Merge branch 'main' into identity-consistency-check

2026-04-29 02:35:15 +02:00 · 2023-05-03 22:01:06 +01:00
parent e650df810d e42bf2efd8
commit 77001a070b
555 changed files with 21638 additions and 9738 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 0.6.1
+
+### Deprecated APIs
+
+* The `sensitiveResultReceiver` predicate in `SensitiveResultReceiverQuery.qll` has been deprecated and replaced with `isSensitiveResultReceiver` in order to use the new dataflow API.
+
+### Minor Analysis Improvements
+
+* Changed some models of Spring's `FileCopyUtils.copy` to be path injection sinks instead of summaries.
+* Added models for the following packages:
+  * java.nio.file
+* Added models for [Apache HttpComponents](https://hc.apache.org/) versions 4 and 5.
+* Added sanitizers that recognize line breaks to the query `java/log-injection`.
+* Added new flow steps for `java.util.StringJoiner`.
+
 ## 0.6.0

 ### Deprecated APIs
--- a/java/ql/lib/change-notes/2022-09-22-stringjoiner-summaries.md
+++ b/java/ql/lib/change-notes/2022-09-22-stringjoiner-summaries.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added new flow steps for `java.util.StringJoiner`.
--- a/java/ql/lib/change-notes/2022-10-06-log-injection-sanitizers.md
+++ b/java/ql/lib/change-notes/2022-10-06-log-injection-sanitizers.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added sanitizers that recognize line breaks to the query `java/log-injection`.
--- a/java/ql/lib/change-notes/2023-04-05-deprecated-sensitive-result-receiver-predicate.md
+++ b/java/ql/lib/change-notes/2023-04-05-deprecated-sensitive-result-receiver-predicate.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The `sensitiveResultReceiver` predicate in `SensitiveResultReceiverQuery.qll` has been deprecated and replaced with `isSensitiveResultReceiver` in order to use the new dataflow API.
--- a/java/ql/lib/change-notes/2023-04-06-add-apache-models.md
+++ b/java/ql/lib/change-notes/2023-04-06-add-apache-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added models for [Apache HttpComponents](https://hc.apache.org/) versions 4 and 5.
--- a/java/ql/lib/change-notes/2023-04-12-new-models-io.md
+++ b/java/ql/lib/change-notes/2023-04-12-new-models-io.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
-* Added models for the following packages:
-  * java.nio.file
--- a/java/ql/lib/change-notes/2023-04-24-spring-filecopyutils-sinks.md
+++ b/java/ql/lib/change-notes/2023-04-24-spring-filecopyutils-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Changed some models of Spring's `FileCopyUtils.copy` to be path injection sinks instead of summaries.
--- a/java/ql/lib/change-notes/released/0.6.1.md
+++ b/java/ql/lib/change-notes/released/0.6.1.md
@@ -0,0 +1,14 @@
+## 0.6.1
+
+### Deprecated APIs
+
+* The `sensitiveResultReceiver` predicate in `SensitiveResultReceiverQuery.qll` has been deprecated and replaced with `isSensitiveResultReceiver` in order to use the new dataflow API.
+
+### Minor Analysis Improvements
+
+* Changed some models of Spring's `FileCopyUtils.copy` to be path injection sinks instead of summaries.
+* Added models for the following packages:
+  * java.nio.file
+* Added models for [Apache HttpComponents](https://hc.apache.org/) versions 4 and 5.
+* Added sanitizers that recognize line breaks to the query `java/log-injection`.
+* Added new flow steps for `java.util.StringJoiner`.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.0
+lastReleaseVersion: 0.6.1
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.6.1-dev
+version: 0.6.2-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/lib/semmle/code/java/Member.qll
+++ b/java/ql/lib/semmle/code/java/Member.qll
@@ -379,6 +379,19 @@ class SrcCallable extends Callable {
      this.isProtected() and not tsub.isFinal()
    )
  }
+
+  /**
+   * Holds if this callable is implicitly public in the sense that it can be the
+   * target of virtual dispatch by a call from outside the codebase.
+   */
+  predicate isImplicitlyPublic() {
+    this.isEffectivelyPublic()
+    or
+    exists(SrcMethod m |
+      m.(SrcCallable).isEffectivelyPublic() and
+      m.getAPossibleImplementationOfSrcMethod() = this
+    )
+  }
 }

 /** Gets the erasure of `t1` if it is a raw type, or `t1` itself otherwise. */
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -815,24 +815,20 @@ private module Cached {
    )
  }

-  private predicate store(
-    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
-  ) {
-    exists(ContentSet cs |
-      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
-    )
-  }
-
  /**
   * Holds if data can flow from `node1` to `node2` via a direct assignment to
-   * `f`.
+   * `c`.
   *
   * This includes reverse steps through reads when the result of the read has
   * been stored into, in order to handle cases like `x.f1.f2 = y`.
   */
  cached
-  predicate store(Node node1, TypedContent tc, Node node2, DataFlowType contentType) {
-    store(node1, tc.getContent(), node2, contentType, tc.getContainerType())
+  predicate store(
+    Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
+    )
  }

  /**
@@ -932,36 +928,15 @@ private module Cached {
    TReturnCtxNoFlowThrough() or
    TReturnCtxMaybeFlowThrough(ReturnPosition pos)

-  cached
-  newtype TTypedContentApprox =
-    MkTypedContentApprox(ContentApprox c, DataFlowType t) {
-      exists(Content cont |
-        c = getContentApprox(cont) and
-        store(_, cont, _, _, t)
-      )
-    }
-
-  cached
-  newtype TTypedContent = MkTypedContent(Content c, DataFlowType t) { store(_, c, _, _, t) }
-
-  cached
-  TypedContent getATypedContent(TypedContentApprox c) {
-    exists(ContentApprox cls, DataFlowType t, Content cont |
-      c = MkTypedContentApprox(cls, pragma[only_bind_into](t)) and
-      result = MkTypedContent(cont, pragma[only_bind_into](t)) and
-      cls = getContentApprox(cont)
-    )
-  }
-
  cached
  newtype TAccessPathFront =
-    TFrontNil(DataFlowType t) or
-    TFrontHead(TypedContent tc)
+    TFrontNil() or
+    TFrontHead(Content c)

  cached
  newtype TApproxAccessPathFront =
-    TApproxFrontNil(DataFlowType t) or
-    TApproxFrontHead(TypedContentApprox tc)
+    TApproxFrontNil() or
+    TApproxFrontHead(ContentApprox c)

  cached
  newtype TAccessPathFrontOption =
@@ -986,8 +961,16 @@ predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
 /**
 * A `Node` at which a cast can occur such that the type should be checked.
 */
-class CastingNode extends Node {
+class CastingNode instanceof Node {
  CastingNode() { castingNode(this) }
+
+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }

 private predicate readStepWithTypes(
@@ -1135,9 +1118,17 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
 * The value of a parameter at function entry, viewed as a node in a data
 * flow graph.
 */
-class ParamNode extends Node {
+class ParamNode instanceof Node {
  ParamNode() { parameterNode(this, _, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /**
   * Holds if this node is the parameter of callable `c` at the specified
   * position.
@@ -1146,9 +1137,17 @@ class ParamNode extends Node {
 }

 /** A data-flow node that represents a call argument. */
-class ArgNode extends Node {
+class ArgNode instanceof Node {
  ArgNode() { argumentNode(this, _, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /** Holds if this argument occurs at the given position in the given call. */
  final predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
    argumentNode(this, call, pos)
@@ -1159,9 +1158,17 @@ class ArgNode extends Node {
 * A node from which flow can return to the caller. This is either a regular
 * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
 */
-class ReturnNodeExt extends Node {
+class ReturnNodeExt instanceof Node {
  ReturnNodeExt() { returnNodeExt(this, _) }

+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
  /** Gets the kind of this returned value. */
  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
@@ -1170,8 +1177,16 @@ class ReturnNodeExt extends Node {
 * A node to which data can flow from a call. Either an ordinary out node
 * or a post-update node associated with a call argument.
 */
-class OutNodeExt extends Node {
+class OutNodeExt instanceof Node {
  OutNodeExt() { outNodeExt(this) }
+
+  string toString() { result = super.toString() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }

 /**
@@ -1387,67 +1402,37 @@ class ReturnCtx extends TReturnCtx {
  }
 }

-/** An approximated `Content` tagged with the type of a containing object. */
-class TypedContentApprox extends MkTypedContentApprox {
-  private ContentApprox c;
-  private DataFlowType t;
-
-  TypedContentApprox() { this = MkTypedContentApprox(c, t) }
-
-  /** Gets a typed content approximated by this value. */
-  TypedContent getATypedContent() { result = getATypedContent(this) }
-
-  /** Gets the content. */
-  ContentApprox getContent() { result = c }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this approximated content. */
-  string toString() { result = c.toString() }
-}
-
 /**
 * The front of an approximated access path. This is either a head or a nil.
 */
 abstract class ApproxAccessPathFront extends TApproxAccessPathFront {
  abstract string toString();

-  abstract DataFlowType getType();
-
  abstract boolean toBoolNonEmpty();

-  TypedContentApprox getHead() { this = TApproxFrontHead(result) }
+  ContentApprox getHead() { this = TApproxFrontHead(result) }

  pragma[nomagic]
-  TypedContent getAHead() {
-    exists(TypedContentApprox cont |
+  Content getAHead() {
+    exists(ContentApprox cont |
      this = TApproxFrontHead(cont) and
-      result = cont.getATypedContent()
+      cont = getContentApprox(result)
    )
  }
 }

 class ApproxAccessPathFrontNil extends ApproxAccessPathFront, TApproxFrontNil {
-  private DataFlowType t;
-
-  ApproxAccessPathFrontNil() { this = TApproxFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
+  override string toString() { result = "nil" }

  override boolean toBoolNonEmpty() { result = false }
 }

 class ApproxAccessPathFrontHead extends ApproxAccessPathFront, TApproxFrontHead {
-  private TypedContentApprox tc;
+  private ContentApprox c;

-  ApproxAccessPathFrontHead() { this = TApproxFrontHead(tc) }
+  ApproxAccessPathFrontHead() { this = TApproxFrontHead(c) }

-  override string toString() { result = tc.toString() }
-
-  override DataFlowType getType() { result = tc.getContainerType() }
+  override string toString() { result = c.toString() }

  override boolean toBoolNonEmpty() { result = true }
 }
@@ -1461,65 +1446,31 @@ class ApproxAccessPathFrontOption extends TApproxAccessPathFrontOption {
  }
 }

-/** A `Content` tagged with the type of a containing object. */
-class TypedContent extends MkTypedContent {
-  private Content c;
-  private DataFlowType t;
-
-  TypedContent() { this = MkTypedContent(c, t) }
-
-  /** Gets the content. */
-  Content getContent() { result = c }
-
-  /** Gets the container type. */
-  DataFlowType getContainerType() { result = t }
-
-  /** Gets a textual representation of this content. */
-  string toString() { result = c.toString() }
-
-  /**
-   * Holds if access paths with this `TypedContent` at their head always should
-   * be tracked at high precision. This disables adaptive access path precision
-   * for such access paths.
-   */
-  predicate forceHighPrecision() { forceHighPrecision(c) }
-}
-
 /**
 * The front of an access path. This is either a head or a nil.
 */
 abstract class AccessPathFront extends TAccessPathFront {
  abstract string toString();

-  abstract DataFlowType getType();
-
  abstract ApproxAccessPathFront toApprox();

-  TypedContent getHead() { this = TFrontHead(result) }
+  Content getHead() { this = TFrontHead(result) }
 }

 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
-  private DataFlowType t;
+  override string toString() { result = "nil" }

-  AccessPathFrontNil() { this = TFrontNil(t) }
-
-  override string toString() { result = ppReprType(t) }
-
-  override DataFlowType getType() { result = t }
-
-  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil(t) }
+  override ApproxAccessPathFront toApprox() { result = TApproxFrontNil() }
 }

 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
-  private TypedContent tc;
+  private Content c;

-  AccessPathFrontHead() { this = TFrontHead(tc) }
+  AccessPathFrontHead() { this = TFrontHead(c) }

-  override string toString() { result = tc.toString() }
+  override string toString() { result = c.toString() }

-  override DataFlowType getType() { result = tc.getContainerType() }
-
-  override ApproxAccessPathFront toApprox() { result.getAHead() = tc }
+  override ApproxAccessPathFront toApprox() { result.getAHead() = c }
 }

 /** An optional access path front. */
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.1
+
+No user-facing changes.
+
 ## 0.6.0

 ### New Queries
--- a/java/ql/src/change-notes/released/0.6.1.md
+++ b/java/ql/src/change-notes/released/0.6.1.md
@@ -0,0 +1,3 @@
+## 0.6.1
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.0
+lastReleaseVersion: 0.6.1
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.6.1-dev
+version: 0.6.2-dev
 groups: 
  - java
  - queries
--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -139,9 +139,9 @@ module ThroughFlowConfig implements DataFlow::StateConfigSig {
  predicate isAdditionalFlowStep(
    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
  ) {
-    exists(DataFlowImplCommon::TypedContent tc |
-      DataFlowImplCommon::store(node1, tc, node2, _) and
-      isRelevantContent(tc.getContent()) and
+    exists(DataFlow::Content c |
+      DataFlowImplCommon::store(node1, c, node2, _, _) and
+      isRelevantContent(c) and
      (
        state1 instanceof TaintRead and state2.(TaintStore).getStep() = 1
        or
@@ -178,7 +178,7 @@ string captureThroughFlow(DataFlowTargetApi api) {
    string output
  |
    ThroughFlow::flow(p, returnNodeExt) and
-    returnNodeExt.getEnclosingCallable() = api and
+    returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
    input = parameterNodeAsInput(p) and
    output = returnNodeAsOutput(returnNodeExt) and
    input != output and
--- a/java/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll
@@ -73,7 +73,9 @@ private string isExtensible(J::RefType ref) {
 }

 private string typeAsModel(J::RefType type) {
-  result = type.getCompilationUnit().getPackage().getName() + ";" + type.nestedName()
+  result =
+    type.getCompilationUnit().getPackage().getName() + ";" +
+      type.getErasure().(J::RefType).nestedName()
 }

 private J::RefType bestTypeForModel(TargetApiSpecific api) {
@@ -184,7 +186,7 @@ string returnNodeAsOutput(DataFlowImplCommon::ReturnNodeExt node) {
    exists(int pos |
      pos = node.getKind().(DataFlowImplCommon::ParamUpdateReturnKind).getPosition()
    |
-      result = parameterAccess(node.getEnclosingCallable().getParameter(pos))
+      result = parameterAccess(node.(DataFlow::Node).getEnclosingCallable().getParameter(pos))
      or
      result = qualifierString() and pos = -1
    )
@@ -236,7 +238,7 @@ predicate apiSource(DataFlow::Node source) {
 string asInputArgumentSpecific(DataFlow::Node source) {
  exists(int pos |
    source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
-    result = "Argument[" + pos + "]"
+    if pos >= 0 then result = "Argument[" + pos + "]" else result = qualifierString()
  )
  or
  source.asExpr() instanceof J::FieldAccess and