40:49 | req.url | | promises.js:5:3:5:59 | new Pro ... .data)) | | promises.js:5:44:5:57 | req.query.data | +| promises.js:5:44:5:57 | req.query.data | | promises.js:6:11:6:11 | x | | promises.js:6:11:6:11 | x | | promises.js:6:25:6:25 | x | | promises.js:6:25:6:25 | x | +| promises.js:6:25:6:25 | x | | tst2.js:6:7:6:30 | p | | tst2.js:6:7:6:30 | r | | tst2.js:6:9:6:9 | p | +| tst2.js:6:9:6:9 | p | +| tst2.js:6:12:6:15 | q: r | | tst2.js:6:12:6:15 | q: r | | tst2.js:7:12:7:12 | p | +| tst2.js:7:12:7:12 | p | +| tst2.js:8:12:8:12 | r | | tst2.js:8:12:8:12 | r | | tst2.js:14:7:14:24 | p | | tst2.js:14:9:14:9 | p | +| tst2.js:14:9:14:9 | p | | tst2.js:18:12:18:12 | p | +| tst2.js:18:12:18:12 | p | +| tst2.js:21:14:21:14 | p | | tst2.js:21:14:21:14 | p | edges | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | -| etherpad.js:9:5:9:53 | response | etherpad.js:11:3:11:3 | response | +| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | +| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | +| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | +| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response | | etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response | -| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:36 | req.que ... p + "(" | -| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:47 | req.que ... esponse | | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" | -| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:47 | req.que ... esponse | -| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:53 | req.que ... e + ")" | -| etherpad.js:9:16:9:47 | req.que ... esponse | etherpad.js:9:16:9:53 | req.que ... e + ")" | +| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" | | etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response | -| etherpad.js:11:3:11:3 | response | etherpad.js:11:12:11:19 | response | | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil | | formatting.js:4:9:4:29 | evil | formatting.js:7:49:7:52 | evil | | formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil | +| formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil | | formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) | +| formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) | +| formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) | | formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) | | partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x | | partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y | +| partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y | +| partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x | | partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x | | partial.js:18:25:18:25 | x | partial.js:19:14:19:14 | x | | partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y | +| partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y | +| partial.js:22:51:22:57 | req.url | partial.js:18:25:18:25 | x | | partial.js:22:51:22:57 | req.url | partial.js:18:25:18:25 | x | | partial.js:27:25:27:25 | x | partial.js:28:14:28:14 | x | | partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y | +| partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y | +| partial.js:31:47:31:53 | req.url | partial.js:27:25:27:25 | x | | partial.js:31:47:31:53 | req.url | partial.js:27:25:27:25 | x | | partial.js:36:25:36:25 | x | partial.js:37:14:37:14 | x | | partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y | +| partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y | +| partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x | | partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x | | promises.js:5:3:5:59 | new Pro ... .data)) | promises.js:6:11:6:11 | x | | promises.js:5:44:5:57 | req.query.data | promises.js:5:3:5:59 | new Pro ... .data)) | +| promises.js:5:44:5:57 | req.query.data | promises.js:5:3:5:59 | new Pro ... .data)) | +| promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x | | promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x | | promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x | | promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x | +| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x | +| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x | +| tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p | | tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p | | tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r | +| tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r | +| tst2.js:6:9:6:9 | p | tst2.js:6:7:6:30 | p | | tst2.js:6:9:6:9 | p | tst2.js:6:7:6:30 | p | | tst2.js:6:12:6:15 | q: r | tst2.js:6:7:6:30 | r | +| tst2.js:6:12:6:15 | q: r | tst2.js:6:7:6:30 | r | +| tst2.js:14:7:14:24 | p | tst2.js:18:12:18:12 | p | | tst2.js:14:7:14:24 | p | tst2.js:18:12:18:12 | p | | tst2.js:14:7:14:24 | p | tst2.js:21:14:21:14 | p | +| tst2.js:14:7:14:24 | p | tst2.js:21:14:21:14 | p | +| tst2.js:14:9:14:9 | p | tst2.js:14:7:14:24 | p | | tst2.js:14:9:14:9 | p | tst2.js:14:7:14:24 | p | #select | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | @@ -94,7 +138,6 @@ edges | partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value | | partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value | | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value | -| promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value | | tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value | | tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value | | tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected index 0370cc7e3c0..b0062e70b78 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected @@ -1,7 +1,11 @@ nodes | xss-through-filenames.js:7:43:7:48 | files1 | +| xss-through-filenames.js:7:43:7:48 | files1 | +| xss-through-filenames.js:8:18:8:23 | files1 | | xss-through-filenames.js:8:18:8:23 | files1 | | xss-through-filenames.js:25:43:25:48 | files1 | +| xss-through-filenames.js:25:43:25:48 | files1 | +| xss-through-filenames.js:26:19:26:24 | files1 | | xss-through-filenames.js:26:19:26:24 | files1 | | xss-through-filenames.js:29:13:29:23 | files2 | | xss-through-filenames.js:29:22:29:23 | [] | @@ -9,14 +13,24 @@ nodes | xss-through-filenames.js:30:34:30:37 | file | | xss-through-filenames.js:31:25:31:28 | file | | xss-through-filenames.js:33:19:33:24 | files2 | +| xss-through-filenames.js:33:19:33:24 | files2 | | xss-through-filenames.js:35:13:35:35 | files3 | | xss-through-filenames.js:35:22:35:35 | format(files2) | | xss-through-filenames.js:35:29:35:34 | files2 | | xss-through-filenames.js:37:19:37:24 | files3 | +| xss-through-filenames.js:37:19:37:24 | files3 | edges | xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | +| xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | +| xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | +| xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 | +| xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | +| xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | +| xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 | | xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:30:9:30:14 | files1 | +| xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:30:9:30:14 | files1 | +| xss-through-filenames.js:29:13:29:23 | files2 | xss-through-filenames.js:33:19:33:24 | files2 | | xss-through-filenames.js:29:13:29:23 | files2 | xss-through-filenames.js:33:19:33:24 | files2 | | xss-through-filenames.js:29:13:29:23 | files2 | xss-through-filenames.js:35:29:35:34 | files2 | | xss-through-filenames.js:29:22:29:23 | [] | xss-through-filenames.js:29:13:29:23 | files2 | @@ -24,6 +38,7 @@ edges | xss-through-filenames.js:30:34:30:37 | file | xss-through-filenames.js:31:25:31:28 | file | | xss-through-filenames.js:31:25:31:28 | file | xss-through-filenames.js:29:22:29:23 | [] | | xss-through-filenames.js:35:13:35:35 | files3 | xss-through-filenames.js:37:19:37:24 | files3 | +| xss-through-filenames.js:35:13:35:35 | files3 | xss-through-filenames.js:37:19:37:24 | files3 | | xss-through-filenames.js:35:22:35:35 | format(files2) | xss-through-filenames.js:35:13:35:35 | files3 | | xss-through-filenames.js:35:29:35:34 | files2 | xss-through-filenames.js:35:22:35:35 | format(files2) | #select diff --git a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected index 266c53922f9..f29d3e5de0f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected @@ -1,174 +1,292 @@ nodes | addEventListener.js:1:43:1:47 | event | +| addEventListener.js:1:43:1:47 | event | | addEventListener.js:2:20:2:24 | event | | addEventListener.js:2:20:2:29 | event.data | +| addEventListener.js:2:20:2:29 | event.data | +| addEventListener.js:5:43:5:48 | data | +| addEventListener.js:5:43:5:48 | {data} | +| addEventListener.js:5:43:5:48 | {data} | +| addEventListener.js:5:44:5:47 | data | +| addEventListener.js:6:20:6:23 | data | +| addEventListener.js:6:20:6:23 | data | +| addEventListener.js:10:21:10:25 | event | +| addEventListener.js:10:21:10:25 | event | +| addEventListener.js:12:24:12:28 | event | +| addEventListener.js:12:24:12:33 | event.data | +| addEventListener.js:12:24:12:33 | event.data | | jquery.js:2:7:2:40 | tainted | | jquery.js:2:17:2:33 | document.location | +| jquery.js:2:17:2:33 | document.location | | jquery.js:2:17:2:40 | documen ... .search | | jquery.js:4:5:4:11 | tainted | +| jquery.js:4:5:4:11 | tainted | +| jquery.js:7:5:7:34 | "
    " | | jquery.js:7:5:7:34 | "
    " | | jquery.js:7:20:7:26 | tainted | | jquery.js:8:18:8:34 | "XSS: " + tainted | +| jquery.js:8:18:8:34 | "XSS: " + tainted | | jquery.js:8:28:8:34 | tainted | | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | +| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | +| nodemailer.js:13:50:13:66 | req.query.message | | nodemailer.js:13:50:13:66 | req.query.message | | react-native.js:7:7:7:33 | tainted | | react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:8:18:8:24 | tainted | | react-native.js:8:18:8:24 | tainted | | react-native.js:9:27:9:33 | tainted | +| react-native.js:9:27:9:33 | tainted | +| stored-xss.js:2:39:2:55 | document.location | | stored-xss.js:2:39:2:55 | document.location | | stored-xss.js:2:39:2:62 | documen ... .search | | stored-xss.js:3:35:3:51 | document.location | +| stored-xss.js:3:35:3:51 | document.location | | stored-xss.js:3:35:3:58 | documen ... .search | | stored-xss.js:5:20:5:52 | session ... ssion') | +| stored-xss.js:5:20:5:52 | session ... ssion') | +| stored-xss.js:8:20:8:48 | localSt ... local') | | stored-xss.js:8:20:8:48 | localSt ... local') | | string-manipulations.js:3:16:3:32 | document.location | +| string-manipulations.js:3:16:3:32 | document.location | +| string-manipulations.js:3:16:3:32 | document.location | +| string-manipulations.js:4:16:4:32 | document.location | | string-manipulations.js:4:16:4:32 | document.location | | string-manipulations.js:4:16:4:37 | documen ... on.href | +| string-manipulations.js:4:16:4:37 | documen ... on.href | +| string-manipulations.js:5:16:5:32 | document.location | | string-manipulations.js:5:16:5:32 | document.location | | string-manipulations.js:5:16:5:37 | documen ... on.href | | string-manipulations.js:5:16:5:47 | documen ... lueOf() | +| string-manipulations.js:5:16:5:47 | documen ... lueOf() | +| string-manipulations.js:6:16:6:32 | document.location | | string-manipulations.js:6:16:6:32 | document.location | | string-manipulations.js:6:16:6:37 | documen ... on.href | | string-manipulations.js:6:16:6:43 | documen ... f.sup() | +| string-manipulations.js:6:16:6:43 | documen ... f.sup() | +| string-manipulations.js:7:16:7:32 | document.location | | string-manipulations.js:7:16:7:32 | document.location | | string-manipulations.js:7:16:7:37 | documen ... on.href | | string-manipulations.js:7:16:7:51 | documen ... rCase() | +| string-manipulations.js:7:16:7:51 | documen ... rCase() | +| string-manipulations.js:8:16:8:32 | document.location | | string-manipulations.js:8:16:8:32 | document.location | | string-manipulations.js:8:16:8:37 | documen ... on.href | | string-manipulations.js:8:16:8:48 | documen ... mLeft() | +| string-manipulations.js:8:16:8:48 | documen ... mLeft() | | string-manipulations.js:9:16:9:58 | String. ... n.href) | +| string-manipulations.js:9:16:9:58 | String. ... n.href) | +| string-manipulations.js:9:36:9:52 | document.location | | string-manipulations.js:9:36:9:52 | document.location | | string-manipulations.js:9:36:9:57 | documen ... on.href | | string-manipulations.js:10:16:10:45 | String( ... n.href) | +| string-manipulations.js:10:16:10:45 | String( ... n.href) | +| string-manipulations.js:10:23:10:39 | document.location | | string-manipulations.js:10:23:10:39 | document.location | | string-manipulations.js:10:23:10:44 | documen ... on.href | | translate.js:6:7:6:39 | target | | translate.js:6:16:6:32 | document.location | +| translate.js:6:16:6:32 | document.location | | translate.js:6:16:6:39 | documen ... .search | | translate.js:7:42:7:47 | target | | translate.js:7:42:7:60 | target.substring(1) | | translate.js:9:27:9:50 | searchP ... 'term') | +| translate.js:9:27:9:50 | searchP ... 'term') | | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | | tst3.js:2:23:2:74 | decodeU ... str(1)) | | tst3.js:2:42:2:56 | window.location | +| tst3.js:2:42:2:56 | window.location | | tst3.js:2:42:2:63 | window. ... .search | | tst3.js:2:42:2:73 | window. ... bstr(1) | | tst3.js:4:25:4:28 | data | | tst3.js:4:25:4:32 | data.src | +| tst3.js:4:25:4:32 | data.src | | tst3.js:5:26:5:29 | data | | tst3.js:5:26:5:31 | data.p | +| tst3.js:5:26:5:31 | data.p | | tst3.js:7:32:7:35 | data | | tst3.js:7:32:7:37 | data.p | +| tst3.js:7:32:7:37 | data.p | | tst3.js:9:37:9:40 | data | | tst3.js:9:37:9:42 | data.p | +| tst3.js:9:37:9:42 | data.p | | tst3.js:10:38:10:41 | data | | tst3.js:10:38:10:43 | data.p | +| tst3.js:10:38:10:43 | data.p | | tst.js:2:7:2:39 | target | | tst.js:2:16:2:32 | document.location | +| tst.js:2:16:2:32 | document.location | | tst.js:2:16:2:39 | documen ... .search | | tst.js:5:18:5:23 | target | +| tst.js:5:18:5:23 | target | | tst.js:8:18:8:126 | "" | +| tst.js:8:18:8:126 | "" | +| tst.js:8:37:8:53 | document.location | | tst.js:8:37:8:53 | document.location | | tst.js:8:37:8:58 | documen ... on.href | | tst.js:8:37:8:114 | documen ... t=")+8) | | tst.js:12:5:12:42 | '
    ' | +| tst.js:12:5:12:42 | '
    ' | | tst.js:12:28:12:33 | target | | tst.js:19:25:19:41 | document.location | +| tst.js:19:25:19:41 | document.location | +| tst.js:20:18:20:35 | params.get('name') | | tst.js:20:18:20:35 | params.get('name') | | tst.js:23:42:23:47 | target | | tst.js:23:42:23:60 | target.substring(1) | | tst.js:24:18:24:41 | searchP ... 'name') | +| tst.js:24:18:24:41 | searchP ... 'name') | | tst.js:27:14:27:19 | target | | tst.js:29:18:29:23 | target | +| tst.js:29:18:29:23 | target | +| tst.js:31:5:31:21 | document.location | | tst.js:31:5:31:21 | document.location | | tst.js:31:5:31:28 | documen ... .search | | tst.js:34:10:34:26 | document.location | +| tst.js:34:10:34:26 | document.location | | tst.js:34:10:34:33 | documen ... .search | | tst.js:37:16:37:20 | bar() | +| tst.js:37:16:37:20 | bar() | | tst.js:43:16:43:44 | baz(doc ... search) | +| tst.js:43:16:43:44 | baz(doc ... search) | +| tst.js:43:20:43:36 | document.location | | tst.js:43:20:43:36 | document.location | | tst.js:43:20:43:43 | documen ... .search | | tst.js:49:16:49:45 | wrap(do ... search) | +| tst.js:49:16:49:45 | wrap(do ... search) | +| tst.js:49:21:49:37 | document.location | | tst.js:49:21:49:37 | document.location | | tst.js:49:21:49:44 | documen ... .search | | tst.js:57:16:57:45 | chop(do ... search) | +| tst.js:57:16:57:45 | chop(do ... search) | +| tst.js:57:21:57:37 | document.location | | tst.js:57:21:57:37 | document.location | | tst.js:57:21:57:44 | documen ... .search | | tst.js:59:16:59:45 | chop(do ... search) | +| tst.js:59:16:59:45 | chop(do ... search) | +| tst.js:59:21:59:37 | document.location | | tst.js:59:21:59:37 | document.location | | tst.js:59:21:59:44 | documen ... .search | | tst.js:61:16:61:32 | wrap(chop(bar())) | +| tst.js:61:16:61:32 | wrap(chop(bar())) | | tst.js:61:21:61:31 | chop(bar()) | | tst.js:61:26:61:30 | bar() | | tst.js:63:34:63:34 | s | | tst.js:65:18:65:18 | s | +| tst.js:65:18:65:18 | s | +| tst.js:67:25:67:41 | document.location | | tst.js:67:25:67:41 | document.location | | tst.js:67:25:67:48 | documen ... .search | | tst.js:68:25:68:41 | document.location | +| tst.js:68:25:68:41 | document.location | | tst.js:68:25:68:48 | documen ... .search | | tst.js:71:16:71:20 | bar() | +| tst.js:71:16:71:20 | bar() | | tst.js:73:1:73:27 | [,docum ... search] | | tst.js:73:3:73:19 | document.location | +| tst.js:73:3:73:19 | document.location | | tst.js:73:3:73:26 | documen ... .search | | tst.js:73:46:73:46 | x | | tst.js:76:20:76:20 | x | +| tst.js:76:20:76:20 | x | +| tst.js:80:49:80:65 | document.location | | tst.js:80:49:80:65 | document.location | | tst.js:80:49:80:72 | documen ... .search | +| tst.js:80:49:80:72 | documen ... .search | +| tst.js:84:26:84:42 | document.location | | tst.js:84:26:84:42 | document.location | | tst.js:84:26:84:49 | documen ... .search | +| tst.js:84:26:84:49 | documen ... .search | +| tst.js:85:25:85:41 | document.location | | tst.js:85:25:85:41 | document.location | | tst.js:85:25:85:48 | documen ... .search | +| tst.js:85:25:85:48 | documen ... .search | +| tst.js:87:33:87:49 | document.location | | tst.js:87:33:87:49 | document.location | | tst.js:87:33:87:56 | documen ... .search | +| tst.js:87:33:87:56 | documen ... .search | +| tst.js:88:32:88:48 | document.location | | tst.js:88:32:88:48 | document.location | | tst.js:88:32:88:55 | documen ... .search | +| tst.js:88:32:88:55 | documen ... .search | +| tst.js:93:39:93:55 | document.location | | tst.js:93:39:93:55 | document.location | | tst.js:93:39:93:62 | documen ... .search | +| tst.js:93:39:93:62 | documen ... .search | +| tst.js:99:30:99:46 | document.location | | tst.js:99:30:99:46 | document.location | | tst.js:99:30:99:53 | documen ... .search | +| tst.js:99:30:99:53 | documen ... .search | +| tst.js:105:25:105:41 | document.location | | tst.js:105:25:105:41 | document.location | | tst.js:105:25:105:48 | documen ... .search | +| tst.js:105:25:105:48 | documen ... .search | | tst.js:110:7:110:44 | v | | tst.js:110:11:110:27 | document.location | +| tst.js:110:11:110:27 | document.location | | tst.js:110:11:110:34 | documen ... .search | | tst.js:110:11:110:44 | documen ... bstr(1) | | tst.js:113:18:113:18 | v | +| tst.js:113:18:113:18 | v | +| tst.js:145:29:145:43 | window.location | | tst.js:145:29:145:43 | window.location | | tst.js:145:29:145:50 | window. ... .search | | tst.js:148:29:148:29 | v | | tst.js:148:49:148:49 | v | +| tst.js:148:49:148:49 | v | | tst.js:152:29:152:46 | xssSourceService() | +| tst.js:152:29:152:46 | xssSourceService() | +| tst.js:155:40:155:54 | window.location | | tst.js:155:40:155:54 | window.location | | tst.js:155:40:155:61 | window. ... .search | | tst.js:174:9:174:41 | target | | tst.js:174:18:174:34 | document.location | +| tst.js:174:18:174:34 | document.location | | tst.js:174:18:174:41 | documen ... .search | | tst.js:177:28:177:33 | target | +| tst.js:177:28:177:33 | target | | tst.js:181:9:181:42 | tainted | | tst.js:181:19:181:35 | document.location | +| tst.js:181:19:181:35 | document.location | | tst.js:181:19:181:42 | documen ... .search | | tst.js:183:31:183:37 | tainted | +| tst.js:183:31:183:37 | tainted | +| tst.js:185:42:185:48 | tainted | | tst.js:185:42:185:48 | tainted | | tst.js:186:33:186:39 | tainted | +| tst.js:186:33:186:39 | tainted | | tst.js:188:54:188:60 | tainted | +| tst.js:188:54:188:60 | tainted | +| tst.js:189:45:189:51 | tainted | | tst.js:189:45:189:51 | tainted | | tst.js:194:9:194:42 | tainted | | tst.js:194:19:194:35 | document.location | +| tst.js:194:19:194:35 | document.location | | tst.js:194:19:194:42 | documen ... .search | | tst.js:196:67:196:73 | tainted | +| tst.js:196:67:196:73 | tainted | +| tst.js:197:67:197:73 | tainted | | tst.js:197:67:197:73 | tainted | | tst.js:201:35:201:41 | tainted | | tst.js:203:46:203:52 | tainted | | tst.js:204:38:204:44 | tainted | | tst.js:205:35:205:41 | tainted | | tst.js:209:28:209:46 | this.state.tainted1 | +| tst.js:209:28:209:46 | this.state.tainted1 | +| tst.js:210:28:210:46 | this.state.tainted2 | | tst.js:210:28:210:46 | this.state.tainted2 | | tst.js:211:28:211:46 | this.state.tainted3 | +| tst.js:211:28:211:46 | this.state.tainted3 | +| tst.js:215:32:215:49 | prevState.tainted4 | | tst.js:215:32:215:49 | prevState.tainted4 | | tst.js:222:28:222:46 | this.props.tainted1 | +| tst.js:222:28:222:46 | this.props.tainted1 | +| tst.js:223:28:223:46 | this.props.tainted2 | | tst.js:223:28:223:46 | this.props.tainted2 | | tst.js:224:28:224:46 | this.props.tainted3 | +| tst.js:224:28:224:46 | this.props.tainted3 | +| tst.js:228:32:228:49 | prevProps.tainted4 | | tst.js:228:32:228:49 | prevProps.tainted4 | | tst.js:233:35:233:41 | tainted | | tst.js:235:20:235:26 | tainted | @@ -176,60 +294,119 @@ nodes | tst.js:238:23:238:29 | tainted | | tst.js:244:39:244:55 | props.propTainted | | tst.js:248:60:248:82 | this.st ... Tainted | +| tst.js:248:60:248:82 | this.st ... Tainted | | tst.js:252:23:252:29 | tainted | | tst.js:256:7:256:17 | window.name | +| tst.js:256:7:256:17 | window.name | +| tst.js:256:7:256:17 | window.name | +| tst.js:257:7:257:10 | name | +| tst.js:257:7:257:10 | name | | tst.js:257:7:257:10 | name | | tst.js:261:11:261:21 | window.name | +| tst.js:261:11:261:21 | window.name | +| tst.js:261:11:261:21 | window.name | +| tst.js:277:22:277:29 | location | +| tst.js:277:22:277:29 | location | | tst.js:277:22:277:29 | location | | tst.js:282:9:282:29 | tainted | +| tst.js:282:9:282:29 | tainted | +| tst.js:282:19:282:29 | window.name | | tst.js:282:19:282:29 | window.name | | tst.js:285:59:285:65 | tainted | +| tst.js:285:59:285:65 | tainted | +| tst.js:285:59:285:65 | tainted | +| v-html.vue:2:8:2:23 | v-html=tainted | | v-html.vue:2:8:2:23 | v-html=tainted | | v-html.vue:6:42:6:58 | document.location | +| v-html.vue:6:42:6:58 | document.location | | winjs.js:2:7:2:53 | tainted | | winjs.js:2:17:2:33 | document.location | +| winjs.js:2:17:2:33 | document.location | | winjs.js:2:17:2:40 | documen ... .search | | winjs.js:2:17:2:53 | documen ... ring(1) | | winjs.js:3:43:3:49 | tainted | +| winjs.js:3:43:3:49 | tainted | +| winjs.js:4:43:4:49 | tainted | | winjs.js:4:43:4:49 | tainted | edges | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event | +| addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event | | addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data | +| addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data | +| addEventListener.js:5:43:5:48 | data | addEventListener.js:6:20:6:23 | data | +| addEventListener.js:5:43:5:48 | data | addEventListener.js:6:20:6:23 | data | +| addEventListener.js:5:43:5:48 | {data} | addEventListener.js:5:44:5:47 | data | +| addEventListener.js:5:43:5:48 | {data} | addEventListener.js:5:44:5:47 | data | +| addEventListener.js:5:44:5:47 | data | addEventListener.js:5:43:5:48 | data | +| addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event | +| addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event | +| addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | +| addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | +| jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted | | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted | | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted | | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted | | jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search | +| jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search | | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted | -| jquery.js:7:5:7:26 | "
    " | -| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:26 | "
    " | | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "
    " | | jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted | +| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted | +| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | +| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | +| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | +| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | +| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search | | stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search | | stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') | +| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') | +| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search | | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search | | stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') | +| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') | +| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | +| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | +| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | +| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href | +| string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href | +| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() | | string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() | | string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href | +| string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href | +| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() | | string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() | | string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href | +| string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href | +| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() | | string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() | | string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href | +| string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href | +| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | | string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href | +| string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href | +| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | | string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href | +| string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href | +| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | | translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target | | translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search | +| translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search | | translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target | | translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') | +| translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') | | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data | | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data | | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data | @@ -237,89 +414,155 @@ edges | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:10:38:10:41 | data | | tst3.js:2:23:2:74 | decodeU ... str(1)) | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | | tst3.js:2:42:2:56 | window.location | tst3.js:2:42:2:63 | window. ... .search | +| tst3.js:2:42:2:56 | window.location | tst3.js:2:42:2:63 | window. ... .search | | tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) | | tst3.js:2:42:2:73 | window. ... bstr(1) | tst3.js:2:23:2:74 | decodeU ... str(1)) | | tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src | +| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src | +| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p | | tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p | | tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | +| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | +| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | | tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | | tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | +| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | +| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | | tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | | tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target | | tst.js:2:7:2:39 | target | tst.js:23:42:23:47 | target | | tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search | +| tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search | | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target | -| tst.js:8:18:8:114 | "" | +| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href | | tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href | | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:114 | "" | -| tst.js:12:5:12:33 | '
    ' | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:33 | '
    " | | tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
    ' | +| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
    ' | +| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') | +| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') | +| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') | | tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') | | tst.js:23:42:23:47 | target | tst.js:23:42:23:60 | target.substring(1) | | tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') | +| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') | | tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target | +| tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target | +| tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search | | tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search | | tst.js:31:5:31:28 | documen ... .search | tst.js:27:14:27:19 | target | | tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search | +| tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search | +| tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() | | tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() | | tst.js:34:10:34:33 | documen ... .search | tst.js:61:26:61:30 | bar() | | tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() | +| tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() | +| tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search | | tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search | | tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) | +| tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) | +| tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search | | tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search | | tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) | +| tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) | +| tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search | | tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search | | tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) | +| tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) | +| tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search | | tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search | | tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) | +| tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) | +| tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) | | tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) | | tst.js:61:26:61:30 | bar() | tst.js:61:21:61:31 | chop(bar()) | | tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s | +| tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s | +| tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search | | tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search | | tst.js:67:25:67:48 | documen ... .search | tst.js:63:34:63:34 | s | | tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search | +| tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search | | tst.js:68:25:68:48 | documen ... .search | tst.js:63:34:63:34 | s | | tst.js:73:1:73:27 | [,docum ... search] | tst.js:73:46:73:46 | x | | tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search | +| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search | | tst.js:73:3:73:26 | documen ... .search | tst.js:73:1:73:27 | [,docum ... search] | -| tst.js:73:46:73:46 | x | tst.js:74:7:74:7 | x | | tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x | -| tst.js:74:7:74:7 | x | tst.js:76:20:76:20 | x | +| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x | +| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search | +| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search | +| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search | | tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search | | tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search | +| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search | +| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search | +| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search | +| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search | +| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search | +| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search | | tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search | | tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search | +| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search | +| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search | +| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search | +| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search | +| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search | +| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search | | tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search | | tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search | +| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search | +| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search | +| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search | +| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search | +| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search | +| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search | | tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search | | tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search | +| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search | +| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search | +| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search | | tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v | +| tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v | +| tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search | | tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search | | tst.js:110:11:110:34 | documen ... .search | tst.js:110:11:110:44 | documen ... bstr(1) | | tst.js:110:11:110:44 | documen ... bstr(1) | tst.js:110:7:110:44 | v | | tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search | +| tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search | | tst.js:145:29:145:50 | window. ... .search | tst.js:148:29:148:29 | v | | tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v | +| tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v | +| tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search | | tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search | | tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() | +| tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() | | tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target | +| tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target | +| tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search | | tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search | | tst.js:174:18:174:41 | documen ... .search | tst.js:174:9:174:41 | target | | tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted | +| tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted | +| tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted | | tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted | | tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted | +| tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted | +| tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted | | tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted | | tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted | +| tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted | +| tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search | | tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search | | tst.js:181:19:181:42 | documen ... .search | tst.js:181:9:181:42 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted | +| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted | +| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted | -| tst.js:194:9:194:42 | tainted | tst.js:200:20:200:19 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:201:35:201:41 | tainted | -| tst.js:194:9:194:42 | tainted | tst.js:203:27:203:26 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:203:46:203:52 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:204:38:204:44 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:205:35:205:41 | tainted | @@ -329,31 +572,54 @@ edges | tst.js:194:9:194:42 | tainted | tst.js:238:23:238:29 | tainted | | tst.js:194:9:194:42 | tainted | tst.js:252:23:252:29 | tainted | | tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search | +| tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search | | tst.js:194:19:194:42 | documen ... .search | tst.js:194:9:194:42 | tainted | -| tst.js:200:20:200:19 | tainted | tst.js:201:35:201:41 | tainted | -| tst.js:200:20:200:19 | tainted | tst.js:204:38:204:44 | tainted | -| tst.js:200:20:200:19 | tainted | tst.js:205:35:205:41 | tainted | | tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 | -| tst.js:203:27:203:26 | tainted | tst.js:203:46:203:52 | tainted | +| tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 | +| tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 | | tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 | | tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 | +| tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 | +| tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 | | tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 | | tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 | +| tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 | +| tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 | | tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 | | tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 | +| tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 | +| tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 | | tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 | | tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted | +| tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted | | tst.js:252:23:252:29 | tainted | tst.js:244:39:244:55 | props.propTainted | +| tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name | +| tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | +| tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | +| tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | +| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | +| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | +| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted | +| tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted | +| tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | +| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | +| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | +| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | | winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted | +| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted | | winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted | +| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted | +| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search | | winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search | | winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) | | winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted | #select | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value | +| addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value | +| addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value | | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value | | jquery.js:7:5:7:34 | "
    " | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "
    " | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value | | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/addEventListener.js b/javascript/ql/test/query-tests/Security/CWE-079/addEventListener.js index 2f4b92adbee..fbb1dcfe01d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/addEventListener.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/addEventListener.js @@ -1,3 +1,17 @@ this.addEventListener('message', function(event) { document.write(event.data); // NOT OK }) + +this.addEventListener('message', function({data}) { + document.write(data); // NOT OK +}) + +function test() { + function foo(x, event, y) { + document.write(x.data); // OK + document.write(event.data); // NOT OK + document.write(y.data); // OK + } + + window.addEventListener("message", foo.bind(null, {data: 'items'})); +} diff --git a/javascript/ql/test/query-tests/Security/CWE-079/encodeuri.js b/javascript/ql/test/query-tests/Security/CWE-079/encodeuri.js new file mode 100644 index 00000000000..a48f720bed1 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-079/encodeuri.js @@ -0,0 +1,4 @@ +function test() { + let loc = window.location.href; + $('click'); // OK +} diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected index d5525ba35f2..f2b2489094c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected @@ -2,14 +2,18 @@ nodes | typedClient.ts:13:7:13:32 | v | | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | | typedClient.ts:13:22:13:29 | req.body | +| typedClient.ts:13:22:13:29 | req.body | | typedClient.ts:13:22:13:31 | req.body.x | | typedClient.ts:14:24:14:32 | { id: v } | +| typedClient.ts:14:24:14:32 | { id: v } | | typedClient.ts:14:30:14:30 | v | edges | typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v | | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v | | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x | +| typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x | | typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | | typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } | +| typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } | #select | typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query depends on $@. | typedClient.ts:13:22:13:29 | req.body | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected index 0e3abcdd085..7489f310223 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected @@ -2,159 +2,242 @@ nodes | mongodb.js:12:11:12:20 | query | | mongodb.js:12:19:12:20 | {} | | mongodb.js:13:19:13:26 | req.body | +| mongodb.js:13:19:13:26 | req.body | | mongodb.js:13:19:13:32 | req.body.title | | mongodb.js:18:16:18:20 | query | +| mongodb.js:18:16:18:20 | query | | mongodb.js:26:11:26:32 | title | | mongodb.js:26:19:26:26 | req.body | +| mongodb.js:26:19:26:26 | req.body | | mongodb.js:26:19:26:32 | req.body.title | | mongodb.js:32:18:32:45 | { title ... itle) } | +| mongodb.js:32:18:32:45 | { title ... itle) } | | mongodb.js:32:27:32:43 | JSON.parse(title) | | mongodb.js:32:38:32:42 | title | | mongodb.js:48:11:48:20 | query | | mongodb.js:48:19:48:20 | {} | | mongodb.js:49:19:49:33 | req.query.title | +| mongodb.js:49:19:49:33 | req.query.title | +| mongodb.js:54:16:54:20 | query | | mongodb.js:54:16:54:20 | query | | mongodb_bodySafe.js:23:11:23:20 | query | | mongodb_bodySafe.js:23:19:23:20 | {} | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | +| mongodb_bodySafe.js:29:16:29:20 | query | | mongodb_bodySafe.js:29:16:29:20 | query | | mongoose.js:20:11:20:20 | query | | mongoose.js:20:19:20:20 | {} | | mongoose.js:21:19:21:26 | req.body | +| mongoose.js:21:19:21:26 | req.body | | mongoose.js:21:19:21:32 | req.body.title | | mongoose.js:27:20:27:24 | query | +| mongoose.js:27:20:27:24 | query | +| mongoose.js:30:25:30:29 | query | | mongoose.js:30:25:30:29 | query | | mongoose.js:33:24:33:28 | query | +| mongoose.js:33:24:33:28 | query | +| mongoose.js:36:31:36:35 | query | | mongoose.js:36:31:36:35 | query | | mongoose.js:39:19:39:23 | query | +| mongoose.js:39:19:39:23 | query | +| mongoose.js:42:22:42:26 | query | | mongoose.js:42:22:42:26 | query | | mongoose.js:45:31:45:35 | query | +| mongoose.js:45:31:45:35 | query | +| mongoose.js:48:31:48:35 | query | | mongoose.js:48:31:48:35 | query | | mongoose.js:51:31:51:35 | query | +| mongoose.js:51:31:51:35 | query | +| mongoose.js:54:25:54:29 | query | | mongoose.js:54:25:54:29 | query | | mongoose.js:57:21:57:25 | query | +| mongoose.js:57:21:57:25 | query | | mongoose.js:60:25:60:29 | query | +| mongoose.js:60:25:60:29 | query | +| mongoose.js:63:24:63:28 | query | | mongoose.js:63:24:63:28 | query | | mongooseJsonParse.js:19:11:19:20 | query | | mongooseJsonParse.js:19:19:19:20 | {} | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | | mongooseJsonParse.js:20:30:20:43 | req.query.data | +| mongooseJsonParse.js:20:30:20:43 | req.query.data | +| mongooseJsonParse.js:23:19:23:23 | query | | mongooseJsonParse.js:23:19:23:23 | query | | mongooseModelClient.js:10:7:10:32 | v | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | | mongooseModelClient.js:10:22:10:29 | req.body | +| mongooseModelClient.js:10:22:10:29 | req.body | | mongooseModelClient.js:10:22:10:31 | req.body.x | | mongooseModelClient.js:11:16:11:24 | { id: v } | +| mongooseModelClient.js:11:16:11:24 | { id: v } | | mongooseModelClient.js:11:22:11:22 | v | | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | +| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | +| mongooseModelClient.js:12:22:12:29 | req.body | | mongooseModelClient.js:12:22:12:29 | req.body | | mongooseModelClient.js:12:22:12:32 | req.body.id | | socketio.js:10:25:10:30 | handle | +| socketio.js:10:25:10:30 | handle | +| socketio.js:11:12:11:53 | `INSERT ... andle}` | | socketio.js:11:12:11:53 | `INSERT ... andle}` | | socketio.js:11:46:11:51 | handle | | tst2.js:9:27:9:84 | "select ... d + "'" | +| tst2.js:9:27:9:84 | "select ... d + "'" | +| tst2.js:9:66:9:78 | req.params.id | | tst2.js:9:66:9:78 | req.params.id | | tst3.js:8:7:9:55 | query1 | | tst3.js:8:16:9:55 | "SELECT ... PRICE" | | tst3.js:9:16:9:34 | req.params.category | +| tst3.js:9:16:9:34 | req.params.category | +| tst3.js:10:14:10:19 | query1 | | tst3.js:10:14:10:19 | query1 | | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | +| tst4.js:8:10:8:66 | 'SELECT ... d + '"' | +| tst4.js:8:46:8:60 | $routeParams.id | | tst4.js:8:46:8:60 | $routeParams.id | | tst.js:10:10:10:64 | 'SELECT ... d + '"' | +| tst.js:10:10:10:64 | 'SELECT ... d + '"' | +| tst.js:10:46:10:58 | req.params.id | | tst.js:10:46:10:58 | req.params.id | edges -| mongodb.js:12:11:12:20 | query | mongodb.js:14:59:14:58 | query | +| mongodb.js:12:11:12:20 | query | mongodb.js:18:16:18:20 | query | | mongodb.js:12:11:12:20 | query | mongodb.js:18:16:18:20 | query | | mongodb.js:12:19:12:20 | {} | mongodb.js:12:11:12:20 | query | | mongodb.js:13:19:13:26 | req.body | mongodb.js:13:19:13:32 | req.body.title | +| mongodb.js:13:19:13:26 | req.body | mongodb.js:13:19:13:32 | req.body.title | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:11:12:20 | query | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:19:12:20 | {} | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:14:59:14:58 | query | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:18:16:18:20 | query | -| mongodb.js:14:59:14:58 | query | mongodb.js:18:16:18:20 | query | -| mongodb.js:26:11:26:32 | title | mongodb.js:27:11:27:35 | title | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:18:16:18:20 | query | | mongodb.js:26:11:26:32 | title | mongodb.js:32:38:32:42 | title | | mongodb.js:26:19:26:26 | req.body | mongodb.js:26:19:26:32 | req.body.title | +| mongodb.js:26:19:26:26 | req.body | mongodb.js:26:19:26:32 | req.body.title | | mongodb.js:26:19:26:32 | req.body.title | mongodb.js:26:11:26:32 | title | -| mongodb.js:27:11:27:35 | title | mongodb.js:32:38:32:42 | title | +| mongodb.js:32:27:32:43 | JSON.parse(title) | mongodb.js:32:18:32:45 | { title ... itle) } | | mongodb.js:32:27:32:43 | JSON.parse(title) | mongodb.js:32:18:32:45 | { title ... itle) } | | mongodb.js:32:38:32:42 | title | mongodb.js:32:27:32:43 | JSON.parse(title) | -| mongodb.js:48:11:48:20 | query | mongodb.js:50:59:50:58 | query | +| mongodb.js:48:11:48:20 | query | mongodb.js:54:16:54:20 | query | | mongodb.js:48:11:48:20 | query | mongodb.js:54:16:54:20 | query | | mongodb.js:48:19:48:20 | {} | mongodb.js:48:11:48:20 | query | | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:11:48:20 | query | +| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:11:48:20 | query | +| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:19:48:20 | {} | | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:19:48:20 | {} | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:50:59:50:58 | query | | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | -| mongodb.js:50:59:50:58 | query | mongodb.js:54:16:54:20 | query | -| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:25:59:25:58 | query | +| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | +| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | +| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | +| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query | | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query | | mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:11:23:20 | query | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:11:23:20 | query | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:19:23:20 | {} | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:19:23:20 | {} | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:25:59:25:58 | query | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | -| mongodb_bodySafe.js:25:59:25:58 | query | mongodb_bodySafe.js:29:16:29:20 | query | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:27:20:27:24 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:27:20:27:24 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:30:25:30:29 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:30:25:30:29 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:33:24:33:28 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:33:24:33:28 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:36:31:36:35 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:36:31:36:35 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:39:19:39:23 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:39:19:39:23 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:42:22:42:26 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:42:22:42:26 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:45:31:45:35 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:45:31:45:35 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:48:31:48:35 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:48:31:48:35 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:51:31:51:35 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:51:31:51:35 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:54:25:54:29 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:54:25:54:29 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:57:21:57:25 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:57:21:57:25 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query | +| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query | | mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query | | mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query | | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title | +| mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:20:11:20:20 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:20:19:20:20 | {} | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:27:20:27:24 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:27:20:27:24 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:30:25:30:29 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:30:25:30:29 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:33:24:33:28 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:33:24:33:28 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:36:31:36:35 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:36:31:36:35 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:39:19:39:23 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:39:19:39:23 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:42:22:42:26 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:42:22:42:26 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:45:31:45:35 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:45:31:45:35 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:48:31:48:35 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:48:31:48:35 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:51:31:51:35 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:51:31:51:35 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:54:25:54:29 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:54:25:54:29 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:57:21:57:25 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:57:21:57:25 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query | | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query | +| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query | +| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query | | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query | | mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:11:19:20 | query | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:19:19:20 | {} | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:23:19:23:23 | query | +| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:23:19:23:23 | query | +| mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | | mongooseModelClient.js:10:7:10:32 | v | mongooseModelClient.js:11:22:11:22 | v | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | mongooseModelClient.js:10:7:10:32 | v | | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:10:22:10:31 | req.body.x | +| mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:10:22:10:31 | req.body.x | | mongooseModelClient.js:10:22:10:31 | req.body.x | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | | mongooseModelClient.js:11:22:11:22 | v | mongooseModelClient.js:11:16:11:24 | { id: v } | +| mongooseModelClient.js:11:22:11:22 | v | mongooseModelClient.js:11:16:11:24 | { id: v } | +| mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id | | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id | | mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | +| mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | +| socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle | | socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle | | socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | -| tst2.js:9:27:9:78 | "select ... rams.id | tst2.js:9:27:9:84 | "select ... d + "'" | -| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:78 | "select ... rams.id | +| socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | +| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | +| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | +| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | | tst3.js:8:7:9:55 | query1 | tst3.js:10:14:10:19 | query1 | -| tst3.js:8:16:9:34 | "SELECT ... ategory | tst3.js:8:16:9:55 | "SELECT ... PRICE" | +| tst3.js:8:7:9:55 | query1 | tst3.js:10:14:10:19 | query1 | | tst3.js:8:16:9:55 | "SELECT ... PRICE" | tst3.js:8:7:9:55 | query1 | -| tst3.js:9:16:9:34 | req.params.category | tst3.js:8:16:9:34 | "SELECT ... ategory | | tst3.js:9:16:9:34 | req.params.category | tst3.js:8:16:9:55 | "SELECT ... PRICE" | -| tst4.js:8:10:8:60 | 'SELECT ... rams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | -| tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:60 | 'SELECT ... rams.id | +| tst3.js:9:16:9:34 | req.params.category | tst3.js:8:16:9:55 | "SELECT ... PRICE" | | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | -| tst.js:10:10:10:58 | 'SELECT ... rams.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | -| tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:58 | 'SELECT ... rams.id | +| tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | +| tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | +| tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | +| tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | +| tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | +| tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | #select | mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query depends on $@. | mongodb.js:13:19:13:26 | req.body | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index 1a5f6ed778c..3f98240b753 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected @@ -1,99 +1,215 @@ nodes | angularjs.js:10:22:10:29 | location | +| angularjs.js:10:22:10:29 | location | +| angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:30 | location | +| angularjs.js:13:23:13:30 | location | +| angularjs.js:13:23:13:37 | location.search | | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:35 | location | +| angularjs.js:16:28:16:35 | location | +| angularjs.js:16:28:16:42 | location.search | | angularjs.js:16:28:16:42 | location.search | | angularjs.js:19:22:19:29 | location | +| angularjs.js:19:22:19:29 | location | +| angularjs.js:19:22:19:36 | location.search | | angularjs.js:19:22:19:36 | location.search | | angularjs.js:22:27:22:34 | location | +| angularjs.js:22:27:22:34 | location | +| angularjs.js:22:27:22:41 | location.search | | angularjs.js:22:27:22:41 | location.search | | angularjs.js:25:23:25:30 | location | +| angularjs.js:25:23:25:30 | location | +| angularjs.js:25:23:25:37 | location.search | | angularjs.js:25:23:25:37 | location.search | | angularjs.js:28:33:28:40 | location | +| angularjs.js:28:33:28:40 | location | +| angularjs.js:28:33:28:47 | location.search | | angularjs.js:28:33:28:47 | location.search | | angularjs.js:31:28:31:35 | location | +| angularjs.js:31:28:31:35 | location | +| angularjs.js:31:28:31:42 | location.search | | angularjs.js:31:28:31:42 | location.search | | angularjs.js:34:18:34:25 | location | +| angularjs.js:34:18:34:25 | location | +| angularjs.js:34:18:34:32 | location.search | | angularjs.js:34:18:34:32 | location.search | | angularjs.js:40:18:40:25 | location | +| angularjs.js:40:18:40:25 | location | +| angularjs.js:40:18:40:32 | location.search | | angularjs.js:40:18:40:32 | location.search | | angularjs.js:44:17:44:24 | location | +| angularjs.js:44:17:44:24 | location | +| angularjs.js:44:17:44:31 | location.search | | angularjs.js:44:17:44:31 | location.search | | angularjs.js:47:16:47:23 | location | +| angularjs.js:47:16:47:23 | location | +| angularjs.js:47:16:47:30 | location.search | | angularjs.js:47:16:47:30 | location.search | | angularjs.js:50:22:50:29 | location | +| angularjs.js:50:22:50:29 | location | +| angularjs.js:50:22:50:36 | location.search | | angularjs.js:50:22:50:36 | location.search | | angularjs.js:53:32:53:39 | location | +| angularjs.js:53:32:53:39 | location | +| angularjs.js:53:32:53:46 | location.search | | angularjs.js:53:32:53:46 | location.search | | express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | | express.js:7:44:7:62 | req.param("wobble") | | express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | | express.js:9:54:9:72 | req.param("wobble") | | express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | | express.js:12:28:12:46 | req.param("wobble") | | react-native.js:7:7:7:33 | tainted | | react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:8:32:8:38 | tainted | | react-native.js:8:32:8:38 | tainted | | react-native.js:10:23:10:29 | tainted | +| react-native.js:10:23:10:29 | tainted | +| tst.js:2:6:2:22 | document.location | | tst.js:2:6:2:22 | document.location | | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:5:12:5:28 | document.location | | tst.js:5:12:5:28 | document.location | | tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:14:10:14:26 | document.location | | tst.js:14:10:14:26 | document.location | | tst.js:14:10:14:33 | documen ... .search | | tst.js:14:10:14:74 | documen ... , "$1") | +| tst.js:14:10:14:74 | documen ... , "$1") | +| tst.js:17:21:17:37 | document.location | | tst.js:17:21:17:37 | document.location | | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | | tst.js:20:30:20:46 | document.location | | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:51 | documen ... on.hash | | tst.js:23:6:23:46 | atob(do ... ing(1)) | +| tst.js:23:6:23:46 | atob(do ... ing(1)) | +| tst.js:23:11:23:27 | document.location | | tst.js:23:11:23:27 | document.location | | tst.js:23:11:23:32 | documen ... on.hash | | tst.js:23:11:23:45 | documen ... ring(1) | | tst.js:26:26:26:33 | location | +| tst.js:26:26:26:33 | location | | tst.js:26:26:26:40 | location.search | | tst.js:26:26:26:53 | locatio ... ring(1) | +| tst.js:26:26:26:53 | locatio ... ring(1) | edges | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | | angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | | angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | | angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | | angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | | angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | | angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | | angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | | angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | -| express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") | | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | -| express.js:9:34:9:72 | "return ... obble") | express.js:9:34:9:79 | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:72 | "return ... obble") | +| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | -| express.js:12:8:12:46 | "return ... obble") | express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:46 | "return ... obble") | +| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | +| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | +| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | | tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search | +| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search | +| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash | | tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash | | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | | tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | +| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | | tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search | +| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search | +| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | #select | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:29 | location | User-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index d7dd25fde08..8f91bda7241 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected @@ -1,102 +1,223 @@ nodes | angularjs.js:10:22:10:29 | location | +| angularjs.js:10:22:10:29 | location | +| angularjs.js:10:22:10:36 | location.search | | angularjs.js:10:22:10:36 | location.search | | angularjs.js:13:23:13:30 | location | +| angularjs.js:13:23:13:30 | location | +| angularjs.js:13:23:13:37 | location.search | | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:35 | location | +| angularjs.js:16:28:16:35 | location | +| angularjs.js:16:28:16:42 | location.search | | angularjs.js:16:28:16:42 | location.search | | angularjs.js:19:22:19:29 | location | +| angularjs.js:19:22:19:29 | location | +| angularjs.js:19:22:19:36 | location.search | | angularjs.js:19:22:19:36 | location.search | | angularjs.js:22:27:22:34 | location | +| angularjs.js:22:27:22:34 | location | +| angularjs.js:22:27:22:41 | location.search | | angularjs.js:22:27:22:41 | location.search | | angularjs.js:25:23:25:30 | location | +| angularjs.js:25:23:25:30 | location | +| angularjs.js:25:23:25:37 | location.search | | angularjs.js:25:23:25:37 | location.search | | angularjs.js:28:33:28:40 | location | +| angularjs.js:28:33:28:40 | location | +| angularjs.js:28:33:28:47 | location.search | | angularjs.js:28:33:28:47 | location.search | | angularjs.js:31:28:31:35 | location | +| angularjs.js:31:28:31:35 | location | +| angularjs.js:31:28:31:42 | location.search | | angularjs.js:31:28:31:42 | location.search | | angularjs.js:34:18:34:25 | location | +| angularjs.js:34:18:34:25 | location | +| angularjs.js:34:18:34:32 | location.search | | angularjs.js:34:18:34:32 | location.search | | angularjs.js:40:18:40:25 | location | +| angularjs.js:40:18:40:25 | location | +| angularjs.js:40:18:40:32 | location.search | | angularjs.js:40:18:40:32 | location.search | | angularjs.js:44:17:44:24 | location | +| angularjs.js:44:17:44:24 | location | +| angularjs.js:44:17:44:31 | location.search | | angularjs.js:44:17:44:31 | location.search | | angularjs.js:47:16:47:23 | location | +| angularjs.js:47:16:47:23 | location | +| angularjs.js:47:16:47:30 | location.search | | angularjs.js:47:16:47:30 | location.search | | angularjs.js:50:22:50:29 | location | +| angularjs.js:50:22:50:29 | location | +| angularjs.js:50:22:50:36 | location.search | | angularjs.js:50:22:50:36 | location.search | | angularjs.js:53:32:53:39 | location | +| angularjs.js:53:32:53:39 | location | +| angularjs.js:53:32:53:46 | location.search | | angularjs.js:53:32:53:46 | location.search | | eslint-escope-build.js:20:22:20:22 | c | +| eslint-escope-build.js:20:22:20:22 | c | +| eslint-escope-build.js:21:16:21:16 | c | | eslint-escope-build.js:21:16:21:16 | c | | express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | | express.js:7:44:7:62 | req.param("wobble") | | express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | | express.js:9:54:9:72 | req.param("wobble") | | express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | | express.js:12:28:12:46 | req.param("wobble") | | react-native.js:7:7:7:33 | tainted | | react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:8:32:8:38 | tainted | | react-native.js:8:32:8:38 | tainted | | react-native.js:10:23:10:29 | tainted | +| react-native.js:10:23:10:29 | tainted | +| tst.js:2:6:2:22 | document.location | | tst.js:2:6:2:22 | document.location | | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:5:12:5:28 | document.location | | tst.js:5:12:5:28 | document.location | | tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:14:10:14:26 | document.location | | tst.js:14:10:14:26 | document.location | | tst.js:14:10:14:33 | documen ... .search | | tst.js:14:10:14:74 | documen ... , "$1") | +| tst.js:14:10:14:74 | documen ... , "$1") | +| tst.js:17:21:17:37 | document.location | | tst.js:17:21:17:37 | document.location | | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | | tst.js:20:30:20:46 | document.location | | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:51 | documen ... on.hash | | tst.js:23:6:23:46 | atob(do ... ing(1)) | +| tst.js:23:6:23:46 | atob(do ... ing(1)) | +| tst.js:23:11:23:27 | document.location | | tst.js:23:11:23:27 | document.location | | tst.js:23:11:23:32 | documen ... on.hash | | tst.js:23:11:23:45 | documen ... ring(1) | | tst.js:26:26:26:33 | location | +| tst.js:26:26:26:33 | location | | tst.js:26:26:26:40 | location.search | | tst.js:26:26:26:53 | locatio ... ring(1) | +| tst.js:26:26:26:53 | locatio ... ring(1) | edges | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | +| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | | angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | +| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | | angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | | angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | +| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | | angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | | angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | +| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | | angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | | angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | +| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | | angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | | angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | +| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | +| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | -| express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") | +| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | +| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | +| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | +| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | +| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | -| express.js:9:34:9:72 | "return ... obble") | express.js:9:34:9:79 | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:72 | "return ... obble") | | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | -| express.js:12:8:12:46 | "return ... obble") | express.js:12:8:12:53 | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:46 | "return ... obble") | +| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | +| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | +| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | +| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | +| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href | | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | +| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | +| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | | tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search | +| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search | +| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | +| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | +| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash | | tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash | | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | | tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | +| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | | tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search | +| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search | +| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | #select | eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected index f3bb67d4ad3..e7c7a4eb681 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected @@ -1,41 +1,53 @@ nodes | example.js:9:37:9:38 | ev | +| example.js:9:37:9:38 | ev | | example.js:10:9:10:37 | message | | example.js:10:19:10:37 | JSON.parse(ev.data) | | example.js:10:30:10:31 | ev | | example.js:10:30:10:36 | ev.data | | example.js:13:5:13:24 | window[message.name] | +| example.js:13:5:13:24 | window[message.name] | | example.js:13:12:13:18 | message | | example.js:13:12:13:23 | message.name | | tst.js:3:37:3:38 | ev | +| tst.js:3:37:3:38 | ev | | tst.js:4:9:4:37 | message | | tst.js:4:19:4:37 | JSON.parse(ev.data) | | tst.js:4:30:4:31 | ev | | tst.js:4:30:4:36 | ev.data | | tst.js:5:5:5:24 | window[message.name] | +| tst.js:5:5:5:24 | window[message.name] | | tst.js:5:12:5:18 | message | | tst.js:5:12:5:23 | message.name | | tst.js:6:9:6:28 | window[message.name] | +| tst.js:6:9:6:28 | window[message.name] | | tst.js:6:16:6:22 | message | | tst.js:6:16:6:27 | message.name | | tst.js:11:5:11:19 | f[message.name] | +| tst.js:11:5:11:19 | f[message.name] | | tst.js:11:7:11:13 | message | | tst.js:11:7:11:18 | message.name | | tst.js:15:5:15:14 | window[ev] | +| tst.js:15:5:15:14 | window[ev] | | tst.js:15:12:15:13 | ev | | tst.js:21:5:21:29 | window[ ... e.name] | +| tst.js:21:5:21:29 | window[ ... e.name] | | tst.js:21:12:21:28 | '' + message.name | | tst.js:21:17:21:23 | message | | tst.js:21:17:21:28 | message.name | edges | example.js:9:37:9:38 | ev | example.js:10:30:10:31 | ev | +| example.js:9:37:9:38 | ev | example.js:10:30:10:31 | ev | | example.js:10:9:10:37 | message | example.js:13:12:13:18 | message | | example.js:10:19:10:37 | JSON.parse(ev.data) | example.js:10:9:10:37 | message | | example.js:10:30:10:31 | ev | example.js:10:30:10:36 | ev.data | | example.js:10:30:10:36 | ev.data | example.js:10:19:10:37 | JSON.parse(ev.data) | | example.js:13:12:13:18 | message | example.js:13:12:13:23 | message.name | | example.js:13:12:13:23 | message.name | example.js:13:5:13:24 | window[message.name] | +| example.js:13:12:13:23 | message.name | example.js:13:5:13:24 | window[message.name] | | tst.js:3:37:3:38 | ev | tst.js:4:30:4:31 | ev | +| tst.js:3:37:3:38 | ev | tst.js:4:30:4:31 | ev | +| tst.js:3:37:3:38 | ev | tst.js:15:12:15:13 | ev | | tst.js:3:37:3:38 | ev | tst.js:15:12:15:13 | ev | | tst.js:4:9:4:37 | message | tst.js:5:12:5:18 | message | | tst.js:4:9:4:37 | message | tst.js:6:16:6:22 | message | @@ -46,11 +58,16 @@ edges | tst.js:4:30:4:36 | ev.data | tst.js:4:19:4:37 | JSON.parse(ev.data) | | tst.js:5:12:5:18 | message | tst.js:5:12:5:23 | message.name | | tst.js:5:12:5:23 | message.name | tst.js:5:5:5:24 | window[message.name] | +| tst.js:5:12:5:23 | message.name | tst.js:5:5:5:24 | window[message.name] | | tst.js:6:16:6:22 | message | tst.js:6:16:6:27 | message.name | | tst.js:6:16:6:27 | message.name | tst.js:6:9:6:28 | window[message.name] | +| tst.js:6:16:6:27 | message.name | tst.js:6:9:6:28 | window[message.name] | | tst.js:11:7:11:13 | message | tst.js:11:7:11:18 | message.name | | tst.js:11:7:11:18 | message.name | tst.js:11:5:11:19 | f[message.name] | +| tst.js:11:7:11:18 | message.name | tst.js:11:5:11:19 | f[message.name] | | tst.js:15:12:15:13 | ev | tst.js:15:5:15:14 | window[ev] | +| tst.js:15:12:15:13 | ev | tst.js:15:5:15:14 | window[ev] | +| tst.js:21:12:21:28 | '' + message.name | tst.js:21:5:21:29 | window[ ... e.name] | | tst.js:21:12:21:28 | '' + message.name | tst.js:21:5:21:29 | window[ ... e.name] | | tst.js:21:17:21:23 | message | tst.js:21:17:21:28 | message.name | | tst.js:21:17:21:28 | message.name | tst.js:21:12:21:28 | '' + message.name | diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected index d4930ad07cf..23e5a4a6b05 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected +++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected @@ -5,3 +5,8 @@ | tst.js:53:10:53:33 | s.repla ... , '\\\\') | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:53:10:54:33 | s.repla ... , '\\'') | here | | tst.js:60:7:60:28 | s.repla ... '%25') | This replacement may double-escape '%' characters from $@. | tst.js:59:7:59:28 | s.repla ... '%26') | here | | tst.js:68:10:70:38 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here | +| tst.js:74:10:77:10 | JSON.st ... ) | This replacement may double-escape '\\' characters from $@. | tst.js:75:12:76:37 | s.repla ... u003E") | here | +| tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here | +| tst.js:99:10:99:66 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here | +| tst.js:107:10:107:53 | encodeD ... &") | This replacement may double-escape '&' characters from $@. | tst.js:107:10:107:30 | encodeD ... otes(s) | here | +| tst.js:115:10:115:47 | encodeQ ... &") | This replacement may double-escape '&' characters from $@. | tst.js:115:10:115:24 | encodeQuotes(s) | here | diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js index 19ab94d2691..9c69c837f6b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js @@ -69,3 +69,68 @@ function badEncode(s) { .replace(indirect2, "'") .replace(indirect3, "&"); } + +function badEscape1(s) { + return JSON.stringify( + s.replace(//g, "\\u003E") + ); +} + +function goodEscape1(s) { + return JSON.stringify(s) + .replace(//g, "\\u003E"); +} + +function badUnescape2(s) { + return JSON.parse(s).replace(/\\u003C/g, "<").replace(/\\u003E/g, ">"); +} + +function goodUnescape2(s) { + return JSON.parse(s.replace(/\\u003C/g, "<").replace(/\\u003E/g, ">")); +} + +function badEncodeWithReplacer(s) { + var repl = { + '"': """, + "'": "'", + "&": "&" + }; + return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&"); +} + +function encodeDoubleQuotes(s) { + return s.replace(/"/g, """); +} + +function badWrappedEncode(s) { + return encodeDoubleQuotes(s).replace(/&/g, "&"); +} + +function encodeQuotes(s) { + return s.replace(/"/g, """).replace(/'/g, "'"); +} + +function badWrappedEncode2(s) { + return encodeQuotes(s).replace(/&/g, "&"); +} + +function roundtrip(s) { + return JSON.parse(JSON.stringify(s)); +} + +// dubious, but out of scope for this query +function badRoundtrip(s) { + return s.replace(/\\\\/g, "\\").replace(/\\/g, "\\\\"); +} + +function testWithCapturedVar(x) { + var captured = x; + (function() { + captured = captured.replace(/\\/g, "\\\\"); + })(); +} + +function cloneAndStringify(s) { + return JSON.stringify(JSON.parse(JSON.stringify(s))); +} diff --git a/javascript/ql/test/query-tests/Security/CWE-134/TaintedFormatString.expected b/javascript/ql/test/query-tests/Security/CWE-134/TaintedFormatString.expected index 161ad1ecbbb..0ea3425b00e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-134/TaintedFormatString.expected +++ b/javascript/ql/test/query-tests/Security/CWE-134/TaintedFormatString.expected @@ -1,25 +1,85 @@ nodes | tst.js:5:15:5:30 | req.query.format | +| tst.js:5:15:5:30 | req.query.format | +| tst.js:5:15:5:30 | req.query.format | +| tst.js:6:26:6:41 | req.query.format | +| tst.js:6:26:6:41 | req.query.format | | tst.js:6:26:6:41 | req.query.format | | tst.js:7:15:7:30 | req.query.format | +| tst.js:7:15:7:30 | req.query.format | +| tst.js:7:15:7:30 | req.query.format | +| tst.js:8:17:8:32 | req.query.format | +| tst.js:8:17:8:32 | req.query.format | | tst.js:8:17:8:32 | req.query.format | | tst.js:9:16:9:31 | req.query.format | +| tst.js:9:16:9:31 | req.query.format | +| tst.js:9:16:9:31 | req.query.format | +| tst.js:10:12:10:27 | req.query.format | +| tst.js:10:12:10:27 | req.query.format | | tst.js:10:12:10:27 | req.query.format | | tst.js:11:32:11:47 | req.query.format | +| tst.js:11:32:11:47 | req.query.format | +| tst.js:11:32:11:47 | req.query.format | +| tst.js:12:21:12:36 | req.query.format | +| tst.js:12:21:12:36 | req.query.format | | tst.js:12:21:12:36 | req.query.format | | tst.js:13:35:13:50 | req.query.format | +| tst.js:13:35:13:50 | req.query.format | +| tst.js:13:35:13:50 | req.query.format | +| tst.js:14:29:14:44 | req.query.format | +| tst.js:14:29:14:44 | req.query.format | | tst.js:14:29:14:44 | req.query.format | | tst.js:15:30:15:45 | req.query.format | +| tst.js:15:30:15:45 | req.query.format | +| tst.js:15:30:15:45 | req.query.format | +| tst.js:16:26:16:41 | req.query.format | +| tst.js:16:26:16:41 | req.query.format | | tst.js:16:26:16:41 | req.query.format | | tst.js:17:30:17:45 | req.query.format | +| tst.js:17:30:17:45 | req.query.format | +| tst.js:17:30:17:45 | req.query.format | +| tst.js:18:38:18:53 | req.query.format | +| tst.js:18:38:18:53 | req.query.format | | tst.js:18:38:18:53 | req.query.format | | tst.js:20:17:20:32 | req.query.format | +| tst.js:20:17:20:32 | req.query.format | +| tst.js:20:17:20:32 | req.query.format | +| tst.js:21:16:21:31 | req.query.format | +| tst.js:21:16:21:31 | req.query.format | | tst.js:21:16:21:31 | req.query.format | | tst.js:22:17:22:32 | req.query.format | +| tst.js:22:17:22:32 | req.query.format | +| tst.js:22:17:22:32 | req.query.format | +| tst.js:24:25:24:40 | req.query.format | +| tst.js:24:25:24:40 | req.query.format | | tst.js:24:25:24:40 | req.query.format | | tst.js:25:33:25:48 | req.query.format | +| tst.js:25:33:25:48 | req.query.format | +| tst.js:25:33:25:48 | req.query.format | +| tst.js:26:34:26:49 | req.query.format | +| tst.js:26:34:26:49 | req.query.format | | tst.js:26:34:26:49 | req.query.format | edges +| tst.js:5:15:5:30 | req.query.format | tst.js:5:15:5:30 | req.query.format | +| tst.js:6:26:6:41 | req.query.format | tst.js:6:26:6:41 | req.query.format | +| tst.js:7:15:7:30 | req.query.format | tst.js:7:15:7:30 | req.query.format | +| tst.js:8:17:8:32 | req.query.format | tst.js:8:17:8:32 | req.query.format | +| tst.js:9:16:9:31 | req.query.format | tst.js:9:16:9:31 | req.query.format | +| tst.js:10:12:10:27 | req.query.format | tst.js:10:12:10:27 | req.query.format | +| tst.js:11:32:11:47 | req.query.format | tst.js:11:32:11:47 | req.query.format | +| tst.js:12:21:12:36 | req.query.format | tst.js:12:21:12:36 | req.query.format | +| tst.js:13:35:13:50 | req.query.format | tst.js:13:35:13:50 | req.query.format | +| tst.js:14:29:14:44 | req.query.format | tst.js:14:29:14:44 | req.query.format | +| tst.js:15:30:15:45 | req.query.format | tst.js:15:30:15:45 | req.query.format | +| tst.js:16:26:16:41 | req.query.format | tst.js:16:26:16:41 | req.query.format | +| tst.js:17:30:17:45 | req.query.format | tst.js:17:30:17:45 | req.query.format | +| tst.js:18:38:18:53 | req.query.format | tst.js:18:38:18:53 | req.query.format | +| tst.js:20:17:20:32 | req.query.format | tst.js:20:17:20:32 | req.query.format | +| tst.js:21:16:21:31 | req.query.format | tst.js:21:16:21:31 | req.query.format | +| tst.js:22:17:22:32 | req.query.format | tst.js:22:17:22:32 | req.query.format | +| tst.js:24:25:24:40 | req.query.format | tst.js:24:25:24:40 | req.query.format | +| tst.js:25:33:25:48 | req.query.format | tst.js:25:33:25:48 | req.query.format | +| tst.js:26:34:26:49 | req.query.format | tst.js:26:34:26:49 | req.query.format | #select | tst.js:5:15:5:30 | req.query.format | tst.js:5:15:5:30 | req.query.format | tst.js:5:15:5:30 | req.query.format | $@ flows here and is used in a format string. | tst.js:5:15:5:30 | req.query.format | User-provided value | | tst.js:6:26:6:41 | req.query.format | tst.js:6:26:6:41 | req.query.format | tst.js:6:26:6:41 | req.query.format | $@ flows here and is used in a format string. | tst.js:6:26:6:41 | req.query.format | User-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected index 940a463636d..36d71d9c229 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected +++ b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected @@ -1,43 +1,58 @@ nodes | FileAccessToHttp.js:4:5:4:47 | content | | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | +| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | +| FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | | FileAccessToHttp.js:9:12:9:31 | { Referer: content } | | FileAccessToHttp.js:9:23:9:29 | content | | bufferRead.js:12:13:12:43 | buffer | | bufferRead.js:12:22:12:43 | new Buf ... s.size) | +| bufferRead.js:12:22:12:43 | new Buf ... s.size) | | bufferRead.js:15:15:15:62 | postData | | bufferRead.js:15:26:15:31 | buffer | | bufferRead.js:15:26:15:62 | buffer. ... esRead) | | bufferRead.js:33:21:33:28 | postData | +| bufferRead.js:33:21:33:28 | postData | | googlecompiler.js:7:19:7:28 | codestring | | googlecompiler.js:9:7:15:4 | post_data | | googlecompiler.js:9:19:15:4 | queryst ... dy\\n }) | | googlecompiler.js:9:41:15:3 | {\\n ... ody\\n } | | googlecompiler.js:14:21:14:30 | codestring | | googlecompiler.js:38:18:38:26 | post_data | +| googlecompiler.js:38:18:38:26 | post_data | +| googlecompiler.js:44:54:44:57 | data | | googlecompiler.js:44:54:44:57 | data | | googlecompiler.js:56:14:56:17 | data | | readFileSync.js:5:5:5:39 | data | | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | +| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | | readFileSync.js:7:7:7:25 | s | | readFileSync.js:7:11:7:14 | data | | readFileSync.js:7:11:7:25 | data.toString() | | readFileSync.js:26:18:26:18 | s | +| readFileSync.js:26:18:26:18 | s | | readStreamRead.js:13:13:13:35 | chunk | | readStreamRead.js:13:21:13:35 | readable.read() | +| readStreamRead.js:13:21:13:35 | readable.read() | +| readStreamRead.js:30:19:30:23 | chunk | | readStreamRead.js:30:19:30:23 | chunk | | request.js:6:19:6:26 | jsonData | | request.js:8:11:8:20 | {jsonData} | +| request.js:8:11:8:20 | {jsonData} | | request.js:8:12:8:19 | jsonData | | request.js:13:18:13:24 | xmlData | | request.js:16:11:23:3 | {\\n u ... ody\\n } | +| request.js:16:11:23:3 | {\\n u ... ody\\n } | | request.js:22:11:22:17 | xmlData | | request.js:28:52:28:55 | data | +| request.js:28:52:28:55 | data | | request.js:35:14:35:17 | data | | request.js:43:51:43:54 | data | +| request.js:43:51:43:54 | data | | request.js:50:13:50:16 | data | | sentAsHeaders.js:10:79:10:84 | buffer | +| sentAsHeaders.js:10:79:10:84 | buffer | | sentAsHeaders.js:11:13:11:59 | content | | sentAsHeaders.js:11:23:11:28 | buffer | | sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) | @@ -46,54 +61,63 @@ nodes | sentAsHeaders.js:12:19:12:74 | content ... =", "") | | sentAsHeaders.js:12:19:12:81 | content ... .trim() | | sentAsHeaders.js:14:20:19:9 | {\\n ... } | +| sentAsHeaders.js:14:20:19:9 | {\\n ... } | | sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } | | sentAsHeaders.js:18:31:18:53 | "http:/ ... content | | sentAsHeaders.js:18:47:18:53 | content | | sentAsHeaders.js:20:20:25:9 | {\\n ... } | +| sentAsHeaders.js:20:20:25:9 | {\\n ... } | | sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } | | sentAsHeaders.js:24:31:24:53 | "http:/ ... content | | sentAsHeaders.js:24:47:24:53 | content | edges | FileAccessToHttp.js:4:5:4:47 | content | FileAccessToHttp.js:9:23:9:29 | content | | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:4:5:4:47 | content | +| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:4:5:4:47 | content | +| FileAccessToHttp.js:9:12:9:31 | { Referer: content } | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | | FileAccessToHttp.js:9:12:9:31 | { Referer: content } | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | | FileAccessToHttp.js:9:23:9:29 | content | FileAccessToHttp.js:9:12:9:31 | { Referer: content } | -| bufferRead.js:12:13:12:43 | buffer | bufferRead.js:13:53:13:52 | buffer | | bufferRead.js:12:13:12:43 | buffer | bufferRead.js:15:26:15:31 | buffer | | bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:12:13:12:43 | buffer | -| bufferRead.js:13:53:13:52 | buffer | bufferRead.js:15:26:15:31 | buffer | +| bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:12:13:12:43 | buffer | +| bufferRead.js:15:15:15:62 | postData | bufferRead.js:33:21:33:28 | postData | | bufferRead.js:15:15:15:62 | postData | bufferRead.js:33:21:33:28 | postData | | bufferRead.js:15:26:15:31 | buffer | bufferRead.js:15:26:15:62 | buffer. ... esRead) | | bufferRead.js:15:26:15:62 | buffer. ... esRead) | bufferRead.js:15:15:15:62 | postData | | googlecompiler.js:7:19:7:28 | codestring | googlecompiler.js:14:21:14:30 | codestring | | googlecompiler.js:9:7:15:4 | post_data | googlecompiler.js:38:18:38:26 | post_data | +| googlecompiler.js:9:7:15:4 | post_data | googlecompiler.js:38:18:38:26 | post_data | | googlecompiler.js:9:19:15:4 | queryst ... dy\\n }) | googlecompiler.js:9:7:15:4 | post_data | | googlecompiler.js:9:41:15:3 | {\\n ... ody\\n } | googlecompiler.js:9:19:15:4 | queryst ... dy\\n }) | | googlecompiler.js:14:21:14:30 | codestring | googlecompiler.js:9:41:15:3 | {\\n ... ody\\n } | -| googlecompiler.js:44:54:44:57 | data | googlecompiler.js:55:6:55:9 | data | | googlecompiler.js:44:54:44:57 | data | googlecompiler.js:56:14:56:17 | data | -| googlecompiler.js:55:6:55:9 | data | googlecompiler.js:56:14:56:17 | data | +| googlecompiler.js:44:54:44:57 | data | googlecompiler.js:56:14:56:17 | data | | googlecompiler.js:56:14:56:17 | data | googlecompiler.js:7:19:7:28 | codestring | | readFileSync.js:5:5:5:39 | data | readFileSync.js:7:11:7:14 | data | | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:5:5:5:39 | data | +| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:5:5:5:39 | data | +| readFileSync.js:7:7:7:25 | s | readFileSync.js:26:18:26:18 | s | | readFileSync.js:7:7:7:25 | s | readFileSync.js:26:18:26:18 | s | | readFileSync.js:7:11:7:14 | data | readFileSync.js:7:11:7:25 | data.toString() | | readFileSync.js:7:11:7:25 | data.toString() | readFileSync.js:7:7:7:25 | s | | readStreamRead.js:13:13:13:35 | chunk | readStreamRead.js:30:19:30:23 | chunk | +| readStreamRead.js:13:13:13:35 | chunk | readStreamRead.js:30:19:30:23 | chunk | +| readStreamRead.js:13:21:13:35 | readable.read() | readStreamRead.js:13:13:13:35 | chunk | | readStreamRead.js:13:21:13:35 | readable.read() | readStreamRead.js:13:13:13:35 | chunk | | request.js:6:19:6:26 | jsonData | request.js:8:12:8:19 | jsonData | | request.js:8:12:8:19 | jsonData | request.js:8:11:8:20 | {jsonData} | +| request.js:8:12:8:19 | jsonData | request.js:8:11:8:20 | {jsonData} | | request.js:13:18:13:24 | xmlData | request.js:22:11:22:17 | xmlData | | request.js:22:11:22:17 | xmlData | request.js:16:11:23:3 | {\\n u ... ody\\n } | -| request.js:28:52:28:55 | data | request.js:34:6:34:9 | data | +| request.js:22:11:22:17 | xmlData | request.js:16:11:23:3 | {\\n u ... ody\\n } | +| request.js:28:52:28:55 | data | request.js:35:14:35:17 | data | | request.js:28:52:28:55 | data | request.js:35:14:35:17 | data | -| request.js:34:6:34:9 | data | request.js:35:14:35:17 | data | | request.js:35:14:35:17 | data | request.js:6:19:6:26 | jsonData | -| request.js:43:51:43:54 | data | request.js:49:6:49:9 | data | | request.js:43:51:43:54 | data | request.js:50:13:50:16 | data | -| request.js:49:6:49:9 | data | request.js:50:13:50:16 | data | +| request.js:43:51:43:54 | data | request.js:50:13:50:16 | data | | request.js:50:13:50:16 | data | request.js:13:18:13:24 | xmlData | | sentAsHeaders.js:10:79:10:84 | buffer | sentAsHeaders.js:11:23:11:28 | buffer | +| sentAsHeaders.js:10:79:10:84 | buffer | sentAsHeaders.js:11:23:11:28 | buffer | | sentAsHeaders.js:11:13:11:59 | content | sentAsHeaders.js:12:19:12:25 | content | | sentAsHeaders.js:11:23:11:28 | buffer | sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) | | sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) | sentAsHeaders.js:11:13:11:59 | content | @@ -103,9 +127,11 @@ edges | sentAsHeaders.js:12:19:12:74 | content ... =", "") | sentAsHeaders.js:12:19:12:81 | content ... .trim() | | sentAsHeaders.js:12:19:12:81 | content ... .trim() | sentAsHeaders.js:12:9:12:81 | content | | sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } | sentAsHeaders.js:14:20:19:9 | {\\n ... } | +| sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } | sentAsHeaders.js:14:20:19:9 | {\\n ... } | | sentAsHeaders.js:18:31:18:53 | "http:/ ... content | sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } | | sentAsHeaders.js:18:47:18:53 | content | sentAsHeaders.js:18:31:18:53 | "http:/ ... content | | sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } | sentAsHeaders.js:20:20:25:9 | {\\n ... } | +| sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } | sentAsHeaders.js:20:20:25:9 | {\\n ... } | | sentAsHeaders.js:24:31:24:53 | "http:/ ... content | sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } | | sentAsHeaders.js:24:47:24:53 | content | sentAsHeaders.js:24:31:24:53 | "http:/ ... content | #select diff --git a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.expected b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.expected index d5f76456e25..bb1736fd461 100644 --- a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.expected +++ b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.expected @@ -1,17 +1,34 @@ nodes | PostMessageStar2.js:1:27:1:34 | password | +| PostMessageStar2.js:1:27:1:34 | password | +| PostMessageStar2.js:1:27:1:34 | password | | PostMessageStar2.js:4:7:4:15 | data | | PostMessageStar2.js:4:14:4:15 | {} | | PostMessageStar2.js:5:14:5:21 | password | +| PostMessageStar2.js:5:14:5:21 | password | +| PostMessageStar2.js:8:29:8:32 | data | | PostMessageStar2.js:8:29:8:32 | data | | PostMessageStar2.js:9:29:9:36 | data.foo | +| PostMessageStar2.js:9:29:9:36 | data.foo | +| PostMessageStar2.js:13:27:13:33 | authKey | +| PostMessageStar2.js:13:27:13:33 | authKey | | PostMessageStar2.js:13:27:13:33 | authKey | | PostMessageStar.js:1:27:1:34 | userName | +| PostMessageStar.js:1:27:1:34 | userName | +| PostMessageStar.js:1:27:1:34 | userName | edges +| PostMessageStar2.js:1:27:1:34 | password | PostMessageStar2.js:1:27:1:34 | password | +| PostMessageStar2.js:4:7:4:15 | data | PostMessageStar2.js:8:29:8:32 | data | | PostMessageStar2.js:4:7:4:15 | data | PostMessageStar2.js:8:29:8:32 | data | | PostMessageStar2.js:4:14:4:15 | {} | PostMessageStar2.js:4:7:4:15 | data | | PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:4:14:4:15 | {} | +| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:4:14:4:15 | {} | | PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo | +| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo | +| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo | +| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo | +| PostMessageStar2.js:13:27:13:33 | authKey | PostMessageStar2.js:13:27:13:33 | authKey | +| PostMessageStar.js:1:27:1:34 | userName | PostMessageStar.js:1:27:1:34 | userName | #select | PostMessageStar2.js:1:27:1:34 | password | PostMessageStar2.js:1:27:1:34 | password | PostMessageStar2.js:1:27:1:34 | password | Sensitive data returned from $@ is sent to another window without origin restriction. | PostMessageStar2.js:1:27:1:34 | password | here | | PostMessageStar2.js:8:29:8:32 | data | PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:8:29:8:32 | data | Sensitive data returned from $@ is sent to another window without origin restriction. | PostMessageStar2.js:5:14:5:21 | password | here | diff --git a/javascript/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected b/javascript/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected index e85b168c31e..dfee2aaa859 100644 --- a/javascript/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected +++ b/javascript/ql/test/query-tests/Security/CWE-209/StackTraceExposure.expected @@ -1,21 +1,33 @@ nodes | node.js:8:10:8:12 | err | +| node.js:8:10:8:12 | err | | node.js:11:13:11:15 | err | | node.js:11:13:11:21 | err.stack | +| node.js:11:13:11:21 | err.stack | | tst.js:6:12:6:12 | e | +| tst.js:6:12:6:12 | e | +| tst.js:7:13:7:13 | e | | tst.js:7:13:7:13 | e | | tst.js:8:15:8:15 | e | | tst.js:16:20:16:20 | e | | tst.js:17:11:17:11 | e | | tst.js:17:11:17:17 | e.stack | +| tst.js:17:11:17:17 | e.stack | edges | node.js:8:10:8:12 | err | node.js:11:13:11:15 | err | +| node.js:8:10:8:12 | err | node.js:11:13:11:15 | err | +| node.js:11:13:11:15 | err | node.js:11:13:11:21 | err.stack | | node.js:11:13:11:15 | err | node.js:11:13:11:21 | err.stack | | tst.js:6:12:6:12 | e | tst.js:7:13:7:13 | e | +| tst.js:6:12:6:12 | e | tst.js:7:13:7:13 | e | +| tst.js:6:12:6:12 | e | tst.js:7:13:7:13 | e | +| tst.js:6:12:6:12 | e | tst.js:7:13:7:13 | e | +| tst.js:6:12:6:12 | e | tst.js:8:15:8:15 | e | | tst.js:6:12:6:12 | e | tst.js:8:15:8:15 | e | | tst.js:8:15:8:15 | e | tst.js:16:20:16:20 | e | | tst.js:16:20:16:20 | e | tst.js:17:11:17:11 | e | | tst.js:17:11:17:11 | e | tst.js:17:11:17:17 | e.stack | +| tst.js:17:11:17:11 | e | tst.js:17:11:17:17 | e.stack | #select | node.js:11:13:11:21 | err.stack | node.js:8:10:8:12 | err | node.js:11:13:11:21 | err.stack | Stack trace information from $@ may be exposed to an external user here. | node.js:8:10:8:12 | err | here | | tst.js:7:13:7:13 | e | tst.js:6:12:6:12 | e | tst.js:7:13:7:13 | e | Stack trace information from $@ may be exposed to an external user here. | tst.js:6:12:6:12 | e | here | diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected index e562c22f904..ef07eb2ea18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected +++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected @@ -1,101 +1,227 @@ nodes | passwords.js:2:17:2:24 | password | +| passwords.js:2:17:2:24 | password | +| passwords.js:2:17:2:24 | password | +| passwords.js:3:17:3:26 | o.password | +| passwords.js:3:17:3:26 | o.password | | passwords.js:3:17:3:26 | o.password | | passwords.js:4:17:4:29 | getPassword() | +| passwords.js:4:17:4:29 | getPassword() | +| passwords.js:4:17:4:29 | getPassword() | +| passwords.js:5:17:5:31 | o.getPassword() | +| passwords.js:5:17:5:31 | o.getPassword() | | passwords.js:5:17:5:31 | o.getPassword() | | passwords.js:7:20:7:20 | x | | passwords.js:8:21:8:21 | x | +| passwords.js:8:21:8:21 | x | +| passwords.js:10:11:10:18 | password | | passwords.js:10:11:10:18 | password | | passwords.js:12:18:12:25 | password | +| passwords.js:12:18:12:25 | password | +| passwords.js:12:18:12:25 | password | +| passwords.js:14:17:14:38 | name + ... assword | | passwords.js:14:17:14:38 | name + ... assword | | passwords.js:14:31:14:38 | password | +| passwords.js:14:31:14:38 | password | | passwords.js:16:17:16:38 | `${name ... sword}` | +| passwords.js:16:17:16:38 | `${name ... sword}` | +| passwords.js:16:29:16:36 | password | | passwords.js:16:29:16:36 | password | | passwords.js:18:9:20:5 | obj1 | | passwords.js:18:16:20:5 | {\\n ... x\\n } | +| passwords.js:18:16:20:5 | {\\n ... x\\n } | +| passwords.js:21:17:21:20 | obj1 | | passwords.js:21:17:21:20 | obj1 | | passwords.js:23:9:25:5 | obj2 | | passwords.js:23:16:25:5 | {\\n ... d\\n } | | passwords.js:24:12:24:19 | password | +| passwords.js:24:12:24:19 | password | +| passwords.js:26:17:26:20 | obj2 | | passwords.js:26:17:26:20 | obj2 | | passwords.js:28:9:28:17 | obj3 | | passwords.js:28:16:28:17 | {} | | passwords.js:29:17:29:20 | obj3 | +| passwords.js:29:17:29:20 | obj3 | +| passwords.js:30:14:30:21 | password | | passwords.js:30:14:30:21 | password | | passwords.js:77:37:77:53 | req.body.password | +| passwords.js:77:37:77:53 | req.body.password | +| passwords.js:78:17:78:38 | temp.en ... assword | | passwords.js:78:17:78:38 | temp.en ... assword | | passwords.js:80:9:80:25 | secret | | passwords.js:80:18:80:25 | password | +| passwords.js:80:18:80:25 | password | +| passwords.js:81:17:81:31 | `pw: ${secret}` | | passwords.js:81:17:81:31 | `pw: ${secret}` | | passwords.js:81:24:81:29 | secret | | passwords.js:93:21:93:46 | "Passwo ... assword | +| passwords.js:93:21:93:46 | "Passwo ... assword | +| passwords.js:93:39:93:46 | password | | passwords.js:93:39:93:46 | password | | passwords.js:98:21:98:46 | "Passwo ... assword | +| passwords.js:98:21:98:46 | "Passwo ... assword | +| passwords.js:98:39:98:46 | password | | passwords.js:98:39:98:46 | password | | passwords.js:105:21:105:46 | "Passwo ... assword | +| passwords.js:105:21:105:46 | "Passwo ... assword | +| passwords.js:105:39:105:46 | password | | passwords.js:105:39:105:46 | password | | passwords.js:110:21:110:46 | "Passwo ... assword | +| passwords.js:110:21:110:46 | "Passwo ... assword | +| passwords.js:110:39:110:46 | password | | passwords.js:110:39:110:46 | password | | passwords.js:114:25:114:50 | "Passwo ... assword | +| passwords.js:114:25:114:50 | "Passwo ... assword | +| passwords.js:114:43:114:50 | password | | passwords.js:114:43:114:50 | password | | passwords.js:119:21:119:46 | "Passwo ... assword | +| passwords.js:119:21:119:46 | "Passwo ... assword | +| passwords.js:119:39:119:46 | password | | passwords.js:119:39:119:46 | password | | passwords.js:122:17:122:49 | name + ... tring() | +| passwords.js:122:17:122:49 | name + ... tring() | +| passwords.js:122:31:122:38 | password | | passwords.js:122:31:122:38 | password | | passwords.js:122:31:122:49 | password.toString() | | passwords.js:123:17:123:48 | name + ... lueOf() | +| passwords.js:123:17:123:48 | name + ... lueOf() | +| passwords.js:123:31:123:38 | password | | passwords.js:123:31:123:38 | password | | passwords.js:123:31:123:48 | password.valueOf() | | passwords.js:127:9:132:5 | config | | passwords.js:127:18:132:5 | {\\n ... )\\n } | +| passwords.js:127:18:132:5 | {\\n ... )\\n } | +| passwords.js:130:12:130:19 | password | | passwords.js:130:12:130:19 | password | | passwords.js:131:12:131:24 | getPassword() | +| passwords.js:131:12:131:24 | getPassword() | +| passwords.js:135:17:135:22 | config | | passwords.js:135:17:135:22 | config | | passwords.js:136:17:136:24 | config.x | +| passwords.js:136:17:136:24 | config.x | +| passwords.js:137:17:137:24 | config.y | | passwords.js:137:17:137:24 | config.y | | passwords_in_browser1.js:2:13:2:20 | password | +| passwords_in_browser1.js:2:13:2:20 | password | +| passwords_in_browser1.js:2:13:2:20 | password | +| passwords_in_browser2.js:2:13:2:20 | password | +| passwords_in_browser2.js:2:13:2:20 | password | | passwords_in_browser2.js:2:13:2:20 | password | | passwords_in_server_1.js:6:13:6:20 | password | +| passwords_in_server_1.js:6:13:6:20 | password | +| passwords_in_server_1.js:6:13:6:20 | password | +| passwords_in_server_2.js:3:13:3:20 | password | +| passwords_in_server_2.js:3:13:3:20 | password | | passwords_in_server_2.js:3:13:3:20 | password | | passwords_in_server_3.js:2:13:2:20 | password | +| passwords_in_server_3.js:2:13:2:20 | password | +| passwords_in_server_3.js:2:13:2:20 | password | | passwords_in_server_4.js:2:13:2:20 | password | +| passwords_in_server_4.js:2:13:2:20 | password | +| passwords_in_server_4.js:2:13:2:20 | password | +| passwords_in_server_5.js:4:7:4:24 | req.query.password | | passwords_in_server_5.js:4:7:4:24 | req.query.password | | passwords_in_server_5.js:7:12:7:12 | x | | passwords_in_server_5.js:8:17:8:17 | x | +| passwords_in_server_5.js:8:17:8:17 | x | edges +| passwords.js:2:17:2:24 | password | passwords.js:2:17:2:24 | password | +| passwords.js:3:17:3:26 | o.password | passwords.js:3:17:3:26 | o.password | +| passwords.js:4:17:4:29 | getPassword() | passwords.js:4:17:4:29 | getPassword() | +| passwords.js:5:17:5:31 | o.getPassword() | passwords.js:5:17:5:31 | o.getPassword() | +| passwords.js:7:20:7:20 | x | passwords.js:8:21:8:21 | x | | passwords.js:7:20:7:20 | x | passwords.js:8:21:8:21 | x | | passwords.js:10:11:10:18 | password | passwords.js:7:20:7:20 | x | +| passwords.js:10:11:10:18 | password | passwords.js:7:20:7:20 | x | +| passwords.js:12:18:12:25 | password | passwords.js:12:18:12:25 | password | +| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword | +| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword | +| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword | | passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword | | passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` | +| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` | +| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` | +| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` | +| passwords.js:18:9:20:5 | obj1 | passwords.js:21:17:21:20 | obj1 | | passwords.js:18:9:20:5 | obj1 | passwords.js:21:17:21:20 | obj1 | | passwords.js:18:16:20:5 | {\\n ... x\\n } | passwords.js:18:9:20:5 | obj1 | +| passwords.js:18:16:20:5 | {\\n ... x\\n } | passwords.js:18:9:20:5 | obj1 | +| passwords.js:23:9:25:5 | obj2 | passwords.js:26:17:26:20 | obj2 | | passwords.js:23:9:25:5 | obj2 | passwords.js:26:17:26:20 | obj2 | | passwords.js:23:16:25:5 | {\\n ... d\\n } | passwords.js:23:9:25:5 | obj2 | | passwords.js:24:12:24:19 | password | passwords.js:23:16:25:5 | {\\n ... d\\n } | +| passwords.js:24:12:24:19 | password | passwords.js:23:16:25:5 | {\\n ... d\\n } | +| passwords.js:28:9:28:17 | obj3 | passwords.js:29:17:29:20 | obj3 | | passwords.js:28:9:28:17 | obj3 | passwords.js:29:17:29:20 | obj3 | | passwords.js:28:16:28:17 | {} | passwords.js:28:9:28:17 | obj3 | | passwords.js:30:14:30:21 | password | passwords.js:28:16:28:17 | {} | +| passwords.js:30:14:30:21 | password | passwords.js:28:16:28:17 | {} | +| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword | +| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword | +| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword | | passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword | | passwords.js:80:9:80:25 | secret | passwords.js:81:24:81:29 | secret | | passwords.js:80:18:80:25 | password | passwords.js:80:9:80:25 | secret | +| passwords.js:80:18:80:25 | password | passwords.js:80:9:80:25 | secret | +| passwords.js:81:24:81:29 | secret | passwords.js:81:17:81:31 | `pw: ${secret}` | | passwords.js:81:24:81:29 | secret | passwords.js:81:17:81:31 | `pw: ${secret}` | | passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword | +| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword | +| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword | +| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword | +| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword | +| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword | +| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword | | passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword | | passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword | +| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword | +| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword | +| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword | +| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword | +| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword | +| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword | | passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword | | passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword | +| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword | +| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword | +| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword | +| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword | +| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword | +| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword | | passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword | | passwords.js:122:31:122:38 | password | passwords.js:122:31:122:49 | password.toString() | +| passwords.js:122:31:122:38 | password | passwords.js:122:31:122:49 | password.toString() | +| passwords.js:122:31:122:49 | password.toString() | passwords.js:122:17:122:49 | name + ... tring() | | passwords.js:122:31:122:49 | password.toString() | passwords.js:122:17:122:49 | name + ... tring() | | passwords.js:123:31:123:38 | password | passwords.js:123:31:123:48 | password.valueOf() | +| passwords.js:123:31:123:38 | password | passwords.js:123:31:123:48 | password.valueOf() | +| passwords.js:123:31:123:48 | password.valueOf() | passwords.js:123:17:123:48 | name + ... lueOf() | | passwords.js:123:31:123:48 | password.valueOf() | passwords.js:123:17:123:48 | name + ... lueOf() | | passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config | +| passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config | +| passwords.js:127:18:132:5 | {\\n ... )\\n } | passwords.js:127:9:132:5 | config | | passwords.js:127:18:132:5 | {\\n ... )\\n } | passwords.js:127:9:132:5 | config | | passwords.js:130:12:130:19 | password | passwords.js:127:18:132:5 | {\\n ... )\\n } | +| passwords.js:130:12:130:19 | password | passwords.js:127:18:132:5 | {\\n ... )\\n } | +| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x | +| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x | +| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x | | passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x | | passwords.js:131:12:131:24 | getPassword() | passwords.js:127:18:132:5 | {\\n ... )\\n } | +| passwords.js:131:12:131:24 | getPassword() | passwords.js:127:18:132:5 | {\\n ... )\\n } | | passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y | +| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y | +| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y | +| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y | +| passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password | +| passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password | +| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | +| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | +| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | +| passwords_in_server_4.js:2:13:2:20 | password | passwords_in_server_4.js:2:13:2:20 | password | | passwords_in_server_5.js:4:7:4:24 | req.query.password | passwords_in_server_5.js:7:12:7:12 | x | +| passwords_in_server_5.js:4:7:4:24 | req.query.password | passwords_in_server_5.js:7:12:7:12 | x | +| passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x | | passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x | #select | passwords.js:2:17:2:24 | password | passwords.js:2:17:2:24 | password | passwords.js:2:17:2:24 | password | Sensitive data returned by $@ is logged here. | passwords.js:2:17:2:24 | password | an access to password | diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected index ee327c75a5f..096bcfe6528 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected +++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected @@ -1,25 +1,57 @@ nodes | CleartextStorage2.js:5:7:5:58 | pw | | CleartextStorage2.js:5:12:5:58 | url.par ... assword | +| CleartextStorage2.js:5:12:5:58 | url.par ... assword | +| CleartextStorage2.js:7:19:7:34 | 'password=' + pw | | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | | CleartextStorage2.js:7:33:7:34 | pw | | CleartextStorage.js:5:7:5:40 | pw | | CleartextStorage.js:5:12:5:40 | req.par ... sword") | +| CleartextStorage.js:5:12:5:40 | req.par ... sword") | +| CleartextStorage.js:7:26:7:27 | pw | | CleartextStorage.js:7:26:7:27 | pw | | tst-angularjs.js:3:32:3:45 | data1.password | +| tst-angularjs.js:3:32:3:45 | data1.password | +| tst-angularjs.js:3:32:3:45 | data1.password | +| tst-angularjs.js:4:33:4:46 | data2.password | +| tst-angularjs.js:4:33:4:46 | data2.password | | tst-angularjs.js:4:33:4:46 | data2.password | | tst-angularjs.js:5:27:5:40 | data3.password | +| tst-angularjs.js:5:27:5:40 | data3.password | +| tst-angularjs.js:5:27:5:40 | data3.password | +| tst-angularjs.js:6:33:6:46 | data4.password | +| tst-angularjs.js:6:33:6:46 | data4.password | | tst-angularjs.js:6:33:6:46 | data4.password | | tst-webstorage.js:1:18:1:30 | data.password | +| tst-webstorage.js:1:18:1:30 | data.password | +| tst-webstorage.js:1:18:1:30 | data.password | +| tst-webstorage.js:2:27:2:39 | data.password | +| tst-webstorage.js:2:27:2:39 | data.password | | tst-webstorage.js:2:27:2:39 | data.password | | tst-webstorage.js:3:20:3:32 | data.password | +| tst-webstorage.js:3:20:3:32 | data.password | +| tst-webstorage.js:3:20:3:32 | data.password | +| tst-webstorage.js:4:29:4:41 | data.password | +| tst-webstorage.js:4:29:4:41 | data.password | | tst-webstorage.js:4:29:4:41 | data.password | edges | CleartextStorage2.js:5:7:5:58 | pw | CleartextStorage2.js:7:33:7:34 | pw | | CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:5:7:5:58 | pw | +| CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:5:7:5:58 | pw | +| CleartextStorage2.js:7:33:7:34 | pw | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | | CleartextStorage2.js:7:33:7:34 | pw | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | | CleartextStorage.js:5:7:5:40 | pw | CleartextStorage.js:7:26:7:27 | pw | +| CleartextStorage.js:5:7:5:40 | pw | CleartextStorage.js:7:26:7:27 | pw | | CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:5:7:5:40 | pw | +| CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:5:7:5:40 | pw | +| tst-angularjs.js:3:32:3:45 | data1.password | tst-angularjs.js:3:32:3:45 | data1.password | +| tst-angularjs.js:4:33:4:46 | data2.password | tst-angularjs.js:4:33:4:46 | data2.password | +| tst-angularjs.js:5:27:5:40 | data3.password | tst-angularjs.js:5:27:5:40 | data3.password | +| tst-angularjs.js:6:33:6:46 | data4.password | tst-angularjs.js:6:33:6:46 | data4.password | +| tst-webstorage.js:1:18:1:30 | data.password | tst-webstorage.js:1:18:1:30 | data.password | +| tst-webstorage.js:2:27:2:39 | data.password | tst-webstorage.js:2:27:2:39 | data.password | +| tst-webstorage.js:3:20:3:32 | data.password | tst-webstorage.js:3:20:3:32 | data.password | +| tst-webstorage.js:4:29:4:41 | data.password | tst-webstorage.js:4:29:4:41 | data.password | #select | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | Sensitive data returned by $@ is stored here. | CleartextStorage2.js:5:12:5:58 | url.par ... assword | an access to current_password | | CleartextStorage.js:7:26:7:27 | pw | CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:7:26:7:27 | pw | Sensitive data returned by $@ is stored here. | CleartextStorage.js:5:12:5:40 | req.par ... sword") | a call to param | diff --git a/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected b/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected index a8b7a6f3598..491d6a3aa00 100644 --- a/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected +++ b/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected @@ -1,12 +1,24 @@ nodes | tst.js:3:5:3:24 | secretText | | tst.js:3:18:3:24 | trusted | +| tst.js:3:18:3:24 | trusted | +| tst.js:11:17:11:26 | secretText | +| tst.js:11:17:11:26 | secretText | | tst.js:11:17:11:26 | secretText | | tst.js:17:17:17:25 | o.trusted | +| tst.js:17:17:17:25 | o.trusted | +| tst.js:17:17:17:25 | o.trusted | +| tst.js:19:17:19:24 | password | +| tst.js:19:17:19:24 | password | | tst.js:19:17:19:24 | password | edges | tst.js:3:5:3:24 | secretText | tst.js:11:17:11:26 | secretText | +| tst.js:3:5:3:24 | secretText | tst.js:11:17:11:26 | secretText | | tst.js:3:18:3:24 | trusted | tst.js:3:5:3:24 | secretText | +| tst.js:3:18:3:24 | trusted | tst.js:3:5:3:24 | secretText | +| tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | +| tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | +| tst.js:19:17:19:24 | password | tst.js:19:17:19:24 | password | #select | tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | Sensitive data from $@ is used in a broken or weak cryptographic algorithm. | tst.js:3:18:3:24 | trusted | an access to trusted | | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | Sensitive data from $@ is used in a broken or weak cryptographic algorithm. | tst.js:11:17:11:26 | secretText | an access to secretText | diff --git a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected index 3b4f56f3326..256f0f044be 100644 --- a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected +++ b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected @@ -1,59 +1,120 @@ nodes | tst.js:2:20:2:32 | Math.random() | +| tst.js:2:20:2:32 | Math.random() | +| tst.js:2:20:2:32 | Math.random() | +| tst.js:6:20:6:43 | "prefix ... andom() | | tst.js:6:20:6:43 | "prefix ... andom() | | tst.js:6:31:6:43 | Math.random() | +| tst.js:6:31:6:43 | Math.random() | +| tst.js:10:20:10:32 | Math.random() | +| tst.js:10:20:10:32 | Math.random() | | tst.js:10:20:10:32 | Math.random() | | tst.js:19:9:19:36 | suffix | | tst.js:19:18:19:30 | Math.random() | +| tst.js:19:18:19:30 | Math.random() | | tst.js:19:18:19:36 | Math.random() % 255 | | tst.js:20:20:20:36 | "prefix" + suffix | +| tst.js:20:20:20:36 | "prefix" + suffix | | tst.js:20:31:20:36 | suffix | | tst.js:28:9:28:26 | pw | | tst.js:28:14:28:26 | Math.random() | +| tst.js:28:14:28:26 | Math.random() | +| tst.js:29:20:29:21 | pw | | tst.js:29:20:29:21 | pw | | tst.js:41:20:41:33 | !Math.random() | +| tst.js:41:20:41:33 | !Math.random() | +| tst.js:41:21:41:33 | Math.random() | | tst.js:41:21:41:33 | Math.random() | | tst.js:45:18:45:30 | Math.random() | +| tst.js:45:18:45:30 | Math.random() | +| tst.js:45:18:45:30 | Math.random() | +| tst.js:50:16:50:28 | Math.random() | +| tst.js:50:16:50:28 | Math.random() | | tst.js:50:16:50:28 | Math.random() | | tst.js:55:17:55:29 | Math.random() | +| tst.js:55:17:55:29 | Math.random() | +| tst.js:55:17:55:29 | Math.random() | +| tst.js:61:17:61:34 | '' + Math.random() | | tst.js:61:17:61:34 | '' + Math.random() | | tst.js:61:22:61:34 | Math.random() | +| tst.js:61:22:61:34 | Math.random() | | tst.js:66:18:66:42 | Math.fl ... ndom()) | +| tst.js:66:18:66:42 | Math.fl ... ndom()) | +| tst.js:66:29:66:41 | Math.random() | | tst.js:66:29:66:41 | Math.random() | | tst.js:71:9:71:48 | rand | | tst.js:71:16:71:48 | Math.fl ... 999999) | | tst.js:71:27:71:39 | Math.random() | +| tst.js:71:27:71:39 | Math.random() | | tst.js:71:27:71:47 | Math.ra ... 9999999 | | tst.js:72:9:72:48 | concat | | tst.js:72:18:72:48 | ts.toSt ... tring() | | tst.js:72:34:72:37 | rand | | tst.js:72:34:72:48 | rand.toString() | | tst.js:73:23:73:28 | concat | +| tst.js:73:23:73:28 | concat | +| tst.js:77:16:77:21 | secret | | tst.js:77:16:77:21 | secret | | tst.js:80:7:80:19 | Math.random() | +| tst.js:80:7:80:19 | Math.random() | +| tst.js:84:19:84:31 | Math.random() | +| tst.js:84:19:84:31 | Math.random() | | tst.js:84:19:84:31 | Math.random() | | tst.js:90:32:90:44 | Math.random() | +| tst.js:90:32:90:44 | Math.random() | +| tst.js:90:32:90:44 | Math.random() | +| tst.js:95:33:95:45 | Math.random() | +| tst.js:95:33:95:45 | Math.random() | | tst.js:95:33:95:45 | Math.random() | edges +| tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | +| tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | +| tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | +| tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | +| tst.js:10:20:10:32 | Math.random() | tst.js:10:20:10:32 | Math.random() | | tst.js:19:9:19:36 | suffix | tst.js:20:31:20:36 | suffix | | tst.js:19:18:19:30 | Math.random() | tst.js:19:18:19:36 | Math.random() % 255 | +| tst.js:19:18:19:30 | Math.random() | tst.js:19:18:19:36 | Math.random() % 255 | | tst.js:19:18:19:36 | Math.random() % 255 | tst.js:19:9:19:36 | suffix | | tst.js:20:31:20:36 | suffix | tst.js:20:20:20:36 | "prefix" + suffix | +| tst.js:20:31:20:36 | suffix | tst.js:20:20:20:36 | "prefix" + suffix | +| tst.js:28:9:28:26 | pw | tst.js:29:20:29:21 | pw | | tst.js:28:9:28:26 | pw | tst.js:29:20:29:21 | pw | | tst.js:28:14:28:26 | Math.random() | tst.js:28:9:28:26 | pw | +| tst.js:28:14:28:26 | Math.random() | tst.js:28:9:28:26 | pw | | tst.js:41:21:41:33 | Math.random() | tst.js:41:20:41:33 | !Math.random() | +| tst.js:41:21:41:33 | Math.random() | tst.js:41:20:41:33 | !Math.random() | +| tst.js:41:21:41:33 | Math.random() | tst.js:41:20:41:33 | !Math.random() | +| tst.js:41:21:41:33 | Math.random() | tst.js:41:20:41:33 | !Math.random() | +| tst.js:45:18:45:30 | Math.random() | tst.js:45:18:45:30 | Math.random() | +| tst.js:50:16:50:28 | Math.random() | tst.js:50:16:50:28 | Math.random() | +| tst.js:55:17:55:29 | Math.random() | tst.js:55:17:55:29 | Math.random() | | tst.js:61:22:61:34 | Math.random() | tst.js:61:17:61:34 | '' + Math.random() | +| tst.js:61:22:61:34 | Math.random() | tst.js:61:17:61:34 | '' + Math.random() | +| tst.js:61:22:61:34 | Math.random() | tst.js:61:17:61:34 | '' + Math.random() | +| tst.js:61:22:61:34 | Math.random() | tst.js:61:17:61:34 | '' + Math.random() | +| tst.js:66:29:66:41 | Math.random() | tst.js:66:18:66:42 | Math.fl ... ndom()) | +| tst.js:66:29:66:41 | Math.random() | tst.js:66:18:66:42 | Math.fl ... ndom()) | +| tst.js:66:29:66:41 | Math.random() | tst.js:66:18:66:42 | Math.fl ... ndom()) | | tst.js:66:29:66:41 | Math.random() | tst.js:66:18:66:42 | Math.fl ... ndom()) | | tst.js:71:9:71:48 | rand | tst.js:72:34:72:37 | rand | | tst.js:71:16:71:48 | Math.fl ... 999999) | tst.js:71:9:71:48 | rand | | tst.js:71:27:71:39 | Math.random() | tst.js:71:27:71:47 | Math.ra ... 9999999 | +| tst.js:71:27:71:39 | Math.random() | tst.js:71:27:71:47 | Math.ra ... 9999999 | | tst.js:71:27:71:47 | Math.ra ... 9999999 | tst.js:71:16:71:48 | Math.fl ... 999999) | | tst.js:72:9:72:48 | concat | tst.js:73:23:73:28 | concat | +| tst.js:72:9:72:48 | concat | tst.js:73:23:73:28 | concat | | tst.js:72:18:72:48 | ts.toSt ... tring() | tst.js:72:9:72:48 | concat | | tst.js:72:34:72:37 | rand | tst.js:72:34:72:48 | rand.toString() | | tst.js:72:34:72:48 | rand.toString() | tst.js:72:18:72:48 | ts.toSt ... tring() | | tst.js:80:7:80:19 | Math.random() | tst.js:77:16:77:21 | secret | +| tst.js:80:7:80:19 | Math.random() | tst.js:77:16:77:21 | secret | +| tst.js:80:7:80:19 | Math.random() | tst.js:77:16:77:21 | secret | +| tst.js:80:7:80:19 | Math.random() | tst.js:77:16:77:21 | secret | +| tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() | +| tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() | +| tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() | #select | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:2:20:2:32 | Math.random() | random value | | tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure $@ in a security context. | tst.js:6:31:6:43 | Math.random() | random value | diff --git a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected index e1c2b876501..22058065dfc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected +++ b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected @@ -4,15 +4,25 @@ nodes | tst.js:12:18:12:47 | url.par ... ).query | | tst.js:12:18:12:54 | url.par ... .origin | | tst.js:12:28:12:34 | req.url | +| tst.js:12:28:12:34 | req.url | +| tst.js:13:50:13:55 | origin | | tst.js:13:50:13:55 | origin | | tst.js:18:50:18:53 | null | +| tst.js:18:50:18:53 | null | +| tst.js:18:50:18:53 | null | +| tst.js:23:50:23:55 | "null" | +| tst.js:23:50:23:55 | "null" | | tst.js:23:50:23:55 | "null" | edges | tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin | +| tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin | | tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:18:12:47 | url.par ... ).query | | tst.js:12:18:12:47 | url.par ... ).query | tst.js:12:18:12:54 | url.par ... .origin | | tst.js:12:18:12:54 | url.par ... .origin | tst.js:12:9:12:54 | origin | | tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) | +| tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) | +| tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | +| tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" | #select | tst.js:13:50:13:55 | origin | tst.js:12:28:12:34 | req.url | tst.js:13:50:13:55 | origin | $@ leak vulnerability due to $@. | tst.js:14:5:14:59 | res.set ... , true) | Credential | tst.js:12:28:12:34 | req.url | a misconfigured CORS header value | | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | $@ leak vulnerability due to $@. | tst.js:19:5:19:59 | res.set ... , true) | Credential | tst.js:18:50:18:53 | null | a misconfigured CORS header value | diff --git a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected index 3151701d190..8200ed7876d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected +++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected @@ -1,20 +1,36 @@ nodes | angularmerge.js:1:30:1:34 | event | +| angularmerge.js:1:30:1:34 | event | +| angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | | angularmerge.js:2:32:2:36 | event | | angularmerge.js:2:32:2:41 | event.data | | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | +| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | +| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | +| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | +| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | +| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | +| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | edges | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event | +| angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event | | angularmerge.js:2:32:2:36 | event | angularmerge.js:2:32:2:41 | event.data | | angularmerge.js:2:32:2:41 | event.data | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | +| angularmerge.js:2:32:2:41 | event.data | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | +| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | +| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | +| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | +| src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | +| src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | +| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | #select | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a user-controlled value from $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | here | angularmerge.js:2:3:2:43 | angular ... .data)) | angular | diff --git a/javascript/ql/test/query-tests/Security/CWE-400/RemotePropertyInjection.expected b/javascript/ql/test/query-tests/Security/CWE-400/RemotePropertyInjection.expected index 1c61836da65..4eecfb2b0ee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/RemotePropertyInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-400/RemotePropertyInjection.expected @@ -2,21 +2,35 @@ nodes | tst.js:8:6:8:52 | prop | | tst.js:8:13:8:52 | myCoolL ... rolled) | | tst.js:8:28:8:51 | req.que ... trolled | +| tst.js:8:28:8:51 | req.que ... trolled | +| tst.js:9:8:9:11 | prop | | tst.js:9:8:9:11 | prop | | tst.js:13:15:13:18 | prop | +| tst.js:13:15:13:18 | prop | | tst.js:14:31:14:34 | prop | +| tst.js:14:31:14:34 | prop | +| tst.js:16:10:16:13 | prop | | tst.js:16:10:16:13 | prop | | tstNonExpr.js:5:7:5:23 | userVal | | tstNonExpr.js:5:17:5:23 | req.url | +| tstNonExpr.js:5:17:5:23 | req.url | +| tstNonExpr.js:8:17:8:23 | userVal | | tstNonExpr.js:8:17:8:23 | userVal | edges | tst.js:8:6:8:52 | prop | tst.js:9:8:9:11 | prop | +| tst.js:8:6:8:52 | prop | tst.js:9:8:9:11 | prop | +| tst.js:8:6:8:52 | prop | tst.js:13:15:13:18 | prop | | tst.js:8:6:8:52 | prop | tst.js:13:15:13:18 | prop | | tst.js:8:6:8:52 | prop | tst.js:14:31:14:34 | prop | +| tst.js:8:6:8:52 | prop | tst.js:14:31:14:34 | prop | +| tst.js:8:6:8:52 | prop | tst.js:16:10:16:13 | prop | | tst.js:8:6:8:52 | prop | tst.js:16:10:16:13 | prop | | tst.js:8:13:8:52 | myCoolL ... rolled) | tst.js:8:6:8:52 | prop | | tst.js:8:28:8:51 | req.que ... trolled | tst.js:8:13:8:52 | myCoolL ... rolled) | +| tst.js:8:28:8:51 | req.que ... trolled | tst.js:8:13:8:52 | myCoolL ... rolled) | | tstNonExpr.js:5:7:5:23 | userVal | tstNonExpr.js:8:17:8:23 | userVal | +| tstNonExpr.js:5:7:5:23 | userVal | tstNonExpr.js:8:17:8:23 | userVal | +| tstNonExpr.js:5:17:5:23 | req.url | tstNonExpr.js:5:7:5:23 | userVal | | tstNonExpr.js:5:17:5:23 | req.url | tstNonExpr.js:5:7:5:23 | userVal | #select | tst.js:9:8:9:11 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:9:8:9:11 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected b/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected index d898f17eb60..9e405b7a8d4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected +++ b/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected @@ -1,9 +1,21 @@ nodes | tst.js:7:22:7:36 | req.params.data | +| tst.js:7:22:7:36 | req.params.data | +| tst.js:7:22:7:36 | req.params.data | +| tst.js:8:25:8:39 | req.params.data | +| tst.js:8:25:8:39 | req.params.data | | tst.js:8:25:8:39 | req.params.data | | tst.js:12:26:12:40 | req.params.data | +| tst.js:12:26:12:40 | req.params.data | +| tst.js:12:26:12:40 | req.params.data | +| tst.js:13:29:13:43 | req.params.data | +| tst.js:13:29:13:43 | req.params.data | | tst.js:13:29:13:43 | req.params.data | edges +| tst.js:7:22:7:36 | req.params.data | tst.js:7:22:7:36 | req.params.data | +| tst.js:8:25:8:39 | req.params.data | tst.js:8:25:8:39 | req.params.data | +| tst.js:12:26:12:40 | req.params.data | tst.js:12:26:12:40 | req.params.data | +| tst.js:13:29:13:43 | req.params.data | tst.js:13:29:13:43 | req.params.data | #select | tst.js:7:22:7:36 | req.params.data | tst.js:7:22:7:36 | req.params.data | tst.js:7:22:7:36 | req.params.data | Unsafe deserialization of $@. | tst.js:7:22:7:36 | req.params.data | user input | | tst.js:8:25:8:39 | req.params.data | tst.js:8:25:8:39 | req.params.data | tst.js:8:25:8:39 | req.params.data | Unsafe deserialization of $@. | tst.js:8:25:8:39 | req.params.data | user input | diff --git a/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected b/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected index 2c244ed4bde..9fa00a26d25 100644 --- a/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected +++ b/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected @@ -1,26 +1,44 @@ nodes | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | +| event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | +| event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | | event-stream.js:9:11:9:37 | e("2e2f ... 17461") | +| event-stream.js:9:11:9:37 | e("2e2f ... 17461") | +| event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | | tst.js:1:5:1:88 | totallyHarmlessString | | tst.js:1:29:1:88 | '636f6e ... 6e2729' | +| tst.js:1:29:1:88 | '636f6e ... 6e2729' | | tst.js:2:6:2:46 | Buffer. ... 'hex') | | tst.js:2:6:2:57 | Buffer. ... tring() | +| tst.js:2:6:2:57 | Buffer. ... tring() | | tst.js:2:18:2:38 | totally ... sString | | tst.js:5:5:5:23 | test | | tst.js:5:12:5:23 | "0123456789" | +| tst.js:5:12:5:23 | "0123456789" | | tst.js:7:8:7:11 | test | | tst.js:7:8:7:15 | test+"n" | +| tst.js:7:8:7:15 | test+"n" | edges | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | +| event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | +| event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | +| event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | +| event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") | +| event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") | +| event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") | | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") | | tst.js:1:5:1:88 | totallyHarmlessString | tst.js:2:18:2:38 | totally ... sString | | tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:1:5:1:88 | totallyHarmlessString | +| tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:1:5:1:88 | totallyHarmlessString | +| tst.js:2:6:2:46 | Buffer. ... 'hex') | tst.js:2:6:2:57 | Buffer. ... tring() | | tst.js:2:6:2:46 | Buffer. ... 'hex') | tst.js:2:6:2:57 | Buffer. ... tring() | | tst.js:2:18:2:38 | totally ... sString | tst.js:2:6:2:46 | Buffer. ... 'hex') | | tst.js:5:5:5:23 | test | tst.js:7:8:7:11 | test | | tst.js:5:12:5:23 | "0123456789" | tst.js:5:5:5:23 | test | +| tst.js:5:12:5:23 | "0123456789" | tst.js:5:5:5:23 | test | +| tst.js:7:8:7:11 | test | tst.js:7:8:7:15 | test+"n" | | tst.js:7:8:7:11 | test | tst.js:7:8:7:15 | test+"n" | #select | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | Hard-coded data from $@ is interpreted as an import path. | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | here | diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected index 29e1740021e..85eda636b0e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected +++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected @@ -3,43 +3,68 @@ nodes | tst2.js:2:7:2:33 | href | | tst2.js:2:14:2:28 | window.location | | tst2.js:2:14:2:28 | window.location | +| tst2.js:2:14:2:28 | window.location | | tst2.js:2:14:2:33 | window.location.href | | tst2.js:2:14:2:33 | window.location.href | | tst2.js:4:21:4:24 | href | | tst2.js:4:21:4:24 | href | | tst2.js:4:21:4:55 | href.su ... '?')+1) | +| tst2.js:4:21:4:55 | href.su ... '?')+1) | | tst6.js:2:7:2:45 | redirect | | tst6.js:2:18:2:45 | $locati ... irect') | +| tst6.js:2:18:2:45 | $locati ... irect') | +| tst6.js:4:21:4:28 | redirect | | tst6.js:4:21:4:28 | redirect | | tst6.js:6:17:6:24 | redirect | +| tst6.js:6:17:6:24 | redirect | +| tst6.js:8:21:8:48 | $locati ... irect') | | tst6.js:8:21:8:48 | $locati ... irect') | | tst6.js:8:21:8:56 | $locati ... + "foo" | +| tst6.js:8:21:8:56 | $locati ... + "foo" | +| tst7.js:2:12:2:28 | document.location | | tst7.js:2:12:2:28 | document.location | | tst7.js:2:12:2:35 | documen ... .search | +| tst7.js:2:12:2:35 | documen ... .search | +| tst7.js:5:27:5:43 | document.location | | tst7.js:5:27:5:43 | document.location | | tst7.js:5:27:5:50 | documen ... .search | +| tst7.js:5:27:5:50 | documen ... .search | +| tst9.js:2:21:2:37 | document.location | | tst9.js:2:21:2:37 | document.location | | tst9.js:2:21:2:37 | document.location | | tst9.js:2:21:2:42 | documen ... on.hash | | tst9.js:2:21:2:55 | documen ... ring(1) | +| tst9.js:2:21:2:55 | documen ... ring(1) | | tst10.js:5:17:5:46 | '/' + d ... .search | +| tst10.js:5:17:5:46 | '/' + d ... .search | +| tst10.js:5:23:5:39 | document.location | | tst10.js:5:23:5:39 | document.location | | tst10.js:5:23:5:46 | documen ... .search | | tst10.js:8:17:8:47 | '//' + ... .search | +| tst10.js:8:17:8:47 | '//' + ... .search | +| tst10.js:8:24:8:40 | document.location | | tst10.js:8:24:8:40 | document.location | | tst10.js:8:24:8:47 | documen ... .search | | tst10.js:11:17:11:50 | '//foo' ... .search | +| tst10.js:11:17:11:50 | '//foo' ... .search | +| tst10.js:11:27:11:43 | document.location | | tst10.js:11:27:11:43 | document.location | | tst10.js:11:27:11:50 | documen ... .search | | tst10.js:14:17:14:56 | 'https: ... .search | +| tst10.js:14:17:14:56 | 'https: ... .search | +| tst10.js:14:33:14:49 | document.location | | tst10.js:14:33:14:49 | document.location | | tst10.js:14:33:14:56 | documen ... .search | | tst.js:2:19:2:69 | /.*redi ... n.href) | | tst.js:2:19:2:72 | /.*redi ... ref)[1] | +| tst.js:2:19:2:72 | /.*redi ... ref)[1] | +| tst.js:2:47:2:63 | document.location | | tst.js:2:47:2:63 | document.location | | tst.js:2:47:2:68 | documen ... on.href | | tst.js:6:20:6:56 | indirec ... n.href) | | tst.js:6:20:6:59 | indirec ... ref)[1] | +| tst.js:6:20:6:59 | indirec ... ref)[1] | +| tst.js:6:34:6:50 | document.location | | tst.js:6:34:6:50 | document.location | | tst.js:6:34:6:55 | documen ... on.href | edges @@ -47,33 +72,62 @@ edges | tst2.js:2:7:2:33 | href | tst2.js:4:21:4:24 | href | | tst2.js:2:14:2:28 | window.location | tst2.js:2:14:2:33 | window.location.href | | tst2.js:2:14:2:28 | window.location | tst2.js:2:14:2:33 | window.location.href | +| tst2.js:2:14:2:28 | window.location | tst2.js:2:14:2:33 | window.location.href | | tst2.js:2:14:2:33 | window.location.href | tst2.js:2:7:2:33 | href | | tst2.js:2:14:2:33 | window.location.href | tst2.js:2:7:2:33 | href | | tst2.js:4:21:4:24 | href | tst2.js:4:21:4:55 | href.su ... '?')+1) | | tst2.js:4:21:4:24 | href | tst2.js:4:21:4:55 | href.su ... '?')+1) | +| tst2.js:4:21:4:24 | href | tst2.js:4:21:4:55 | href.su ... '?')+1) | +| tst2.js:4:21:4:24 | href | tst2.js:4:21:4:55 | href.su ... '?')+1) | | tst2.js:4:21:4:55 | href.su ... '?')+1) | tst2.js:2:14:2:28 | window.location | | tst6.js:2:7:2:45 | redirect | tst6.js:4:21:4:28 | redirect | +| tst6.js:2:7:2:45 | redirect | tst6.js:4:21:4:28 | redirect | +| tst6.js:2:7:2:45 | redirect | tst6.js:6:17:6:24 | redirect | | tst6.js:2:7:2:45 | redirect | tst6.js:6:17:6:24 | redirect | | tst6.js:2:18:2:45 | $locati ... irect') | tst6.js:2:7:2:45 | redirect | +| tst6.js:2:18:2:45 | $locati ... irect') | tst6.js:2:7:2:45 | redirect | +| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" | +| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" | +| tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" | | tst6.js:8:21:8:48 | $locati ... irect') | tst6.js:8:21:8:56 | $locati ... + "foo" | | tst7.js:2:12:2:28 | document.location | tst7.js:2:12:2:35 | documen ... .search | +| tst7.js:2:12:2:28 | document.location | tst7.js:2:12:2:35 | documen ... .search | +| tst7.js:2:12:2:28 | document.location | tst7.js:2:12:2:35 | documen ... .search | +| tst7.js:2:12:2:28 | document.location | tst7.js:2:12:2:35 | documen ... .search | +| tst7.js:5:27:5:43 | document.location | tst7.js:5:27:5:50 | documen ... .search | +| tst7.js:5:27:5:43 | document.location | tst7.js:5:27:5:50 | documen ... .search | +| tst7.js:5:27:5:43 | document.location | tst7.js:5:27:5:50 | documen ... .search | | tst7.js:5:27:5:43 | document.location | tst7.js:5:27:5:50 | documen ... .search | | tst9.js:2:21:2:37 | document.location | tst9.js:2:21:2:42 | documen ... on.hash | | tst9.js:2:21:2:37 | document.location | tst9.js:2:21:2:42 | documen ... on.hash | +| tst9.js:2:21:2:37 | document.location | tst9.js:2:21:2:42 | documen ... on.hash | +| tst9.js:2:21:2:42 | documen ... on.hash | tst9.js:2:21:2:55 | documen ... ring(1) | | tst9.js:2:21:2:42 | documen ... on.hash | tst9.js:2:21:2:55 | documen ... ring(1) | | tst9.js:2:21:2:55 | documen ... ring(1) | tst9.js:2:21:2:37 | document.location | | tst10.js:5:23:5:39 | document.location | tst10.js:5:23:5:46 | documen ... .search | +| tst10.js:5:23:5:39 | document.location | tst10.js:5:23:5:46 | documen ... .search | +| tst10.js:5:23:5:46 | documen ... .search | tst10.js:5:17:5:46 | '/' + d ... .search | | tst10.js:5:23:5:46 | documen ... .search | tst10.js:5:17:5:46 | '/' + d ... .search | | tst10.js:8:24:8:40 | document.location | tst10.js:8:24:8:47 | documen ... .search | +| tst10.js:8:24:8:40 | document.location | tst10.js:8:24:8:47 | documen ... .search | +| tst10.js:8:24:8:47 | documen ... .search | tst10.js:8:17:8:47 | '//' + ... .search | | tst10.js:8:24:8:47 | documen ... .search | tst10.js:8:17:8:47 | '//' + ... .search | | tst10.js:11:27:11:43 | document.location | tst10.js:11:27:11:50 | documen ... .search | +| tst10.js:11:27:11:43 | document.location | tst10.js:11:27:11:50 | documen ... .search | +| tst10.js:11:27:11:50 | documen ... .search | tst10.js:11:17:11:50 | '//foo' ... .search | | tst10.js:11:27:11:50 | documen ... .search | tst10.js:11:17:11:50 | '//foo' ... .search | | tst10.js:14:33:14:49 | document.location | tst10.js:14:33:14:56 | documen ... .search | +| tst10.js:14:33:14:49 | document.location | tst10.js:14:33:14:56 | documen ... .search | +| tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search | | tst10.js:14:33:14:56 | documen ... .search | tst10.js:14:17:14:56 | 'https: ... .search | | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] | +| tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] | +| tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href | | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href | | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:69 | /.*redi ... n.href) | | tst.js:6:20:6:56 | indirec ... n.href) | tst.js:6:20:6:59 | indirec ... ref)[1] | +| tst.js:6:20:6:56 | indirec ... n.href) | tst.js:6:20:6:59 | indirec ... ref)[1] | +| tst.js:6:34:6:50 | document.location | tst.js:6:34:6:55 | documen ... on.href | | tst.js:6:34:6:50 | document.location | tst.js:6:34:6:55 | documen ... on.href | | tst.js:6:34:6:55 | documen ... on.href | tst.js:6:20:6:56 | indirec ... n.href) | #select diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected index 158aa410f19..5e92ab22c9f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected +++ b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected @@ -1,44 +1,74 @@ nodes | express.js:7:16:7:34 | req.param("target") | +| express.js:7:16:7:34 | req.param("target") | +| express.js:7:16:7:34 | req.param("target") | +| express.js:12:26:12:44 | req.param("target") | +| express.js:12:26:12:44 | req.param("target") | | express.js:12:26:12:44 | req.param("target") | | express.js:27:7:27:34 | target | | express.js:27:16:27:34 | req.param("target") | +| express.js:27:16:27:34 | req.param("target") | +| express.js:33:18:33:23 | target | | express.js:33:18:33:23 | target | | express.js:35:16:35:21 | target | +| express.js:35:16:35:21 | target | +| express.js:40:16:40:108 | (req.pa ... ntacts" | | express.js:40:16:40:108 | (req.pa ... ntacts" | | express.js:40:69:40:87 | req.param('action') | +| express.js:40:69:40:87 | req.param('action') | | express.js:74:16:74:43 | `${req. ... )}/foo` | +| express.js:74:16:74:43 | `${req. ... )}/foo` | +| express.js:74:19:74:37 | req.param("target") | | express.js:74:19:74:37 | req.param("target") | | express.js:83:7:83:34 | target | | express.js:83:16:83:34 | req.param("target") | +| express.js:83:16:83:34 | req.param("target") | | express.js:90:18:90:23 | target | +| express.js:90:18:90:23 | target | +| express.js:97:16:97:21 | target | | express.js:97:16:97:21 | target | | express.js:118:16:118:63 | [req.qu ... ection] | | express.js:118:16:118:72 | [req.qu ... oin('') | +| express.js:118:16:118:72 | [req.qu ... oin('') | +| express.js:118:17:118:30 | req.query.page | | express.js:118:17:118:30 | req.query.page | | express.js:134:16:134:36 | '/' + r ... ms.user | +| express.js:134:16:134:36 | '/' + r ... ms.user | +| express.js:134:22:134:36 | req.params.user | | express.js:134:22:134:36 | req.params.user | | express.js:135:16:135:37 | '//' + ... ms.user | +| express.js:135:16:135:37 | '//' + ... ms.user | +| express.js:135:23:135:37 | req.params.user | | express.js:135:23:135:37 | req.params.user | | express.js:136:16:136:36 | 'u' + r ... ms.user | +| express.js:136:16:136:36 | 'u' + r ... ms.user | +| express.js:136:22:136:36 | req.params.user | | express.js:136:22:136:36 | req.params.user | | koa.js:6:6:6:27 | url | | koa.js:6:12:6:27 | ctx.query.target | +| koa.js:6:12:6:27 | ctx.query.target | +| koa.js:7:15:7:17 | url | | koa.js:7:15:7:17 | url | | koa.js:8:15:8:26 | `${url}${x}` | +| koa.js:8:15:8:26 | `${url}${x}` | | koa.js:8:18:8:20 | url | | koa.js:14:16:14:18 | url | +| koa.js:14:16:14:18 | url | | node.js:6:7:6:52 | target | | node.js:6:16:6:39 | url.par ... , true) | | node.js:6:16:6:45 | url.par ... ).query | | node.js:6:16:6:52 | url.par ... .target | | node.js:6:26:6:32 | req.url | +| node.js:6:26:6:32 | req.url | +| node.js:7:34:7:39 | target | | node.js:7:34:7:39 | target | | node.js:11:7:11:52 | target | | node.js:11:16:11:39 | url.par ... , true) | | node.js:11:16:11:45 | url.par ... ).query | | node.js:11:16:11:52 | url.par ... .target | | node.js:11:26:11:32 | req.url | +| node.js:11:26:11:32 | req.url | +| node.js:15:34:15:45 | '/' + target | | node.js:15:34:15:45 | '/' + target | | node.js:15:40:15:45 | target | | node.js:29:7:29:52 | target | @@ -46,65 +76,93 @@ nodes | node.js:29:16:29:45 | url.par ... ).query | | node.js:29:16:29:52 | url.par ... .target | | node.js:29:26:29:32 | req.url | +| node.js:29:26:29:32 | req.url | | node.js:32:34:32:39 | target | | node.js:32:34:32:55 | target ... =" + me | +| node.js:32:34:32:55 | target ... =" + me | | react-native.js:7:7:7:33 | tainted | | react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:7:17:7:33 | req.param("code") | +| react-native.js:8:17:8:23 | tainted | | react-native.js:8:17:8:23 | tainted | | react-native.js:9:26:9:32 | tainted | +| react-native.js:9:26:9:32 | tainted | edges +| express.js:7:16:7:34 | req.param("target") | express.js:7:16:7:34 | req.param("target") | +| express.js:12:26:12:44 | req.param("target") | express.js:12:26:12:44 | req.param("target") | +| express.js:27:7:27:34 | target | express.js:33:18:33:23 | target | | express.js:27:7:27:34 | target | express.js:33:18:33:23 | target | | express.js:27:7:27:34 | target | express.js:35:16:35:21 | target | +| express.js:27:7:27:34 | target | express.js:35:16:35:21 | target | +| express.js:27:16:27:34 | req.param("target") | express.js:27:7:27:34 | target | | express.js:27:16:27:34 | req.param("target") | express.js:27:7:27:34 | target | | express.js:40:69:40:87 | req.param('action') | express.js:40:16:40:108 | (req.pa ... ntacts" | +| express.js:40:69:40:87 | req.param('action') | express.js:40:16:40:108 | (req.pa ... ntacts" | +| express.js:40:69:40:87 | req.param('action') | express.js:40:16:40:108 | (req.pa ... ntacts" | +| express.js:40:69:40:87 | req.param('action') | express.js:40:16:40:108 | (req.pa ... ntacts" | +| express.js:74:19:74:37 | req.param("target") | express.js:74:16:74:43 | `${req. ... )}/foo` | +| express.js:74:19:74:37 | req.param("target") | express.js:74:16:74:43 | `${req. ... )}/foo` | +| express.js:74:19:74:37 | req.param("target") | express.js:74:16:74:43 | `${req. ... )}/foo` | | express.js:74:19:74:37 | req.param("target") | express.js:74:16:74:43 | `${req. ... )}/foo` | | express.js:83:7:83:34 | target | express.js:90:18:90:23 | target | +| express.js:83:7:83:34 | target | express.js:90:18:90:23 | target | +| express.js:83:7:83:34 | target | express.js:97:16:97:21 | target | | express.js:83:7:83:34 | target | express.js:97:16:97:21 | target | | express.js:83:16:83:34 | req.param("target") | express.js:83:7:83:34 | target | +| express.js:83:16:83:34 | req.param("target") | express.js:83:7:83:34 | target | +| express.js:118:16:118:63 | [req.qu ... ection] | express.js:118:16:118:72 | [req.qu ... oin('') | | express.js:118:16:118:63 | [req.qu ... ection] | express.js:118:16:118:72 | [req.qu ... oin('') | | express.js:118:17:118:30 | req.query.page | express.js:118:16:118:63 | [req.qu ... ection] | +| express.js:118:17:118:30 | req.query.page | express.js:118:16:118:63 | [req.qu ... ection] | +| express.js:134:22:134:36 | req.params.user | express.js:134:16:134:36 | '/' + r ... ms.user | +| express.js:134:22:134:36 | req.params.user | express.js:134:16:134:36 | '/' + r ... ms.user | +| express.js:134:22:134:36 | req.params.user | express.js:134:16:134:36 | '/' + r ... ms.user | | express.js:134:22:134:36 | req.params.user | express.js:134:16:134:36 | '/' + r ... ms.user | | express.js:135:23:135:37 | req.params.user | express.js:135:16:135:37 | '//' + ... ms.user | +| express.js:135:23:135:37 | req.params.user | express.js:135:16:135:37 | '//' + ... ms.user | +| express.js:135:23:135:37 | req.params.user | express.js:135:16:135:37 | '//' + ... ms.user | +| express.js:135:23:135:37 | req.params.user | express.js:135:16:135:37 | '//' + ... ms.user | +| express.js:136:22:136:36 | req.params.user | express.js:136:16:136:36 | 'u' + r ... ms.user | +| express.js:136:22:136:36 | req.params.user | express.js:136:16:136:36 | 'u' + r ... ms.user | +| express.js:136:22:136:36 | req.params.user | express.js:136:16:136:36 | 'u' + r ... ms.user | | express.js:136:22:136:36 | req.params.user | express.js:136:16:136:36 | 'u' + r ... ms.user | | koa.js:6:6:6:27 | url | koa.js:7:15:7:17 | url | +| koa.js:6:6:6:27 | url | koa.js:7:15:7:17 | url | | koa.js:6:6:6:27 | url | koa.js:8:18:8:20 | url | -| koa.js:6:6:6:27 | url | koa.js:10:40:10:42 | url | -| koa.js:6:6:6:27 | url | koa.js:10:40:10:42 | url | -| koa.js:6:6:6:27 | url | koa.js:10:51:10:51 | url | -| koa.js:6:6:6:27 | url | koa.js:11:6:11:8 | url | +| koa.js:6:6:6:27 | url | koa.js:14:16:14:18 | url | | koa.js:6:6:6:27 | url | koa.js:14:16:14:18 | url | | koa.js:6:12:6:27 | ctx.query.target | koa.js:6:6:6:27 | url | +| koa.js:6:12:6:27 | ctx.query.target | koa.js:6:6:6:27 | url | | koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` | -| koa.js:10:40:10:42 | url | koa.js:10:51:10:51 | url | -| koa.js:10:40:10:42 | url | koa.js:10:51:10:51 | url | -| koa.js:10:40:10:42 | url | koa.js:11:6:11:8 | url | -| koa.js:10:40:10:42 | url | koa.js:11:6:11:8 | url | -| koa.js:10:40:10:42 | url | koa.js:14:16:14:18 | url | -| koa.js:10:40:10:42 | url | koa.js:14:16:14:18 | url | -| koa.js:10:51:10:51 | url | koa.js:11:6:11:8 | url | -| koa.js:10:51:10:51 | url | koa.js:14:16:14:18 | url | -| koa.js:11:6:11:8 | url | koa.js:14:16:14:18 | url | +| koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` | +| node.js:6:7:6:52 | target | node.js:7:34:7:39 | target | | node.js:6:7:6:52 | target | node.js:7:34:7:39 | target | | node.js:6:16:6:39 | url.par ... , true) | node.js:6:16:6:45 | url.par ... ).query | | node.js:6:16:6:45 | url.par ... ).query | node.js:6:16:6:52 | url.par ... .target | | node.js:6:16:6:52 | url.par ... .target | node.js:6:7:6:52 | target | | node.js:6:26:6:32 | req.url | node.js:6:16:6:39 | url.par ... , true) | +| node.js:6:26:6:32 | req.url | node.js:6:16:6:39 | url.par ... , true) | | node.js:11:7:11:52 | target | node.js:15:40:15:45 | target | | node.js:11:16:11:39 | url.par ... , true) | node.js:11:16:11:45 | url.par ... ).query | | node.js:11:16:11:45 | url.par ... ).query | node.js:11:16:11:52 | url.par ... .target | | node.js:11:16:11:52 | url.par ... .target | node.js:11:7:11:52 | target | | node.js:11:26:11:32 | req.url | node.js:11:16:11:39 | url.par ... , true) | +| node.js:11:26:11:32 | req.url | node.js:11:16:11:39 | url.par ... , true) | +| node.js:15:40:15:45 | target | node.js:15:34:15:45 | '/' + target | | node.js:15:40:15:45 | target | node.js:15:34:15:45 | '/' + target | | node.js:29:7:29:52 | target | node.js:32:34:32:39 | target | | node.js:29:16:29:39 | url.par ... , true) | node.js:29:16:29:45 | url.par ... ).query | | node.js:29:16:29:45 | url.par ... ).query | node.js:29:16:29:52 | url.par ... .target | | node.js:29:16:29:52 | url.par ... .target | node.js:29:7:29:52 | target | | node.js:29:26:29:32 | req.url | node.js:29:16:29:39 | url.par ... , true) | -| node.js:32:34:32:39 | target | node.js:32:34:32:50 | target + "?from=" | +| node.js:29:26:29:32 | req.url | node.js:29:16:29:39 | url.par ... , true) | | node.js:32:34:32:39 | target | node.js:32:34:32:55 | target ... =" + me | -| node.js:32:34:32:50 | target + "?from=" | node.js:32:34:32:55 | target ... =" + me | +| node.js:32:34:32:39 | target | node.js:32:34:32:55 | target ... =" + me | +| react-native.js:7:7:7:33 | tainted | react-native.js:8:17:8:23 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:8:17:8:23 | tainted | | react-native.js:7:7:7:33 | tainted | react-native.js:9:26:9:32 | tainted | +| react-native.js:7:7:7:33 | tainted | react-native.js:9:26:9:32 | tainted | +| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | #select | express.js:7:16:7:34 | req.param("target") | express.js:7:16:7:34 | req.param("target") | express.js:7:16:7:34 | req.param("target") | Untrusted URL redirection due to $@. | express.js:7:16:7:34 | req.param("target") | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected b/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected index 982bd6ee841..03dc33e7113 100644 --- a/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected +++ b/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected @@ -1,17 +1,32 @@ nodes | domparser.js:2:7:2:36 | src | | domparser.js:2:13:2:29 | document.location | +| domparser.js:2:13:2:29 | document.location | | domparser.js:2:13:2:36 | documen ... .search | | domparser.js:11:55:11:57 | src | +| domparser.js:11:55:11:57 | src | +| domparser.js:14:57:14:59 | src | | domparser.js:14:57:14:59 | src | | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | +| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | +| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | +| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | edges | domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src | +| domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src | +| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src | | domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src | | domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search | +| domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search | | domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src | +| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | +| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | #select | domparser.js:11:55:11:57 | src | domparser.js:2:13:2:29 | document.location | domparser.js:11:55:11:57 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value | | domparser.js:14:57:14:59 | src | domparser.js:2:13:2:29 | document.location | domparser.js:14:57:14:59 | src | A $@ is parsed as XML without guarding against external entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected b/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected index 0fe75f2e75e..dc2b32cdd9e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected +++ b/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected @@ -1,10 +1,20 @@ nodes | tst.js:17:11:17:113 | `Hi, lo ... token}` | +| tst.js:17:11:17:113 | `Hi, lo ... token}` | +| tst.js:17:84:17:91 | req.host | | tst.js:17:84:17:91 | req.host | | tst.js:18:11:18:127 | `Hi, lo ... reset.` | +| tst.js:18:11:18:127 | `Hi, lo ... reset.` | +| tst.js:18:78:18:85 | req.host | | tst.js:18:78:18:85 | req.host | edges | tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` | +| tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` | +| tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` | +| tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` | +| tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` | +| tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` | +| tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` | | tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` | #select | tst.js:17:11:17:113 | `Hi, lo ... token}` | tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` | Links in this email can be hijacked by poisoning the HTTP host header $@. | tst.js:17:84:17:91 | req.host | here | diff --git a/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.expected b/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.expected index dc107f8d15d..8cb5413d0b3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.expected @@ -1,33 +1,51 @@ nodes | XpathInjectionBad.js:6:7:6:38 | userName | | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | +| XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | +| XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | | XpathInjectionBad.js:9:66:9:73 | userName | | tst2.js:1:13:1:29 | document.location | +| tst2.js:1:13:1:29 | document.location | | tst2.js:1:13:1:34 | documen ... on.hash | | tst2.js:1:13:1:47 | documen ... ring(1) | | tst2.js:2:27:2:31 | query | +| tst2.js:2:27:2:31 | query | +| tst2.js:3:19:3:23 | query | | tst2.js:3:19:3:23 | query | | tst.js:6:7:6:37 | tainted | | tst.js:6:17:6:37 | req.par ... rName") | +| tst.js:6:17:6:37 | req.par ... rName") | +| tst.js:7:15:7:21 | tainted | | tst.js:7:15:7:21 | tainted | | tst.js:8:16:8:22 | tainted | +| tst.js:8:16:8:22 | tainted | | tst.js:9:17:9:23 | tainted | +| tst.js:9:17:9:23 | tainted | +| tst.js:11:8:11:14 | tainted | | tst.js:11:8:11:14 | tainted | edges | XpathInjectionBad.js:6:7:6:38 | userName | XpathInjectionBad.js:9:66:9:73 | userName | | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:6:7:6:38 | userName | -| XpathInjectionBad.js:9:34:9:73 | "//user ... serName | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | -| XpathInjectionBad.js:9:66:9:73 | userName | XpathInjectionBad.js:9:34:9:73 | "//user ... serName | +| XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:6:7:6:38 | userName | | XpathInjectionBad.js:9:66:9:73 | userName | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | +| XpathInjectionBad.js:9:66:9:73 | userName | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | +| tst2.js:1:13:1:29 | document.location | tst2.js:1:13:1:34 | documen ... on.hash | | tst2.js:1:13:1:29 | document.location | tst2.js:1:13:1:34 | documen ... on.hash | | tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:1:13:1:47 | documen ... ring(1) | | tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:2:27:2:31 | query | +| tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:2:27:2:31 | query | +| tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:3:19:3:23 | query | | tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:3:19:3:23 | query | | tst.js:6:7:6:37 | tainted | tst.js:7:15:7:21 | tainted | +| tst.js:6:7:6:37 | tainted | tst.js:7:15:7:21 | tainted | +| tst.js:6:7:6:37 | tainted | tst.js:8:16:8:22 | tainted | | tst.js:6:7:6:37 | tainted | tst.js:8:16:8:22 | tainted | | tst.js:6:7:6:37 | tainted | tst.js:9:17:9:23 | tainted | +| tst.js:6:7:6:37 | tainted | tst.js:9:17:9:23 | tainted | | tst.js:6:7:6:37 | tainted | tst.js:11:8:11:14 | tainted | +| tst.js:6:7:6:37 | tainted | tst.js:11:8:11:14 | tainted | +| tst.js:6:17:6:37 | req.par ... rName") | tst.js:6:7:6:37 | tainted | | tst.js:6:17:6:37 | req.par ... rName") | tst.js:6:7:6:37 | tainted | #select | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | $@ flows here and is used in an XPath expression. | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | User-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected index 2343c1c34bf..dedd3625d6e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected @@ -1,34 +1,51 @@ nodes | RegExpInjection.js:5:7:5:28 | key | | RegExpInjection.js:5:13:5:28 | req.param("key") | +| RegExpInjection.js:5:13:5:28 | req.param("key") | | RegExpInjection.js:5:31:5:56 | input | | RegExpInjection.js:5:39:5:56 | req.param("input") | +| RegExpInjection.js:5:39:5:56 | req.param("input") | +| RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | | RegExpInjection.js:8:31:8:33 | key | | RegExpInjection.js:19:14:19:22 | wrap(key) | +| RegExpInjection.js:19:14:19:22 | wrap(key) | | RegExpInjection.js:19:19:19:21 | key | | RegExpInjection.js:21:14:21:22 | wrap(key) | +| RegExpInjection.js:21:14:21:22 | wrap(key) | | RegExpInjection.js:21:19:21:21 | key | | RegExpInjection.js:24:12:24:27 | req.param("key") | +| RegExpInjection.js:24:12:24:27 | req.param("key") | +| RegExpInjection.js:27:14:27:21 | getKey() | | RegExpInjection.js:27:14:27:21 | getKey() | | RegExpInjection.js:29:21:29:21 | s | | RegExpInjection.js:29:21:29:21 | s | | RegExpInjection.js:31:23:31:23 | s | | RegExpInjection.js:31:23:31:23 | s | +| RegExpInjection.js:31:23:31:23 | s | | RegExpInjection.js:33:12:33:14 | key | | RegExpInjection.js:34:12:34:19 | getKey() | | RegExpInjection.js:40:19:40:23 | input | +| RegExpInjection.js:40:19:40:23 | input | +| RegExpInjection.js:41:22:41:26 | input | | RegExpInjection.js:41:22:41:26 | input | | RegExpInjection.js:42:21:42:25 | input | +| RegExpInjection.js:42:21:42:25 | input | +| RegExpInjection.js:45:20:45:24 | input | | RegExpInjection.js:45:20:45:24 | input | | RegExpInjection.js:46:23:46:27 | input | +| RegExpInjection.js:46:23:46:27 | input | +| RegExpInjection.js:47:22:47:26 | input | | RegExpInjection.js:47:22:47:26 | input | | RegExpInjection.js:50:46:50:50 | input | +| RegExpInjection.js:50:46:50:50 | input | +| tst.js:1:46:1:46 | e | | tst.js:1:46:1:46 | e | | tst.js:2:9:2:21 | data | | tst.js:2:16:2:16 | e | | tst.js:2:16:2:21 | e.data | | tst.js:3:16:3:35 | "^"+ data.name + "$" | +| tst.js:3:16:3:35 | "^"+ data.name + "$" | | tst.js:3:21:3:24 | data | | tst.js:3:21:3:29 | data.name | edges @@ -37,32 +54,48 @@ edges | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:21:19:21:21 | key | | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:33:12:33:14 | key | | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:5:7:5:28 | key | +| RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:5:7:5:28 | key | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:40:19:40:23 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:40:19:40:23 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:41:22:41:26 | input | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:41:22:41:26 | input | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:42:21:42:25 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:42:21:42:25 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:45:20:45:24 | input | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:45:20:45:24 | input | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:46:23:46:27 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:46:23:46:27 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:47:22:47:26 | input | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:47:22:47:26 | input | +| RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:50:46:50:50 | input | | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:50:46:50:50 | input | | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:5:31:5:56 | input | -| RegExpInjection.js:8:23:8:33 | "\\\\b" + key | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | -| RegExpInjection.js:8:31:8:33 | key | RegExpInjection.js:8:23:8:33 | "\\\\b" + key | +| RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:5:31:5:56 | input | +| RegExpInjection.js:8:31:8:33 | key | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | | RegExpInjection.js:8:31:8:33 | key | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | | RegExpInjection.js:19:19:19:21 | key | RegExpInjection.js:19:14:19:22 | wrap(key) | +| RegExpInjection.js:19:19:19:21 | key | RegExpInjection.js:19:14:19:22 | wrap(key) | +| RegExpInjection.js:21:19:21:21 | key | RegExpInjection.js:21:14:21:22 | wrap(key) | | RegExpInjection.js:21:19:21:21 | key | RegExpInjection.js:21:14:21:22 | wrap(key) | | RegExpInjection.js:24:12:24:27 | req.param("key") | RegExpInjection.js:27:14:27:21 | getKey() | +| RegExpInjection.js:24:12:24:27 | req.param("key") | RegExpInjection.js:27:14:27:21 | getKey() | +| RegExpInjection.js:24:12:24:27 | req.param("key") | RegExpInjection.js:27:14:27:21 | getKey() | +| RegExpInjection.js:24:12:24:27 | req.param("key") | RegExpInjection.js:27:14:27:21 | getKey() | | RegExpInjection.js:24:12:24:27 | req.param("key") | RegExpInjection.js:34:12:34:19 | getKey() | +| RegExpInjection.js:24:12:24:27 | req.param("key") | RegExpInjection.js:34:12:34:19 | getKey() | +| RegExpInjection.js:29:21:29:21 | s | RegExpInjection.js:31:23:31:23 | s | +| RegExpInjection.js:29:21:29:21 | s | RegExpInjection.js:31:23:31:23 | s | | RegExpInjection.js:29:21:29:21 | s | RegExpInjection.js:31:23:31:23 | s | | RegExpInjection.js:29:21:29:21 | s | RegExpInjection.js:31:23:31:23 | s | | RegExpInjection.js:33:12:33:14 | key | RegExpInjection.js:29:21:29:21 | s | | RegExpInjection.js:34:12:34:19 | getKey() | RegExpInjection.js:29:21:29:21 | s | | tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e | +| tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e | | tst.js:2:9:2:21 | data | tst.js:3:21:3:24 | data | | tst.js:2:16:2:16 | e | tst.js:2:16:2:21 | e.data | | tst.js:2:16:2:21 | e.data | tst.js:2:9:2:21 | data | -| tst.js:3:16:3:29 | "^"+ data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" | | tst.js:3:21:3:24 | data | tst.js:3:21:3:29 | data.name | -| tst.js:3:21:3:29 | data.name | tst.js:3:16:3:29 | "^"+ data.name | +| tst.js:3:21:3:29 | data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" | | tst.js:3:21:3:29 | data.name | tst.js:3:16:3:35 | "^"+ data.name + "$" | #select | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:8:23:8:45 | "\\\\b" + ... (.*)\\n" | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected index 8de8a639cd3..1a512526e98 100644 --- a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected +++ b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected @@ -1,11 +1,13 @@ nodes | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | +| UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | | UnsafeDynamicMethodAccess.js:6:9:6:37 | message | | UnsafeDynamicMethodAccess.js:6:19:6:37 | JSON.parse(ev.data) | | UnsafeDynamicMethodAccess.js:6:30:6:31 | ev | | UnsafeDynamicMethodAccess.js:6:30:6:36 | ev.data | | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | +| UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | | UnsafeDynamicMethodAccess.js:15:9:15:15 | message | | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | @@ -13,8 +15,11 @@ nodes | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | +| UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | +| UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | +| tst.js:6:39:6:40 | ev | | tst.js:6:39:6:40 | ev | | tst.js:7:9:7:39 | name | | tst.js:7:16:7:34 | JSON.parse(ev.data) | @@ -23,10 +28,12 @@ nodes | tst.js:7:27:7:33 | ev.data | | tst.js:9:5:9:16 | obj[ev.data] | | tst.js:9:5:9:16 | obj[ev.data] | +| tst.js:9:5:9:16 | obj[ev.data] | | tst.js:9:9:9:10 | ev | | tst.js:9:9:9:15 | ev.data | | tst.js:11:5:11:13 | obj[name] | | tst.js:11:5:11:13 | obj[name] | +| tst.js:11:5:11:13 | obj[name] | | tst.js:11:9:11:12 | name | | tst.js:17:9:17:22 | fn | | tst.js:17:9:17:22 | fn | @@ -35,25 +42,34 @@ nodes | tst.js:17:18:17:21 | name | | tst.js:18:5:18:6 | fn | | tst.js:18:5:18:6 | fn | +| tst.js:18:5:18:6 | fn | | tst.js:20:7:20:8 | fn | +| tst.js:20:7:20:8 | fn | +| tst.js:21:7:21:15 | obj[name] | | tst.js:21:7:21:15 | obj[name] | | tst.js:21:7:21:15 | obj[name] | | tst.js:21:11:21:14 | name | | tst.js:22:11:22:12 | fn | +| tst.js:22:11:22:12 | fn | +| tst.js:26:7:26:15 | obj[name] | | tst.js:26:7:26:15 | obj[name] | | tst.js:26:7:26:15 | obj[name] | | tst.js:26:11:26:14 | name | | tst.js:28:7:28:15 | obj[name] | +| tst.js:28:7:28:15 | obj[name] | | tst.js:28:11:28:14 | name | | tst.js:34:9:34:24 | key | | tst.js:34:15:34:24 | "$" + name | | tst.js:34:21:34:24 | name | | tst.js:35:5:35:12 | obj[key] | | tst.js:35:5:35:12 | obj[key] | +| tst.js:35:5:35:12 | obj[key] | | tst.js:35:9:35:11 | key | | tst.js:37:7:37:14 | obj[key] | +| tst.js:37:7:37:14 | obj[key] | | tst.js:37:11:37:13 | key | | tst.js:47:39:47:40 | ev | +| tst.js:47:39:47:40 | ev | | tst.js:48:9:48:39 | name | | tst.js:48:16:48:34 | JSON.parse(ev.data) | | tst.js:48:16:48:39 | JSON.pa ... a).name | @@ -63,8 +79,10 @@ nodes | tst.js:49:14:49:23 | obj2[name] | | tst.js:49:19:49:22 | name | | tst.js:50:5:50:6 | fn | +| tst.js:50:5:50:6 | fn | edges | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | UnsafeDynamicMethodAccess.js:6:30:6:31 | ev | +| UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | UnsafeDynamicMethodAccess.js:6:30:6:31 | ev | | UnsafeDynamicMethodAccess.js:6:9:6:37 | message | UnsafeDynamicMethodAccess.js:15:9:15:15 | message | | UnsafeDynamicMethodAccess.js:6:19:6:37 | JSON.parse(ev.data) | UnsafeDynamicMethodAccess.js:6:9:6:37 | message | | UnsafeDynamicMethodAccess.js:6:30:6:31 | ev | UnsafeDynamicMethodAccess.js:6:30:6:36 | ev.data | @@ -72,13 +90,20 @@ edges | UnsafeDynamicMethodAccess.js:15:9:15:15 | message | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | +| UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | +| UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | +| UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | +| UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | +| UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] | | tst.js:6:39:6:40 | ev | tst.js:7:27:7:28 | ev | +| tst.js:6:39:6:40 | ev | tst.js:7:27:7:28 | ev | +| tst.js:6:39:6:40 | ev | tst.js:9:9:9:10 | ev | | tst.js:6:39:6:40 | ev | tst.js:9:9:9:10 | ev | | tst.js:7:9:7:39 | name | tst.js:11:9:11:12 | name | | tst.js:7:9:7:39 | name | tst.js:17:18:17:21 | name | @@ -93,23 +118,29 @@ edges | tst.js:9:9:9:10 | ev | tst.js:9:9:9:15 | ev.data | | tst.js:9:9:9:15 | ev.data | tst.js:9:5:9:16 | obj[ev.data] | | tst.js:9:9:9:15 | ev.data | tst.js:9:5:9:16 | obj[ev.data] | +| tst.js:9:9:9:15 | ev.data | tst.js:9:5:9:16 | obj[ev.data] | +| tst.js:11:9:11:12 | name | tst.js:11:5:11:13 | obj[name] | | tst.js:11:9:11:12 | name | tst.js:11:5:11:13 | obj[name] | | tst.js:11:9:11:12 | name | tst.js:11:5:11:13 | obj[name] | | tst.js:17:9:17:22 | fn | tst.js:18:5:18:6 | fn | | tst.js:17:9:17:22 | fn | tst.js:18:5:18:6 | fn | -| tst.js:17:9:17:22 | fn | tst.js:19:9:19:31 | fn | +| tst.js:17:9:17:22 | fn | tst.js:18:5:18:6 | fn | +| tst.js:17:9:17:22 | fn | tst.js:18:5:18:6 | fn | | tst.js:17:9:17:22 | fn | tst.js:20:7:20:8 | fn | +| tst.js:17:9:17:22 | fn | tst.js:20:7:20:8 | fn | +| tst.js:17:9:17:22 | fn | tst.js:22:11:22:12 | fn | | tst.js:17:9:17:22 | fn | tst.js:22:11:22:12 | fn | | tst.js:17:14:17:22 | obj[name] | tst.js:17:9:17:22 | fn | | tst.js:17:14:17:22 | obj[name] | tst.js:17:9:17:22 | fn | | tst.js:17:18:17:21 | name | tst.js:17:14:17:22 | obj[name] | | tst.js:17:18:17:21 | name | tst.js:17:14:17:22 | obj[name] | -| tst.js:19:9:19:31 | fn | tst.js:20:7:20:8 | fn | -| tst.js:19:9:19:31 | fn | tst.js:22:11:22:12 | fn | +| tst.js:21:11:21:14 | name | tst.js:21:7:21:15 | obj[name] | | tst.js:21:11:21:14 | name | tst.js:21:7:21:15 | obj[name] | | tst.js:21:11:21:14 | name | tst.js:21:7:21:15 | obj[name] | | tst.js:26:11:26:14 | name | tst.js:26:7:26:15 | obj[name] | | tst.js:26:11:26:14 | name | tst.js:26:7:26:15 | obj[name] | +| tst.js:26:11:26:14 | name | tst.js:26:7:26:15 | obj[name] | +| tst.js:28:11:28:14 | name | tst.js:28:7:28:15 | obj[name] | | tst.js:28:11:28:14 | name | tst.js:28:7:28:15 | obj[name] | | tst.js:34:9:34:24 | key | tst.js:35:9:35:11 | key | | tst.js:34:9:34:24 | key | tst.js:37:11:37:13 | key | @@ -117,7 +148,10 @@ edges | tst.js:34:21:34:24 | name | tst.js:34:15:34:24 | "$" + name | | tst.js:35:9:35:11 | key | tst.js:35:5:35:12 | obj[key] | | tst.js:35:9:35:11 | key | tst.js:35:5:35:12 | obj[key] | +| tst.js:35:9:35:11 | key | tst.js:35:5:35:12 | obj[key] | | tst.js:37:11:37:13 | key | tst.js:37:7:37:14 | obj[key] | +| tst.js:37:11:37:13 | key | tst.js:37:7:37:14 | obj[key] | +| tst.js:47:39:47:40 | ev | tst.js:48:27:48:28 | ev | | tst.js:47:39:47:40 | ev | tst.js:48:27:48:28 | ev | | tst.js:48:9:48:39 | name | tst.js:49:19:49:22 | name | | tst.js:48:16:48:34 | JSON.parse(ev.data) | tst.js:48:16:48:39 | JSON.pa ... a).name | @@ -125,27 +159,20 @@ edges | tst.js:48:27:48:28 | ev | tst.js:48:27:48:33 | ev.data | | tst.js:48:27:48:33 | ev.data | tst.js:48:16:48:34 | JSON.parse(ev.data) | | tst.js:49:9:49:23 | fn | tst.js:50:5:50:6 | fn | +| tst.js:49:9:49:23 | fn | tst.js:50:5:50:6 | fn | | tst.js:49:14:49:23 | obj2[name] | tst.js:49:9:49:23 | fn | | tst.js:49:19:49:22 | name | tst.js:49:14:49:23 | obj2[name] | #select | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | user-controlled | -| UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | user-controlled | -| UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | user-controlled | | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | user-controlled | | tst.js:9:5:9:16 | obj[ev.data] | tst.js:6:39:6:40 | ev | tst.js:9:5:9:16 | obj[ev.data] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | -| tst.js:9:5:9:16 | obj[ev.data] | tst.js:6:39:6:40 | ev | tst.js:9:5:9:16 | obj[ev.data] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:11:5:11:13 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:11:5:11:13 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | -| tst.js:11:5:11:13 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:11:5:11:13 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | -| tst.js:18:5:18:6 | fn | tst.js:6:39:6:40 | ev | tst.js:18:5:18:6 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:18:5:18:6 | fn | tst.js:6:39:6:40 | ev | tst.js:18:5:18:6 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:20:7:20:8 | fn | tst.js:6:39:6:40 | ev | tst.js:20:7:20:8 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:21:7:21:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:21:7:21:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | -| tst.js:21:7:21:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:21:7:21:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:22:11:22:12 | fn | tst.js:6:39:6:40 | ev | tst.js:22:11:22:12 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:26:7:26:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:26:7:26:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | -| tst.js:26:7:26:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:26:7:26:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:28:7:28:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:28:7:28:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:35:5:35:12 | obj[key] | tst.js:6:39:6:40 | ev | tst.js:35:5:35:12 | obj[key] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | -| tst.js:35:5:35:12 | obj[key] | tst.js:6:39:6:40 | ev | tst.js:35:5:35:12 | obj[key] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:37:7:37:14 | obj[key] | tst.js:6:39:6:40 | ev | tst.js:37:7:37:14 | obj[key] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled | | tst.js:50:5:50:6 | fn | tst.js:47:39:47:40 | ev | tst.js:50:5:50:6 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:47:39:47:40 | ev | user-controlled | diff --git a/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected b/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected index 483d2d585c7..77b9f6f86ca 100644 --- a/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected +++ b/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected @@ -1,35 +1,66 @@ nodes | closure.js:2:7:2:36 | src | | closure.js:2:13:2:29 | document.location | +| closure.js:2:13:2:29 | document.location | | closure.js:2:13:2:36 | documen ... .search | | closure.js:4:24:4:26 | src | +| closure.js:4:24:4:26 | src | | domparser.js:2:7:2:36 | src | | domparser.js:2:13:2:29 | document.location | +| domparser.js:2:13:2:29 | document.location | | domparser.js:2:13:2:36 | documen ... .search | | domparser.js:6:37:6:39 | src | +| domparser.js:6:37:6:39 | src | +| domparser.js:11:55:11:57 | src | | domparser.js:11:55:11:57 | src | | domparser.js:14:57:14:59 | src | +| domparser.js:14:57:14:59 | src | +| expat.js:7:16:7:36 | req.par ... e-xml") | +| expat.js:7:16:7:36 | req.par ... e-xml") | | expat.js:7:16:7:36 | req.par ... e-xml") | | jquery.js:2:7:2:36 | src | | jquery.js:2:13:2:29 | document.location | +| jquery.js:2:13:2:29 | document.location | | jquery.js:2:13:2:36 | documen ... .search | | jquery.js:5:14:5:16 | src | +| jquery.js:5:14:5:16 | src | +| libxml.js:6:21:6:41 | req.par ... e-xml") | +| libxml.js:6:21:6:41 | req.par ... e-xml") | | libxml.js:6:21:6:41 | req.par ... e-xml") | | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | +| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | +| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | +| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | edges | closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src | +| closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src | +| closure.js:2:13:2:29 | document.location | closure.js:2:13:2:36 | documen ... .search | | closure.js:2:13:2:29 | document.location | closure.js:2:13:2:36 | documen ... .search | | closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | | domparser.js:2:7:2:36 | src | domparser.js:6:37:6:39 | src | +| domparser.js:2:7:2:36 | src | domparser.js:6:37:6:39 | src | +| domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src | | domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src | | domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src | +| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src | +| domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search | | domparser.js:2:13:2:29 | document.location | domparser.js:2:13:2:36 | documen ... .search | | domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src | +| expat.js:7:16:7:36 | req.par ... e-xml") | expat.js:7:16:7:36 | req.par ... e-xml") | +| jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src | | jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src | | jquery.js:2:13:2:29 | document.location | jquery.js:2:13:2:36 | documen ... .search | +| jquery.js:2:13:2:29 | document.location | jquery.js:2:13:2:36 | documen ... .search | | jquery.js:2:13:2:36 | documen ... .search | jquery.js:2:7:2:36 | src | +| libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") | +| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | +| libxml.sax.js:7:22:7:42 | req.par ... e-xml") | libxml.sax.js:7:22:7:42 | req.par ... e-xml") | +| libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | libxml.saxpush.js:7:15:7:35 | req.par ... e-xml") | #select | closure.js:4:24:4:26 | src | closure.js:2:13:2:29 | document.location | closure.js:4:24:4:26 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | closure.js:2:13:2:29 | document.location | user-provided value | | domparser.js:6:37:6:39 | src | domparser.js:2:13:2:29 | document.location | domparser.js:6:37:6:39 | src | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:29 | document.location | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected index 2542f187d84..e2c1a2ded5c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected +++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected @@ -1,61 +1,225 @@ nodes | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | +| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | +| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | +| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | +| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | +| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | +| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | +| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | +| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | | HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | +| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | +| HardcodedCredentials.js:20:36:20:51 | getCredentials() | | HardcodedCredentials.js:20:36:20:51 | getCredentials() | | HardcodedCredentials.js:27:25:27:31 | 'admin' | +| HardcodedCredentials.js:27:25:27:31 | 'admin' | +| HardcodedCredentials.js:27:25:27:31 | 'admin' | +| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | +| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | +| HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | +| HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | +| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | +| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | | HardcodedCredentials.js:35:15:35:24 | 'username' | +| HardcodedCredentials.js:35:15:35:24 | 'username' | +| HardcodedCredentials.js:35:15:35:24 | 'username' | +| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | +| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | | HardcodedCredentials.js:41:38:41:47 | 'username' | +| HardcodedCredentials.js:41:38:41:47 | 'username' | +| HardcodedCredentials.js:41:38:41:47 | 'username' | +| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | +| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | | HardcodedCredentials.js:42:35:42:44 | 'username' | +| HardcodedCredentials.js:42:35:42:44 | 'username' | +| HardcodedCredentials.js:42:35:42:44 | 'username' | +| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | +| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | | HardcodedCredentials.js:44:34:44:43 | 'username' | +| HardcodedCredentials.js:44:34:44:43 | 'username' | +| HardcodedCredentials.js:44:34:44:43 | 'username' | +| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | +| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | +| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | +| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | +| HardcodedCredentials.js:53:27:53:36 | 'username' | +| HardcodedCredentials.js:53:27:53:36 | 'username' | | HardcodedCredentials.js:53:27:53:36 | 'username' | | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | +| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | +| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | +| HardcodedCredentials.js:56:21:56:30 | 'username' | +| HardcodedCredentials.js:56:21:56:30 | 'username' | | HardcodedCredentials.js:56:21:56:30 | 'username' | | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | +| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | +| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | +| HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | +| HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | +| HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | +| HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | +| HardcodedCredentials.js:69:28:69:37 | 'username' | +| HardcodedCredentials.js:69:28:69:37 | 'username' | | HardcodedCredentials.js:69:28:69:37 | 'username' | | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | +| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | +| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | +| HardcodedCredentials.js:70:28:70:37 | 'username' | +| HardcodedCredentials.js:70:28:70:37 | 'username' | | HardcodedCredentials.js:70:28:70:37 | 'username' | | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | +| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | +| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | +| HardcodedCredentials.js:72:23:72:32 | 'username' | +| HardcodedCredentials.js:72:23:72:32 | 'username' | | HardcodedCredentials.js:72:23:72:32 | 'username' | | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | +| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | +| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | +| HardcodedCredentials.js:75:21:75:30 | 'username' | +| HardcodedCredentials.js:75:21:75:30 | 'username' | | HardcodedCredentials.js:75:21:75:30 | 'username' | | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | +| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | +| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | +| HardcodedCredentials.js:84:38:84:47 | 'username' | +| HardcodedCredentials.js:84:38:84:47 | 'username' | | HardcodedCredentials.js:84:38:84:47 | 'username' | | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | +| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | +| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | +| HardcodedCredentials.js:86:44:86:53 | 'username' | +| HardcodedCredentials.js:86:44:86:53 | 'username' | | HardcodedCredentials.js:86:44:86:53 | 'username' | | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | +| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | +| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | +| HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | +| HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | | HardcodedCredentials.js:98:18:98:21 | 'x1' | +| HardcodedCredentials.js:98:18:98:21 | 'x1' | +| HardcodedCredentials.js:98:18:98:21 | 'x1' | +| HardcodedCredentials.js:99:16:99:19 | 'x2' | +| HardcodedCredentials.js:99:16:99:19 | 'x2' | | HardcodedCredentials.js:99:16:99:19 | 'x2' | | HardcodedCredentials.js:100:25:100:28 | 'x3' | +| HardcodedCredentials.js:100:25:100:28 | 'x3' | +| HardcodedCredentials.js:100:25:100:28 | 'x3' | +| HardcodedCredentials.js:101:19:101:22 | 'x4' | +| HardcodedCredentials.js:101:19:101:22 | 'x4' | | HardcodedCredentials.js:101:19:101:22 | 'x4' | | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | +| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | +| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | +| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | +| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | +| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | +| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | +| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | +| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | +| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | +| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | +| HardcodedCredentials.js:112:19:112:22 | 'x5' | +| HardcodedCredentials.js:112:19:112:22 | 'x5' | | HardcodedCredentials.js:112:19:112:22 | 'x5' | | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | +| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | +| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | +| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | +| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | +| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | +| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | +| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | +| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | | HardcodedCredentials.js:160:38:160:48 | "change_me" | +| HardcodedCredentials.js:160:38:160:48 | "change_me" | +| HardcodedCredentials.js:160:38:160:48 | "change_me" | +| HardcodedCredentials.js:161:41:161:51 | 'change_me' | +| HardcodedCredentials.js:161:41:161:51 | 'change_me' | | HardcodedCredentials.js:161:41:161:51 | 'change_me' | | HardcodedCredentials.js:164:35:164:45 | 'change_me' | +| HardcodedCredentials.js:164:35:164:45 | 'change_me' | +| HardcodedCredentials.js:164:35:164:45 | 'change_me' | edges +| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | +| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | +| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | +| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | | HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | +| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | +| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | +| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | +| HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | +| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | +| HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | +| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | +| HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | +| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | +| HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | +| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | +| HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | +| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | +| HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | +| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | +| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | +| HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | +| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | +| HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | +| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | +| HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | +| HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | +| HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | +| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | +| HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | +| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | +| HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | +| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | +| HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | +| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | +| HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | +| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | +| HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | +| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | +| HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | +| HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | +| HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | +| HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | +| HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | +| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | +| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | +| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | +| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | +| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | +| HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | +| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | +| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | +| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | +| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | +| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | +| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | +| HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' | #select | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name | | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password | diff --git a/javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected b/javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected index 8c2d94e0a9d..ff45448452c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected +++ b/javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected @@ -1,43 +1,106 @@ nodes | tst.js:9:8:9:26 | req.params.shutDown | +| tst.js:9:8:9:26 | req.params.shutDown | +| tst.js:9:8:9:26 | req.params.shutDown | | tst.js:14:9:14:19 | req.cookies | +| tst.js:14:9:14:19 | req.cookies | +| tst.js:14:9:14:30 | req.coo ... inThing | | tst.js:14:9:14:30 | req.coo ... inThing | | tst.js:30:9:30:37 | v3 | | tst.js:30:14:30:37 | id(req. ... okieId) | | tst.js:30:17:30:27 | req.cookies | +| tst.js:30:17:30:27 | req.cookies | | tst.js:30:17:30:36 | req.cookies.cookieId | | tst.js:31:9:31:10 | v3 | +| tst.js:31:9:31:10 | v3 | +| tst.js:37:13:37:23 | req.cookies | | tst.js:37:13:37:23 | req.cookies | | tst.js:37:13:37:32 | req.cookies.cookieId | +| tst.js:37:13:37:32 | req.cookies.cookieId | +| tst.js:43:9:43:19 | req.cookies | | tst.js:43:9:43:19 | req.cookies | | tst.js:43:9:43:28 | req.cookies.cookieId | +| tst.js:43:9:43:28 | req.cookies.cookieId | +| tst.js:50:8:50:23 | req.params.login | +| tst.js:50:8:50:23 | req.params.login | | tst.js:50:8:50:23 | req.params.login | | tst.js:65:8:65:23 | req.params.login | +| tst.js:65:8:65:23 | req.params.login | +| tst.js:65:8:65:23 | req.params.login | +| tst.js:70:9:70:19 | req.cookies | | tst.js:70:9:70:19 | req.cookies | | tst.js:70:9:70:28 | req.cookies.cookieId | +| tst.js:70:9:70:28 | req.cookies.cookieId | +| tst.js:70:34:70:53 | req.params.requestId | +| tst.js:70:34:70:53 | req.params.requestId | | tst.js:70:34:70:53 | req.params.requestId | | tst.js:75:14:75:24 | req.cookies | +| tst.js:75:14:75:24 | req.cookies | +| tst.js:75:14:75:33 | req.cookies.cookieId | | tst.js:75:14:75:33 | req.cookies.cookieId | | tst.js:75:39:75:58 | req.params.requestId | +| tst.js:75:39:75:58 | req.params.requestId | +| tst.js:75:39:75:58 | req.params.requestId | +| tst.js:90:9:90:19 | req.cookies | | tst.js:90:9:90:19 | req.cookies | | tst.js:90:9:90:28 | req.cookies.cookieId | +| tst.js:90:9:90:28 | req.cookies.cookieId | +| tst.js:90:9:90:41 | req.coo ... secret" | | tst.js:90:9:90:41 | req.coo ... secret" | | tst.js:104:10:104:17 | req.body | +| tst.js:104:10:104:17 | req.body | +| tst.js:104:10:104:17 | req.body | +| tst.js:111:13:111:32 | req.query.vulnerable | +| tst.js:111:13:111:32 | req.query.vulnerable | | tst.js:111:13:111:32 | req.query.vulnerable | | tst.js:118:13:118:32 | req.query.vulnerable | +| tst.js:118:13:118:32 | req.query.vulnerable | +| tst.js:118:13:118:32 | req.query.vulnerable | +| tst.js:126:13:126:32 | req.query.vulnerable | +| tst.js:126:13:126:32 | req.query.vulnerable | | tst.js:126:13:126:32 | req.query.vulnerable | edges +| tst.js:9:8:9:26 | req.params.shutDown | tst.js:9:8:9:26 | req.params.shutDown | | tst.js:14:9:14:19 | req.cookies | tst.js:14:9:14:30 | req.coo ... inThing | +| tst.js:14:9:14:19 | req.cookies | tst.js:14:9:14:30 | req.coo ... inThing | +| tst.js:14:9:14:19 | req.cookies | tst.js:14:9:14:30 | req.coo ... inThing | +| tst.js:14:9:14:19 | req.cookies | tst.js:14:9:14:30 | req.coo ... inThing | +| tst.js:30:9:30:37 | v3 | tst.js:31:9:31:10 | v3 | | tst.js:30:9:30:37 | v3 | tst.js:31:9:31:10 | v3 | | tst.js:30:14:30:37 | id(req. ... okieId) | tst.js:30:9:30:37 | v3 | | tst.js:30:17:30:27 | req.cookies | tst.js:30:17:30:36 | req.cookies.cookieId | +| tst.js:30:17:30:27 | req.cookies | tst.js:30:17:30:36 | req.cookies.cookieId | | tst.js:30:17:30:36 | req.cookies.cookieId | tst.js:30:14:30:37 | id(req. ... okieId) | | tst.js:37:13:37:23 | req.cookies | tst.js:37:13:37:32 | req.cookies.cookieId | +| tst.js:37:13:37:23 | req.cookies | tst.js:37:13:37:32 | req.cookies.cookieId | +| tst.js:37:13:37:23 | req.cookies | tst.js:37:13:37:32 | req.cookies.cookieId | +| tst.js:37:13:37:23 | req.cookies | tst.js:37:13:37:32 | req.cookies.cookieId | | tst.js:43:9:43:19 | req.cookies | tst.js:43:9:43:28 | req.cookies.cookieId | +| tst.js:43:9:43:19 | req.cookies | tst.js:43:9:43:28 | req.cookies.cookieId | +| tst.js:43:9:43:19 | req.cookies | tst.js:43:9:43:28 | req.cookies.cookieId | +| tst.js:43:9:43:19 | req.cookies | tst.js:43:9:43:28 | req.cookies.cookieId | +| tst.js:50:8:50:23 | req.params.login | tst.js:50:8:50:23 | req.params.login | +| tst.js:65:8:65:23 | req.params.login | tst.js:65:8:65:23 | req.params.login | | tst.js:70:9:70:19 | req.cookies | tst.js:70:9:70:28 | req.cookies.cookieId | +| tst.js:70:9:70:19 | req.cookies | tst.js:70:9:70:28 | req.cookies.cookieId | +| tst.js:70:9:70:19 | req.cookies | tst.js:70:9:70:28 | req.cookies.cookieId | +| tst.js:70:9:70:19 | req.cookies | tst.js:70:9:70:28 | req.cookies.cookieId | +| tst.js:70:34:70:53 | req.params.requestId | tst.js:70:34:70:53 | req.params.requestId | | tst.js:75:14:75:24 | req.cookies | tst.js:75:14:75:33 | req.cookies.cookieId | +| tst.js:75:14:75:24 | req.cookies | tst.js:75:14:75:33 | req.cookies.cookieId | +| tst.js:75:14:75:24 | req.cookies | tst.js:75:14:75:33 | req.cookies.cookieId | +| tst.js:75:14:75:24 | req.cookies | tst.js:75:14:75:33 | req.cookies.cookieId | +| tst.js:75:39:75:58 | req.params.requestId | tst.js:75:39:75:58 | req.params.requestId | +| tst.js:90:9:90:19 | req.cookies | tst.js:90:9:90:28 | req.cookies.cookieId | +| tst.js:90:9:90:19 | req.cookies | tst.js:90:9:90:28 | req.cookies.cookieId | +| tst.js:90:9:90:19 | req.cookies | tst.js:90:9:90:28 | req.cookies.cookieId | | tst.js:90:9:90:19 | req.cookies | tst.js:90:9:90:28 | req.cookies.cookieId | | tst.js:90:9:90:28 | req.cookies.cookieId | tst.js:90:9:90:41 | req.coo ... secret" | +| tst.js:90:9:90:28 | req.cookies.cookieId | tst.js:90:9:90:41 | req.coo ... secret" | +| tst.js:104:10:104:17 | req.body | tst.js:104:10:104:17 | req.body | +| tst.js:111:13:111:32 | req.query.vulnerable | tst.js:111:13:111:32 | req.query.vulnerable | +| tst.js:118:13:118:32 | req.query.vulnerable | tst.js:118:13:118:32 | req.query.vulnerable | +| tst.js:126:13:126:32 | req.query.vulnerable | tst.js:126:13:126:32 | req.query.vulnerable | #select | tst.js:9:8:9:26 | req.params.shutDown | tst.js:9:8:9:26 | req.params.shutDown | tst.js:9:8:9:26 | req.params.shutDown | This condition guards a sensitive $@, but $@ controls it. | tst.js:11:9:11:22 | process.exit() | action | tst.js:9:8:9:26 | req.params.shutDown | a user-provided value | | tst.js:14:9:14:30 | req.coo ... inThing | tst.js:14:9:14:19 | req.cookies | tst.js:14:9:14:30 | req.coo ... inThing | This condition guards a sensitive $@, but $@ controls it. | tst.js:16:9:16:17 | o.login() | action | tst.js:14:9:14:19 | req.cookies | a user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected index dec60a2bbb8..7f1b07adbe4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected @@ -1,49 +1,85 @@ nodes | LoopBoundInjectionBad.js:8:13:8:20 | req.body | +| LoopBoundInjectionBad.js:8:13:8:20 | req.body | +| LoopBoundInjectionBad.js:10:15:10:22 | req.body | | LoopBoundInjectionBad.js:10:15:10:22 | req.body | | LoopBoundInjectionBad.js:12:25:12:32 | req.body | +| LoopBoundInjectionBad.js:12:25:12:32 | req.body | +| LoopBoundInjectionBad.js:14:19:14:26 | req.body | | LoopBoundInjectionBad.js:14:19:14:26 | req.body | | LoopBoundInjectionBad.js:17:18:17:20 | val | | LoopBoundInjectionBad.js:20:25:20:27 | val | +| LoopBoundInjectionBad.js:20:25:20:27 | val | | LoopBoundInjectionBad.js:25:20:25:22 | val | | LoopBoundInjectionBad.js:29:16:29:18 | val | +| LoopBoundInjectionBad.js:29:16:29:18 | val | | LoopBoundInjectionBad.js:35:30:35:32 | val | | LoopBoundInjectionBad.js:38:15:38:17 | val | +| LoopBoundInjectionBad.js:38:15:38:17 | val | | LoopBoundInjectionBad.js:46:24:46:26 | val | | LoopBoundInjectionBad.js:51:25:51:27 | val | +| LoopBoundInjectionBad.js:51:25:51:27 | val | +| LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | +| LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | +| LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | +| LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | | LoopBoundInjectionExitBad.js:17:17:17:19 | val | | LoopBoundInjectionExitBad.js:20:22:20:24 | val | +| LoopBoundInjectionExitBad.js:20:22:20:24 | val | | LoopBoundInjectionExitBad.js:31:17:31:19 | val | | LoopBoundInjectionExitBad.js:34:22:34:24 | val | +| LoopBoundInjectionExitBad.js:34:22:34:24 | val | | LoopBoundInjectionExitBad.js:46:18:46:20 | val | | LoopBoundInjectionExitBad.js:49:22:49:24 | val | +| LoopBoundInjectionExitBad.js:49:22:49:24 | val | | LoopBoundInjectionExitBad.js:59:22:59:24 | val | | LoopBoundInjectionExitBad.js:60:8:60:10 | val | +| LoopBoundInjectionExitBad.js:60:8:60:10 | val | +| LoopBoundInjectionLodash.js:9:13:9:20 | req.body | | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | | LoopBoundInjectionLodash.js:12:18:12:20 | val | | LoopBoundInjectionLodash.js:13:13:13:15 | val | +| LoopBoundInjectionLodash.js:13:13:13:15 | val | edges | LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:17:18:17:20 | val | +| LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:17:18:17:20 | val | +| LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:25:20:25:22 | val | | LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:25:20:25:22 | val | | LoopBoundInjectionBad.js:12:25:12:32 | req.body | LoopBoundInjectionBad.js:35:30:35:32 | val | +| LoopBoundInjectionBad.js:12:25:12:32 | req.body | LoopBoundInjectionBad.js:35:30:35:32 | val | +| LoopBoundInjectionBad.js:14:19:14:26 | req.body | LoopBoundInjectionBad.js:46:24:46:26 | val | | LoopBoundInjectionBad.js:14:19:14:26 | req.body | LoopBoundInjectionBad.js:46:24:46:26 | val | | LoopBoundInjectionBad.js:17:18:17:20 | val | LoopBoundInjectionBad.js:20:25:20:27 | val | +| LoopBoundInjectionBad.js:17:18:17:20 | val | LoopBoundInjectionBad.js:20:25:20:27 | val | +| LoopBoundInjectionBad.js:25:20:25:22 | val | LoopBoundInjectionBad.js:29:16:29:18 | val | | LoopBoundInjectionBad.js:25:20:25:22 | val | LoopBoundInjectionBad.js:29:16:29:18 | val | | LoopBoundInjectionBad.js:35:30:35:32 | val | LoopBoundInjectionBad.js:38:15:38:17 | val | +| LoopBoundInjectionBad.js:35:30:35:32 | val | LoopBoundInjectionBad.js:38:15:38:17 | val | +| LoopBoundInjectionBad.js:46:24:46:26 | val | LoopBoundInjectionBad.js:51:25:51:27 | val | | LoopBoundInjectionBad.js:46:24:46:26 | val | LoopBoundInjectionBad.js:51:25:51:27 | val | | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | LoopBoundInjectionExitBad.js:17:17:17:19 | val | +| LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | LoopBoundInjectionExitBad.js:17:17:17:19 | val | +| LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | LoopBoundInjectionExitBad.js:31:17:31:19 | val | | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | LoopBoundInjectionExitBad.js:31:17:31:19 | val | | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | LoopBoundInjectionExitBad.js:46:18:46:20 | val | +| LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | LoopBoundInjectionExitBad.js:46:18:46:20 | val | +| LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | LoopBoundInjectionExitBad.js:59:22:59:24 | val | | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | LoopBoundInjectionExitBad.js:59:22:59:24 | val | | LoopBoundInjectionExitBad.js:17:17:17:19 | val | LoopBoundInjectionExitBad.js:20:22:20:24 | val | +| LoopBoundInjectionExitBad.js:17:17:17:19 | val | LoopBoundInjectionExitBad.js:20:22:20:24 | val | +| LoopBoundInjectionExitBad.js:31:17:31:19 | val | LoopBoundInjectionExitBad.js:34:22:34:24 | val | | LoopBoundInjectionExitBad.js:31:17:31:19 | val | LoopBoundInjectionExitBad.js:34:22:34:24 | val | | LoopBoundInjectionExitBad.js:46:18:46:20 | val | LoopBoundInjectionExitBad.js:49:22:49:24 | val | +| LoopBoundInjectionExitBad.js:46:18:46:20 | val | LoopBoundInjectionExitBad.js:49:22:49:24 | val | +| LoopBoundInjectionExitBad.js:59:22:59:24 | val | LoopBoundInjectionExitBad.js:60:8:60:10 | val | | LoopBoundInjectionExitBad.js:59:22:59:24 | val | LoopBoundInjectionExitBad.js:60:8:60:10 | val | | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | LoopBoundInjectionLodash.js:12:18:12:20 | val | +| LoopBoundInjectionLodash.js:9:13:9:20 | req.body | LoopBoundInjectionLodash.js:12:18:12:20 | val | +| LoopBoundInjectionLodash.js:12:18:12:20 | val | LoopBoundInjectionLodash.js:13:13:13:15 | val | | LoopBoundInjectionLodash.js:12:18:12:20 | val | LoopBoundInjectionLodash.js:13:13:13:15 | val | #select | LoopBoundInjectionBad.js:20:25:20:27 | val | LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:20:25:20:27 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionBad.js:8:13:8:20 | req.body | here | diff --git a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected index 5cd1cf4abaa..9baa3bcaecd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected +++ b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected @@ -1,45 +1,54 @@ nodes | tst.js:5:9:5:27 | foo | | tst.js:5:15:5:27 | req.query.foo | +| tst.js:5:15:5:27 | req.query.foo | +| tst.js:6:5:6:7 | foo | | tst.js:6:5:6:7 | foo | | tst.js:8:5:8:7 | foo | +| tst.js:8:5:8:7 | foo | +| tst.js:11:9:11:11 | foo | | tst.js:11:9:11:11 | foo | | tst.js:14:16:14:18 | bar | | tst.js:15:9:15:11 | bar | +| tst.js:15:9:15:11 | bar | | tst.js:17:7:17:9 | foo | | tst.js:27:5:27:7 | foo | +| tst.js:27:5:27:7 | foo | +| tst.js:28:5:28:7 | foo | | tst.js:28:5:28:7 | foo | | tst.js:36:9:36:11 | foo | +| tst.js:36:9:36:11 | foo | +| tst.js:41:5:41:7 | foo | | tst.js:41:5:41:7 | foo | | tst.js:45:9:45:35 | foo | | tst.js:45:15:45:35 | ctx.req ... ery.foo | +| tst.js:45:15:45:35 | ctx.req ... ery.foo | +| tst.js:46:5:46:7 | foo | | tst.js:46:5:46:7 | foo | edges | tst.js:5:9:5:27 | foo | tst.js:6:5:6:7 | foo | +| tst.js:5:9:5:27 | foo | tst.js:6:5:6:7 | foo | | tst.js:5:9:5:27 | foo | tst.js:8:5:8:7 | foo | -| tst.js:5:9:5:27 | foo | tst.js:10:5:10:4 | foo | +| tst.js:5:9:5:27 | foo | tst.js:8:5:8:7 | foo | +| tst.js:5:9:5:27 | foo | tst.js:11:9:11:11 | foo | | tst.js:5:9:5:27 | foo | tst.js:11:9:11:11 | foo | | tst.js:5:9:5:27 | foo | tst.js:17:7:17:9 | foo | | tst.js:5:9:5:27 | foo | tst.js:27:5:27:7 | foo | +| tst.js:5:9:5:27 | foo | tst.js:27:5:27:7 | foo | | tst.js:5:9:5:27 | foo | tst.js:28:5:28:7 | foo | -| tst.js:5:9:5:27 | foo | tst.js:30:9:30:31 | foo | -| tst.js:5:9:5:27 | foo | tst.js:30:9:30:31 | foo | -| tst.js:5:9:5:27 | foo | tst.js:35:5:35:5 | foo | +| tst.js:5:9:5:27 | foo | tst.js:28:5:28:7 | foo | +| tst.js:5:9:5:27 | foo | tst.js:36:9:36:11 | foo | | tst.js:5:9:5:27 | foo | tst.js:36:9:36:11 | foo | | tst.js:5:9:5:27 | foo | tst.js:41:5:41:7 | foo | +| tst.js:5:9:5:27 | foo | tst.js:41:5:41:7 | foo | | tst.js:5:15:5:27 | req.query.foo | tst.js:5:9:5:27 | foo | -| tst.js:10:5:10:4 | foo | tst.js:11:9:11:11 | foo | +| tst.js:5:15:5:27 | req.query.foo | tst.js:5:9:5:27 | foo | +| tst.js:14:16:14:18 | bar | tst.js:15:9:15:11 | bar | | tst.js:14:16:14:18 | bar | tst.js:15:9:15:11 | bar | | tst.js:17:7:17:9 | foo | tst.js:14:16:14:18 | bar | -| tst.js:30:9:30:31 | foo | tst.js:35:5:35:5 | foo | -| tst.js:30:9:30:31 | foo | tst.js:35:5:35:5 | foo | -| tst.js:30:9:30:31 | foo | tst.js:36:9:36:11 | foo | -| tst.js:30:9:30:31 | foo | tst.js:36:9:36:11 | foo | -| tst.js:30:9:30:31 | foo | tst.js:41:5:41:7 | foo | -| tst.js:30:9:30:31 | foo | tst.js:41:5:41:7 | foo | -| tst.js:35:5:35:5 | foo | tst.js:36:9:36:11 | foo | -| tst.js:35:5:35:5 | foo | tst.js:41:5:41:7 | foo | | tst.js:45:9:45:35 | foo | tst.js:46:5:46:7 | foo | +| tst.js:45:9:45:35 | foo | tst.js:46:5:46:7 | foo | +| tst.js:45:15:45:35 | ctx.req ... ery.foo | tst.js:45:9:45:35 | foo | | tst.js:45:15:45:35 | ctx.req ... ery.foo | tst.js:45:9:45:35 | foo | #select | tst.js:6:5:6:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:6:5:6:7 | foo | Potential type confusion for $@. | tst.js:5:15:5:27 | req.query.foo | HTTP request parameter | diff --git a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected index 0f56b81d0e3..53a6ddea6a5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected +++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected @@ -1,17 +1,33 @@ nodes | HttpToFileAccess.js:5:18:5:18 | d | +| HttpToFileAccess.js:5:18:5:18 | d | +| HttpToFileAccess.js:6:37:6:37 | d | | HttpToFileAccess.js:6:37:6:37 | d | | tst.js:15:26:15:26 | c | +| tst.js:15:26:15:26 | c | +| tst.js:16:33:16:33 | c | | tst.js:16:33:16:33 | c | | tst.js:19:25:19:25 | c | +| tst.js:19:25:19:25 | c | +| tst.js:24:22:24:22 | c | | tst.js:24:22:24:22 | c | edges | HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | +| HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | +| HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | +| HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | +| tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | +| tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | +| tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | | tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | -| tst.js:15:26:15:26 | c | tst.js:23:27:23:26 | c | +| tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | +| tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | +| tst.js:15:26:15:26 | c | tst.js:19:25:19:25 | c | +| tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | +| tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | +| tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | | tst.js:15:26:15:26 | c | tst.js:24:22:24:22 | c | -| tst.js:23:27:23:26 | c | tst.js:24:22:24:22 | c | #select | HttpToFileAccess.js:6:37:6:37 | d | HttpToFileAccess.js:5:18:5:18 | d | HttpToFileAccess.js:6:37:6:37 | d | $@ flows to file system | HttpToFileAccess.js:5:18:5:18 | d | Untrusted data | | tst.js:16:33:16:33 | c | tst.js:15:26:15:26 | c | tst.js:16:33:16:33 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data | diff --git a/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected b/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected index cdd69e35a19..40cd78138e4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected +++ b/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected @@ -1,8 +1,17 @@ nodes | tst.js:5:48:5:55 | password | +| tst.js:5:48:5:55 | password | +| tst.js:5:48:5:55 | password | +| tst.js:7:46:7:53 | password | +| tst.js:7:46:7:53 | password | | tst.js:7:46:7:53 | password | | tst.js:9:43:9:50 | password | +| tst.js:9:43:9:50 | password | +| tst.js:9:43:9:50 | password | edges +| tst.js:5:48:5:55 | password | tst.js:5:48:5:55 | password | +| tst.js:7:46:7:53 | password | tst.js:7:46:7:53 | password | +| tst.js:9:43:9:50 | password | tst.js:9:43:9:50 | password | #select | tst.js:5:48:5:55 | password | tst.js:5:48:5:55 | password | tst.js:5:48:5:55 | password | Password from $@ is hashed insecurely. | tst.js:5:48:5:55 | password | an access to password | | tst.js:7:46:7:53 | password | tst.js:7:46:7:53 | password | tst.js:7:46:7:53 | password | Password from $@ is hashed insecurely. | tst.js:7:46:7:53 | password | an access to password | diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index a8520620fd3..5aeef6447cc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -4,34 +4,51 @@ nodes | tst.js:14:19:14:48 | url.par ... ).query | | tst.js:14:19:14:52 | url.par ... ery.url | | tst.js:14:29:14:35 | req.url | +| tst.js:14:29:14:35 | req.url | +| tst.js:18:13:18:19 | tainted | | tst.js:18:13:18:19 | tainted | | tst.js:20:17:20:23 | tainted | +| tst.js:20:17:20:23 | tainted | | tst.js:23:19:23:25 | tainted | +| tst.js:23:19:23:25 | tainted | +| tst.js:26:13:26:31 | "http://" + tainted | | tst.js:26:13:26:31 | "http://" + tainted | | tst.js:26:25:26:31 | tainted | | tst.js:28:13:28:42 | "http:/ ... tainted | +| tst.js:28:13:28:42 | "http:/ ... tainted | | tst.js:28:36:28:42 | tainted | | tst.js:30:13:30:43 | "http:/ ... tainted | +| tst.js:30:13:30:43 | "http:/ ... tainted | | tst.js:30:37:30:43 | tainted | | tst.js:34:34:34:40 | tainted | +| tst.js:34:34:34:40 | tainted | +| tst.js:36:16:36:31 | new Uri(tainted) | | tst.js:36:16:36:31 | new Uri(tainted) | | tst.js:36:24:36:30 | tainted | | tst.js:37:22:37:37 | new Uri(tainted) | +| tst.js:37:22:37:37 | new Uri(tainted) | | tst.js:37:30:37:36 | tainted | | tst.js:41:13:41:51 | `http:/ ... inted}` | +| tst.js:41:13:41:51 | `http:/ ... inted}` | | tst.js:41:43:41:49 | tainted | | tst.js:43:13:43:54 | `http:/ ... inted}` | +| tst.js:43:13:43:54 | `http:/ ... inted}` | | tst.js:43:46:43:52 | tainted | | tst.js:45:13:45:56 | 'http:/ ... tainted | +| tst.js:45:13:45:56 | 'http:/ ... tainted | | tst.js:45:50:45:56 | tainted | edges | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted | +| tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:20:17:20:23 | tainted | +| tst.js:14:9:14:52 | tainted | tst.js:20:17:20:23 | tainted | +| tst.js:14:9:14:52 | tainted | tst.js:23:19:23:25 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:23:19:23:25 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:26:25:26:31 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:28:36:28:42 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:30:37:30:43 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:34:34:34:40 | tainted | +| tst.js:14:9:14:52 | tainted | tst.js:34:34:34:40 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:36:24:36:30 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:37:30:37:36 | tainted | | tst.js:14:9:14:52 | tainted | tst.js:41:43:41:49 | tainted | @@ -41,13 +58,22 @@ edges | tst.js:14:19:14:48 | url.par ... ).query | tst.js:14:19:14:52 | url.par ... ery.url | | tst.js:14:19:14:52 | url.par ... ery.url | tst.js:14:9:14:52 | tainted | | tst.js:14:29:14:35 | req.url | tst.js:14:19:14:42 | url.par ... , true) | +| tst.js:14:29:14:35 | req.url | tst.js:14:19:14:42 | url.par ... , true) | +| tst.js:26:25:26:31 | tainted | tst.js:26:13:26:31 | "http://" + tainted | | tst.js:26:25:26:31 | tainted | tst.js:26:13:26:31 | "http://" + tainted | | tst.js:28:36:28:42 | tainted | tst.js:28:13:28:42 | "http:/ ... tainted | +| tst.js:28:36:28:42 | tainted | tst.js:28:13:28:42 | "http:/ ... tainted | +| tst.js:30:37:30:43 | tainted | tst.js:30:13:30:43 | "http:/ ... tainted | | tst.js:30:37:30:43 | tainted | tst.js:30:13:30:43 | "http:/ ... tainted | | tst.js:36:24:36:30 | tainted | tst.js:36:16:36:31 | new Uri(tainted) | +| tst.js:36:24:36:30 | tainted | tst.js:36:16:36:31 | new Uri(tainted) | +| tst.js:37:30:37:36 | tainted | tst.js:37:22:37:37 | new Uri(tainted) | | tst.js:37:30:37:36 | tainted | tst.js:37:22:37:37 | new Uri(tainted) | | tst.js:41:43:41:49 | tainted | tst.js:41:13:41:51 | `http:/ ... inted}` | +| tst.js:41:43:41:49 | tainted | tst.js:41:13:41:51 | `http:/ ... inted}` | | tst.js:43:46:43:52 | tainted | tst.js:43:13:43:54 | `http:/ ... inted}` | +| tst.js:43:46:43:52 | tainted | tst.js:43:13:43:54 | `http:/ ... inted}` | +| tst.js:45:50:45:56 | tainted | tst.js:45:13:45:56 | 'http:/ ... tainted | | tst.js:45:50:45:56 | tainted | tst.js:45:13:45:56 | 'http:/ ... tainted | #select | tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value | diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.expected b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.expected new file mode 100644 index 00000000000..9f5c5a0b082 --- /dev/null +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.expected @@ -0,0 +1,2 @@ +| tst.js:3:1:3:19 | arr.concat([1,2,3]) | Result from call to concat ignored. | +| tst.js:5:1:5:15 | arr.concat(arr) | Result from call to concat ignored. | diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref new file mode 100644 index 00000000000..2cbc7e722a5 --- /dev/null +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/IgnoreArrayResult.qlref @@ -0,0 +1 @@ +Statements/IgnoreArrayResult.ql \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js new file mode 100644 index 00000000000..47efe8c1cb6 --- /dev/null +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js @@ -0,0 +1,11 @@ +var arr = [1,2,3]; + +arr.concat([1,2,3]); // NOT OK! + +arr.concat(arr); // NOT OK! + +console.log(arr.concat([1,2,3])); + +({concat: Array.prototype.concat}.concat(arr)); + +[].concat([1,2,3]); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.expected b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.expected index 500d900ff9e..f23b702bf20 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.expected +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.expected @@ -1,5 +1,7 @@ -| tst.js:20:17:20:33 | onlySideEffects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | onlySideEffects | -| tst.js:24:13:24:29 | onlySideEffects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | onlySideEffects | -| tst.js:30:20:30:36 | onlySideEffects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | onlySideEffects | -| tst.js:53:10:53:34 | bothOnl ... fects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | bothOnlyHaveSideEffects | -| tst.js:53:10:53:34 | bothOnl ... fects() | the function $@ does not return anything, yet the return value is used. | tst.js:48:2:50:5 | functio ... )\\n } | bothOnlyHaveSideEffects | +| tst.js:20:17:20:33 | onlySideEffects() | the $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | function onlySideEffects | +| tst.js:24:13:24:29 | onlySideEffects() | the $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | function onlySideEffects | +| tst.js:30:20:30:36 | onlySideEffects() | the $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | function onlySideEffects | +| tst.js:53:10:53:34 | bothOnl ... fects() | the $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n } | function onlySideEffects | +| tst.js:53:10:53:34 | bothOnl ... fects() | the $@ does not return anything, yet the return value is used. | tst.js:48:2:50:5 | functio ... )\\n } | function onlySideEffects2 | +| tst.js:76:12:76:46 | [1,2,3] ... n, 3)}) | the $@ does not return anything, yet the return value from the call to filter is used. | tst.js:76:27:76:45 | n => {equals(n, 3)} | callback function | +| tst.js:80:12:80:50 | filter( ... 3) } ) | the $@ does not return anything, yet the return value from the call to filter is used. | tst.js:80:28:80:48 | x => { ... x, 3) } | callback function | diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js index 8bb49f7e761..8a6a44707ed 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js @@ -68,4 +68,18 @@ var h = returnsValue() || alwaysThrows(); // OK! console.log(h); + + function equals(x, y) { + return x === y; + } + + var foo = [1,2,3].filter(n => {equals(n, 3)}) // NOT OK! + console.log(foo); + + import { filter } from 'lodash' + var bar = filter([1,2,4], x => { equals(x, 3) } ) // NOT OK! + console.log(bar); + + var baz = [1,2,3].filter(n => {n === 3}) // OK + console.log(baz); })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.expected b/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.expected index 045fccd225e..7c583b1bf39 100644 --- a/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.expected +++ b/javascript/ql/test/query-tests/filters/ClassifyFiles/ClassifyFiles.expected @@ -6,6 +6,7 @@ | ai.1.2.3-build0123.js:0:0:0:0 | ai.1.2.3-build0123.js | library | | bundle-directive.js:0:0:0:0 | bundle-directive.js | generated | | data.js:0:0:0:0 | data.js | generated | +| doxygen-generated.html:0:0:0:0 | doxygen-generated.html | generated | | etherpad.html:0:0:0:0 | etherpad.html | generated | | exported-data.js:0:0:0:0 | exported-data.js | generated | | htmltidy.html:0:0:0:0 | htmltidy.html | generated | diff --git a/javascript/ql/test/query-tests/filters/ClassifyFiles/doxygen-generated.html b/javascript/ql/test/query-tests/filters/ClassifyFiles/doxygen-generated.html new file mode 100644 index 00000000000..b659cc3fcb0 --- /dev/null +++ b/javascript/ql/test/query-tests/filters/ClassifyFiles/doxygen-generated.html @@ -0,0 +1,8 @@ + + + + + + 1 + + diff --git a/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/old.dbscheme b/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/old.dbscheme new file mode 100644 index 00000000000..874ebfcd4d2 --- /dev/null +++ b/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/old.dbscheme @@ -0,0 +1,1173 @@ +/*** Standard fragments ***/ + +/** Files and folders **/ + +@location = @location_default; + +locations_default(unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref + ); + +@sourceline = @locatable; + +numlines(int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref + ); + + +/* + fromSource(0) = unknown, + fromSource(1) = from source, + fromSource(2) = from library +*/ +files(unique int id: @file, + varchar(900) name: string ref, + varchar(900) simple: string ref, + varchar(900) ext: string ref, + int fromSource: int ref); + +folders(unique int id: @folder, + varchar(900) name: string ref, + varchar(900) simple: string ref); + + +@container = @folder | @file ; + + +containerparent(int parent: @container ref, + unique int child: @container ref); + +/** Duplicate code **/ + +duplicateCode( + unique int id : @duplication, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +similarCode( + unique int id : @similarity, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +@duplication_or_similarity = @duplication | @similarity; + +tokens( + int id : @duplication_or_similarity ref, + int offset : int ref, + int beginLine : int ref, + int beginColumn : int ref, + int endLine : int ref, + int endColumn : int ref); + +/** External data **/ + +externalData( + int id : @externalDataElement, + varchar(900) path : string ref, + int column: int ref, + varchar(900) value : string ref +); + +snapshotDate(unique date snapshotDate : date ref); + +sourceLocationPrefix(varchar(900) prefix : string ref); + +/** Version control data **/ + +svnentries( + int id : @svnentry, + varchar(500) revision : string ref, + varchar(500) author : string ref, + date revisionDate : date ref, + int changeSize : int ref +); + +svnaffectedfiles( + int id : @svnentry ref, + int file : @file ref, + varchar(500) action : string ref +); + +svnentrymsg( + int id : @svnentry ref, + varchar(500) message : string ref +); + +svnchurn( + int commit : @svnentry ref, + int file : @file ref, + int addedLines : int ref, + int deletedLines : int ref +); + + +/*** JavaScript-specific part ***/ + +filetype( + int file: @file ref, + string filetype: string ref +) + +// top-level code fragments +toplevels (unique int id: @toplevel, + int kind: int ref); + +isExterns (int toplevel: @toplevel ref); + +case @toplevel.kind of + 0 = @script +| 1 = @inline_script +| 2 = @event_handler +| 3 = @javascript_url; + +isModule (int tl: @toplevel ref); +isNodejs (int tl: @toplevel ref); +isES2015Module (int tl: @toplevel ref); +isClosureModule (int tl: @toplevel ref); + +// statements +#keyset[parent, idx] +stmts (unique int id: @stmt, + int kind: int ref, + int parent: @stmtparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +stmtContainers (unique int stmt: @stmt ref, + int container: @stmt_container ref); + +jumpTargets (unique int jump: @stmt ref, + int target: @stmt ref); + +@stmtparent = @stmt | @toplevel | @functionexpr | @arrowfunctionexpr; +@stmt_container = @toplevel | @function | @namespacedeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; + +case @stmt.kind of + 0 = @emptystmt +| 1 = @blockstmt +| 2 = @exprstmt +| 3 = @ifstmt +| 4 = @labeledstmt +| 5 = @breakstmt +| 6 = @continuestmt +| 7 = @withstmt +| 8 = @switchstmt +| 9 = @returnstmt +| 10 = @throwstmt +| 11 = @trystmt +| 12 = @whilestmt +| 13 = @dowhilestmt +| 14 = @forstmt +| 15 = @forinstmt +| 16 = @debuggerstmt +| 17 = @functiondeclstmt +| 18 = @vardeclstmt +| 19 = @case +| 20 = @catchclause +| 21 = @forofstmt +| 22 = @constdeclstmt +| 23 = @letstmt +| 24 = @legacy_letstmt +| 25 = @foreachstmt +| 26 = @classdeclstmt +| 27 = @importdeclaration +| 28 = @exportalldeclaration +| 29 = @exportdefaultdeclaration +| 30 = @exportnameddeclaration +| 31 = @namespacedeclaration +| 32 = @importequalsdeclaration +| 33 = @exportassigndeclaration +| 34 = @interfacedeclaration +| 35 = @typealiasdeclaration +| 36 = @enumdeclaration +| 37 = @externalmoduledeclaration +| 38 = @exportasnamespacedeclaration +| 39 = @globalaugmentationdeclaration +; + +@declstmt = @vardeclstmt | @constdeclstmt | @letstmt | @legacy_letstmt; + +@exportdeclaration = @exportalldeclaration | @exportdefaultdeclaration | @exportnameddeclaration; + +@namespacedefinition = @namespacedeclaration | @enumdeclaration; +@typedefinition = @classdefinition | @interfacedeclaration | @enumdeclaration | @typealiasdeclaration | @enum_member; + +isInstantiated(unique int decl: @namespacedeclaration ref); + +@declarablestmt = @declstmt | @namespacedeclaration | @classdeclstmt | @functiondeclstmt | @enumdeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; +hasDeclareKeyword(unique int stmt: @declarablestmt ref); + +isForAwaitOf(unique int forof: @forofstmt ref); + +// expressions +#keyset[parent, idx] +exprs (unique int id: @expr, + int kind: int ref, + int parent: @exprparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @exprortype ref); + +enclosingStmt (unique int expr: @exprortype ref, + int stmt: @stmt ref); + +exprContainers (unique int expr: @exprortype ref, + int container: @stmt_container ref); + +arraySize (unique int ae: @arraylike ref, + int sz: int ref); + +isDelegating (int yield: @yieldexpr ref); + +@exprorstmt = @expr | @stmt; +@exprortype = @expr | @typeexpr; +@exprparent = @exprorstmt | @property | @functiontypeexpr; +@arraylike = @arrayexpr | @arraypattern; +@type_annotation = @typeexpr | @jsdoc_type_expr; + +case @expr.kind of + 0 = @label +| 1 = @nullliteral +| 2 = @booleanliteral +| 3 = @numberliteral +| 4 = @stringliteral +| 5 = @regexpliteral +| 6 = @thisexpr +| 7 = @arrayexpr +| 8 = @objexpr +| 9 = @functionexpr +| 10 = @seqexpr +| 11 = @conditionalexpr +| 12 = @newexpr +| 13 = @callexpr +| 14 = @dotexpr +| 15 = @indexexpr +| 16 = @negexpr +| 17 = @plusexpr +| 18 = @lognotexpr +| 19 = @bitnotexpr +| 20 = @typeofexpr +| 21 = @voidexpr +| 22 = @deleteexpr +| 23 = @eqexpr +| 24 = @neqexpr +| 25 = @eqqexpr +| 26 = @neqqexpr +| 27 = @ltexpr +| 28 = @leexpr +| 29 = @gtexpr +| 30 = @geexpr +| 31 = @lshiftexpr +| 32 = @rshiftexpr +| 33 = @urshiftexpr +| 34 = @addexpr +| 35 = @subexpr +| 36 = @mulexpr +| 37 = @divexpr +| 38 = @modexpr +| 39 = @bitorexpr +| 40 = @xorexpr +| 41 = @bitandexpr +| 42 = @inexpr +| 43 = @instanceofexpr +| 44 = @logandexpr +| 45 = @logorexpr +| 47 = @assignexpr +| 48 = @assignaddexpr +| 49 = @assignsubexpr +| 50 = @assignmulexpr +| 51 = @assigndivexpr +| 52 = @assignmodexpr +| 53 = @assignlshiftexpr +| 54 = @assignrshiftexpr +| 55 = @assignurshiftexpr +| 56 = @assignorexpr +| 57 = @assignxorexpr +| 58 = @assignandexpr +| 59 = @preincexpr +| 60 = @postincexpr +| 61 = @predecexpr +| 62 = @postdecexpr +| 63 = @parexpr +| 64 = @vardeclarator +| 65 = @arrowfunctionexpr +| 66 = @spreadelement +| 67 = @arraypattern +| 68 = @objectpattern +| 69 = @yieldexpr +| 70 = @taggedtemplateexpr +| 71 = @templateliteral +| 72 = @templateelement +| 73 = @arraycomprehensionexpr +| 74 = @generatorexpr +| 75 = @forincomprehensionblock +| 76 = @forofcomprehensionblock +| 77 = @legacy_letexpr +| 78 = @vardecl +| 79 = @proper_varaccess +| 80 = @classexpr +| 81 = @superexpr +| 82 = @newtargetexpr +| 83 = @namedimportspecifier +| 84 = @importdefaultspecifier +| 85 = @importnamespacespecifier +| 86 = @namedexportspecifier +| 87 = @expexpr +| 88 = @assignexpexpr +| 89 = @jsxelement +| 90 = @jsxqualifiedname +| 91 = @jsxemptyexpr +| 92 = @awaitexpr +| 93 = @functionsentexpr +| 94 = @decorator +| 95 = @exportdefaultspecifier +| 96 = @exportnamespacespecifier +| 97 = @bindexpr +| 98 = @externalmodulereference +| 99 = @dynamicimport +| 100 = @expressionwithtypearguments +| 101 = @prefixtypeassertion +| 102 = @astypeassertion +| 103 = @export_varaccess +| 104 = @decorator_list +| 105 = @non_null_assertion +| 106 = @bigintliteral +| 107 = @nullishcoalescingexpr +| 108 = @e4x_xml_anyname +| 109 = @e4x_xml_static_attribute_selector +| 110 = @e4x_xml_dynamic_attribute_selector +| 111 = @e4x_xml_filter_expression +| 112 = @e4x_xml_static_qualident +| 113 = @e4x_xml_dynamic_qualident +| 114 = @e4x_xml_dotdotexpr +| 115 = @importmetaexpr +; + +@varaccess = @proper_varaccess | @export_varaccess; +@varref = @vardecl | @varaccess; + +@identifier = @label | @varref | @typeidentifier; + +@literal = @nullliteral | @booleanliteral | @numberliteral | @stringliteral | @regexpliteral | @bigintliteral; + +@propaccess = @dotexpr | @indexexpr; + +@invokeexpr = @newexpr | @callexpr; + +@unaryexpr = @negexpr | @plusexpr | @lognotexpr | @bitnotexpr | @typeofexpr | @voidexpr | @deleteexpr | @spreadelement; + +@equalitytest = @eqexpr | @neqexpr | @eqqexpr | @neqqexpr; + +@comparison = @equalitytest | @ltexpr | @leexpr | @gtexpr | @geexpr; + +@binaryexpr = @comparison | @lshiftexpr | @rshiftexpr | @urshiftexpr | @addexpr | @subexpr | @mulexpr | @divexpr | @modexpr | @expexpr | @bitorexpr | @xorexpr | @bitandexpr | @inexpr | @instanceofexpr | @logandexpr | @logorexpr | @nullishcoalescingexpr; + +@assignment = @assignexpr | @assignaddexpr | @assignsubexpr | @assignmulexpr | @assigndivexpr | @assignmodexpr | @assignexpexpr | @assignlshiftexpr | @assignrshiftexpr | @assignurshiftexpr | @assignorexpr | @assignxorexpr | @assignandexpr; + +@updateexpr = @preincexpr | @postincexpr | @predecexpr | @postdecexpr; + +@pattern = @varref | @arraypattern | @objectpattern; + +@comprehensionexpr = @arraycomprehensionexpr | @generatorexpr; + +@comprehensionblock = @forincomprehensionblock | @forofcomprehensionblock; + +@importspecifier = @namedimportspecifier | @importdefaultspecifier | @importnamespacespecifier; + +@exportspecifier = @namedexportspecifier | @exportdefaultspecifier | @exportnamespacespecifier; + +@typeassertion = @astypeassertion | @prefixtypeassertion; + +@classdefinition = @classdeclstmt | @classexpr; +@interfacedefinition = @interfacedeclaration | @interfacetypeexpr; +@classorinterface = @classdefinition | @interfacedefinition; + +@lexical_decl = @vardecl | @typedecl; +@lexical_access = @varaccess | @localtypeaccess | @localvartypeaccess | @localnamespaceaccess; +@lexical_ref = @lexical_decl | @lexical_access; + +@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; +@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; + +// scopes +scopes (unique int id: @scope, + int kind: int ref); + +case @scope.kind of + 0 = @globalscope +| 1 = @functionscope +| 2 = @catchscope +| 3 = @modulescope +| 4 = @blockscope +| 5 = @forscope +| 6 = @forinscope // for-of scopes work the same as for-in scopes +| 7 = @comprehensionblockscope +| 8 = @classexprscope +| 9 = @namespacescope +| 10 = @classdeclscope +| 11 = @interfacescope +| 12 = @typealiasscope +| 13 = @mappedtypescope +| 14 = @enumscope +| 15 = @externalmodulescope +| 16 = @conditionaltypescope; + +scopenodes (unique int node: @ast_node ref, + int scope: @scope ref); + +scopenesting (unique int inner: @scope ref, + int outer: @scope ref); + +// functions +@function = @functiondeclstmt | @functionexpr | @arrowfunctionexpr; + +@parameterized = @function | @catchclause; +@type_parameterized = @function | @classorinterface | @typealiasdeclaration | @mappedtypeexpr | @infertypeexpr; + +isGenerator (int fun: @function ref); +hasRestParameter (int fun: @function ref); +isAsync (int fun: @function ref); + +// variables and lexically scoped type names +#keyset[scope, name] +variables (unique int id: @variable, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_type_names (unique int id: @local_type_name, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_namespace_names (unique int id: @local_namespace_name, + varchar(900) name: string ref, + int scope: @scope ref); + +isArgumentsObject (int id: @variable ref); + +@lexical_name = @variable | @local_type_name | @local_namespace_name; + +@bind_id = @varaccess | @localvartypeaccess; +bind (unique int id: @bind_id ref, + int decl: @variable ref); + +decl (unique int id: @vardecl ref, + int decl: @variable ref); + +@typebind_id = @localtypeaccess | @export_varaccess; +typebind (unique int id: @typebind_id ref, + int decl: @local_type_name ref); + +@typedecl_id = @typedecl | @vardecl; +typedecl (unique int id: @typedecl_id ref, + int decl: @local_type_name ref); + +namespacedecl (unique int id: @vardecl ref, + int decl: @local_namespace_name ref); + +@namespacebind_id = @localnamespaceaccess | @export_varaccess; +namespacebind (unique int id: @namespacebind_id ref, + int decl: @local_namespace_name ref); + + +// properties in object literals, property patterns in object patterns, and method declarations in classes +#keyset[parent, index] +properties (unique int id: @property, + int parent: @property_parent ref, + int index: int ref, + int kind: int ref, + varchar(900) tostring: string ref); + +case @property.kind of + 0 = @value_property +| 1 = @property_getter +| 2 = @property_setter +| 3 = @jsx_attribute +| 4 = @function_call_signature +| 5 = @constructor_call_signature +| 6 = @index_signature +| 7 = @enum_member +| 8 = @proper_field +| 9 = @parameter_field +; + +@property_parent = @objexpr | @objectpattern | @classdefinition | @jsxelement | @interfacedefinition | @enumdeclaration; +@property_accessor = @property_getter | @property_setter; +@call_signature = @function_call_signature | @constructor_call_signature; +@field = @proper_field | @parameter_field; +@field_or_vardeclarator = @field | @vardeclarator; + +isComputed (int id: @property ref); +isMethod (int id: @property ref); +isStatic (int id: @property ref); +isAbstractMember (int id: @property ref); +isConstEnum (int id: @enumdeclaration ref); +isAbstractClass (int id: @classdeclstmt ref); + +hasPublicKeyword (int id: @property ref); +hasPrivateKeyword (int id: @property ref); +hasProtectedKeyword (int id: @property ref); +hasReadonlyKeyword (int id: @property ref); +isOptionalMember (int id: @property ref); +hasDefiniteAssignmentAssertion (int id: @field_or_vardeclarator ref); + +#keyset[constructor, param_index] +parameter_fields( + unique int field: @parameter_field ref, + int constructor: @functionexpr ref, + int param_index: int ref +); + +// types +#keyset[parent, idx] +typeexprs ( + unique int id: @typeexpr, + int kind: int ref, + int parent: @typeexpr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref +); + +case @typeexpr.kind of + 0 = @localtypeaccess +| 1 = @typedecl +| 2 = @keywordtypeexpr +| 3 = @stringliteraltypeexpr +| 4 = @numberliteraltypeexpr +| 5 = @booleanliteraltypeexpr +| 6 = @arraytypeexpr +| 7 = @uniontypeexpr +| 8 = @indexedaccesstypeexpr +| 9 = @intersectiontypeexpr +| 10 = @parenthesizedtypeexpr +| 11 = @tupletypeexpr +| 12 = @keyoftypeexpr +| 13 = @qualifiedtypeaccess +| 14 = @generictypeexpr +| 15 = @typelabel +| 16 = @typeoftypeexpr +| 17 = @localvartypeaccess +| 18 = @qualifiedvartypeaccess +| 19 = @thisvartypeaccess +| 20 = @istypeexpr +| 21 = @interfacetypeexpr +| 22 = @typeparameter +| 23 = @plainfunctiontypeexpr +| 24 = @constructortypeexpr +| 25 = @localnamespaceaccess +| 26 = @qualifiednamespaceaccess +| 27 = @mappedtypeexpr +| 28 = @conditionaltypeexpr +| 29 = @infertypeexpr +| 30 = @importtypeaccess +| 31 = @importnamespaceaccess +| 32 = @importvartypeaccess +| 33 = @optionaltypeexpr +| 34 = @resttypeexpr +| 35 = @bigintliteraltypeexpr +| 36 = @readonlytypeexpr +; + +@typeref = @typeaccess | @typedecl; +@typeidentifier = @typedecl | @localtypeaccess | @typelabel | @localvartypeaccess | @localnamespaceaccess; +@typeexpr_parent = @expr | @stmt | @property | @typeexpr; +@literaltypeexpr = @stringliteraltypeexpr | @numberliteraltypeexpr | @booleanliteraltypeexpr | @bigintliteraltypeexpr; +@typeaccess = @localtypeaccess | @qualifiedtypeaccess | @importtypeaccess; +@vartypeaccess = @localvartypeaccess | @qualifiedvartypeaccess | @thisvartypeaccess | @importvartypeaccess; +@namespaceaccess = @localnamespaceaccess | @qualifiednamespaceaccess | @importnamespaceaccess; +@importtypeexpr = @importtypeaccess | @importnamespaceaccess | @importvartypeaccess; + +@functiontypeexpr = @plainfunctiontypeexpr | @constructortypeexpr; + +// types +types ( + unique int id: @type, + int kind: int ref, + varchar(900) tostring: string ref +); + +#keyset[parent, idx] +type_child ( + int child: @type ref, + int parent: @type ref, + int idx: int ref +); + +case @type.kind of + 0 = @anytype +| 1 = @stringtype +| 2 = @numbertype +| 3 = @uniontype +| 4 = @truetype +| 5 = @falsetype +| 6 = @typereference +| 7 = @objecttype +| 8 = @canonicaltypevariabletype +| 9 = @typeoftype +| 10 = @voidtype +| 11 = @undefinedtype +| 12 = @nulltype +| 13 = @nevertype +| 14 = @plainsymboltype +| 15 = @uniquesymboltype +| 16 = @objectkeywordtype +| 17 = @intersectiontype +| 18 = @tupletype +| 19 = @lexicaltypevariabletype +| 20 = @thistype +| 21 = @numberliteraltype +| 22 = @stringliteraltype +| 23 = @unknowntype +| 24 = @biginttype +| 25 = @bigintliteraltype +; + +@booleanliteraltype = @truetype | @falsetype; +@symboltype = @plainsymboltype | @uniquesymboltype; +@unionorintersectiontype = @uniontype | @intersectiontype; +@typevariabletype = @canonicaltypevariabletype | @lexicaltypevariabletype; + +@typed_ast_node = @expr | @typeexpr | @function; +ast_node_type( + unique int node: @typed_ast_node ref, + int typ: @type ref); + +declared_function_signature( + unique int node: @function ref, + int sig: @signature_type ref +); + +invoke_expr_signature( + unique int node: @invokeexpr ref, + int sig: @signature_type ref +); + +invoke_expr_overload_index( + unique int node: @invokeexpr ref, + int index: int ref +); + +symbols ( + unique int id: @symbol, + int kind: int ref, + varchar(900) name: string ref +); + +symbol_parent ( + unique int symbol: @symbol ref, + int parent: @symbol ref +); + +symbol_module ( + int symbol: @symbol ref, + varchar(900) moduleName: string ref +); + +symbol_global ( + int symbol: @symbol ref, + varchar(900) globalName: string ref +); + +case @symbol.kind of + 0 = @root_symbol +| 1 = @member_symbol +| 2 = @other_symbol +; + +@type_with_symbol = @typereference | @typevariabletype | @typeoftype | @uniquesymboltype; +@ast_node_with_symbol = @typedefinition | @namespacedefinition | @toplevel | @typeaccess | @namespaceaccess | @vardecl | @function | @invokeexpr; + +ast_node_symbol( + unique int node: @ast_node_with_symbol ref, + int symbol: @symbol ref); + +type_symbol( + unique int typ: @type_with_symbol ref, + int symbol: @symbol ref); + +#keyset[typ, name] +type_property( + int typ: @type ref, + varchar(900) name: string ref, + int propertyType: @type ref); + +@literaltype = @stringliteraltype | @numberliteraltype | @booleanliteraltype | @bigintliteraltype; +@type_with_literal_value = @stringliteraltype | @numberliteraltype | @bigintliteraltype; +type_literal_value( + unique int typ: @type_with_literal_value ref, + varchar(900) value: string ref); + +signature_types ( + unique int id: @signature_type, + int kind: int ref, + varchar(900) tostring: string ref, + int type_parameters: int ref, + int required_params: int ref +); + +case @signature_type.kind of + 0 = @function_signature_type +| 1 = @constructor_signature_type +; + +#keyset[typ, kind, index] +type_contains_signature ( + int typ: @type ref, + int kind: int ref, // constructor/call/index + int index: int ref, // ordering of overloaded signatures + int sig: @signature_type ref +); + +#keyset[parent, index] +signature_contains_type ( + int child: @type ref, + int parent: @signature_type ref, + int index: int ref +); + +#keyset[sig, index] +signature_parameter_name ( + int sig: @signature_type ref, + int index: int ref, + varchar(900) name: string ref +); + +number_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +string_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +base_type_names( + int typeName: @symbol ref, + int baseTypeName: @symbol ref +); + +self_types( + int typeName: @symbol ref, + int selfType: @typereference ref +); + +tuple_type_min_length( + unique int typ: @type ref, + int minLength: int ref +); + +tuple_type_rest( + unique int typ: @type ref +); + +// comments +comments (unique int id: @comment, + int kind: int ref, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(900) tostring: string ref); + +case @comment.kind of + 0 = @slashslashcomment +| 1 = @slashstarcomment +| 2 = @doccomment +| 3 = @htmlcommentstart +| 4 = @htmlcommentend; + +@htmlcomment = @htmlcommentstart | @htmlcommentend; +@linecomment = @slashslashcomment | @htmlcomment; +@blockcomment = @slashstarcomment | @doccomment; + +// source lines +lines (unique int id: @line, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(2) terminator: string ref); +indentation (int file: @file ref, + int lineno: int ref, + varchar(1) indentChar: string ref, + int indentDepth: int ref); + +// JavaScript parse errors +jsParseErrors (unique int id: @js_parse_error, + int toplevel: @toplevel ref, + varchar(900) message: string ref, + varchar(900) line: string ref); + +// regular expressions +#keyset[parent, idx] +regexpterm (unique int id: @regexpterm, + int kind: int ref, + int parent: @regexpparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +@regexpparent = @regexpterm | @regexpliteral; + +case @regexpterm.kind of + 0 = @regexp_alt +| 1 = @regexp_seq +| 2 = @regexp_caret +| 3 = @regexp_dollar +| 4 = @regexp_wordboundary +| 5 = @regexp_nonwordboundary +| 6 = @regexp_positive_lookahead +| 7 = @regexp_negative_lookahead +| 8 = @regexp_star +| 9 = @regexp_plus +| 10 = @regexp_opt +| 11 = @regexp_range +| 12 = @regexp_dot +| 13 = @regexp_group +| 14 = @regexp_normal_char +| 15 = @regexp_hex_escape +| 16 = @regexp_unicode_escape +| 17 = @regexp_dec_escape +| 18 = @regexp_oct_escape +| 19 = @regexp_ctrl_escape +| 20 = @regexp_char_class_escape +| 21 = @regexp_id_escape +| 22 = @regexp_backref +| 23 = @regexp_char_class +| 24 = @regexp_char_range +| 25 = @regexp_positive_lookbehind +| 26 = @regexp_negative_lookbehind +| 27 = @regexp_unicode_property_escape; + +regexpParseErrors (unique int id: @regexp_parse_error, + int regexp: @regexpterm ref, + varchar(900) message: string ref); + +@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; +@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; +@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; +@regexp_constant = @regexp_normal_char | @regexp_char_escape; +@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; +@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; +@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; + +isGreedy (int id: @regexp_quantifier ref); +rangeQuantifierLowerBound (unique int id: @regexp_range ref, int lo: int ref); +rangeQuantifierUpperBound (unique int id: @regexp_range ref, int hi: int ref); +isCapture (unique int id: @regexp_group ref, int number: int ref); +isNamedCapture (unique int id: @regexp_group ref, string name: string ref); +isInverted (int id: @regexp_char_class ref); +regexpConstValue (unique int id: @regexp_constant ref, varchar(1) value: string ref); +charClassEscape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); +backref (unique int id: @regexp_backref ref, int value: int ref); +namedBackref (unique int id: @regexp_backref ref, string name: string ref); +unicodePropertyEscapeName (unique int id: @regexp_unicode_property_escape ref, string name: string ref); +unicodePropertyEscapeValue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); + +// tokens +#keyset[toplevel, idx] +tokeninfo (unique int id: @token, + int kind: int ref, + int toplevel: @toplevel ref, + int idx: int ref, + varchar(900) value: string ref); + +case @token.kind of + 0 = @token_eof +| 1 = @token_null_literal +| 2 = @token_boolean_literal +| 3 = @token_numeric_literal +| 4 = @token_string_literal +| 5 = @token_regular_expression +| 6 = @token_identifier +| 7 = @token_keyword +| 8 = @token_punctuator; + +// associate comments with the token immediately following them (which may be EOF) +next_token (int comment: @comment ref, int token: @token ref); + +// JSON +#keyset[parent, idx] +json (unique int id: @json_value, + int kind: int ref, + int parent: @json_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +json_literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @json_value ref); + +json_properties (int obj: @json_object ref, + varchar(900) property: string ref, + int value: @json_value ref); + +json_errors (unique int id: @json_parse_error, + varchar(900) message: string ref); + +json_locations(unique int locatable: @json_locatable ref, + int location: @location_default ref); + +case @json_value.kind of + 0 = @json_null +| 1 = @json_boolean +| 2 = @json_number +| 3 = @json_string +| 4 = @json_array +| 5 = @json_object; + +@json_parent = @json_object | @json_array | @file; + +@json_locatable = @json_value | @json_parse_error; + +// locations +@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr; + +@locatable = @file + | @ast_node + | @comment + | @line + | @js_parse_error | @regexp_parse_error + | @regexpterm + | @json_locatable + | @token + | @cfg_node + | @jsdoc | @jsdoc_type_expr | @jsdoc_tag + | @yaml_locatable + | @xmllocatable + | @configLocatable; + +hasLocation (unique int locatable: @locatable ref, + int location: @location ref); + +// CFG +entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref); +exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref); +guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref); +case @guard_node.kind of + 0 = @falsy_guard +| 1 = @truthy_guard; +@condition_guard = @falsy_guard | @truthy_guard; + +@synthetic_cfg_node = @entry_node | @exit_node | @guard_node; +@cfg_node = @synthetic_cfg_node | @exprparent; + +successor (int pred: @cfg_node ref, int succ: @cfg_node ref); + +// JSDoc comments +jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref); +#keyset[parent, idx] +jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref, + int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref); +jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); +jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); + +#keyset[parent, idx] +jsdoc_type_exprs (unique int id: @jsdoc_type_expr, + int kind: int ref, + int parent: @jsdoc_type_expr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); +case @jsdoc_type_expr.kind of + 0 = @jsdoc_any_type_expr +| 1 = @jsdoc_null_type_expr +| 2 = @jsdoc_undefined_type_expr +| 3 = @jsdoc_unknown_type_expr +| 4 = @jsdoc_void_type_expr +| 5 = @jsdoc_named_type_expr +| 6 = @jsdoc_applied_type_expr +| 7 = @jsdoc_nullable_type_expr +| 8 = @jsdoc_non_nullable_type_expr +| 9 = @jsdoc_record_type_expr +| 10 = @jsdoc_array_type_expr +| 11 = @jsdoc_union_type_expr +| 12 = @jsdoc_function_type_expr +| 13 = @jsdoc_optional_type_expr +| 14 = @jsdoc_rest_type_expr +; + +#keyset[id, idx] +jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref); +jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref); +jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref); + +@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag; + +jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref); + +// YAML +#keyset[parent, idx] +yaml (unique int id: @yaml_node, + int kind: int ref, + int parent: @yaml_node_parent ref, + int idx: int ref, + varchar(900) tag: string ref, + varchar(900) tostring: string ref); + +case @yaml_node.kind of + 0 = @yaml_scalar_node +| 1 = @yaml_mapping_node +| 2 = @yaml_sequence_node +| 3 = @yaml_alias_node +; + +@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; + +@yaml_node_parent = @yaml_collection_node | @file; + +yaml_anchors (unique int node: @yaml_node ref, + varchar(900) anchor: string ref); + +yaml_aliases (unique int alias: @yaml_alias_node ref, + varchar(900) target: string ref); + +yaml_scalars (unique int scalar: @yaml_scalar_node ref, + int style: int ref, + varchar(900) value: string ref); + +yaml_errors (unique int id: @yaml_error, + varchar(900) message: string ref); + +yaml_locations(unique int locatable: @yaml_locatable ref, + int location: @location_default ref); + +@yaml_locatable = @yaml_node | @yaml_error; + +/* XML Files */ + +xmlEncoding( + unique int id: @file ref, + varchar(900) encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + varchar(900) root: string ref, + varchar(900) publicId: string ref, + varchar(900) systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + varchar(900) name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + varchar(900) name: string ref, + varchar(3600) value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + varchar(900) prefixName: string ref, + varchar(900) URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: @file ref +); + +@xmlparent = @file | @xmlelement; +@xmlnamespaceable = @xmlelement | @xmlattribute; + +xmllocations( + int xmlElement: @xmllocatable ref, + int location: @location_default ref +); + +@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; + +@dataflownode = @expr | @functiondeclstmt | @classdeclstmt | @namespacedeclaration | @enumdeclaration | @property; + +@optionalchainable = @callexpr | @propaccess; + +isOptionalChaining(int id: @optionalchainable ref); + +/* + * configuration files with key value pairs + */ + +configs( + unique int id: @config +); + +configNames( + unique int id: @configName, + int config: @config ref, + string name: string ref +); + +configValues( + unique int id: @configValue, + int config: @config ref, + string value: string ref +); + +configLocations( + int locatable: @configLocatable ref, + int location: @location_default ref +); + +@configLocatable = @config | @configName | @configValue; + +/** + * The time taken for the extraction of a file. + * This table contains non-deterministic content. + * + * The sum of the `time` column for each (`file`, `timerKind`) pair + * is the total time taken for extraction of `file`. The `extractionPhase` + * column provides a granular view of the extraction time of the file. + */ +extraction_time( + int file : @file ref, + // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`. + int extractionPhase: int ref, + // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds + int timerKind: int ref, + float time: float ref +) + +/** + * Non-timing related data for the extraction of a single file. + * This table contains non-deterministic content. + */ +extraction_data( + int file : @file ref, + // the absolute path to the cache file + varchar(900) cacheFile: string ref, + boolean fromCache: boolean ref, + int length: int ref +) diff --git a/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/semmlecode.javascript.dbscheme b/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/semmlecode.javascript.dbscheme new file mode 100644 index 00000000000..5a5adbf98dc --- /dev/null +++ b/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/semmlecode.javascript.dbscheme @@ -0,0 +1,1175 @@ +/*** Standard fragments ***/ + +/** Files and folders **/ + +@location = @location_default; + +locations_default(unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref + ); + +@sourceline = @locatable; + +numlines(int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref + ); + + +/* + fromSource(0) = unknown, + fromSource(1) = from source, + fromSource(2) = from library +*/ +files(unique int id: @file, + varchar(900) name: string ref, + varchar(900) simple: string ref, + varchar(900) ext: string ref, + int fromSource: int ref); + +folders(unique int id: @folder, + varchar(900) name: string ref, + varchar(900) simple: string ref); + + +@container = @folder | @file ; + + +containerparent(int parent: @container ref, + unique int child: @container ref); + +/** Duplicate code **/ + +duplicateCode( + unique int id : @duplication, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +similarCode( + unique int id : @similarity, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +@duplication_or_similarity = @duplication | @similarity; + +tokens( + int id : @duplication_or_similarity ref, + int offset : int ref, + int beginLine : int ref, + int beginColumn : int ref, + int endLine : int ref, + int endColumn : int ref); + +/** External data **/ + +externalData( + int id : @externalDataElement, + varchar(900) path : string ref, + int column: int ref, + varchar(900) value : string ref +); + +snapshotDate(unique date snapshotDate : date ref); + +sourceLocationPrefix(varchar(900) prefix : string ref); + +/** Version control data **/ + +svnentries( + int id : @svnentry, + varchar(500) revision : string ref, + varchar(500) author : string ref, + date revisionDate : date ref, + int changeSize : int ref +); + +svnaffectedfiles( + int id : @svnentry ref, + int file : @file ref, + varchar(500) action : string ref +); + +svnentrymsg( + int id : @svnentry ref, + varchar(500) message : string ref +); + +svnchurn( + int commit : @svnentry ref, + int file : @file ref, + int addedLines : int ref, + int deletedLines : int ref +); + + +/*** JavaScript-specific part ***/ + +filetype( + int file: @file ref, + string filetype: string ref +) + +// top-level code fragments +toplevels (unique int id: @toplevel, + int kind: int ref); + +isExterns (int toplevel: @toplevel ref); + +case @toplevel.kind of + 0 = @script +| 1 = @inline_script +| 2 = @event_handler +| 3 = @javascript_url; + +isModule (int tl: @toplevel ref); +isNodejs (int tl: @toplevel ref); +isES2015Module (int tl: @toplevel ref); +isClosureModule (int tl: @toplevel ref); + +// statements +#keyset[parent, idx] +stmts (unique int id: @stmt, + int kind: int ref, + int parent: @stmtparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +stmtContainers (unique int stmt: @stmt ref, + int container: @stmt_container ref); + +jumpTargets (unique int jump: @stmt ref, + int target: @stmt ref); + +@stmtparent = @stmt | @toplevel | @functionexpr | @arrowfunctionexpr; +@stmt_container = @toplevel | @function | @namespacedeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; + +case @stmt.kind of + 0 = @emptystmt +| 1 = @blockstmt +| 2 = @exprstmt +| 3 = @ifstmt +| 4 = @labeledstmt +| 5 = @breakstmt +| 6 = @continuestmt +| 7 = @withstmt +| 8 = @switchstmt +| 9 = @returnstmt +| 10 = @throwstmt +| 11 = @trystmt +| 12 = @whilestmt +| 13 = @dowhilestmt +| 14 = @forstmt +| 15 = @forinstmt +| 16 = @debuggerstmt +| 17 = @functiondeclstmt +| 18 = @vardeclstmt +| 19 = @case +| 20 = @catchclause +| 21 = @forofstmt +| 22 = @constdeclstmt +| 23 = @letstmt +| 24 = @legacy_letstmt +| 25 = @foreachstmt +| 26 = @classdeclstmt +| 27 = @importdeclaration +| 28 = @exportalldeclaration +| 29 = @exportdefaultdeclaration +| 30 = @exportnameddeclaration +| 31 = @namespacedeclaration +| 32 = @importequalsdeclaration +| 33 = @exportassigndeclaration +| 34 = @interfacedeclaration +| 35 = @typealiasdeclaration +| 36 = @enumdeclaration +| 37 = @externalmoduledeclaration +| 38 = @exportasnamespacedeclaration +| 39 = @globalaugmentationdeclaration +; + +@declstmt = @vardeclstmt | @constdeclstmt | @letstmt | @legacy_letstmt; + +@exportdeclaration = @exportalldeclaration | @exportdefaultdeclaration | @exportnameddeclaration; + +@namespacedefinition = @namespacedeclaration | @enumdeclaration; +@typedefinition = @classdefinition | @interfacedeclaration | @enumdeclaration | @typealiasdeclaration | @enum_member; + +isInstantiated(unique int decl: @namespacedeclaration ref); + +@declarablenode = @declstmt | @namespacedeclaration | @classdeclstmt | @functiondeclstmt | @enumdeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration | @field; +hasDeclareKeyword(unique int stmt: @declarablenode ref); + +isForAwaitOf(unique int forof: @forofstmt ref); + +// expressions +#keyset[parent, idx] +exprs (unique int id: @expr, + int kind: int ref, + int parent: @exprparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @exprortype ref); + +enclosingStmt (unique int expr: @exprortype ref, + int stmt: @stmt ref); + +exprContainers (unique int expr: @exprortype ref, + int container: @stmt_container ref); + +arraySize (unique int ae: @arraylike ref, + int sz: int ref); + +isDelegating (int yield: @yieldexpr ref); + +@exprorstmt = @expr | @stmt; +@exprortype = @expr | @typeexpr; +@exprparent = @exprorstmt | @property | @functiontypeexpr; +@arraylike = @arrayexpr | @arraypattern; +@type_annotation = @typeexpr | @jsdoc_type_expr; + +case @expr.kind of + 0 = @label +| 1 = @nullliteral +| 2 = @booleanliteral +| 3 = @numberliteral +| 4 = @stringliteral +| 5 = @regexpliteral +| 6 = @thisexpr +| 7 = @arrayexpr +| 8 = @objexpr +| 9 = @functionexpr +| 10 = @seqexpr +| 11 = @conditionalexpr +| 12 = @newexpr +| 13 = @callexpr +| 14 = @dotexpr +| 15 = @indexexpr +| 16 = @negexpr +| 17 = @plusexpr +| 18 = @lognotexpr +| 19 = @bitnotexpr +| 20 = @typeofexpr +| 21 = @voidexpr +| 22 = @deleteexpr +| 23 = @eqexpr +| 24 = @neqexpr +| 25 = @eqqexpr +| 26 = @neqqexpr +| 27 = @ltexpr +| 28 = @leexpr +| 29 = @gtexpr +| 30 = @geexpr +| 31 = @lshiftexpr +| 32 = @rshiftexpr +| 33 = @urshiftexpr +| 34 = @addexpr +| 35 = @subexpr +| 36 = @mulexpr +| 37 = @divexpr +| 38 = @modexpr +| 39 = @bitorexpr +| 40 = @xorexpr +| 41 = @bitandexpr +| 42 = @inexpr +| 43 = @instanceofexpr +| 44 = @logandexpr +| 45 = @logorexpr +| 47 = @assignexpr +| 48 = @assignaddexpr +| 49 = @assignsubexpr +| 50 = @assignmulexpr +| 51 = @assigndivexpr +| 52 = @assignmodexpr +| 53 = @assignlshiftexpr +| 54 = @assignrshiftexpr +| 55 = @assignurshiftexpr +| 56 = @assignorexpr +| 57 = @assignxorexpr +| 58 = @assignandexpr +| 59 = @preincexpr +| 60 = @postincexpr +| 61 = @predecexpr +| 62 = @postdecexpr +| 63 = @parexpr +| 64 = @vardeclarator +| 65 = @arrowfunctionexpr +| 66 = @spreadelement +| 67 = @arraypattern +| 68 = @objectpattern +| 69 = @yieldexpr +| 70 = @taggedtemplateexpr +| 71 = @templateliteral +| 72 = @templateelement +| 73 = @arraycomprehensionexpr +| 74 = @generatorexpr +| 75 = @forincomprehensionblock +| 76 = @forofcomprehensionblock +| 77 = @legacy_letexpr +| 78 = @vardecl +| 79 = @proper_varaccess +| 80 = @classexpr +| 81 = @superexpr +| 82 = @newtargetexpr +| 83 = @namedimportspecifier +| 84 = @importdefaultspecifier +| 85 = @importnamespacespecifier +| 86 = @namedexportspecifier +| 87 = @expexpr +| 88 = @assignexpexpr +| 89 = @jsxelement +| 90 = @jsxqualifiedname +| 91 = @jsxemptyexpr +| 92 = @awaitexpr +| 93 = @functionsentexpr +| 94 = @decorator +| 95 = @exportdefaultspecifier +| 96 = @exportnamespacespecifier +| 97 = @bindexpr +| 98 = @externalmodulereference +| 99 = @dynamicimport +| 100 = @expressionwithtypearguments +| 101 = @prefixtypeassertion +| 102 = @astypeassertion +| 103 = @export_varaccess +| 104 = @decorator_list +| 105 = @non_null_assertion +| 106 = @bigintliteral +| 107 = @nullishcoalescingexpr +| 108 = @e4x_xml_anyname +| 109 = @e4x_xml_static_attribute_selector +| 110 = @e4x_xml_dynamic_attribute_selector +| 111 = @e4x_xml_filter_expression +| 112 = @e4x_xml_static_qualident +| 113 = @e4x_xml_dynamic_qualident +| 114 = @e4x_xml_dotdotexpr +| 115 = @importmetaexpr +; + +@varaccess = @proper_varaccess | @export_varaccess; +@varref = @vardecl | @varaccess; + +@identifier = @label | @varref | @typeidentifier; + +@literal = @nullliteral | @booleanliteral | @numberliteral | @stringliteral | @regexpliteral | @bigintliteral; + +@propaccess = @dotexpr | @indexexpr; + +@invokeexpr = @newexpr | @callexpr; + +@unaryexpr = @negexpr | @plusexpr | @lognotexpr | @bitnotexpr | @typeofexpr | @voidexpr | @deleteexpr | @spreadelement; + +@equalitytest = @eqexpr | @neqexpr | @eqqexpr | @neqqexpr; + +@comparison = @equalitytest | @ltexpr | @leexpr | @gtexpr | @geexpr; + +@binaryexpr = @comparison | @lshiftexpr | @rshiftexpr | @urshiftexpr | @addexpr | @subexpr | @mulexpr | @divexpr | @modexpr | @expexpr | @bitorexpr | @xorexpr | @bitandexpr | @inexpr | @instanceofexpr | @logandexpr | @logorexpr | @nullishcoalescingexpr; + +@assignment = @assignexpr | @assignaddexpr | @assignsubexpr | @assignmulexpr | @assigndivexpr | @assignmodexpr | @assignexpexpr | @assignlshiftexpr | @assignrshiftexpr | @assignurshiftexpr | @assignorexpr | @assignxorexpr | @assignandexpr; + +@updateexpr = @preincexpr | @postincexpr | @predecexpr | @postdecexpr; + +@pattern = @varref | @arraypattern | @objectpattern; + +@comprehensionexpr = @arraycomprehensionexpr | @generatorexpr; + +@comprehensionblock = @forincomprehensionblock | @forofcomprehensionblock; + +@importspecifier = @namedimportspecifier | @importdefaultspecifier | @importnamespacespecifier; + +@exportspecifier = @namedexportspecifier | @exportdefaultspecifier | @exportnamespacespecifier; + +@typeassertion = @astypeassertion | @prefixtypeassertion; + +@classdefinition = @classdeclstmt | @classexpr; +@interfacedefinition = @interfacedeclaration | @interfacetypeexpr; +@classorinterface = @classdefinition | @interfacedefinition; + +@lexical_decl = @vardecl | @typedecl; +@lexical_access = @varaccess | @localtypeaccess | @localvartypeaccess | @localnamespaceaccess; +@lexical_ref = @lexical_decl | @lexical_access; + +@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; +@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; + +// scopes +scopes (unique int id: @scope, + int kind: int ref); + +case @scope.kind of + 0 = @globalscope +| 1 = @functionscope +| 2 = @catchscope +| 3 = @modulescope +| 4 = @blockscope +| 5 = @forscope +| 6 = @forinscope // for-of scopes work the same as for-in scopes +| 7 = @comprehensionblockscope +| 8 = @classexprscope +| 9 = @namespacescope +| 10 = @classdeclscope +| 11 = @interfacescope +| 12 = @typealiasscope +| 13 = @mappedtypescope +| 14 = @enumscope +| 15 = @externalmodulescope +| 16 = @conditionaltypescope; + +scopenodes (unique int node: @ast_node ref, + int scope: @scope ref); + +scopenesting (unique int inner: @scope ref, + int outer: @scope ref); + +// functions +@function = @functiondeclstmt | @functionexpr | @arrowfunctionexpr; + +@parameterized = @function | @catchclause; +@type_parameterized = @function | @classorinterface | @typealiasdeclaration | @mappedtypeexpr | @infertypeexpr; + +isGenerator (int fun: @function ref); +hasRestParameter (int fun: @function ref); +isAsync (int fun: @function ref); + +// variables and lexically scoped type names +#keyset[scope, name] +variables (unique int id: @variable, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_type_names (unique int id: @local_type_name, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_namespace_names (unique int id: @local_namespace_name, + varchar(900) name: string ref, + int scope: @scope ref); + +isArgumentsObject (int id: @variable ref); + +@lexical_name = @variable | @local_type_name | @local_namespace_name; + +@bind_id = @varaccess | @localvartypeaccess; +bind (unique int id: @bind_id ref, + int decl: @variable ref); + +decl (unique int id: @vardecl ref, + int decl: @variable ref); + +@typebind_id = @localtypeaccess | @export_varaccess; +typebind (unique int id: @typebind_id ref, + int decl: @local_type_name ref); + +@typedecl_id = @typedecl | @vardecl; +typedecl (unique int id: @typedecl_id ref, + int decl: @local_type_name ref); + +namespacedecl (unique int id: @vardecl ref, + int decl: @local_namespace_name ref); + +@namespacebind_id = @localnamespaceaccess | @export_varaccess; +namespacebind (unique int id: @namespacebind_id ref, + int decl: @local_namespace_name ref); + + +// properties in object literals, property patterns in object patterns, and method declarations in classes +#keyset[parent, index] +properties (unique int id: @property, + int parent: @property_parent ref, + int index: int ref, + int kind: int ref, + varchar(900) tostring: string ref); + +case @property.kind of + 0 = @value_property +| 1 = @property_getter +| 2 = @property_setter +| 3 = @jsx_attribute +| 4 = @function_call_signature +| 5 = @constructor_call_signature +| 6 = @index_signature +| 7 = @enum_member +| 8 = @proper_field +| 9 = @parameter_field +; + +@property_parent = @objexpr | @objectpattern | @classdefinition | @jsxelement | @interfacedefinition | @enumdeclaration; +@property_accessor = @property_getter | @property_setter; +@call_signature = @function_call_signature | @constructor_call_signature; +@field = @proper_field | @parameter_field; +@field_or_vardeclarator = @field | @vardeclarator; + +isComputed (int id: @property ref); +isMethod (int id: @property ref); +isStatic (int id: @property ref); +isAbstractMember (int id: @property ref); +isConstEnum (int id: @enumdeclaration ref); +isAbstractClass (int id: @classdeclstmt ref); + +hasPublicKeyword (int id: @property ref); +hasPrivateKeyword (int id: @property ref); +hasProtectedKeyword (int id: @property ref); +hasReadonlyKeyword (int id: @property ref); +isOptionalMember (int id: @property ref); +hasDefiniteAssignmentAssertion (int id: @field_or_vardeclarator ref); + +#keyset[constructor, param_index] +parameter_fields( + unique int field: @parameter_field ref, + int constructor: @functionexpr ref, + int param_index: int ref +); + +// types +#keyset[parent, idx] +typeexprs ( + unique int id: @typeexpr, + int kind: int ref, + int parent: @typeexpr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref +); + +case @typeexpr.kind of + 0 = @localtypeaccess +| 1 = @typedecl +| 2 = @keywordtypeexpr +| 3 = @stringliteraltypeexpr +| 4 = @numberliteraltypeexpr +| 5 = @booleanliteraltypeexpr +| 6 = @arraytypeexpr +| 7 = @uniontypeexpr +| 8 = @indexedaccesstypeexpr +| 9 = @intersectiontypeexpr +| 10 = @parenthesizedtypeexpr +| 11 = @tupletypeexpr +| 12 = @keyoftypeexpr +| 13 = @qualifiedtypeaccess +| 14 = @generictypeexpr +| 15 = @typelabel +| 16 = @typeoftypeexpr +| 17 = @localvartypeaccess +| 18 = @qualifiedvartypeaccess +| 19 = @thisvartypeaccess +| 20 = @predicatetypeexpr +| 21 = @interfacetypeexpr +| 22 = @typeparameter +| 23 = @plainfunctiontypeexpr +| 24 = @constructortypeexpr +| 25 = @localnamespaceaccess +| 26 = @qualifiednamespaceaccess +| 27 = @mappedtypeexpr +| 28 = @conditionaltypeexpr +| 29 = @infertypeexpr +| 30 = @importtypeaccess +| 31 = @importnamespaceaccess +| 32 = @importvartypeaccess +| 33 = @optionaltypeexpr +| 34 = @resttypeexpr +| 35 = @bigintliteraltypeexpr +| 36 = @readonlytypeexpr +; + +@typeref = @typeaccess | @typedecl; +@typeidentifier = @typedecl | @localtypeaccess | @typelabel | @localvartypeaccess | @localnamespaceaccess; +@typeexpr_parent = @expr | @stmt | @property | @typeexpr; +@literaltypeexpr = @stringliteraltypeexpr | @numberliteraltypeexpr | @booleanliteraltypeexpr | @bigintliteraltypeexpr; +@typeaccess = @localtypeaccess | @qualifiedtypeaccess | @importtypeaccess; +@vartypeaccess = @localvartypeaccess | @qualifiedvartypeaccess | @thisvartypeaccess | @importvartypeaccess; +@namespaceaccess = @localnamespaceaccess | @qualifiednamespaceaccess | @importnamespaceaccess; +@importtypeexpr = @importtypeaccess | @importnamespaceaccess | @importvartypeaccess; + +@functiontypeexpr = @plainfunctiontypeexpr | @constructortypeexpr; + +// types +types ( + unique int id: @type, + int kind: int ref, + varchar(900) tostring: string ref +); + +#keyset[parent, idx] +type_child ( + int child: @type ref, + int parent: @type ref, + int idx: int ref +); + +case @type.kind of + 0 = @anytype +| 1 = @stringtype +| 2 = @numbertype +| 3 = @uniontype +| 4 = @truetype +| 5 = @falsetype +| 6 = @typereference +| 7 = @objecttype +| 8 = @canonicaltypevariabletype +| 9 = @typeoftype +| 10 = @voidtype +| 11 = @undefinedtype +| 12 = @nulltype +| 13 = @nevertype +| 14 = @plainsymboltype +| 15 = @uniquesymboltype +| 16 = @objectkeywordtype +| 17 = @intersectiontype +| 18 = @tupletype +| 19 = @lexicaltypevariabletype +| 20 = @thistype +| 21 = @numberliteraltype +| 22 = @stringliteraltype +| 23 = @unknowntype +| 24 = @biginttype +| 25 = @bigintliteraltype +; + +@booleanliteraltype = @truetype | @falsetype; +@symboltype = @plainsymboltype | @uniquesymboltype; +@unionorintersectiontype = @uniontype | @intersectiontype; +@typevariabletype = @canonicaltypevariabletype | @lexicaltypevariabletype; + +hasAssertsKeyword(int node: @predicatetypeexpr ref); + +@typed_ast_node = @expr | @typeexpr | @function; +ast_node_type( + unique int node: @typed_ast_node ref, + int typ: @type ref); + +declared_function_signature( + unique int node: @function ref, + int sig: @signature_type ref +); + +invoke_expr_signature( + unique int node: @invokeexpr ref, + int sig: @signature_type ref +); + +invoke_expr_overload_index( + unique int node: @invokeexpr ref, + int index: int ref +); + +symbols ( + unique int id: @symbol, + int kind: int ref, + varchar(900) name: string ref +); + +symbol_parent ( + unique int symbol: @symbol ref, + int parent: @symbol ref +); + +symbol_module ( + int symbol: @symbol ref, + varchar(900) moduleName: string ref +); + +symbol_global ( + int symbol: @symbol ref, + varchar(900) globalName: string ref +); + +case @symbol.kind of + 0 = @root_symbol +| 1 = @member_symbol +| 2 = @other_symbol +; + +@type_with_symbol = @typereference | @typevariabletype | @typeoftype | @uniquesymboltype; +@ast_node_with_symbol = @typedefinition | @namespacedefinition | @toplevel | @typeaccess | @namespaceaccess | @vardecl | @function | @invokeexpr; + +ast_node_symbol( + unique int node: @ast_node_with_symbol ref, + int symbol: @symbol ref); + +type_symbol( + unique int typ: @type_with_symbol ref, + int symbol: @symbol ref); + +#keyset[typ, name] +type_property( + int typ: @type ref, + varchar(900) name: string ref, + int propertyType: @type ref); + +@literaltype = @stringliteraltype | @numberliteraltype | @booleanliteraltype | @bigintliteraltype; +@type_with_literal_value = @stringliteraltype | @numberliteraltype | @bigintliteraltype; +type_literal_value( + unique int typ: @type_with_literal_value ref, + varchar(900) value: string ref); + +signature_types ( + unique int id: @signature_type, + int kind: int ref, + varchar(900) tostring: string ref, + int type_parameters: int ref, + int required_params: int ref +); + +case @signature_type.kind of + 0 = @function_signature_type +| 1 = @constructor_signature_type +; + +#keyset[typ, kind, index] +type_contains_signature ( + int typ: @type ref, + int kind: int ref, // constructor/call/index + int index: int ref, // ordering of overloaded signatures + int sig: @signature_type ref +); + +#keyset[parent, index] +signature_contains_type ( + int child: @type ref, + int parent: @signature_type ref, + int index: int ref +); + +#keyset[sig, index] +signature_parameter_name ( + int sig: @signature_type ref, + int index: int ref, + varchar(900) name: string ref +); + +number_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +string_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +base_type_names( + int typeName: @symbol ref, + int baseTypeName: @symbol ref +); + +self_types( + int typeName: @symbol ref, + int selfType: @typereference ref +); + +tuple_type_min_length( + unique int typ: @type ref, + int minLength: int ref +); + +tuple_type_rest( + unique int typ: @type ref +); + +// comments +comments (unique int id: @comment, + int kind: int ref, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(900) tostring: string ref); + +case @comment.kind of + 0 = @slashslashcomment +| 1 = @slashstarcomment +| 2 = @doccomment +| 3 = @htmlcommentstart +| 4 = @htmlcommentend; + +@htmlcomment = @htmlcommentstart | @htmlcommentend; +@linecomment = @slashslashcomment | @htmlcomment; +@blockcomment = @slashstarcomment | @doccomment; + +// source lines +lines (unique int id: @line, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(2) terminator: string ref); +indentation (int file: @file ref, + int lineno: int ref, + varchar(1) indentChar: string ref, + int indentDepth: int ref); + +// JavaScript parse errors +jsParseErrors (unique int id: @js_parse_error, + int toplevel: @toplevel ref, + varchar(900) message: string ref, + varchar(900) line: string ref); + +// regular expressions +#keyset[parent, idx] +regexpterm (unique int id: @regexpterm, + int kind: int ref, + int parent: @regexpparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +@regexpparent = @regexpterm | @regexpliteral; + +case @regexpterm.kind of + 0 = @regexp_alt +| 1 = @regexp_seq +| 2 = @regexp_caret +| 3 = @regexp_dollar +| 4 = @regexp_wordboundary +| 5 = @regexp_nonwordboundary +| 6 = @regexp_positive_lookahead +| 7 = @regexp_negative_lookahead +| 8 = @regexp_star +| 9 = @regexp_plus +| 10 = @regexp_opt +| 11 = @regexp_range +| 12 = @regexp_dot +| 13 = @regexp_group +| 14 = @regexp_normal_char +| 15 = @regexp_hex_escape +| 16 = @regexp_unicode_escape +| 17 = @regexp_dec_escape +| 18 = @regexp_oct_escape +| 19 = @regexp_ctrl_escape +| 20 = @regexp_char_class_escape +| 21 = @regexp_id_escape +| 22 = @regexp_backref +| 23 = @regexp_char_class +| 24 = @regexp_char_range +| 25 = @regexp_positive_lookbehind +| 26 = @regexp_negative_lookbehind +| 27 = @regexp_unicode_property_escape; + +regexpParseErrors (unique int id: @regexp_parse_error, + int regexp: @regexpterm ref, + varchar(900) message: string ref); + +@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; +@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; +@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; +@regexp_constant = @regexp_normal_char | @regexp_char_escape; +@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; +@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; +@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; + +isGreedy (int id: @regexp_quantifier ref); +rangeQuantifierLowerBound (unique int id: @regexp_range ref, int lo: int ref); +rangeQuantifierUpperBound (unique int id: @regexp_range ref, int hi: int ref); +isCapture (unique int id: @regexp_group ref, int number: int ref); +isNamedCapture (unique int id: @regexp_group ref, string name: string ref); +isInverted (int id: @regexp_char_class ref); +regexpConstValue (unique int id: @regexp_constant ref, varchar(1) value: string ref); +charClassEscape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); +backref (unique int id: @regexp_backref ref, int value: int ref); +namedBackref (unique int id: @regexp_backref ref, string name: string ref); +unicodePropertyEscapeName (unique int id: @regexp_unicode_property_escape ref, string name: string ref); +unicodePropertyEscapeValue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); + +// tokens +#keyset[toplevel, idx] +tokeninfo (unique int id: @token, + int kind: int ref, + int toplevel: @toplevel ref, + int idx: int ref, + varchar(900) value: string ref); + +case @token.kind of + 0 = @token_eof +| 1 = @token_null_literal +| 2 = @token_boolean_literal +| 3 = @token_numeric_literal +| 4 = @token_string_literal +| 5 = @token_regular_expression +| 6 = @token_identifier +| 7 = @token_keyword +| 8 = @token_punctuator; + +// associate comments with the token immediately following them (which may be EOF) +next_token (int comment: @comment ref, int token: @token ref); + +// JSON +#keyset[parent, idx] +json (unique int id: @json_value, + int kind: int ref, + int parent: @json_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +json_literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @json_value ref); + +json_properties (int obj: @json_object ref, + varchar(900) property: string ref, + int value: @json_value ref); + +json_errors (unique int id: @json_parse_error, + varchar(900) message: string ref); + +json_locations(unique int locatable: @json_locatable ref, + int location: @location_default ref); + +case @json_value.kind of + 0 = @json_null +| 1 = @json_boolean +| 2 = @json_number +| 3 = @json_string +| 4 = @json_array +| 5 = @json_object; + +@json_parent = @json_object | @json_array | @file; + +@json_locatable = @json_value | @json_parse_error; + +// locations +@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr; + +@locatable = @file + | @ast_node + | @comment + | @line + | @js_parse_error | @regexp_parse_error + | @regexpterm + | @json_locatable + | @token + | @cfg_node + | @jsdoc | @jsdoc_type_expr | @jsdoc_tag + | @yaml_locatable + | @xmllocatable + | @configLocatable; + +hasLocation (unique int locatable: @locatable ref, + int location: @location ref); + +// CFG +entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref); +exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref); +guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref); +case @guard_node.kind of + 0 = @falsy_guard +| 1 = @truthy_guard; +@condition_guard = @falsy_guard | @truthy_guard; + +@synthetic_cfg_node = @entry_node | @exit_node | @guard_node; +@cfg_node = @synthetic_cfg_node | @exprparent; + +successor (int pred: @cfg_node ref, int succ: @cfg_node ref); + +// JSDoc comments +jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref); +#keyset[parent, idx] +jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref, + int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref); +jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); +jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); + +#keyset[parent, idx] +jsdoc_type_exprs (unique int id: @jsdoc_type_expr, + int kind: int ref, + int parent: @jsdoc_type_expr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); +case @jsdoc_type_expr.kind of + 0 = @jsdoc_any_type_expr +| 1 = @jsdoc_null_type_expr +| 2 = @jsdoc_undefined_type_expr +| 3 = @jsdoc_unknown_type_expr +| 4 = @jsdoc_void_type_expr +| 5 = @jsdoc_named_type_expr +| 6 = @jsdoc_applied_type_expr +| 7 = @jsdoc_nullable_type_expr +| 8 = @jsdoc_non_nullable_type_expr +| 9 = @jsdoc_record_type_expr +| 10 = @jsdoc_array_type_expr +| 11 = @jsdoc_union_type_expr +| 12 = @jsdoc_function_type_expr +| 13 = @jsdoc_optional_type_expr +| 14 = @jsdoc_rest_type_expr +; + +#keyset[id, idx] +jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref); +jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref); +jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref); + +@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag; + +jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref); + +// YAML +#keyset[parent, idx] +yaml (unique int id: @yaml_node, + int kind: int ref, + int parent: @yaml_node_parent ref, + int idx: int ref, + varchar(900) tag: string ref, + varchar(900) tostring: string ref); + +case @yaml_node.kind of + 0 = @yaml_scalar_node +| 1 = @yaml_mapping_node +| 2 = @yaml_sequence_node +| 3 = @yaml_alias_node +; + +@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; + +@yaml_node_parent = @yaml_collection_node | @file; + +yaml_anchors (unique int node: @yaml_node ref, + varchar(900) anchor: string ref); + +yaml_aliases (unique int alias: @yaml_alias_node ref, + varchar(900) target: string ref); + +yaml_scalars (unique int scalar: @yaml_scalar_node ref, + int style: int ref, + varchar(900) value: string ref); + +yaml_errors (unique int id: @yaml_error, + varchar(900) message: string ref); + +yaml_locations(unique int locatable: @yaml_locatable ref, + int location: @location_default ref); + +@yaml_locatable = @yaml_node | @yaml_error; + +/* XML Files */ + +xmlEncoding( + unique int id: @file ref, + varchar(900) encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + varchar(900) root: string ref, + varchar(900) publicId: string ref, + varchar(900) systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + varchar(900) name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + varchar(900) name: string ref, + varchar(3600) value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + varchar(900) prefixName: string ref, + varchar(900) URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: @file ref +); + +@xmlparent = @file | @xmlelement; +@xmlnamespaceable = @xmlelement | @xmlattribute; + +xmllocations( + int xmlElement: @xmllocatable ref, + int location: @location_default ref +); + +@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; + +@dataflownode = @expr | @functiondeclstmt | @classdeclstmt | @namespacedeclaration | @enumdeclaration | @property; + +@optionalchainable = @callexpr | @propaccess; + +isOptionalChaining(int id: @optionalchainable ref); + +/* + * configuration files with key value pairs + */ + +configs( + unique int id: @config +); + +configNames( + unique int id: @configName, + int config: @config ref, + string name: string ref +); + +configValues( + unique int id: @configValue, + int config: @config ref, + string value: string ref +); + +configLocations( + int locatable: @configLocatable ref, + int location: @location_default ref +); + +@configLocatable = @config | @configName | @configValue; + +/** + * The time taken for the extraction of a file. + * This table contains non-deterministic content. + * + * The sum of the `time` column for each (`file`, `timerKind`) pair + * is the total time taken for extraction of `file`. The `extractionPhase` + * column provides a granular view of the extraction time of the file. + */ +extraction_time( + int file : @file ref, + // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`. + int extractionPhase: int ref, + // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds + int timerKind: int ref, + float time: float ref +) + +/** + * Non-timing related data for the extraction of a single file. + * This table contains non-deterministic content. + */ +extraction_data( + int file : @file ref, + // the absolute path to the cache file + varchar(900) cacheFile: string ref, + boolean fromCache: boolean ref, + int length: int ref +) diff --git a/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/upgrade.properties b/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/upgrade.properties new file mode 100644 index 00000000000..bf1a8cb0c61 --- /dev/null +++ b/javascript/upgrades/874ebfcd4d2fd346c10ebec145466d9071d78606/upgrade.properties @@ -0,0 +1,2 @@ +description: add support for TypeScript 3.7 features +compatibility: backwards diff --git a/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/old.dbscheme b/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/old.dbscheme new file mode 100644 index 00000000000..ab0dab3b55b --- /dev/null +++ b/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/old.dbscheme @@ -0,0 +1,1172 @@ +/*** Standard fragments ***/ + +/** Files and folders **/ + +@location = @location_default; + +locations_default(unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref + ); + +@sourceline = @locatable; + +numlines(int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref + ); + + +/* + fromSource(0) = unknown, + fromSource(1) = from source, + fromSource(2) = from library +*/ +files(unique int id: @file, + varchar(900) name: string ref, + varchar(900) simple: string ref, + varchar(900) ext: string ref, + int fromSource: int ref); + +folders(unique int id: @folder, + varchar(900) name: string ref, + varchar(900) simple: string ref); + + +@container = @folder | @file ; + + +containerparent(int parent: @container ref, + unique int child: @container ref); + +/** Duplicate code **/ + +duplicateCode( + unique int id : @duplication, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +similarCode( + unique int id : @similarity, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +@duplication_or_similarity = @duplication | @similarity; + +tokens( + int id : @duplication_or_similarity ref, + int offset : int ref, + int beginLine : int ref, + int beginColumn : int ref, + int endLine : int ref, + int endColumn : int ref); + +/** External data **/ + +externalData( + int id : @externalDataElement, + varchar(900) path : string ref, + int column: int ref, + varchar(900) value : string ref +); + +snapshotDate(unique date snapshotDate : date ref); + +sourceLocationPrefix(varchar(900) prefix : string ref); + +/** Version control data **/ + +svnentries( + int id : @svnentry, + varchar(500) revision : string ref, + varchar(500) author : string ref, + date revisionDate : date ref, + int changeSize : int ref +); + +svnaffectedfiles( + int id : @svnentry ref, + int file : @file ref, + varchar(500) action : string ref +); + +svnentrymsg( + int id : @svnentry ref, + varchar(500) message : string ref +); + +svnchurn( + int commit : @svnentry ref, + int file : @file ref, + int addedLines : int ref, + int deletedLines : int ref +); + + +/*** JavaScript-specific part ***/ + +filetype( + int file: @file ref, + string filetype: string ref +) + +// top-level code fragments +toplevels (unique int id: @toplevel, + int kind: int ref); + +isExterns (int toplevel: @toplevel ref); + +case @toplevel.kind of + 0 = @script +| 1 = @inline_script +| 2 = @event_handler +| 3 = @javascript_url; + +isModule (int tl: @toplevel ref); +isNodejs (int tl: @toplevel ref); +isES2015Module (int tl: @toplevel ref); +isClosureModule (int tl: @toplevel ref); + +// statements +#keyset[parent, idx] +stmts (unique int id: @stmt, + int kind: int ref, + int parent: @stmtparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +stmtContainers (unique int stmt: @stmt ref, + int container: @stmt_container ref); + +jumpTargets (unique int jump: @stmt ref, + int target: @stmt ref); + +@stmtparent = @stmt | @toplevel | @functionexpr | @arrowfunctionexpr; +@stmt_container = @toplevel | @function | @namespacedeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; + +case @stmt.kind of + 0 = @emptystmt +| 1 = @blockstmt +| 2 = @exprstmt +| 3 = @ifstmt +| 4 = @labeledstmt +| 5 = @breakstmt +| 6 = @continuestmt +| 7 = @withstmt +| 8 = @switchstmt +| 9 = @returnstmt +| 10 = @throwstmt +| 11 = @trystmt +| 12 = @whilestmt +| 13 = @dowhilestmt +| 14 = @forstmt +| 15 = @forinstmt +| 16 = @debuggerstmt +| 17 = @functiondeclstmt +| 18 = @vardeclstmt +| 19 = @case +| 20 = @catchclause +| 21 = @forofstmt +| 22 = @constdeclstmt +| 23 = @letstmt +| 24 = @legacy_letstmt +| 25 = @foreachstmt +| 26 = @classdeclstmt +| 27 = @importdeclaration +| 28 = @exportalldeclaration +| 29 = @exportdefaultdeclaration +| 30 = @exportnameddeclaration +| 31 = @namespacedeclaration +| 32 = @importequalsdeclaration +| 33 = @exportassigndeclaration +| 34 = @interfacedeclaration +| 35 = @typealiasdeclaration +| 36 = @enumdeclaration +| 37 = @externalmoduledeclaration +| 38 = @exportasnamespacedeclaration +| 39 = @globalaugmentationdeclaration +; + +@declstmt = @vardeclstmt | @constdeclstmt | @letstmt | @legacy_letstmt; + +@exportdeclaration = @exportalldeclaration | @exportdefaultdeclaration | @exportnameddeclaration; + +@namespacedefinition = @namespacedeclaration | @enumdeclaration; +@typedefinition = @classdefinition | @interfacedeclaration | @enumdeclaration | @typealiasdeclaration | @enum_member; + +isInstantiated(unique int decl: @namespacedeclaration ref); + +@declarablestmt = @declstmt | @namespacedeclaration | @classdeclstmt | @functiondeclstmt | @enumdeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; +hasDeclareKeyword(unique int stmt: @declarablestmt ref); + +isForAwaitOf(unique int forof: @forofstmt ref); + +// expressions +#keyset[parent, idx] +exprs (unique int id: @expr, + int kind: int ref, + int parent: @exprparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @exprortype ref); + +enclosingStmt (unique int expr: @exprortype ref, + int stmt: @stmt ref); + +exprContainers (unique int expr: @exprortype ref, + int container: @stmt_container ref); + +arraySize (unique int ae: @arraylike ref, + int sz: int ref); + +isDelegating (int yield: @yieldexpr ref); + +@exprorstmt = @expr | @stmt; +@exprortype = @expr | @typeexpr; +@exprparent = @exprorstmt | @property | @functiontypeexpr; +@arraylike = @arrayexpr | @arraypattern; +@type_annotation = @typeexpr | @jsdoc_type_expr; + +case @expr.kind of + 0 = @label +| 1 = @nullliteral +| 2 = @booleanliteral +| 3 = @numberliteral +| 4 = @stringliteral +| 5 = @regexpliteral +| 6 = @thisexpr +| 7 = @arrayexpr +| 8 = @objexpr +| 9 = @functionexpr +| 10 = @seqexpr +| 11 = @conditionalexpr +| 12 = @newexpr +| 13 = @callexpr +| 14 = @dotexpr +| 15 = @indexexpr +| 16 = @negexpr +| 17 = @plusexpr +| 18 = @lognotexpr +| 19 = @bitnotexpr +| 20 = @typeofexpr +| 21 = @voidexpr +| 22 = @deleteexpr +| 23 = @eqexpr +| 24 = @neqexpr +| 25 = @eqqexpr +| 26 = @neqqexpr +| 27 = @ltexpr +| 28 = @leexpr +| 29 = @gtexpr +| 30 = @geexpr +| 31 = @lshiftexpr +| 32 = @rshiftexpr +| 33 = @urshiftexpr +| 34 = @addexpr +| 35 = @subexpr +| 36 = @mulexpr +| 37 = @divexpr +| 38 = @modexpr +| 39 = @bitorexpr +| 40 = @xorexpr +| 41 = @bitandexpr +| 42 = @inexpr +| 43 = @instanceofexpr +| 44 = @logandexpr +| 45 = @logorexpr +| 47 = @assignexpr +| 48 = @assignaddexpr +| 49 = @assignsubexpr +| 50 = @assignmulexpr +| 51 = @assigndivexpr +| 52 = @assignmodexpr +| 53 = @assignlshiftexpr +| 54 = @assignrshiftexpr +| 55 = @assignurshiftexpr +| 56 = @assignorexpr +| 57 = @assignxorexpr +| 58 = @assignandexpr +| 59 = @preincexpr +| 60 = @postincexpr +| 61 = @predecexpr +| 62 = @postdecexpr +| 63 = @parexpr +| 64 = @vardeclarator +| 65 = @arrowfunctionexpr +| 66 = @spreadelement +| 67 = @arraypattern +| 68 = @objectpattern +| 69 = @yieldexpr +| 70 = @taggedtemplateexpr +| 71 = @templateliteral +| 72 = @templateelement +| 73 = @arraycomprehensionexpr +| 74 = @generatorexpr +| 75 = @forincomprehensionblock +| 76 = @forofcomprehensionblock +| 77 = @legacy_letexpr +| 78 = @vardecl +| 79 = @proper_varaccess +| 80 = @classexpr +| 81 = @superexpr +| 82 = @newtargetexpr +| 83 = @namedimportspecifier +| 84 = @importdefaultspecifier +| 85 = @importnamespacespecifier +| 86 = @namedexportspecifier +| 87 = @expexpr +| 88 = @assignexpexpr +| 89 = @jsxelement +| 90 = @jsxqualifiedname +| 91 = @jsxemptyexpr +| 92 = @awaitexpr +| 93 = @functionsentexpr +| 94 = @decorator +| 95 = @exportdefaultspecifier +| 96 = @exportnamespacespecifier +| 97 = @bindexpr +| 98 = @externalmodulereference +| 99 = @dynamicimport +| 100 = @expressionwithtypearguments +| 101 = @prefixtypeassertion +| 102 = @astypeassertion +| 103 = @export_varaccess +| 104 = @decorator_list +| 105 = @non_null_assertion +| 106 = @bigintliteral +| 107 = @nullishcoalescingexpr +| 108 = @e4x_xml_anyname +| 109 = @e4x_xml_static_attribute_selector +| 110 = @e4x_xml_dynamic_attribute_selector +| 111 = @e4x_xml_filter_expression +| 112 = @e4x_xml_static_qualident +| 113 = @e4x_xml_dynamic_qualident +| 114 = @e4x_xml_dotdotexpr +; + +@varaccess = @proper_varaccess | @export_varaccess; +@varref = @vardecl | @varaccess; + +@identifier = @label | @varref | @typeidentifier; + +@literal = @nullliteral | @booleanliteral | @numberliteral | @stringliteral | @regexpliteral | @bigintliteral; + +@propaccess = @dotexpr | @indexexpr; + +@invokeexpr = @newexpr | @callexpr; + +@unaryexpr = @negexpr | @plusexpr | @lognotexpr | @bitnotexpr | @typeofexpr | @voidexpr | @deleteexpr | @spreadelement; + +@equalitytest = @eqexpr | @neqexpr | @eqqexpr | @neqqexpr; + +@comparison = @equalitytest | @ltexpr | @leexpr | @gtexpr | @geexpr; + +@binaryexpr = @comparison | @lshiftexpr | @rshiftexpr | @urshiftexpr | @addexpr | @subexpr | @mulexpr | @divexpr | @modexpr | @expexpr | @bitorexpr | @xorexpr | @bitandexpr | @inexpr | @instanceofexpr | @logandexpr | @logorexpr | @nullishcoalescingexpr; + +@assignment = @assignexpr | @assignaddexpr | @assignsubexpr | @assignmulexpr | @assigndivexpr | @assignmodexpr | @assignexpexpr | @assignlshiftexpr | @assignrshiftexpr | @assignurshiftexpr | @assignorexpr | @assignxorexpr | @assignandexpr; + +@updateexpr = @preincexpr | @postincexpr | @predecexpr | @postdecexpr; + +@pattern = @varref | @arraypattern | @objectpattern; + +@comprehensionexpr = @arraycomprehensionexpr | @generatorexpr; + +@comprehensionblock = @forincomprehensionblock | @forofcomprehensionblock; + +@importspecifier = @namedimportspecifier | @importdefaultspecifier | @importnamespacespecifier; + +@exportspecifier = @namedexportspecifier | @exportdefaultspecifier | @exportnamespacespecifier; + +@typeassertion = @astypeassertion | @prefixtypeassertion; + +@classdefinition = @classdeclstmt | @classexpr; +@interfacedefinition = @interfacedeclaration | @interfacetypeexpr; +@classorinterface = @classdefinition | @interfacedefinition; + +@lexical_decl = @vardecl | @typedecl; +@lexical_access = @varaccess | @localtypeaccess | @localvartypeaccess | @localnamespaceaccess; +@lexical_ref = @lexical_decl | @lexical_access; + +@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; +@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; + +// scopes +scopes (unique int id: @scope, + int kind: int ref); + +case @scope.kind of + 0 = @globalscope +| 1 = @functionscope +| 2 = @catchscope +| 3 = @modulescope +| 4 = @blockscope +| 5 = @forscope +| 6 = @forinscope // for-of scopes work the same as for-in scopes +| 7 = @comprehensionblockscope +| 8 = @classexprscope +| 9 = @namespacescope +| 10 = @classdeclscope +| 11 = @interfacescope +| 12 = @typealiasscope +| 13 = @mappedtypescope +| 14 = @enumscope +| 15 = @externalmodulescope +| 16 = @conditionaltypescope; + +scopenodes (unique int node: @ast_node ref, + int scope: @scope ref); + +scopenesting (unique int inner: @scope ref, + int outer: @scope ref); + +// functions +@function = @functiondeclstmt | @functionexpr | @arrowfunctionexpr; + +@parameterized = @function | @catchclause; +@type_parameterized = @function | @classorinterface | @typealiasdeclaration | @mappedtypeexpr | @infertypeexpr; + +isGenerator (int fun: @function ref); +hasRestParameter (int fun: @function ref); +isAsync (int fun: @function ref); + +// variables and lexically scoped type names +#keyset[scope, name] +variables (unique int id: @variable, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_type_names (unique int id: @local_type_name, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_namespace_names (unique int id: @local_namespace_name, + varchar(900) name: string ref, + int scope: @scope ref); + +isArgumentsObject (int id: @variable ref); + +@lexical_name = @variable | @local_type_name | @local_namespace_name; + +@bind_id = @varaccess | @localvartypeaccess; +bind (unique int id: @bind_id ref, + int decl: @variable ref); + +decl (unique int id: @vardecl ref, + int decl: @variable ref); + +@typebind_id = @localtypeaccess | @export_varaccess; +typebind (unique int id: @typebind_id ref, + int decl: @local_type_name ref); + +@typedecl_id = @typedecl | @vardecl; +typedecl (unique int id: @typedecl_id ref, + int decl: @local_type_name ref); + +namespacedecl (unique int id: @vardecl ref, + int decl: @local_namespace_name ref); + +@namespacebind_id = @localnamespaceaccess | @export_varaccess; +namespacebind (unique int id: @namespacebind_id ref, + int decl: @local_namespace_name ref); + + +// properties in object literals, property patterns in object patterns, and method declarations in classes +#keyset[parent, index] +properties (unique int id: @property, + int parent: @property_parent ref, + int index: int ref, + int kind: int ref, + varchar(900) tostring: string ref); + +case @property.kind of + 0 = @value_property +| 1 = @property_getter +| 2 = @property_setter +| 3 = @jsx_attribute +| 4 = @function_call_signature +| 5 = @constructor_call_signature +| 6 = @index_signature +| 7 = @enum_member +| 8 = @proper_field +| 9 = @parameter_field +; + +@property_parent = @objexpr | @objectpattern | @classdefinition | @jsxelement | @interfacedefinition | @enumdeclaration; +@property_accessor = @property_getter | @property_setter; +@call_signature = @function_call_signature | @constructor_call_signature; +@field = @proper_field | @parameter_field; +@field_or_vardeclarator = @field | @vardeclarator; + +isComputed (int id: @property ref); +isMethod (int id: @property ref); +isStatic (int id: @property ref); +isAbstractMember (int id: @property ref); +isConstEnum (int id: @enumdeclaration ref); +isAbstractClass (int id: @classdeclstmt ref); + +hasPublicKeyword (int id: @property ref); +hasPrivateKeyword (int id: @property ref); +hasProtectedKeyword (int id: @property ref); +hasReadonlyKeyword (int id: @property ref); +isOptionalMember (int id: @property ref); +hasDefiniteAssignmentAssertion (int id: @field_or_vardeclarator ref); + +#keyset[constructor, param_index] +parameter_fields( + unique int field: @parameter_field ref, + int constructor: @functionexpr ref, + int param_index: int ref +); + +// types +#keyset[parent, idx] +typeexprs ( + unique int id: @typeexpr, + int kind: int ref, + int parent: @typeexpr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref +); + +case @typeexpr.kind of + 0 = @localtypeaccess +| 1 = @typedecl +| 2 = @keywordtypeexpr +| 3 = @stringliteraltypeexpr +| 4 = @numberliteraltypeexpr +| 5 = @booleanliteraltypeexpr +| 6 = @arraytypeexpr +| 7 = @uniontypeexpr +| 8 = @indexedaccesstypeexpr +| 9 = @intersectiontypeexpr +| 10 = @parenthesizedtypeexpr +| 11 = @tupletypeexpr +| 12 = @keyoftypeexpr +| 13 = @qualifiedtypeaccess +| 14 = @generictypeexpr +| 15 = @typelabel +| 16 = @typeoftypeexpr +| 17 = @localvartypeaccess +| 18 = @qualifiedvartypeaccess +| 19 = @thisvartypeaccess +| 20 = @istypeexpr +| 21 = @interfacetypeexpr +| 22 = @typeparameter +| 23 = @plainfunctiontypeexpr +| 24 = @constructortypeexpr +| 25 = @localnamespaceaccess +| 26 = @qualifiednamespaceaccess +| 27 = @mappedtypeexpr +| 28 = @conditionaltypeexpr +| 29 = @infertypeexpr +| 30 = @importtypeaccess +| 31 = @importnamespaceaccess +| 32 = @importvartypeaccess +| 33 = @optionaltypeexpr +| 34 = @resttypeexpr +| 35 = @bigintliteraltypeexpr +| 36 = @readonlytypeexpr +; + +@typeref = @typeaccess | @typedecl; +@typeidentifier = @typedecl | @localtypeaccess | @typelabel | @localvartypeaccess | @localnamespaceaccess; +@typeexpr_parent = @expr | @stmt | @property | @typeexpr; +@literaltypeexpr = @stringliteraltypeexpr | @numberliteraltypeexpr | @booleanliteraltypeexpr | @bigintliteraltypeexpr; +@typeaccess = @localtypeaccess | @qualifiedtypeaccess | @importtypeaccess; +@vartypeaccess = @localvartypeaccess | @qualifiedvartypeaccess | @thisvartypeaccess | @importvartypeaccess; +@namespaceaccess = @localnamespaceaccess | @qualifiednamespaceaccess | @importnamespaceaccess; +@importtypeexpr = @importtypeaccess | @importnamespaceaccess | @importvartypeaccess; + +@functiontypeexpr = @plainfunctiontypeexpr | @constructortypeexpr; + +// types +types ( + unique int id: @type, + int kind: int ref, + varchar(900) tostring: string ref +); + +#keyset[parent, idx] +type_child ( + int child: @type ref, + int parent: @type ref, + int idx: int ref +); + +case @type.kind of + 0 = @anytype +| 1 = @stringtype +| 2 = @numbertype +| 3 = @uniontype +| 4 = @truetype +| 5 = @falsetype +| 6 = @typereference +| 7 = @objecttype +| 8 = @canonicaltypevariabletype +| 9 = @typeoftype +| 10 = @voidtype +| 11 = @undefinedtype +| 12 = @nulltype +| 13 = @nevertype +| 14 = @plainsymboltype +| 15 = @uniquesymboltype +| 16 = @objectkeywordtype +| 17 = @intersectiontype +| 18 = @tupletype +| 19 = @lexicaltypevariabletype +| 20 = @thistype +| 21 = @numberliteraltype +| 22 = @stringliteraltype +| 23 = @unknowntype +| 24 = @biginttype +| 25 = @bigintliteraltype +; + +@booleanliteraltype = @truetype | @falsetype; +@symboltype = @plainsymboltype | @uniquesymboltype; +@unionorintersectiontype = @uniontype | @intersectiontype; +@typevariabletype = @canonicaltypevariabletype | @lexicaltypevariabletype; + +@typed_ast_node = @expr | @typeexpr | @function; +ast_node_type( + unique int node: @typed_ast_node ref, + int typ: @type ref); + +declared_function_signature( + unique int node: @function ref, + int sig: @signature_type ref +); + +invoke_expr_signature( + unique int node: @invokeexpr ref, + int sig: @signature_type ref +); + +invoke_expr_overload_index( + unique int node: @invokeexpr ref, + int index: int ref +); + +symbols ( + unique int id: @symbol, + int kind: int ref, + varchar(900) name: string ref +); + +symbol_parent ( + unique int symbol: @symbol ref, + int parent: @symbol ref +); + +symbol_module ( + int symbol: @symbol ref, + varchar(900) moduleName: string ref +); + +symbol_global ( + int symbol: @symbol ref, + varchar(900) globalName: string ref +); + +case @symbol.kind of + 0 = @root_symbol +| 1 = @member_symbol +| 2 = @other_symbol +; + +@type_with_symbol = @typereference | @typevariabletype | @typeoftype | @uniquesymboltype; +@ast_node_with_symbol = @typedefinition | @namespacedefinition | @toplevel | @typeaccess | @namespaceaccess | @vardecl | @function | @invokeexpr; + +ast_node_symbol( + unique int node: @ast_node_with_symbol ref, + int symbol: @symbol ref); + +type_symbol( + unique int typ: @type_with_symbol ref, + int symbol: @symbol ref); + +#keyset[typ, name] +type_property( + int typ: @type ref, + varchar(900) name: string ref, + int propertyType: @type ref); + +@literaltype = @stringliteraltype | @numberliteraltype | @booleanliteraltype | @bigintliteraltype; +@type_with_literal_value = @stringliteraltype | @numberliteraltype | @bigintliteraltype; +type_literal_value( + unique int typ: @type_with_literal_value ref, + varchar(900) value: string ref); + +signature_types ( + unique int id: @signature_type, + int kind: int ref, + varchar(900) tostring: string ref, + int type_parameters: int ref, + int required_params: int ref +); + +case @signature_type.kind of + 0 = @function_signature_type +| 1 = @constructor_signature_type +; + +#keyset[typ, kind, index] +type_contains_signature ( + int typ: @type ref, + int kind: int ref, // constructor/call/index + int index: int ref, // ordering of overloaded signatures + int sig: @signature_type ref +); + +#keyset[parent, index] +signature_contains_type ( + int child: @type ref, + int parent: @signature_type ref, + int index: int ref +); + +#keyset[sig, index] +signature_parameter_name ( + int sig: @signature_type ref, + int index: int ref, + varchar(900) name: string ref +); + +number_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +string_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +base_type_names( + int typeName: @symbol ref, + int baseTypeName: @symbol ref +); + +self_types( + int typeName: @symbol ref, + int selfType: @typereference ref +); + +tuple_type_min_length( + unique int typ: @type ref, + int minLength: int ref +); + +tuple_type_rest( + unique int typ: @type ref +); + +// comments +comments (unique int id: @comment, + int kind: int ref, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(900) tostring: string ref); + +case @comment.kind of + 0 = @slashslashcomment +| 1 = @slashstarcomment +| 2 = @doccomment +| 3 = @htmlcommentstart +| 4 = @htmlcommentend; + +@htmlcomment = @htmlcommentstart | @htmlcommentend; +@linecomment = @slashslashcomment | @htmlcomment; +@blockcomment = @slashstarcomment | @doccomment; + +// source lines +lines (unique int id: @line, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(2) terminator: string ref); +indentation (int file: @file ref, + int lineno: int ref, + varchar(1) indentChar: string ref, + int indentDepth: int ref); + +// JavaScript parse errors +jsParseErrors (unique int id: @js_parse_error, + int toplevel: @toplevel ref, + varchar(900) message: string ref, + varchar(900) line: string ref); + +// regular expressions +#keyset[parent, idx] +regexpterm (unique int id: @regexpterm, + int kind: int ref, + int parent: @regexpparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +@regexpparent = @regexpterm | @regexpliteral; + +case @regexpterm.kind of + 0 = @regexp_alt +| 1 = @regexp_seq +| 2 = @regexp_caret +| 3 = @regexp_dollar +| 4 = @regexp_wordboundary +| 5 = @regexp_nonwordboundary +| 6 = @regexp_positive_lookahead +| 7 = @regexp_negative_lookahead +| 8 = @regexp_star +| 9 = @regexp_plus +| 10 = @regexp_opt +| 11 = @regexp_range +| 12 = @regexp_dot +| 13 = @regexp_group +| 14 = @regexp_normal_char +| 15 = @regexp_hex_escape +| 16 = @regexp_unicode_escape +| 17 = @regexp_dec_escape +| 18 = @regexp_oct_escape +| 19 = @regexp_ctrl_escape +| 20 = @regexp_char_class_escape +| 21 = @regexp_id_escape +| 22 = @regexp_backref +| 23 = @regexp_char_class +| 24 = @regexp_char_range +| 25 = @regexp_positive_lookbehind +| 26 = @regexp_negative_lookbehind +| 27 = @regexp_unicode_property_escape; + +regexpParseErrors (unique int id: @regexp_parse_error, + int regexp: @regexpterm ref, + varchar(900) message: string ref); + +@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; +@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; +@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; +@regexp_constant = @regexp_normal_char | @regexp_char_escape; +@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; +@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; +@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; + +isGreedy (int id: @regexp_quantifier ref); +rangeQuantifierLowerBound (unique int id: @regexp_range ref, int lo: int ref); +rangeQuantifierUpperBound (unique int id: @regexp_range ref, int hi: int ref); +isCapture (unique int id: @regexp_group ref, int number: int ref); +isNamedCapture (unique int id: @regexp_group ref, string name: string ref); +isInverted (int id: @regexp_char_class ref); +regexpConstValue (unique int id: @regexp_constant ref, varchar(1) value: string ref); +charClassEscape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); +backref (unique int id: @regexp_backref ref, int value: int ref); +namedBackref (unique int id: @regexp_backref ref, string name: string ref); +unicodePropertyEscapeName (unique int id: @regexp_unicode_property_escape ref, string name: string ref); +unicodePropertyEscapeValue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); + +// tokens +#keyset[toplevel, idx] +tokeninfo (unique int id: @token, + int kind: int ref, + int toplevel: @toplevel ref, + int idx: int ref, + varchar(900) value: string ref); + +case @token.kind of + 0 = @token_eof +| 1 = @token_null_literal +| 2 = @token_boolean_literal +| 3 = @token_numeric_literal +| 4 = @token_string_literal +| 5 = @token_regular_expression +| 6 = @token_identifier +| 7 = @token_keyword +| 8 = @token_punctuator; + +// associate comments with the token immediately following them (which may be EOF) +next_token (int comment: @comment ref, int token: @token ref); + +// JSON +#keyset[parent, idx] +json (unique int id: @json_value, + int kind: int ref, + int parent: @json_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +json_literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @json_value ref); + +json_properties (int obj: @json_object ref, + varchar(900) property: string ref, + int value: @json_value ref); + +json_errors (unique int id: @json_parse_error, + varchar(900) message: string ref); + +json_locations(unique int locatable: @json_locatable ref, + int location: @location_default ref); + +case @json_value.kind of + 0 = @json_null +| 1 = @json_boolean +| 2 = @json_number +| 3 = @json_string +| 4 = @json_array +| 5 = @json_object; + +@json_parent = @json_object | @json_array | @file; + +@json_locatable = @json_value | @json_parse_error; + +// locations +@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr; + +@locatable = @file + | @ast_node + | @comment + | @line + | @js_parse_error | @regexp_parse_error + | @regexpterm + | @json_locatable + | @token + | @cfg_node + | @jsdoc | @jsdoc_type_expr | @jsdoc_tag + | @yaml_locatable + | @xmllocatable + | @configLocatable; + +hasLocation (unique int locatable: @locatable ref, + int location: @location ref); + +// CFG +entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref); +exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref); +guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref); +case @guard_node.kind of + 0 = @falsy_guard +| 1 = @truthy_guard; +@condition_guard = @falsy_guard | @truthy_guard; + +@synthetic_cfg_node = @entry_node | @exit_node | @guard_node; +@cfg_node = @synthetic_cfg_node | @exprparent; + +successor (int pred: @cfg_node ref, int succ: @cfg_node ref); + +// JSDoc comments +jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref); +#keyset[parent, idx] +jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref, + int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref); +jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); +jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); + +#keyset[parent, idx] +jsdoc_type_exprs (unique int id: @jsdoc_type_expr, + int kind: int ref, + int parent: @jsdoc_type_expr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); +case @jsdoc_type_expr.kind of + 0 = @jsdoc_any_type_expr +| 1 = @jsdoc_null_type_expr +| 2 = @jsdoc_undefined_type_expr +| 3 = @jsdoc_unknown_type_expr +| 4 = @jsdoc_void_type_expr +| 5 = @jsdoc_named_type_expr +| 6 = @jsdoc_applied_type_expr +| 7 = @jsdoc_nullable_type_expr +| 8 = @jsdoc_non_nullable_type_expr +| 9 = @jsdoc_record_type_expr +| 10 = @jsdoc_array_type_expr +| 11 = @jsdoc_union_type_expr +| 12 = @jsdoc_function_type_expr +| 13 = @jsdoc_optional_type_expr +| 14 = @jsdoc_rest_type_expr +; + +#keyset[id, idx] +jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref); +jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref); +jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref); + +@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag; + +jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref); + +// YAML +#keyset[parent, idx] +yaml (unique int id: @yaml_node, + int kind: int ref, + int parent: @yaml_node_parent ref, + int idx: int ref, + varchar(900) tag: string ref, + varchar(900) tostring: string ref); + +case @yaml_node.kind of + 0 = @yaml_scalar_node +| 1 = @yaml_mapping_node +| 2 = @yaml_sequence_node +| 3 = @yaml_alias_node +; + +@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; + +@yaml_node_parent = @yaml_collection_node | @file; + +yaml_anchors (unique int node: @yaml_node ref, + varchar(900) anchor: string ref); + +yaml_aliases (unique int alias: @yaml_alias_node ref, + varchar(900) target: string ref); + +yaml_scalars (unique int scalar: @yaml_scalar_node ref, + int style: int ref, + varchar(900) value: string ref); + +yaml_errors (unique int id: @yaml_error, + varchar(900) message: string ref); + +yaml_locations(unique int locatable: @yaml_locatable ref, + int location: @location_default ref); + +@yaml_locatable = @yaml_node | @yaml_error; + +/* XML Files */ + +xmlEncoding( + unique int id: @file ref, + varchar(900) encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + varchar(900) root: string ref, + varchar(900) publicId: string ref, + varchar(900) systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + varchar(900) name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + varchar(900) name: string ref, + varchar(3600) value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + varchar(900) prefixName: string ref, + varchar(900) URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: @file ref +); + +@xmlparent = @file | @xmlelement; +@xmlnamespaceable = @xmlelement | @xmlattribute; + +xmllocations( + int xmlElement: @xmllocatable ref, + int location: @location_default ref +); + +@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; + +@dataflownode = @expr | @functiondeclstmt | @classdeclstmt | @namespacedeclaration | @enumdeclaration | @property; + +@optionalchainable = @callexpr | @propaccess; + +isOptionalChaining(int id: @optionalchainable ref); + +/* + * configuration files with key value pairs + */ + +configs( + unique int id: @config +); + +configNames( + unique int id: @configName, + int config: @config ref, + string name: string ref +); + +configValues( + unique int id: @configValue, + int config: @config ref, + string value: string ref +); + +configLocations( + int locatable: @configLocatable ref, + int location: @location_default ref +); + +@configLocatable = @config | @configName | @configValue; + +/** + * The time taken for the extraction of a file. + * This table contains non-deterministic content. + * + * The sum of the `time` column for each (`file`, `timerKind`) pair + * is the total time taken for extraction of `file`. The `extractionPhase` + * column provides a granular view of the extraction time of the file. + */ +extraction_time( + int file : @file ref, + // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`. + int extractionPhase: int ref, + // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds + int timerKind: int ref, + float time: float ref +) + +/** + * Non-timing related data for the extraction of a single file. + * This table contains non-deterministic content. + */ +extraction_data( + int file : @file ref, + // the absolute path to the cache file + varchar(900) cacheFile: string ref, + boolean fromCache: boolean ref, + int length: int ref +) \ No newline at end of file diff --git a/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/semmlecode.javascript.dbscheme b/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/semmlecode.javascript.dbscheme new file mode 100644 index 00000000000..874ebfcd4d2 --- /dev/null +++ b/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/semmlecode.javascript.dbscheme @@ -0,0 +1,1173 @@ +/*** Standard fragments ***/ + +/** Files and folders **/ + +@location = @location_default; + +locations_default(unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref + ); + +@sourceline = @locatable; + +numlines(int element_id: @sourceline ref, + int num_lines: int ref, + int num_code: int ref, + int num_comment: int ref + ); + + +/* + fromSource(0) = unknown, + fromSource(1) = from source, + fromSource(2) = from library +*/ +files(unique int id: @file, + varchar(900) name: string ref, + varchar(900) simple: string ref, + varchar(900) ext: string ref, + int fromSource: int ref); + +folders(unique int id: @folder, + varchar(900) name: string ref, + varchar(900) simple: string ref); + + +@container = @folder | @file ; + + +containerparent(int parent: @container ref, + unique int child: @container ref); + +/** Duplicate code **/ + +duplicateCode( + unique int id : @duplication, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +similarCode( + unique int id : @similarity, + varchar(900) relativePath : string ref, + int equivClass : int ref); + +@duplication_or_similarity = @duplication | @similarity; + +tokens( + int id : @duplication_or_similarity ref, + int offset : int ref, + int beginLine : int ref, + int beginColumn : int ref, + int endLine : int ref, + int endColumn : int ref); + +/** External data **/ + +externalData( + int id : @externalDataElement, + varchar(900) path : string ref, + int column: int ref, + varchar(900) value : string ref +); + +snapshotDate(unique date snapshotDate : date ref); + +sourceLocationPrefix(varchar(900) prefix : string ref); + +/** Version control data **/ + +svnentries( + int id : @svnentry, + varchar(500) revision : string ref, + varchar(500) author : string ref, + date revisionDate : date ref, + int changeSize : int ref +); + +svnaffectedfiles( + int id : @svnentry ref, + int file : @file ref, + varchar(500) action : string ref +); + +svnentrymsg( + int id : @svnentry ref, + varchar(500) message : string ref +); + +svnchurn( + int commit : @svnentry ref, + int file : @file ref, + int addedLines : int ref, + int deletedLines : int ref +); + + +/*** JavaScript-specific part ***/ + +filetype( + int file: @file ref, + string filetype: string ref +) + +// top-level code fragments +toplevels (unique int id: @toplevel, + int kind: int ref); + +isExterns (int toplevel: @toplevel ref); + +case @toplevel.kind of + 0 = @script +| 1 = @inline_script +| 2 = @event_handler +| 3 = @javascript_url; + +isModule (int tl: @toplevel ref); +isNodejs (int tl: @toplevel ref); +isES2015Module (int tl: @toplevel ref); +isClosureModule (int tl: @toplevel ref); + +// statements +#keyset[parent, idx] +stmts (unique int id: @stmt, + int kind: int ref, + int parent: @stmtparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +stmtContainers (unique int stmt: @stmt ref, + int container: @stmt_container ref); + +jumpTargets (unique int jump: @stmt ref, + int target: @stmt ref); + +@stmtparent = @stmt | @toplevel | @functionexpr | @arrowfunctionexpr; +@stmt_container = @toplevel | @function | @namespacedeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; + +case @stmt.kind of + 0 = @emptystmt +| 1 = @blockstmt +| 2 = @exprstmt +| 3 = @ifstmt +| 4 = @labeledstmt +| 5 = @breakstmt +| 6 = @continuestmt +| 7 = @withstmt +| 8 = @switchstmt +| 9 = @returnstmt +| 10 = @throwstmt +| 11 = @trystmt +| 12 = @whilestmt +| 13 = @dowhilestmt +| 14 = @forstmt +| 15 = @forinstmt +| 16 = @debuggerstmt +| 17 = @functiondeclstmt +| 18 = @vardeclstmt +| 19 = @case +| 20 = @catchclause +| 21 = @forofstmt +| 22 = @constdeclstmt +| 23 = @letstmt +| 24 = @legacy_letstmt +| 25 = @foreachstmt +| 26 = @classdeclstmt +| 27 = @importdeclaration +| 28 = @exportalldeclaration +| 29 = @exportdefaultdeclaration +| 30 = @exportnameddeclaration +| 31 = @namespacedeclaration +| 32 = @importequalsdeclaration +| 33 = @exportassigndeclaration +| 34 = @interfacedeclaration +| 35 = @typealiasdeclaration +| 36 = @enumdeclaration +| 37 = @externalmoduledeclaration +| 38 = @exportasnamespacedeclaration +| 39 = @globalaugmentationdeclaration +; + +@declstmt = @vardeclstmt | @constdeclstmt | @letstmt | @legacy_letstmt; + +@exportdeclaration = @exportalldeclaration | @exportdefaultdeclaration | @exportnameddeclaration; + +@namespacedefinition = @namespacedeclaration | @enumdeclaration; +@typedefinition = @classdefinition | @interfacedeclaration | @enumdeclaration | @typealiasdeclaration | @enum_member; + +isInstantiated(unique int decl: @namespacedeclaration ref); + +@declarablestmt = @declstmt | @namespacedeclaration | @classdeclstmt | @functiondeclstmt | @enumdeclaration | @externalmoduledeclaration | @globalaugmentationdeclaration; +hasDeclareKeyword(unique int stmt: @declarablestmt ref); + +isForAwaitOf(unique int forof: @forofstmt ref); + +// expressions +#keyset[parent, idx] +exprs (unique int id: @expr, + int kind: int ref, + int parent: @exprparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @exprortype ref); + +enclosingStmt (unique int expr: @exprortype ref, + int stmt: @stmt ref); + +exprContainers (unique int expr: @exprortype ref, + int container: @stmt_container ref); + +arraySize (unique int ae: @arraylike ref, + int sz: int ref); + +isDelegating (int yield: @yieldexpr ref); + +@exprorstmt = @expr | @stmt; +@exprortype = @expr | @typeexpr; +@exprparent = @exprorstmt | @property | @functiontypeexpr; +@arraylike = @arrayexpr | @arraypattern; +@type_annotation = @typeexpr | @jsdoc_type_expr; + +case @expr.kind of + 0 = @label +| 1 = @nullliteral +| 2 = @booleanliteral +| 3 = @numberliteral +| 4 = @stringliteral +| 5 = @regexpliteral +| 6 = @thisexpr +| 7 = @arrayexpr +| 8 = @objexpr +| 9 = @functionexpr +| 10 = @seqexpr +| 11 = @conditionalexpr +| 12 = @newexpr +| 13 = @callexpr +| 14 = @dotexpr +| 15 = @indexexpr +| 16 = @negexpr +| 17 = @plusexpr +| 18 = @lognotexpr +| 19 = @bitnotexpr +| 20 = @typeofexpr +| 21 = @voidexpr +| 22 = @deleteexpr +| 23 = @eqexpr +| 24 = @neqexpr +| 25 = @eqqexpr +| 26 = @neqqexpr +| 27 = @ltexpr +| 28 = @leexpr +| 29 = @gtexpr +| 30 = @geexpr +| 31 = @lshiftexpr +| 32 = @rshiftexpr +| 33 = @urshiftexpr +| 34 = @addexpr +| 35 = @subexpr +| 36 = @mulexpr +| 37 = @divexpr +| 38 = @modexpr +| 39 = @bitorexpr +| 40 = @xorexpr +| 41 = @bitandexpr +| 42 = @inexpr +| 43 = @instanceofexpr +| 44 = @logandexpr +| 45 = @logorexpr +| 47 = @assignexpr +| 48 = @assignaddexpr +| 49 = @assignsubexpr +| 50 = @assignmulexpr +| 51 = @assigndivexpr +| 52 = @assignmodexpr +| 53 = @assignlshiftexpr +| 54 = @assignrshiftexpr +| 55 = @assignurshiftexpr +| 56 = @assignorexpr +| 57 = @assignxorexpr +| 58 = @assignandexpr +| 59 = @preincexpr +| 60 = @postincexpr +| 61 = @predecexpr +| 62 = @postdecexpr +| 63 = @parexpr +| 64 = @vardeclarator +| 65 = @arrowfunctionexpr +| 66 = @spreadelement +| 67 = @arraypattern +| 68 = @objectpattern +| 69 = @yieldexpr +| 70 = @taggedtemplateexpr +| 71 = @templateliteral +| 72 = @templateelement +| 73 = @arraycomprehensionexpr +| 74 = @generatorexpr +| 75 = @forincomprehensionblock +| 76 = @forofcomprehensionblock +| 77 = @legacy_letexpr +| 78 = @vardecl +| 79 = @proper_varaccess +| 80 = @classexpr +| 81 = @superexpr +| 82 = @newtargetexpr +| 83 = @namedimportspecifier +| 84 = @importdefaultspecifier +| 85 = @importnamespacespecifier +| 86 = @namedexportspecifier +| 87 = @expexpr +| 88 = @assignexpexpr +| 89 = @jsxelement +| 90 = @jsxqualifiedname +| 91 = @jsxemptyexpr +| 92 = @awaitexpr +| 93 = @functionsentexpr +| 94 = @decorator +| 95 = @exportdefaultspecifier +| 96 = @exportnamespacespecifier +| 97 = @bindexpr +| 98 = @externalmodulereference +| 99 = @dynamicimport +| 100 = @expressionwithtypearguments +| 101 = @prefixtypeassertion +| 102 = @astypeassertion +| 103 = @export_varaccess +| 104 = @decorator_list +| 105 = @non_null_assertion +| 106 = @bigintliteral +| 107 = @nullishcoalescingexpr +| 108 = @e4x_xml_anyname +| 109 = @e4x_xml_static_attribute_selector +| 110 = @e4x_xml_dynamic_attribute_selector +| 111 = @e4x_xml_filter_expression +| 112 = @e4x_xml_static_qualident +| 113 = @e4x_xml_dynamic_qualident +| 114 = @e4x_xml_dotdotexpr +| 115 = @importmetaexpr +; + +@varaccess = @proper_varaccess | @export_varaccess; +@varref = @vardecl | @varaccess; + +@identifier = @label | @varref | @typeidentifier; + +@literal = @nullliteral | @booleanliteral | @numberliteral | @stringliteral | @regexpliteral | @bigintliteral; + +@propaccess = @dotexpr | @indexexpr; + +@invokeexpr = @newexpr | @callexpr; + +@unaryexpr = @negexpr | @plusexpr | @lognotexpr | @bitnotexpr | @typeofexpr | @voidexpr | @deleteexpr | @spreadelement; + +@equalitytest = @eqexpr | @neqexpr | @eqqexpr | @neqqexpr; + +@comparison = @equalitytest | @ltexpr | @leexpr | @gtexpr | @geexpr; + +@binaryexpr = @comparison | @lshiftexpr | @rshiftexpr | @urshiftexpr | @addexpr | @subexpr | @mulexpr | @divexpr | @modexpr | @expexpr | @bitorexpr | @xorexpr | @bitandexpr | @inexpr | @instanceofexpr | @logandexpr | @logorexpr | @nullishcoalescingexpr; + +@assignment = @assignexpr | @assignaddexpr | @assignsubexpr | @assignmulexpr | @assigndivexpr | @assignmodexpr | @assignexpexpr | @assignlshiftexpr | @assignrshiftexpr | @assignurshiftexpr | @assignorexpr | @assignxorexpr | @assignandexpr; + +@updateexpr = @preincexpr | @postincexpr | @predecexpr | @postdecexpr; + +@pattern = @varref | @arraypattern | @objectpattern; + +@comprehensionexpr = @arraycomprehensionexpr | @generatorexpr; + +@comprehensionblock = @forincomprehensionblock | @forofcomprehensionblock; + +@importspecifier = @namedimportspecifier | @importdefaultspecifier | @importnamespacespecifier; + +@exportspecifier = @namedexportspecifier | @exportdefaultspecifier | @exportnamespacespecifier; + +@typeassertion = @astypeassertion | @prefixtypeassertion; + +@classdefinition = @classdeclstmt | @classexpr; +@interfacedefinition = @interfacedeclaration | @interfacetypeexpr; +@classorinterface = @classdefinition | @interfacedefinition; + +@lexical_decl = @vardecl | @typedecl; +@lexical_access = @varaccess | @localtypeaccess | @localvartypeaccess | @localnamespaceaccess; +@lexical_ref = @lexical_decl | @lexical_access; + +@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector; +@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident; + +// scopes +scopes (unique int id: @scope, + int kind: int ref); + +case @scope.kind of + 0 = @globalscope +| 1 = @functionscope +| 2 = @catchscope +| 3 = @modulescope +| 4 = @blockscope +| 5 = @forscope +| 6 = @forinscope // for-of scopes work the same as for-in scopes +| 7 = @comprehensionblockscope +| 8 = @classexprscope +| 9 = @namespacescope +| 10 = @classdeclscope +| 11 = @interfacescope +| 12 = @typealiasscope +| 13 = @mappedtypescope +| 14 = @enumscope +| 15 = @externalmodulescope +| 16 = @conditionaltypescope; + +scopenodes (unique int node: @ast_node ref, + int scope: @scope ref); + +scopenesting (unique int inner: @scope ref, + int outer: @scope ref); + +// functions +@function = @functiondeclstmt | @functionexpr | @arrowfunctionexpr; + +@parameterized = @function | @catchclause; +@type_parameterized = @function | @classorinterface | @typealiasdeclaration | @mappedtypeexpr | @infertypeexpr; + +isGenerator (int fun: @function ref); +hasRestParameter (int fun: @function ref); +isAsync (int fun: @function ref); + +// variables and lexically scoped type names +#keyset[scope, name] +variables (unique int id: @variable, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_type_names (unique int id: @local_type_name, + varchar(900) name: string ref, + int scope: @scope ref); + +#keyset[scope, name] +local_namespace_names (unique int id: @local_namespace_name, + varchar(900) name: string ref, + int scope: @scope ref); + +isArgumentsObject (int id: @variable ref); + +@lexical_name = @variable | @local_type_name | @local_namespace_name; + +@bind_id = @varaccess | @localvartypeaccess; +bind (unique int id: @bind_id ref, + int decl: @variable ref); + +decl (unique int id: @vardecl ref, + int decl: @variable ref); + +@typebind_id = @localtypeaccess | @export_varaccess; +typebind (unique int id: @typebind_id ref, + int decl: @local_type_name ref); + +@typedecl_id = @typedecl | @vardecl; +typedecl (unique int id: @typedecl_id ref, + int decl: @local_type_name ref); + +namespacedecl (unique int id: @vardecl ref, + int decl: @local_namespace_name ref); + +@namespacebind_id = @localnamespaceaccess | @export_varaccess; +namespacebind (unique int id: @namespacebind_id ref, + int decl: @local_namespace_name ref); + + +// properties in object literals, property patterns in object patterns, and method declarations in classes +#keyset[parent, index] +properties (unique int id: @property, + int parent: @property_parent ref, + int index: int ref, + int kind: int ref, + varchar(900) tostring: string ref); + +case @property.kind of + 0 = @value_property +| 1 = @property_getter +| 2 = @property_setter +| 3 = @jsx_attribute +| 4 = @function_call_signature +| 5 = @constructor_call_signature +| 6 = @index_signature +| 7 = @enum_member +| 8 = @proper_field +| 9 = @parameter_field +; + +@property_parent = @objexpr | @objectpattern | @classdefinition | @jsxelement | @interfacedefinition | @enumdeclaration; +@property_accessor = @property_getter | @property_setter; +@call_signature = @function_call_signature | @constructor_call_signature; +@field = @proper_field | @parameter_field; +@field_or_vardeclarator = @field | @vardeclarator; + +isComputed (int id: @property ref); +isMethod (int id: @property ref); +isStatic (int id: @property ref); +isAbstractMember (int id: @property ref); +isConstEnum (int id: @enumdeclaration ref); +isAbstractClass (int id: @classdeclstmt ref); + +hasPublicKeyword (int id: @property ref); +hasPrivateKeyword (int id: @property ref); +hasProtectedKeyword (int id: @property ref); +hasReadonlyKeyword (int id: @property ref); +isOptionalMember (int id: @property ref); +hasDefiniteAssignmentAssertion (int id: @field_or_vardeclarator ref); + +#keyset[constructor, param_index] +parameter_fields( + unique int field: @parameter_field ref, + int constructor: @functionexpr ref, + int param_index: int ref +); + +// types +#keyset[parent, idx] +typeexprs ( + unique int id: @typeexpr, + int kind: int ref, + int parent: @typeexpr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref +); + +case @typeexpr.kind of + 0 = @localtypeaccess +| 1 = @typedecl +| 2 = @keywordtypeexpr +| 3 = @stringliteraltypeexpr +| 4 = @numberliteraltypeexpr +| 5 = @booleanliteraltypeexpr +| 6 = @arraytypeexpr +| 7 = @uniontypeexpr +| 8 = @indexedaccesstypeexpr +| 9 = @intersectiontypeexpr +| 10 = @parenthesizedtypeexpr +| 11 = @tupletypeexpr +| 12 = @keyoftypeexpr +| 13 = @qualifiedtypeaccess +| 14 = @generictypeexpr +| 15 = @typelabel +| 16 = @typeoftypeexpr +| 17 = @localvartypeaccess +| 18 = @qualifiedvartypeaccess +| 19 = @thisvartypeaccess +| 20 = @istypeexpr +| 21 = @interfacetypeexpr +| 22 = @typeparameter +| 23 = @plainfunctiontypeexpr +| 24 = @constructortypeexpr +| 25 = @localnamespaceaccess +| 26 = @qualifiednamespaceaccess +| 27 = @mappedtypeexpr +| 28 = @conditionaltypeexpr +| 29 = @infertypeexpr +| 30 = @importtypeaccess +| 31 = @importnamespaceaccess +| 32 = @importvartypeaccess +| 33 = @optionaltypeexpr +| 34 = @resttypeexpr +| 35 = @bigintliteraltypeexpr +| 36 = @readonlytypeexpr +; + +@typeref = @typeaccess | @typedecl; +@typeidentifier = @typedecl | @localtypeaccess | @typelabel | @localvartypeaccess | @localnamespaceaccess; +@typeexpr_parent = @expr | @stmt | @property | @typeexpr; +@literaltypeexpr = @stringliteraltypeexpr | @numberliteraltypeexpr | @booleanliteraltypeexpr | @bigintliteraltypeexpr; +@typeaccess = @localtypeaccess | @qualifiedtypeaccess | @importtypeaccess; +@vartypeaccess = @localvartypeaccess | @qualifiedvartypeaccess | @thisvartypeaccess | @importvartypeaccess; +@namespaceaccess = @localnamespaceaccess | @qualifiednamespaceaccess | @importnamespaceaccess; +@importtypeexpr = @importtypeaccess | @importnamespaceaccess | @importvartypeaccess; + +@functiontypeexpr = @plainfunctiontypeexpr | @constructortypeexpr; + +// types +types ( + unique int id: @type, + int kind: int ref, + varchar(900) tostring: string ref +); + +#keyset[parent, idx] +type_child ( + int child: @type ref, + int parent: @type ref, + int idx: int ref +); + +case @type.kind of + 0 = @anytype +| 1 = @stringtype +| 2 = @numbertype +| 3 = @uniontype +| 4 = @truetype +| 5 = @falsetype +| 6 = @typereference +| 7 = @objecttype +| 8 = @canonicaltypevariabletype +| 9 = @typeoftype +| 10 = @voidtype +| 11 = @undefinedtype +| 12 = @nulltype +| 13 = @nevertype +| 14 = @plainsymboltype +| 15 = @uniquesymboltype +| 16 = @objectkeywordtype +| 17 = @intersectiontype +| 18 = @tupletype +| 19 = @lexicaltypevariabletype +| 20 = @thistype +| 21 = @numberliteraltype +| 22 = @stringliteraltype +| 23 = @unknowntype +| 24 = @biginttype +| 25 = @bigintliteraltype +; + +@booleanliteraltype = @truetype | @falsetype; +@symboltype = @plainsymboltype | @uniquesymboltype; +@unionorintersectiontype = @uniontype | @intersectiontype; +@typevariabletype = @canonicaltypevariabletype | @lexicaltypevariabletype; + +@typed_ast_node = @expr | @typeexpr | @function; +ast_node_type( + unique int node: @typed_ast_node ref, + int typ: @type ref); + +declared_function_signature( + unique int node: @function ref, + int sig: @signature_type ref +); + +invoke_expr_signature( + unique int node: @invokeexpr ref, + int sig: @signature_type ref +); + +invoke_expr_overload_index( + unique int node: @invokeexpr ref, + int index: int ref +); + +symbols ( + unique int id: @symbol, + int kind: int ref, + varchar(900) name: string ref +); + +symbol_parent ( + unique int symbol: @symbol ref, + int parent: @symbol ref +); + +symbol_module ( + int symbol: @symbol ref, + varchar(900) moduleName: string ref +); + +symbol_global ( + int symbol: @symbol ref, + varchar(900) globalName: string ref +); + +case @symbol.kind of + 0 = @root_symbol +| 1 = @member_symbol +| 2 = @other_symbol +; + +@type_with_symbol = @typereference | @typevariabletype | @typeoftype | @uniquesymboltype; +@ast_node_with_symbol = @typedefinition | @namespacedefinition | @toplevel | @typeaccess | @namespaceaccess | @vardecl | @function | @invokeexpr; + +ast_node_symbol( + unique int node: @ast_node_with_symbol ref, + int symbol: @symbol ref); + +type_symbol( + unique int typ: @type_with_symbol ref, + int symbol: @symbol ref); + +#keyset[typ, name] +type_property( + int typ: @type ref, + varchar(900) name: string ref, + int propertyType: @type ref); + +@literaltype = @stringliteraltype | @numberliteraltype | @booleanliteraltype | @bigintliteraltype; +@type_with_literal_value = @stringliteraltype | @numberliteraltype | @bigintliteraltype; +type_literal_value( + unique int typ: @type_with_literal_value ref, + varchar(900) value: string ref); + +signature_types ( + unique int id: @signature_type, + int kind: int ref, + varchar(900) tostring: string ref, + int type_parameters: int ref, + int required_params: int ref +); + +case @signature_type.kind of + 0 = @function_signature_type +| 1 = @constructor_signature_type +; + +#keyset[typ, kind, index] +type_contains_signature ( + int typ: @type ref, + int kind: int ref, // constructor/call/index + int index: int ref, // ordering of overloaded signatures + int sig: @signature_type ref +); + +#keyset[parent, index] +signature_contains_type ( + int child: @type ref, + int parent: @signature_type ref, + int index: int ref +); + +#keyset[sig, index] +signature_parameter_name ( + int sig: @signature_type ref, + int index: int ref, + varchar(900) name: string ref +); + +number_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +string_index_type ( + unique int baseType: @type ref, + int propertyType: @type ref +); + +base_type_names( + int typeName: @symbol ref, + int baseTypeName: @symbol ref +); + +self_types( + int typeName: @symbol ref, + int selfType: @typereference ref +); + +tuple_type_min_length( + unique int typ: @type ref, + int minLength: int ref +); + +tuple_type_rest( + unique int typ: @type ref +); + +// comments +comments (unique int id: @comment, + int kind: int ref, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(900) tostring: string ref); + +case @comment.kind of + 0 = @slashslashcomment +| 1 = @slashstarcomment +| 2 = @doccomment +| 3 = @htmlcommentstart +| 4 = @htmlcommentend; + +@htmlcomment = @htmlcommentstart | @htmlcommentend; +@linecomment = @slashslashcomment | @htmlcomment; +@blockcomment = @slashstarcomment | @doccomment; + +// source lines +lines (unique int id: @line, + int toplevel: @toplevel ref, + varchar(900) text: string ref, + varchar(2) terminator: string ref); +indentation (int file: @file ref, + int lineno: int ref, + varchar(1) indentChar: string ref, + int indentDepth: int ref); + +// JavaScript parse errors +jsParseErrors (unique int id: @js_parse_error, + int toplevel: @toplevel ref, + varchar(900) message: string ref, + varchar(900) line: string ref); + +// regular expressions +#keyset[parent, idx] +regexpterm (unique int id: @regexpterm, + int kind: int ref, + int parent: @regexpparent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +@regexpparent = @regexpterm | @regexpliteral; + +case @regexpterm.kind of + 0 = @regexp_alt +| 1 = @regexp_seq +| 2 = @regexp_caret +| 3 = @regexp_dollar +| 4 = @regexp_wordboundary +| 5 = @regexp_nonwordboundary +| 6 = @regexp_positive_lookahead +| 7 = @regexp_negative_lookahead +| 8 = @regexp_star +| 9 = @regexp_plus +| 10 = @regexp_opt +| 11 = @regexp_range +| 12 = @regexp_dot +| 13 = @regexp_group +| 14 = @regexp_normal_char +| 15 = @regexp_hex_escape +| 16 = @regexp_unicode_escape +| 17 = @regexp_dec_escape +| 18 = @regexp_oct_escape +| 19 = @regexp_ctrl_escape +| 20 = @regexp_char_class_escape +| 21 = @regexp_id_escape +| 22 = @regexp_backref +| 23 = @regexp_char_class +| 24 = @regexp_char_range +| 25 = @regexp_positive_lookbehind +| 26 = @regexp_negative_lookbehind +| 27 = @regexp_unicode_property_escape; + +regexpParseErrors (unique int id: @regexp_parse_error, + int regexp: @regexpterm ref, + varchar(900) message: string ref); + +@regexp_quantifier = @regexp_star | @regexp_plus | @regexp_opt | @regexp_range; +@regexp_escape = @regexp_char_escape | @regexp_char_class_escape | @regexp_unicode_property_escape; +@regexp_char_escape = @regexp_hex_escape | @regexp_unicode_escape | @regexp_dec_escape | @regexp_oct_escape | @regexp_ctrl_escape | @regexp_id_escape; +@regexp_constant = @regexp_normal_char | @regexp_char_escape; +@regexp_lookahead = @regexp_positive_lookahead | @regexp_negative_lookahead; +@regexp_lookbehind = @regexp_positive_lookbehind | @regexp_negative_lookbehind; +@regexp_subpattern = @regexp_lookahead | @regexp_lookbehind; + +isGreedy (int id: @regexp_quantifier ref); +rangeQuantifierLowerBound (unique int id: @regexp_range ref, int lo: int ref); +rangeQuantifierUpperBound (unique int id: @regexp_range ref, int hi: int ref); +isCapture (unique int id: @regexp_group ref, int number: int ref); +isNamedCapture (unique int id: @regexp_group ref, string name: string ref); +isInverted (int id: @regexp_char_class ref); +regexpConstValue (unique int id: @regexp_constant ref, varchar(1) value: string ref); +charClassEscape (unique int id: @regexp_char_class_escape ref, varchar(1) value: string ref); +backref (unique int id: @regexp_backref ref, int value: int ref); +namedBackref (unique int id: @regexp_backref ref, string name: string ref); +unicodePropertyEscapeName (unique int id: @regexp_unicode_property_escape ref, string name: string ref); +unicodePropertyEscapeValue (unique int id: @regexp_unicode_property_escape ref, string value: string ref); + +// tokens +#keyset[toplevel, idx] +tokeninfo (unique int id: @token, + int kind: int ref, + int toplevel: @toplevel ref, + int idx: int ref, + varchar(900) value: string ref); + +case @token.kind of + 0 = @token_eof +| 1 = @token_null_literal +| 2 = @token_boolean_literal +| 3 = @token_numeric_literal +| 4 = @token_string_literal +| 5 = @token_regular_expression +| 6 = @token_identifier +| 7 = @token_keyword +| 8 = @token_punctuator; + +// associate comments with the token immediately following them (which may be EOF) +next_token (int comment: @comment ref, int token: @token ref); + +// JSON +#keyset[parent, idx] +json (unique int id: @json_value, + int kind: int ref, + int parent: @json_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); + +json_literals (varchar(900) value: string ref, + varchar(900) raw: string ref, + unique int expr: @json_value ref); + +json_properties (int obj: @json_object ref, + varchar(900) property: string ref, + int value: @json_value ref); + +json_errors (unique int id: @json_parse_error, + varchar(900) message: string ref); + +json_locations(unique int locatable: @json_locatable ref, + int location: @location_default ref); + +case @json_value.kind of + 0 = @json_null +| 1 = @json_boolean +| 2 = @json_number +| 3 = @json_string +| 4 = @json_array +| 5 = @json_object; + +@json_parent = @json_object | @json_array | @file; + +@json_locatable = @json_value | @json_parse_error; + +// locations +@ast_node = @toplevel | @stmt | @expr | @property | @typeexpr; + +@locatable = @file + | @ast_node + | @comment + | @line + | @js_parse_error | @regexp_parse_error + | @regexpterm + | @json_locatable + | @token + | @cfg_node + | @jsdoc | @jsdoc_type_expr | @jsdoc_tag + | @yaml_locatable + | @xmllocatable + | @configLocatable; + +hasLocation (unique int locatable: @locatable ref, + int location: @location ref); + +// CFG +entry_cfg_node (unique int id: @entry_node, int container: @stmt_container ref); +exit_cfg_node (unique int id: @exit_node, int container: @stmt_container ref); +guard_node (unique int id: @guard_node, int kind: int ref, int test: @expr ref); +case @guard_node.kind of + 0 = @falsy_guard +| 1 = @truthy_guard; +@condition_guard = @falsy_guard | @truthy_guard; + +@synthetic_cfg_node = @entry_node | @exit_node | @guard_node; +@cfg_node = @synthetic_cfg_node | @exprparent; + +successor (int pred: @cfg_node ref, int succ: @cfg_node ref); + +// JSDoc comments +jsdoc (unique int id: @jsdoc, varchar(900) description: string ref, int comment: @comment ref); +#keyset[parent, idx] +jsdoc_tags (unique int id: @jsdoc_tag, varchar(900) title: string ref, + int parent: @jsdoc ref, int idx: int ref, varchar(900) tostring: string ref); +jsdoc_tag_descriptions (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); +jsdoc_tag_names (unique int tag: @jsdoc_tag ref, varchar(900) text: string ref); + +#keyset[parent, idx] +jsdoc_type_exprs (unique int id: @jsdoc_type_expr, + int kind: int ref, + int parent: @jsdoc_type_expr_parent ref, + int idx: int ref, + varchar(900) tostring: string ref); +case @jsdoc_type_expr.kind of + 0 = @jsdoc_any_type_expr +| 1 = @jsdoc_null_type_expr +| 2 = @jsdoc_undefined_type_expr +| 3 = @jsdoc_unknown_type_expr +| 4 = @jsdoc_void_type_expr +| 5 = @jsdoc_named_type_expr +| 6 = @jsdoc_applied_type_expr +| 7 = @jsdoc_nullable_type_expr +| 8 = @jsdoc_non_nullable_type_expr +| 9 = @jsdoc_record_type_expr +| 10 = @jsdoc_array_type_expr +| 11 = @jsdoc_union_type_expr +| 12 = @jsdoc_function_type_expr +| 13 = @jsdoc_optional_type_expr +| 14 = @jsdoc_rest_type_expr +; + +#keyset[id, idx] +jsdoc_record_field_name (int id: @jsdoc_record_type_expr ref, int idx: int ref, varchar(900) name: string ref); +jsdoc_prefix_qualifier (int id: @jsdoc_type_expr ref); +jsdoc_has_new_parameter (int fn: @jsdoc_function_type_expr ref); + +@jsdoc_type_expr_parent = @jsdoc_type_expr | @jsdoc_tag; + +jsdoc_errors (unique int id: @jsdoc_error, int tag: @jsdoc_tag ref, varchar(900) message: string ref, varchar(900) tostring: string ref); + +// YAML +#keyset[parent, idx] +yaml (unique int id: @yaml_node, + int kind: int ref, + int parent: @yaml_node_parent ref, + int idx: int ref, + varchar(900) tag: string ref, + varchar(900) tostring: string ref); + +case @yaml_node.kind of + 0 = @yaml_scalar_node +| 1 = @yaml_mapping_node +| 2 = @yaml_sequence_node +| 3 = @yaml_alias_node +; + +@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; + +@yaml_node_parent = @yaml_collection_node | @file; + +yaml_anchors (unique int node: @yaml_node ref, + varchar(900) anchor: string ref); + +yaml_aliases (unique int alias: @yaml_alias_node ref, + varchar(900) target: string ref); + +yaml_scalars (unique int scalar: @yaml_scalar_node ref, + int style: int ref, + varchar(900) value: string ref); + +yaml_errors (unique int id: @yaml_error, + varchar(900) message: string ref); + +yaml_locations(unique int locatable: @yaml_locatable ref, + int location: @location_default ref); + +@yaml_locatable = @yaml_node | @yaml_error; + +/* XML Files */ + +xmlEncoding( + unique int id: @file ref, + varchar(900) encoding: string ref +); + +xmlDTDs( + unique int id: @xmldtd, + varchar(900) root: string ref, + varchar(900) publicId: string ref, + varchar(900) systemId: string ref, + int fileid: @file ref +); + +xmlElements( + unique int id: @xmlelement, + varchar(900) name: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int fileid: @file ref +); + +xmlAttrs( + unique int id: @xmlattribute, + int elementid: @xmlelement ref, + varchar(900) name: string ref, + varchar(3600) value: string ref, + int idx: int ref, + int fileid: @file ref +); + +xmlNs( + int id: @xmlnamespace, + varchar(900) prefixName: string ref, + varchar(900) URI: string ref, + int fileid: @file ref +); + +xmlHasNs( + int elementId: @xmlnamespaceable ref, + int nsId: @xmlnamespace ref, + int fileid: @file ref +); + +xmlComments( + unique int id: @xmlcomment, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int fileid: @file ref +); + +xmlChars( + unique int id: @xmlcharacters, + varchar(3600) text: string ref, + int parentid: @xmlparent ref, + int idx: int ref, + int isCDATA: int ref, + int fileid: @file ref +); + +@xmlparent = @file | @xmlelement; +@xmlnamespaceable = @xmlelement | @xmlattribute; + +xmllocations( + int xmlElement: @xmllocatable ref, + int location: @location_default ref +); + +@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace; + +@dataflownode = @expr | @functiondeclstmt | @classdeclstmt | @namespacedeclaration | @enumdeclaration | @property; + +@optionalchainable = @callexpr | @propaccess; + +isOptionalChaining(int id: @optionalchainable ref); + +/* + * configuration files with key value pairs + */ + +configs( + unique int id: @config +); + +configNames( + unique int id: @configName, + int config: @config ref, + string name: string ref +); + +configValues( + unique int id: @configValue, + int config: @config ref, + string value: string ref +); + +configLocations( + int locatable: @configLocatable ref, + int location: @location_default ref +); + +@configLocatable = @config | @configName | @configValue; + +/** + * The time taken for the extraction of a file. + * This table contains non-deterministic content. + * + * The sum of the `time` column for each (`file`, `timerKind`) pair + * is the total time taken for extraction of `file`. The `extractionPhase` + * column provides a granular view of the extraction time of the file. + */ +extraction_time( + int file : @file ref, + // see `com.semmle.js.extractor.ExtractionMetrics.ExtractionPhase`. + int extractionPhase: int ref, + // 0 for the elapsed CPU time in nanoseconds, 1 for the elapsed wallclock time in nanoseconds + int timerKind: int ref, + float time: float ref +) + +/** + * Non-timing related data for the extraction of a single file. + * This table contains non-deterministic content. + */ +extraction_data( + int file : @file ref, + // the absolute path to the cache file + varchar(900) cacheFile: string ref, + boolean fromCache: boolean ref, + int length: int ref +) diff --git a/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/upgrade.properties b/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/upgrade.properties new file mode 100644 index 00000000000..ed9fa5ca539 --- /dev/null +++ b/javascript/upgrades/ab0dab3b55b386f366e9904e10139edebca0495c/upgrade.properties @@ -0,0 +1,2 @@ +description: Add support for import.meta expressions to the database +compatibility: backwards diff --git a/javascript/upgrades/qlpack.yml b/javascript/upgrades/qlpack.yml new file mode 100644 index 00000000000..e28efab120f --- /dev/null +++ b/javascript/upgrades/qlpack.yml @@ -0,0 +1,2 @@ +name: codeql-javascript-upgrades +upgrades: . diff --git a/misc/suite-helpers/lgtm-displayed-only.yml b/misc/suite-helpers/lgtm-displayed-only.yml index edb3e72c8e7..1b7237495e2 100644 --- a/misc/suite-helpers/lgtm-displayed-only.yml +++ b/misc/suite-helpers/lgtm-displayed-only.yml @@ -1,8 +1,12 @@ - description: Selectors for excluding queries that LGTM doesn't display by default - exclude: - kind: problem + kind: + - problem + - path-problem precision: medium - exclude: - kind: problem + kind: + - problem + - path-problem precision: high problem.severity: recommendation diff --git a/misc/suite-helpers/lgtm-selectors.yml b/misc/suite-helpers/lgtm-selectors.yml index 13bfccd71b2..e84a1f15867 100644 --- a/misc/suite-helpers/lgtm-selectors.yml +++ b/misc/suite-helpers/lgtm-selectors.yml @@ -1,11 +1,15 @@ - description: Selectors for selecting the LGTM-relevant queries for a language - include: - kind: problem + kind: + - problem + - path-problem precision: - high - very high - include: - kind: problem + kind: + - problem + - path-problem precision: medium problem.severity: - error diff --git a/python/ql/src/Functions/IterReturnsNonIterator.py b/python/ql/src/Functions/IterReturnsNonIterator.py index 91f2ab699de..585dfbee6b6 100644 --- a/python/ql/src/Functions/IterReturnsNonIterator.py +++ b/python/ql/src/Functions/IterReturnsNonIterator.py @@ -1,18 +1,33 @@ class MyRange(object): def __init__(self, low, high): - self.current = low + self.low = low self.high = high def __iter__(self): - return self + return MyRangeIterator(self.low, self.high) -#Fixed version -class MyRange(object): - def __init__(self, low, high): + def skip(self, to_skip): + return MyRangeIterator(self.low, self.high, to_skip) + +class MyRangeIterator(object): + def __init__(self, low, high, skip=None): self.current = low self.high = high + self.skip = skip - def __iter__(self): - while self.current < self.high: - yield self.current - self.current += 1 + def __next__(self): + if self.current >= self.high: + raise StopIteration + to_return = self.current + self.current += 1 + if self.skip and to_return in self.skip: + return self.__next__() + return to_return + + # Problem is fixed by uncommenting these lines + # def __iter__(self): + # return self + +my_range = MyRange(0,10) +x = sum(my_range) # x = 45 +y = sum(my_range.skip({6,9})) # TypeError: 'MyRangeIterator' object is not iterable diff --git a/python/ql/src/Functions/IterReturnsNonIterator.qhelp b/python/ql/src/Functions/IterReturnsNonIterator.qhelp index ebb043b5d0f..4b5e17bba09 100644 --- a/python/ql/src/Functions/IterReturnsNonIterator.qhelp +++ b/python/ql/src/Functions/IterReturnsNonIterator.qhelp @@ -3,35 +3,33 @@ "qhelp.dtd"> -

    The __iter__ method of a class should return an iterator. +

    The __iter__ method of a class should always return an iterator.

    -Iteration in Python relies on this behavior and attempting to iterate over an -instance of a class with an incorrect __iter__ method will raise a TypeError. +

    Iterators must implement both __next__ and __iter__ for Python 3, or both next and __iter__ for Python 2. The __iter__ method of the iterator must return the iterator object itself.

    + +

    Iteration in Python relies on this behavior and attempting to iterate over an instance of a class with an incorrect __iter__ method can raise a TypeError.

    -     -

    Make the __iter__ return a new iterator, either as an instance of -a separate class or as a generator.

    - +

    Make sure the value returned by __iter__ implements the full iterator protocol.

     -

    In this example the MyRange class's __iter__ method does not -return an iterator. This will cause the program to fail when anyone attempts -to use the iterator in a for loop or in statement. -

    +

    In this example, we have implemented our own version of range, extending the normal functionality with the ability to skip some elements by using the skip method. However, the iterator MyRangeIterator does not fully implement the iterator protocol (namely it is missing __iter__).

    -

    The fixed version implements the __iter__ method as a generator function.

    +

    Iterating over the elements in the range seems to work on the surface, for example the code x = sum(my_range) gives the expected result. However, if we run sum(iter(my_range)) we get a TypeError: 'MyRangeIterator' object is not iterable.

    + +

    If we try to skip some elements using our custom method, for example y = sum(my_range.skip({6,9})), this also raises a TypeError.

    + +

    The fix is to implement the __iter__ method in MyRangeIterator.

     -
  • Python Language Reference: object.__iter__.
    • -
  • Python Standard Library: Iterator Types.
    • - +
  • Python Language Reference: object.__iter__.
    • +
  • Python Standard Library: Iterator Types.
    •      diff --git a/python/ql/src/Functions/IterReturnsNonIterator.ql b/python/ql/src/Functions/IterReturnsNonIterator.ql index 7c727af8d4e..67db4e89aa3 100644 --- a/python/ql/src/Functions/IterReturnsNonIterator.ql +++ b/python/ql/src/Functions/IterReturnsNonIterator.ql @@ -12,21 +12,20 @@ import python -FunctionObject iter_method(ClassObject t) { - result = t.lookupAttribute("__iter__") -} - -cached ClassObject return_type(FunctionObject f) { +ClassObject return_type(FunctionObject f) { exists(ControlFlowNode n, Return ret | - ret.getScope() = f.getFunction() and ret.getValue() = n.getNode() and + ret.getScope() = f.getFunction() and + ret.getValue() = n.getNode() and n.refersTo(_, result, _) ) } -from ClassObject t, FunctionObject iter -where exists(ClassObject ret_t | iter = iter_method(t) and - ret_t = return_type(iter) and - not ret_t.isIterator() - ) - -select iter, "The '__iter__' method of iterable class $@ does not return an iterator.", t, t.getName() \ No newline at end of file +from ClassObject iterable, FunctionObject iter, ClassObject iterator +where + iter = iterable.lookupAttribute("__iter__") and + iterator = return_type(iter) and + not iterator.isIterator() +select iterator, + "Class " + iterator.getName() + + " is returned as an iterator (by $@) but does not fully implement the iterator interface.", + iter, iter.getName() diff --git a/python/ql/src/Imports/Cyclic.qll b/python/ql/src/Imports/Cyclic.qll index bcda354ed95..c550c163c66 100644 --- a/python/ql/src/Imports/Cyclic.qll +++ b/python/ql/src/Imports/Cyclic.qll @@ -21,7 +21,8 @@ predicate circular_import(ModuleValue m1, ModuleValue m2) { ModuleValue stmt_imports(ImportingStmt s) { exists(string name | result.importedAs(name) and not name = "__main__" | name = s.getAnImportedModuleName() and - s.getASubExpression().pointsTo(result) + s.getASubExpression().pointsTo(result) and + not result.isPackage() ) } diff --git a/python/ql/src/Imports/UnusedImport.ql b/python/ql/src/Imports/UnusedImport.ql index 6d927550c0c..3ac04e2e4d2 100644 --- a/python/ql/src/Imports/UnusedImport.ql +++ b/python/ql/src/Imports/UnusedImport.ql @@ -14,13 +14,13 @@ import python import Variables.Definition predicate global_name_used(Module m, Variable name) { - exists (Name u, GlobalVariable v | + exists(Name u, GlobalVariable v | u.uses(v) and v.getId() = name.getId() and u.getEnclosingModule() = m ) or - /* A use of an undefined class local variable, will use the global variable */ + // A use of an undefined class local variable, will use the global variable exists(Name u, LocalVariable v | u.uses(v) and v.getId() = name.getId() and @@ -31,24 +31,21 @@ predicate global_name_used(Module m, Variable name) { /** Holds if a module has `__all__` but we don't understand it */ predicate all_not_understood(Module m) { - exists(GlobalVariable a | - a.getId() = "__all__" and a.getScope() = m | - /* __all__ is not defined as a simple list */ + exists(GlobalVariable a | a.getId() = "__all__" and a.getScope() = m | + // `__all__` is not defined as a simple list not m.declaredInAll(_) or - /* __all__ is modified */ + // `__all__` is modified exists(Call c | c.getFunc().(Attribute).getObject() = a.getALoad()) ) } predicate imported_module_used_in_doctest(Import imp) { exists(string modname | - imp.getAName().getAsname().(Name).getId() = modname - and - /* Look for doctests containing the patterns: - * >>> …name… - * ... …name… - */ + imp.getAName().getAsname().(Name).getId() = modname and + // Look for doctests containing the patterns: + // >>> …name… + // ... …name… exists(StrConst doc | doc.getEnclosingModule() = imp.getScope() and doc.isDocString() and @@ -58,52 +55,52 @@ predicate imported_module_used_in_doctest(Import imp) { } predicate imported_module_used_in_typehint(Import imp) { - exists(string modname | - imp.getAName().getAsname().(Name).getId() = modname - and - /* Look for typehints containing the patterns: - * # type: …name… - */ + exists(string modname, Location loc | + imp.getAName().getAsname().(Name).getId() = modname and + loc.getFile() = imp.getScope().(Module).getFile() + | + // Look for type hints containing the patterns: + // # type: …name… exists(Comment typehint | - typehint.getLocation().getFile() = imp.getScope().(Module).getFile() and + loc = typehint.getLocation() and typehint.getText().regexpMatch("# type:.*" + modname + ".*") ) + or + // Type hint is inside a string annotation, as needed for forward references + exists(string typehint, Expr annotation | + annotation = any(Arguments a).getAnAnnotation() + or + annotation = any(AnnAssign a).getAnnotation() + | + annotation.pointsTo(Value::forString(typehint)) and + loc = annotation.getLocation() and + typehint.regexpMatch(".*\\b" + modname + "\\b.*") + ) ) } - predicate unused_import(Import imp, Variable name) { - ((Name)imp.getAName().getAsname()).getVariable() = name - and - not imp.getAnImportedModuleName() = "__future__" - and - not imp.getEnclosingModule().declaredInAll(name.getId()) - and - imp.getScope() = imp.getEnclosingModule() - and - not global_name_used(imp.getScope(), name) - and - /* Imports in __init__.py are used to force module loading */ - not imp.getEnclosingModule().isPackageInit() - and - /* Name may be imported for use in epytext documentation */ - not exists(Comment cmt | - cmt.getText().matches("%L{" + name.getId() + "}%") | + imp.getAName().getAsname().(Name).getVariable() = name and + not imp.getAnImportedModuleName() = "__future__" and + not imp.getEnclosingModule().declaredInAll(name.getId()) and + imp.getScope() = imp.getEnclosingModule() and + not global_name_used(imp.getScope(), name) and + // Imports in `__init__.py` are used to force module loading + not imp.getEnclosingModule().isPackageInit() and + // Name may be imported for use in epytext documentation + not exists(Comment cmt | cmt.getText().matches("%L{" + name.getId() + "}%") | cmt.getLocation().getFile() = imp.getLocation().getFile() - ) - and - not name_acceptable_for_unused_variable(name) - and - /* Assume that opaque `__all__` includes imported module */ - not all_not_understood(imp.getEnclosingModule()) - and - not imported_module_used_in_doctest(imp) - and - not imported_module_used_in_typehint(imp) + ) and + not name_acceptable_for_unused_variable(name) and + // Assume that opaque `__all__` includes imported module + not all_not_understood(imp.getEnclosingModule()) and + not imported_module_used_in_doctest(imp) and + not imported_module_used_in_typehint(imp) and + // Only consider import statements that actually point-to something (possibly an unknown module). + // If this is not the case, it's likely that the import statement never gets executed. + imp.getAName().getValue().pointsTo(_) } - from Stmt s, Variable name where unused_import(s, name) select s, "Import of '" + name.getId() + "' is not used." - diff --git a/python/ql/src/Security/CWE-089/SqlInjection.qhelp b/python/ql/src/Security/CWE-089/SqlInjection.qhelp index e976401a6b5..286b71a6047 100644 --- a/python/ql/src/Security/CWE-089/SqlInjection.qhelp +++ b/python/ql/src/Security/CWE-089/SqlInjection.qhelp @@ -21,20 +21,29 @@ or prepared statements.

    -In the following snippet, from an example django app, -a name is stored in the database using two different queries. +In the following snippet, a user is fetched from the database using three +different queries.

    In the first case, the query string is built by -directly using string formatting from a user-supplied request attribute. +directly using string formatting from a user-supplied request parameter. The parameter may include quote characters, so this code is vulnerable to a SQL injection attack.

    In the second case, the user-supplied request attribute is passed -to the database using query parameters. +to the database using query parameters. The database connector library will +take care of escaping and inserting quotes as needed. +

    + +

    +In the third case, the placeholder in the SQL string has been manually quoted. Since most +databaseconnector libraries will insert their own quotes, doing so yourself will make the code +vulnerable to SQL injection attacks. In this example, if username was +; DROP ALL TABLES -- , the final SQL query would be +SELECT * FROM users WHERE username = ''; DROP ALL TABLES -- ''

    diff --git a/python/ql/src/Security/CWE-089/examples/sql_injection.py b/python/ql/src/Security/CWE-089/examples/sql_injection.py index 541c580f712..fe6dbc50c01 100644 --- a/python/ql/src/Security/CWE-089/examples/sql_injection.py +++ b/python/ql/src/Security/CWE-089/examples/sql_injection.py @@ -1,21 +1,19 @@ - -from django.conf.urls import patterns, url +from django.conf.urls import url from django.db import connection -def save_name(request): +def show_user(request, username): + with connection.cursor() as cursor: + # BAD -- Using string formatting + cursor.execute("SELECT * FROM users WHERE username = '%s'" % username) + user = cursor.fetchone() - if request.method == 'POST': - name = request.POST.get('name') - curs = connection.cursor() - #BAD -- Using string formatting - curs.execute( - "insert into names_file ('name') values ('%s')" % name) - #GOOD -- Using parameters - curs.execute( - "insert into names_file ('name') values ('%s')", name) + # GOOD -- Using parameters + cursor.execute("SELECT * FROM users WHERE username = %s", username) + user = cursor.fetchone() + # BAD -- Manually quoting placeholder (%s) + cursor.execute("SELECT * FROM users WHERE username = '%s'", username) + user = cursor.fetchone() -urlpatterns = patterns(url(r'^save_name/$', - upload, name='save_name')) - +urlpatterns = [url(r'^users/(?P[^/]+)$', show_user)] diff --git a/python/ql/src/Statements/UnreachableCode.ql b/python/ql/src/Statements/UnreachableCode.ql index 2bdfc84ebb3..88f8b9427a2 100644 --- a/python/ql/src/Statements/UnreachableCode.ql +++ b/python/ql/src/Statements/UnreachableCode.ql @@ -16,9 +16,7 @@ import python predicate typing_import(ImportingStmt is) { exists(Module m | is.getScope() = m and - exists(TypeHintComment tc | - tc.getLocation().getFile() = m.getFile() - ) + exists(TypeHintComment tc | tc.getLocation().getFile() = m.getFile()) ) } @@ -39,6 +37,15 @@ predicate suppression_in_scope(Stmt s) { ) } +/** Holds if `s` is a statement that raises an exception at the end of an if-elif-else chain. */ +predicate marks_an_impossible_else_branch(Stmt s) { + exists(If i | i.getOrelse().getItem(0) = s | + s.(Assert).getTest() instanceof False + or + s instanceof Raise + ) +} + predicate reportable_unreachable(Stmt s) { s.isUnreachable() and not typing_import(s) and @@ -46,11 +53,10 @@ predicate reportable_unreachable(Stmt s) { not exists(Stmt other | other.isUnreachable() | other.contains(s) or - exists(StmtList l, int i, int j | - l.getItem(i) = other and l.getItem(j) = s and i < j - ) + exists(StmtList l, int i, int j | l.getItem(i) = other and l.getItem(j) = s and i < j) ) and - not unique_yield(s) + not unique_yield(s) and + not marks_an_impossible_else_branch(s) } from Stmt s diff --git a/python/ql/src/Variables/UndefinedExport.ql b/python/ql/src/Variables/UndefinedExport.ql index 6bf128def79..edd2e375c0f 100644 --- a/python/ql/src/Variables/UndefinedExport.ql +++ b/python/ql/src/Variables/UndefinedExport.ql @@ -14,39 +14,54 @@ import python /** Whether name is declared in the __all__ list of this module */ -predicate declaredInAll(Module m, StrConst name) -{ - exists(Assign a, GlobalVariable all | - a.defines(all) and a.getScope() = m and - all.getId() = "__all__" and ((List)a.getValue()).getAnElt() = name +predicate declaredInAll(Module m, StrConst name) { + exists(Assign a, GlobalVariable all | + a.defines(all) and + a.getScope() = m and + all.getId() = "__all__" and + a.getValue().(List).getAnElt() = name ) } -predicate mutates_globals(PythonModuleObject m) { +predicate mutates_globals(ModuleValue m) { exists(CallNode globals | - globals = Object::builtin("globals").(FunctionObject).getACall() and - globals.getScope() = m.getModule() | + globals = Value::named("globals").(FunctionValue).getACall() and + globals.getScope() = m.getScope() + | exists(AttrNode attr | attr.getObject() = globals) or exists(SubscriptNode sub | sub.getValue() = globals and sub.isStore()) ) or - exists(Object enum_convert | - enum_convert.hasLongName("enum.Enum._convert") and - exists(CallNode call | - call.getScope() = m.getModule() - | - enum_convert.(FunctionObject).getACall() = call or - call.getFunction().refersTo(enum_convert) + exists(Value enum_convert, ClassValue enum_class | + enum_class.getASuperType() = Value::named("enum.Enum") and + enum_convert = enum_class.attr("_convert") and + exists(CallNode call | call.getScope() = m.getScope() | + enum_convert.getACall() = call or + call.getFunction().pointsTo(enum_convert) ) ) } -from PythonModuleObject m, StrConst name, string exported_name -where declaredInAll(m.getModule(), name) and -exported_name = name.strValue() and -not m.hasAttribute(exported_name) and -not (m.getShortName() = "__init__" and exists(m.getPackage().getModule().getSubModule(exported_name))) and -not exists(ImportStarNode imp | imp.getEnclosingModule() = m.getModule() | not imp.getModule().refersTo(_)) and -not mutates_globals(m) -select name, "The name '" + exported_name + "' is exported by __all__ but is not defined." \ No newline at end of file +predicate is_exported_submodule_name(ModuleValue m, string exported_name) { + m.getScope().getShortName() = "__init__" and + exists(m.getScope().getPackage().getSubModule(exported_name)) +} + +predicate contains_unknown_import_star(ModuleValue m) { + exists(ImportStarNode imp | imp.getEnclosingModule() = m.getScope() | + imp.getModule().pointsTo().isAbsent() + or + not exists(imp.getModule().pointsTo()) + ) +} + +from ModuleValue m, StrConst name, string exported_name +where + declaredInAll(m.getScope(), name) and + exported_name = name.strValue() and + not m.hasAttribute(exported_name) and + not is_exported_submodule_name(m, exported_name) and + not contains_unknown_import_star(m) and + not mutates_globals(m) +select name, "The name '" + exported_name + "' is exported by __all__ but is not defined." diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll index a3bf174897f..68361d1b12c 100644 --- a/python/ql/src/semmle/python/Module.qll +++ b/python/ql/src/semmle/python/Module.qll @@ -52,6 +52,13 @@ class Module extends Module_, Scope, AstNode { result = moduleNameFromFile(this.getPath()) } + /** Gets the short name of the module. For example the short name of module x.y.z is 'z' */ + string getShortName() { + result = this.getName().suffix(this.getPackage().getName().length()+1) + or + result = this.getName() and not exists(this.getPackage()) + } + /** Gets this module */ override Module getEnclosingModule() { result = this diff --git a/python/ql/src/semmle/python/dataflow/Configuration.qll b/python/ql/src/semmle/python/dataflow/Configuration.qll index b1eb4ced1ed..3672f022b4c 100644 --- a/python/ql/src/semmle/python/dataflow/Configuration.qll +++ b/python/ql/src/semmle/python/dataflow/Configuration.qll @@ -23,7 +23,7 @@ module TaintTracking { /* Old implementation API */ - predicate isSource(Source source) { none() } + predicate isSource(Source src) { none() } predicate isSink(Sink sink) { none() } @@ -34,14 +34,14 @@ module TaintTracking { /* New implementation API */ /** - * Holds if `source` is a source of taint of `kind` that is relevant + * Holds if `src` is a source of taint of `kind` that is relevant * for this configuration. */ - predicate isSource(DataFlow::Node node, TaintKind kind) { - exists(TaintSource source | - this.isSource(source) and - node.asCfgNode() = source and - source.isSourceOf(kind) + predicate isSource(DataFlow::Node src, TaintKind kind) { + exists(TaintSource taintSrc | + this.isSource(taintSrc) and + src.asCfgNode() = taintSrc and + taintSrc.isSourceOf(kind) ) } @@ -49,11 +49,11 @@ module TaintTracking { * Holds if `sink` is a sink of taint of `kind` that is relevant * for this configuration. */ - predicate isSink(DataFlow::Node node, TaintKind kind) { - exists(TaintSink sink | - this.isSink(sink) and - node.asCfgNode() = sink and - sink.sinks(kind) + predicate isSink(DataFlow::Node sink, TaintKind kind) { + exists(TaintSink taintSink | + this.isSink(taintSink) and + sink.asCfgNode() = taintSink and + taintSink.sinks(kind) ) } @@ -116,27 +116,27 @@ module TaintTracking { /* Common query API */ - predicate hasFlowPath(PathSource source, PathSink sink) { - this.(TaintTrackingImplementation).hasFlowPath(source, sink) + predicate hasFlowPath(PathSource src, PathSink sink) { + this.(TaintTrackingImplementation).hasFlowPath(src, sink) } /* Old query API */ /* deprecated */ - predicate hasFlow(Source source, Sink sink) { - exists(PathSource psource, PathSink psink | - this.hasFlowPath(psource, psink) and - source = psource.getNode().asCfgNode() and + predicate hasFlow(Source src, Sink sink) { + exists(PathSource psrc, PathSink psink | + this.hasFlowPath(psrc, psink) and + src = psrc.getNode().asCfgNode() and sink = psink.getNode().asCfgNode() ) } /* New query API */ - predicate hasSimpleFlow(DataFlow::Node source, DataFlow::Node sink) { - exists(PathSource psource, PathSink psink | - this.hasFlowPath(psource, psink) and - source = psource.getNode() and + predicate hasSimpleFlow(DataFlow::Node src, DataFlow::Node sink) { + exists(PathSource psrc, PathSink psink | + this.hasFlowPath(psrc, psink) and + src = psrc.getNode() and sink = psink.getNode() ) } diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll index dd6b856875a..7247b7d450c 100644 --- a/python/ql/src/semmle/python/objects/ObjectAPI.qll +++ b/python/ql/src/semmle/python/objects/ObjectAPI.qll @@ -99,6 +99,12 @@ class Value extends TObject { this.(ObjectInternal).hasAttribute(name) } + /** Whether this value is absent from the database, but has been inferred to likely exist */ + predicate isAbsent() { + this instanceof AbsentModuleObjectInternal + or + this instanceof AbsentModuleAttributeObjectInternal + } } /** Class representing modules in the Python program @@ -139,6 +145,11 @@ class ModuleValue extends Value { PointsToInternal::module_imported_as(this, name) } + /** Whether this module is a package. */ + predicate isPackage() { + this instanceof PackageObjectInternal + } + } module Module { @@ -384,12 +395,12 @@ class ClassValue extends Value { Types::failedInference(this, reason) } - /** Gets the nth base class of this class */ + /** Gets the nth immediate base type of this class. */ ClassValue getBaseType(int n) { result = Types::getBase(this, n) } - /** Gets a base class of this class */ + /** Gets an immediate base type of this class. */ ClassValue getABaseType() { result = Types::getBase(this, _) } diff --git a/python/ql/src/semmle/python/security/SensitiveData.qll b/python/ql/src/semmle/python/security/SensitiveData.qll index 9b253da6937..5dddd9b0d30 100644 --- a/python/ql/src/semmle/python/security/SensitiveData.qll +++ b/python/ql/src/semmle/python/security/SensitiveData.qll @@ -112,12 +112,6 @@ module SensitiveData { private SensitiveData fromFunction(Value func) { result = HeuristicNames::getSensitiveDataForName(func.getName()) - or - // This is particularly to pick up methods with an argument like "password", which - // may indicate a lookup. - exists(string name | name = func.(PythonFunctionValue).getScope().getAnArg().asName().getId() | - result = HeuristicNames::getSensitiveDataForName(name) - ) } abstract class Source extends TaintSource { diff --git a/python/ql/src/semmle/python/web/django/General.qll b/python/ql/src/semmle/python/web/django/General.qll new file mode 100644 index 00000000000..423d853cdad --- /dev/null +++ b/python/ql/src/semmle/python/web/django/General.qll @@ -0,0 +1,40 @@ +import python +import semmle.python.regex +import semmle.python.web.Http + +predicate django_route(CallNode call, ControlFlowNode regex, FunctionValue view) { + exists(FunctionValue url | + Value::named("django.conf.urls.url") = url and + url.getArgumentForCall(call, 0) = regex and + url.getArgumentForCall(call, 1).pointsTo(view) + ) +} + +class DjangoRouteRegex extends RegexString { + DjangoRouteRegex() { django_route(_, this.getAFlowNode(), _) } +} + +class DjangoRoute extends CallNode { + DjangoRoute() { django_route(this, _, _) } + + FunctionValue getViewFunction() { django_route(this, _, result) } + + string getNamedArgument() { + exists(DjangoRouteRegex regex | + django_route(this, regex.getAFlowNode(), _) and + regex.getGroupName(_, _) = result + ) + } + + /** + * Get the number of positional arguments that will be passed to the view. + * Will only return a result if there are no named arguments. + */ + int getNumPositionalArguments() { + exists(DjangoRouteRegex regex | + django_route(this, regex.getAFlowNode(), _) and + not exists(string s | s = regex.getGroupName(_, _)) and + result = count(regex.getGroupNumber(_, _)) + ) + } +} diff --git a/python/ql/src/semmle/python/web/django/Model.qll b/python/ql/src/semmle/python/web/django/Model.qll index 34cf5856802..b8f47b64bdf 100644 --- a/python/ql/src/semmle/python/web/django/Model.qll +++ b/python/ql/src/semmle/python/web/django/Model.qll @@ -54,33 +54,6 @@ class DjangoModelObjects extends TaintSource { override string toString() { result = "django.db.models.Model.objects" } } -/** A write to a field of a django model, which is a vulnerable to external data. */ -class DjangoModelFieldWrite extends SqlInjectionSink { - DjangoModelFieldWrite() { - exists(AttrNode attr, DjangoModel model | - this = attr and attr.isStore() and attr.getObject(_).pointsTo(model) - ) - } - - override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind } - - override string toString() { result = "django model field write" } -} - -/** A direct reference to a django model object, which is vulnerable to external data. */ -class DjangoModelDirectObjectReference extends TaintSink { - DjangoModelDirectObjectReference() { - exists(CallNode objects_get_call, ControlFlowNode objects | this = objects_get_call.getAnArg() | - objects_get_call.getFunction().(AttrNode).getObject("get") = objects and - any(DjangoDbTableObjects objs).taints(objects) - ) - } - - override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind } - - override string toString() { result = "django model object reference" } -} - /** * A call to the `raw` method on a django model. This allows a raw SQL query * to be sent to the database, which is a security risk. diff --git a/python/ql/src/semmle/python/web/django/Request.qll b/python/ql/src/semmle/python/web/django/Request.qll index d2ad2ff30d3..24a29ea4542 100644 --- a/python/ql/src/semmle/python/web/django/Request.qll +++ b/python/ql/src/semmle/python/web/django/Request.qll @@ -1,7 +1,7 @@ import python -import semmle.python.regex import semmle.python.security.TaintTracking import semmle.python.web.Http +import semmle.python.web.django.General /** A django.request.HttpRequest object */ class DjangoRequest extends TaintKind { @@ -52,7 +52,7 @@ abstract class DjangoRequestSource extends HttpRequestTaintSource { private class DjangoFunctionBasedViewRequestArgument extends DjangoRequestSource { DjangoFunctionBasedViewRequestArgument() { exists(FunctionValue view | - url_dispatch(_, _, view) and + django_route(_, _, view) and this = view.getScope().getArg(0).asName().getAFlowNode() ) } @@ -67,7 +67,7 @@ private class DjangoView extends ClassValue { } private FunctionValue djangoViewHttpMethod() { - exists(DjangoView view | view.attr(httpVerbLower()) = result) + exists(DjangoView view | view.lookup(httpVerbLower()) = result) } class DjangoClassBasedViewRequestArgument extends DjangoRequestSource { @@ -76,41 +76,18 @@ class DjangoClassBasedViewRequestArgument extends DjangoRequestSource { } } -/* *********** Routing ********* */ -/* Function based views */ -predicate url_dispatch(CallNode call, ControlFlowNode regex, FunctionValue view) { - exists(FunctionValue url | - Value::named("django.conf.urls.url") = url and - url.getArgumentForCall(call, 0) = regex and - url.getArgumentForCall(call, 1).pointsTo(view) - ) -} - -class UrlRegex extends RegexString { - UrlRegex() { url_dispatch(_, this.getAFlowNode(), _) } -} - -class UrlRouting extends CallNode { - UrlRouting() { url_dispatch(this, _, _) } - - FunctionValue getViewFunction() { url_dispatch(this, _, result) } - - string getNamedArgument() { - exists(UrlRegex regex | - url_dispatch(this, regex.getAFlowNode(), _) and - regex.getGroupName(_, _) = result - ) - } -} - /** An argument specified in a url routing table */ -class HttpRequestParameter extends HttpRequestTaintSource { - HttpRequestParameter() { - exists(UrlRouting url | - this.(ControlFlowNode).getNode() = url - .getViewFunction() - .getScope() - .getArgByName(url.getNamedArgument()) +class DjangoRequestParameter extends HttpRequestTaintSource { + DjangoRequestParameter() { + exists(DjangoRoute route, Function f | + f = route.getViewFunction().getScope() | + this.(ControlFlowNode).getNode() = f.getArgByName(route.getNamedArgument()) + or + exists(int i | i >= 0 | + i < route.getNumPositionalArguments() and + // +1 because first argument is always the request + this.(ControlFlowNode).getNode() = f.getArg(i+1) + ) ) } diff --git a/python/ql/test/3/library-tests/web/django/Sinks.expected b/python/ql/test/3/library-tests/web/django/Sinks.expected deleted file mode 100644 index b4142a2d82a..00000000000 --- a/python/ql/test/3/library-tests/web/django/Sinks.expected +++ /dev/null @@ -1,6 +0,0 @@ -| models.py:9 | key | externally controlled string | -| rawsql.py:4 | BinaryExpr | externally controlled string | -| rawsql.py:13 | BinaryExpr | externally controlled string | -| rawsql.py:18 | BinaryExpr | externally controlled string | -| rawsql.py:22 | BinaryExpr | externally controlled string | -| views.py:8 | Attribute() | externally controlled string | diff --git a/python/ql/test/3/library-tests/web/django/Sinks.ql b/python/ql/test/3/library-tests/web/django/Sinks.ql deleted file mode 100644 index db9b6a89b93..00000000000 --- a/python/ql/test/3/library-tests/web/django/Sinks.ql +++ /dev/null @@ -1,13 +0,0 @@ - -import python - - -import semmle.python.web.django.Request -import semmle.python.web.django.Model -import semmle.python.web.django.Db -import semmle.python.web.django.Response -import semmle.python.security.strings.Untrusted - -from TaintSink sink, TaintKind kind -where sink.sinks(kind) -select sink.getLocation().toString(), sink.(ControlFlowNode).getNode().toString(), kind.toString() diff --git a/python/ql/test/3/library-tests/web/django/Sources.expected b/python/ql/test/3/library-tests/web/django/Sources.expected deleted file mode 100644 index 965142343dc..00000000000 --- a/python/ql/test/3/library-tests/web/django/Sources.expected +++ /dev/null @@ -1,8 +0,0 @@ -| models.py:9 | Attribute | django.db.models.Model.objects | -| rawsql.py:13 | Attribute | django.db.models.Model.objects | -| rawsql.py:16 | Attribute | django.db.models.Model.objects | -| rawsql.py:21 | Attribute | django.db.models.Model.objects | -| views.py:6 | request | django.request.HttpRequest | -| views.py:8 | HttpResponse() | django.response.HttpResponse | -| views.py:11 | path | externally controlled string | -| views.py:11 | request | django.request.HttpRequest | diff --git a/python/ql/test/3/library-tests/web/django/Sources.ql b/python/ql/test/3/library-tests/web/django/Sources.ql deleted file mode 100644 index 60d42cb2ac1..00000000000 --- a/python/ql/test/3/library-tests/web/django/Sources.ql +++ /dev/null @@ -1,12 +0,0 @@ - -import python - - -import semmle.python.web.django.Request -import semmle.python.web.django.Model -import semmle.python.web.django.Response -import semmle.python.security.strings.Untrusted - -from TaintSource src, TaintKind kind -where src.isSourceOf(kind) -select src.getLocation().toString(), src.(ControlFlowNode).getNode().toString(), kind.toString() diff --git a/python/ql/test/3/library-tests/web/django/Taint.expected b/python/ql/test/3/library-tests/web/django/Taint.expected deleted file mode 100644 index 3f40979c8a2..00000000000 --- a/python/ql/test/3/library-tests/web/django/Taint.expected +++ /dev/null @@ -1,24 +0,0 @@ -| models.py:9 | Attribute | django.db.models.Model.objects | -| rawsql.py:13 | Attribute | django.db.models.Model.objects | -| rawsql.py:13 | Attribute() | django.db.models.Model.objects | -| rawsql.py:16 | Attribute | django.db.models.Model.objects | -| rawsql.py:16 | Attribute() | django.db.models.Model.objects | -| rawsql.py:17 | Attribute() | django.db.models.Model.objects | -| rawsql.py:17 | m | django.db.models.Model.objects | -| rawsql.py:18 | Attribute() | django.db.models.Model.objects | -| rawsql.py:18 | m | django.db.models.Model.objects | -| rawsql.py:21 | Attribute | django.db.models.Model.objects | -| rawsql.py:21 | Attribute() | django.db.models.Model.objects | -| rawsql.py:22 | Attribute() | django.db.models.Model.objects | -| rawsql.py:22 | m | django.db.models.Model.objects | -| views.py:6 | request | django.request.HttpRequest | -| views.py:8 | Attribute | django.http.request.QueryDict | -| views.py:8 | Attribute() | externally controlled string | -| views.py:8 | HttpResponse() | django.response.HttpResponse | -| views.py:8 | request | django.request.HttpRequest | -| views.py:11 | path | externally controlled string | -| views.py:11 | request | django.request.HttpRequest | -| views.py:12 | Dict | {externally controlled string} | -| views.py:12 | path | externally controlled string | -| views.py:13 | env | {externally controlled string} | -| views.py:13 | request | django.request.HttpRequest | diff --git a/python/ql/test/3/library-tests/web/django/Taint.ql b/python/ql/test/3/library-tests/web/django/Taint.ql deleted file mode 100644 index b12a6560125..00000000000 --- a/python/ql/test/3/library-tests/web/django/Taint.ql +++ /dev/null @@ -1,14 +0,0 @@ - -import python - - -import semmle.python.web.django.Request -import semmle.python.web.django.Model -import semmle.python.web.django.Response -import semmle.python.security.strings.Untrusted - - -from TaintedNode node - -select node.getLocation().toString(), node.getAstNode().toString(), node.getTaintKind().toString() - diff --git a/python/ql/test/3/library-tests/web/django/django/__init__.py b/python/ql/test/3/library-tests/web/django/django/__init__.py deleted file mode 100644 index fc8d5b8c09b..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/__init__.py +++ /dev/null @@ -1 +0,0 @@ -#Fake django package \ No newline at end of file diff --git a/python/ql/test/3/library-tests/web/django/django/conf/__init__.py b/python/ql/test/3/library-tests/web/django/django/conf/__init__.py deleted file mode 100644 index fc8d5b8c09b..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/conf/__init__.py +++ /dev/null @@ -1 +0,0 @@ -#Fake django package \ No newline at end of file diff --git a/python/ql/test/3/library-tests/web/django/django/conf/urls.py b/python/ql/test/3/library-tests/web/django/django/conf/urls.py deleted file mode 100644 index 580cc063d99..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/conf/urls.py +++ /dev/null @@ -1,3 +0,0 @@ - -def url(regex, view): - pass \ No newline at end of file diff --git a/python/ql/test/3/library-tests/web/django/django/db/__init__.py b/python/ql/test/3/library-tests/web/django/django/db/__init__.py deleted file mode 100644 index fc8d5b8c09b..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/db/__init__.py +++ /dev/null @@ -1 +0,0 @@ -#Fake django package \ No newline at end of file diff --git a/python/ql/test/3/library-tests/web/django/django/db/models/__init__.py b/python/ql/test/3/library-tests/web/django/django/db/models/__init__.py deleted file mode 100644 index eb9c72adc45..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/db/models/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -class Model: - pass diff --git a/python/ql/test/3/library-tests/web/django/django/db/models/expressions.py b/python/ql/test/3/library-tests/web/django/django/db/models/expressions.py deleted file mode 100644 index d7e0d1c27b6..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/db/models/expressions.py +++ /dev/null @@ -1,2 +0,0 @@ -class RawSQL: - pass diff --git a/python/ql/test/3/library-tests/web/django/django/http/__init__.py b/python/ql/test/3/library-tests/web/django/django/http/__init__.py deleted file mode 100644 index e1a02f873cb..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/http/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ - -from .response import HttpResponse diff --git a/python/ql/test/3/library-tests/web/django/django/http/response.py b/python/ql/test/3/library-tests/web/django/django/http/response.py deleted file mode 100644 index f3dd53d15b0..00000000000 --- a/python/ql/test/3/library-tests/web/django/django/http/response.py +++ /dev/null @@ -1,5 +0,0 @@ - -class HttpResponse: - - def __init__(self, *args): - pass diff --git a/python/ql/test/3/library-tests/web/django/models.py b/python/ql/test/3/library-tests/web/django/models.py deleted file mode 100644 index 571c594d055..00000000000 --- a/python/ql/test/3/library-tests/web/django/models.py +++ /dev/null @@ -1,10 +0,0 @@ - -from django.db import models - -class MyModel(models.Model): - title = models.CharField(max_length=500) - summary = models.TextField(blank=True) - -def update_my_model(key, title): - item = MyModel.objects.get(pk=key) - item.title = title diff --git a/python/ql/test/3/library-tests/web/django/rawsql.py b/python/ql/test/3/library-tests/web/django/rawsql.py deleted file mode 100644 index c6c82909c2d..00000000000 --- a/python/ql/test/3/library-tests/web/django/rawsql.py +++ /dev/null @@ -1,23 +0,0 @@ -from django.db.models.expressions import RawSQL - -def raw1(arg): - return RawSQL("select foo from bar where baz = %s" % arg, "") - - -from django.db import models - -class MyModel(models.Model): - pass - -def raw2(arg): - MyModel.objects.raw("select foo from bar where baz = %s" % arg) - -def raw3(arg): - m = MyModel.objects.filter('foo') - m = m.filter('bar') - m.raw("select foo from bar where baz = %s" % arg) - -def raw4(arg): - m = MyModel.objects.filter('foo') - m.extra("select foo from bar where baz = %s" % arg) - diff --git a/python/ql/test/3/library-tests/web/django/urls.py b/python/ql/test/3/library-tests/web/django/urls.py deleted file mode 100644 index d5a941ae519..00000000000 --- a/python/ql/test/3/library-tests/web/django/urls.py +++ /dev/null @@ -1,9 +0,0 @@ -from django.conf.urls import url -import views - -urlpatterns = [ - - url(r'^route1$', views.view_func1), - url(r'^(?P.*)$', views.view_func2), - url(r'^route2$', views.ClassView.as_view()) -] diff --git a/python/ql/test/3/library-tests/web/django/views.py b/python/ql/test/3/library-tests/web/django/views.py deleted file mode 100644 index f7de60a23f6..00000000000 --- a/python/ql/test/3/library-tests/web/django/views.py +++ /dev/null @@ -1,19 +0,0 @@ - -from django.http import HttpResponse -from django.shortcuts import redirect, render -from django.views.generic import View - -def view_func1(request): - # Whether this is safe depends on template.html -- annoyingly - return HttpResponse(request.GET.get("untrusted")) - - -def view_func2(request, path='default'): - env = {'path': path} - return render(request, 'vulnerable-path.html', env) - - -class ClassView(View): - - def get(self, request): - pass diff --git a/python/ql/test/3/library-tests/web/options b/python/ql/test/3/library-tests/web/options deleted file mode 100644 index f2d60a4bc3c..00000000000 --- a/python/ql/test/3/library-tests/web/options +++ /dev/null @@ -1 +0,0 @@ -semmle-extractor-options: --max-import-depth=3 --lang=3 diff --git a/python/ql/test/library-tests/web/django/Sinks.expected b/python/ql/test/library-tests/web/django/Sinks.expected index 82d1b71e53a..e3d233c9990 100644 --- a/python/ql/test/library-tests/web/django/Sinks.expected +++ b/python/ql/test/library-tests/web/django/Sinks.expected @@ -1,6 +1,16 @@ -| test.py:18 | Str | externally controlled string | -| test.py:21 | BinaryExpr | externally controlled string | -| test.py:24 | BinaryExpr | externally controlled string | -| test.py:25 | BinaryExpr | externally controlled string | -| test.py:26 | BinaryExpr | externally controlled string | -| test.py:34 | BinaryExpr | externally controlled string | +| sql.py:13 | Str | externally controlled string | +| sql.py:14 | Str | externally controlled string | +| sql.py:17 | BinaryExpr | externally controlled string | +| sql.py:20 | BinaryExpr | externally controlled string | +| sql.py:21 | BinaryExpr | externally controlled string | +| sql.py:22 | BinaryExpr | externally controlled string | +| sql.py:36 | Str | externally controlled string | +| sql.py:42 | BinaryExpr | externally controlled string | +| sql.py:47 | BinaryExpr | externally controlled string | +| views.py:7 | Attribute() | externally controlled string | +| views.py:11 | Attribute() | externally controlled string | +| views.py:15 | Attribute() | externally controlled string | +| views.py:23 | Attribute() | externally controlled string | +| views.py:29 | Attribute() | externally controlled string | +| views.py:34 | Attribute() | externally controlled string | +| views.py:38 | Attribute() | externally controlled string | diff --git a/python/ql/test/library-tests/web/django/Sources.expected b/python/ql/test/library-tests/web/django/Sources.expected index 8f421a2d169..35e0d3d8ced 100644 --- a/python/ql/test/library-tests/web/django/Sources.expected +++ b/python/ql/test/library-tests/web/django/Sources.expected @@ -1,2 +1,19 @@ +| test.py:5 | path | externally controlled string | +| test.py:5 | request | django.request.HttpRequest | +| test.py:11 | path | externally controlled string | | test.py:11 | request | django.request.HttpRequest | -| test.py:31 | request | django.request.HttpRequest | +| views.py:6 | bar | externally controlled string | +| views.py:6 | foo | externally controlled string | +| views.py:6 | request | django.request.HttpRequest | +| views.py:10 | request | django.request.HttpRequest | +| views.py:14 | request | django.request.HttpRequest | +| views.py:22 | request | django.request.HttpRequest | +| views.py:28 | request | django.request.HttpRequest | +| views.py:32 | page_number | externally controlled string | +| views.py:32 | request | django.request.HttpRequest | +| views.py:37 | arg0 | externally controlled string | +| views.py:37 | arg1 | externally controlled string | +| views.py:37 | request | django.request.HttpRequest | +| views.py:57 | request | django.request.HttpRequest | +| views.py:57 | username | externally controlled string | +| views.py:66 | request | django.request.HttpRequest | diff --git a/python/ql/test/library-tests/web/django/sql.py b/python/ql/test/library-tests/web/django/sql.py new file mode 100644 index 00000000000..7809c24edc1 --- /dev/null +++ b/python/ql/test/library-tests/web/django/sql.py @@ -0,0 +1,53 @@ +from django.db import connection, models +from django.db.models.expressions import RawSQL + + +class User(models.Model): + username = models.CharField(max_length=100) + description = models.TextField(blank=True) + + +def show_user(username): + with connection.cursor() as cursor: + # GOOD -- Using parameters + cursor.execute("SELECT * FROM users WHERE username = %s", username) + User.objects.raw("SELECT * FROM users WHERE username = %s", (username,)) + + # BAD -- Using string formatting + cursor.execute("SELECT * FROM users WHERE username = '%s'" % username) + + # BAD -- other ways of executing raw SQL code with string interpolation + User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username)) + User.objects.raw("insert into names_file ('name') values ('%s')" % username) + User.objects.extra("insert into names_file ('name') values ('%s')" % username) + + # BAD (but currently no custom query to find this) + # + # It is exposed to SQL injection (https://docs.djangoproject.com/en/2.2/ref/models/querysets/#extra) + # For example, using name = "; DROP ALL TABLES -- " + # will result in SQL: SELECT * FROM name WHERE name = ''; DROP ALL TABLES -- '' + # + # This shouldn't be very widespread, since using a normal string will result in invalid SQL + # Using name = "example", will result in SQL: SELECT * FROM name WHERE name = ''example'' + # which in MySQL will give a syntax error + # + # When testing this out locally, none of the queries worked against SQLite3, but I could use + # the SQL injection against MySQL. + User.objects.raw("SELECT * FROM users WHERE username = '%s'", (username,)) + + +def raw3(arg): + m = User.objects.filter('foo') + m = m.filter('bar') + m.raw("select foo from bar where baz = %s" % arg) + + +def raw4(arg): + m = User.objects.filter('foo') + m.extra("select foo from bar where baz = %s" % arg) + + +def update_user(key, description1): + # Neither of these are exposed to sql-injections + user = User.objects.get(pk=key) + item.description = description diff --git a/python/ql/test/library-tests/web/django/test.py b/python/ql/test/library-tests/web/django/test.py index e6c39c30a32..5664647c3a7 100644 --- a/python/ql/test/library-tests/web/django/test.py +++ b/python/ql/test/library-tests/web/django/test.py @@ -1,40 +1,18 @@ +from django.conf.urls import url +from django.shortcuts import redirect, render -from django.conf.urls import patterns, url -from django.db import connection, models -from django.db.models.expressions import RawSQL -from django.http.response import HttpResponse -import base64 -class Name(models.Model): - pass +def with_template(request, path='default'): + env = {'path': path} + # We would need to understand django templates to know if this is safe or not + return render(request, 'possibly-vulnerable-template.html', env) -def save_name(request): - if request.method == 'POST': - name = request.POST.get('name') - curs = connection.cursor() - #GOOD -- Using parameters - curs.execute( - "insert into names_file ('name') values ('%s')", name) - #BAD -- Using string formatting - curs.execute( - "insert into names_file ('name') values ('%s')" % name) +def vuln_redirect(request, path): + return redirect(path) - #BAD -- other ways of executing raw SQL code with string interpolation - Name.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % name)) - Name.objects.raw("insert into names_file ('name') values ('%s')" % name) - Name.objects.extra("insert into names_file ('name') values ('%s')" % name) -urlpatterns1 = patterns(url(r'^save_name/$', - save_name, name='save_name')) - -def maybe_xss(request): - first_name = request.POST.get('first_name', '') - resp = HttpResponse() - resp.write("first name is " + first_name) - return resp - -urlpatterns2 = [ - # Route to code_execution - url(r'^maybe_xss$', maybe_xss, name='maybe_xss') +urlpatterns = [ + url(r'^(?P.*)$', with_template), + url(r'^redirect/(?P.*)$', vuln_redirect), ] diff --git a/python/ql/test/library-tests/web/django/views.py b/python/ql/test/library-tests/web/django/views.py new file mode 100644 index 00000000000..57d1ea5460c --- /dev/null +++ b/python/ql/test/library-tests/web/django/views.py @@ -0,0 +1,72 @@ +from django.conf.urls import patterns, url +from django.http.response import HttpResponse +from django.views.generic import View + + +def url_match_xss(request, foo, bar, no_taint=None): + return HttpResponse('url_match_xss: {} {}'.format(foo, bar)) + + +def get_params_xss(request): + return HttpResponse(request.GET.get("untrusted")) + + +def post_params_xss(request): + return HttpResponse(request.POST.get("untrusted")) + + +class Foo(object): + # Note: since Foo is used as the super type in a class view, it will be able to handle requests. + + # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter + def post(self, request, untrusted): + return HttpResponse('Foo post: {}'.format(untrusted)) + + +class ClassView(View, Foo): + # TODO: Currently we don't flag `untrusted` as a DjangoRequestParameter + def get(self, request, untrusted): + return HttpResponse('ClassView get: {}'.format(untrusted)) + + +def show_articles(request, page_number=1): + page_number = int(page_number) + return HttpResponse('articles page: {}'.format(page_number)) + + +def xxs_positional_arg(request, arg0, arg1, no_taint=None): + return HttpResponse('xxs_positional_arg: {} {}'.format(arg0, arg1)) + + +urlpatterns = [ + url(r'^url_match/(?P[^/]+)/(?P[^/]+)$', url_match_xss), + url(r'^get_params$', get_params_xss), + url(r'^post_params$', post_params_xss), + url(r'^class_view/(?P.+)$', ClassView.as_view()), + + # one pattern to support `articles/page-` and ensuring that articles/ goes to page-1 + url(r'articles/^(?:page-(?P\d+)/)?$', show_articles), + # passing as positional argument is not the recommended way of doing things, but it is certainly + # possible + url(r'^([^/]+)/(?:foo|bar)/([^/]+)$', xxs_positional_arg, name='xxs_positional_arg'), +] + + +# Using patterns() for routing + +def show_user(request, username): + pass + + +urlpatterns = patterns(url(r'^users/(?P[^/]+)$', show_user)) + + +# Show we understand the keyword arguments to django.conf.urls.url + +def we_understand_url_kwargs(request): + pass + + +urlpatterns = [ + url(view=we_understand_url_kwargs, regex=r'^specifying-as-kwargs-is-not-a-problem$') +] diff --git a/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected b/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected index a5049d58046..0735be5137c 100644 --- a/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected +++ b/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected @@ -1,2 +1,2 @@ -| protocols.py:66:5:66:33 | Function __getitem__ | Function always raises $@; raise LookupError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | -| protocols.py:69:5:69:26 | Function __getattr__ | Function always raises $@; raise AttributeError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | +| protocols.py:98:5:98:33 | Function __getitem__ | Function always raises $@; raise LookupError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | +| protocols.py:101:5:101:26 | Function __getattr__ | Function always raises $@; raise AttributeError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | diff --git a/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.expected b/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.expected index 0fbb62b7aa8..2393f18674a 100644 --- a/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.expected +++ b/python/ql/test/query-tests/Functions/general/IterReturnsNonIterator.expected @@ -1 +1,4 @@ -| protocols.py:16:5:16:23 | Function __iter__ | The '__iter__' method of iterable class $@ does not return an iterator. | protocols.py:14:1:14:16 | class X | X | +| file://:Compiled Code:0:0:0:0 | builtin-class object | Class object is returned as an iterator (by $@) but does not fully implement the iterator interface. | protocols.py:16:5:16:23 | Function __iter__ | __iter__ | +| protocols.py:20:1:20:26 | class IteratorMissingNext | Class IteratorMissingNext is returned as an iterator (by $@) but does not fully implement the iterator interface. | protocols.py:22:5:22:23 | Function __iter__ | __iter__ | +| protocols.py:20:1:20:26 | class IteratorMissingNext | Class IteratorMissingNext is returned as an iterator (by $@) but does not fully implement the iterator interface. | protocols.py:27:5:27:23 | Function __iter__ | __iter__ | +| protocols.py:30:1:30:26 | class IteratorMissingIter | Class IteratorMissingIter is returned as an iterator (by $@) but does not fully implement the iterator interface. | protocols.py:40:5:40:23 | Function __iter__ | __iter__ | diff --git a/python/ql/test/query-tests/Functions/general/IterReturnsNonSelf.expected b/python/ql/test/query-tests/Functions/general/IterReturnsNonSelf.expected index 88c2e672db8..9fd22c1df61 100644 --- a/python/ql/test/query-tests/Functions/general/IterReturnsNonSelf.expected +++ b/python/ql/test/query-tests/Functions/general/IterReturnsNonSelf.expected @@ -1 +1 @@ -| protocols.py:22:1:22:29 | class AlmostIterator | Class AlmostIterator is an iterator but its $@ method does not return 'self'. | protocols.py:30:5:30:23 | Function __iter__ | __iter__ | +| protocols.py:54:1:54:29 | class AlmostIterator | Class AlmostIterator is an iterator but its $@ method does not return 'self'. | protocols.py:62:5:62:23 | Function __iter__ | __iter__ | diff --git a/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.expected b/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.expected index 9eb184f57ba..84c08d89426 100644 --- a/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.expected +++ b/python/ql/test/query-tests/Functions/general/OverlyComplexDelMethod.expected @@ -1 +1 @@ -| protocols.py:42:5:42:22 | Function __del__ | Overly complex '__del__' method. | +| protocols.py:74:5:74:22 | Function __del__ | Overly complex '__del__' method. | diff --git a/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.expected b/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.expected index d26ae70958e..bda8b8e6472 100644 --- a/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.expected +++ b/python/ql/test/query-tests/Functions/general/SignatureSpecialMethods.expected @@ -5,5 +5,5 @@ | om_test.py:71:5:71:19 | Function __repr__ | Too few parameters for special method __repr__, which has no parameters, but should have 1, in class $@. | om_test.py:57:1:57:28 | class WrongSpecials | WrongSpecials | | om_test.py:74:5:74:46 | Function __add__ | 1 default values(s) will never be used for special method __add__, in class $@. | om_test.py:57:1:57:28 | class WrongSpecials | WrongSpecials | | om_test.py:97:15:97:34 | Function lambda | Too few parameters for special method __sub__, which has 1 parameter, but should have 2, in class $@. | om_test.py:95:1:95:28 | class NotOKSpecials | NotOKSpecials | -| protocols.py:72:1:72:12 | Function f | Too few parameters for special method __add__, which has 1 parameter, but should have 2, in class $@. | protocols.py:75:1:75:29 | class MissingMethods | MissingMethods | -| protocols.py:72:1:72:12 | Function f | Too few parameters for special method __set__, which has 1 parameter, but should have 3, in class $@. | protocols.py:75:1:75:29 | class MissingMethods | MissingMethods | +| protocols.py:104:1:104:12 | Function f | Too few parameters for special method __add__, which has 1 parameter, but should have 2, in class $@. | protocols.py:107:1:107:29 | class MissingMethods | MissingMethods | +| protocols.py:104:1:104:12 | Function f | Too few parameters for special method __set__, which has 1 parameter, but should have 3, in class $@. | protocols.py:107:1:107:29 | class MissingMethods | MissingMethods | diff --git a/python/ql/test/query-tests/Functions/general/protocols.py b/python/ql/test/query-tests/Functions/general/protocols.py index 739dda00e45..33ed3d7bcd3 100644 --- a/python/ql/test/query-tests/Functions/general/protocols.py +++ b/python/ql/test/query-tests/Functions/general/protocols.py @@ -17,6 +17,38 @@ class X(object): return object() +class IteratorMissingNext: + + def __iter__(self): + return self + +class IterableMissingNext: + + def __iter__(self): + return IteratorMissingNext() + +class IteratorMissingIter: + + def next(self): + pass + + def __next__(self): + pass + +class IterableMissingIter: + + def __iter__(self): + return IteratorMissingIter() + +class IterableWithGenerator: + # returning a generator from __iter__ in an iterable is ok + + def __iter__(self): + i = 0 + while True: + yield i + i += 1 + #Iterator not returning self class AlmostIterator(object): @@ -57,34 +89,30 @@ class MiniDel(object): def __del__(self): self.close() - + class IncorrectSpecialMethods(object): - + def __add__(self, other): raise NotImplementedError() - + def __getitem__(self, index): raise ZeroDivisionError() - + def __getattr__(self): raise ZeroDivisionError() - + def f(self): pass - + class MissingMethods(object): - + __repr__ = f # This should be OK __add__ = f # But not this __set__ = f # or this - + #OK Special method class OK(object): - + def __call__(self): yield 0 raise StopIteration - - - - diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.expected b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref new file mode 100644 index 00000000000..814bba9fad6 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/CyclicImport.qlref @@ -0,0 +1 @@ +Imports/CyclicImport.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.expected b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref new file mode 100644 index 00000000000..5119f8fdaae --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/ModuleLevelCyclicImport.qlref @@ -0,0 +1 @@ +Imports/ModuleLevelCyclicImport.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/bar/__init__.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/bar/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/bar/foo.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/bar/foo.py new file mode 100644 index 00000000000..702712c61be --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/bar/foo.py @@ -0,0 +1,2 @@ +from package import p +foo = 5 diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/options b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/options new file mode 100644 index 00000000000..3819071b01c --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/options @@ -0,0 +1 @@ +semmle-extractor-options: -R . diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/package/__init__.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/package/__init__.py new file mode 100644 index 00000000000..ccbe206d503 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/package/__init__.py @@ -0,0 +1,3 @@ +from bar.foo import foo +from package import baz +p = 1 diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/package/baz.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/package/baz.py new file mode 100644 index 00000000000..fe687984078 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/package/baz.py @@ -0,0 +1,2 @@ +from package import p +from bar.foo import foo diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/test.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/test.py new file mode 100644 index 00000000000..7479d4678c2 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/false-negative/test.py @@ -0,0 +1 @@ +from package import p diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.expected b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref new file mode 100644 index 00000000000..814bba9fad6 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/CyclicImport.qlref @@ -0,0 +1 @@ +Imports/CyclicImport.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.expected b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.expected new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref new file mode 100644 index 00000000000..5119f8fdaae --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/ModuleLevelCyclicImport.qlref @@ -0,0 +1 @@ +Imports/ModuleLevelCyclicImport.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/bar/__init__.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/bar/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/bar/foo.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/bar/foo.py new file mode 100644 index 00000000000..702712c61be --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/bar/foo.py @@ -0,0 +1,2 @@ +from package import p +foo = 5 diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/options b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/options new file mode 100644 index 00000000000..3819071b01c --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/options @@ -0,0 +1 @@ +semmle-extractor-options: -R . diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/package/__init__.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/package/__init__.py new file mode 100644 index 00000000000..b3586a190cf --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/package/__init__.py @@ -0,0 +1,3 @@ +p = 1 +from bar.foo import foo +from package import baz diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/package/baz.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/package/baz.py new file mode 100644 index 00000000000..fe687984078 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/package/baz.py @@ -0,0 +1,2 @@ +from package import p +from bar.foo import foo diff --git a/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/test.py b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/test.py new file mode 100644 index 00000000000..7479d4678c2 --- /dev/null +++ b/python/ql/test/query-tests/Imports/cyclic-module-package-fp/true-negative/test.py @@ -0,0 +1 @@ +from package import p diff --git a/python/ql/test/query-tests/Imports/unused/imports_test.py b/python/ql/test/query-tests/Imports/unused/imports_test.py index a1b457f0422..cf2024ac183 100644 --- a/python/ql/test/query-tests/Imports/unused/imports_test.py +++ b/python/ql/test/query-tests/Imports/unused/imports_test.py @@ -76,3 +76,17 @@ import typing foo = None # type: typing.Optional[int] + +# OK since the import statement is never executed +if False: + import never_imported + +# OK since the imported module is used in a forward-referenced type annotation. +import only_used_in_parameter_annotation + +def func(x: 'Optional[only_used_in_parameter_annotation]'): + pass + +import only_used_in_annotated_assignment + +var : 'Optional[only_used_in_annotated_assignment]' = 5 diff --git a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected index 9c00ffdb2db..461d42fccf1 100644 --- a/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected +++ b/python/ql/test/query-tests/Security/CWE-089/SqlInjection.expected @@ -1,17 +1,14 @@ edges -| sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:12:16:12:22 | django.request.HttpRequest | -| sql_injection.py:12:16:12:22 | django.request.HttpRequest | sql_injection.py:12:16:12:27 | django.http.request.QueryDict | -| sql_injection.py:12:16:12:27 | django.http.request.QueryDict | sql_injection.py:12:16:12:39 | externally controlled string | -| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:19:63:19:66 | externally controlled string | -| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:22:88:22:91 | externally controlled string | -| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:23:76:23:79 | externally controlled string | -| sql_injection.py:12:16:12:39 | externally controlled string | sql_injection.py:24:78:24:81 | externally controlled string | -| sql_injection.py:19:63:19:66 | externally controlled string | sql_injection.py:19:13:19:66 | externally controlled string | -| sql_injection.py:22:88:22:91 | externally controlled string | sql_injection.py:22:38:22:91 | externally controlled string | -| sql_injection.py:23:76:23:79 | externally controlled string | sql_injection.py:23:26:23:79 | externally controlled string | -| sql_injection.py:24:78:24:81 | externally controlled string | sql_injection.py:24:28:24:81 | externally controlled string | +| sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:19:70:19:77 | externally controlled string | +| sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:22:88:22:95 | externally controlled string | +| sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:23:76:23:83 | externally controlled string | +| sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:24:78:24:85 | externally controlled string | +| sql_injection.py:19:70:19:77 | externally controlled string | sql_injection.py:19:24:19:77 | externally controlled string | +| sql_injection.py:22:88:22:95 | externally controlled string | sql_injection.py:22:38:22:95 | externally controlled string | +| sql_injection.py:23:76:23:83 | externally controlled string | sql_injection.py:23:26:23:83 | externally controlled string | +| sql_injection.py:24:78:24:85 | externally controlled string | sql_injection.py:24:28:24:85 | externally controlled string | #select -| sql_injection.py:19:13:19:66 | BinaryExpr | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:19:13:19:66 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | request | a user-provided value | -| sql_injection.py:22:38:22:91 | BinaryExpr | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:22:38:22:91 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | request | a user-provided value | -| sql_injection.py:23:26:23:79 | BinaryExpr | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:23:26:23:79 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | request | a user-provided value | -| sql_injection.py:24:28:24:81 | BinaryExpr | sql_injection.py:9:15:9:21 | django.request.HttpRequest | sql_injection.py:24:28:24:81 | externally controlled string | This SQL query depends on $@. | sql_injection.py:9:15:9:21 | request | a user-provided value | +| sql_injection.py:19:24:19:77 | BinaryExpr | sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:19:24:19:77 | externally controlled string | This SQL query depends on $@. | sql_injection.py:12:24:12:31 | username | a user-provided value | +| sql_injection.py:22:38:22:95 | BinaryExpr | sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:22:38:22:95 | externally controlled string | This SQL query depends on $@. | sql_injection.py:12:24:12:31 | username | a user-provided value | +| sql_injection.py:23:26:23:83 | BinaryExpr | sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:23:26:23:83 | externally controlled string | This SQL query depends on $@. | sql_injection.py:12:24:12:31 | username | a user-provided value | +| sql_injection.py:24:28:24:85 | BinaryExpr | sql_injection.py:12:24:12:31 | externally controlled string | sql_injection.py:24:28:24:85 | externally controlled string | This SQL query depends on $@. | sql_injection.py:12:24:12:31 | username | a user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-089/sql_injection.py b/python/ql/test/query-tests/Security/CWE-089/sql_injection.py index b312241b809..9ccca7503bd 100644 --- a/python/ql/test/query-tests/Security/CWE-089/sql_injection.py +++ b/python/ql/test/query-tests/Security/CWE-089/sql_injection.py @@ -1,28 +1,40 @@ +"""This is copied from ql/python/ql/test/library-tests/web/django/test.py +and a only a slight extension of ql/python/ql/src/Security/CWE-089/examples/sql_injection.py +""" -from django.conf.urls import patterns, url +from django.conf.urls import url from django.db import connection, models from django.db.models.expressions import RawSQL -class Name(models.Model): +class User(models.Model): pass -def save_name(request): +def show_user(request, username): + with connection.cursor() as cursor: + # GOOD -- Using parameters + cursor.execute("SELECT * FROM users WHERE username = %s", username) + User.objects.raw("SELECT * FROM users WHERE username = %s", (username,)) - if request.method == 'POST': - name = request.POST.get('name') - curs = connection.cursor() - #GOOD -- Using parameters - curs.execute( - "insert into names_file ('name') values ('%s')", name) - #BAD -- Using string formatting - curs.execute( - "insert into names_file ('name') values ('%s')" % name) + # BAD -- Using string formatting + cursor.execute("SELECT * FROM users WHERE username = '%s'" % username) - #BAD -- other ways of executing raw SQL code with string interpolation - Name.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % name)) - Name.objects.raw("insert into names_file ('name') values ('%s')" % name) - Name.objects.extra("insert into names_file ('name') values ('%s')" % name) + # BAD -- other ways of executing raw SQL code with string interpolation + User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username)) + User.objects.raw("insert into names_file ('name') values ('%s')" % username) + User.objects.extra("insert into names_file ('name') values ('%s')" % username) -urlpatterns = patterns(url(r'^save_name/$', - save_name, name='save_name')) + # BAD (but currently no custom query to find this) + # + # It is exposed to SQL injection (https://docs.djangoproject.com/en/2.2/ref/models/querysets/#extra) + # For example, using name = "; DROP ALL TABLES -- " + # will result in SQL: SELECT * FROM name WHERE name = ''; DROP ALL TABLES -- '' + # + # This shouldn't be very widespread, since using a normal string will result in invalid SQL + # Using name = "example", will result in SQL: SELECT * FROM name WHERE name = ''example'' + # which in MySQL will give a syntax error + # + # When testing this out locally, none of the queries worked against SQLite3, but I could use + # the SQL injection against MySQL. + User.objects.raw("SELECT * FROM users WHERE username = '%s'", (username,)) +urlpatterns = [url(r'^users/(?P[^/]+)$', show_user)] diff --git a/python/ql/test/query-tests/Security/lib/django/conf/urls.py b/python/ql/test/query-tests/Security/lib/django/conf/urls.py index cf65525e893..6c1a83baf0b 100644 --- a/python/ql/test/query-tests/Security/lib/django/conf/urls.py +++ b/python/ql/test/query-tests/Security/lib/django/conf/urls.py @@ -1,7 +1,6 @@ - -def url(pattern, *args): +# https://docs.djangoproject.com/en/1.11/_modules/django/conf/urls/#url +def url(regex, view, kwargs=None, name=None): pass def patterns(*urls): pass - diff --git a/python/ql/test/query-tests/Security/lib/django/views/__init__.py b/python/ql/test/query-tests/Security/lib/django/views/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/python/ql/test/query-tests/Security/lib/django/views/generic.py b/python/ql/test/query-tests/Security/lib/django/views/generic.py new file mode 100644 index 00000000000..d924b03d062 --- /dev/null +++ b/python/ql/test/query-tests/Security/lib/django/views/generic.py @@ -0,0 +1,2 @@ +class View: + pass diff --git a/python/ql/test/query-tests/Statements/unreachable/test.py b/python/ql/test/query-tests/Statements/unreachable/test.py index b1b69942de9..493dcc24dd1 100755 --- a/python/ql/test/query-tests/Statements/unreachable/test.py +++ b/python/ql/test/query-tests/Statements/unreachable/test.py @@ -120,3 +120,20 @@ def foo(x): print(x, "== 0") +# Unreachable catch-all case + +def unreachable_catch_all_assert_false(x): + if x < 0: + return "negative" + elif x >= 0: + return "positive" + else: + assert False, x + +def unreachable_catch_all_raise(x): + if x < 0: + pass + elif x >= 0: + pass + else: + raise ValueError(x) diff --git a/python/upgrades/qlpack.yml b/python/upgrades/qlpack.yml new file mode 100644 index 00000000000..9939911eb99 --- /dev/null +++ b/python/upgrades/qlpack.yml @@ -0,0 +1,2 @@ +name: codeql-python-upgrades +upgrades: .