Merge branch 'main' into moresensitive2

Geoffrey White
2025-07-14 11:58:08 +01:00
186 changed files with 6792 additions and 2004 deletions


@@ -0,0 +1,4 @@
---
category: fix
---
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.


@@ -72,7 +72,7 @@ string normalizePath(string path) {
then result = path
else
// foo -> GITHUB_WORKSPACE/foo
if path.regexpMatch("^[^/~].*")
if path.regexpMatch("^[^$/~].*")
then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
else
// ~/foo -> ~/foo
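Review bot: The comment above the changed test still reads `// foo -> GITHUB_WORKSPACE/foo` and does not explain why a leading `$` is now excluded, so a reader cannot tell that paths beginning with an expression or environment variable are deliberately kept out of this branch. I would add `// a leading $ (expression or environment variable) is not treated as workspace-relative`. The exclusion also covers `$`-prefixed paths that resolve inside the workspace, such as `$GITHUB_WORKSPACE/foo`. Unless a branch outside this hunk rewrites those, they no longer get the `GITHUB_WORKSPACE/` prefix, and callers that match on that prefix may miss them. normalizePath starts and ends outside the hunk, so the remaining branches are not visible here.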


@@ -262,8 +262,10 @@ class ArtifactPoisoningSink extends DataFlow::Node {
ArtifactPoisoningSink() {
download.getAFollowingStep() = poisonable and
// excluding artifacts downloaded to /tmp
// excluding artifacts downloaded to the temporary directory
not download.getPath().regexpMatch("^/tmp.*") and
not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
(
poisonable.(Run).getScript() = this.asExpr() and
(
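Review bot: The added exclusions on `download.getPath()` are prefix matches with no path-separator boundary, so `"^\\$RUNNER_TEMP.*"` also silences the finding for a differently named variable such as `$RUNNER_TEMP_COPY/...` (constructed example). Each pattern also accepts a path that starts in the temporary directory and then leaves it through `..` segments. Because a match here suppresses an artifact-poisoning alert, I would tighten the new patterns to `"^\\$RUNNER_TEMP(/.*)?"` and `"^\\$\\{\\{\\s*runner\\.temp\\s*}}(/.*)?"`, and not apply the exclusion when the path contains a `..` segment. The characteristic predicate continues past the end of the hunk.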


@@ -0,0 +1,19 @@
on:
workflow_run:
workflows:
- Benchmark
types:
- completed
jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download From PR
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
path: ${{ runner.temp }}/artifacts/
- run: npm install


@@ -0,0 +1,19 @@
on:
workflow_run:
workflows:
- Benchmark
types:
- completed
jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download From PR
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
path: /tmp/artifacts/
- run: npm install


@@ -0,0 +1,19 @@
on:
workflow_run:
workflows:
- Benchmark
types:
- completed
jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download From PR
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
path: $RUNNER_TEMP/artifacts/
- run: npm install
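Review bot: The `path: $RUNNER_TEMP/artifacts/` value in this fixture is passed through `with:`, where, as far as I know, no shell expansion happens; actions/download-artifact documents only tilde expansion for `path`. If that holds, the artifact is written to a workspace-relative directory literally named `$RUNNER_TEMP`. The expected results visible on this page flag only the fixture without a `path`, so this workflow being treated as safe would be a false negative. I would either confirm the expansion behaviour and say so in a comment at the top of the fixture, or limit the `$RUNNER_TEMP` exclusion to downloads performed in `run:` scripts and keep `${{ runner.temp }}` for `with:` inputs.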


@@ -0,0 +1,18 @@
on:
workflow_run:
workflows:
- Benchmark
types:
- completed
jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download From PR
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
- run: npm install


@@ -0,0 +1,19 @@
on:
workflow_run:
workflows:
- Benchmark
types:
- completed
jobs:
benchmark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download From PR
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
path: ${{ runner.temp }}/artifacts/
- run: npm install


@@ -13,6 +13,7 @@ edges
| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config |
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config |
| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | provenance | Config |
| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config |
| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config |
| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config |
@@ -44,6 +45,8 @@ nodes
| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot |
| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | semmle.label | npm install |
| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step |
@@ -66,6 +69,7 @@ subpaths
| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | npm install | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |


@@ -13,6 +13,7 @@ edges
| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance | Config |
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance | Config |
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config |
| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | provenance | Config |
| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config |
| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config |
| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config |
@@ -44,6 +45,8 @@ nodes
| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot |
| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | semmle.label | npm install |
| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
| .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step |


@@ -51,6 +51,16 @@ edges
| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step |
| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step |
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step |
| .github/workflows/artifactpoisoning93.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning93.yml:13:9:19:6 | Uses Step |
| .github/workflows/artifactpoisoning93.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning93.yml:19:9:19:24 | Run Step |
| .github/workflows/artifactpoisoning94.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning94.yml:13:9:19:6 | Uses Step |
| .github/workflows/artifactpoisoning94.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning94.yml:19:9:19:24 | Run Step |
| .github/workflows/artifactpoisoning95.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning95.yml:13:9:19:6 | Uses Step |
| .github/workflows/artifactpoisoning95.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning95.yml:19:9:19:24 | Run Step |
| .github/workflows/artifactpoisoning96.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step |
| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:9:18:24 | Run Step |
| .github/workflows/artifactpoisoning97.yml:12:9:13:6 | Uses Step | .github/workflows/artifactpoisoning97.yml:13:9:19:6 | Uses Step |
| .github/workflows/artifactpoisoning97.yml:13:9:19:6 | Uses Step | .github/workflows/artifactpoisoning97.yml:19:9:19:25 | Run Step |
| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number |
| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step |
| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step |


@@ -0,0 +1,4 @@
---
category: feature
---
* Added a `isFinalValueOfParameter` predicate to DataFlow::Node which holds when a dataflow node represents the final value of an output parameter of a function.


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "pthread_create", "", "", "Argument[@3]", "Argument[2].Parameter[@0]", "value", "manual"]


@@ -0,0 +1,11 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["std", "thread", True, "thread", "", "", "Argument[*@1]", "Argument[0].Parameter[@0]", "value", "manual"]
- ["std", "thread", True, "thread", "", "", "Argument[*@2]", "Argument[0].Parameter[@1]", "value", "manual"]
- ["std", "thread", True, "thread", "", "", "Argument[*@3]", "Argument[0].Parameter[@2]", "value", "manual"]
- ["std", "thread", True, "thread", "", "", "Argument[*@4]", "Argument[0].Parameter[@3]", "value", "manual"]
- ["std", "thread", True, "thread", "", "", "Argument[*@5]", "Argument[0].Parameter[@4]", "value", "manual"]
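Review bot: The five `std::thread` rows stop at `Argument[*@5]`, so a thread constructed with more than five forwarded arguments loses flow for the extra ones without any signal. A comment above the rows such as `# one row per forwarded argument; only the first five are modelled` would make the cap visible. The rows also assume that argument N+1 maps to parameter N of the callable. That would not hold when `Argument[0]` is a pointer to member function and `Argument[1]` is the object; whether that case reaches these summaries cannot be told from the page.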


@@ -57,7 +57,9 @@ class RequiresExpr extends Expr, @requires_expr {
/**
* A C++ requirement in a requires expression.
*/
class RequirementExpr extends Expr { }
class RequirementExpr extends Expr {
RequirementExpr() { this.getParent() instanceof RequiresExpr }
}
/**
* A C++ simple requirement in a requires expression.
@@ -70,7 +72,6 @@ class RequirementExpr extends Expr { }
*/
class SimpleRequirementExpr extends RequirementExpr {
SimpleRequirementExpr() {
this.getParent() instanceof RequiresExpr and
not this instanceof TypeRequirementExpr and
not this instanceof CompoundRequirementExpr and
not this instanceof NestedRequirementExpr
@@ -89,8 +90,6 @@ class SimpleRequirementExpr extends RequirementExpr {
* with `T` a template parameter, then `typename T::a_field;` is a type requirement.
*/
class TypeRequirementExpr extends RequirementExpr, TypeName {
TypeRequirementExpr() { this.getParent() instanceof RequiresExpr }
override string getAPrimaryQlClass() { result = "TypeRequirementExpr" }
}
@@ -140,7 +139,7 @@ class CompoundRequirementExpr extends RequirementExpr, @compound_requirement {
* with `T` a template parameter, then `requires std::is_same<T, int>::value;` is
* a nested requirement.
*/
class NestedRequirementExpr extends Expr, @nested_requirement {
class NestedRequirementExpr extends RequirementExpr, @nested_requirement {
override string toString() { result = "requires ..." }
override string getAPrimaryQlClass() { result = "NestedRequirementExpr" }
@@ -163,7 +162,7 @@ class NestedRequirementExpr extends Expr, @nested_requirement {
* then `C<int, 1>` is a concept id expression that refers to
* the concept `C`.
*/
class ConceptIdExpr extends RequirementExpr, @concept_id {
class ConceptIdExpr extends Expr, @concept_id {
override string toString() {
result = this.getConcept().getName() + "<...>"
or
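Review bot: `ConceptIdExpr` no longer extends `RequirementExpr`, and `RequirementExpr` gains a characteristic predicate, but the QLDoc shown for both classes is unchanged and no change note for this file is visible on the page. Queries that relied on `ConceptIdExpr` being a `RequirementExpr`, or on `RequirementExpr` covering every `Expr`, will change results silently. I would extend the `RequirementExpr` QLDoc with a sentence such as `Holds only for expressions whose parent is a RequiresExpr.` and record the narrowing in a change note. `ConceptIdExpr` continues past the end of the last hunk.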


@@ -1382,16 +1382,89 @@ predicate neverSkipInPathGraph(Node n) {
exists(n.asIndirectDefinition())
}
class LambdaCallKind = Unit;
private newtype TLambdaCallKind =
TFunctionPointer() or
TFunctor()
class LambdaCallKind extends TLambdaCallKind {
predicate isFunctionPointer() { this = TFunctionPointer() }
predicate isFunctor() { this = TFunctor() }
string toString() {
this.isFunctionPointer() and
result = "Function pointer kind"
or
this.isFunctor() and
result = "Functor kind"
}
}
private class ConstructorCallInstruction extends CallInstruction {
Cpp::Class constructedType;
ConstructorCallInstruction() {
this.getStaticCallTarget().(Cpp::Constructor).getDeclaringType() = constructedType
}
Cpp::Class getConstructedType() { result = constructedType }
}
private class OperatorCall extends Cpp::MemberFunction {
OperatorCall() { this.hasName("operator()") }
}
private predicate isFunctorCreationWithoutConstructor(Node creation, OperatorCall operator) {
exists(UninitializedInstruction init, Instruction dest |
// A construction of an object with no constructor. In this case we use
// the `UninitializedInstruction` as the creation node.
init = creation.asInstruction() and
dest = init.getDestinationAddress() and
not any(ConstructorCallInstruction constructorCall).getThisArgument() = dest and
operator.getDeclaringType() = init.getResultType()
)
or
// Workaround for an extractor bug. In this snippet:
// ```
// struct S { };
// void f(S);
// f(S());
// ```
// The expression `S()` is represented as a 0 literal in the database.
exists(ConstantValueInstruction constant |
constant.getValue() = "0" and
creation.asInstruction() = constant and
constant.getResultType() = operator.getDeclaringType()
)
}
private predicate isFunctorCreationWithConstructor(Node creation, OperatorCall operator) {
exists(DataFlowCall constructorCall, IndirectionPosition pos |
// A construction of an object with a constructor. In this case we use
// the post-update node of the qualifier
pos.getArgumentIndex() = -1 and
isArgumentNode(creation.(PostUpdateNode).getPreUpdateNode(), constructorCall, pos) and
operator.getDeclaringType() =
constructorCall.asCallInstruction().(ConstructorCallInstruction).getConstructedType()
)
}
/** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
creation.asInstruction().(FunctionAddressInstruction).getFunctionSymbol() = c.asSourceCallable() and
exists(kind)
kind.isFunctionPointer() and
creation.asInstruction().(FunctionAddressInstruction).getFunctionSymbol() = c.asSourceCallable()
or
kind.isFunctor() and
exists(OperatorCall operator | operator = c.asSourceCallable() |
isFunctorCreationWithoutConstructor(creation, operator)
or
isFunctorCreationWithConstructor(creation, operator)
)
}
/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
kind.isFunctionPointer() and
(
call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode()
or
@@ -1400,8 +1473,15 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
// has a result for `getStaticCallTarget`.
not exists(call.getStaticCallTarget()) and
call.asCallInstruction().getCallTargetOperand() = receiver.asOperand()
) and
exists(kind)
)
or
kind.isFunctor() and
(
call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode()
or
not exists(call.getStaticCallTarget()) and
call.asCallInstruction().getThisArgumentOperand() = receiver.asOperand()
)
}
/** Extra data-flow steps needed for lambda flow analysis. */
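Review bot: The private class `OperatorCall` models a member function named `operator()`, not a call. Neither it nor `ConstructorCallInstruction`, `isFunctorCreationWithoutConstructor` and `isFunctorCreationWithConstructor` has QLDoc. I would rename it to something like `CallOperator` and add `/** A member function named operator(), i.e. a function-call operator. */`. The extractor workaround in `isFunctorCreationWithoutConstructor` treats any constant `0` whose result type declares an `operator()` as a functor creation. One line in that comment stating that the over-approximation is accepted would help whoever revisits it once the extractor is fixed. `lambdaCall` begins in the first hunk and continues into the second.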


@@ -488,6 +488,23 @@ class Node extends TIRDataFlowNode {
result = this.(IndirectParameterNode).getParameter()
}
/**
* Holds if this node represents the `indirectionIndex`'th indirection of
* the value of an output parameter `p` just before reaching the end of a function.
*/
predicate isFinalValueOfParameter(Parameter p, int indirectionIndex) {
exists(FinalParameterNode n | n = this |
p = n.getParameter() and
indirectionIndex = n.getIndirectionIndex()
)
}
/**
* Holds if this node represents the value of an output parameter `p`
* just before reaching the end of a function.
*/
predicate isFinalValueOfParameter(Parameter p) { this.isFinalValueOfParameter(p, _) }
/**
* Gets the variable corresponding to this node, if any. This can be used for
* modeling flow in and out of global variables.
@@ -1225,7 +1242,7 @@ import RawIndirectNodes
/**
* INTERNAL: do not use.
*
* A node representing the value of an update parameter
* A node representing the value of an output parameter
* just before reaching the end of a function.
*/
class FinalParameterNode extends Node, TFinalParameterNode {


@@ -725,6 +725,20 @@ class UninitializedInstruction extends VariableInstruction {
* Gets the variable that is uninitialized.
*/
final Language::Variable getLocalVariable() { result = var.(IRUserVariable).getVariable() }
/**
* Gets the operand that provides the address of the location to which the
* uninitialized value will be stored.
*/
final AddressOperand getDestinationAddressOperand() { result = this.getAnOperand() }
/**
* Gets the instruction whose result provides the address of the location to
* which the value will be stored, if an exact definition is available.
*/
final Instruction getDestinationAddress() {
result = this.getDestinationAddressOperand().getDef()
}
}
/**


@@ -725,6 +725,20 @@ class UninitializedInstruction extends VariableInstruction {
* Gets the variable that is uninitialized.
*/
final Language::Variable getLocalVariable() { result = var.(IRUserVariable).getVariable() }
/**
* Gets the operand that provides the address of the location to which the
* uninitialized value will be stored.
*/
final AddressOperand getDestinationAddressOperand() { result = this.getAnOperand() }
/**
* Gets the instruction whose result provides the address of the location to
* which the value will be stored, if an exact definition is available.
*/
final Instruction getDestinationAddress() {
result = this.getDestinationAddressOperand().getDef()
}
}
/**


@@ -725,6 +725,20 @@ class UninitializedInstruction extends VariableInstruction {
* Gets the variable that is uninitialized.
*/
final Language::Variable getLocalVariable() { result = var.(IRUserVariable).getVariable() }
/**
* Gets the operand that provides the address of the location to which the
* uninitialized value will be stored.
*/
final AddressOperand getDestinationAddressOperand() { result = this.getAnOperand() }
/**
* Gets the instruction whose result provides the address of the location to
* which the value will be stored, if an exact definition is available.
*/
final Instruction getDestinationAddress() {
result = this.getDestinationAddressOperand().getDef()
}
}
/**


@@ -14,6 +14,7 @@
import cpp
import semmle.code.cpp.controlflow.Guards
import semmle.code.cpp.ir.IR
class WideCharPointerType extends PointerType {
WideCharPointerType() { this.getBaseType() instanceof WideCharType }
@@ -108,7 +109,9 @@ where
// Avoid cases where the cast is guarded by a check to determine if
// unicode encoding is enabled in such a way to disallow the dangerous cast
// at runtime.
not isLikelyDynamicallyChecked(e1)
not isLikelyDynamicallyChecked(e1) and
// Avoid cases in unreachable blocks.
any(EnterFunctionInstruction e).getASuccessor+().getAst() = e1
select e1,
"Conversion from " + e1.getType().toString() + " to " + e2.getType().toString() +
". Use of invalid string can lead to undefined behavior."
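Review bot: The added conjunct `any(EnterFunctionInstruction e).getASuccessor+().getAst() = e1` holds only when some reachable instruction has `e1` as its AST node. It therefore also drops results where the IR has no instruction for `e1` at all, not only results in unreachable blocks. For a query that reports conversions leading to undefined behaviour, that is a silent loss of alerts. I would add tests confirming that the cast operand always maps to an instruction, including constant-folded operands and expressions outside function bodies. Moving the condition into a helper predicate, for example `isReachable(Expr e)`, with QLDoc that states the IR-mapping assumption would also make the `where` clause easier to read. The `where` clause begins outside the hunk.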


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added flow models for `pthread_create` and `std::thread`.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `cpp/incorrect-string-type-conversion` query no longer alerts on incorrect type conversions that occur in unreachable code.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Improved support for dataflow through function objects and lambda expressions.


@@ -24,10 +24,9 @@ module AstTest {
module IRTest {
private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private string stars(int k) {
k = [0 .. max(FinalParameterNode n | | n.getIndirectionIndex())] and
k = [0 .. max(DataFlow::Node n, int i | n.isFinalValueOfParameter(_, i) | i)] and
(if k = 0 then result = "" else result = "*" + stars(k - 1))
}
@@ -35,14 +34,14 @@ module IRTest {
string getARelevantTag() { result = "ir-def" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Function f, Parameter p, FinalParameterNode n |
exists(Function f, Parameter p, DataFlow::Node n, int i |
p.isNamed() and
n.getParameter() = p and
n.isFinalValueOfParameter(p, i) and
n.getFunction() = f and
location = f.getLocation() and
element = p.toString() and
tag = "ir-def" and
value = stars(n.getIndirectionIndex()) + p.getName()
value = stars(i) + p.getName()
)
}
}


@@ -21,12 +21,14 @@ models
| 20 | Summary: ; ; false; CreateRemoteThreadEx; ; ; Argument[@4]; Argument[3].Parameter[@0]; value; manual |
| 21 | Summary: ; ; false; CreateThread; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
| 22 | Summary: ; ; false; ReadFileEx; ; ; Argument[*3].Field[@hEvent]; Argument[4].Parameter[*2].Field[@hEvent]; value; manual |
| 23 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
| 24 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
| 25 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
| 26 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
| 23 | Summary: ; ; false; callWithArgument; ; ; Argument[1]; Argument[0].Parameter[0]; value; manual |
| 24 | Summary: ; ; false; pthread_create; ; ; Argument[@3]; Argument[2].Parameter[@0]; value; manual |
| 25 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
| 26 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
| 27 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
| 28 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
edges
| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:26 |
| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:28 |
| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:17 |
| asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:17 Sink:MaD:2 |
| asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -35,10 +37,10 @@ edges
| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance | |
| asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | |
| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:26 |
| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:24 |
| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:23 |
| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:25 |
| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:28 |
| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:26 |
| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:25 |
| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:27 |
| test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance | |
| test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance | |
| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:16 |
@@ -50,19 +52,49 @@ edges
| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | |
| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:1 |
| test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance | |
| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:24 |
| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:26 |
| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | |
| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:1 |
| test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance | |
| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:23 |
| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:25 |
| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | |
| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:1 |
| test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance | |
| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:25 |
| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:27 |
| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance | |
| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:1 |
| test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance | |
| test.cpp:32:41:32:41 | x | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance | |
| test.cpp:46:30:46:32 | *arg [x] | test.cpp:47:12:47:19 | *arg [x] | provenance | |
| test.cpp:47:12:47:19 | *arg [x] | test.cpp:48:13:48:13 | *s [x] | provenance | |
| test.cpp:48:13:48:13 | *s [x] | test.cpp:48:16:48:16 | x | provenance | Sink:MaD:1 |
| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | provenance | MaD:24 |
| test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | test.cpp:46:30:46:32 | *arg [x] | provenance | |
| test.cpp:56:2:56:2 | *s [post update] [x] | test.cpp:59:55:59:64 | *& ... [x] | provenance | |
| test.cpp:56:2:56:18 | ... = ... | test.cpp:56:2:56:2 | *s [post update] [x] | provenance | |
| test.cpp:56:8:56:16 | call to ymlSource | test.cpp:56:2:56:18 | ... = ... | provenance | Src:MaD:16 |
| test.cpp:59:55:59:64 | *& ... [x] | test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | provenance | |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:23 |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:23 |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:23 |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | provenance | MaD:23 |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:68:22:68:22 | y | provenance | |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:74:22:74:22 | y | provenance | |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:82:22:82:22 | y | provenance | |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | test.cpp:88:22:88:22 | y | provenance | |
| test.cpp:68:22:68:22 | y | test.cpp:69:11:69:11 | y | provenance | Sink:MaD:1 |
| test.cpp:74:22:74:22 | y | test.cpp:75:11:75:11 | y | provenance | Sink:MaD:1 |
| test.cpp:82:22:82:22 | y | test.cpp:83:11:83:11 | y | provenance | Sink:MaD:1 |
| test.cpp:88:22:88:22 | y | test.cpp:89:11:89:11 | y | provenance | Sink:MaD:1 |
| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:94:10:94:18 | call to ymlSource | provenance | Src:MaD:16 |
| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:97:26:97:26 | x | provenance | |
| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:101:26:101:26 | x | provenance | |
| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:103:63:103:63 | x | provenance | |
| test.cpp:94:10:94:18 | call to ymlSource | test.cpp:104:62:104:62 | x | provenance | |
| test.cpp:97:26:97:26 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance | |
| test.cpp:101:26:101:26 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance | |
| test.cpp:103:63:103:63 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance | |
| test.cpp:104:62:104:62 | x | test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | provenance | |
| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:18 |
| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3 |
| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance | |
@@ -189,6 +221,38 @@ nodes
| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | semmle.label | call to ymlStepGenerated_with_body |
| test.cpp:32:41:32:41 | x | semmle.label | x |
| test.cpp:33:10:33:11 | z2 | semmle.label | z2 |
| test.cpp:46:30:46:32 | *arg [x] | semmle.label | *arg [x] |
| test.cpp:47:12:47:19 | *arg [x] | semmle.label | *arg [x] |
| test.cpp:48:13:48:13 | *s [x] | semmle.label | *s [x] |
| test.cpp:48:16:48:16 | x | semmle.label | x |
| test.cpp:52:5:52:18 | [summary param] *3 in pthread_create [x] | semmle.label | [summary param] *3 in pthread_create [x] |
| test.cpp:52:5:52:18 | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] | semmle.label | [summary] to write: Argument[2].Parameter[*0] in pthread_create [x] |
| test.cpp:56:2:56:2 | *s [post update] [x] | semmle.label | *s [post update] [x] |
| test.cpp:56:2:56:18 | ... = ... | semmle.label | ... = ... |
| test.cpp:56:8:56:16 | call to ymlSource | semmle.label | call to ymlSource |
| test.cpp:59:55:59:64 | *& ... [x] | semmle.label | *& ... [x] |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | semmle.label | [summary param] 1 in callWithArgument |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | semmle.label | [summary param] 1 in callWithArgument |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | semmle.label | [summary param] 1 in callWithArgument |
| test.cpp:63:6:63:21 | [summary param] 1 in callWithArgument | semmle.label | [summary param] 1 in callWithArgument |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | semmle.label | [summary] to write: Argument[0].Parameter[0] in callWithArgument |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | semmle.label | [summary] to write: Argument[0].Parameter[0] in callWithArgument |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | semmle.label | [summary] to write: Argument[0].Parameter[0] in callWithArgument |
| test.cpp:63:6:63:21 | [summary] to write: Argument[0].Parameter[0] in callWithArgument | semmle.label | [summary] to write: Argument[0].Parameter[0] in callWithArgument |
| test.cpp:68:22:68:22 | y | semmle.label | y |
| test.cpp:69:11:69:11 | y | semmle.label | y |
| test.cpp:74:22:74:22 | y | semmle.label | y |
| test.cpp:75:11:75:11 | y | semmle.label | y |
| test.cpp:82:22:82:22 | y | semmle.label | y |
| test.cpp:83:11:83:11 | y | semmle.label | y |
| test.cpp:88:22:88:22 | y | semmle.label | y |
| test.cpp:89:11:89:11 | y | semmle.label | y |
| test.cpp:94:10:94:18 | call to ymlSource | semmle.label | call to ymlSource |
| test.cpp:94:10:94:18 | call to ymlSource | semmle.label | call to ymlSource |
| test.cpp:97:26:97:26 | x | semmle.label | x |
| test.cpp:101:26:101:26 | x | semmle.label | x |
| test.cpp:103:63:103:63 | x | semmle.label | x |
| test.cpp:104:62:104:62 | x | semmle.label | x |
| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
| windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
| windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |


@@ -16,4 +16,5 @@ extensions:
- ["", "", False, "ymlStepManual", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "ymlStepGenerated", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
- ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
- ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
- ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]


@@ -8,3 +8,8 @@
| test.cpp:29:10:29:11 | y3 | test-sink |
| test.cpp:33:10:33:11 | z2 | test-sink |
| test.cpp:36:10:36:11 | z3 | test-sink |
| test.cpp:48:16:48:16 | x | test-sink |
| test.cpp:69:11:69:11 | y | test-sink |
| test.cpp:75:11:75:11 | y | test-sink |
| test.cpp:83:11:83:11 | y | test-sink |
| test.cpp:89:11:89:11 | y | test-sink |


@@ -1,5 +1,7 @@
| asio_streams.cpp:87:34:87:44 | read_until output argument | remote |
| test.cpp:10:10:10:18 | call to ymlSource | local |
| test.cpp:56:8:56:16 | call to ymlSource | local |
| test.cpp:94:10:94:18 | call to ymlSource | local |
| windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |


@@ -35,3 +35,71 @@ void test() {
int z3 = ymlStepGenerated_with_body(x, 0);
ymlSink(z3); // clean
}
struct S {
int x;
};
using pthread_t = unsigned long;
using pthread_attr_t = void*;
void *myThreadFunction(void *arg) {
S* s = (S *)arg;
ymlSink(s->x); // $ ir
return nullptr;
}
int pthread_create(pthread_t *thread, const pthread_attr_t * attr, void *(*start_routine)(void*), void *arg);
int test_pthread_create() {
S s;
s.x = ymlSource();
pthread_t threadId;
pthread_create(&threadId, nullptr, myThreadFunction, (void *)&s);
}
template<typename F>
void callWithArgument(F f, int x);
struct StructWithOperatorCall_has_constructor {
StructWithOperatorCall_has_constructor();
void operator()(int y) {
ymlSink(y); // $ ir
}
};
struct StructWithOperatorCall_no_constructor {
void operator()(int y) {
ymlSink(y); // $ ir
}
};
struct StructWithOperatorCall_has_constructor_2 {
StructWithOperatorCall_has_constructor_2();
void operator()(int y) {
ymlSink(y); // $ ir
}
};
struct StructWithOperatorCall_no_constructor_2 {
void operator()(int y) {
ymlSink(y); // $ ir
}
};
void test_callWithArgument() {
int x = ymlSource();
{
StructWithOperatorCall_has_constructor func;
callWithArgument(func, x);
}
{
StructWithOperatorCall_no_constructor func;
callWithArgument(func, x);
}
callWithArgument(StructWithOperatorCall_has_constructor_2(), x);
callWithArgument(StructWithOperatorCall_no_constructor_2(), x);
}
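Review bot: `test_pthread_create` is declared to return `int`, but its body ends after the `pthread_create(...)` call with no `return`, which is undefined behaviour in C++ if the function is ever executed; declare it `void test_pthread_create()` or end it with `return 0;`. The added cases also cover only the positive side: every `ymlSink` reached through `myThreadFunction` and the four `operator()` bodies is fed from `ymlSource()`, so a summary that over-propagates through `Argument[0].Parameter[0]` would not be caught here. An untainted call such as `callWithArgument(CleanFunctor(), 0);` into a separate functor type (`CleanFunctor` is a constructed name) whose sink is marked `// clean`, as the existing `ymlSink(z3); // clean` line is, would pin the negative case. Lambdas and plain function pointers are not exercised as the callable either, which may be worth a follow-up case.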


@@ -7767,6 +7767,34 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| taint.cpp:830:20:830:34 | call to indirect_source | taint.cpp:832:23:832:24 | in | |
| taint.cpp:831:15:831:17 | out | taint.cpp:832:18:832:20 | out | |
| taint.cpp:831:15:831:17 | out | taint.cpp:833:8:833:10 | out | |
| thread.cpp:10:27:10:27 | s | thread.cpp:10:27:10:27 | s | |
| thread.cpp:10:27:10:27 | s | thread.cpp:11:8:11:8 | s | |
| thread.cpp:14:26:14:26 | s | thread.cpp:15:8:15:8 | s | |
| thread.cpp:18:27:18:27 | s | thread.cpp:18:27:18:27 | s | |
| thread.cpp:18:27:18:27 | s | thread.cpp:19:8:19:8 | s | |
| thread.cpp:18:34:18:34 | y | thread.cpp:20:8:20:8 | y | |
| thread.cpp:24:5:24:5 | s | thread.cpp:25:3:25:3 | s | |
| thread.cpp:24:5:24:5 | s | thread.cpp:26:38:26:38 | s | |
| thread.cpp:24:5:24:5 | s | thread.cpp:27:37:27:37 | s | |
| thread.cpp:24:5:24:5 | s | thread.cpp:28:38:28:38 | s | |
| thread.cpp:24:5:24:5 | s | thread.cpp:32:7:32:7 | s | |
| thread.cpp:25:3:25:3 | s [post update] | thread.cpp:26:38:26:38 | s | |
| thread.cpp:25:3:25:3 | s [post update] | thread.cpp:27:37:27:37 | s | |
| thread.cpp:25:3:25:3 | s [post update] | thread.cpp:28:38:28:38 | s | |
| thread.cpp:25:3:25:3 | s [post update] | thread.cpp:32:7:32:7 | s | |
| thread.cpp:25:3:25:16 | ... = ... | thread.cpp:25:5:25:5 | x [post update] | |
| thread.cpp:25:9:25:14 | call to source | thread.cpp:25:3:25:16 | ... = ... | |
| thread.cpp:26:18:26:39 | call to thread | thread.cpp:33:1:33:1 | t1 | |
| thread.cpp:26:38:26:38 | s | thread.cpp:26:37:26:38 | & ... | |
| thread.cpp:27:18:27:38 | call to thread | thread.cpp:33:1:33:1 | t2 | |
| thread.cpp:27:37:27:37 | ref arg s | thread.cpp:28:38:28:38 | s | |
| thread.cpp:27:37:27:37 | ref arg s | thread.cpp:32:7:32:7 | s | |
| thread.cpp:28:18:28:43 | call to thread | thread.cpp:33:1:33:1 | t3 | |
| thread.cpp:28:38:28:38 | s | thread.cpp:28:37:28:38 | & ... | |
| thread.cpp:30:18:32:8 | call to thread | thread.cpp:33:1:33:1 | t4 | |
| thread.cpp:30:24:30:24 | p | thread.cpp:30:24:30:24 | p | |
| thread.cpp:30:24:30:24 | p | thread.cpp:31:10:31:10 | p | |
| thread.cpp:32:7:32:7 | s | thread.cpp:32:6:32:7 | & ... | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | |
| vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v | |


@@ -681,4 +681,17 @@ namespace std {
// the model for `format`.
template <typename... Args>
int same_signature_as_format_but_different_name(format_string, Args &&...args);
}
namespace std {
class thread {
public:
template<class F, class... Args>
explicit thread(F&&, Args&&...);
~thread();
void join();
void detach();
};
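Review bot: The new `std::thread` stub carries no comment saying what it leaves out, while the declaration just above it in this hunk is commented. The real class is move-only, whereas this stub keeps the implicit copy operations next to an unconstrained `thread(F&&, Args&&...)`, so a test that copied a thread object would presumably resolve differently from real library code. A one-line comment such as `// Minimal std::thread stub: constructor, join and detach only; copy/move semantics are not modelled.` would make that limit explicit. The enclosing `namespace std` of the context lines starts outside the hunk.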
}


@@ -17670,6 +17670,446 @@ signatureMatches
| taint.cpp:822:6:822:19 | take_const_ptr | (unsigned long *,const char *) | | set_cert_ex | 1 |
| taint.cpp:822:6:822:19 | take_const_ptr | (unsigned long *,const char *) | | set_name_ex | 1 |
| taint.cpp:822:6:822:19 | take_const_ptr | (uv_pipe_t *,const char *) | | uv_pipe_bind | 1 |
| thread.cpp:4:6:4:9 | sink | (int) | | ASN1_STRING_type_new | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | ASN1_tag2bit | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | ASN1_tag2str | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | EVP_PKEY_asn1_get0 | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | Jim_ReturnCode | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | Jim_SignalId | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | OBJ_nid2ln | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | OBJ_nid2obj | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | OBJ_nid2sn | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | OSSL_STORE_INFO_type_string | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | OSSL_trace_get_category_name | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | PKCS12_init | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | Symbol_Nth | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | X509_PURPOSE_get0 | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | X509_PURPOSE_get_by_id | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | X509_TRUST_get0 | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | X509_TRUST_get_by_id | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | X509_VERIFY_PARAM_get0 | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __btowc | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __current_locale_name | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __fdopendir | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __get_errlist | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __get_errname | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __math_invalid_i | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __math_invalidf_i | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __p_class | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __p_rcode | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __p_type | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __pkey_get | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __sigdescr_np | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | __strerrordesc_np | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | _tolower | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | _toupper | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | btowc | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | c_tolower | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | c_toupper | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | curlx_sitouz | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | evp_pkey_type2name | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | inet6_option_space | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isalnum | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isalpha | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isblank | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | iscntrl | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isdigit | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isgraph | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | islower | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isprint | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | ispunct | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isspace | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isupper | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | isxdigit | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | ossl_cmp_bodytype_to_string | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | ossl_tolower | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | ossl_toupper | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | sigabbrev_np | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | sqlite3_compileoption_get | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | sqlite3_errstr | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | strerrorname_np | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | support_report_failure | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | svcudp_create | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | tls13_alert_code | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | toascii | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | tolower | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | toupper | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | uabs | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | uv__accept | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | uv_err_name | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | uv_get_osfhandle | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | uv_strerror | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | uv_translate_sys_error | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | | zError | 0 |
| thread.cpp:4:6:4:9 | sink | (int) | __pthread_cleanup_class | __setdoit | 0 |
| thread.cpp:18:6:18:22 | thread_function_3 | (ASN1_STRING *,int) | | ASN1_STRING_length_set | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (ASYNC_WAIT_CTX *,int) | | ASYNC_WAIT_CTX_set_status | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | BN_clear_bit | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | BN_mask_bits | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | BN_set_bit | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | BN_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | bn_expand2 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | bn_wexpand | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIGNUM *,int) | | ossl_bn_mask_bits_fixed_top | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | BIO_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | BIO_find_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | BIO_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | BIO_set_init | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | BIO_set_retry_reason | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | BIO_set_shutdown | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (BIO *,int) | | TXT_DB_read | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (CMS_SignerInfo *,int) | | CMS_signed_delete_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (CMS_SignerInfo *,int) | | CMS_unsigned_delete_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (CURL *,int) | | curl_easy_pause | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (Curl_easy *,int) | | Curl_conn_get_socket | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (DH *,int) | | DH_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (DH *,int) | | DH_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (DH_METHOD *,int) | | DH_meth_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (DSA *,int) | | DSA_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (DSA *,int) | | DSA_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (DSA_METHOD *,int) | | DSA_meth_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EC_GROUP *,int) | | EC_GROUP_set_asn1_flag | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EC_GROUP *,int) | | EC_GROUP_set_curve_name | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EC_KEY *,int) | | EC_KEY_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EC_KEY *,int) | | EC_KEY_set_asn1_flag | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EC_KEY *,int) | | EC_KEY_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (ENGINE *,int) | | ENGINE_cmd_is_executable | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (ENGINE *,int) | | ENGINE_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_CIPHER *,int) | | EVP_CIPHER_meth_set_impl_ctx_size | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_CIPHER *,int) | | EVP_CIPHER_meth_set_iv_length | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_CIPHER_CTX *,int) | | EVP_CIPHER_CTX_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_CIPHER_CTX *,int) | | EVP_CIPHER_CTX_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_CIPHER_CTX *,int) | | EVP_CIPHER_CTX_set_key_length | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_CIPHER_CTX *,int) | | EVP_CIPHER_CTX_set_num | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_KEYMGMT *,int) | | evp_keymgmt_util_query_operation_name | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_MD *,int) | | EVP_MD_meth_set_app_datasize | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_MD *,int) | | EVP_MD_meth_set_input_blocksize | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_MD *,int) | | EVP_MD_meth_set_result_size | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_MD_CTX *,int) | | EVP_MD_CTX_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_MD_CTX *,int) | | EVP_MD_CTX_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY *,int) | | EVP_PKEY_delete_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY *,int) | | EVP_PKEY_save_parameters | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY *,int) | | EVP_PKEY_set_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_get_keygen_info | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_dh_kdf_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_dh_nid | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_dh_paramgen_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_dh_rfc5114 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_dhx_rfc5114 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_ec_param_enc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_ec_paramgen_curve_nid | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_ecdh_kdf_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_hkdf_mode | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_rsa_padding | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (EVP_PKEY_CTX *,int) | | EVP_PKEY_CTX_set_rsa_pss_saltlen | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FFC_PARAMS *,int) | | ossl_ffc_params_set_gindex | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FFC_PARAMS *,int) | | ossl_ffc_params_set_h | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FFC_PARAMS *,int) | | ossl_ffc_params_set_pcounter | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_default_pbackfail | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_fwide | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_init | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_init_internal | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_new_file_attach | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_new_file_overflow | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_old_init | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_sputbackc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_str_overflow | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | _IO_str_pbackfail | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | __printf_buffer_as_file_overflow | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FILE *,int) | | __wprintf_buffer_as_file_overflow | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (FTS *,int) | | fts_children | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_CHANNEL *,int) | | _libssh2_channel_extended_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_CHANNEL *,int) | | _libssh2_channel_flush | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_CHANNEL *,int) | | libssh2_channel_flush_ex | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_CHANNEL *,int) | | libssh2_channel_handle_extended_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_CHANNEL *,int) | | libssh2_channel_handle_extended_data2 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_CHANNEL *,int) | | libssh2_channel_set_blocking | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_SESSION *,int) | | _libssh2_session_set_blocking | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_SESSION *,int) | | libssh2_hostkey_hash | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_SESSION *,int) | | libssh2_session_methods | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_SESSION *,int) | | libssh2_session_set_blocking | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LIBSSH2_SESSION *,int) | | libssh2_session_startup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (LPCOLESTR,int) | CComBSTR | Append | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_BASICRESP *,int) | | OCSP_BASICRESP_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_BASICRESP *,int) | | OCSP_BASICRESP_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_BASICRESP *,int) | | OCSP_resp_get0 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_ONEREQ *,int) | | OCSP_ONEREQ_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_ONEREQ *,int) | | OCSP_ONEREQ_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_REQUEST *,int) | | OCSP_REQUEST_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_REQUEST *,int) | | OCSP_REQUEST_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_REQUEST *,int) | | OCSP_request_onereq_get0 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_SINGLERESP *,int) | | OCSP_SINGLERESP_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OCSP_SINGLERESP *,int) | | OCSP_SINGLERESP_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OPENSSL_STACK *,int) | | OPENSSL_sk_delete | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OPENSSL_STACK *,int) | | OPENSSL_sk_reserve | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OPENSSL_sk_compfunc,int) | | OPENSSL_sk_new_reserve | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_ACKM *,int) | | ossl_ackm_get_ack_deadline | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_ACKM *,int) | | ossl_ackm_get_ack_frame | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_ACKM *,int) | | ossl_ackm_get_largest_acked | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_ACKM *,int) | | ossl_ackm_on_pkt_space_discarded | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_CTX *,int) | | OSSL_CMP_CTX_set_serverPort | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_CTX *,int) | | ossl_cmp_ctx_set_failInfoCode | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_CTX *,int) | | ossl_cmp_ctx_set_status | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_CTX *,int) | | ossl_cmp_msg_create | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_CTX *,int) | | ossl_cmp_pollReq_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_MSG *,int) | | ossl_cmp_msg_set_bodytype | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_PKIHEADER *,int) | | ossl_cmp_hdr_set_pvno | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_REVREPCONTENT *,int) | | ossl_cmp_revrepcontent_get_CertId | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_REVREPCONTENT *,int) | | ossl_cmp_revrepcontent_get_pkisi | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_SRV_CTX *,int) | | OSSL_CMP_SRV_CTX_set_accept_raverified | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_SRV_CTX *,int) | | OSSL_CMP_SRV_CTX_set_accept_unprotected | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_SRV_CTX *,int) | | OSSL_CMP_SRV_CTX_set_grant_implicit_confirm | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CMP_SRV_CTX *,int) | | OSSL_CMP_SRV_CTX_set_send_unprotected_errors | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_CRMF_PKIPUBLICATIONINFO *,int) | | OSSL_CRMF_MSG_set_PKIPublicationInfo_action | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_DECODER_CTX *,int) | | OSSL_DECODER_CTX_set_selection | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_ENCODER_CTX *,int) | | OSSL_ENCODER_CTX_set_selection | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_LIB_CTX *,int) | | OSSL_LIB_CTX_get_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_LIB_CTX *,int) | | OSSL_LIB_CTX_set_conf_diagnostics | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_LIB_CTX *,int) | | ossl_ctx_global_properties | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_LIB_CTX *,int) | | ossl_dh_new_by_nid_ex | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_LIB_CTX *,int) | | ossl_lib_ctx_get_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_LIB_CTX *,int) | | ossl_mac_key_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_PARAM *,int) | | OSSL_PARAM_set_int | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_QRX *,int) | | ossl_qrx_get_bytes_received | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_RECORD_LAYER *,int) | | tls_set_first_handshake | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_RECORD_LAYER *,int) | | tls_set_plain_alerts | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (OSSL_STORE_CTX *,int) | | OSSL_STORE_expect | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (PKCS7 *,int) | | PKCS7_set_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_CHANNEL *,int) | | ossl_quic_channel_new_stream_local | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_ENGINE *,int) | | ossl_quic_engine_set_inhibit_tick | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_PORT *,int) | | ossl_quic_port_set_allow_incoming | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_RCIDM *,int) | | ossl_quic_rcidm_get_preferred_tx_dcid_changed | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_RSTREAM *,int) | | ossl_quic_rstream_set_cleanse | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_RXFC *,int) | | ossl_quic_rxfc_get_error | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_RXFC *,int) | | ossl_quic_rxfc_has_cwm_changed | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_SSTREAM *,int) | | ossl_quic_sstream_set_cleanse | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_STREAM_MAP *,int) | | ossl_quic_stream_map_get_accept_queue_len | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (QUIC_TXFC *,int) | | ossl_quic_txfc_has_become_blocked | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA *,int) | | RSA_clear_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA *,int) | | RSA_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA_METHOD *,int) | | RSA_meth_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA_PSS_PARAMS_30 *,int) | | ossl_rsa_pss_params_30_set_hashalg | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA_PSS_PARAMS_30 *,int) | | ossl_rsa_pss_params_30_set_maskgenhashalg | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA_PSS_PARAMS_30 *,int) | | ossl_rsa_pss_params_30_set_saltlen | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (RSA_PSS_PARAMS_30 *,int) | | ossl_rsa_pss_params_30_set_trailerfield | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_key_update | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_post_handshake_auth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_purpose | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_quic_tls_early_data_enabled | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_quiet_shutdown | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_read_ahead | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_security_level | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_shutdown | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_trust | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL *,int) | | SSL_set_verify_depth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CONNECTION *,int) | | dtls1_read_failed | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CONNECTION *,int) | | ossl_statem_send_fatal | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CONNECTION *,int) | | ossl_statem_set_in_init | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CONNECTION *,int) | | tls1_shared_group | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_post_handshake_auth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_purpose | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_quiet_shutdown | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_security_level | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_srp_strength | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_trust | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | SSL_CTX_set_verify_depth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_CTX *,int) | | ssl_md | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (SSL_SESSION *,int) | | SSL_SESSION_set_protocol_version | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_REQ *,int) | | TS_REQ_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_REQ *,int) | | TS_REQ_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_RESP_CTX *,int) | | TS_RESP_CTX_add_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_STATUS_INFO *,int) | | TS_STATUS_INFO_set_status | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_TST_INFO *,int) | | TS_TST_INFO_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_TST_INFO *,int) | | TS_TST_INFO_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_VERIFY_CTX *,int) | | TS_VERIFY_CTX_add_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (TS_VERIFY_CTX *,int) | | TS_VERIFY_CTX_set_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (WPACKET *,int) | | ossl_DER_w_begin_sequence | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509 *,int) | | X509_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509 *,int) | | X509_self_signed | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_ACERT *,int) | | X509_ACERT_delete_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_ATTRIBUTE *,int) | | X509_ATTRIBUTE_get0_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_CRL *,int) | | X509_CRL_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_NAME *,int) | | X509_NAME_delete_entry | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_REQ *,int) | | X509_REQ_delete_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_REVOKED *,int) | | X509_REVOKED_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE *,int) | | X509_STORE_set_depth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE *,int) | | X509_STORE_set_purpose | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE *,int) | | X509_STORE_set_trust | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE_CTX *,int) | | X509_STORE_CTX_set_depth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE_CTX *,int) | | X509_STORE_CTX_set_error | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE_CTX *,int) | | X509_STORE_CTX_set_error_depth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE_CTX *,int) | | X509_STORE_CTX_set_purpose | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_STORE_CTX *,int) | | X509_STORE_CTX_set_trust | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_VERIFY_PARAM *,int) | | X509_VERIFY_PARAM_get0_host | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_VERIFY_PARAM *,int) | | X509_VERIFY_PARAM_set_auth_level | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_VERIFY_PARAM *,int) | | X509_VERIFY_PARAM_set_depth | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_VERIFY_PARAM *,int) | | X509_VERIFY_PARAM_set_purpose | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (X509_VERIFY_PARAM *,int) | | X509_VERIFY_PARAM_set_trust | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (_Float128,int) | | __ldexpf128 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (_Float128,int) | | __scalbnf128 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (__sigset_t *,int) | | __sigaddset_compat | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (__sigset_t *,int) | | __sigdelset_compat | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (acttab *,int) | | acttab_insert | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (addrinfo *,int) | | support_format_addrinfo | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (aiocb_union *,int) | | __aio_enqueue_request | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (argp_fmtstream_t,int) | | __argp_fmtstream_putc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (char **,int) | | addrsort | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (char *,int) | | Curl_str2addr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (char *,int) | | PEM_proc_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (char,int) | CStringT | CStringT | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (connectdata *,int) | | Curl_conn_is_ssl | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const ASN1_BIT_STRING *,int) | | ASN1_BIT_STRING_get_bit | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const BIGNUM *,int) | | BN_get_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const BIGNUM *,int) | | BN_is_bit_set | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const BIO *,int) | | BIO_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const BIO *,int) | | BIO_test_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const CMS_SignerInfo *,int) | | CMS_signed_get_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const CMS_SignerInfo *,int) | | CMS_unsigned_get_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const CRYPTO_EX_DATA *,int) | | CRYPTO_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const DH *,int) | | DH_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const DH *,int) | | DH_test_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const DH *,int) | | ossl_dh_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const DSA *,int) | | DSA_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const DSA *,int) | | DSA_test_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const DSA *,int) | | ossl_dsa_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const ECX_KEY *,int) | | ossl_ecx_key_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const EC_KEY *,int) | | EC_KEY_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const EC_KEY *,int) | | ossl_ec_key_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const ENGINE *,int) | | ENGINE_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const EVP_CIPHER_CTX *,int) | | EVP_CIPHER_CTX_test_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const EVP_MD_CTX *,int) | | EVP_MD_CTX_test_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const EVP_PKEY *,int) | | EVP_PKEY_get_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const EVP_PKEY *,int) | | EVP_PKEY_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const ML_DSA_KEY *,int) | | ossl_ml_dsa_key_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const ML_KEM_KEY *,int) | | ossl_ml_kem_key_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const OPENSSL_STACK *,int) | | OPENSSL_sk_value | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const OSSL_CMP_CERTREPMESSAGE *,int) | | ossl_cmp_certrepmessage_get0_certresponse | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const OSSL_CMP_CTX *,int) | | OSSL_CMP_CTX_get0_newPkey | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const OSSL_CMP_CTX *,int) | | OSSL_CMP_CTX_get_option | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const OSSL_CMP_PKISI *,int) | | ossl_cmp_pkisi_check_pkifailureinfo | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const OSSL_CMP_POLLREPCONTENT *,int) | | ossl_cmp_pollrepcontent_get0_pollrep | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const QUIC_CHANNEL *,int) | | ossl_quic_channel_get_local_stream_count_avail | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const QUIC_CHANNEL *,int) | | ossl_quic_channel_get_remote_stream_count_avail | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const RSA *,int) | | RSA_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const RSA *,int) | | RSA_test_flags | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const RSA *,int) | | ossl_rsa_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const SLH_DSA_KEY *,int) | | ossl_slh_dsa_key_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const SSL *,int) | | SSL_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const SSL_CTX *,int) | | SSL_CTX_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const SSL_SESSION *,int) | | SSL_SESSION_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const SSL_SESSION *,int) | | ssl_session_dup | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const UI *,int) | | UI_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const UI_METHOD *,int) | | UI_method_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509 *,int) | | X509_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509 *,int) | | X509_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_ACERT *,int) | | X509_ACERT_get_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_CRL *,int) | | X509_CRL_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_NAME *,int) | | X509_NAME_get_entry | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_POLICY_LEVEL *,int) | | X509_policy_level_get0_node | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_POLICY_TREE *,int) | | X509_policy_tree_get0_level | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_REQ *,int) | | X509_REQ_get_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_REVOKED *,int) | | X509_REVOKED_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_STORE *,int) | | X509_STORE_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const X509_STORE_CTX *,int) | | X509_STORE_CTX_get_ex_data | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const XCHAR *,int) | CStringT | CStringT | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const YCHAR *,int) | CStringT | CStringT | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | DH_meth_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | DSA_meth_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | Jim_StrDupLen | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | NETSCAPE_SPKI_b64_decode | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | RSA_meth_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | ftok | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | gethostbyname2 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | parse_yesno | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const char *,int) | | res_gethostbyname2 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const stack_st_X509_ATTRIBUTE *,int) | | X509at_get_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const stack_st_X509_EXTENSION *,int) | | X509v3_get_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const unsigned char *,int) | | Jim_GenHashFunction | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const unsigned char *,int) | | OPENSSL_uni2asc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const unsigned char *,int) | | OPENSSL_uni2utf8 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (const void *,int) | | inet6_rth_getaddr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (double,int) | | __ldexp | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (double,int) | | __scalbn | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (double[],int) | | getloadavg | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (dynhds *,int) | | Curl_dynhds_set_opts | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (fexcept_t *,int) | | fegetexceptflag | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (float,int) | | __ldexpf | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (float,int) | | __scalbnf | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (gzFile,int) | | gzflush | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (gzFile,int) | | gzputc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int *,int) | | X509_PURPOSE_set | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int *,int) | | X509_TRUST_set | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int *,int) | | __lll_unlock_elision | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | BN_security_bits | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | EVP_MD_meth_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | EVP_PKEY_meth_new | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | __isctype | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | acttab_alloc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | div | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (int,int) | | inet6_rth_space | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (long double,int) | | __ldexpl | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (netlink_handle *,int) | | __netlink_request | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_no_auto_ping_ack | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_no_auto_window_update | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_no_closed_streams | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_no_http_messaging | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_no_recv_client_magic | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (nghttp2_option *,int) | | nghttp2_option_set_server_fallback_rfc7540_priorities | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (ns_msg,int) | | ns_msg_getflag | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (obstack *,int) | | _obstack_newchunk | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (posix_spawnattr_t *,int) | | posix_spawnattr_setcgroup_np | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (posix_spawnattr_t *,int) | | posix_spawnattr_setschedpolicy | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_attr_t *,int) | | __pthread_attr_setschedpolicy | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_barrierattr_t *,int) | | __pthread_barrierattr_setpshared | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_mutexattr_t *,int) | | ___pthread_mutexattr_settype | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_mutexattr_t *,int) | | __pthread_mutexattr_setprioceiling | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_mutexattr_t *,int) | | __pthread_mutexattr_setprotocol | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_rwlockattr_t *,int) | | __pthread_rwlockattr_setkind_np | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (pthread_rwlockattr_t *,int) | | __pthread_rwlockattr_setpshared | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (rule *,int) | | Configlist_add | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (rule *,int) | | Configlist_addbasis | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sigset_t *,int) | | sigaddset | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sigset_t *,int) | | sigdelset | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3 *,int) | | sqlite3_busy_timeout | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3 *,int) | | sqlite3_db_name | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3 *,int) | | sqlite3_wal_autocheckpoint | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_backup *,int) | | sqlite3_backup_step | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_context *,int) | | sqlite3_aggregate_context | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_context *,int) | | sqlite3_result_error_code | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_index_info *,int) | | sqlite3_vtab_collation | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_bind_parameter_name | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_blob | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_bytes | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_bytes16 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_decltype | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_decltype16 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_double | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_int | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_int64 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_name | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_name16 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_text | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_text16 | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_type | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_column_value | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (sqlite3_stmt *,int) | | sqlite3_stmt_explain | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (stack_st_PKCS7 *,int) | | PKCS12_add_safes | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (stack_st_SSL_COMP *,int) | | ssl3_comp_find | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (stack_st_X509_ATTRIBUTE *,int) | | X509at_delete_attr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (stack_st_X509_EXTENSION *,int) | | X509v3_delete_ext | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (timespec *,int) | | __timespec_get | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (timespec *,int) | | __timespec_getres | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (uint16_t,int) | | tls1_group_id2nid | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (unsigned char *,int) | | RAND_bytes | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (unsigned char *,int) | | RAND_priv_bytes | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (unsigned char *,int) | | ossl_ipaddr_to_asc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (unsigned short,int) | | dtls1_get_queue_priority | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (uv_env_item_t *,int) | | uv_os_free_environ | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (void *,int) | | DSO_dsobyaddr | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (void *,int) | | sqlite3_realloc | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (void *const *,int) | | __backtrace_symbols | 1 |
| thread.cpp:18:6:18:22 | thread_function_3 | (wchar_t,int) | CStringT | CStringT | 1 |
| vector.cpp:13:6:13:9 | sink | (int) | | ASN1_STRING_type_new | 0 |
| vector.cpp:13:6:13:9 | sink | (int) | | ASN1_tag2bit | 0 |
| vector.cpp:13:6:13:9 | sink | (int) | | ASN1_tag2str | 0 |
@@ -46491,6 +46931,16 @@ getParameterTypeName
| stl.h:678:33:678:38 | format | 1 | func:0 && |
| stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 0 | format_string |
| stl.h:683:6:683:48 | same_signature_as_format_but_different_name | 1 | func:0 && |
| stl.h:687:8:687:8 | operator= | 0 | const thread & |
| stl.h:687:8:687:8 | thread | 0 | const thread & |
| stl.h:690:12:690:17 | thread | 0 | func:0 && |
| stl.h:690:12:690:17 | thread | 0 | func:0 && |
| stl.h:690:12:690:17 | thread | 0 | func:0 && |
| stl.h:690:12:690:17 | thread | 0 | func:0 && |
| stl.h:690:12:690:17 | thread | 1 | func:1 && |
| stl.h:690:12:690:17 | thread | 1 | func:1 && |
| stl.h:690:12:690:17 | thread | 1 | func:1 && |
| stl.h:690:12:690:17 | thread | 1 | func:1 && |
| string.cpp:17:6:17:9 | sink | 0 | const char * |
| string.cpp:18:6:18:9 | sink | 0 | const string & |
| string.cpp:19:6:19:9 | sink | 0 | const char * |
@@ -46741,6 +47191,18 @@ getParameterTypeName
| taint.cpp:817:6:817:27 | write_to_const_ptr_ptr | 1 | const char ** |
| taint.cpp:822:6:822:19 | take_const_ptr | 0 | const char * |
| taint.cpp:822:6:822:19 | take_const_ptr | 1 | const char * |
| thread.cpp:4:6:4:9 | sink | 0 | int |
| thread.cpp:6:8:6:8 | operator= | 0 | S && |
| thread.cpp:6:8:6:8 | operator= | 0 | const S & |
| thread.cpp:10:6:10:22 | thread_function_1 | 0 | S * |
| thread.cpp:14:6:14:22 | thread_function_2 | 0 | S |
| thread.cpp:18:6:18:22 | thread_function_3 | 0 | S * |
| thread.cpp:18:6:18:22 | thread_function_3 | 1 | int |
| thread.cpp:30:18:30:18 | (unnamed constructor) | 0 | const lambda [] type at line 762, col. 18 & |
| thread.cpp:30:18:30:18 | (unnamed constructor) | 0 | lambda [] type at line 762, col. 18 && |
| thread.cpp:30:18:30:18 | operator= | 0 | const lambda [] type at line 762, col. 18 & |
| thread.cpp:30:20:30:20 | _FUN | 0 | S * |
| thread.cpp:30:20:30:20 | operator() | 0 | S * |
| vector.cpp:13:6:13:9 | sink | 0 | int |
| vector.cpp:14:27:14:30 | sink | 0 | vector> & |
| vector.cpp:14:27:14:30 | sink | 0 | vector> & |


@@ -0,0 +1,33 @@
#include "stl.h"
int source();
void sink(int);
struct S {
int x;
};
void thread_function_1(S* s) {
sink(s->x); // $ ir
}
void thread_function_2(S s) {
sink(s.x); // $ ir
}
void thread_function_3(S* s, int y) {
sink(s->x); // $ ir
sink(y); // clean
}
void test_thread() {
S s;
s.x = source();
std::thread t1(thread_function_1, &s);
std::thread t2(thread_function_2, s);
std::thread t3(thread_function_3, &s, 42);
std::thread t4([](S* p) {
sink(p->x); // $ ir
}, &s);
}
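Review bot: Every `std::thread` in `test_thread` is constructed with the tainted `s`, and the only untainted argument is the literal `42` in `t3`, so nothing checks that a tainted value in a later constructor argument reaches the matching callee parameter while an earlier, clean argument stays clean. A further case would pin that down: a function taking `(S* s, int y)` where `sink(y)` is expected tainted and `sink(s->x)` is expected clean, started with `std::thread t5(thread_function_4, &clean_s, source());`. The names `thread_function_4` and `clean_s` are made up for this example, and the exact annotations should be confirmed by running the test.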


@@ -18,13 +18,13 @@ void Test()
wchar_t *lpWchar = NULL;
LPCSTR lpcstr = "b";
lpWchar = (LPWSTR)"a"; // BUG
lpWchar = (LPWSTR)lpcstr; // BUG
lpWchar = (LPWSTR)"a"; // $ Alert
lpWchar = (LPWSTR)lpcstr; // $ Alert
lpWchar = (wchar_t*)lpChar; // BUG
lpWchar = (wchar_t*)lpChar; // $ Alert
fconstWChar((LPCWSTR)lpChar); // BUG
fWChar((LPWSTR)lpChar); // BUG
fconstWChar((LPCWSTR)lpChar); // $ Alert
fWChar((LPWSTR)lpChar); // $ Alert
lpChar = (LPSTR)"a"; // Valid
lpWchar = (LPWSTR)L"a"; // Valid
@@ -79,33 +79,64 @@ void CheckedConversionFalsePositiveTest3(unsigned short flags, LPTSTR buffer)
if(flags & UNICODE)
lpWchar = (LPWSTR)buffer; // GOOD
else
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
if((flags & UNICODE) == 0x8)
lpWchar = (LPWSTR)buffer; // GOOD
else
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
if((flags & UNICODE) != 0x8)
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
else
lpWchar = (LPWSTR)buffer; // GOOD
// Bad operator precedence
if(flags & UNICODE == 0x8)
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
else
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
if((flags & UNICODE) != 0)
lpWchar = (LPWSTR)buffer; // GOOD
else
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
if((flags & UNICODE) == 0)
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
else
lpWchar = (LPWSTR)buffer; // GOOD
lpWchar = (LPWSTR)buffer; // BUG
lpWchar = (LPWSTR)buffer; // $ Alert
}
typedef unsigned long long size_t;
size_t wcslen(const wchar_t *str);
size_t strlen(const char* str);
template<typename C>
size_t str_len(const C *str) {
if (sizeof(C) != 1) {
return wcslen((const wchar_t *)str); // GOOD -- unreachable code
}
return strlen((const char *)str);
}
template<typename C>
size_t wrong_str_len(const C *str) {
if (sizeof(C) == 1) {
return wcslen((const wchar_t *)str); // $ Alert
}
return strlen((const char *)str);
}
void test_str_len(const wchar_t *wstr, const char *str) {
size_t len =
str_len(wstr) +
str_len(str) +
wrong_str_len(wstr) +
wrong_str_len(str);
}
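Review bot: The comment `// GOOD -- unreachable code` in `str_len` holds only for the `char` instantiation; with `C = wchar_t` the branch is reachable and the cast is a `const wchar_t *` to `const wchar_t *` no-op, so nothing should be reported there either. A wording such as `// GOOD: reached only when C is not a 1-byte type` would describe both instantiations. In `wrong_str_len`, the wide instantiation falls through to `strlen((const char *)str)`, which reads a wide string as bytes; the added expected-results row covers only the `const char *` to `const wchar_t *` cast, so this direction is presumably out of scope for the CWE-704 query. A short comment on that line saying no alert is expected would make the intent explicit.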


@@ -11,3 +11,4 @@
| WcharCharConversion.cpp:103:21:103:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:106:21:106:26 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:110:20:110:25 | buffer | Conversion from LPTSTR to LPWSTR. Use of invalid string can lead to undefined behavior. |
| WcharCharConversion.cpp:130:34:130:36 | str | Conversion from const char * to const wchar_t *. Use of invalid string can lead to undefined behavior. |


@@ -1 +1,2 @@
Security/CWE/CWE-704/WcharCharConversion.ql
query: Security/CWE/CWE-704/WcharCharConversion.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql


@@ -10,7 +10,7 @@ toolchain go1.24.0
// bazel mod tidy
require (
golang.org/x/mod v0.26.0
golang.org/x/tools v0.34.0
golang.org/x/tools v0.35.0
)
require golang.org/x/sync v0.15.0 // indirect
require golang.org/x/sync v0.16.0 // indirect


@@ -2,7 +2,7 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added models for the `Head` function and the `Client.Head` method, from the `net/http` package, to the `Http::ClientRequest` class. This means that they will be recognized as sinks for the query `go/request-forgery` and the experimental query `go/ssrf`.


@@ -179,12 +179,11 @@ module NetHttp {
private class RequestCall extends Http::ClientRequest::Range, DataFlow::CallNode {
RequestCall() {
exists(string functionName |
(
this.getTarget().hasQualifiedName("net/http", functionName)
or
this.getTarget().(Method).hasQualifiedName("net/http", "Client", functionName)
) and
(functionName = "Get" or functionName = "Post" or functionName = "PostForm")
this.getTarget().hasQualifiedName("net/http", functionName)
or
this.getTarget().(Method).hasQualifiedName("net/http", "Client", functionName)
|
functionName = ["Get", "Head", "Post", "PostForm"]
)
}


@@ -1,12 +1,18 @@
#select
| RequestForgery.go:11:15:11:66 | call to Get | RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | The $@ of this request depends on a $@. | RequestForgery.go:11:24:11:65 | ...+... | URL | RequestForgery.go:8:12:8:34 | call to FormValue | user-provided value |
| tst.go:14:2:14:18 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | The $@ of this request depends on a $@. | tst.go:14:11:14:17 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:16:2:16:19 | call to Head | tst.go:10:13:10:35 | call to FormValue | tst.go:16:12:16:18 | tainted | The $@ of this request depends on a $@. | tst.go:16:12:16:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:18:2:18:38 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | The $@ of this request depends on a $@. | tst.go:18:12:18:18 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:22:2:22:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | The $@ of this request depends on a $@. | tst.go:21:34:21:40 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:25:2:25:14 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | The $@ of this request depends on a $@. | tst.go:24:66:24:72 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:27:2:27:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | The $@ of this request depends on a $@. | tst.go:27:11:27:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:29:2:29:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | The $@ of this request depends on a $@. | tst.go:29:11:29:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:37:2:37:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:37:11:37:20 | call to String | The $@ of this request depends on a $@. | tst.go:37:11:37:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:20:2:20:28 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:20:16:20:22 | tainted | The $@ of this request depends on a $@. | tst.go:20:16:20:22 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:24:2:24:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:23:35:23:41 | tainted | The $@ of this request depends on a $@. | tst.go:23:35:23:41 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:27:2:27:15 | call to Do | tst.go:10:13:10:35 | call to FormValue | tst.go:26:68:26:74 | tainted | The $@ of this request depends on a $@. | tst.go:26:68:26:74 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:29:2:29:20 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:29:13:29:19 | tainted | The $@ of this request depends on a $@. | tst.go:29:13:29:19 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:30:2:30:21 | call to Head | tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | The $@ of this request depends on a $@. | tst.go:30:14:30:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:31:2:31:40 | call to Post | tst.go:10:13:10:35 | call to FormValue | tst.go:31:14:31:20 | tainted | The $@ of this request depends on a $@. | tst.go:31:14:31:20 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:32:2:32:30 | call to PostForm | tst.go:10:13:10:35 | call to FormValue | tst.go:32:18:32:24 | tainted | The $@ of this request depends on a $@. | tst.go:32:18:32:24 | tainted | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:34:2:34:30 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:34:11:34:29 | ...+... | The $@ of this request depends on a $@. | tst.go:34:11:34:29 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:36:2:36:41 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:40 | ...+... | The $@ of this request depends on a $@. | tst.go:36:11:36:40 | ...+... | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| tst.go:44:2:44:21 | call to Get | tst.go:10:13:10:35 | call to FormValue | tst.go:44:11:44:20 | call to String | The $@ of this request depends on a $@. | tst.go:44:11:44:20 | call to String | URL | tst.go:10:13:10:35 | call to FormValue | user-provided value |
| websocket.go:65:12:65:53 | call to Dial | websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:65:27:65:40 | untrustedInput | WebSocket URL | websocket.go:60:21:60:31 | call to Referer | user-provided value |
| websocket.go:79:13:79:40 | call to DialConfig | websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:78:36:78:49 | untrustedInput | WebSocket URL | websocket.go:74:21:74:31 | call to Referer | user-provided value |
| websocket.go:91:3:91:50 | call to Dial | websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:91:31:91:44 | untrustedInput | WebSocket URL | websocket.go:88:21:88:31 | call to Referer | user-provided value |
@@ -14,27 +20,33 @@
| websocket.go:129:3:129:62 | call to DialContext | websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:129:38:129:51 | untrustedInput | WebSocket URL | websocket.go:126:21:126:31 | call to Referer | user-provided value |
| websocket.go:155:3:155:45 | call to Dial | websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:155:31:155:44 | untrustedInput | WebSocket URL | websocket.go:154:21:154:31 | call to Referer | user-provided value |
| websocket.go:162:3:162:45 | call to Dial | websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:162:31:162:44 | untrustedInput | WebSocket URL | websocket.go:160:21:160:31 | call to Referer | user-provided value |
| websocket.go:197:3:197:32 | call to BuildProxy | websocket.go:195:21:195:31 | call to Referer | websocket.go:197:18:197:31 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:197:18:197:31 | untrustedInput | WebSocket URL | websocket.go:195:21:195:31 | call to Referer | user-provided value |
| websocket.go:204:3:204:25 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:11:204:24 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:11:204:24 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value |
| websocket.go:197:7:197:36 | call to BuildProxy | websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:197:22:197:35 | untrustedInput | WebSocket URL | websocket.go:195:21:195:31 | call to Referer | user-provided value |
| websocket.go:204:7:204:29 | call to New | websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | The $@ of this request depends on a $@. | websocket.go:204:15:204:28 | untrustedInput | WebSocket URL | websocket.go:202:21:202:31 | call to Referer | user-provided value |
edges
| RequestForgery.go:8:12:8:34 | call to FormValue | RequestForgery.go:11:24:11:65 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:14:11:14:17 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:16:12:16:18 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:18:12:18:18 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:21:34:21:40 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:24:66:24:72 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:27:11:27:29 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:29:11:29:40 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:17 | tainted | provenance | Src:MaD:1 |
| tst.go:35:2:35:2 | definition of u [pointer] | tst.go:36:2:36:2 | u [pointer] | provenance | |
| tst.go:36:2:36:2 | implicit dereference | tst.go:35:2:35:2 | definition of u [pointer] | provenance | |
| tst.go:36:2:36:2 | implicit dereference | tst.go:36:2:36:2 | u | provenance | |
| tst.go:36:2:36:2 | implicit dereference | tst.go:37:11:37:11 | u | provenance | |
| tst.go:36:2:36:2 | u | tst.go:36:2:36:2 | implicit dereference | provenance | |
| tst.go:36:2:36:2 | u | tst.go:37:11:37:11 | u | provenance | |
| tst.go:36:2:36:2 | u [pointer] | tst.go:36:2:36:2 | implicit dereference | provenance | |
| tst.go:36:11:36:17 | tainted | tst.go:36:2:36:2 | u | provenance | Config |
| tst.go:36:11:36:17 | tainted | tst.go:37:11:37:11 | u | provenance | Config |
| tst.go:37:11:37:11 | u | tst.go:37:11:37:20 | call to String | provenance | MaD:3 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:20:16:20:22 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:23:35:23:41 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:26:68:26:74 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:29:13:29:19 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:30:14:30:20 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:31:14:31:20 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:32:18:32:24 | tainted | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:34:11:34:29 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:36:11:36:40 | ...+... | provenance | Src:MaD:1 |
| tst.go:10:13:10:35 | call to FormValue | tst.go:43:11:43:17 | tainted | provenance | Src:MaD:1 |
| tst.go:42:2:42:2 | definition of u [pointer] | tst.go:43:2:43:2 | u [pointer] | provenance | |
| tst.go:43:2:43:2 | implicit dereference | tst.go:42:2:42:2 | definition of u [pointer] | provenance | |
| tst.go:43:2:43:2 | implicit dereference | tst.go:43:2:43:2 | u | provenance | |
| tst.go:43:2:43:2 | implicit dereference | tst.go:44:11:44:11 | u | provenance | |
| tst.go:43:2:43:2 | u | tst.go:43:2:43:2 | implicit dereference | provenance | |
| tst.go:43:2:43:2 | u | tst.go:44:11:44:11 | u | provenance | |
| tst.go:43:2:43:2 | u [pointer] | tst.go:43:2:43:2 | implicit dereference | provenance | |
| tst.go:43:11:43:17 | tainted | tst.go:43:2:43:2 | u | provenance | Config |
| tst.go:43:11:43:17 | tainted | tst.go:44:11:44:11 | u | provenance | Config |
| tst.go:44:11:44:11 | u | tst.go:44:11:44:20 | call to String | provenance | MaD:3 |
| websocket.go:60:21:60:31 | call to Referer | websocket.go:65:27:65:40 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:74:21:74:31 | call to Referer | websocket.go:78:36:78:49 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:88:21:88:31 | call to Referer | websocket.go:91:31:91:44 | untrustedInput | provenance | Src:MaD:2 |
@@ -42,8 +54,8 @@ edges
| websocket.go:126:21:126:31 | call to Referer | websocket.go:129:38:129:51 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:154:21:154:31 | call to Referer | websocket.go:155:31:155:44 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:160:21:160:31 | call to Referer | websocket.go:162:31:162:44 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:18:197:31 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:11:204:24 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:195:21:195:31 | call to Referer | websocket.go:197:22:197:35 | untrustedInput | provenance | Src:MaD:2 |
| websocket.go:202:21:202:31 | call to Referer | websocket.go:204:15:204:28 | untrustedInput | provenance | Src:MaD:2 |
models
| 1 | Source: net/http; Request; true; FormValue; ; ; ReturnValue; remote; manual |
| 2 | Source: net/http; Request; true; Referer; ; ; ReturnValue; remote; manual |
@@ -53,18 +65,24 @@ nodes
| RequestForgery.go:11:24:11:65 | ...+... | semmle.label | ...+... |
| tst.go:10:13:10:35 | call to FormValue | semmle.label | call to FormValue |
| tst.go:14:11:14:17 | tainted | semmle.label | tainted |
| tst.go:16:12:16:18 | tainted | semmle.label | tainted |
| tst.go:18:12:18:18 | tainted | semmle.label | tainted |
| tst.go:21:34:21:40 | tainted | semmle.label | tainted |
| tst.go:24:66:24:72 | tainted | semmle.label | tainted |
| tst.go:27:11:27:29 | ...+... | semmle.label | ...+... |
| tst.go:29:11:29:40 | ...+... | semmle.label | ...+... |
| tst.go:35:2:35:2 | definition of u [pointer] | semmle.label | definition of u [pointer] |
| tst.go:36:2:36:2 | implicit dereference | semmle.label | implicit dereference |
| tst.go:36:2:36:2 | u | semmle.label | u |
| tst.go:36:2:36:2 | u [pointer] | semmle.label | u [pointer] |
| tst.go:36:11:36:17 | tainted | semmle.label | tainted |
| tst.go:37:11:37:11 | u | semmle.label | u |
| tst.go:37:11:37:20 | call to String | semmle.label | call to String |
| tst.go:20:16:20:22 | tainted | semmle.label | tainted |
| tst.go:23:35:23:41 | tainted | semmle.label | tainted |
| tst.go:26:68:26:74 | tainted | semmle.label | tainted |
| tst.go:29:13:29:19 | tainted | semmle.label | tainted |
| tst.go:30:14:30:20 | tainted | semmle.label | tainted |
| tst.go:31:14:31:20 | tainted | semmle.label | tainted |
| tst.go:32:18:32:24 | tainted | semmle.label | tainted |
| tst.go:34:11:34:29 | ...+... | semmle.label | ...+... |
| tst.go:36:11:36:40 | ...+... | semmle.label | ...+... |
| tst.go:42:2:42:2 | definition of u [pointer] | semmle.label | definition of u [pointer] |
| tst.go:43:2:43:2 | implicit dereference | semmle.label | implicit dereference |
| tst.go:43:2:43:2 | u | semmle.label | u |
| tst.go:43:2:43:2 | u [pointer] | semmle.label | u [pointer] |
| tst.go:43:11:43:17 | tainted | semmle.label | tainted |
| tst.go:44:11:44:11 | u | semmle.label | u |
| tst.go:44:11:44:20 | call to String | semmle.label | call to String |
| websocket.go:60:21:60:31 | call to Referer | semmle.label | call to Referer |
| websocket.go:65:27:65:40 | untrustedInput | semmle.label | untrustedInput |
| websocket.go:74:21:74:31 | call to Referer | semmle.label | call to Referer |
@@ -80,7 +98,7 @@ nodes
| websocket.go:160:21:160:31 | call to Referer | semmle.label | call to Referer |
| websocket.go:162:31:162:44 | untrustedInput | semmle.label | untrustedInput |
| websocket.go:195:21:195:31 | call to Referer | semmle.label | call to Referer |
| websocket.go:197:18:197:31 | untrustedInput | semmle.label | untrustedInput |
| websocket.go:197:22:197:35 | untrustedInput | semmle.label | untrustedInput |
| websocket.go:202:21:202:31 | call to Referer | semmle.label | call to Referer |
| websocket.go:204:11:204:24 | untrustedInput | semmle.label | untrustedInput |
| websocket.go:204:15:204:28 | untrustedInput | semmle.label | untrustedInput |
subpaths


@@ -5,10 +5,10 @@ import (
)
func handler(w http.ResponseWriter, req *http.Request) {
target := req.FormValue("target")
target := req.FormValue("target") // $ Source
// BAD: `target` is controlled by the attacker
resp, err := http.Get("https://" + target + ".example.com/data/")
resp, err := http.Get("https://" + target + ".example.com/data/") // $ Alert
if err != nil {
// error handling
}


@@ -1,2 +1,4 @@
query: Security/CWE-918/RequestForgery.ql
postprocess: utils/test/PrettyPrintModels.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -7,26 +7,33 @@ import (
)
func handler2(w http.ResponseWriter, req *http.Request) {
tainted := req.FormValue("target")
tainted := req.FormValue("target") // $ Source
http.Get("example.com") // OK
http.Get(tainted) // Not OK
http.Get(tainted) // $ Alert
http.Head(tainted) // OK
http.Head(tainted) // $ Alert
http.Post(tainted, "text/basic", nil) // Not OK
http.Post(tainted, "text/basic", nil) // $ Alert
http.PostForm(tainted, nil) // $ Alert
client := &http.Client{}
rq, _ := http.NewRequest("GET", tainted, nil)
client.Do(rq) // Not OK
rq1, _ := http.NewRequest("GET", tainted, nil) // $ Sink
client.Do(rq1) // $ Alert
rq, _ = http.NewRequestWithContext(context.Background(), "GET", tainted, nil)
client.Do(rq) // Not OK
rq2, _ := http.NewRequestWithContext(context.Background(), "GET", tainted, nil) // $ Sink
client.Do(rq2) // $ Alert
http.Get("http://" + tainted) // Not OK
client.Get(tainted) // $ Alert
client.Head(tainted) // $ Alert
client.Post(tainted, "text/basic", nil) // $ Alert
client.PostForm(tainted, nil) // $ Alert
http.Get("http://example.com" + tainted) // Not OK
http.Get("http://" + tainted) // $ Alert
http.Get("http://example.com" + tainted) // $ Alert
http.Get("http://example.com/" + tainted) // OK
@@ -34,7 +41,7 @@ func handler2(w http.ResponseWriter, req *http.Request) {
u, _ := url.Parse("http://example.com/relative-path")
u.Host = tainted
http.Get(u.String()) // Not OK
http.Get(u.String()) // $ Alert
}
func main() {


@@ -57,12 +57,12 @@ func test() {
// x net websocket dial bad
http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
origin := "http://localhost/"
// bad as input is directly passed to dial function
ws, _ := websocket.Dial(untrustedInput, "", origin)
ws, _ := websocket.Dial(untrustedInput, "", origin) // $ Alert
var msg = make([]byte, 512)
var n int
n, _ = ws.Read(msg)
@@ -71,12 +71,12 @@ func test() {
// x net websocket dialConfig bad
http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
origin := "http://localhost/"
// bad as input is directly used
config, _ := websocket.NewConfig(untrustedInput, origin) // good
ws2, _ := websocket.DialConfig(config)
config, _ := websocket.NewConfig(untrustedInput, origin) // $ Sink
ws2, _ := websocket.DialConfig(config) // $ Alert
var msg = make([]byte, 512)
var n int
n, _ = ws2.Read(msg)
@@ -85,10 +85,10 @@ func test() {
// nhooyr websocket dial bad
http.HandleFunc("/ex4", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
// bad as input is used directly
nhooyr.Dial(context.TODO(), untrustedInput, nil)
nhooyr.Dial(context.TODO(), untrustedInput, nil) // $ Alert
w.WriteHeader(500)
})
@@ -104,10 +104,10 @@ func test() {
// gorilla websocket Dialer.Dial bad
http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
dialer := gorilla.Dialer{}
dialer.Dial(untrustedInput, r.Header)
dialer.Dial(untrustedInput, r.Header) // $ Alert
})
// gorilla websocket Dialer.Dial good
@@ -123,10 +123,10 @@ func test() {
// gorilla websocket Dialer.DialContext bad
http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
dialer := gorilla.Dialer{}
dialer.DialContext(context.TODO(), untrustedInput, r.Header)
dialer.DialContext(context.TODO(), untrustedInput, r.Header) // $ Alert
})
// gorilla websocket Dialer.DialContext good
@@ -151,22 +151,22 @@ func test() {
// gobwas websocket Dial bad
http.HandleFunc("/ex11", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
gobwas.Dial(context.TODO(), untrustedInput)
untrustedInput := r.Referer() // $ Source
gobwas.Dial(context.TODO(), untrustedInput) // $ Alert
})
// gobwas websocket Dialer.Dial bad
http.HandleFunc("/ex12", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
dialer := gobwas.Dialer{}
dialer.Dial(context.TODO(), untrustedInput)
dialer.Dial(context.TODO(), untrustedInput) // $ Alert
})
// gobwas websocket Dialer.Dial good
http.HandleFunc("/ex12", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
if "localhost" == untrustedInput {
if untrustedInput == "localhost" {
dialer := gobwas.Dialer{}
dialer.Dial(context.TODO(), untrustedInput)
}
@@ -176,8 +176,8 @@ func test() {
http.HandleFunc("/ex13", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
if "localhost" == untrustedInput {
sac.New(untrustedInput)
if untrustedInput == "localhost" {
_ = sac.New(untrustedInput)
}
})
@@ -185,23 +185,23 @@ func test() {
http.HandleFunc("/ex14", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
if "localhost" == untrustedInput {
sac.BuildProxy(untrustedInput)
if untrustedInput == "localhost" {
_ = sac.BuildProxy(untrustedInput)
}
})
// sac007 websocket BuildProxy bad
http.HandleFunc("/ex15", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
sac.BuildProxy(untrustedInput)
_ = sac.BuildProxy(untrustedInput) // $ Alert
})
// sac007 websocket New bad
http.HandleFunc("/ex16", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
untrustedInput := r.Referer() // $ Source
sac.New(untrustedInput)
_ = sac.New(untrustedInput) // $ Alert
})
log.Println(http.ListenAndServe(":80", nil))
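Review bot: The pattern `/ex12` is registered twice: once for the gobwas `Dialer.Dial` bad case, and again for the good case whose condition this commit rewrites to `untrustedInput == "localhost"`. `http.HandleFunc` panics on a duplicate pattern, so `test()` could not run as written. That may not matter for a file that is only analysed, but a distinct pattern such as `http.HandleFunc("/ex12-good", func(w http.ResponseWriter, r *http.Request) {` keeps the two cases distinguishable. Both registrations are context lines, and `test()` starts outside the hunks.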


@@ -35,10 +35,10 @@ def parse_dbscheme(filename):
unions[name] = typs
# tables
for relname, body in re.findall('\n([\w_]+)(\([^)]*\))',
for relname, body in re.findall(r'\n([\w_]+)(\([^)]*\))',
dbscheme,
flags=re.DOTALL):
columns = list(re.findall('(\S+)\s*:\s*([^\s,]+)(?:\s+(ref)|)', body))
columns = list(re.findall(r'(\S+)\s*:\s*([^\s,]+)(?:\s+(ref)|)', body))
tables[relname] = columns
parse_dbscheme(dbscheme)
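Review bot: With the patterns now raw strings, two leftovers in the first `re.findall` stand out: `[\w_]` repeats the underscore that `\w` already matches, and `flags=re.DOTALL` has no effect because the pattern contains no `.`. The call could be `re.findall(r'\n(\w+)(\([^)]*\))', dbscheme)` and match the same text. The enclosing `parse_dbscheme` starts outside the hunk.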


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The qualifiers of a calls to `readObject` on any classes that implement `java.io.ObjectInput` are now recognised as sinks for `java/unsafe-deserialization`. Previously this was only the case for classes which extend `java.io.ObjectInputStream`.


@@ -211,6 +211,11 @@ class TypeObjectOutputStream extends RefType {
TypeObjectOutputStream() { this.hasQualifiedName("java.io", "ObjectOutputStream") }
}
/** The type `java.io.ObjectInput`. */
class TypeObjectInput extends RefType {
TypeObjectInput() { this.hasQualifiedName("java.io", "ObjectInput") }
}
/** The type `java.io.ObjectInputStream`. */
class TypeObjectInputStream extends RefType {
TypeObjectInputStream() { this.hasQualifiedName("java.io", "ObjectInputStream") }


@@ -23,10 +23,17 @@ private import semmle.code.java.frameworks.google.Gson
private import semmle.code.java.frameworks.apache.Lang
private import semmle.code.java.Reflection
private class ObjectInputStreamReadObjectMethod extends Method {
ObjectInputStreamReadObjectMethod() {
private class ObjectInputReadObjectMethod extends Method {
ObjectInputReadObjectMethod() {
this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInput and
this.hasName("readObject")
}
}
private class ObjectInputStreamReadUnsharedMethod extends Method {
ObjectInputStreamReadUnsharedMethod() {
this.getDeclaringType().getASourceSupertype*() instanceof TypeObjectInputStream and
(this.hasName("readObject") or this.hasName("readUnshared"))
this.hasName("readUnshared")
}
}
@@ -147,12 +154,13 @@ private module SafeKryoFlow = DataFlow::Global<SafeKryoConfig>;
*/
predicate unsafeDeserialization(MethodCall ma, Expr sink) {
exists(Method m | m = ma.getMethod() |
m instanceof ObjectInputStreamReadObjectMethod and
m instanceof ObjectInputReadObjectMethod and
sink = ma.getQualifier() and
not exists(DataFlow::ExprNode node |
node.getExpr() = sink and
node.getTypeBound() instanceof SafeObjectInputStreamType
)
not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
or
m instanceof ObjectInputStreamReadUnsharedMethod and
sink = ma.getQualifier() and
not DataFlow::exprNode(sink).getTypeBound() instanceof SafeObjectInputStreamType
or
m instanceof XmlDecoderReadObjectMethod and
sink = ma.getQualifier()
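Review bot: In `unsafeDeserialization`, the new `readObject` and `readUnshared` disjuncts repeat the same `sink = ma.getQualifier()` and `SafeObjectInputStreamType` conjuncts; grouping the method test as `(m instanceof ObjectInputReadObjectMethod or m instanceof ObjectInputStreamReadUnsharedMethod) and` lets them share one copy. The two private method classes also have no QLDoc; ``/** A `readObject` method declared on a type that implements `java.io.ObjectInput`. */`` would record why the first class is wider than the stream-only `readUnshared` class. Judging by its name, `SafeObjectInputStreamType` (defined outside the hunk) covers only stream subclasses, so a custom `ObjectInput` that filters classes itself will presumably be reported now and may deserve a mention in the change note. The predicate continues past the end of the hunk.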


@@ -47,6 +47,18 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
node instanceof SimpleTypeSanitizer or
node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |
regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()
|
result = sink.getLocation()
or
result = regexp.getLocation()
)
}
}
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
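Review bot: `getASelectedSinkLocation` carries no comment saying why it returns the regular-expression term's location in addition to the sink's. As far as I understand diff-informed mode, the override has to list every sink-side location the query's `select` clause reports, otherwise results can be filtered out. A comment such as `// The alert also refers to the backtracking regexp term, so its location is selected as well.` would tie the predicate to the `.ql` file, which is not part of this hunk and should be checked against it. The config module starts outside the hunk.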


@@ -1,6 +1,9 @@
package unsafedeserialization;
import java.io.*;
import java.net.Socket;
import java.beans.XMLDecoder;
import com.example.MyObjectInput;
import com.thoughtworks.xstream.XStream;
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
@@ -10,13 +13,23 @@ import org.yaml.snakeyaml.Yaml;
import org.nibblesec.tools.SerialKiller;
public class A {
public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
public Object deserialize1a(Socket sock) throws java.io.IOException, ClassNotFoundException {
InputStream inputStream = sock.getInputStream(); // $ Source
ObjectInputStream in = new ObjectInputStream(inputStream);
return in.readObject(); // $ Alert
}
public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
public Object deserialize2() throws java.io.IOException, ClassNotFoundException {
ObjectInput objectInput = A.getTaintedObjectInput(); // $ Source
return objectInput.readObject(); // $ Alert
}
public Object deserialize3() throws java.io.IOException, ClassNotFoundException {
MyObjectInput objectInput = A.getTaintedMyObjectInput(); // $ Source
return objectInput.readObject(); // $ Alert
}
public Object deserialize4(Socket sock) throws java.io.IOException, ClassNotFoundException {
InputStream inputStream = sock.getInputStream(); // $ Source
ObjectInputStream in = new ObjectInputStream(inputStream);
return in.readUnshared(); // $ Alert
@@ -28,20 +41,20 @@ public class A {
return in.readUnshared(); // OK
}
public Object deserialize3(Socket sock) throws java.io.IOException {
public Object deserialize5(Socket sock) throws java.io.IOException {
InputStream inputStream = sock.getInputStream(); // $ Source
XMLDecoder d = new XMLDecoder(inputStream);
return d.readObject(); // $ Alert
}
public Object deserialize4(Socket sock) throws java.io.IOException {
public Object deserialize6(Socket sock) throws java.io.IOException {
XStream xs = new XStream();
InputStream inputStream = sock.getInputStream(); // $ Source
Reader reader = new InputStreamReader(inputStream);
return xs.fromXML(reader); // $ Alert
}
public void deserialize5(Socket sock) throws java.io.IOException {
public void deserialize7(Socket sock) throws java.io.IOException {
Kryo kryo = new Kryo();
Input input = new Input(sock.getInputStream()); // $ Source
A a1 = kryo.readObject(input, A.class); // $ Alert
@@ -56,7 +69,7 @@ public class A {
return kryo;
}
public void deserialize6(Socket sock) throws java.io.IOException {
public void deserialize8(Socket sock) throws java.io.IOException {
Kryo kryo = getSafeKryo();
Input input = new Input(sock.getInputStream());
Object o = kryo.readClassAndObject(input); // OK
@@ -101,4 +114,8 @@ public class A {
A o4 = yaml.loadAs(input, A.class); // $ Alert
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); // $ Alert
}
static ObjectInput getTaintedObjectInput() { return null; }
static MyObjectInput getTaintedMyObjectInput() { return null; }
}
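Review bot: The new `deserialize2` and `deserialize3` cases exercise only the alerting side of the `ObjectInput` change; there is no `// OK` counterpart for a non-stream `ObjectInput`, unlike the existing safe `readUnshared` case. Adding a method that calls `readObject()` on an `ObjectInput` that does not come from a source, annotated `// OK`, would pin down that the wider sink does not fire without tainted flow. The helpers `getTaintedObjectInput` and `getTaintedMyObjectInput` return `null`, so the `// $ Source` annotations presumably depend on a source model defined outside this file; a short comment above them such as `// Modelled as remote flow sources by the test's data extension.` would say so, if that is the case.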


@@ -1,26 +1,28 @@
#select
| A.java:16:12:16:26 | readObject(...) | A.java:14:31:14:51 | getInputStream(...) : InputStream | A.java:16:12:16:13 | in | Unsafe deserialization depends on a $@. | A.java:14:31:14:51 | getInputStream(...) | user-provided value |
| A.java:22:12:22:28 | readUnshared(...) | A.java:20:31:20:51 | getInputStream(...) : InputStream | A.java:22:12:22:13 | in | Unsafe deserialization depends on a $@. | A.java:20:31:20:51 | getInputStream(...) | user-provided value |
| A.java:34:12:34:25 | readObject(...) | A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:34:12:34:12 | d | Unsafe deserialization depends on a $@. | A.java:32:31:32:51 | getInputStream(...) | user-provided value |
| A.java:41:12:41:29 | fromXML(...) | A.java:39:31:39:51 | getInputStream(...) : InputStream | A.java:41:23:41:28 | reader | Unsafe deserialization depends on a $@. | A.java:39:31:39:51 | getInputStream(...) | user-provided value |
| A.java:47:12:47:42 | readObject(...) | A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:47:28:47:32 | input | Unsafe deserialization depends on a $@. | A.java:46:29:46:49 | getInputStream(...) | user-provided value |
| A.java:48:12:48:48 | readObjectOrNull(...) | A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:48:34:48:38 | input | Unsafe deserialization depends on a $@. | A.java:46:29:46:49 | getInputStream(...) | user-provided value |
| A.java:49:16:49:45 | readClassAndObject(...) | A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:49:40:49:44 | input | Unsafe deserialization depends on a $@. | A.java:46:29:46:49 | getInputStream(...) | user-provided value |
| A.java:68:16:68:31 | load(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:68:26:68:30 | input | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value |
| A.java:69:17:69:35 | loadAll(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:69:30:69:34 | input | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value |
| A.java:70:17:70:56 | parse(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:70:28:70:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value |
| A.java:71:12:71:38 | loadAs(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:71:24:71:28 | input | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value |
| A.java:72:12:72:61 | loadAs(...) | A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:72:24:72:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:67:25:67:45 | getInputStream(...) | user-provided value |
| A.java:78:16:78:31 | load(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:78:26:78:30 | input | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value |
| A.java:79:17:79:35 | loadAll(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:79:30:79:34 | input | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value |
| A.java:80:17:80:56 | parse(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:80:28:80:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value |
| A.java:81:12:81:38 | loadAs(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:81:24:81:28 | input | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value |
| A.java:82:12:82:61 | loadAs(...) | A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:82:24:82:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:77:25:77:45 | getInputStream(...) | user-provided value |
| A.java:98:16:98:31 | load(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:98:26:98:30 | input | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value |
| A.java:99:17:99:35 | loadAll(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:99:30:99:34 | input | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value |
| A.java:100:17:100:56 | parse(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:100:28:100:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value |
| A.java:101:12:101:38 | loadAs(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:101:24:101:28 | input | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value |
| A.java:102:12:102:61 | loadAs(...) | A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:102:24:102:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:97:25:97:45 | getInputStream(...) | user-provided value |
| A.java:19:12:19:26 | readObject(...) | A.java:17:31:17:51 | getInputStream(...) : InputStream | A.java:19:12:19:13 | in | Unsafe deserialization depends on a $@. | A.java:17:31:17:51 | getInputStream(...) | user-provided value |
| A.java:24:12:24:35 | readObject(...) | A.java:23:31:23:55 | getTaintedObjectInput(...) : ObjectInput | A.java:24:12:24:22 | objectInput | Unsafe deserialization depends on a $@. | A.java:23:31:23:55 | getTaintedObjectInput(...) | user-provided value |
| A.java:29:12:29:35 | readObject(...) | A.java:28:33:28:59 | getTaintedMyObjectInput(...) : MyObjectInput | A.java:29:12:29:22 | objectInput | Unsafe deserialization depends on a $@. | A.java:28:33:28:59 | getTaintedMyObjectInput(...) | user-provided value |
| A.java:35:12:35:28 | readUnshared(...) | A.java:33:31:33:51 | getInputStream(...) : InputStream | A.java:35:12:35:13 | in | Unsafe deserialization depends on a $@. | A.java:33:31:33:51 | getInputStream(...) | user-provided value |
| A.java:47:12:47:25 | readObject(...) | A.java:45:31:45:51 | getInputStream(...) : InputStream | A.java:47:12:47:12 | d | Unsafe deserialization depends on a $@. | A.java:45:31:45:51 | getInputStream(...) | user-provided value |
| A.java:54:12:54:29 | fromXML(...) | A.java:52:31:52:51 | getInputStream(...) : InputStream | A.java:54:23:54:28 | reader | Unsafe deserialization depends on a $@. | A.java:52:31:52:51 | getInputStream(...) | user-provided value |
| A.java:60:12:60:42 | readObject(...) | A.java:59:29:59:49 | getInputStream(...) : InputStream | A.java:60:28:60:32 | input | Unsafe deserialization depends on a $@. | A.java:59:29:59:49 | getInputStream(...) | user-provided value |
| A.java:61:12:61:48 | readObjectOrNull(...) | A.java:59:29:59:49 | getInputStream(...) : InputStream | A.java:61:34:61:38 | input | Unsafe deserialization depends on a $@. | A.java:59:29:59:49 | getInputStream(...) | user-provided value |
| A.java:62:16:62:45 | readClassAndObject(...) | A.java:59:29:59:49 | getInputStream(...) : InputStream | A.java:62:40:62:44 | input | Unsafe deserialization depends on a $@. | A.java:59:29:59:49 | getInputStream(...) | user-provided value |
| A.java:81:16:81:31 | load(...) | A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:81:26:81:30 | input | Unsafe deserialization depends on a $@. | A.java:80:25:80:45 | getInputStream(...) | user-provided value |
| A.java:82:17:82:35 | loadAll(...) | A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:82:30:82:34 | input | Unsafe deserialization depends on a $@. | A.java:80:25:80:45 | getInputStream(...) | user-provided value |
| A.java:83:17:83:56 | parse(...) | A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:83:28:83:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:80:25:80:45 | getInputStream(...) | user-provided value |
| A.java:84:12:84:38 | loadAs(...) | A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:84:24:84:28 | input | Unsafe deserialization depends on a $@. | A.java:80:25:80:45 | getInputStream(...) | user-provided value |
| A.java:85:12:85:61 | loadAs(...) | A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:85:24:85:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:80:25:80:45 | getInputStream(...) | user-provided value |
| A.java:91:16:91:31 | load(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:91:26:91:30 | input | Unsafe deserialization depends on a $@. | A.java:90:25:90:45 | getInputStream(...) | user-provided value |
| A.java:92:17:92:35 | loadAll(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:92:30:92:34 | input | Unsafe deserialization depends on a $@. | A.java:90:25:90:45 | getInputStream(...) | user-provided value |
| A.java:93:17:93:56 | parse(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:90:25:90:45 | getInputStream(...) | user-provided value |
| A.java:94:12:94:38 | loadAs(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:94:24:94:28 | input | Unsafe deserialization depends on a $@. | A.java:90:25:90:45 | getInputStream(...) | user-provided value |
| A.java:95:12:95:61 | loadAs(...) | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:90:25:90:45 | getInputStream(...) | user-provided value |
| A.java:111:16:111:31 | load(...) | A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:111:26:111:30 | input | Unsafe deserialization depends on a $@. | A.java:110:25:110:45 | getInputStream(...) | user-provided value |
| A.java:112:17:112:35 | loadAll(...) | A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:112:30:112:34 | input | Unsafe deserialization depends on a $@. | A.java:110:25:110:45 | getInputStream(...) | user-provided value |
| A.java:113:17:113:56 | parse(...) | A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:113:28:113:55 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:110:25:110:45 | getInputStream(...) | user-provided value |
| A.java:114:12:114:38 | loadAs(...) | A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:114:24:114:28 | input | Unsafe deserialization depends on a $@. | A.java:110:25:110:45 | getInputStream(...) | user-provided value |
| A.java:115:12:115:61 | loadAs(...) | A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:115:24:115:51 | new InputStreamReader(...) | Unsafe deserialization depends on a $@. | A.java:110:25:110:45 | getInputStream(...) | user-provided value |
| B.java:8:12:8:46 | parseObject(...) | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | Unsafe deserialization depends on a $@. | B.java:7:31:7:51 | getInputStream(...) | user-provided value |
| B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization depends on a $@. | B.java:12:31:12:51 | getInputStream(...) | user-provided value |
| B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization depends on a $@. | B.java:19:31:19:51 | getInputStream(...) | user-provided value |
@@ -72,59 +74,61 @@
| ParcelableEntity.java:32:30:32:70 | fromJson(...) | GsonActivity.java:15:54:15:64 | getIntent(...) : Intent | ParcelableEntity.java:32:44:32:62 | readString(...) | Unsafe deserialization depends on a $@. | GsonActivity.java:15:54:15:64 | getIntent(...) | user-provided value |
| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization depends on a $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user-provided value |
edges
| A.java:14:31:14:51 | getInputStream(...) : InputStream | A.java:15:50:15:60 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:14:31:14:51 | getInputStream(...) : InputStream | A.java:16:12:16:13 | in | provenance | Src:MaD:1 inputStreamWrapper |
| A.java:15:28:15:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:16:12:16:13 | in | provenance | |
| A.java:15:50:15:60 | inputStream : InputStream | A.java:15:28:15:61 | new ObjectInputStream(...) : ObjectInputStream | provenance | MaD:11 |
| A.java:20:31:20:51 | getInputStream(...) : InputStream | A.java:21:50:21:60 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:20:31:20:51 | getInputStream(...) : InputStream | A.java:22:12:22:13 | in | provenance | Src:MaD:1 inputStreamWrapper |
| A.java:21:28:21:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:22:12:22:13 | in | provenance | |
| A.java:21:50:21:60 | inputStream : InputStream | A.java:21:28:21:61 | new ObjectInputStream(...) : ObjectInputStream | provenance | MaD:11 |
| A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:33:35:33:45 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:33:20:33:46 | new XMLDecoder(...) : XMLDecoder | A.java:34:12:34:12 | d | provenance | |
| A.java:33:35:33:45 | inputStream : InputStream | A.java:33:20:33:46 | new XMLDecoder(...) : XMLDecoder | provenance | MaD:7 |
| A.java:39:31:39:51 | getInputStream(...) : InputStream | A.java:40:43:40:53 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:40:21:40:54 | new InputStreamReader(...) : InputStreamReader | A.java:41:23:41:28 | reader | provenance | |
| A.java:40:43:40:53 | inputStream : InputStream | A.java:40:21:40:54 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:10 |
| A.java:46:19:46:50 | new Input(...) : Input | A.java:47:28:47:32 | input | provenance | |
| A.java:46:19:46:50 | new Input(...) : Input | A.java:48:34:48:38 | input | provenance | |
| A.java:46:19:46:50 | new Input(...) : Input | A.java:49:40:49:44 | input | provenance | |
| A.java:46:29:46:49 | getInputStream(...) : InputStream | A.java:46:19:46:50 | new Input(...) : Input | provenance | Src:MaD:1 MaD:5 |
| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:68:26:68:30 | input | provenance | Src:MaD:1 |
| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:69:30:69:34 | input | provenance | Src:MaD:1 |
| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:70:50:70:54 | input : InputStream | provenance | Src:MaD:1 |
| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:71:24:71:28 | input | provenance | Src:MaD:1 |
| A.java:67:25:67:45 | getInputStream(...) : InputStream | A.java:72:46:72:50 | input : InputStream | provenance | Src:MaD:1 |
| A.java:70:50:70:54 | input : InputStream | A.java:70:28:70:55 | new InputStreamReader(...) | provenance | MaD:10 |
| A.java:72:46:72:50 | input : InputStream | A.java:72:24:72:51 | new InputStreamReader(...) | provenance | MaD:10 |
| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:78:26:78:30 | input | provenance | Src:MaD:1 |
| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:79:30:79:34 | input | provenance | Src:MaD:1 |
| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:80:50:80:54 | input : InputStream | provenance | Src:MaD:1 |
| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:81:24:81:28 | input | provenance | Src:MaD:1 |
| A.java:77:25:77:45 | getInputStream(...) : InputStream | A.java:82:46:82:50 | input : InputStream | provenance | Src:MaD:1 |
| A.java:80:50:80:54 | input : InputStream | A.java:80:28:80:55 | new InputStreamReader(...) | provenance | MaD:10 |
| A.java:82:46:82:50 | input : InputStream | A.java:82:24:82:51 | new InputStreamReader(...) | provenance | MaD:10 |
| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:98:26:98:30 | input | provenance | Src:MaD:1 |
| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:99:30:99:34 | input | provenance | Src:MaD:1 |
| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:100:50:100:54 | input : InputStream | provenance | Src:MaD:1 |
| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:101:24:101:28 | input | provenance | Src:MaD:1 |
| A.java:97:25:97:45 | getInputStream(...) : InputStream | A.java:102:46:102:50 | input : InputStream | provenance | Src:MaD:1 |
| A.java:100:50:100:54 | input : InputStream | A.java:100:28:100:55 | new InputStreamReader(...) | provenance | MaD:10 |
| A.java:102:46:102:50 | input : InputStream | A.java:102:24:102:51 | new InputStreamReader(...) | provenance | MaD:10 |
| A.java:17:31:17:51 | getInputStream(...) : InputStream | A.java:18:50:18:60 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:17:31:17:51 | getInputStream(...) : InputStream | A.java:19:12:19:13 | in | provenance | Src:MaD:1 inputStreamWrapper |
| A.java:18:28:18:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:19:12:19:13 | in | provenance | |
| A.java:18:50:18:60 | inputStream : InputStream | A.java:18:28:18:61 | new ObjectInputStream(...) : ObjectInputStream | provenance | MaD:13 |
| A.java:23:31:23:55 | getTaintedObjectInput(...) : ObjectInput | A.java:24:12:24:22 | objectInput | provenance | Src:MaD:5 |
| A.java:28:33:28:59 | getTaintedMyObjectInput(...) : MyObjectInput | A.java:29:12:29:22 | objectInput | provenance | Src:MaD:4 |
| A.java:33:31:33:51 | getInputStream(...) : InputStream | A.java:34:50:34:60 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:33:31:33:51 | getInputStream(...) : InputStream | A.java:35:12:35:13 | in | provenance | Src:MaD:1 inputStreamWrapper |
| A.java:34:28:34:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:35:12:35:13 | in | provenance | |
| A.java:34:50:34:60 | inputStream : InputStream | A.java:34:28:34:61 | new ObjectInputStream(...) : ObjectInputStream | provenance | MaD:13 |
| A.java:45:31:45:51 | getInputStream(...) : InputStream | A.java:46:35:46:45 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:46:20:46:46 | new XMLDecoder(...) : XMLDecoder | A.java:47:12:47:12 | d | provenance | |
| A.java:46:35:46:45 | inputStream : InputStream | A.java:46:20:46:46 | new XMLDecoder(...) : XMLDecoder | provenance | MaD:9 |
| A.java:52:31:52:51 | getInputStream(...) : InputStream | A.java:53:43:53:53 | inputStream : InputStream | provenance | Src:MaD:1 |
| A.java:53:21:53:54 | new InputStreamReader(...) : InputStreamReader | A.java:54:23:54:28 | reader | provenance | |
| A.java:53:43:53:53 | inputStream : InputStream | A.java:53:21:53:54 | new InputStreamReader(...) : InputStreamReader | provenance | MaD:12 |
| A.java:59:19:59:50 | new Input(...) : Input | A.java:60:28:60:32 | input | provenance | |
| A.java:59:19:59:50 | new Input(...) : Input | A.java:61:34:61:38 | input | provenance | |
| A.java:59:19:59:50 | new Input(...) : Input | A.java:62:40:62:44 | input | provenance | |
| A.java:59:29:59:49 | getInputStream(...) : InputStream | A.java:59:19:59:50 | new Input(...) : Input | provenance | Src:MaD:1 MaD:7 |
| A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:81:26:81:30 | input | provenance | Src:MaD:1 |
| A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:82:30:82:34 | input | provenance | Src:MaD:1 |
| A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:83:50:83:54 | input : InputStream | provenance | Src:MaD:1 |
| A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:84:24:84:28 | input | provenance | Src:MaD:1 |
| A.java:80:25:80:45 | getInputStream(...) : InputStream | A.java:85:46:85:50 | input : InputStream | provenance | Src:MaD:1 |
| A.java:83:50:83:54 | input : InputStream | A.java:83:28:83:55 | new InputStreamReader(...) | provenance | MaD:12 |
| A.java:85:46:85:50 | input : InputStream | A.java:85:24:85:51 | new InputStreamReader(...) | provenance | MaD:12 |
| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:91:26:91:30 | input | provenance | Src:MaD:1 |
| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:92:30:92:34 | input | provenance | Src:MaD:1 |
| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:50:93:54 | input : InputStream | provenance | Src:MaD:1 |
| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:94:24:94:28 | input | provenance | Src:MaD:1 |
| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:46:95:50 | input : InputStream | provenance | Src:MaD:1 |
| A.java:93:50:93:54 | input : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) | provenance | MaD:12 |
| A.java:95:46:95:50 | input : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) | provenance | MaD:12 |
| A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:111:26:111:30 | input | provenance | Src:MaD:1 |
| A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:112:30:112:34 | input | provenance | Src:MaD:1 |
| A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:113:50:113:54 | input : InputStream | provenance | Src:MaD:1 |
| A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:114:24:114:28 | input | provenance | Src:MaD:1 |
| A.java:110:25:110:45 | getInputStream(...) : InputStream | A.java:115:46:115:50 | input : InputStream | provenance | Src:MaD:1 |
| A.java:113:50:113:54 | input : InputStream | A.java:113:28:113:55 | new InputStreamReader(...) | provenance | MaD:12 |
| A.java:115:46:115:50 | input : InputStream | A.java:115:24:115:51 | new InputStreamReader(...) | provenance | MaD:12 |
| B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream | provenance | Src:MaD:1 |
| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:14:5:14:15 | inputStream : InputStream | provenance | Src:MaD:1 |
| B.java:14:5:14:15 | inputStream : InputStream | B.java:14:22:14:26 | bytes [post update] : byte[] | provenance | MaD:9 |
| B.java:14:5:14:15 | inputStream : InputStream | B.java:14:22:14:26 | bytes [post update] : byte[] | provenance | MaD:11 |
| B.java:14:22:14:26 | bytes [post update] : byte[] | B.java:15:23:15:27 | bytes | provenance | |
| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:21:5:21:15 | inputStream : InputStream | provenance | Src:MaD:1 |
| B.java:21:5:21:15 | inputStream : InputStream | B.java:21:22:21:26 | bytes [post update] : byte[] | provenance | MaD:9 |
| B.java:21:5:21:15 | inputStream : InputStream | B.java:21:22:21:26 | bytes [post update] : byte[] | provenance | MaD:11 |
| B.java:21:22:21:26 | bytes [post update] : byte[] | B.java:22:27:22:31 | bytes : byte[] | provenance | |
| B.java:22:16:22:32 | new String(...) : String | B.java:23:29:23:29 | s | provenance | |
| B.java:22:27:22:31 | bytes : byte[] | B.java:22:16:22:32 | new String(...) : String | provenance | MaD:13 |
| B.java:22:27:22:31 | bytes : byte[] | B.java:22:16:22:32 | new String(...) : String | provenance | MaD:15 |
| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream | provenance | Src:MaD:1 |
| B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] | provenance | MaD:9 |
| B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] | provenance | MaD:11 |
| B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:30:27:30:31 | bytes : byte[] | provenance | |
| B.java:30:16:30:32 | new String(...) : String | B.java:31:23:31:23 | s | provenance | |
| B.java:30:27:30:31 | bytes : byte[] | B.java:30:16:30:32 | new String(...) : String | provenance | MaD:13 |
| B.java:30:27:30:31 | bytes : byte[] | B.java:30:16:30:32 | new String(...) : String | provenance | MaD:15 |
| C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data | provenance | Src:MaD:3 |
| C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data | provenance | Src:MaD:3 |
| C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data | provenance | Src:MaD:3 |
@@ -142,28 +146,28 @@ edges
| C.java:52:18:52:37 | new YamlReader(...) : YamlReader | C.java:54:3:54:3 | r | provenance | |
| C.java:52:18:52:37 | new YamlReader(...) : YamlReader | C.java:55:3:55:3 | r | provenance | |
| C.java:52:33:52:36 | data : String | C.java:52:18:52:37 | new YamlReader(...) : YamlReader | provenance | Config |
| C.java:60:18:60:45 | getParameter(...) : String | C.java:60:18:60:56 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:14 |
| C.java:60:18:60:45 | getParameter(...) : String | C.java:60:18:60:56 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:16 |
| C.java:60:18:60:56 | getBytes(...) : byte[] | C.java:61:55:61:59 | bytes : byte[] | provenance | |
| C.java:60:18:60:56 | getBytes(...) : byte[] | C.java:62:48:62:50 | bis : ByteArrayInputStream | provenance | inputStreamWrapper |
| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:62:48:62:50 | bis : ByteArrayInputStream | provenance | |
| C.java:61:55:61:59 | bytes : byte[] | C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:8 |
| C.java:61:55:61:59 | bytes : byte[] | C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:10 |
| C.java:62:31:62:51 | new HessianInput(...) : HessianInput | C.java:63:3:63:14 | hessianInput | provenance | |
| C.java:62:31:62:51 | new HessianInput(...) : HessianInput | C.java:64:3:64:14 | hessianInput | provenance | |
| C.java:62:48:62:50 | bis : ByteArrayInputStream | C.java:62:31:62:51 | new HessianInput(...) : HessianInput | provenance | Config |
| C.java:69:18:69:45 | getParameter(...) : String | C.java:69:18:69:56 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:14 |
| C.java:69:18:69:45 | getParameter(...) : String | C.java:69:18:69:56 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:16 |
| C.java:69:18:69:56 | getBytes(...) : byte[] | C.java:70:55:70:59 | bytes : byte[] | provenance | |
| C.java:69:18:69:56 | getBytes(...) : byte[] | C.java:71:50:71:52 | bis : ByteArrayInputStream | provenance | inputStreamWrapper |
| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:71:50:71:52 | bis : ByteArrayInputStream | provenance | |
| C.java:70:55:70:59 | bytes : byte[] | C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:8 |
| C.java:70:55:70:59 | bytes : byte[] | C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:10 |
| C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | C.java:72:3:72:14 | hessianInput | provenance | |
| C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | C.java:73:3:73:14 | hessianInput | provenance | |
| C.java:71:50:71:52 | bis : ByteArrayInputStream | C.java:71:32:71:53 | new Hessian2Input(...) : Hessian2Input | provenance | Config |
| C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | provenance | Src:MaD:3 MaD:12 |
| C.java:84:27:84:54 | getParameter(...) : String | C.java:84:27:84:65 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:14 |
| C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | provenance | Src:MaD:3 MaD:14 |
| C.java:84:27:84:54 | getParameter(...) : String | C.java:84:27:84:65 | getBytes(...) : byte[] | provenance | Src:MaD:3 MaD:16 |
| C.java:84:27:84:65 | getBytes(...) : byte[] | C.java:85:54:85:67 | serializedData : byte[] | provenance | |
| C.java:84:27:84:65 | getBytes(...) : byte[] | C.java:86:45:86:46 | is : ByteArrayInputStream | provenance | inputStreamWrapper |
| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:86:45:86:46 | is : ByteArrayInputStream | provenance | |
| C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:8 |
| C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | provenance | MaD:10 |
| C.java:86:29:86:47 | new BurlapInput(...) : BurlapInput | C.java:87:3:87:13 | burlapInput | provenance | |
| C.java:86:45:86:46 | is : ByteArrayInputStream | C.java:86:29:86:47 | new BurlapInput(...) : BurlapInput | provenance | Config |
| C.java:86:45:86:46 | is : ByteArrayInputStream | C.java:90:21:90:22 | is : ByteArrayInputStream | provenance | |
@@ -177,12 +181,12 @@ edges
| GsonServlet.java:53:23:53:46 | getParameter(...) : String | GsonServlet.java:60:40:60:43 | json | provenance | Src:MaD:3 |
| JabsorbServlet.java:89:23:89:46 | getParameter(...) : String | JabsorbServlet.java:93:48:93:51 | json : String | provenance | Src:MaD:3 |
| JabsorbServlet.java:93:33:93:52 | new JSONObject(...) : JSONObject | JabsorbServlet.java:102:83:102:92 | jsonObject | provenance | |
| JabsorbServlet.java:93:48:93:51 | json : String | JabsorbServlet.java:93:33:93:52 | new JSONObject(...) : JSONObject | provenance | MaD:16 |
| JabsorbServlet.java:93:48:93:51 | json : String | JabsorbServlet.java:93:33:93:52 | new JSONObject(...) : JSONObject | provenance | MaD:18 |
| JabsorbServlet.java:110:23:110:46 | getParameter(...) : String | JabsorbServlet.java:116:52:116:55 | json | provenance | Src:MaD:3 |
| JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:20:54:20:58 | bytes [post update] : byte[] | provenance | Src:MaD:1 MaD:9 |
| JacksonTest.java:20:25:20:47 | getInputStream(...) : InputStream | JacksonTest.java:20:54:20:58 | bytes [post update] : byte[] | provenance | Src:MaD:1 MaD:11 |
| JacksonTest.java:20:54:20:58 | bytes [post update] : byte[] | JacksonTest.java:21:46:21:50 | bytes : byte[] | provenance | |
| JacksonTest.java:21:35:21:57 | new String(...) : String | JacksonTest.java:22:28:22:35 | jexlExpr : String | provenance | |
| JacksonTest.java:21:46:21:50 | bytes : byte[] | JacksonTest.java:21:35:21:57 | new String(...) : String | provenance | MaD:13 |
| JacksonTest.java:21:46:21:50 | bytes : byte[] | JacksonTest.java:21:35:21:57 | new String(...) : String | provenance | MaD:15 |
| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:74:32:74:37 | string : String | provenance | |
| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:83:32:83:37 | string : String | provenance | |
| JacksonTest.java:22:28:22:35 | jexlExpr : String | JacksonTest.java:92:32:92:37 | string : String | provenance | |
@@ -197,14 +201,14 @@ edges
| JacksonTest.java:139:32:139:37 | string : String | JacksonTest.java:142:30:142:35 | string | provenance | |
| JacksonTest.java:148:32:148:37 | string : String | JacksonTest.java:151:62:151:67 | string : String | provenance | |
| JacksonTest.java:151:62:151:67 | string : String | JacksonTest.java:151:31:151:68 | createParser(...) | provenance | Config |
| JacksonTest.java:151:62:151:67 | string : String | JacksonTest.java:151:31:151:68 | createParser(...) | provenance | MaD:6 |
| JacksonTest.java:151:62:151:67 | string : String | JacksonTest.java:151:31:151:68 | createParser(...) | provenance | MaD:8 |
| JacksonTest.java:157:32:157:37 | string : String | JacksonTest.java:160:48:160:53 | string : String | provenance | |
| JacksonTest.java:160:48:160:53 | string : String | JacksonTest.java:160:32:160:54 | readTree(...) | provenance | Config |
| JacksonTest.java:166:32:166:36 | input : String | JacksonTest.java:167:30:167:34 | input : String | provenance | |
| JacksonTest.java:167:30:167:34 | input : String | JacksonTest.java:167:30:167:45 | split(...) : String[] | provenance | MaD:15 |
| JacksonTest.java:167:30:167:34 | input : String | JacksonTest.java:167:30:167:45 | split(...) : String[] | provenance | MaD:17 |
| JacksonTest.java:167:30:167:45 | split(...) : String[] | JacksonTest.java:172:30:172:33 | data | provenance | |
| JacksonTest.java:178:32:178:36 | input : String | JacksonTest.java:179:30:179:34 | input : String | provenance | |
| JacksonTest.java:179:30:179:34 | input : String | JacksonTest.java:179:30:179:45 | split(...) : String[] | provenance | MaD:15 |
| JacksonTest.java:179:30:179:34 | input : String | JacksonTest.java:179:30:179:45 | split(...) : String[] | provenance | MaD:17 |
| JacksonTest.java:179:30:179:45 | split(...) : String[] | JacksonTest.java:183:30:183:33 | data | provenance | |
| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:45:37:45:40 | json | provenance | Src:MaD:3 |
| JoddJsonServlet.java:32:23:32:46 | getParameter(...) : String | JoddJsonServlet.java:47:56:47:59 | json | provenance | Src:MaD:3 |
@@ -213,73 +217,79 @@ edges
| JoddJsonServlet.java:58:23:58:46 | getParameter(...) : String | JoddJsonServlet.java:63:39:63:42 | json | provenance | Src:MaD:3 |
| ObjectMessageTest.java:6:27:6:41 | message : Message | ObjectMessageTest.java:7:26:7:32 | message | provenance | Src:MaD:2 |
| ParcelableEntity.java:29:50:29:62 | parcel : Parcel | ParcelableEntity.java:32:44:32:49 | parcel : Parcel | provenance | |
| ParcelableEntity.java:32:44:32:49 | parcel : Parcel | ParcelableEntity.java:32:44:32:62 | readString(...) | provenance | MaD:4 |
| ParcelableEntity.java:32:44:32:49 | parcel : Parcel | ParcelableEntity.java:32:44:32:62 | readString(...) | provenance | MaD:6 |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | provenance | inputStreamWrapper |
| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | provenance | |
| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | provenance | MaD:11 |
| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | provenance | MaD:13 |
models
| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
| 2 | Source: javax.jms; MessageListener; true; onMessage; (Message); ; Parameter[0]; remote; manual |
| 3 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
| 4 | Summary: android.os; Parcel; false; readString; ; ; Argument[this]; ReturnValue; taint; manual |
| 5 | Summary: com.esotericsoftware.kryo.io; Input; false; Input; ; ; Argument[0]; Argument[this]; taint; manual |
| 6 | Summary: com.fasterxml.jackson.core; JsonFactory; false; createParser; ; ; Argument[0]; ReturnValue; taint; manual |
| 7 | Summary: java.beans; XMLDecoder; false; XMLDecoder; ; ; Argument[0]; Argument[this]; taint; manual |
| 8 | Summary: java.io; ByteArrayInputStream; false; ByteArrayInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
| 9 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual |
| 10 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 11 | Summary: java.io; ObjectInputStream; false; ObjectInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
| 12 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 13 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
| 14 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
| 15 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual |
| 16 | Summary: org.json; JSONObject; false; JSONObject; (String); ; Argument[0]; Argument[this]; taint; manual |
| 4 | Source: unsafedeserialization; A; false; getTaintedMyObjectInput; (); ; ReturnValue; remote; manual |
| 5 | Source: unsafedeserialization; A; false; getTaintedObjectInput; (); ; ReturnValue; remote; manual |
| 6 | Summary: android.os; Parcel; false; readString; ; ; Argument[this]; ReturnValue; taint; manual |
| 7 | Summary: com.esotericsoftware.kryo.io; Input; false; Input; ; ; Argument[0]; Argument[this]; taint; manual |
| 8 | Summary: com.fasterxml.jackson.core; JsonFactory; false; createParser; ; ; Argument[0]; ReturnValue; taint; manual |
| 9 | Summary: java.beans; XMLDecoder; false; XMLDecoder; ; ; Argument[0]; Argument[this]; taint; manual |
| 10 | Summary: java.io; ByteArrayInputStream; false; ByteArrayInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
| 11 | Summary: java.io; InputStream; true; read; (byte[]); ; Argument[this]; Argument[0]; taint; manual |
| 12 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 13 | Summary: java.io; ObjectInputStream; false; ObjectInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
| 14 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 15 | Summary: java.lang; String; false; String; ; ; Argument[0]; Argument[this]; taint; manual |
| 16 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
| 17 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual |
| 18 | Summary: org.json; JSONObject; false; JSONObject; (String); ; Argument[0]; Argument[this]; taint; manual |
nodes
| A.java:14:31:14:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:15:28:15:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
| A.java:15:50:15:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:16:12:16:13 | in | semmle.label | in |
| A.java:20:31:20:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:21:28:21:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
| A.java:21:50:21:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:22:12:22:13 | in | semmle.label | in |
| A.java:32:31:32:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:33:20:33:46 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
| A.java:33:35:33:45 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:34:12:34:12 | d | semmle.label | d |
| A.java:39:31:39:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:40:21:40:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| A.java:40:43:40:53 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:41:23:41:28 | reader | semmle.label | reader |
| A.java:46:19:46:50 | new Input(...) : Input | semmle.label | new Input(...) : Input |
| A.java:46:29:46:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:47:28:47:32 | input | semmle.label | input |
| A.java:48:34:48:38 | input | semmle.label | input |
| A.java:49:40:49:44 | input | semmle.label | input |
| A.java:67:25:67:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:68:26:68:30 | input | semmle.label | input |
| A.java:69:30:69:34 | input | semmle.label | input |
| A.java:70:28:70:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:70:50:70:54 | input : InputStream | semmle.label | input : InputStream |
| A.java:71:24:71:28 | input | semmle.label | input |
| A.java:72:24:72:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:72:46:72:50 | input : InputStream | semmle.label | input : InputStream |
| A.java:77:25:77:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:78:26:78:30 | input | semmle.label | input |
| A.java:79:30:79:34 | input | semmle.label | input |
| A.java:80:28:80:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:80:50:80:54 | input : InputStream | semmle.label | input : InputStream |
| A.java:81:24:81:28 | input | semmle.label | input |
| A.java:82:24:82:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:82:46:82:50 | input : InputStream | semmle.label | input : InputStream |
| A.java:97:25:97:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:98:26:98:30 | input | semmle.label | input |
| A.java:99:30:99:34 | input | semmle.label | input |
| A.java:100:28:100:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:100:50:100:54 | input : InputStream | semmle.label | input : InputStream |
| A.java:101:24:101:28 | input | semmle.label | input |
| A.java:102:24:102:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:102:46:102:50 | input : InputStream | semmle.label | input : InputStream |
| A.java:17:31:17:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:18:28:18:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
| A.java:18:50:18:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:19:12:19:13 | in | semmle.label | in |
| A.java:23:31:23:55 | getTaintedObjectInput(...) : ObjectInput | semmle.label | getTaintedObjectInput(...) : ObjectInput |
| A.java:24:12:24:22 | objectInput | semmle.label | objectInput |
| A.java:28:33:28:59 | getTaintedMyObjectInput(...) : MyObjectInput | semmle.label | getTaintedMyObjectInput(...) : MyObjectInput |
| A.java:29:12:29:22 | objectInput | semmle.label | objectInput |
| A.java:33:31:33:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:34:28:34:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
| A.java:34:50:34:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:35:12:35:13 | in | semmle.label | in |
| A.java:45:31:45:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:46:20:46:46 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
| A.java:46:35:46:45 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:47:12:47:12 | d | semmle.label | d |
| A.java:52:31:52:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:53:21:53:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| A.java:53:43:53:53 | inputStream : InputStream | semmle.label | inputStream : InputStream |
| A.java:54:23:54:28 | reader | semmle.label | reader |
| A.java:59:19:59:50 | new Input(...) : Input | semmle.label | new Input(...) : Input |
| A.java:59:29:59:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:60:28:60:32 | input | semmle.label | input |
| A.java:61:34:61:38 | input | semmle.label | input |
| A.java:62:40:62:44 | input | semmle.label | input |
| A.java:80:25:80:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:81:26:81:30 | input | semmle.label | input |
| A.java:82:30:82:34 | input | semmle.label | input |
| A.java:83:28:83:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:83:50:83:54 | input : InputStream | semmle.label | input : InputStream |
| A.java:84:24:84:28 | input | semmle.label | input |
| A.java:85:24:85:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:85:46:85:50 | input : InputStream | semmle.label | input : InputStream |
| A.java:90:25:90:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:91:26:91:30 | input | semmle.label | input |
| A.java:92:30:92:34 | input | semmle.label | input |
| A.java:93:28:93:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:93:50:93:54 | input : InputStream | semmle.label | input : InputStream |
| A.java:94:24:94:28 | input | semmle.label | input |
| A.java:95:24:95:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:95:46:95:50 | input : InputStream | semmle.label | input : InputStream |
| A.java:110:25:110:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| A.java:111:26:111:30 | input | semmle.label | input |
| A.java:112:30:112:34 | input | semmle.label | input |
| A.java:113:28:113:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:113:50:113:54 | input : InputStream | semmle.label | input : InputStream |
| A.java:114:24:114:28 | input | semmle.label | input |
| A.java:115:24:115:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
| A.java:115:46:115:50 | input : InputStream | semmle.label | input : InputStream |
| B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| B.java:8:29:8:39 | inputStream | semmle.label | inputStream |
| B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["unsafedeserialization", "A", False, "getTaintedObjectInput", "()", "", "ReturnValue", "remote", "manual"]
- ["unsafedeserialization", "A", False, "getTaintedMyObjectInput", "()", "", "ReturnValue", "remote", "manual"]


@@ -0,0 +1,109 @@
package com.example;
import java.io.*;
public final class MyObjectInput implements ObjectInput {
@Override
public Object readObject() throws ClassNotFoundException, IOException {
return null;
}
@Override
public int read() throws IOException {
return 0;
}
@Override
public int read(byte[] b) throws IOException {
return 0;
}
@Override
public int read(byte[] b, int off, int len) throws IOException {
return 0;
}
@Override
public long skip(long n) throws IOException {
return 0;
}
@Override
public int available() throws IOException {
return 0;
}
@Override
public void close() throws IOException {}
@Override
public void readFully(byte[] b) throws IOException {}
@Override
public void readFully(byte[] b, int off, int len) throws IOException {}
@Override
public int skipBytes(int n) throws IOException {
return 0;
}
@Override
public boolean readBoolean() throws IOException {
return false;
}
@Override
public byte readByte() throws IOException {
return 0;
}
@Override
public int readUnsignedByte() throws IOException {
return 0;
}
@Override
public short readShort() throws IOException {
return 0;
}
@Override
public int readUnsignedShort() throws IOException {
return 0;
}
@Override
public char readChar() throws IOException {
return 0;
}
@Override
public int readInt() throws IOException {
return 0;
}
@Override
public long readLong() throws IOException {
return 0;
}
@Override
public float readFloat() throws IOException {
return 0;
}
@Override
public double readDouble() throws IOException {
return 0;
}
@Override
public String readLine() throws IOException {
return null;
}
@Override
public String readUTF() throws IOException {
return null;
}
}
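Review bot: `MyObjectInput` has no class comment saying what it is for, and every method in it is a constant-returning stub. Judging by the `getTaintedMyObjectInput` source model added in the same commit, it presumably exists so the test can check that `readObject()` on a user-defined `ObjectInput` implementation is treated as a deserialization sink. A Javadoc above the class would make that explicit, for example `/** Test stub: a custom ObjectInput implementation, used to check that readObject() on non-JDK implementations is flagged. */`.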


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Type annotations such as `foo : Bar` are now treated by the call graph as an indication that `foo` may be an instance of `Bar`.


@@ -762,6 +762,17 @@ class Annotation extends Expr {
or
this = any(FunctionExpr f).getReturns()
}
/** Gets the expression that this annotation annotates. */
Expr getAnnotatedExpression() {
result = any(AnnAssign a | a.getAnnotation() = this).getTarget()
or
result = any(Parameter p | p.getAnnotation() = this)
or
exists(FunctionExpr f, Return r |
this = f.getReturns() and r.getScope() = f.getInnerScope() and result = r.getValue()
)
}
}
/* Expression Contexts */
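Review bot: `getAnnotatedExpression` can have several results, because its third disjunct yields the value of every `Return` whose scope is the function's inner scope, yet the QLDoc reads "Gets the expression". I would reword it to `/** Gets an expression that this annotation annotates: an annotated assignment target, an annotated parameter, or a value returned by a function with this return annotation. */` and consider the `getAn…` naming usually given to multi-valued predicates. The enclosing `Annotation` class starts outside the hunk.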


@@ -580,6 +580,11 @@ private module TrackClassInstanceInput implements CallGraphConstruction::Simple:
class State = Class;
predicate start(Node start, Class cls) {
exists(Annotation ann |
ann = classTracker(cls).asExpr() and
start.asExpr() = ann.getAnnotatedExpression()
)
or
resolveClassCall(start.(CallCfgNode).asCfgNode(), cls)
or
// result of `super().__new__` as used in a `__new__` method implementation
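Review bot: The new first disjunct of `start` makes every annotated expression a tracking start for `cls`, but Python does not check annotations at runtime, so the value may be a subclass instance, `None`, or something unrelated. Queries built on this call graph can therefore gain edges to methods of `cls` that never run, and may resolve to the base-class method where a subclass overrides it. A why-comment above the `exists` would record that this is a deliberate heuristic, e.g. `// annotations are unchecked hints: treat the annotated expression as a possible instance of cls`. The body of `start` continues outside the hunk.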


@@ -18,17 +18,7 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
// Diff-informed incremental mode is currently disabled for this query due to
// API limitations. The query exposes sink.getABacktrackingTerm() as an alert
// location, but there is no way to express that information through
// getASelectedSinkLocation() because there is no @location in the CodeQL
// database that corresponds to a term inside a regular expression. As a
// result, this query could miss alerts in diff-informed incremental mode.
//
// To address this problem, we need to have a version of
// getASelectedSinkLocation() that uses hasLocationInfo() instead of
// returning Location objects.
predicate observeDiffInformedIncrementalMode() { none() }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.(Sink).getHighlight().getLocation()
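Review bot: Switching `observeDiffInformedIncrementalMode()` to `any()` drops the comment that explained why the mode was off: the alert also uses `sink.getABacktrackingTerm()` as a location. The only visible line of `getASelectedSinkLocation` still returns just `getHighlight().getLocation()`. If the rest of that predicate, which lies outside the hunk, does not also return the backtracking term's location, alerts anchored on the regex term could be filtered out in diff-informed runs, and for a ReDoS query that means silently missed findings. I would keep a short comment next to `any()`, e.g. `// alert locations: the highlight and the backtracking term; both must be returned by getASelectedSinkLocation`.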


@@ -0,0 +1,6 @@
testFailures
debug_callableNotUnique
pointsTo_found_typeTracker_notFound
typeTracker_found_pointsTo_notFound
| type_annotations.py:6:5:6:14 | ControlFlowNode for Attribute() | Foo.method |
| type_annotations.py:16:5:16:14 | ControlFlowNode for Attribute() | Foo.method |


@@ -0,0 +1 @@
../CallGraph/InlineCallGraphTest.ql


@@ -0,0 +1,33 @@
class Foo:
def method(self):
pass
def test_parameter_annotation(x: Foo):
x.method() #$ tt=Foo.method
def test_no_parameter_annotation(x):
x.method()
def function_with_return_annotation() -> Foo:
return eval("Foo()")
def test_return_annotation():
x = function_with_return_annotation() #$ pt,tt=function_with_return_annotation
x.method() #$ tt=Foo.method
def function_without_return_annotation():
return eval("Foo()")
def test_no_return_annotation():
x = function_without_return_annotation() #$ pt,tt=function_without_return_annotation
x.method()
def test_variable_annotation():
x = eval("Foo()")
x : Foo
# Currently fails because there is no flow from the class definition to the type annotation.
x.method() #$ MISSING: tt=Foo.method
def test_no_variable_annotation():
x = eval("Foo()")
x.method()
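Review bot: The new tests annotate only with the bare class name `Foo`, so they do not pin what the type tracker does when the annotation is not a direct class reference. Cases such as `x: "Foo"` (a string forward reference) and `x: Optional[Foo]` followed by `x.method()`, each with the expected `tt=` or `MISSING:` marker, would document the intended behaviour. The `MISSING:` marker in `test_variable_annotation` already records one known gap this way.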


@@ -1,4 +1,6 @@
/** Provides classes for working with locations. */
overlay[local]
module;
import files.FileSystem


@@ -1,4 +1,6 @@
/** Provides classes for working with files and folders. */
overlay[local?]
module;
private import codeql_ql.ast.internal.TreeSitter
private import codeql.Locations


@@ -1,3 +1,6 @@
overlay[local]
module;
private import ql
private import codeql_ql.ast.internal.TreeSitter
private import experimental.RA
@@ -23,6 +26,7 @@ private float stringToTimestamp(string str) {
}
bindingset[s]
overlay[global]
private Predicate getPredicateFromPosition(string s) {
exists(string r, string filepath, int startline | r = "(.*):(\\d+),(\\d+)-(\\d+),(\\d+)" |
filepath = s.regexpCapture(r, 1) and
@@ -397,6 +401,7 @@ module KindPredicatesLog {
string getPosition() { result = this.getString("position") }
overlay[global]
Predicate getPredicate() { result = getPredicateFromPosition(this.getPosition()) }
/**


@@ -23,6 +23,7 @@ private predicate discardLocation(@location_default loc) {
)
}
overlay[local]
module QL {
/** The base class for all AST nodes */
class AstNode extends @ql_ast_node {
@@ -67,7 +68,6 @@ module QL {
}
/** Gets the file containing the given `node`. */
overlay[local]
private @file getNodeFile(@ql_ast_node node) {
exists(@location_default loc | ql_ast_node_location(node, loc) |
locations_default(loc, result, _, _, _, _)
@@ -75,7 +75,6 @@ module QL {
}
/** Holds if `node` is in the `file` and is part of the overlay base database. */
overlay[local]
private predicate discardableAstNode(@file file, @ql_ast_node node) {
not isOverlay() and file = getNodeFile(node)
}
@@ -1315,6 +1314,7 @@ module QL {
}
}
overlay[local]
module Dbscheme {
/** The base class for all AST nodes */
class AstNode extends @dbscheme_ast_node {
@@ -1359,7 +1359,6 @@ module Dbscheme {
}
/** Gets the file containing the given `node`. */
overlay[local]
private @file getNodeFile(@dbscheme_ast_node node) {
exists(@location_default loc | dbscheme_ast_node_location(node, loc) |
locations_default(loc, result, _, _, _, _)
@@ -1367,7 +1366,6 @@ module Dbscheme {
}
/** Holds if `node` is in the `file` and is part of the overlay base database. */
overlay[local]
private predicate discardableAstNode(@file file, @dbscheme_ast_node node) {
not isOverlay() and file = getNodeFile(node)
}
@@ -1673,6 +1671,7 @@ module Dbscheme {
}
}
overlay[local]
module Blame {
/** The base class for all AST nodes */
class AstNode extends @blame_ast_node {
@@ -1717,7 +1716,6 @@ module Blame {
}
/** Gets the file containing the given `node`. */
overlay[local]
private @file getNodeFile(@blame_ast_node node) {
exists(@location_default loc | blame_ast_node_location(node, loc) |
locations_default(loc, result, _, _, _, _)
@@ -1725,7 +1723,6 @@ module Blame {
}
/** Holds if `node` is in the `file` and is part of the overlay base database. */
overlay[local]
private predicate discardableAstNode(@file file, @blame_ast_node node) {
not isOverlay() and file = getNodeFile(node)
}
@@ -1808,6 +1805,7 @@ module Blame {
}
}
overlay[local]
module JSON {
/** The base class for all AST nodes */
class AstNode extends @json_ast_node {
@@ -1852,7 +1850,6 @@ module JSON {
}
/** Gets the file containing the given `node`. */
overlay[local]
private @file getNodeFile(@json_ast_node node) {
exists(@location_default loc | json_ast_node_location(node, loc) |
locations_default(loc, result, _, _, _, _)
@@ -1860,7 +1857,6 @@ module JSON {
}
/** Holds if `node` is in the `file` and is part of the overlay base database. */
overlay[local]
private predicate discardableAstNode(@file file, @json_ast_node node) {
not isOverlay() and file = getNodeFile(node)
}


@@ -1,6 +1,5 @@
/**
* Parses RA expressions.
*/
overlay[local]
module;
/**
* A predicate that contains RA.


@@ -6,6 +6,7 @@ import ql
import codeql_ql.StructuredLogs
import KindPredicatesLog
overlay[local]
module SumCounts implements Fold<int> {
int base(PipeLineRun run) { result = sum(int i | | run.getCount(i)) }


@@ -1,5 +1,6 @@
import experimental.RA
overlay[local]
class TestPredicate extends string {
TestPredicate() { this = "p1" }


@@ -0,0 +1,4 @@
---
category: breaking
---
* Most classes and predicates in the AST, SSA, and control-flow-graph libraries are now annotated with `overlay[local]`, in preparation for incremental analysis. This could result in compiler errors for custom queries if they extend these classes. To mitigate such errors, look for ways to restructure custom QL code so it doesn't depend on changing the behavior of standard-library classes.


@@ -1,4 +1,6 @@
/** Provides classes for working with locations. */
overlay[local]
module;
import files.FileSystem


@@ -1,4 +1,6 @@
/** Provides classes for working with files and folders. */
overlay[local]
module;
private import codeql.Locations
private import codeql.util.FileSystem


@@ -1,3 +1,6 @@
overlay[local]
module;
import codeql.Locations
import ast.Call
import ast.Control


@@ -1,4 +1,6 @@
/** Provides classes relating to extraction diagnostics. */
overlay[local]
module;
private import codeql.Locations


@@ -1,6 +1,10 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.Call
private import internal.Literal
private import internal.TreeSitter
private import codeql.ruby.dataflow.internal.DataFlowDispatch
private import codeql.ruby.dataflow.internal.DataFlowImplCommon
@@ -41,7 +45,7 @@ class Call extends Expr instanceof CallImpl {
final Expr getKeywordArgument(string keyword) {
exists(Pair p |
p = this.getAnArgument() and
p.getKey().getConstantValue().isSymbol(keyword) and
keyword = p.getKey().(SymbolLiteral).(StringlikeLiteralImpl).getStringValue() and
result = p.getValue()
)
}
@@ -52,6 +56,7 @@ class Call extends Expr instanceof CallImpl {
final int getNumberOfArguments() { result = super.getNumberOfArgumentsImpl() }
/** Gets a potential target of this call, if any. */
overlay[global]
final Callable getATarget() {
exists(DataFlowCall c |
this = c.asCall().getExpr() and
@@ -153,6 +158,7 @@ class MethodCall extends Call instanceof MethodCallImpl {
* TODO: When API Graphs is able to resolve calls to methods like `Kernel.send`
* this class is no longer necessary and should be removed.
*/
overlay[global]
class UnknownMethodCall extends MethodCall {
UnknownMethodCall() { not exists(this.(Call).getATarget()) }
}
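Review bot: In `getKeywordArgument` the key is now matched only when it is syntactically a `SymbolLiteral`, where the previous line accepted any key whose constant value was the symbol `keyword`. The change looks necessary because `getConstantValue()` becomes `overlay[global]` elsewhere in this commit, but it may narrow results for keys that only constant-propagate to a symbol, which matters to queries that look up security-relevant options passed as keyword arguments. The QLDoc of `getKeywordArgument`, which is outside the hunk, should state the literal-only matching, and a test with a non-literal symbol key would show whether any result is lost.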


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.Constant
@@ -6,6 +9,7 @@ private import internal.Variable
private import internal.TreeSitter
/** A constant value. */
overlay[global]
class ConstantValue extends TConstantValue {
/** Gets a textual representation of this constant value. */
final string toString() { this.hasValueWithType(result, _) }
@@ -134,6 +138,7 @@ class ConstantValue extends TConstantValue {
}
/** Provides different sub classes of `ConstantValue`. */
overlay[global]
module ConstantValue {
/** A constant integer value. */
class ConstantIntegerValue extends ConstantValue, TInt { }
@@ -268,15 +273,18 @@ class ConstantReadAccess extends ConstantAccess {
*
* the value being read at `M::CONST` is `"const"`.
*/
overlay[global]
Expr getValue() { result = getConstantReadAccessValue(this) }
/**
* Gets a fully qualified name for this constant read, based on the context in
* which it occurs.
*/
overlay[global]
string getAQualifiedName() { result = resolveConstant(this) }
/** Gets the module that this read access resolves to, if any. */
overlay[global]
Module getModule() { result = resolveConstantReadAccess(this) }
final override string getAPrimaryQlClass() { result = "ConstantReadAccess" }
@@ -342,6 +350,7 @@ class ConstantWriteAccess extends ConstantAccess {
* constants up the namespace chain, the fully qualified name of a nested
* constant can be ambiguous from just statically looking at the AST.
*/
overlay[global]
string getAQualifiedName() { result = resolveConstantWrite(this) }
}


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.Control


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.Erb
private import internal.TreeSitter


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.CFG
private import internal.AST
@@ -12,6 +15,7 @@ private import internal.TreeSitter
*/
class Expr extends Stmt, TExpr {
/** Gets the constant value of this expression, if any. */
overlay[global]
ConstantValue getConstantValue() { result = getConstantValueExpr(this) }
}
@@ -425,6 +429,7 @@ class StringConcatenation extends Expr, TStringConcatenation {
* "foo" "bar#{ n }"
* ```
*/
overlay[global]
final string getConcatenatedValueText() {
forall(StringLiteral c | c = this.getString(_) |
exists(c.getConstantValue().getStringlikeValue())


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.Regexp as RE
private import internal.AST
@@ -41,6 +44,7 @@ class IntegerLiteral extends NumericLiteral instanceof IntegerLiteralImpl {
/** Gets the numerical value of this integer literal. */
final int getValue() { result = super.getValue() }
overlay[global]
final override ConstantValue::ConstantIntegerValue getConstantValue() {
result = NumericLiteral.super.getConstantValue()
}
@@ -57,6 +61,7 @@ class IntegerLiteral extends NumericLiteral instanceof IntegerLiteralImpl {
* ```
*/
class FloatLiteral extends NumericLiteral instanceof FloatLiteralImpl {
overlay[global]
final override ConstantValue::ConstantFloatValue getConstantValue() {
result = NumericLiteral.super.getConstantValue()
}
@@ -72,6 +77,7 @@ class FloatLiteral extends NumericLiteral instanceof FloatLiteralImpl {
* ```
*/
class RationalLiteral extends NumericLiteral instanceof RationalLiteralImpl {
overlay[global]
final override ConstantValue::ConstantRationalValue getConstantValue() {
result = NumericLiteral.super.getConstantValue()
}
@@ -87,6 +93,7 @@ class RationalLiteral extends NumericLiteral instanceof RationalLiteralImpl {
* ```
*/
class ComplexLiteral extends NumericLiteral instanceof ComplexLiteralImpl {
overlay[global]
final override ConstantValue::ConstantComplexValue getConstantValue() {
result = NumericLiteral.super.getConstantValue()
}
@@ -96,6 +103,7 @@ class ComplexLiteral extends NumericLiteral instanceof ComplexLiteralImpl {
/** A `nil` literal. */
class NilLiteral extends Literal instanceof NilLiteralImpl {
overlay[global]
final override ConstantValue::ConstantNilValue getConstantValue() { result = TNil() }
final override string getAPrimaryQlClass() { result = "NilLiteral" }
@@ -122,6 +130,7 @@ class BooleanLiteral extends Literal instanceof BooleanLiteralImpl {
/** Gets the value of this Boolean literal. */
boolean getValue() { result = super.getValue() }
overlay[global]
final override ConstantValue::ConstantBooleanValue getConstantValue() {
result = Literal.super.getConstantValue()
}
@@ -133,6 +142,7 @@ class BooleanLiteral extends Literal instanceof BooleanLiteralImpl {
class EncodingLiteral extends Literal instanceof EncodingLiteralImpl {
final override string getAPrimaryQlClass() { result = "EncodingLiteral" }
overlay[global]
final override ConstantValue::ConstantStringValue getConstantValue() {
result = Literal.super.getConstantValue()
}
@@ -144,6 +154,7 @@ class EncodingLiteral extends Literal instanceof EncodingLiteralImpl {
class LineLiteral extends Literal instanceof LineLiteralImpl {
final override string getAPrimaryQlClass() { result = "LineLiteral" }
overlay[global]
final override ConstantValue::ConstantIntegerValue getConstantValue() {
result = Literal.super.getConstantValue()
}
@@ -155,6 +166,7 @@ class LineLiteral extends Literal instanceof LineLiteralImpl {
class FileLiteral extends Literal instanceof FileLiteralImpl {
final override string getAPrimaryQlClass() { result = "FileLiteral" }
overlay[global]
final override ConstantValue::ConstantStringValue getConstantValue() {
result = Literal.super.getConstantValue()
}
@@ -166,6 +178,7 @@ class FileLiteral extends Literal instanceof FileLiteralImpl {
*/
class StringComponent extends AstNode instanceof StringComponentImpl {
/** Gets the constant value of this string component, if any. */
overlay[global]
ConstantValue::ConstantStringValue getConstantValue() { result = TString(super.getValue()) }
}
@@ -210,6 +223,7 @@ class StringInterpolationComponent extends StringComponent, StmtSequence instanc
final override Stmt getStmt(int n) { toGenerated(result) = g.getChild(n) }
overlay[global]
final override ConstantValue::ConstantStringValue getConstantValue() {
result = StmtSequence.super.getConstantValue()
}
@@ -257,6 +271,7 @@ class RegExpInterpolationComponent extends RegExpComponent, StmtSequence instanc
final override Stmt getStmt(int n) { toGenerated(result) = g.getChild(n) }
overlay[global]
final override ConstantValue::ConstantStringValue getConstantValue() {
result = StmtSequence.super.getConstantValue()
}
@@ -387,6 +402,7 @@ class RegExpLiteral extends StringlikeLiteral instanceof RegExpLiteralImpl {
final predicate hasFreeSpacingFlag() { this.getFlagString().charAt(_) = "x" }
/** Returns the root node of the parse tree of this regular expression. */
overlay[global]
final RE::RegExpTerm getParsed() { result = RE::getParsedRegExp(this) }
}
@@ -404,6 +420,7 @@ class SymbolLiteral extends StringlikeLiteral instanceof SymbolLiteralImpl {
not this instanceof MethodName and result = "SymbolLiteral"
}
overlay[global]
final override ConstantValue::ConstantSymbolValue getConstantValue() {
result = StringlikeLiteral.super.getConstantValue()
}
@@ -436,6 +453,7 @@ class SubshellLiteral extends StringlikeLiteral instanceof SubshellLiteralImpl {
class CharacterLiteral extends Literal instanceof CharacterLiteralImpl {
final override string getAPrimaryQlClass() { result = "CharacterLiteral" }
overlay[global]
final override ConstantValue::ConstantStringValue getConstantValue() {
result = Literal.super.getConstantValue()
}


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.controlflow.ControlFlowGraph
private import internal.AST
@@ -40,18 +43,22 @@ class MethodBase extends Callable, BodyStmt, Scope, TMethodBase {
* Holds if this method is public.
* Methods are public by default.
*/
overlay[global]
predicate isPublic() { this.getVisibility() = "public" }
/** Holds if this method is private. */
overlay[global]
predicate isPrivate() { this.getVisibility() = "private" }
/** Holds if this method is protected. */
overlay[global]
predicate isProtected() { this.getVisibility() = "protected" }
/**
* Gets a string describing the visibility of this method.
* This is either 'public', 'private' or 'protected'.
*/
overlay[global]
string getVisibility() {
result = getVisibilityModifier(this).getVisibility()
or
@@ -73,6 +80,7 @@ class MethodBase extends Callable, BodyStmt, Scope, TMethodBase {
* end
* ```
*/
overlay[global]
private VisibilityModifier getExplicitVisibilityModifier(Method m) {
result.getMethodArgument() = m
or
@@ -86,6 +94,7 @@ private VisibilityModifier getExplicitVisibilityModifier(Method m) {
* Gets the visibility modifier that defines the visibility of method `m`, if
* any.
*/
overlay[global]
private VisibilityModifier getVisibilityModifier(MethodBase mb) {
mb =
any(Method m |
@@ -202,6 +211,7 @@ class Method extends MethodBase, TMethod {
* end
* ```
*/
overlay[global]
override predicate isPrivate() { super.isPrivate() }
final override Parameter getParameter(int n) {
@@ -210,6 +220,7 @@ class Method extends MethodBase, TMethod {
final override string toString() { result = this.getName() }
overlay[global]
override string getVisibility() {
result = getVisibilityModifier(this).getVisibility()
or
@@ -223,6 +234,7 @@ class Method extends MethodBase, TMethod {
}
}
overlay[global]
pragma[nomagic]
private predicate modifiesIn(VisibilityModifier vm, ModuleBase n, string name) {
n = vm.getEnclosingModule() and
@@ -299,6 +311,7 @@ class SingletonMethod extends MethodBase, TSingletonMethod {
* end
* ```
*/
overlay[global]
override predicate isPrivate() { super.isPrivate() }
}
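Review bot: The visibility predicates in this file each opt out of the new `overlay[local]` module default, and no comment says why, so a later edit could add or drop an annotation without noticing the dependency. From the visible lines the chain is `isPublic`/`isPrivate`/`isProtected` → `getVisibility()` → `getVisibilityModifier`, all marked `overlay[global]`. The reason the root helpers (`getExplicitVisibilityModifier`, `modifiesIn`) need global evaluation is not shown in these hunks. I would add one line on `getVisibility()` in `MethodBase`, such as `// overlay[global]: depends on getVisibilityModifier, which is evaluated globally`, and state the underlying reason once on `modifiesIn`. Several of these bodies continue outside the hunks.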


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.CFG
private import internal.AST
@@ -8,6 +11,7 @@ private import internal.Scope
/**
* A representation of a run-time `module` or `class` value.
*/
overlay[global]
class Module extends TModule {
/** Gets a declaration of this module, if any. */
ModuleBase getADeclaration() { result.getModule() = this }
@@ -255,6 +259,7 @@ class ModuleBase extends BodyStmt, Scope, TModuleBase {
}
/** Gets the representation of the run-time value of this module or class. */
overlay[global]
Module getModule() { none() }
/**
@@ -333,6 +338,7 @@ class Toplevel extends ModuleBase, TToplevel {
pred = "getBeginBlock" and result = this.getBeginBlock(_)
}
overlay[global]
final override Module getModule() { result = TResolved("Object") }
final override string toString() { result = g.getLocation().getFile().getBaseName() }
@@ -405,6 +411,7 @@ class Namespace extends ModuleBase, ConstantWriteAccess, TNamespace {
*/
override predicate hasGlobalScope() { none() }
overlay[global]
final override Module getModule() {
result = any(string qName | qName = namespaceDeclaration(this) | TResolved(qName))
or


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.TreeSitter


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.Variable


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.Pattern
@@ -203,6 +206,7 @@ class HashPattern extends CasePattern, THashPattern {
}
/** Gets the value for a given key name. */
overlay[global]
CasePattern getValueByKey(string key) {
exists(int i |
this.getKey(i).getConstantValue().isStringlikeValue(key) and result = this.getValue(i)


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST
private import internal.Scope


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.CFG
private import internal.AST


@@ -1,4 +1,6 @@
/** Provides classes for modeling program variables. */
overlay[local]
module;
private import codeql.ruby.AST
private import internal.AST


@@ -1,3 +1,6 @@
overlay[local]
module;
import codeql.Locations
private import TreeSitter
private import codeql.ruby.ast.internal.Call


@@ -1,3 +1,6 @@
overlay[local]
module;
private import TreeSitter
private import Variable
private import codeql.ruby.AST


@@ -38,6 +38,7 @@ private import ExprNodes
* constant value in some cases.
*/
private module Propagation {
overlay[local]
ExprCfgNode getSource(VariableReadAccessCfgNode read) {
exists(Ssa::WriteDefinition def |
def.assigns(result) and
@@ -199,6 +200,7 @@ private module Propagation {
forex(ExprCfgNode n | n = e.getAControlFlowNode() | isComplex(n, real, imaginary))
}
overlay[local]
private class StringlikeLiteralWithInterpolationCfgNode extends StringlikeLiteralCfgNode {
StringlikeLiteralWithInterpolationCfgNode() {
this.getAComponent() =
@@ -208,6 +210,7 @@ private module Propagation {
)
}
overlay[global]
pragma[nomagic]
private string getComponentValue(int i) {
this.getComponent(i) =
@@ -219,17 +222,20 @@ private module Propagation {
}
language[monotonicAggregates]
overlay[global]
private string getValue() {
result =
strictconcat(int i | exists(this.getComponent(i)) | this.getComponentValue(i) order by i)
}
overlay[global]
pragma[nomagic]
string getSymbolValue() {
result = this.getValue() and
this.getExpr() instanceof SymbolLiteral
}
overlay[global]
pragma[nomagic]
string getStringValue() {
result = this.getValue() and
@@ -237,6 +243,7 @@ private module Propagation {
not this.getExpr() instanceof RegExpLiteral
}
overlay[global]
pragma[nomagic]
string getRegExpValue(string flags) {
result = this.getValue() and
@@ -566,6 +573,7 @@ private predicate isArrayExpr(Expr e, ArrayLiteralCfgNode arr) {
isArrayExpr(e.(MethodCall).getReceiver(), arr)
}
overlay[local]
private class TokenConstantAccess extends ConstantAccess, TTokenConstantAccess {
private Ruby::Constant g;
@@ -577,6 +585,7 @@ private class TokenConstantAccess extends ConstantAccess, TTokenConstantAccess {
/**
* A constant access that has a scope resolution qualifier.
*/
overlay[local]
class ScopeResolutionConstantAccess extends ConstantAccess, TScopeResolutionConstantAccess {
private Ruby::ScopeResolution g;
private Ruby::Constant constant;
@@ -595,6 +604,7 @@ class ScopeResolutionConstantAccess extends ConstantAccess, TScopeResolutionCons
final override predicate hasGlobalScope() { not exists(g.getScope()) }
}
overlay[local]
private class ConstantReadAccessSynth extends ConstantAccess, TConstantReadAccessSynth {
private string value;
@@ -609,6 +619,7 @@ private class ConstantReadAccessSynth extends ConstantAccess, TConstantReadAcces
final override predicate hasGlobalScope() { value.matches("::%") }
}
overlay[local]
private class ConstantWriteAccessSynth extends ConstantAccess, TConstantWriteAccessSynth {
private string value;
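Review bot: `StringlikeLiteralWithInterpolationCfgNode` is marked `overlay[local]` while every member predicate visible here (`getComponentValue`, `getValue`, `getSymbolValue`, `getStringValue`, `getRegExpValue`) is marked `overlay[global]`, and nothing explains the split. A short QLDoc line on the class would help, for example `/** The class is overlay[local]; its value predicates are overlay[global]. */`, together with the reason, which these hunks do not show. As a style point, `getValue()` puts `language[monotonicAggregates]` before `overlay[global]`, whereas the other predicates put `overlay[global]` first ahead of `pragma[nomagic]`. Picking one order keeps the annotations easy to scan. The class and the `Propagation` module continue outside the hunks.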


@@ -1,3 +1,6 @@
overlay[local]
module;
private import TreeSitter
private import codeql.ruby.AST
private import codeql.ruby.ast.internal.AST


@@ -1,3 +1,6 @@
overlay[local]
module;
import codeql.Locations
private import TreeSitter
private import codeql.ruby.ast.Erb


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.CFG
private import AST


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import AST
private import Constant


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import AST
private import TreeSitter


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import Scope as Scope
@@ -11,6 +14,7 @@ private string builtin() {
]
}
overlay[global]
cached
private module Cached {
cached
@@ -215,6 +219,7 @@ private string scopeAppend(string qualifier, string name) {
* both as a performance optimization (minimize non-linear recursion), and as a way
* to prevent infinite recursion.
*/
overlay[global]
private module ResolveImpl {
private ModuleBase enclosing(ModuleBase m, int level) {
result = m and level = 0
@@ -583,6 +588,7 @@ private ModuleBase enclosingModuleNoBlock(Stmt node) {
result = enclosingScopesNoBlock(Scope::scopeOfInclSynth(node))
}
overlay[global]
private Module getAncestors(Module m) {
result = m or
result = getAncestors(m.getAnIncludedModule()) or
@@ -593,6 +599,7 @@ private newtype TMethodOrExpr =
TMethod(Method m) or
TExpr(Expr e)
overlay[global]
private TMethodOrExpr getMethodOrConst(TModule owner, string name) {
exists(ModuleBase m | m.getModule() = owner |
result = TMethod(m.getMethod(name))
@@ -601,12 +608,14 @@ private TMethodOrExpr getMethodOrConst(TModule owner, string name) {
)
}
overlay[global]
module ExposedForTestingOnly {
Method getMethod(TModule owner, string name) { TMethod(result) = getMethodOrConst(owner, name) }
Expr getConst(TModule owner, string name) { TExpr(result) = getMethodOrConst(owner, name) }
}
overlay[global]
private TMethodOrExpr lookupMethodOrConst0(Module m, string name) {
result = lookupMethodOrConst0(m.getAPrependedModule(), name)
or
@@ -621,6 +630,7 @@ private TMethodOrExpr lookupMethodOrConst0(Module m, string name) {
private AstNode getNode(TMethodOrExpr e) { e = TMethod(result) or e = TExpr(result) }
overlay[global]
private TMethodOrExpr lookupMethodOrConst(Module m, string name) {
result = lookupMethodOrConst0(m, name)
or
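Review bot: `getNode` appears to be left without an annotation, so under the new `overlay[local]` module header it is evaluated locally while the predicates on either side of it (`lookupMethodOrConst0`, `lookupMethodOrConst`) are `overlay[global]`. That looks intentional, since the visible body only unwraps `TMethod`/`TExpr`, but a one-line comment such as `// local: only unwraps the TMethodOrExpr branches` would make the choice clear to the next reader. The line above `getNode` is outside the hunk, so an existing annotation there cannot be ruled out. The bodies of both lookup predicates continue outside the hunks.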


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import AST
private import TreeSitter


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import AST
private import TreeSitter


@@ -1,3 +1,6 @@
overlay[local]
module;
private import codeql.ruby.AST
private import codeql.ruby.ast.internal.Expr
private import codeql.ruby.ast.internal.Parameter
