Merge branch 'main' into destructors-for-unconditional-unnamed

2026-04-24 16:25:15 +02:00 · 2024-04-04 15:04:34 +01:00
parent 0b7070feec b8b8e2b991
commit 774efb5f3f
8 changed files with 14356 additions and 14145 deletions
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ir.expected
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1933,6 +1933,20 @@ namespace missing_declaration_entries {
        Bar2<int> b;
        b.two_missing_variable_declaration_entries();
    }
+
+    template<typename T> struct Bar3 {
+
+        int two_more_missing_variable_declaration_entries() {
+            extern int g;
+            int z(float);
+            return g;
+        }
+    };
+
+    void test3() {
+        Bar3<int> b;
+        b.two_more_missing_variable_declaration_entries();
+    }
 }

 template<typename T> T global_template = 42;
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -279,6 +279,20 @@ module CallGraph {
    StepSummary::step(getAnAllocationSiteRef(node), result, objectWithMethodsStep())
  }

+  /**
+   * Holds if `function` flows to a property of `host` via non-local data flow.
+   */
+  pragma[nomagic]
+  private predicate complexMethodInstallation(
+    DataFlow::SourceNode host, DataFlow::FunctionNode function
+  ) {
+    not function = getAMethodOnObject(_) and
+    exists(DataFlow::TypeTracker t |
+      getAFunctionReference(function, 0, t) = host.getAPropertySource() and
+      t.start() // require call bit to be false
+    )
+  }
+
  /**
   * Holds if `pred` is assumed to flow to `succ` because a method is stored on an object that is assumed
   * to be the receiver of calls to that method.
@@ -291,9 +305,18 @@ module CallGraph {
   */
  cached
  predicate impliedReceiverStep(DataFlow::SourceNode pred, DataFlow::SourceNode succ) {
+    // To avoid double-recursion, we handle either complex flow for the host object, or for the function, but not both.
    exists(DataFlow::SourceNode host |
+      // Complex flow for the host object
      pred = getAnAllocationSiteRef(host) and
      succ = getAMethodOnObject(host).getReceiver()
+      or
+      // Complex flow for the function
+      exists(DataFlow::FunctionNode function |
+        complexMethodInstallation(host, function) and
+        pred = host and
+        succ = function.getReceiver()
+      )
    )
  }
 }
--- a/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/implied-receiver.js
+++ b/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/implied-receiver.js
@@ -0,0 +1,19 @@
+import 'dummy';
+
+function fooFactoryFactory() {
+    return function fooFactory() {
+        return function foo() {
+            /** calls:F.member */
+            this.member();
+        }
+    }
+}
+
+function F() {
+    this.foo = fooFactoryFactory()();
+}
+
+/** name:F.member */
+F.prototype.member = function() {
+    return 42;
+};
--- a/ruby/ql/src/queries/security/cwe-116/IncompleteMultiCharacterSanitization.qhelp
+++ b/ruby/ql/src/queries/security/cwe-116/IncompleteMultiCharacterSanitization.qhelp
@@ -90,7 +90,7 @@ end
 Another potential fix is to use the popular <code>sanitize</code> gem. 
 It keeps most of the safe HTML tags while removing all unsafe tags and attributes.
 </p>
-<sample language="javascript">
+<sample language="ruby">
 require 'sanitize'

 def sanitize_html(input)