Merge branch 'main' into patch-1

This commit is contained in:
mc
2022-08-04 10:06:01 +01:00
committed by GitHub
104 changed files with 312 additions and 160 deletions


@@ -5,7 +5,7 @@ on:
paths:
- "*/ql/lib/**"
- .github/workflows/check-qldoc.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
branches:
- main
- "rc/*"
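Review bot: Narrowing the trigger entry from `.github/actions/fetch-codeql` to `.github/actions/fetch-codeql/action.yml` means that any other file that may later live in that action directory (a script the action invokes, for instance) will no longer trigger this workflow; a glob such as `- .github/actions/fetch-codeql/**` keeps the fix (a bare directory entry presumably matched nothing, which is why it was changed) without that gap. The same substitution appears in every workflow section of this commit, so the remark applies to each of them. Whether the action directory currently holds anything besides `action.yml` is not visible here.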


@@ -12,7 +12,7 @@ on:
- main
paths:
- ".github/workflows/csv-coverage-metrics.yml"
- ".github/actions/fetch-codeql"
- ".github/actions/fetch-codeql/action.yml"
jobs:
publish-java:


@@ -5,7 +5,7 @@ on:
paths:
- ".github/workflows/csv-coverage-pr-comment.yml"
- ".github/workflows/csv-coverage-pr-artifacts.yml"
- ".github/actions/fetch-codeql"
- ".github/actions/fetch-codeql/action.yml"
- "*/ql/src/**/*.ql"
- "*/ql/src/**/*.qll"
- "*/ql/lib/**/*.ql"


@@ -4,7 +4,7 @@ on:
paths:
- "go/**"
- .github/workflows/go-tests.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
jobs:
test-linux:


@@ -5,7 +5,7 @@ on:
paths:
- "javascript/ql/experimental/adaptivethreatmodeling/**"
- .github/workflows/js-ml-tests.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main
@@ -14,7 +14,7 @@ on:
paths:
- "javascript/ql/experimental/adaptivethreatmodeling/**"
- .github/workflows/js-ml-tests.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
workflow_dispatch:


@@ -9,7 +9,7 @@ on:
- main
paths:
- ".github/workflows/mad_regenerate-models.yml"
- ".github/actions/fetch-codeql"
- ".github/actions/fetch-codeql/action.yml"
jobs:
regenerate-models:


@@ -10,7 +10,7 @@ on:
pull_request:
paths:
- '.github/workflows/query-list.yml'
- '.github/actions/fetch-codeql'
- '.github/actions/fetch-codeql/action.yml'
- 'misc/scripts/generate-code-scanning-query-list.py'
jobs:


@@ -5,7 +5,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main
@@ -14,7 +14,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main


@@ -5,7 +5,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-qltest.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main
@@ -14,7 +14,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-qltest.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main


@@ -5,7 +5,7 @@ on:
paths:
- "swift/**"
- .github/workflows/swift-codegen.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
branches:
- main


@@ -5,7 +5,7 @@ on:
paths:
- "swift/**"
- .github/workflows/swift-integration-tests.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main


@@ -5,7 +5,7 @@ on:
paths:
- "swift/**"
- .github/workflows/swift-qltest.yml
- .github/actions/fetch-codeql
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main


@@ -5,7 +5,7 @@ on:
paths:
- "*/ql/*/change-notes/**/*"
- ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql"
- ".github/actions/fetch-codeql/action.yml"
branches:
- main
- "rc/*"
@@ -13,7 +13,7 @@ on:
paths:
- "*/ql/*/change-notes/**/*"
- ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql"
- ".github/actions/fetch-codeql/action.yml"
jobs:
check-change-note:


@@ -1,3 +1,9 @@
## 0.3.2
### Bug Fixes
* Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`.
## 0.3.1
### Minor Analysis Improvements


@@ -0,0 +1,4 @@
---
category: feature
---
* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.


@@ -1,4 +1,5 @@
---
category: fix
---
## 0.3.2
### Bug Fixes
* Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.1
lastReleaseVersion: 0.3.2


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.3.2-dev
version: 0.3.3-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -38,6 +38,9 @@ abstract class MustFlowConfiguration extends string {
*/
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
/** Holds if this configuration allows flow from arguments to parameters. */
predicate allowInterproceduralFlow() { any() }
/**
* Holds if data must flow from `source` to `sink` for this configuration.
*
@@ -204,10 +207,25 @@ private module Cached {
}
}
/**
* Gets the enclosing callable of `n`. Unlike `n.getEnclosingCallable()`, this
* predicate ensures that joins go from `n` to the result instead of the other
* way around.
*/
pragma[inline]
private Declaration getEnclosingCallable(DataFlow::Node n) {
pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingCallable()
}
/** Holds if `nodeFrom` flows to `nodeTo`. */
private predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, MustFlowConfiguration config) {
exists(config) and
Cached::step(nodeFrom, nodeTo)
Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and
(
config.allowInterproceduralFlow()
or
getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo)
)
or
config.isAdditionalFlowStep(nodeFrom, nodeTo)
}
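Review bot: The QLDoc on the new `allowInterproceduralFlow()` predicate in the first hunk says it governs flow "from arguments to parameters", but the restriction added to `step` in the second hunk applies to every `Cached::step` whose endpoints have different enclosing callables, so (assuming `Cached::step` also contains return-value steps) flow out of a callee is cut as well, while steps contributed by `isAdditionalFlowStep` are left unrestricted. I would widen the doc to match: `/** Holds if this configuration allows flow steps between different callables, for example argument-to-parameter and return flow; steps from isAdditionalFlowStep are never restricted. */`. The retained `exists(config) and` conjunct is now what keeps `config` bound in the `getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo)` branch, where it is not otherwise mentioned, which is worth a one-line comment since it otherwise reads as vestigial. The `Cached` module and `MustFlowConfiguration` class both begin outside these hunks.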


@@ -1,3 +1,5 @@
## 0.3.1
## 0.3.0
### Breaking Changes


@@ -52,6 +52,18 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
)
}
// We disable flow into callables in this query as we'd otherwise get a result on this piece of code:
// ```cpp
// int* id(int* px) {
// return px; // this returns the local variable `x`, but it's fine as the local variable isn't declared in this scope.
// }
// void f() {
// int x;
// int* px = id(&x);
// }
// ```
override predicate allowInterproceduralFlow() { none() }
/**
* This configuration intentionally conflates addresses of fields and their object, and pointer offsets
* with their base pointer as this allows us to detect cases where an object's address flows to a
@@ -77,9 +89,6 @@ from
ReturnStackAllocatedMemoryConfig conf
where
conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
source.getNode().asInstruction() = var and
// Only raise an alert if we're returning from the _same_ callable as the on that
// declared the stack variable.
var.getEnclosingFunction() = sink.getNode().getEnclosingCallable()
source.getNode().asInstruction() = var
select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAst(),
var.getAst().toString()
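Review bot: Dropping the `var.getEnclosingFunction() = sink.getNode().getEnclosingCallable()` conjunct from the `where` clause makes the query's same-function guarantee rest entirely on `override predicate allowInterproceduralFlow() { none() }`, and in this commit's `MustFlow.qll` that restriction is applied to `Cached::step` only, not to `isAdditionalFlowStep`; if this configuration's additional steps (the conflation described in the QLDoc that follows the override, whose definition lies outside the hunk) can relate nodes in different functions, a cross-function path could resurface. I would either keep the conjunct as a belt-and-braces check or record the dependency next to the override, e.g. `// Relies on MustFlow restricting Cached::step to a single callable; isAdditionalFlowStep is not restricted there.`. The `from`/`where`/`select` block begins before the second hunk.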


@@ -0,0 +1 @@
## 0.3.1


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -27,6 +27,9 @@ groups, and finally set the target user.</p>
</example>
<references>
<li>CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges">POS36-C. Observe correct revocation order while relinquishing privileges</a>.
</li>
<li>CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful">POS37-C. Ensure that privilege relinquishment is successful</a>.
</li>


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.3.1-dev
version: 0.3.2-dev
groups:
- cpp
- queries


@@ -15,6 +15,7 @@
| test.cpp:3:8:3:8 | operator= |
| test.cpp:3:8:3:10 | Str<T> |
| test.cpp:3:8:3:10 | Str<int> |
| test.cpp:7:16:7:16 | T |
| test.cpp:8:11:8:21 | val |
| test.cpp:8:19:8:19 | val |
| test.cpp:10:6:10:6 | f |


@@ -100,12 +100,6 @@ edges
| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference dereference) |
| test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference to) |
| test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | Unary |
| test.cpp:225:14:225:15 | px | test.cpp:226:10:226:11 | Load |
| test.cpp:226:10:226:11 | Load | test.cpp:226:10:226:11 | px |
| test.cpp:226:10:226:11 | px | test.cpp:226:10:226:11 | StoreValue |
| test.cpp:231:16:231:17 | & ... | test.cpp:225:14:225:15 | px |
| test.cpp:231:17:231:17 | Unary | test.cpp:231:16:231:17 | & ... |
| test.cpp:231:17:231:17 | x | test.cpp:231:17:231:17 | Unary |
nodes
| test.cpp:17:9:17:11 | & ... | semmle.label | & ... |
| test.cpp:17:9:17:11 | StoreValue | semmle.label | StoreValue |
@@ -221,13 +215,6 @@ nodes
| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
| test.cpp:190:10:190:13 | Unary | semmle.label | Unary |
| test.cpp:190:10:190:13 | pRef | semmle.label | pRef |
| test.cpp:225:14:225:15 | px | semmle.label | px |
| test.cpp:226:10:226:11 | Load | semmle.label | Load |
| test.cpp:226:10:226:11 | StoreValue | semmle.label | StoreValue |
| test.cpp:226:10:226:11 | px | semmle.label | px |
| test.cpp:231:16:231:17 | & ... | semmle.label | & ... |
| test.cpp:231:17:231:17 | Unary | semmle.label | Unary |
| test.cpp:231:17:231:17 | x | semmle.label | x |
#select
| test.cpp:17:9:17:11 | StoreValue | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
| test.cpp:25:9:25:11 | StoreValue | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |


@@ -1,3 +1,5 @@
## 1.2.2
## 1.2.1
## 1.2.0


@@ -0,0 +1 @@
## 1.2.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.1
lastReleaseVersion: 1.2.2


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.2.2-dev
version: 1.2.3-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,5 @@
## 1.2.2
## 1.2.1
## 1.2.0


@@ -0,0 +1 @@
## 1.2.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.1
lastReleaseVersion: 1.2.2


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.2.2-dev
version: 1.2.3-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,5 @@
## 0.3.2
## 0.3.1
## 0.3.0


@@ -0,0 +1 @@
## 0.3.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.1
lastReleaseVersion: 0.3.2


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.3.2-dev
version: 0.3.3-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -1,3 +1,5 @@
## 0.3.1
## 0.3.0
### Breaking Changes


@@ -0,0 +1 @@
## 0.3.1


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.3.1-dev
version: 0.3.2-dev
groups:
- csharp
- queries


@@ -1,3 +1,5 @@
## 0.2.2
## 0.2.1
## 0.2.0


@@ -0,0 +1 @@
## 0.2.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.2.1
lastReleaseVersion: 0.2.2


@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.2.2-dev
version: 0.2.3-dev
groups: go
dbscheme: go.dbscheme
extractor: go


@@ -70,6 +70,15 @@ module TaintedPath {
PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
}
/**
* A numeric- or boolean-typed node, considered a sanitizer for path traversal.
*/
class NumericOrBooleanSanitizer extends Sanitizer {
NumericOrBooleanSanitizer() {
this.getType() instanceof NumericType or this.getType() instanceof BoolType
}
}
/**
* A call to `filepath.Rel`, considered as a sanitizer for path traversal.
*/
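Review bot: `NumericOrBooleanSanitizer` tests `this.getType()` directly against `NumericType` and `BoolType`, so a value whose declared type is a named type with a numeric or boolean underlying type (e.g. `type Port int`) would, if `getType()` yields the named type rather than its underlying type, not be recognised even though it can no more carry a path separator than a plain `int`; `this.getType().getUnderlyingType() instanceof NumericType` (and the same for `BoolType`) would cover both forms. A purely type-based sanitizer also deserves a why-comment so that the reasoning is auditable, e.g. `// A numeric or boolean value cannot contain path separators or dot segments, so it cannot be used to traverse.`. The enclosing `TaintedPath` module begins before this hunk.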


@@ -1,3 +1,5 @@
## 0.2.2
## 0.2.1
## 0.2.0


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.


@@ -0,0 +1 @@
## 0.2.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.2.1
lastReleaseVersion: 0.2.2


@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.2.2-dev
version: 0.2.3-dev
groups:
- go
- queries


@@ -1,3 +1,14 @@
## 0.3.2
### New Features
* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
### Minor Analysis Improvements
* The JUnit5 version of `AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
* Added data flow models for `java.util.Scanner`.
## 0.3.1
### New Features


@@ -1,4 +0,0 @@
---
category: feature
---
* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added data flow models for `java.util.Scanner`.


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* The JUnit5 version of `AssertNotNull` is now recognized, which removes
related false positives in the nullness queries.


@@ -0,0 +1,10 @@
## 0.3.2
### New Features
* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
### Minor Analysis Improvements
* The JUnit5 version of `AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
* Added data flow models for `java.util.Scanner`.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.1
lastReleaseVersion: 0.3.2


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.3.2-dev
version: 0.3.3-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -1,3 +1,5 @@
## 0.3.1
## 0.3.0
### Breaking Changes


@@ -15,6 +15,7 @@
import java
import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.security.PathCreation
import DataFlow::PathGraph
import TaintedPathCommon
@@ -34,7 +35,12 @@ class TaintedPathConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(Expr e | e = sink.asExpr() | e = any(PathCreation p).getAnInput() and not guarded(e))
(
sink.asExpr() = any(PathCreation p).getAnInput()
or
sinkNode(sink, "create-file")
) and
not guarded(sink.asExpr())
}
override predicate isSanitizer(DataFlow::Node node) {
@@ -44,9 +50,21 @@ class TaintedPathConfig extends TaintTracking::Configuration {
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, TaintedPathConfig conf
where
sink.getNode().asExpr() = p.getAnInput() and
conf.hasFlowPath(source, sink)
select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(),
"User-provided value"
/**
* Gets the data-flow node at which to report a path ending at `sink`.
*
* Previously this query flagged alerts exclusively at `PathCreation` sites,
* so to avoid perturbing existing alerts, where a `PathCreation` exists we
* continue to report there; otherwise we report directly at `sink`.
*/
DataFlow::Node getReportingNode(DataFlow::Node sink) {
any(TaintedPathConfig c).hasFlowTo(sink) and
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
else result = sink
}
from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathConfig conf
where conf.hasFlowPath(source, sink)
select getReportingNode(sink.getNode()), source, sink, "$@ flows to here and is used in a path.",
source.getNode(), "User-provided value"
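Review bot: In `getReportingNode`, the leading `any(TaintedPathConfig c).hasFlowTo(sink)` conjunct is undocumented; since the only caller already requires `conf.hasFlowPath(source, sink)`, it presumably exists to keep the predicate's domain small rather than to add a condition, and a comment saying so would stop a later reader from removing it as redundant, e.g. `// Restrict the domain to reachable sinks so this is not computed for every DataFlow::Node.`. The `any(PathCreation pc | pc.getAnInput() = sink.asExpr())` expression is evaluated twice (in the `if` condition and in the `then` branch); writing the body as a disjunction, with `not exists(PathCreation pc | pc.getAnInput() = sink.asExpr()) and result = sink` as the fallback case, reads as two cases rather than a guarded lookup and avoids the repetition. The `isSink` override now also subjects `create-file` MaD sinks to `not guarded(sink.asExpr())`, which is sensible, but `guarded` is defined outside this hunk so I cannot confirm it handles arbitrary argument expressions. The `TaintedPathConfig` class begins before the second hunk.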


@@ -16,5 +16,5 @@ from RefType sub, RefType sup
where
sub.fromSource() and
sup = sub.getASupertype() and
sub.getName() = sup.getName()
pragma[only_bind_out](sub.getName()) = pragma[only_bind_out](sup.getName())
select sub, sub.getName() + " has the same name as its supertype $@.", sup, sup.getQualifiedName()
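Review bot: The `pragma[only_bind_out]` now wrapped around both `getName()` calls carries no explanation, and a pragma is exactly the kind of line whose intent is invisible a year later; I would annotate it on the line above, e.g. `// pragma[only_bind_out]: keep the optimiser from evaluating getName() backwards (name -> all types with that name); sub and sup are already bound by the earlier conjuncts.`, adjusted if the join-order problem it actually fixed was a different one. The `from`/`where` clause begins before this hunk.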


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `java/path-injection` now recognises vulnerable APIs defined using the `SinkModelCsv` class with the `create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.


@@ -0,0 +1 @@
## 0.3.1


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 0.3.1-dev
version: 0.3.2-dev
groups:
- java
- queries


@@ -8,6 +8,7 @@ edges
| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader |
| Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
| Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
nodes
| Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -20,6 +21,8 @@ nodes
| Test.java:80:31:80:32 | br : BufferedReader | semmle.label | br : BufferedReader |
| Test.java:80:31:80:43 | readLine(...) : String | semmle.label | readLine(...) : String |
| Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:90:26:90:29 | temp | semmle.label | temp |
subpaths
#select
| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -27,3 +30,4 @@ subpaths
| Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
| Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |


@@ -2,7 +2,6 @@
// http://cwe.mitre.org/data/definitions/22.html
package test.cwe22.semmle.tests;
import javax.servlet.http.*;
import javax.servlet.ServletException;
@@ -12,6 +11,7 @@ import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.FileSystems;
import org.apache.commons.io.output.LockableFileWriter;
class Test {
void doGet1(InetAddress address)
@@ -19,13 +19,13 @@ class Test {
String temp = address.getHostName();
File file;
Path path;
// BAD: construct a file path with user input
file = new File(temp);
// BAD: construct a path with user input
path = Paths.get(temp);
// BAD: construct a path with user input
path = FileSystems.getDefault().getPath(temp);
@@ -34,7 +34,7 @@ class Test {
file = new File(temp);
}
}
void doGet2(InetAddress address)
throws IOException {
String temp = address.getHostName();
@@ -44,7 +44,7 @@ class Test {
if(isSafe(temp))
file = new File(temp);
}
void doGet3(InetAddress address)
throws IOException {
String temp = address.getHostName();
@@ -66,7 +66,7 @@ class Test {
return false;
return true;
}
boolean isSortOfSafe(String pathSpec) {
// no file separators
if (pathSpec.contains(File.separator))
@@ -82,4 +82,11 @@ class Test {
BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
}
}
void doGet4(InetAddress address)
throws IOException {
String temp = address.getHostName();
// BAD: open a file based on user input, using a MaD-documented API
new LockableFileWriter(temp);
}
}


@@ -1 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6


@@ -0,0 +1,7 @@
package org.apache.commons.io.output;
public class LockableFileWriter {
public LockableFileWriter(String filename) { }
}


@@ -1,3 +1,5 @@
## 0.2.2
## 0.2.1
### Minor Analysis Improvements


@@ -0,0 +1 @@
## 0.2.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.2.1
lastReleaseVersion: 0.2.2


@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.2.2-dev
version: 0.2.3-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript


@@ -1,3 +1,10 @@
## 0.3.1
### New Queries
- A new query "Case-sensitive middleware path" (`js/case-sensitive-middleware-path`) has been added.
It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
## 0.3.0
### Breaking Changes


@@ -1,6 +1,6 @@
---
category: newQuery
---
## 0.3.1
### New Queries
- A new query "Case-sensitive middleware path" (`js/case-sensitive-middleware-path`) has been added.
It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.3.1-dev
version: 0.3.2-dev
groups:
- javascript
- queries


@@ -1,3 +1,5 @@
## 0.5.2
## 0.5.1
### Deprecated APIs


@@ -0,0 +1 @@
## 0.5.2


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.1
lastReleaseVersion: 0.5.2


@@ -1,5 +1,5 @@
name: codeql/python-all
version: 0.5.2-dev
version: 0.5.3-dev
groups: python
dbscheme: semmlecode.python.dbscheme
extractor: python


@@ -1,3 +1,9 @@
## 0.4.0
### Breaking Changes
* Contextual queries and the query libraries they depend on have been moved to the `codeql/python-all` package.
## 0.3.0
### Breaking Changes


@@ -1,5 +1,5 @@
---
category: breaking
---
* Contextual queries and the query libraries they depend on have been moved to the `codeql/python-all` package.
## 0.4.0
### Breaking Changes
* Contextual queries and the query libraries they depend on have been moved to the `codeql/python-all` package.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.4.0


@@ -1,5 +1,5 @@
name: codeql/python-queries
version: 0.3.1-dev
version: 0.4.1-dev
groups:
- python
- queries


@@ -7,8 +7,6 @@ edges
| tarslip.py:40:7:40:39 | ControlFlowNode for Attribute() | tarslip.py:41:24:41:26 | ControlFlowNode for tar |
| tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | tarslip.py:57:5:57:9 | GSSA Variable entry |
| tarslip.py:57:5:57:9 | GSSA Variable entry | tarslip.py:59:21:59:25 | ControlFlowNode for entry |
| tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | tarslip.py:80:5:80:9 | GSSA Variable entry |
| tarslip.py:80:5:80:9 | GSSA Variable entry | tarslip.py:82:21:82:25 | ControlFlowNode for entry |
nodes
| tarslip.py:12:7:12:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| tarslip.py:13:1:13:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar |
@@ -23,9 +21,6 @@ nodes
| tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| tarslip.py:57:5:57:9 | GSSA Variable entry | semmle.label | GSSA Variable entry |
| tarslip.py:59:21:59:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
| tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| tarslip.py:80:5:80:9 | GSSA Variable entry | semmle.label | GSSA Variable entry |
| tarslip.py:82:21:82:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
subpaths
#select
| tarslip.py:13:1:13:3 | ControlFlowNode for tar | tarslip.py:12:7:12:39 | ControlFlowNode for Attribute() | tarslip.py:13:1:13:3 | ControlFlowNode for tar | Extraction of tarfile from $@ | tarslip.py:12:7:12:39 | ControlFlowNode for Attribute() | a potentially untrusted source |
@@ -33,4 +28,3 @@ subpaths
| tarslip.py:37:17:37:21 | ControlFlowNode for entry | tarslip.py:33:7:33:39 | ControlFlowNode for Attribute() | tarslip.py:37:17:37:21 | ControlFlowNode for entry | Extraction of tarfile from $@ | tarslip.py:33:7:33:39 | ControlFlowNode for Attribute() | a potentially untrusted source |
| tarslip.py:41:24:41:26 | ControlFlowNode for tar | tarslip.py:40:7:40:39 | ControlFlowNode for Attribute() | tarslip.py:41:24:41:26 | ControlFlowNode for tar | Extraction of tarfile from $@ | tarslip.py:40:7:40:39 | ControlFlowNode for Attribute() | a potentially untrusted source |
| tarslip.py:59:21:59:25 | ControlFlowNode for entry | tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | tarslip.py:59:21:59:25 | ControlFlowNode for entry | Extraction of tarfile from $@ | tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | a potentially untrusted source |
| tarslip.py:82:21:82:25 | ControlFlowNode for entry | tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | tarslip.py:82:21:82:25 | ControlFlowNode for entry | Extraction of tarfile from $@ | tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | a potentially untrusted source |


@@ -1,3 +1,10 @@
## 0.3.2
### Minor Analysis Improvements
* Calls to `Arel.sql` are now recognised as propagating taint from their argument.
* Calls to `ActiveRecord::Relation#annotate` are now recognized as `SqlExecution`s so that it will be considered as a sink for queries like rb/sql-injection.
## 0.3.1
### Minor Analysis Improvements


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
- Calls to `ActiveRecord::Relation#annotate` are now recognized as`SqlExecution`s so that it will be considered as a sink for queries like rb/sql-injection.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Calls to `Arel.sql` are now recognised as propagating taint from their argument.


@@ -0,0 +1,6 @@
## 0.3.2
### Minor Analysis Improvements
* Calls to `Arel.sql` are now recognised as propagating taint from their argument.
* Calls to `ActiveRecord::Relation#annotate` are now recognized as `SqlExecution`s so that it will be considered as a sink for queries like rb/sql-injection.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.1
lastReleaseVersion: 0.3.2


@@ -9,6 +9,7 @@
private import AST
private import codeql.ruby.Regexp as RE
private import codeql.ruby.ast.internal.Synthesis
private import ast.internal.AST
/**
* The query can extend this class to control which nodes are printed.
@@ -35,6 +36,8 @@ private predicate shouldPrintAstEdge(AstNode parent, string edgeName, AstNode ch
any(PrintAstConfiguration config).shouldPrintAstEdge(parent, edgeName, child)
}
private int nonSynthIndex() { result = min([-1, any(int i | exists(getSynthChild(_, i)))]) - 1 }
newtype TPrintNode =
TPrintRegularAstNode(AstNode n) { shouldPrintNode(n) } or
TPrintRegExpNode(RE::RegExpTerm term) {
@@ -112,13 +115,22 @@ class PrintRegularAstNode extends PrintAstNode, TPrintRegularAstNode {
)
}
private int getSynthAstNodeIndex() {
not astNode.isSynthesized() and result = nonSynthIndex()
or
astNode = getSynthChild(astNode.getParent(), result)
}
override int getOrder() {
this =
rank[result](PrintRegularAstNode p, Location l, File f |
l = p.getLocation() and
f = l.getFile()
|
p order by f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn()
p
order by
f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn(),
l.getEndLine(), l.getEndColumn(), p.getSynthAstNodeIndex()
)
}
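Review bot: `nonSynthIndex()` is a one-liner whose arithmetic, `min([-1, any synthesized-child index]) - 1`, encodes an ordering rule without saying so; I would give it a QLDoc such as `/** An index strictly below every synthesized-child index, so a non-synthesized node sorts before any synthesized sibling at the same location. */`. `getSynthAstNodeIndex()` likewise deserves a note that it relies on every synthesized node being reachable as `getSynthChild(parent, i)` for some `i`, since a synthesized node for which that fails gets no index and therefore no `getOrder()` result, and I cannot confirm that invariant from this hunk. The added `order by` keys (end line/column and the synth index) presumably exist to make the rank total for nodes sharing a start position; a short comment above the `rank` stating that would help. The `PrintRegularAstNode` class begins before the third hunk.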


@@ -1,5 +1,5 @@
name: codeql/ruby-all
version: 0.3.2-dev
version: 0.3.3-dev
groups: ruby
extractor: ruby
dbscheme: ruby.dbscheme


@@ -1,3 +1,10 @@
## 0.3.1
### New Queries
* Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
* Added a new experimental query, `rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.
## 0.3.0
### Breaking Changes


@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.


@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new experimental query, `rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.


@@ -0,0 +1,6 @@
## 0.3.1
### New Queries
* Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
* Added a new experimental query, `rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.3.0
lastReleaseVersion: 0.3.1
