diff --git a/.github/workflows/check-qldoc.yml b/.github/workflows/check-qldoc.yml index be986d5ecf6..cc7523162aa 100644 --- a/.github/workflows/check-qldoc.yml +++ b/.github/workflows/check-qldoc.yml @@ -5,7 +5,7 @@ on: paths: - "*/ql/lib/**" - .github/workflows/check-qldoc.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml branches: - main - "rc/*" diff --git a/.github/workflows/csv-coverage-metrics.yml b/.github/workflows/csv-coverage-metrics.yml index e263572398e..7555533ab98 100644 --- a/.github/workflows/csv-coverage-metrics.yml +++ b/.github/workflows/csv-coverage-metrics.yml @@ -12,7 +12,7 @@ on: - main paths: - ".github/workflows/csv-coverage-metrics.yml" - - ".github/actions/fetch-codeql" + - ".github/actions/fetch-codeql/action.yml" jobs: publish-java: diff --git a/.github/workflows/csv-coverage-pr-artifacts.yml b/.github/workflows/csv-coverage-pr-artifacts.yml index 3649b99387b..19ad488a3ab 100644 --- a/.github/workflows/csv-coverage-pr-artifacts.yml +++ b/.github/workflows/csv-coverage-pr-artifacts.yml @@ -5,7 +5,7 @@ on: paths: - ".github/workflows/csv-coverage-pr-comment.yml" - ".github/workflows/csv-coverage-pr-artifacts.yml" - - ".github/actions/fetch-codeql" + - ".github/actions/fetch-codeql/action.yml" - "*/ql/src/**/*.ql" - "*/ql/src/**/*.qll" - "*/ql/lib/**/*.ql" diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml index 14114ee2003..26055bd71da 100644 --- a/.github/workflows/go-tests.yml +++ b/.github/workflows/go-tests.yml @@ -4,7 +4,7 @@ on: paths: - "go/**" - .github/workflows/go-tests.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml jobs: test-linux: diff --git a/.github/workflows/js-ml-tests.yml b/.github/workflows/js-ml-tests.yml index 0b23f91ed48..c932432530b 100644 --- a/.github/workflows/js-ml-tests.yml +++ b/.github/workflows/js-ml-tests.yml 
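Review bot: Narrowing the trigger path to the single file `.github/actions/fetch-codeql/action.yml` means any other file that later lands in `.github/actions/fetch-codeql/` (a script the composite action calls, say) would no longer re-run these workflows; the same change is repeated in the csv-coverage-metrics, csv-coverage-pr-artifacts, go-tests, js-ml-tests, mad_regenerate-models, query-list, ruby-build, ruby-qltest, swift-codegen, swift-integration-tests, swift-qltest and validate-change-notes hunks. If the intent is "anything in the action directory", the glob `.github/actions/fetch-codeql/**` expresses that and, as far as I can tell, also fixes the original problem that a bare directory path does not match the files inside it. If the action is known to consist of `action.yml` alone, the literal path is fine and a one-line comment next to it, `# the action is a single file; widen to fetch-codeql/** if scripts are added`, would save the next editor the same question.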
@@ -5,7 +5,7 @@ on: paths: - "javascript/ql/experimental/adaptivethreatmodeling/**" - .github/workflows/js-ml-tests.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main @@ -14,7 +14,7 @@ on: paths: - "javascript/ql/experimental/adaptivethreatmodeling/**" - .github/workflows/js-ml-tests.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml workflow_dispatch: diff --git a/.github/workflows/mad_regenerate-models.yml b/.github/workflows/mad_regenerate-models.yml index 9f16c223ec6..0abc8936911 100644 --- a/.github/workflows/mad_regenerate-models.yml +++ b/.github/workflows/mad_regenerate-models.yml @@ -9,7 +9,7 @@ on: - main paths: - ".github/workflows/mad_regenerate-models.yml" - - ".github/actions/fetch-codeql" + - ".github/actions/fetch-codeql/action.yml" jobs: regenerate-models: diff --git a/.github/workflows/query-list.yml b/.github/workflows/query-list.yml index 0cf1cf30422..efb295dfcf8 100644 --- a/.github/workflows/query-list.yml +++ b/.github/workflows/query-list.yml @@ -10,7 +10,7 @@ on: pull_request: paths: - '.github/workflows/query-list.yml' - - '.github/actions/fetch-codeql' + - '.github/actions/fetch-codeql/action.yml' - 'misc/scripts/generate-code-scanning-query-list.py' jobs: diff --git a/.github/workflows/ruby-build.yml b/.github/workflows/ruby-build.yml index 2f7464e47b3..6ad627aab48 100644 --- a/.github/workflows/ruby-build.yml +++ b/.github/workflows/ruby-build.yml @@ -5,7 +5,7 @@ on: paths: - "ruby/**" - .github/workflows/ruby-build.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main @@ -14,7 +14,7 @@ on: paths: - "ruby/**" - .github/workflows/ruby-build.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main 
diff --git a/.github/workflows/ruby-qltest.yml b/.github/workflows/ruby-qltest.yml index e5eb7e05ecd..97235b722ba 100644 --- a/.github/workflows/ruby-qltest.yml +++ b/.github/workflows/ruby-qltest.yml @@ -5,7 +5,7 @@ on: paths: - "ruby/**" - .github/workflows/ruby-qltest.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main @@ -14,7 +14,7 @@ on: paths: - "ruby/**" - .github/workflows/ruby-qltest.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main diff --git a/.github/workflows/swift-codegen.yml b/.github/workflows/swift-codegen.yml index 665ee55a247..5700045430d 100644 --- a/.github/workflows/swift-codegen.yml +++ b/.github/workflows/swift-codegen.yml @@ -5,7 +5,7 @@ on: paths: - "swift/**" - .github/workflows/swift-codegen.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml branches: - main diff --git a/.github/workflows/swift-integration-tests.yml b/.github/workflows/swift-integration-tests.yml index cc365809c73..4d4248b64e3 100644 --- a/.github/workflows/swift-integration-tests.yml +++ b/.github/workflows/swift-integration-tests.yml @@ -5,7 +5,7 @@ on: paths: - "swift/**" - .github/workflows/swift-integration-tests.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main diff --git a/.github/workflows/swift-qltest.yml b/.github/workflows/swift-qltest.yml index 76a21b0bd8a..3cbcf629c98 100644 --- a/.github/workflows/swift-qltest.yml +++ b/.github/workflows/swift-qltest.yml @@ -5,7 +5,7 @@ on: paths: - "swift/**" - .github/workflows/swift-qltest.yml - - .github/actions/fetch-codeql + - .github/actions/fetch-codeql/action.yml - codeql-workspace.yml branches: - main diff --git a/.github/workflows/validate-change-notes.yml b/.github/workflows/validate-change-notes.yml index b06167ea905..44e0dc6df29 100644 
--- a/.github/workflows/validate-change-notes.yml +++ b/.github/workflows/validate-change-notes.yml @@ -5,7 +5,7 @@ on: paths: - "*/ql/*/change-notes/**/*" - ".github/workflows/validate-change-notes.yml" - - ".github/actions/fetch-codeql" + - ".github/actions/fetch-codeql/action.yml" branches: - main - "rc/*" @@ -13,7 +13,7 @@ on: paths: - "*/ql/*/change-notes/**/*" - ".github/workflows/validate-change-notes.yml" - - ".github/actions/fetch-codeql" + - ".github/actions/fetch-codeql/action.yml" jobs: check-change-note: diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 75a047d6f64..9b4761ec2ce 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.3.2 + +### Bug Fixes + +* Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`. + ## 0.3.1 ### Minor Analysis Improvements diff --git a/cpp/ql/lib/change-notes/2022-08-02-must-flow-local-only-flow.md b/cpp/ql/lib/change-notes/2022-08-02-must-flow-local-only-flow.md new file mode 100644 index 00000000000..820822a5396 --- /dev/null +++ b/cpp/ql/lib/change-notes/2022-08-02-must-flow-local-only-flow.md @@ -0,0 +1,4 @@ +--- +category: feature +--- +* A new class predicate `MustFlowConfiguration::allowInterproceduralFlow` has been added to the `semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow. diff --git a/cpp/ql/lib/change-notes/2022-06-24-unique-variable.md b/cpp/ql/lib/change-notes/released/0.3.2.md similarity index 92% rename from cpp/ql/lib/change-notes/2022-06-24-unique-variable.md rename to cpp/ql/lib/change-notes/released/0.3.2.md index e04dde1290a..9d3ca0cca67 100644 --- a/cpp/ql/lib/change-notes/2022-06-24-unique-variable.md 
+++ b/cpp/ql/lib/change-notes/released/0.3.2.md
@@ -1,4 +1,5 @@
----
-category: fix
----
+## 0.3.2
+
+### Bug Fixes
+
 * Under certain circumstances a variable declaration that is not also a definition could be associated with a `Variable` that did not have the definition as a `VariableDeclarationEntry`. This is now fixed, and a unique `Variable` will exist that has both the declaration and the definition as a `VariableDeclarationEntry`.
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
index bb106b1cb63..18c64250f42 100644
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.1
+lastReleaseVersion: 0.3.2
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index ce90251f83f..06e68dba48c 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.3.2-dev
+version: 0.3.3-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll
index 1f3ea2a4d3d..08ee06acdda 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll
@@ -38,6 +38,9 @@ abstract class MustFlowConfiguration extends string {
 */
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
 
+ /** Holds if this configuration allows flow from arguments to parameters. */
+ predicate allowInterproceduralFlow() { any() }
+
 /**
 * Holds if data must flow from `source` to `sink` for this configuration.
 *
@@ -204,10 +207,25 @@ private module Cached {
 }
 }
 
+/**
+ * Gets the enclosing callable of `n`. Unlike `n.getEnclosingCallable()`, this
+ * predicate ensures that joins go from `n` to the result instead of the other
+ * way around.
+ */
+pragma[inline]
+private Declaration getEnclosingCallable(DataFlow::Node n) {
+ pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingCallable()
+}
+
 /** Holds if `nodeFrom` flows to `nodeTo`. */
 private predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, MustFlowConfiguration config) {
 exists(config) and
- Cached::step(nodeFrom, nodeTo)
+ Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and
+ (
+ config.allowInterproceduralFlow()
+ or
+ getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo)
+ )
 or
 config.isAdditionalFlowStep(nodeFrom, nodeTo)
 }
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
index e87fc5dce39..ae7e4f7151b 100644
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.3.1
+
 ## 0.3.0
 
 ### Breaking Changes
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
index 7eab1bd03c8..ed1d4084993 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+++ b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
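Review bot: The QLDoc added in the first hunk, `/** Holds if this configuration allows flow from arguments to parameters. */`, is narrower than what the new conjunct in `step` enforces: when `allowInterproceduralFlow()` does not hold, every `Cached::step` edge whose endpoints have different enclosing callables is dropped, which from this code also covers flow out of a callee through its return value, not only argument-to-parameter flow. The restriction is also not applied to the `config.isAdditionalFlowStep(nodeFrom, nodeTo)` disjunct, so configuration-defined steps can still cross callables even when the predicate is overridden to `none()`. Suggested wording: `/** Holds if this configuration allows library flow steps between different callables (argument to parameter, and return value back to the caller). Steps added via `isAdditionalFlowStep` are not restricted by this predicate. */`.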
@@ -52,6 +52,18 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
 )
 }
 
+ // We disable flow into callables in this query as we'd otherwise get a result on this piece of code:
+ // ```cpp
+ // int* id(int* px) {
+ // return px; // this returns the local variable `x`, but it's fine as the local variable isn't declared in this scope.
+ // }
+ // void f() {
+ // int x;
+ // int* px = id(&x);
+ // }
+ // ```
+ override predicate allowInterproceduralFlow() { none() }
+
 /**
 * This configuration intentionally conflates addresses of fields and their object, and pointer offsets
 * with their base pointer as this allows us to detect cases where an object's address flows to a
@@ -77,9 +89,6 @@ from ReturnStackAllocatedMemoryConfig conf
 where
 conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
- source.getNode().asInstruction() = var and
- // Only raise an alert if we're returning from the _same_ callable as the on that
- // declared the stack variable.
- var.getEnclosingFunction() = sink.getNode().getEnclosingCallable()
+ source.getNode().asInstruction() = var
 select sink.getNode(), source, sink, "May return stack-allocated memory from $@.", var.getAst(),
 var.getAst().toString()
diff --git a/cpp/ql/src/change-notes/released/0.3.1.md b/cpp/ql/src/change-notes/released/0.3.1.md
new file mode 100644
index 00000000000..2b0719929a1
--- /dev/null
+++ b/cpp/ql/src/change-notes/released/0.3.1.md
@@ -0,0 +1 @@
+## 0.3.1
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
index 95f6e3a0ba6..bb106b1cb63 100644
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.3.1
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp
index ca8d8dfaf22..1daebb58b3c 100644
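Review bot: Removing the `var.getEnclosingFunction() = sink.getNode().getEnclosingCallable()` conjunct in the second hunk makes the query rely entirely on the library's same-callable restriction in `MustFlow::step`, and that restriction, as written in the library hunk, does not apply to `isAdditionalFlowStep`; if this configuration's additional steps (the field/offset conflation documented just below the override) ever connect nodes in different callables, the interprocedural false positive the comment block describes would return without anything in this query catching it. If that trade-off is intended, a one-line note on the override would record it, e.g. `// Relies on MustFlow restricting library steps to one callable; additional steps are not restricted.`. The explanatory block above `allowInterproceduralFlow` would also read more naturally as QLDoc (`/** ... */`) than as a run of `//` lines, matching the `/** ... */` comment that follows it.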
--- a/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp +++ b/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.qhelp @@ -27,6 +27,9 @@ groups, and finally set the target user.

+
  • CERT C Coding Standard: +POS36-C. Observe correct revocation order while relinquishing privileges. +
  • CERT C Coding Standard: POS37-C. Ensure that privilege relinquishment is successful.
  • diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 2735b4d5289..03b90cb3668 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 0.3.1-dev +version: 0.3.2-dev groups: - cpp - queries diff --git a/cpp/ql/test/library-tests/templates/CPP-203/decls.expected b/cpp/ql/test/library-tests/templates/CPP-203/decls.expected index b311041021d..33aa6114052 100644 --- a/cpp/ql/test/library-tests/templates/CPP-203/decls.expected +++ b/cpp/ql/test/library-tests/templates/CPP-203/decls.expected @@ -15,6 +15,7 @@ | test.cpp:3:8:3:8 | operator= | | test.cpp:3:8:3:10 | Str | | test.cpp:3:8:3:10 | Str | +| test.cpp:7:16:7:16 | T | | test.cpp:8:11:8:21 | val | | test.cpp:8:19:8:19 | val | | test.cpp:10:6:10:6 | f | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected index 6b8a59793a3..8f9d91fc1ad 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected 
@@ -100,12 +100,6 @@ edges | test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference dereference) | | test.cpp:190:10:190:13 | Unary | test.cpp:190:10:190:13 | (reference to) | | test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | Unary | -| test.cpp:225:14:225:15 | px | test.cpp:226:10:226:11 | Load | -| test.cpp:226:10:226:11 | Load | test.cpp:226:10:226:11 | px | -| test.cpp:226:10:226:11 | px | test.cpp:226:10:226:11 | StoreValue | -| test.cpp:231:16:231:17 | & ... | test.cpp:225:14:225:15 | px | -| test.cpp:231:17:231:17 | Unary | test.cpp:231:16:231:17 | & ... | -| test.cpp:231:17:231:17 | x | test.cpp:231:17:231:17 | Unary | nodes | test.cpp:17:9:17:11 | & ... | semmle.label | & ... | | test.cpp:17:9:17:11 | StoreValue | semmle.label | StoreValue | @@ -221,13 +215,6 @@ nodes | test.cpp:190:10:190:13 | Unary | semmle.label | Unary | | test.cpp:190:10:190:13 | Unary | semmle.label | Unary | | test.cpp:190:10:190:13 | pRef | semmle.label | pRef | -| test.cpp:225:14:225:15 | px | semmle.label | px | -| test.cpp:226:10:226:11 | Load | semmle.label | Load | -| test.cpp:226:10:226:11 | StoreValue | semmle.label | StoreValue | -| test.cpp:226:10:226:11 | px | semmle.label | px | -| test.cpp:231:16:231:17 | & ... | semmle.label | & ... | -| test.cpp:231:17:231:17 | Unary | semmle.label | Unary | -| test.cpp:231:17:231:17 | x | semmle.label | x | #select | test.cpp:17:9:17:11 | StoreValue | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | | test.cpp:25:9:25:11 | StoreValue | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | StoreValue | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index de0a7eeae4b..0efa6239b0f 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md 
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,5 @@ +## 1.2.2 + ## 1.2.1 ## 1.2.0 diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.2.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.2.md new file mode 100644 index 00000000000..81af4d86d3b --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.2.2.md @@ -0,0 +1 @@ +## 1.2.2 diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 73dd403938c..0a70a9a01a7 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.1 +lastReleaseVersion: 1.2.2 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index fc22389c2a8..78cc75ede63 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.2.2-dev +version: 1.2.3-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index de0a7eeae4b..0efa6239b0f 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,5 @@ +## 1.2.2 + ## 1.2.1 ## 1.2.0 diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.2.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.2.md new file mode 100644 index 00000000000..81af4d86d3b --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.2.2.md @@ -0,0 +1 @@ +## 1.2.2 diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 73dd403938c..0a70a9a01a7 100644 
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.1 +lastReleaseVersion: 1.2.2 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index a2ef81cc0e4..fced50b6ef4 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.2.2-dev +version: 1.2.3-dev groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index d1c89626798..5ea16d73e48 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.3.2 + ## 0.3.1 ## 0.3.0 diff --git a/csharp/ql/lib/change-notes/released/0.3.2.md b/csharp/ql/lib/change-notes/released/0.3.2.md new file mode 100644 index 00000000000..8309e697333 --- /dev/null +++ b/csharp/ql/lib/change-notes/released/0.3.2.md @@ -0,0 +1 @@ +## 0.3.2 diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index bb106b1cb63..18c64250f42 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 0d72cfc0c65..8f932e28c7a 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 0.3.2-dev +version: 0.3.3-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index bf9e8f9c41f..bb530ba1727 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.3.1 + ## 0.3.0 ### Breaking Changes 
diff --git a/csharp/ql/src/change-notes/released/0.3.1.md b/csharp/ql/src/change-notes/released/0.3.1.md new file mode 100644 index 00000000000..2b0719929a1 --- /dev/null +++ b/csharp/ql/src/change-notes/released/0.3.1.md @@ -0,0 +1 @@ +## 0.3.1 diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index 95f6e3a0ba6..bb106b1cb63 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.0 +lastReleaseVersion: 0.3.1 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index d3ceb328420..9f59ceafaf5 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 0.3.1-dev +version: 0.3.2-dev groups: - csharp - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 23c4fc2eb4f..a4ead0ef794 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.2.2 + ## 0.2.1 ## 0.2.0 diff --git a/go/ql/lib/change-notes/released/0.2.2.md b/go/ql/lib/change-notes/released/0.2.2.md new file mode 100644 index 00000000000..fc31cbd3d6f --- /dev/null +++ b/go/ql/lib/change-notes/released/0.2.2.md @@ -0,0 +1 @@ +## 0.2.2 diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index df29a726bcc..16a06790aa8 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.1 +lastReleaseVersion: 0.2.2 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index c360e550193..789f504c667 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 0.2.2-dev +version: 0.2.3-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll index 2fb37ecb3fa..61499340de3 100644 
--- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll
@@ -70,6 +70,15 @@ module TaintedPath {
 PathAsSink() { this = any(FileSystemAccess fsa).getAPathArgument() }
 }
 
+ /**
+ * A numeric- or boolean-typed node, considered a sanitizer for path traversal.
+ */
+ class NumericOrBooleanSanitizer extends Sanitizer {
+ NumericOrBooleanSanitizer() {
+ this.getType() instanceof NumericType or this.getType() instanceof BoolType
+ }
+ }
+
 /**
 * A call to `filepath.Rel`, considered as a sanitizer for path traversal.
 */
diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md
index 1697aa9e561..c981e074fad 100644
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.2.2
+
 ## 0.2.1
 
 ## 0.2.0
diff --git a/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md b/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
new file mode 100644
index 00000000000..1c45e8d14e5
--- /dev/null
+++ b/go/ql/src/change-notes/2022-08-02-path-injection-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
diff --git a/go/ql/src/change-notes/released/0.2.2.md b/go/ql/src/change-notes/released/0.2.2.md
new file mode 100644
index 00000000000..fc31cbd3d6f
--- /dev/null
+++ b/go/ql/src/change-notes/released/0.2.2.md
@@ -0,0 +1 @@
+## 0.2.2
diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml
index df29a726bcc..16a06790aa8 100644
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
index 75ed3c98275..b19c723b9c7 100644
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
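Review bot: `this.getType() instanceof NumericType or this.getType() instanceof BoolType` in `NumericOrBooleanSanitizer` only matches nodes whose type is the numeric or boolean type itself; a user-declared named type with such an underlying type (`type Port int` in Go) would, as far as I can tell from the Go type model, have a named type here and keep being treated as tainted, which is at odds with the change note's "numeric or boolean-typed data". Comparing the underlying type closes that gap if `Type.getUnderlyingType()` is the accessor available in this library: `this.getType().getUnderlyingType() instanceof NumericType or this.getType().getUnderlyingType() instanceof BoolType`. Either way, the QLDoc should state whether named numeric types are covered, since that is the first question a reader of the sanitizer will ask.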
@@ -1,5 +1,5 @@ name: codeql/go-queries -version: 0.2.2-dev +version: 0.2.3-dev groups: - go - queries diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index b5ceb823e75..150a12f68fe 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,14 @@ +## 0.3.2 + +### New Features + +* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply. + +### Minor Analysis Improvements + +* The JUnit5 version of `AssertNotNull` is now recognized, which removes related false positives in the nullness queries. +* Added data flow models for `java.util.Scanner`. + ## 0.3.1 ### New Features diff --git a/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md b/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md deleted file mode 100644 index f24c9379abb..00000000000 --- a/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: feature ---- -* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply. diff --git a/java/ql/lib/change-notes/2022-07-26-scanner-models.md b/java/ql/lib/change-notes/2022-07-26-scanner-models.md deleted file mode 100644 index 6a78982d639..00000000000 --- a/java/ql/lib/change-notes/2022-07-26-scanner-models.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added data flow models for `java.util.Scanner`. \ No newline at end of file diff --git a/java/ql/lib/change-notes/2022-07-27-nullness-junit5.md b/java/ql/lib/change-notes/2022-07-27-nullness-junit5.md deleted file mode 100644 index 6cfb0949c69..00000000000 --- a/java/ql/lib/change-notes/2022-07-27-nullness-junit5.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* The JUnit5 version of `AssertNotNull` is now recognized, which removes - related false positives in the nullness queries. diff --git a/java/ql/lib/change-notes/released/0.3.2.md b/java/ql/lib/change-notes/released/0.3.2.md new file mode 100644 index 00000000000..b1d193b28b5 --- /dev/null +++ b/java/ql/lib/change-notes/released/0.3.2.md @@ -0,0 +1,10 @@ +## 0.3.2 + +### New Features + +* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply. + +### Minor Analysis Improvements + +* The JUnit5 version of `AssertNotNull` is now recognized, which removes related false positives in the nullness queries. +* Added data flow models for `java.util.Scanner`. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index bb106b1cb63..18c64250f42 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 0de218dcd22..5fe704a4f35 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 0.3.2-dev +version: 0.3.3-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index b39e648bf04..33ae45fbb9f 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.3.1 + ## 0.3.0 ### Breaking Changes diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql index 306b835b98b..671e9b00b4d 100644 --- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql 
@@ -15,6 +15,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.PathCreation
 import DataFlow::PathGraph
 import TaintedPathCommon
 
@@ -34,7 +35,12 @@ class TaintedPathConfig extends TaintTracking::Configuration {
 override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
 override predicate isSink(DataFlow::Node sink) {
- exists(Expr e | e = sink.asExpr() | e = any(PathCreation p).getAnInput() and not guarded(e))
+ (
+ sink.asExpr() = any(PathCreation p).getAnInput()
+ or
+ sinkNode(sink, "create-file")
+ ) and
+ not guarded(sink.asExpr())
 }
 
 override predicate isSanitizer(DataFlow::Node node) {
@@ -44,9 +50,21 @@ class TaintedPathConfig extends TaintTracking::Configuration {
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, TaintedPathConfig conf
-where
- sink.getNode().asExpr() = p.getAnInput() and
- conf.hasFlowPath(source, sink)
-select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(),
- "User-provided value"
+/**
+ * Gets the data-flow node at which to report a path ending at `sink`.
+ *
+ * Previously this query flagged alerts exclusively at `PathCreation` sites,
+ * so to avoid perturbing existing alerts, where a `PathCreation` exists we
+ * continue to report there; otherwise we report directly at `sink`.
+ */
+DataFlow::Node getReportingNode(DataFlow::Node sink) {
+ any(TaintedPathConfig c).hasFlowTo(sink) and
+ if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
+ then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
+ else result = sink
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathConfig conf
+where conf.hasFlowPath(source, sink)
+select getReportingNode(sink.getNode()), source, sink, "$@ flows to here and is used in a path.",
+ source.getNode(), "User-provided value"
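Review bot: In `getReportingNode` (third hunk) the conjunct `any(TaintedPathConfig c).hasFlowTo(sink)` restates the `conf.hasFlowPath(source, sink)` that the `where` clause already requires of every selected `sink`; if it is there to keep the predicate from being computed for every node rather than for correctness, a comment saying so will stop the next reader from deleting it, e.g. `// Restrict to actual sinks so the predicate is not evaluated for every data-flow node.`. The QLDoc would also benefit from spelling out the visible consequence of the `else result = sink` branch: for `create-file` sinks that are not `PathCreation` inputs the alert is placed on the argument itself (the new `Test.java:90:26:90:29 | temp` row in the expected output), not on the call that consumes it. The `isSink` change in the second hunk now applies `not guarded(sink.asExpr())` to MaD sinks too, which reads as intended but is worth a word in the change note.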
diff --git a/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql b/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
index 79f5f2cf473..a9f99658f94 100644
--- a/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
+++ b/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
@@ -16,5 +16,5 @@ from RefType sub, RefType sup
 where
 sub.fromSource() and
 sup = sub.getASupertype() and
- sub.getName() = sup.getName()
+ pragma[only_bind_out](sub.getName()) = pragma[only_bind_out](sup.getName())
 select sub, sub.getName() + " has the same name as its supertype $@.", sup, sup.getQualifiedName()
diff --git a/java/ql/src/change-notes/2022-08-03-tainted-path-mad.md b/java/ql/src/change-notes/2022-08-03-tainted-path-mad.md
new file mode 100644
index 00000000000..6f70a8f69e1
--- /dev/null
+++ b/java/ql/src/change-notes/2022-08-03-tainted-path-mad.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/path-injection` now recognises vulnerable APIs defined using the `SinkModelCsv` class with the `create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
diff --git a/java/ql/src/change-notes/released/0.3.1.md b/java/ql/src/change-notes/released/0.3.1.md
new file mode 100644
index 00000000000..2b0719929a1
--- /dev/null
+++ b/java/ql/src/change-notes/released/0.3.1.md
@@ -0,0 +1 @@
+## 0.3.1
diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml
index 95f6e3a0ba6..bb106b1cb63 100644
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.0
+lastReleaseVersion: 0.3.1
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index 9cd3341f443..8c0538014c1 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
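Review bot: The `pragma[only_bind_out]` wrapped around both sides of the name comparison in `SameNameAsSuper.ql` carries no explanation, and a pragma whose purpose is evaluation order is exactly the kind of line a later cleanup removes as noise. From the surrounding conjuncts the intent appears to be that `sub` and `sup` are already bound by `fromSource()` and `getASupertype()`, so the evaluator should compare the two names rather than join on the `getName()` relation; a comment such as `// Both sides are already bound; compare names rather than joining on getName()` would preserve that reasoning. If a measured join-order problem motivated the change, naming it in the comment would be even better.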
@@ -1,5 +1,5 @@ name: codeql/java-queries -version: 0.3.1-dev +version: 0.3.2-dev groups: - java - queries diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected index 13ac840300d..830f4d76085 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected @@ -8,6 +8,7 @@ edges | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader | | Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String | | Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... | +| Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | nodes | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String | | Test.java:24:20:24:23 | temp | semmle.label | temp | @@ -20,6 +21,8 @@ nodes | Test.java:80:31:80:32 | br : BufferedReader | semmle.label | br : BufferedReader | | Test.java:80:31:80:43 | readLine(...) : String | semmle.label | readLine(...) : String | | Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... | +| Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String | +| Test.java:90:26:90:29 | temp | semmle.label | temp | subpaths #select | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | 
@@ -27,3 +30,4 @@ subpaths | Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | | Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | | Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value | +| Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value | diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java index a0a6694c061..f0d0147df08 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java @@ -2,7 +2,6 @@ // http://cwe.mitre.org/data/definitions/22.html package test.cwe22.semmle.tests; - import javax.servlet.http.*; import javax.servlet.ServletException; @@ -12,6 +11,7 @@ import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.FileSystems; +import org.apache.commons.io.output.LockableFileWriter; class Test { void doGet1(InetAddress address) 
@@ -19,13 +19,13 @@ class Test { String temp = address.getHostName(); File file; Path path; - + // BAD: construct a file path with user input file = new File(temp); - + // BAD: construct a path with user input path = Paths.get(temp); - + // BAD: construct a path with user input path = FileSystems.getDefault().getPath(temp); @@ -34,7 +34,7 @@ class Test { file = new File(temp); } } - + void doGet2(InetAddress address) throws IOException { String temp = address.getHostName(); @@ -44,7 +44,7 @@ class Test { if(isSafe(temp)) file = new File(temp); } - + void doGet3(InetAddress address) throws IOException { String temp = address.getHostName(); @@ -66,7 +66,7 @@ class Test { return false; return true; } - + boolean isSortOfSafe(String pathSpec) { // no file separators if (pathSpec.contains(File.separator)) @@ -82,4 +82,11 @@ class Test { BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true)); } } + + void doGet4(InetAddress address) + throws IOException { + String temp = address.getHostName(); + // BAD: open a file based on user input, using a MaD-documented API + new LockableFileWriter(temp); + } } diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/options b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options index a41b28dc245..6f216f46554 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/options +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options @@ -1 +1 @@ -// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4 +// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6 diff --git a/java/ql/test/stubs/apache-commons-io-2.6/org/apache/commons/io/output/LockableFileWriter.java b/java/ql/test/stubs/apache-commons-io-2.6/org/apache/commons/io/output/LockableFileWriter.java new file mode 100644 index 00000000000..3c7c9c5ebf5 --- /dev/null 
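Review bot: `doGet4` exercises only the `LockableFileWriter(String)` overload, which is also the only constructor the new stub declares, so the test does not show whether the `create-file` sink row matches by argument position or by parameter type. Apache Commons IO also has `LockableFileWriter(String, boolean)` and `File`-typed overloads; a second BAD case such as `new LockableFileWriter(temp, true);` (with the matching stub constructor) would confirm the model covers the multi-argument form without the argument being a `File` that is already flagged on its own. The `// BAD:` comment style matches the existing cases, so only the coverage point remains.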
+++ b/java/ql/test/stubs/apache-commons-io-2.6/org/apache/commons/io/output/LockableFileWriter.java @@ -0,0 +1,7 @@ +package org.apache.commons.io.output; + +public class LockableFileWriter { + + public LockableFileWriter(String filename) { } + +} diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index 23d54f955a7..6f359e0ac85 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.2.2 + ## 0.2.1 ### Minor Analysis Improvements diff --git a/javascript/ql/lib/change-notes/released/0.2.2.md b/javascript/ql/lib/change-notes/released/0.2.2.md new file mode 100644 index 00000000000..fc31cbd3d6f --- /dev/null +++ b/javascript/ql/lib/change-notes/released/0.2.2.md @@ -0,0 +1 @@ +## 0.2.2 diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index df29a726bcc..16a06790aa8 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.1 +lastReleaseVersion: 0.2.2 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 9a05a09e0b6..e559e82a56a 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 0.2.2-dev +version: 0.2.3-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index baf7f9b85e0..00016a45458 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.3.1 + +### New Queries + +- A new query "Case-sensitive middleware path" (`js/case-sensitive-middleware-path`) has been added. + It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path. + ## 0.3.0 ### Breaking Changes 
diff --git a/javascript/ql/src/change-notes/2022-06-27-case-sensitive-middleware.md b/javascript/ql/src/change-notes/released/0.3.1.md similarity index 88% rename from javascript/ql/src/change-notes/2022-06-27-case-sensitive-middleware.md rename to javascript/ql/src/change-notes/released/0.3.1.md index 09895db1e2c..8fe1aaaf4ef 100644 --- a/javascript/ql/src/change-notes/2022-06-27-case-sensitive-middleware.md +++ b/javascript/ql/src/change-notes/released/0.3.1.md @@ -1,6 +1,6 @@ ---- -category: newQuery ---- +## 0.3.1 + +### New Queries - A new query "Case-sensitive middleware path" (`js/case-sensitive-middleware-path`) has been added. It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index 95f6e3a0ba6..bb106b1cb63 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.0 +lastReleaseVersion: 0.3.1 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 5525fe8b54b..9852441a368 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 0.3.1-dev +version: 0.3.2-dev groups: - javascript - queries diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index 83a09c70446..b57f612b336 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.5.2 + ## 0.5.1 ### Deprecated APIs diff --git a/python/ql/lib/change-notes/released/0.5.2.md b/python/ql/lib/change-notes/released/0.5.2.md new file mode 100644 index 00000000000..33ae68a2827 --- /dev/null +++ b/python/ql/lib/change-notes/released/0.5.2.md @@ -0,0 +1 @@ +## 0.5.2 diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index 0bf7024c337..2d9d3f587f8 100644 
--- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.5.1 +lastReleaseVersion: 0.5.2 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index f1a7c716b1e..20d79f44e49 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 0.5.2-dev +version: 0.5.3-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index fae4ab0dc9a..8fdacb47f64 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.4.0 + +### Breaking Changes + +* Contextual queries and the query libraries they depend on have been moved to the `codeql/python-all` package. + ## 0.3.0 ### Breaking Changes diff --git a/python/ql/src/change-notes/2022-07-15-move-contextual-queries.md b/python/ql/src/change-notes/released/0.4.0.md similarity index 78% rename from python/ql/src/change-notes/2022-07-15-move-contextual-queries.md rename to python/ql/src/change-notes/released/0.4.0.md index 25ae1b57b99..c6658b7780f 100644 --- a/python/ql/src/change-notes/2022-07-15-move-contextual-queries.md +++ b/python/ql/src/change-notes/released/0.4.0.md @@ -1,5 +1,5 @@ ---- -category: breaking ---- -* Contextual queries and the query libraries they depend on have been moved to the `codeql/python-all` package. +## 0.4.0 +### Breaking Changes + +* Contextual queries and the query libraries they depend on have been moved to the `codeql/python-all` package. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 95f6e3a0ba6..458bfbeccff 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.0 +lastReleaseVersion: 0.4.0 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 155e57024e8..75227225c64 100644 
--- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 0.3.1-dev +version: 0.4.1-dev groups: - python - queries diff --git a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected index 2ddfe7143d0..3cd40605b96 100644 --- a/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected +++ b/python/ql/test/query-tests/Security/CWE-022-TarSlip/TarSlip.expected @@ -7,8 +7,6 @@ edges | tarslip.py:40:7:40:39 | ControlFlowNode for Attribute() | tarslip.py:41:24:41:26 | ControlFlowNode for tar | | tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | tarslip.py:57:5:57:9 | GSSA Variable entry | | tarslip.py:57:5:57:9 | GSSA Variable entry | tarslip.py:59:21:59:25 | ControlFlowNode for entry | -| tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | tarslip.py:80:5:80:9 | GSSA Variable entry | -| tarslip.py:80:5:80:9 | GSSA Variable entry | tarslip.py:82:21:82:25 | ControlFlowNode for entry | nodes | tarslip.py:12:7:12:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tarslip.py:13:1:13:3 | ControlFlowNode for tar | semmle.label | ControlFlowNode for tar | 
@@ -23,9 +21,6 @@ nodes | tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | | tarslip.py:57:5:57:9 | GSSA Variable entry | semmle.label | GSSA Variable entry | | tarslip.py:59:21:59:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | -| tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | -| tarslip.py:80:5:80:9 | GSSA Variable entry | semmle.label | GSSA Variable entry | -| tarslip.py:82:21:82:25 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry | subpaths #select | tarslip.py:13:1:13:3 | ControlFlowNode for tar | tarslip.py:12:7:12:39 | ControlFlowNode for Attribute() | tarslip.py:13:1:13:3 | ControlFlowNode for tar | Extraction of tarfile from $@ | tarslip.py:12:7:12:39 | ControlFlowNode for Attribute() | a potentially untrusted source | 
@@ -33,4 +28,3 @@ subpaths | tarslip.py:37:17:37:21 | ControlFlowNode for entry | tarslip.py:33:7:33:39 | ControlFlowNode for Attribute() | tarslip.py:37:17:37:21 | ControlFlowNode for entry | Extraction of tarfile from $@ | tarslip.py:33:7:33:39 | ControlFlowNode for Attribute() | a potentially untrusted source | | tarslip.py:41:24:41:26 | ControlFlowNode for tar | tarslip.py:40:7:40:39 | ControlFlowNode for Attribute() | tarslip.py:41:24:41:26 | ControlFlowNode for tar | Extraction of tarfile from $@ | tarslip.py:40:7:40:39 | ControlFlowNode for Attribute() | a potentially untrusted source | | tarslip.py:59:21:59:25 | ControlFlowNode for entry | tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | tarslip.py:59:21:59:25 | ControlFlowNode for entry | Extraction of tarfile from $@ | tarslip.py:56:7:56:39 | ControlFlowNode for Attribute() | a potentially untrusted source | -| tarslip.py:82:21:82:25 | ControlFlowNode for entry | tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | tarslip.py:82:21:82:25 | ControlFlowNode for entry | Extraction of tarfile from $@ | tarslip.py:79:7:79:39 | ControlFlowNode for Attribute() | a potentially untrusted source | diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index fe8a12aa938..09d016efb49 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.3.2 + +### Minor Analysis Improvements + +* Calls to `Arel.sql` are now recognised as propagating taint from their argument. +* Calls to `ActiveRecord::Relation#annotate` are now recognized as `SqlExecution`s so that it will be considered as a sink for queries like rb/sql-injection. + ## 0.3.1 ### Minor Analysis Improvements diff --git a/ruby/ql/lib/change-notes/2022-07-18-sqli-in-activerecord-relation-annotate.md b/ruby/ql/lib/change-notes/2022-07-18-sqli-in-activerecord-relation-annotate.md deleted file mode 100644 index 60ab137f8b2..00000000000 
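Review bot: The removed `#select` row drops the alert at `tarslip.py:82:21:82:25` (together with the matching `edges`/`nodes` rows in the two hunks above), but this diff contains no change to `tarslip.py` or to the TarSlip query that explains why the extraction at line 82 is no longer reported. If that case is still meant to be a true positive, accepting this expected-file update silently records a detection regression; if the source example was deliberately made safe or the query changed in another commit, a pointer to that change in the commit description would make the review of the lost result straightforward. The `.expected` file is tool-generated, so the question concerns the change it reflects, not the rows themselves.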
--- a/ruby/ql/lib/change-notes/2022-07-18-sqli-in-activerecord-relation-annotate.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- - -- Calls to `ActiveRecord::Relation#annotate` are now recognized as`SqlExecution`s so that it will be considered as a sink for queries like rb/sql-injection. \ No newline at end of file diff --git a/ruby/ql/lib/change-notes/2022-07-19-arel.md b/ruby/ql/lib/change-notes/2022-07-19-arel.md deleted file mode 100644 index 3dda3d4b1f6..00000000000 --- a/ruby/ql/lib/change-notes/2022-07-19-arel.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Calls to `Arel.sql` are now recognised as propagating taint from their argument. diff --git a/ruby/ql/lib/change-notes/released/0.3.2.md b/ruby/ql/lib/change-notes/released/0.3.2.md new file mode 100644 index 00000000000..bdb97f6d3ce --- /dev/null +++ b/ruby/ql/lib/change-notes/released/0.3.2.md @@ -0,0 +1,6 @@ +## 0.3.2 + +### Minor Analysis Improvements + +* Calls to `Arel.sql` are now recognised as propagating taint from their argument. +* Calls to `ActiveRecord::Relation#annotate` are now recognized as `SqlExecution`s so that it will be considered as a sink for queries like rb/sql-injection. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index bb106b1cb63..18c64250f42 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.1 +lastReleaseVersion: 0.3.2 diff --git a/ruby/ql/lib/codeql/ruby/printAst.qll b/ruby/ql/lib/codeql/ruby/printAst.qll index 3056e9aa49f..28f5def4969 100644 --- a/ruby/ql/lib/codeql/ruby/printAst.qll +++ b/ruby/ql/lib/codeql/ruby/printAst.qll @@ -9,6 +9,7 @@ private import AST private import codeql.ruby.Regexp as RE private import codeql.ruby.ast.internal.Synthesis +private import ast.internal.AST /** * The query can extend this class to control which nodes are printed. 
@@ -35,6 +36,8 @@ private predicate shouldPrintAstEdge(AstNode parent, string edgeName, AstNode ch any(PrintAstConfiguration config).shouldPrintAstEdge(parent, edgeName, child) } +private int nonSynthIndex() { result = min([-1, any(int i | exists(getSynthChild(_, i)))]) - 1 } + newtype TPrintNode = TPrintRegularAstNode(AstNode n) { shouldPrintNode(n) } or TPrintRegExpNode(RE::RegExpTerm term) { @@ -112,13 +115,22 @@ class PrintRegularAstNode extends PrintAstNode, TPrintRegularAstNode { ) } + private int getSynthAstNodeIndex() { + not astNode.isSynthesized() and result = nonSynthIndex() + or + astNode = getSynthChild(astNode.getParent(), result) + } + override int getOrder() { this = rank[result](PrintRegularAstNode p, Location l, File f | l = p.getLocation() and f = l.getFile() | - p order by f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn() + p + order by + f.getBaseName(), f.getAbsolutePath(), l.getStartLine(), l.getStartColumn(), + l.getEndLine(), l.getEndColumn(), p.getSynthAstNodeIndex() ) } diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 8216fedd9d2..5a763d9c3dd 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 0.3.2-dev +version: 0.3.3-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 9f227fdc843..9aeec45dc3f 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.3.1 + +### New Queries + +* Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow. +* Added a new experimental query, `rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes. + ## 0.3.0 ### Breaking Changes 
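Review bot: `nonSynthIndex()` has no doc comment, and the expression `min([-1, any(int i | exists(getSynthChild(_, i)))]) - 1` takes a moment to decode: it yields an index strictly below every synthesized-child index (and below -1), so non-synthesized nodes sort ahead of synthesized siblings once it is used in `getOrder`. A comment such as `/** Gets an index smaller than any synthesized-child index, so that non-synthesized nodes sort first. */` on the definition would state that intent. The `newtype TPrintNode` context below it is unchanged by this hunk.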
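Review bot: `getSynthAstNodeIndex()` has a result only when `astNode` is not synthesized or when it is a `getSynthChild` of `astNode.getParent()`; if any synthesized node is not reachable through `getSynthChild` it would have no index, and because the predicate now appears in the `order by` of `getOrder`, such a node would fall out of the `rank` and receive no order at all. If every synthesized node is guaranteed to satisfy `astNode = getSynthChild(astNode.getParent(), _)`, a QLDoc line stating that invariant on the predicate would document why the disjunction is total; otherwise a fallback disjunct such as `astNode.isSynthesized() and not astNode = getSynthChild(_, _) and result = nonSynthIndex()` keeps the ordering total. The enclosing class `PrintRegularAstNode` starts above this hunk.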
diff --git a/ruby/ql/src/change-notes/2022-07-21-check-http-verb.md b/ruby/ql/src/change-notes/2022-07-21-check-http-verb.md deleted file mode 100644 index 4a670ba1092..00000000000 --- a/ruby/ql/src/change-notes/2022-07-21-check-http-verb.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow. \ No newline at end of file diff --git a/ruby/ql/src/change-notes/2022-07-21-weak-params.md b/ruby/ql/src/change-notes/2022-07-21-weak-params.md deleted file mode 100644 index 08b8f153989..00000000000 --- a/ruby/ql/src/change-notes/2022-07-21-weak-params.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new experimental query, `rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes. \ No newline at end of file diff --git a/ruby/ql/src/change-notes/released/0.3.1.md b/ruby/ql/src/change-notes/released/0.3.1.md new file mode 100644 index 00000000000..a95409eabd1 --- /dev/null +++ b/ruby/ql/src/change-notes/released/0.3.1.md @@ -0,0 +1,6 @@ +## 0.3.1 + +### New Queries + +* Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow. +* Added a new experimental query, `rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 95f6e3a0ba6..bb106b1cb63 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.3.0 +lastReleaseVersion: 0.3.1 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 6715fc61912..b713a6c49e3 100644 
--- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 0.3.1-dev +version: 0.3.2-dev groups: - ruby - queries diff --git a/ruby/ql/test/library-tests/ast/AstDesugar.expected b/ruby/ql/test/library-tests/ast/AstDesugar.expected index 956893e944f..8be5246ab88 100644 --- a/ruby/ql/test/library-tests/ast/AstDesugar.expected +++ b/ruby/ql/test/library-tests/ast/AstDesugar.expected @@ -86,10 +86,10 @@ calls/calls.rb: # 316| getStmt: [SetterMethodCall] call to foo= # 316| getReceiver: [SelfVariableAccess] self # 316| getArgument: [AssignExpr] ... = ... -# 316| getAnOperand/getRightOperand: [MethodCall] call to [] -# 316| getArgument: [IntegerLiteral] 0 -# 316| getReceiver: [LocalVariableAccess] __synth__0 # 316| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 +# 316| getAnOperand/getRightOperand: [MethodCall] call to [] +# 316| getReceiver: [LocalVariableAccess] __synth__0 +# 316| getArgument: [IntegerLiteral] 0 # 316| getStmt: [LocalVariableAccess] __synth__0__1 # 316| getStmt: [AssignExpr] ... = ... # 316| getAnOperand/getLeftOperand: [MethodCall] call to bar @@ -97,12 +97,12 @@ calls/calls.rb: # 316| getStmt: [SetterMethodCall] call to bar= # 316| getReceiver: [SelfVariableAccess] self # 316| getArgument: [AssignExpr] ... = ... +# 316| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 316| getAnOperand/getRightOperand: [MethodCall] call to [] +# 316| getReceiver: [LocalVariableAccess] __synth__0 # 316| getArgument: [RangeLiteral] _ .. _ # 316| getBegin: [IntegerLiteral] 1 # 316| getEnd: [IntegerLiteral] -2 -# 316| getReceiver: [LocalVariableAccess] __synth__0 -# 316| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 316| getStmt: [LocalVariableAccess] __synth__0__1 # 316| getStmt: [AssignExpr] ... = ... # 316| getAnOperand/getLeftOperand: [ElementReference] ...[...] 
@@ -111,13 +111,14 @@ calls/calls.rb: # 316| getReceiver: [MethodCall] call to foo # 316| getReceiver: [SelfVariableAccess] self # 316| getArgument: [AssignExpr] ... = ... -# 316| getAnOperand/getRightOperand: [MethodCall] call to [] -# 316| getArgument: [IntegerLiteral] -1 -# 316| getReceiver: [LocalVariableAccess] __synth__0 # 316| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 +# 316| getAnOperand/getRightOperand: [MethodCall] call to [] +# 316| getReceiver: [LocalVariableAccess] __synth__0 +# 316| getArgument: [IntegerLiteral] -1 # 316| getArgument: [IntegerLiteral] 4 # 316| getStmt: [LocalVariableAccess] __synth__0__1 # 316| getStmt: [AssignExpr] ... = ... +# 316| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0 # 316| getAnOperand/getRightOperand: [SplatExpr] * ... # 316| getAnOperand/getOperand/getReceiver: [ArrayLiteral] [...] # 316| getDesugared: [MethodCall] call to [] @@ -126,14 +127,13 @@ calls/calls.rb: # 316| getArgument: [IntegerLiteral] 2 # 316| getArgument: [IntegerLiteral] 3 # 316| getArgument: [IntegerLiteral] 4 -# 316| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0 # 317| [AssignExpr] ... = ... # 317| getDesugared: [StmtSequence] ... # 317| getStmt: [AssignExpr] ... = ... # 317| getAnOperand/getLeftOperand: [LocalVariableAccess] a # 317| getAnOperand/getRightOperand: [MethodCall] call to [] -# 317| getArgument: [IntegerLiteral] 0 # 317| getReceiver: [LocalVariableAccess] __synth__0 +# 317| getArgument: [IntegerLiteral] 0 # 317| getStmt: [AssignExpr] ... = ... # 317| getAnOperand/getLeftOperand: [ElementReference] ...[...] # 317| getDesugared: [StmtSequence] ... 
@@ -141,15 +141,16 @@ calls/calls.rb: # 317| getReceiver: [MethodCall] call to foo # 317| getReceiver: [SelfVariableAccess] self # 317| getArgument: [AssignExpr] ... = ... +# 317| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 317| getAnOperand/getRightOperand: [MethodCall] call to [] +# 317| getReceiver: [LocalVariableAccess] __synth__0 # 317| getArgument: [RangeLiteral] _ .. _ # 317| getBegin: [IntegerLiteral] 1 # 317| getEnd: [IntegerLiteral] -1 -# 317| getReceiver: [LocalVariableAccess] __synth__0 -# 317| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 317| getArgument: [IntegerLiteral] 5 # 317| getStmt: [LocalVariableAccess] __synth__0__1 # 317| getStmt: [AssignExpr] ... = ... +# 317| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0 # 317| getAnOperand/getRightOperand: [SplatExpr] * ... # 317| getAnOperand/getOperand/getReceiver: [ArrayLiteral] [...] # 317| getDesugared: [MethodCall] call to [] @@ -157,7 +158,6 @@ calls/calls.rb: # 317| getArgument: [IntegerLiteral] 1 # 317| getArgument: [IntegerLiteral] 2 # 317| getArgument: [IntegerLiteral] 3 -# 317| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0 # 318| [AssignAddExpr] ... += ... # 318| getDesugared: [StmtSequence] ... # 318| getStmt: [AssignExpr] ... = ... @@ -167,11 +167,11 @@ calls/calls.rb: # 318| getReceiver: [LocalVariableAccess] __synth__0 # 318| getArgument: [LocalVariableAccess] __synth__1 # 318| getStmt: [AssignExpr] ... = ... +# 318| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__1 # 318| getAnOperand/getRightOperand: [AddExpr] ... + ... # 318| getAnOperand/getLeftOperand/getReceiver: [MethodCall] call to count # 318| getReceiver: [LocalVariableAccess] __synth__0 # 318| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 1 -# 318| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__1 # 318| getStmt: [LocalVariableAccess] __synth__1 # 319| [AssignAddExpr] ... += ... # 319| getDesugared: [StmtSequence] ... 
@@ -187,12 +187,12 @@ calls/calls.rb: # 319| getAnOperand/getRightOperand: [IntegerLiteral] 0 # 319| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__1 # 319| getStmt: [AssignExpr] ... = ... +# 319| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__2 # 319| getAnOperand/getRightOperand: [AddExpr] ... + ... # 319| getAnOperand/getLeftOperand/getReceiver: [MethodCall] call to [] # 319| getReceiver: [LocalVariableAccess] __synth__0 # 319| getArgument: [LocalVariableAccess] __synth__1 # 319| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 1 -# 319| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__2 # 319| getStmt: [LocalVariableAccess] __synth__2 # 320| [AssignMulExpr] ... *= ... # 320| getDesugared: [StmtSequence] ... @@ -223,6 +223,7 @@ calls/calls.rb: # 320| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 1 # 320| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__3 # 320| getStmt: [AssignExpr] ... = ... +# 320| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__4 # 320| getAnOperand/getRightOperand: [MulExpr] ... * ... # 320| getAnOperand/getLeftOperand/getReceiver: [MethodCall] call to [] # 320| getReceiver: [LocalVariableAccess] __synth__0 @@ -230,7 +231,6 @@ calls/calls.rb: # 320| getArgument: [LocalVariableAccess] __synth__2 # 320| getArgument: [LocalVariableAccess] __synth__3 # 320| getAnOperand/getArgument/getRightOperand: [IntegerLiteral] 2 -# 320| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__4 # 320| getStmt: [LocalVariableAccess] __synth__4 # 340| [ForExpr] for ... in ... # 340| getDesugared: [MethodCall] call to each 
@@ -240,24 +240,24 @@ calls/calls.rb: # 340| getStmt: [AssignExpr] ... = ... # 340| getDesugared: [StmtSequence] ... # 340| getStmt: [AssignExpr] ... = ... +# 340| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 340| getAnOperand/getRightOperand: [SplatExpr] * ... # 340| getAnOperand/getOperand/getReceiver: [LocalVariableAccess] __synth__0__1 -# 340| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 340| getStmt: [AssignExpr] ... = ... # 340| getAnOperand/getLeftOperand: [LocalVariableAccess] x # 340| getAnOperand/getRightOperand: [MethodCall] call to [] -# 340| getArgument: [IntegerLiteral] 0 # 340| getReceiver: [LocalVariableAccess] __synth__0__1 +# 340| getArgument: [IntegerLiteral] 0 # 340| getStmt: [AssignExpr] ... = ... # 340| getAnOperand/getLeftOperand: [LocalVariableAccess] y # 340| getAnOperand/getRightOperand: [MethodCall] call to [] -# 340| getArgument: [IntegerLiteral] 1 # 340| getReceiver: [LocalVariableAccess] __synth__0__1 +# 340| getArgument: [IntegerLiteral] 1 # 340| getStmt: [AssignExpr] ... = ... # 340| getAnOperand/getLeftOperand: [LocalVariableAccess] z # 340| getAnOperand/getRightOperand: [MethodCall] call to [] -# 340| getArgument: [IntegerLiteral] 2 # 340| getReceiver: [LocalVariableAccess] __synth__0__1 +# 340| getArgument: [IntegerLiteral] 2 # 340| getAnOperand/getLeftOperand: [DestructuredLhsExpr] (..., ...) # 341| getStmt: [MethodCall] call to foo # 341| getReceiver: [SelfVariableAccess] self 
@@ -286,9 +286,9 @@ calls/calls.rb: # 362| getReceiver: [SelfVariableAccess] self # 362| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 362| getStmt: [IfExpr] if ... +# 362| getBranch/getThen: [NilLiteral] nil # 362| getBranch/getElse: [MethodCall] call to empty? # 362| getReceiver: [LocalVariableAccess] __synth__0__1 -# 362| getBranch/getThen: [NilLiteral] nil # 362| getCondition: [MethodCall] call to == # 362| getArgument: [LocalVariableAccess] __synth__0__1 # 362| getReceiver: [NilLiteral] nil @@ -299,6 +299,7 @@ calls/calls.rb: # 364| getReceiver: [SelfVariableAccess] self # 364| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 364| getStmt: [IfExpr] if ... +# 364| getBranch/getThen: [NilLiteral] nil # 364| getBranch/getElse: [MethodCall] call to bar # 364| getReceiver: [LocalVariableAccess] __synth__0__1 # 364| getArgument: [IntegerLiteral] 1 @@ -307,7 +308,6 @@ calls/calls.rb: # 364| getParameter: [SimpleParameter] x # 364| getDefiningAccess: [LocalVariableAccess] x # 364| getStmt: [LocalVariableAccess] x -# 364| getBranch/getThen: [NilLiteral] nil # 364| getCondition: [MethodCall] call to == # 364| getArgument: [LocalVariableAccess] __synth__0__1 # 364| getReceiver: [NilLiteral] nil 
@@ -608,19 +608,19 @@ control/loops.rb: # 22| getStmt: [AssignExpr] ... = ... # 22| getDesugared: [StmtSequence] ... # 22| getStmt: [AssignExpr] ... = ... +# 22| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 22| getAnOperand/getRightOperand: [SplatExpr] * ... # 22| getAnOperand/getOperand/getReceiver: [LocalVariableAccess] __synth__0__1 -# 22| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 22| getStmt: [AssignExpr] ... = ... # 22| getAnOperand/getLeftOperand: [LocalVariableAccess] key # 22| getAnOperand/getRightOperand: [MethodCall] call to [] -# 22| getArgument: [IntegerLiteral] 0 # 22| getReceiver: [LocalVariableAccess] __synth__0__1 +# 22| getArgument: [IntegerLiteral] 0 # 22| getStmt: [AssignExpr] ... = ... # 22| getAnOperand/getLeftOperand: [LocalVariableAccess] value # 22| getAnOperand/getRightOperand: [MethodCall] call to [] -# 22| getArgument: [IntegerLiteral] 1 # 22| getReceiver: [LocalVariableAccess] __synth__0__1 +# 22| getArgument: [IntegerLiteral] 1 # 22| getAnOperand/getLeftOperand: [DestructuredLhsExpr] (..., ...) # 23| getStmt: [AssignAddExpr] ... += ... # 23| getDesugared: [AssignExpr] ... = ... 
@@ -653,19 +653,19 @@ control/loops.rb: # 28| getStmt: [AssignExpr] ... = ... # 28| getDesugared: [StmtSequence] ... # 28| getStmt: [AssignExpr] ... = ... +# 28| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 28| getAnOperand/getRightOperand: [SplatExpr] * ... # 28| getAnOperand/getOperand/getReceiver: [LocalVariableAccess] __synth__0__1 -# 28| getAnOperand/getLeftOperand: [LocalVariableAccess] __synth__0__1 # 28| getStmt: [AssignExpr] ... = ... # 28| getAnOperand/getLeftOperand: [LocalVariableAccess] key # 28| getAnOperand/getRightOperand: [MethodCall] call to [] -# 28| getArgument: [IntegerLiteral] 0 # 28| getReceiver: [LocalVariableAccess] __synth__0__1 +# 28| getArgument: [IntegerLiteral] 0 # 28| getStmt: [AssignExpr] ... = ... # 28| getAnOperand/getLeftOperand: [LocalVariableAccess] value # 28| getAnOperand/getRightOperand: [MethodCall] call to [] -# 28| getArgument: [IntegerLiteral] 1 # 28| getReceiver: [LocalVariableAccess] __synth__0__1 +# 28| getArgument: [IntegerLiteral] 1 # 28| getAnOperand/getLeftOperand: [DestructuredLhsExpr] (..., ...) # 29| getStmt: [AssignAddExpr] ... += ... # 29| getDesugared: [AssignExpr] ... = ... diff --git a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll index 2805dff4637..8f7e95b0caa 100644 --- a/swift/ql/lib/codeql/swift/dataflow/Ssa.qll +++ b/swift/ql/lib/codeql/swift/dataflow/Ssa.qll @@ -39,6 +39,11 @@ module Ssa { read2 = bb2.getNode(i2) ) } + + cached + predicate lastRefRedef(BasicBlock bb, int i, Definition next) { + SsaImplCommon::lastRefRedef(this, bb, i, next) + } } cached diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll index e530df2fc20..efe445dcb31 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll 
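Review bot: The new public `lastRefRedef` predicate on the definition class has no QLDoc, which CodeQL library style expects on public predicates, and its meaning is not obvious from the name alone. A doc comment stating that it holds when the reference to `this` at index `i` in basic block `bb` is a last reference before the variable is redefined by `next`, mirroring the wording used for the underlying `SsaImplCommon::lastRefRedef`, would cover it. The enclosing class begins above this hunk, and `SsaImplCommon` is assumed to already be imported in this file, since the hunk does not add it.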
@@ -5,7 +5,6 @@ private import codeql.swift.controlflow.ControlFlowGraph private import codeql.swift.controlflow.CfgNodes private import codeql.swift.dataflow.Ssa private import codeql.swift.controlflow.BasicBlocks -private import codeql.swift.dataflow.internal.SsaImplCommon as SsaImpl private import codeql.swift.dataflow.FlowSummary as FlowSummary private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl @@ -51,7 +50,7 @@ private class SsaDefinitionNodeImpl extends SsaDefinitionNode, NodeImpl { } private predicate localFlowSsaInput(Node nodeFrom, Ssa::Definition def, Ssa::Definition next) { - exists(BasicBlock bb, int i | SsaImpl::lastRefRedef(def, bb, i, next) | + exists(BasicBlock bb, int i | def.lastRefRedef(bb, i, next) | def.definesAt(_, bb, i) and def = nodeFrom.asDefinition() )