From 9912aaaf1ab2a66f9d5bc28c777214bf09eb4773 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 30 Sep 2025 13:32:56 -0400 Subject: [PATCH 001/110] Adding azure sdk test cases and updated test expected file. --- .../FullServerSideRequestForgery.expected | 6 +++--- .../PartialServerSideRequestForgery.expected | 10 +++++----- .../test_azure_client.py | 4 ++++ 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected index 33970318461..ae554fa812c 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected @@ -45,7 +45,7 @@ edges | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:32:18:32:25 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | +| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:1:26:1:32 | ControlFlowNode for request | provenance | | | test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | @@ -110,7 +110,7 @@ nodes | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:32:18:32:25 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_http_client.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | @@ -148,7 +148,7 @@ subpaths | test_azure_client.py:19:9:19:47 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | | test_azure_client.py:21:9:21:39 | ControlFlowNode for KeyClient() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | | test_azure_client.py:23:9:23:89 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:31:5:36:5 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:32:18:32:25 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:32:5:37:5 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:14:5:14:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:14:5:14:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:14:25:14:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:19:5:19:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected index bdcac746538..bbe756e24b7 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected @@ -89,12 +89,12 @@ edges | test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:18:39:18:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | | test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:20:19:20:21 | ControlFlowNode for url | provenance | Sink:MaD:14 | | test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:22:58:22:60 | ControlFlowNode for url | provenance | Sink:MaD:26 | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:26:18:26:20 | ControlFlowNode for url | provenance | Sink:MaD:27 | +| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:27:18:27:20 | ControlFlowNode for url | provenance | Sink:MaD:27 | | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:17:32:17:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:32:18:32:25 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | +| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:1:26:1:32 | ControlFlowNode for request | provenance | | | test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | @@ -207,8 +207,8 @@ nodes | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_azure_client.py:22:58:22:60 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:26:18:26:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:32:18:32:25 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:27:18:27:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_http_client.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | @@ -245,7 +245,7 @@ subpaths | test_azure_client.py:18:9:18:42 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:18:39:18:41 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | | test_azure_client.py:20:9:20:34 | ControlFlowNode for KeyClient() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:20:19:20:21 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | | test_azure_client.py:22:9:22:84 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:22:58:22:60 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:25:5:30:5 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:26:18:26:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:26:5:31:5 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:27:18:27:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:22:5:22:31 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:26:5:26:31 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:25:27:25:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:29:5:29:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:29:25:29:35 | ControlFlowNode for unsafe_path | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py index d8de2092a2e..f78b0a64137 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py @@ -22,6 +22,7 @@ def azure_sdk_test(credential, output_path): c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control + download_blob_from_url( blob_url=url, # NOT OK -- user only controlled fragment output=output_path, @@ -34,3 +35,6 @@ def azure_sdk_test(credential, output_path): credential=credential, overwrite=True ) + + + From b8ba9052533e62f30f361db281e86e0be583a685 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 30 Sep 2025 13:55:31 -0400 Subject: [PATCH 002/110] Added change logs. --- .../lib/change-notes/released/2025-09-30-azure_ssrf_models | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models diff --git a/python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models b/python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models new file mode 100644 index 00000000000..573d5ea109d --- /dev/null +++ b/python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* Added `ssrf` MaD for the azure SDK +* Added MaD `ssrf` to `Http::Client::Request` \ No newline at end of file From 46a2a249f9d7d982bdb3dc829abade9c69f82e51 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 30 Sep 2025 14:00:16 -0400 Subject: [PATCH 003/110] Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../CWE-918-ServerSideRequestForgery/test_azure_client.py | 1 - 1 file changed, 1 deletion(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py index f78b0a64137..5d2b04b9c9d 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py @@ -22,7 +22,6 @@ def azure_sdk_test(credential, output_path): c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control - download_blob_from_url( blob_url=url, # NOT OK -- user only controlled fragment output=output_path, From 08b72d0a868fe57d42bdac4f0c73f71e2851176f Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 30 Sep 2025 14:00:25 -0400 Subject: [PATCH 004/110] Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../CWE-918-ServerSideRequestForgery/test_azure_client.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py index 5d2b04b9c9d..d8de2092a2e 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py @@ -34,6 +34,3 @@ def azure_sdk_test(credential, output_path): credential=credential, overwrite=True ) - - - From 7db97799c1415a70502009fa31ca9fa5084253ae Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 30 Sep 2025 14:02:43 -0400 Subject: [PATCH 005/110] Moved change log to correct location. --- python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md | 4 ++-- .../lib/change-notes/released/2025-09-30-azure_ssrf_models | 5 ----- 2 files changed, 2 insertions(+), 7 deletions(-) delete mode 100644 python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models diff --git a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md b/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md index 283b703a438..573d5ea109d 100644 --- a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md +++ b/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md @@ -1,5 +1,5 @@ --- category: minorAnalysis --- -* Added request forgery sink models for the Azure SDK. -* Made it so that models-as-data sinks with the kind `request-forgery` contribute to the class `Http::Client::Request` which represents HTTP client requests. \ No newline at end of file +* Added `ssrf` MaD for the azure SDK +* Added MaD `ssrf` to `Http::Client::Request` \ No newline at end of file diff --git a/python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models b/python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models deleted file mode 100644 index 573d5ea109d..00000000000 --- a/python/ql/lib/change-notes/released/2025-09-30-azure_ssrf_models +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Added `ssrf` MaD for the azure SDK -* Added MaD `ssrf` to `Http::Client::Request` \ No newline at end of file From 265922d2e509bbd93fbbe87227eb49204a083a5f Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 30 Sep 2025 14:07:32 -0400 Subject: [PATCH 006/110] Adding docs. --- .../lib/semmle/python/frameworks/SSRFSink.qll | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 python/ql/lib/semmle/python/frameworks/SSRFSink.qll diff --git a/python/ql/lib/semmle/python/frameworks/SSRFSink.qll b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll new file mode 100644 index 00000000000..e9b7ff9e474 --- /dev/null +++ b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll @@ -0,0 +1,42 @@ +/** + * Provides classes for SSRF sinks modeled using Models as Data (MaD). + */ + +private import python +private import semmle.python.Concepts +private import semmle.python.ApiGraphs +private import semmle.python.frameworks.data.ModelsAsData + +/** + * INTERNAL: Do not use. + * + * Sets up SSRF sinks as Http::Client::Request + */ +module SSRFMaDModel { + /** + * An HTTP request modeled from `ssrf` sinks, modeled using MaD. + */ + class SSRFSink extends Http::Client::Request::Range instanceof API::CallNode { + DataFlow::Node urlArg; + + SSRFSink() { + ( + this.getArg(_) = urlArg + or + this.getArgByName(_) = urlArg + ) and + urlArg = ModelOutput::getASinkNode("ssrf").asSink() + } + + override DataFlow::Node getAUrlPart() { result = urlArg } + + override string getFramework() { result = "MaD" } + + override predicate disablesCertificateValidation( + DataFlow::Node disablingNode, DataFlow::Node argumentOrigin + ) { + // NOTE: if you need to define this, you have to special case it for every possible API in MaD + none() + } + } +} From 88adb05d4b21928d26aafc8e5c3d083268ac2068 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 30 Sep 2025 14:09:06 -0400 Subject: [PATCH 007/110] Adjusting acryonym for SSRF for casing standards. --- python/ql/lib/semmle/python/frameworks/SSRFSink.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/ql/lib/semmle/python/frameworks/SSRFSink.qll b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll index e9b7ff9e474..aeb228daf13 100644 --- a/python/ql/lib/semmle/python/frameworks/SSRFSink.qll +++ b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll @@ -12,14 +12,14 @@ private import semmle.python.frameworks.data.ModelsAsData * * Sets up SSRF sinks as Http::Client::Request */ -module SSRFMaDModel { +module SsrfMaDModel { /** * An HTTP request modeled from `ssrf` sinks, modeled using MaD. */ - class SSRFSink extends Http::Client::Request::Range instanceof API::CallNode { + class SsrfSink extends Http::Client::Request::Range instanceof API::CallNode { DataFlow::Node urlArg; - SSRFSink() { + SsrfSink() { ( this.getArg(_) = urlArg or From 27e19813bea78bcfbfca6b13354a8637529066aa Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 2 Feb 2026 10:13:59 -0500 Subject: [PATCH 008/110] Removing an upstream change log, not needed for local fork update. --- python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md diff --git a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md b/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md deleted file mode 100644 index 573d5ea109d..00000000000 --- a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Added `ssrf` MaD for the azure SDK -* Added MaD `ssrf` to `Http::Client::Request` \ No newline at end of file From 97ddab0724bc37dec318f02ff79d091423236db5 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 2 Feb 2026 16:09:53 -0500 Subject: [PATCH 009/110] Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet. --- ...ServerSideRequestForgeryCustomizations.qll | 45 ++ .../FullServerSideRequestForgery.expected | 364 +++++++----- .../FullServerSideRequestForgery.qlref | 3 +- .../PartialServerSideRequestForgery.expected | 538 +++++++++++------- .../PartialServerSideRequestForgery.qlref | 3 +- .../full_partial_test.py | 75 ++- .../test_azure_client.py | 233 +++++++- .../test_http_client.py | 33 +- .../test_path_validation.py | 132 +++++ .../test_requests.py | 48 +- 10 files changed, 1061 insertions(+), 413 deletions(-) create mode 100644 python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll index 274e7ee57ad..2139ecf797d 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll @@ -176,4 +176,49 @@ module ServerSideRequestForgery { strNode = [call.getArg(0), call.getArgByName("string")] ) } + + /** A validation that a string does not contain certain characters, considered as a sanitizer. */ + private class UriValidator extends FullUrlControlSanitizer { + UriValidator() { this = DataFlow::BarrierGuard::getABarrierNode() } + } + + import semmle.python.dataflow.new.internal.DataFlowPublic + + private predicate uri_validator(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) { + exists(DataFlow::CallCfgNode call, Node n, string funcs | + funcs in ["in_domain", "in_azure_keyvault_domain", "in_azure_storage_domain"] + | + call = API::moduleImport("AntiSSRF").getMember("URIValidator").getMember(funcs).getACall() and + call.getArg(0).asCfgNode() = node and + n.getALocalSource() = call and + ( + // validator used in a comparison + exists(CompareNode cn, Cmpop op | cn = g | + ( + // validator == true or validator == false or validator is True or validator is False + (op instanceof Eq or op instanceof Is) and + exists(ControlFlowNode l, boolean bool | + l.getNode().(BooleanLiteral).booleanValue() = bool and + bool in [true, false] and + branch = bool and + cn.operands(n.asCfgNode(), op, l) + ) + or + // validator != false or validator != true or validator is not True or validator is not False + (op instanceof NotEq or op instanceof IsNot) and + exists(ControlFlowNode l, boolean bool | + l.getNode().(BooleanLiteral).booleanValue() = bool and + bool in [true, false] and + branch = bool.booleanNot() and + cn.operands(n.asCfgNode(), op, l) + ) + ) + ) + or + // validator call directly (e.g., if URIValidator.in_domain(...) ) + g = call.asCfgNode() and + branch = true + ) + ) + } } diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected index ae554fa812c..19b5f7efa9d 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected @@ -1,156 +1,260 @@ +#select +| full_partial_test.py:11:5:11:28 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:11:18:11:27 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:15:5:15:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:15:18:15:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:22:5:22:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:22:18:22:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:27:5:27:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:27:18:27:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:47:5:47:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:47:18:47:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:51:5:51:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:55:5:55:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:55:18:55:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:59:5:59:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:59:18:59:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:63:5:63:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:63:18:63:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:72:5:72:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:72:18:72:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:76:5:76:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:89:5:89:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:93:5:93:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:93:18:93:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:97:5:97:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:97:18:97:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:16:9:16:63 | ControlFlowNode for SecretClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:18:9:18:47 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:20:9:20:39 | ControlFlowNode for KeyClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:22:9:22:89 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:25:5:25:104 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:15:5:15:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:15:5:15:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:15:25:15:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:21:5:21:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:21:5:21:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:21:25:21:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:21:13:21:67 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:37:13:37:64 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:53:13:53:51 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:64:13:64:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:64:36:64:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:71:13:71:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:71:36:71:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:74:13:74:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:74:36:74:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:79:13:79:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:87:13:87:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:87:36:87:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:90:13:90:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:90:36:90:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:95:13:95:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:95:36:95:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:102:13:102:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:102:36:102:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:107:13:107:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:107:36:107:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:110:13:110:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:110:36:110:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:115:13:115:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:115:36:115:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:122:13:122:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:122:36:122:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:125:13:125:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:125:36:125:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:132:13:132:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:132:36:132:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_requests.py:9:5:9:28 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:9:18:9:27 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_requests.py:17:5:17:27 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_requests.py:22:16:22:55 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | edges | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | provenance | | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:37:18:37:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:57:18:57:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:71:18:71:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:10:18:10:27 | ControlFlowNode for user_input | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:12:5:12:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:18:5:18:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:22:5:22:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:41:18:41:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:66:18:66:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:83:18:83:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:11:18:11:27 | ControlFlowNode for user_input | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:13:5:13:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:20:5:20:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:25:5:25:7 | ControlFlowNode for url | provenance | | | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:12:5:12:7 | ControlFlowNode for url | full_partial_test.py:13:18:13:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:18:5:18:7 | ControlFlowNode for url | full_partial_test.py:19:18:19:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:22:5:22:7 | ControlFlowNode for url | full_partial_test.py:23:18:23:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:41:5:41:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:44:5:44:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:47:5:47:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:50:5:50:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:18:37:24 | ControlFlowNode for request | full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:41:5:41:7 | ControlFlowNode for url | full_partial_test.py:42:18:42:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:44:5:44:7 | ControlFlowNode for url | full_partial_test.py:45:18:45:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:47:5:47:7 | ControlFlowNode for url | full_partial_test.py:48:18:48:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:50:5:50:7 | ControlFlowNode for url | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:53:5:53:7 | ControlFlowNode for url | full_partial_test.py:54:18:54:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | full_partial_test.py:61:5:61:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | full_partial_test.py:64:5:64:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:18:57:24 | ControlFlowNode for request | full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:61:5:61:7 | ControlFlowNode for url | full_partial_test.py:62:18:62:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:64:5:64:7 | ControlFlowNode for url | full_partial_test.py:65:18:65:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | full_partial_test.py:75:5:75:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | full_partial_test.py:78:5:78:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | full_partial_test.py:81:5:81:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:18:71:24 | ControlFlowNode for request | full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:75:5:75:7 | ControlFlowNode for url | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:78:5:78:7 | ControlFlowNode for url | full_partial_test.py:79:18:79:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:81:5:81:7 | ControlFlowNode for url | full_partial_test.py:82:18:82:20 | ControlFlowNode for url | provenance | | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:7:19:7:25 | ControlFlowNode for request | provenance | | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for request | test_azure_client.py:10:18:10:24 | ControlFlowNode for request | provenance | | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for request | test_azure_client.py:11:19:11:25 | ControlFlowNode for request | provenance | | -| test_azure_client.py:10:18:10:24 | ControlFlowNode for request | test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | provenance | | -| test_azure_client.py:11:19:11:25 | ControlFlowNode for request | test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:17:32:17:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | -| test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | +| full_partial_test.py:13:5:13:7 | ControlFlowNode for url | full_partial_test.py:15:18:15:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:20:5:20:7 | ControlFlowNode for url | full_partial_test.py:22:18:22:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:25:5:25:7 | ControlFlowNode for url | full_partial_test.py:27:18:27:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:45:5:45:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:49:5:49:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:57:5:57:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:61:5:61:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:18:41:24 | ControlFlowNode for request | full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:45:5:45:7 | ControlFlowNode for url | full_partial_test.py:47:18:47:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:49:5:49:7 | ControlFlowNode for url | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:53:5:53:7 | ControlFlowNode for url | full_partial_test.py:55:18:55:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:57:5:57:7 | ControlFlowNode for url | full_partial_test.py:59:18:59:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:61:5:61:7 | ControlFlowNode for url | full_partial_test.py:63:18:63:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | full_partial_test.py:70:5:70:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | full_partial_test.py:74:5:74:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:18:66:24 | ControlFlowNode for request | full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:70:5:70:7 | ControlFlowNode for url | full_partial_test.py:72:18:72:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:74:5:74:7 | ControlFlowNode for url | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | full_partial_test.py:87:5:87:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | full_partial_test.py:91:5:91:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | full_partial_test.py:95:5:95:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:18:83:24 | ControlFlowNode for request | full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:87:5:87:7 | ControlFlowNode for url | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:91:5:91:7 | ControlFlowNode for url | full_partial_test.py:93:18:93:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:95:5:95:7 | ControlFlowNode for url | full_partial_test.py:97:18:97:20 | ControlFlowNode for url | provenance | | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:6:19:6:25 | ControlFlowNode for request | provenance | | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for request | test_azure_client.py:9:18:9:24 | ControlFlowNode for request | provenance | | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for request | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | +| test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | provenance | | +| test_azure_client.py:10:19:10:25 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | +| test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:1:19:1:25 | ControlFlowNode for request | provenance | | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | provenance | | -| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | provenance | | -| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:25:27:25:37 | ControlFlowNode for unsafe_host | provenance | | +| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | provenance | | +| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:28:27:28:37 | ControlFlowNode for unsafe_host | provenance | | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | provenance | AdditionalTaintStep | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | provenance | AdditionalTaintStep | -| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:14:25:14:35 | ControlFlowNode for unsafe_path | provenance | | -| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:19:25:19:35 | ControlFlowNode for unsafe_path | provenance | | -| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:29:25:29:35 | ControlFlowNode for unsafe_path | provenance | | +| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:15:25:15:35 | ControlFlowNode for unsafe_path | provenance | | +| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:21:25:21:35 | ControlFlowNode for unsafe_path | provenance | | +| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:34:25:34:35 | ControlFlowNode for unsafe_path | provenance | | | test_http_client.py:10:19:10:25 | ControlFlowNode for request | test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | provenance | AdditionalTaintStep | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:5:19:5:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:8:18:8:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | provenance | | +| test_path_validation.py:9:19:9:25 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | provenance | | +| test_path_validation.py:25:19:25:25 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | provenance | | +| test_path_validation.py:41:19:41:25 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | provenance | | +| test_path_validation.py:57:18:57:24 | ControlFlowNode for request | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:36:64:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:36:71:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:36:74:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:36:87:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:36:90:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:36:95:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:36:102:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:36:107:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:36:110:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:36:115:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:36:122:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:36:125:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:36:132:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:6:18:6:24 | ControlFlowNode for request | provenance | | -| test_requests.py:6:5:6:14 | ControlFlowNode for user_input | test_requests.py:8:18:8:27 | ControlFlowNode for user_input | provenance | | -| test_requests.py:6:18:6:24 | ControlFlowNode for request | test_requests.py:6:5:6:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | +| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | +| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:20:18:20:24 | ControlFlowNode for request | provenance | | +| test_requests.py:7:5:7:14 | ControlFlowNode for user_input | test_requests.py:9:18:9:27 | ControlFlowNode for user_input | provenance | | +| test_requests.py:7:18:7:24 | ControlFlowNode for request | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_requests.py:14:5:14:14 | ControlFlowNode for user_input | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | provenance | | +| test_requests.py:14:18:14:24 | ControlFlowNode for request | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | provenance | | +| test_requests.py:20:18:20:24 | ControlFlowNode for request | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | nodes | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:10:18:10:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:12:5:12:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:13:18:13:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:18:5:18:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:19:18:19:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:22:5:22:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:23:18:23:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:37:18:37:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:41:5:41:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:42:18:42:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:44:5:44:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:45:18:45:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:47:5:47:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:48:18:48:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:50:5:50:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:11:18:11:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:13:5:13:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:15:18:15:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:20:5:20:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:22:18:22:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:25:5:25:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:27:18:27:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:41:18:41:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:45:5:45:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:47:18:47:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:49:5:49:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:54:18:54:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:57:18:57:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:55:18:55:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:57:5:57:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:59:18:59:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:61:5:61:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:62:18:62:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:64:5:64:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:65:18:65:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:71:18:71:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:75:5:75:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:63:18:63:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:66:18:66:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:70:5:70:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:72:18:72:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:74:5:74:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:78:5:78:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:79:18:79:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:81:5:81:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:82:18:82:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_azure_client.py:10:18:10:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | -| test_azure_client.py:11:19:11:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:17:32:17:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:83:18:83:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:87:5:87:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:89:18:89:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:91:5:91:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:93:18:93:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:95:5:95:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:97:18:97:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_azure_client.py:9:18:9:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_azure_client.py:10:19:10:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | | test_http_client.py:10:19:10:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | -| test_http_client.py:14:25:14:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | -| test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | -| test_http_client.py:19:25:19:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | -| test_http_client.py:25:27:25:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | -| test_http_client.py:29:25:29:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_http_client.py:15:25:15:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | +| test_http_client.py:21:25:21:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_http_client.py:28:27:28:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | +| test_http_client.py:34:25:34:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:8:18:8:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_path_validation.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:24:18:24:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_path_validation.py:25:19:25:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:40:18:40:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_path_validation.py:41:19:41:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_path_validation.py:57:18:57:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:64:36:64:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:71:36:71:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:74:36:74:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:79:36:79:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:87:36:87:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:90:36:90:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:95:36:95:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:102:36:102:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:107:36:107:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:110:36:110:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:115:36:115:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:122:36:122:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:125:36:125:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:132:36:132:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_requests.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_requests.py:6:5:6:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| test_requests.py:6:18:6:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_requests.py:8:18:8:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:7:5:7:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:7:18:7:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_requests.py:9:18:9:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:14:5:14:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:14:18:14:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_requests.py:17:17:17:26 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_requests.py:22:45:22:54 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | subpaths -#select -| full_partial_test.py:10:5:10:28 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:10:18:10:27 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:13:5:13:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:13:18:13:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:19:5:19:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:19:18:19:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:23:5:23:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:23:18:23:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:42:5:42:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:42:18:42:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:45:5:45:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:45:18:45:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:48:5:48:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:48:18:48:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:51:5:51:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:54:5:54:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:54:18:54:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:62:5:62:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:62:18:62:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:65:5:65:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:65:18:65:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:76:5:76:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:79:5:79:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:79:18:79:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:82:5:82:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:82:18:82:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:17:9:17:63 | ControlFlowNode for SecretClient() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:17:32:17:39 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:19:9:19:47 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:21:9:21:39 | ControlFlowNode for KeyClient() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:23:9:23:89 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:32:5:37:5 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:14:5:14:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:14:5:14:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:14:25:14:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:19:5:19:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:19:5:19:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:19:25:19:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_requests.py:8:5:8:28 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:8:18:8:27 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +testFailures +| test_requests.py:39:40:39:62 | Comment # $ Alert[py/full-ssrf] | Missing result: Alert[py/full-ssrf] | +| test_requests.py:49:40:49:62 | Comment # $ Alert[py/full-ssrf] | Missing result: Alert[py/full-ssrf] | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref index 50d53b5f47e..35a2814e7f4 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref @@ -1 +1,2 @@ -Security/CWE-918/FullServerSideRequestForgery.ql +query: Security/CWE-918/FullServerSideRequestForgery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected index bbe756e24b7..875d8b62b62 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected @@ -1,124 +1,199 @@ +#select +| full_partial_test.py:80:5:80:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:80:18:80:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:105:5:105:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:105:18:105:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:112:5:112:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:112:18:112:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:119:5:119:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:119:18:119:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:126:5:126:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:126:18:126:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:136:5:136:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:136:18:136:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| full_partial_test.py:143:5:143:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:143:18:143:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:15:9:15:58 | ControlFlowNode for SecretClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:15:32:15:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:17:9:17:42 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:17:39:17:41 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:19:9:19:34 | ControlFlowNode for KeyClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:19:19:19:21 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:21:9:21:84 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:21:58:21:60 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:24:5:24:100 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:25:5:25:31 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:30:5:30:31 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:28:27:28:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:34:5:34:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:34:25:34:35 | ControlFlowNode for unsafe_path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:39:5:39:29 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:39:25:39:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_http_client.py:44:5:44:29 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:44:25:44:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:14:13:14:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:14:36:14:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:16:13:16:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:16:36:16:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:30:13:30:59 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:30:33:30:35 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:32:13:32:59 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:32:33:32:35 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:46:13:46:46 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:46:43:46:45 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:48:13:48:46 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:48:43:48:45 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | edges | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | provenance | | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | provenance | | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:8:17:8:23 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:37:18:37:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:38:17:38:23 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:57:18:57:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:58:17:58:23 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:71:18:71:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:72:17:72:23 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:86:18:86:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:92:18:92:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:98:18:98:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:104:18:104:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:110:18:110:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:119:18:119:24 | ControlFlowNode for request | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:10:18:10:27 | ControlFlowNode for user_input | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:12:5:12:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:18:5:18:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:22:5:22:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:41:18:41:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:42:17:42:23 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:66:18:66:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:67:17:67:23 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:83:18:83:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:84:17:84:23 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:101:18:101:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:108:18:108:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:115:18:115:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:122:18:122:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:129:18:129:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:139:18:139:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:11:18:11:27 | ControlFlowNode for user_input | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:13:5:13:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:20:5:20:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | full_partial_test.py:25:5:25:7 | ControlFlowNode for url | provenance | | | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | full_partial_test.py:7:5:7:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | full_partial_test.py:8:5:8:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:8:5:8:13 | ControlFlowNode for query_val | full_partial_test.py:22:5:22:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:8:5:8:13 | ControlFlowNode for query_val | full_partial_test.py:25:5:25:7 | ControlFlowNode for url | provenance | | | full_partial_test.py:8:17:8:23 | ControlFlowNode for request | full_partial_test.py:8:5:8:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:12:5:12:7 | ControlFlowNode for url | full_partial_test.py:13:18:13:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:18:5:18:7 | ControlFlowNode for url | full_partial_test.py:19:18:19:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:22:5:22:7 | ControlFlowNode for url | full_partial_test.py:23:18:23:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:41:5:41:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:44:5:44:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:47:5:47:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:50:5:50:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:37:18:37:24 | ControlFlowNode for request | full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:37:18:37:24 | ControlFlowNode for request | full_partial_test.py:38:5:38:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:38:5:38:13 | ControlFlowNode for query_val | full_partial_test.py:47:5:47:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:38:17:38:23 | ControlFlowNode for request | full_partial_test.py:38:5:38:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:41:5:41:7 | ControlFlowNode for url | full_partial_test.py:42:18:42:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:44:5:44:7 | ControlFlowNode for url | full_partial_test.py:45:18:45:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:47:5:47:7 | ControlFlowNode for url | full_partial_test.py:48:18:48:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:50:5:50:7 | ControlFlowNode for url | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:53:5:53:7 | ControlFlowNode for url | full_partial_test.py:54:18:54:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | full_partial_test.py:61:5:61:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | full_partial_test.py:64:5:64:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | full_partial_test.py:67:5:67:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:57:18:57:24 | ControlFlowNode for request | full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:57:18:57:24 | ControlFlowNode for request | full_partial_test.py:58:5:58:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:58:5:58:13 | ControlFlowNode for query_val | full_partial_test.py:67:5:67:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:58:17:58:23 | ControlFlowNode for request | full_partial_test.py:58:5:58:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:61:5:61:7 | ControlFlowNode for url | full_partial_test.py:62:18:62:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:64:5:64:7 | ControlFlowNode for url | full_partial_test.py:65:18:65:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:67:5:67:7 | ControlFlowNode for url | full_partial_test.py:68:18:68:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | full_partial_test.py:75:5:75:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | full_partial_test.py:78:5:78:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | full_partial_test.py:81:5:81:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:71:18:71:24 | ControlFlowNode for request | full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:71:18:71:24 | ControlFlowNode for request | full_partial_test.py:72:5:72:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:72:5:72:13 | ControlFlowNode for query_val | full_partial_test.py:81:5:81:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:72:17:72:23 | ControlFlowNode for request | full_partial_test.py:72:5:72:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | -| full_partial_test.py:75:5:75:7 | ControlFlowNode for url | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:78:5:78:7 | ControlFlowNode for url | full_partial_test.py:79:18:79:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:81:5:81:7 | ControlFlowNode for url | full_partial_test.py:82:18:82:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:86:5:86:14 | ControlFlowNode for user_input | full_partial_test.py:88:5:88:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:86:18:86:24 | ControlFlowNode for request | full_partial_test.py:86:5:86:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:88:5:88:7 | ControlFlowNode for url | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:92:5:92:14 | ControlFlowNode for user_input | full_partial_test.py:94:5:94:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:92:18:92:24 | ControlFlowNode for request | full_partial_test.py:92:5:92:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:94:5:94:7 | ControlFlowNode for url | full_partial_test.py:95:18:95:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:98:5:98:14 | ControlFlowNode for user_input | full_partial_test.py:100:5:100:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:98:18:98:24 | ControlFlowNode for request | full_partial_test.py:98:5:98:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:100:5:100:7 | ControlFlowNode for url | full_partial_test.py:101:18:101:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:104:5:104:14 | ControlFlowNode for user_input | full_partial_test.py:106:5:106:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:104:18:104:24 | ControlFlowNode for request | full_partial_test.py:104:5:104:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:106:5:106:7 | ControlFlowNode for url | full_partial_test.py:107:18:107:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:110:5:110:14 | ControlFlowNode for user_input | full_partial_test.py:115:5:115:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:110:18:110:24 | ControlFlowNode for request | full_partial_test.py:110:5:110:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:115:5:115:7 | ControlFlowNode for url | full_partial_test.py:116:18:116:20 | ControlFlowNode for url | provenance | | -| full_partial_test.py:119:5:119:14 | ControlFlowNode for user_input | full_partial_test.py:121:5:121:7 | ControlFlowNode for url | provenance | | -| full_partial_test.py:119:18:119:24 | ControlFlowNode for request | full_partial_test.py:119:5:119:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| full_partial_test.py:121:5:121:7 | ControlFlowNode for url | full_partial_test.py:122:18:122:20 | ControlFlowNode for url | provenance | | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:7:19:7:25 | ControlFlowNode for request | provenance | | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for request | test_azure_client.py:10:18:10:24 | ControlFlowNode for request | provenance | | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for request | test_azure_client.py:11:19:11:25 | ControlFlowNode for request | provenance | | -| test_azure_client.py:10:5:10:14 | ControlFlowNode for user_input | test_azure_client.py:13:5:13:7 | ControlFlowNode for url | provenance | | -| test_azure_client.py:10:18:10:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_azure_client.py:10:18:10:24 | ControlFlowNode for request | test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | provenance | | -| test_azure_client.py:11:19:11:25 | ControlFlowNode for request | test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:16:32:16:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:18:39:18:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:20:19:20:21 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:22:58:22:60 | ControlFlowNode for url | provenance | Sink:MaD:26 | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | test_azure_client.py:27:18:27:20 | ControlFlowNode for url | provenance | Sink:MaD:27 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:17:32:17:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | -| test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | test_http_client.py:11:18:11:24 | ControlFlowNode for request | provenance | | +| full_partial_test.py:13:5:13:7 | ControlFlowNode for url | full_partial_test.py:15:18:15:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:20:5:20:7 | ControlFlowNode for url | full_partial_test.py:22:18:22:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:25:5:25:7 | ControlFlowNode for url | full_partial_test.py:27:18:27:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:45:5:45:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:49:5:49:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:57:5:57:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | full_partial_test.py:61:5:61:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:41:18:41:24 | ControlFlowNode for request | full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:41:18:41:24 | ControlFlowNode for request | full_partial_test.py:42:5:42:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | +| full_partial_test.py:42:5:42:13 | ControlFlowNode for query_val | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:42:17:42:23 | ControlFlowNode for request | full_partial_test.py:42:5:42:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | +| full_partial_test.py:45:5:45:7 | ControlFlowNode for url | full_partial_test.py:47:18:47:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:49:5:49:7 | ControlFlowNode for url | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:53:5:53:7 | ControlFlowNode for url | full_partial_test.py:55:18:55:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:57:5:57:7 | ControlFlowNode for url | full_partial_test.py:59:18:59:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:61:5:61:7 | ControlFlowNode for url | full_partial_test.py:63:18:63:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | full_partial_test.py:70:5:70:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | full_partial_test.py:74:5:74:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | full_partial_test.py:78:5:78:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:66:18:66:24 | ControlFlowNode for request | full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:66:18:66:24 | ControlFlowNode for request | full_partial_test.py:67:5:67:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | +| full_partial_test.py:67:5:67:13 | ControlFlowNode for query_val | full_partial_test.py:78:5:78:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:67:17:67:23 | ControlFlowNode for request | full_partial_test.py:67:5:67:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | +| full_partial_test.py:70:5:70:7 | ControlFlowNode for url | full_partial_test.py:72:18:72:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:74:5:74:7 | ControlFlowNode for url | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:78:5:78:7 | ControlFlowNode for url | full_partial_test.py:80:18:80:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | full_partial_test.py:87:5:87:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | full_partial_test.py:91:5:91:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | full_partial_test.py:95:5:95:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:83:18:83:24 | ControlFlowNode for request | full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:83:18:83:24 | ControlFlowNode for request | full_partial_test.py:84:5:84:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | +| full_partial_test.py:84:5:84:13 | ControlFlowNode for query_val | full_partial_test.py:95:5:95:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:84:17:84:23 | ControlFlowNode for request | full_partial_test.py:84:5:84:13 | ControlFlowNode for query_val | provenance | AdditionalTaintStep | +| full_partial_test.py:87:5:87:7 | ControlFlowNode for url | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:91:5:91:7 | ControlFlowNode for url | full_partial_test.py:93:18:93:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:95:5:95:7 | ControlFlowNode for url | full_partial_test.py:97:18:97:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:101:5:101:14 | ControlFlowNode for user_input | full_partial_test.py:103:5:103:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:101:18:101:24 | ControlFlowNode for request | full_partial_test.py:101:5:101:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:103:5:103:7 | ControlFlowNode for url | full_partial_test.py:105:18:105:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:108:5:108:14 | ControlFlowNode for user_input | full_partial_test.py:110:5:110:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:108:18:108:24 | ControlFlowNode for request | full_partial_test.py:108:5:108:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:110:5:110:7 | ControlFlowNode for url | full_partial_test.py:112:18:112:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:115:5:115:14 | ControlFlowNode for user_input | full_partial_test.py:117:5:117:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:115:18:115:24 | ControlFlowNode for request | full_partial_test.py:115:5:115:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:117:5:117:7 | ControlFlowNode for url | full_partial_test.py:119:18:119:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:122:5:122:14 | ControlFlowNode for user_input | full_partial_test.py:124:5:124:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:122:18:122:24 | ControlFlowNode for request | full_partial_test.py:122:5:122:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:124:5:124:7 | ControlFlowNode for url | full_partial_test.py:126:18:126:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:129:5:129:14 | ControlFlowNode for user_input | full_partial_test.py:134:5:134:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:129:18:129:24 | ControlFlowNode for request | full_partial_test.py:129:5:129:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:134:5:134:7 | ControlFlowNode for url | full_partial_test.py:136:18:136:20 | ControlFlowNode for url | provenance | | +| full_partial_test.py:139:5:139:14 | ControlFlowNode for user_input | full_partial_test.py:141:5:141:7 | ControlFlowNode for url | provenance | | +| full_partial_test.py:139:18:139:24 | ControlFlowNode for request | full_partial_test.py:139:5:139:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| full_partial_test.py:141:5:141:7 | ControlFlowNode for url | full_partial_test.py:143:18:143:20 | ControlFlowNode for url | provenance | | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:6:19:6:25 | ControlFlowNode for request | provenance | | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for request | test_azure_client.py:9:18:9:24 | ControlFlowNode for request | provenance | | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for request | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | +| test_azure_client.py:9:5:9:14 | ControlFlowNode for user_input | test_azure_client.py:12:5:12:7 | ControlFlowNode for url | provenance | | +| test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:9:5:9:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | provenance | | +| test_azure_client.py:10:19:10:25 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:15:32:15:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:17:39:17:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:19:19:19:21 | ControlFlowNode for url | provenance | Sink:MaD:14 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:21:58:21:60 | ControlFlowNode for url | provenance | Sink:MaD:26 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | provenance | Sink:MaD:27 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | +| test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:1:19:1:25 | ControlFlowNode for request | provenance | | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:11:18:11:24 | ControlFlowNode for request | provenance | | | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | provenance | | -| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | provenance | | -| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:25:27:25:37 | ControlFlowNode for unsafe_host | provenance | | +| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | provenance | | +| test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | test_http_client.py:28:27:28:37 | ControlFlowNode for unsafe_host | provenance | | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | provenance | AdditionalTaintStep | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | provenance | AdditionalTaintStep | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:14:25:14:35 | ControlFlowNode for unsafe_path | provenance | | -| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:19:25:19:35 | ControlFlowNode for unsafe_path | provenance | | -| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:29:25:29:35 | ControlFlowNode for unsafe_path | provenance | | +| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:15:25:15:35 | ControlFlowNode for unsafe_path | provenance | | +| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:21:25:21:35 | ControlFlowNode for unsafe_path | provenance | | +| test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | test_http_client.py:34:25:34:35 | ControlFlowNode for unsafe_path | provenance | | | test_http_client.py:10:19:10:25 | ControlFlowNode for request | test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | provenance | AdditionalTaintStep | | test_http_client.py:10:19:10:25 | ControlFlowNode for request | test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | test_http_client.py:31:5:31:8 | ControlFlowNode for path | provenance | | -| test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | test_http_client.py:35:5:35:8 | ControlFlowNode for path | provenance | | +| test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | test_http_client.py:36:5:36:8 | ControlFlowNode for path | provenance | | +| test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | test_http_client.py:41:5:41:8 | ControlFlowNode for path | provenance | | | test_http_client.py:11:18:11:24 | ControlFlowNode for request | test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_http_client.py:31:5:31:8 | ControlFlowNode for path | test_http_client.py:33:25:33:28 | ControlFlowNode for path | provenance | | -| test_http_client.py:35:5:35:8 | ControlFlowNode for path | test_http_client.py:37:25:37:28 | ControlFlowNode for path | provenance | | +| test_http_client.py:36:5:36:8 | ControlFlowNode for path | test_http_client.py:39:25:39:28 | ControlFlowNode for path | provenance | | +| test_http_client.py:41:5:41:8 | ControlFlowNode for path | test_http_client.py:44:25:44:28 | ControlFlowNode for path | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:5:19:5:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:8:18:8:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | provenance | | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | provenance | | +| test_path_validation.py:8:5:8:14 | ControlFlowNode for user_input | test_path_validation.py:10:5:10:7 | ControlFlowNode for url | provenance | | +| test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:8:5:8:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | provenance | | +| test_path_validation.py:9:19:9:25 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:14:36:14:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:16:36:16:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:19:36:19:43 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | test_path_validation.py:26:5:26:7 | ControlFlowNode for url | provenance | | +| test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | provenance | | +| test_path_validation.py:25:19:25:25 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:30:33:30:35 | ControlFlowNode for url | provenance | Sink:MaD:14 | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:32:33:32:35 | ControlFlowNode for url | provenance | Sink:MaD:14 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:35:33:35:40 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | test_path_validation.py:42:5:42:7 | ControlFlowNode for url | provenance | | +| test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | provenance | | +| test_path_validation.py:41:19:41:25 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:46:43:46:45 | ControlFlowNode for url | provenance | Sink:MaD:38 | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:48:43:48:45 | ControlFlowNode for url | provenance | Sink:MaD:38 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:51:43:51:50 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | provenance | | +| test_path_validation.py:57:18:57:24 | ControlFlowNode for request | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:36:64:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:66:36:66:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:69:36:69:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:36:71:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:36:74:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:76:36:76:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:81:36:81:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | -| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:6:18:6:24 | ControlFlowNode for request | provenance | | -| test_requests.py:6:5:6:14 | ControlFlowNode for user_input | test_requests.py:8:18:8:27 | ControlFlowNode for user_input | provenance | | -| test_requests.py:6:18:6:24 | ControlFlowNode for request | test_requests.py:6:5:6:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | +| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | +| test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:20:18:20:24 | ControlFlowNode for request | provenance | | +| test_requests.py:7:5:7:14 | ControlFlowNode for user_input | test_requests.py:9:18:9:27 | ControlFlowNode for user_input | provenance | | +| test_requests.py:7:18:7:24 | ControlFlowNode for request | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_requests.py:14:5:14:14 | ControlFlowNode for user_input | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | provenance | | +| test_requests.py:14:18:14:24 | ControlFlowNode for request | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | provenance | | +| test_requests.py:20:18:20:24 | ControlFlowNode for request | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | nodes | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | @@ -126,91 +201,91 @@ nodes | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | full_partial_test.py:8:5:8:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | | full_partial_test.py:8:17:8:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:10:18:10:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:12:5:12:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:13:18:13:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:18:5:18:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:19:18:19:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:22:5:22:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:23:18:23:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:37:5:37:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:37:18:37:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:38:5:38:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | -| full_partial_test.py:38:17:38:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:41:5:41:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:42:18:42:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:44:5:44:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:45:18:45:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:47:5:47:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:48:18:48:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:50:5:50:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:11:18:11:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:13:5:13:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:15:18:15:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:20:5:20:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:22:18:22:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:25:5:25:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:27:18:27:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:41:5:41:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:41:18:41:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:42:5:42:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | +| full_partial_test.py:42:17:42:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:45:5:45:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:47:18:47:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:49:5:49:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:51:18:51:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:53:5:53:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:54:18:54:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:57:5:57:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:57:18:57:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:58:5:58:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | -| full_partial_test.py:58:17:58:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:55:18:55:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:57:5:57:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:59:18:59:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:61:5:61:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:62:18:62:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:64:5:64:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:65:18:65:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:67:5:67:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:68:18:68:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:71:5:71:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:71:18:71:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:72:5:72:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | -| full_partial_test.py:72:17:72:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:75:5:75:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:63:18:63:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:66:5:66:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:66:18:66:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:67:5:67:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | +| full_partial_test.py:67:17:67:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:70:5:70:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:72:18:72:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:74:5:74:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:76:18:76:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:78:5:78:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:79:18:79:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:81:5:81:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:82:18:82:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:86:5:86:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:86:18:86:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:88:5:88:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:80:18:80:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:83:5:83:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:83:18:83:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:84:5:84:13 | ControlFlowNode for query_val | semmle.label | ControlFlowNode for query_val | +| full_partial_test.py:84:17:84:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:87:5:87:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:92:5:92:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:92:18:92:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:94:5:94:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:95:18:95:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:98:5:98:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:98:18:98:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:100:5:100:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:101:18:101:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:104:5:104:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:104:18:104:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:106:5:106:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:107:18:107:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:110:5:110:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:110:18:110:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:115:5:115:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:116:18:116:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:119:5:119:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| full_partial_test.py:119:18:119:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| full_partial_test.py:121:5:121:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| full_partial_test.py:122:18:122:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_azure_client.py:7:19:7:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_azure_client.py:10:5:10:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| test_azure_client.py:10:18:10:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_azure_client.py:11:5:11:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | -| test_azure_client.py:11:19:11:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_azure_client.py:13:5:13:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:14:5:14:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:16:32:16:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:17:32:17:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:18:39:18:41 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:19:39:19:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:20:19:20:21 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:21:19:21:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:22:58:22:60 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:23:58:23:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:27:18:27:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:33:18:33:25 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test_http_client.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:91:5:91:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:93:18:93:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:95:5:95:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:97:18:97:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:101:5:101:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:101:18:101:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:103:5:103:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:105:18:105:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:108:5:108:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:108:18:108:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:110:5:110:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:112:18:112:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:115:5:115:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:115:18:115:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:117:5:117:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:119:18:119:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:122:5:122:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:122:18:122:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:124:5:124:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:126:18:126:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:129:5:129:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:129:18:129:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:134:5:134:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:136:18:136:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:139:5:139:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| full_partial_test.py:139:18:139:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| full_partial_test.py:141:5:141:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| full_partial_test.py:143:18:143:20 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | +| test_azure_client.py:6:19:6:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_azure_client.py:9:5:9:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_azure_client.py:9:18:9:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_azure_client.py:10:19:10:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:15:32:15:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:17:39:17:41 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:19:19:19:21 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:21:58:21:60 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:24:37:24:39 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | +| test_http_client.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:9:5:9:15 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | | test_http_client.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:10:5:10:15 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | @@ -218,36 +293,69 @@ nodes | test_http_client.py:11:5:11:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_http_client.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | -| test_http_client.py:14:25:14:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | -| test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | -| test_http_client.py:19:25:19:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | -| test_http_client.py:25:27:25:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | -| test_http_client.py:29:25:29:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | -| test_http_client.py:31:5:31:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| test_http_client.py:33:25:33:28 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| test_http_client.py:35:5:35:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | -| test_http_client.py:37:25:37:28 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | +| test_http_client.py:15:25:15:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | +| test_http_client.py:21:25:21:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_http_client.py:28:27:28:37 | ControlFlowNode for unsafe_host | semmle.label | ControlFlowNode for unsafe_host | +| test_http_client.py:34:25:34:35 | ControlFlowNode for unsafe_path | semmle.label | ControlFlowNode for unsafe_path | +| test_http_client.py:36:5:36:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | +| test_http_client.py:39:25:39:28 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | +| test_http_client.py:41:5:41:8 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | +| test_http_client.py:44:25:44:28 | ControlFlowNode for path | semmle.label | ControlFlowNode for path | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | +| test_path_validation.py:5:19:5:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:8:5:8:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_path_validation.py:8:18:8:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_path_validation.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:14:36:14:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:16:36:16:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:19:36:19:43 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_path_validation.py:24:18:24:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_path_validation.py:25:19:25:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:30:33:30:35 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:32:33:32:35 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:35:33:35:40 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_path_validation.py:40:18:40:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | +| test_path_validation.py:41:19:41:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:46:43:46:45 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:48:43:48:45 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:51:43:51:50 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_path_validation.py:57:18:57:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:64:36:64:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:66:36:66:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:69:36:69:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:71:36:71:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:74:36:74:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:76:36:76:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:79:36:79:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:81:36:81:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_requests.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_requests.py:6:5:6:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | -| test_requests.py:6:18:6:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_requests.py:8:18:8:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:7:5:7:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:7:18:7:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_requests.py:9:18:9:27 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:14:5:14:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:14:18:14:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_requests.py:17:17:17:26 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | +| test_requests.py:22:45:22:54 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | subpaths -#select -| full_partial_test.py:68:5:68:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:68:18:68:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:89:5:89:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:95:5:95:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:95:18:95:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:101:5:101:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:101:18:101:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:107:5:107:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:107:18:107:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:116:5:116:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:116:18:116:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| full_partial_test.py:122:5:122:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:122:18:122:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:16:9:16:58 | ControlFlowNode for SecretClient() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:16:32:16:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:18:9:18:42 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:18:39:18:41 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:20:9:20:34 | ControlFlowNode for KeyClient() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:20:19:20:21 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:22:9:22:84 | ControlFlowNode for Attribute() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:22:58:22:60 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:26:5:31:5 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | test_azure_client.py:27:18:27:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:7:19:7:25 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:22:5:22:31 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:18:27:18:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:26:5:26:31 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:25:27:25:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:29:5:29:36 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:29:25:29:35 | ControlFlowNode for unsafe_path | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:33:5:33:29 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:33:25:33:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | -| test_http_client.py:37:5:37:29 | ControlFlowNode for Attribute() | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | test_http_client.py:37:25:37:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | +testFailures +| test_requests.py:1:27:1:36 | Comment # $ Source | Missing result: Source | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref index 88de9285e5e..651b07aea55 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref @@ -1 +1,2 @@ -Security/CWE-918/PartialServerSideRequestForgery.ql +query: Security/CWE-918/PartialServerSideRequestForgery.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py index 95ff9d64944..e2f4fc05026 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py @@ -1,26 +1,30 @@ -from flask import request +from flask import request # $ Source -import requests +import requests import re def full_ssrf(): user_input = request.args['untrusted_input'] query_val = request.args['query_val'] - requests.get(user_input) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(user_input) # $ Alert[py/full-ssrf] url = "https://" + user_input - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] # although the path `/foo` is added here, this can be circumvented such that the # final URL is `https://evil.com/#/foo" -- since the fragment (#) is not sent to the # server. url = "https://" + user_input + "/foo" - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] # this might seem like a dummy test, but it serves to check how our sanitizers work. url = "https://" + user_input + "/foo?key=" + query_val - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] # taint-steps are added as `fromNode -> toNode`, but when adding a sanitizer it's # currently only possible to so on either `fromNode` or `toNode` (either all edges in @@ -39,19 +43,24 @@ def full_ssrf_format(): # using .format url = "https://{}".format(user_input) - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = "https://{}/foo".format(user_input) - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = "https://{}/foo?key={}".format(user_input, query_val) - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = "https://{x}".format(x=user_input) - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = "https://{1}".format(0, user_input) - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] def full_ssrf_percent_format(): user_input = request.args['untrusted_input'] @@ -59,13 +68,16 @@ def full_ssrf_percent_format(): # using %-formatting url = "https://%s" % user_input - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = "https://%s/foo" % user_input - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = "https://%s/foo/key=%s" % (user_input, query_val) - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full and partial control + requests.get(url) # $ Alert[py/partial-ssrf] $ MISSING: Alert[py/full-ssrf] def full_ssrf_f_strings(): user_input = request.args['untrusted_input'] @@ -73,38 +85,45 @@ def full_ssrf_f_strings(): # using f-strings url = f"https://{user_input}" - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = f"https://{user_input}/foo" - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] url = f"https://{user_input}/foo?key={query_val}" - requests.get(url) # NOT OK -- user has full control + # NOT OK -- user has full control + requests.get(url) # $ Alert[py/full-ssrf] def partial_ssrf_1(): user_input = request.args['untrusted_input'] url = "https://example.com/foo?" + user_input - requests.get(url) # NOT OK -- user controls query parameters + # NOT OK -- user controls query parameters + requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_2(): user_input = request.args['untrusted_input'] url = "https://example.com/" + user_input - requests.get(url) # NOT OK -- user controls path + # NOT OK -- user controls path + requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_3(): user_input = request.args['untrusted_input'] url = "https://example.com/" + user_input - requests.get(url) # NOT OK -- user controls path + # NOT OK -- user controls path + requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_4(): user_input = request.args['untrusted_input'] url = "https://example.com/foo#{}".format(user_input) - requests.get(url) # NOT OK -- user contollred fragment + # NOT OK -- user contollred fragment + requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_5(): user_input = request.args['untrusted_input'] @@ -113,20 +132,22 @@ def partial_ssrf_5(): # controlled url = "https://example.com/foo#%s" % user_input - requests.get(url) # NOT OK -- user contollred fragment + # NOT OK -- user contollred fragment + requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_6(): user_input = request.args['untrusted_input'] url = f"https://example.com/foo#{user_input}" - requests.get(url) # NOT OK -- user only controlled fragment + # NOT OK -- user only controlled fragment + requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_7(): user_input = request.args['untrusted_input'] if user_input.isalnum(): url = f"https://example.com/foo#{user_input}" - requests.get(url) # OK - user input can only contain alphanumerical characters + requests.get(url) # OK - user input can only contain alphanumerical characters if user_input.isalpha(): url = f"https://example.com/foo#{user_input}" @@ -154,7 +175,8 @@ def partial_ssrf_7(): if re.fullmatch(r'.*[a-zA-Z0-9]+.*', user_input): url = f"https://example.com/foo#{user_input}" - requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary characters + # NOT OK, but NOT FOUND - user input can contain arbitrary characters + requests.get(url) # $ MISSING: Alert[py/partial-ssrf] if re.match(r'^[a-zA-Z0-9]+$', user_input): @@ -163,7 +185,8 @@ def partial_ssrf_7(): if re.match(r'[a-zA-Z0-9]+', user_input): url = f"https://example.com/foo#{user_input}" - requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix. + # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix. + requests.get(url) # $ MISSING: Alert[py/partial-ssrf] reg = re.compile(r'^[a-zA-Z0-9]+$') diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py index d8de2092a2e..28570b7ab4a 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py @@ -3,8 +3,7 @@ from azure.storage.fileshare import ShareFileClient from azure.keyvault.keys import KeyClient from azure.storage.blob import ContainerClient from azure.storage.blob import download_blob_from_url - -from flask import request +from flask import request # $ Source def azure_sdk_test(credential, output_path): user_input = request.args['untrusted_input'] @@ -13,24 +12,214 @@ def azure_sdk_test(credential, output_path): url = f"https://example.com/foo#{user_input}" full_url = f"https://{user_input2}" # Testing Azure sink - c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment - c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control - c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment - c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control - c = KeyClient(url, credential)# NOT OK -- user only controlled fragment - c = KeyClient(full_url, credential) # NOT OK -- user has full control - c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment - c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] + c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] + c = KeyClient(url, credential) # $ Alert[py/partial-ssrf] + c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf] + c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] + c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] - download_blob_from_url( - blob_url=url, # NOT OK -- user only controlled fragment - output=output_path, - credential=credential, - overwrite=True - ) - download_blob_from_url( - blob_url=full_url, # NOT OK -- user has full control - output=output_path, - credential=credential, - overwrite=True - ) + download_blob_from_url(blob_url=url, output=output_path, credential=credential, overwrite=True ) # $ Alert[py/partial-ssrf] + download_blob_from_url(blob_url=full_url, output=output_path, credential=credential, overwrite=True) # $ Alert[py/full-ssrf] + +# if URIValidator.in_domain(url, trusted_domain): +# # Testing Azure sink +# c = SecretClient(vault_url=url, credential=credential)# OK +# c = ShareFileClient.from_file_url(url) # OK +# c = KeyClient(url, credential)# OK +# c = ContainerClient.from_container_url(container_url=url, credential=credential) # OK + +# download_blob_from_url( +# blob_url=url, # OK +# output=output_path, +# credential=credential, +# overwrite=True +# ) +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment +# c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment +# c = KeyClient(url, credential)# NOT OK -- user only controlled fragment +# c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment + +# download_blob_from_url( +# blob_url=url, # NOT OK -- user only controlled fragment +# output=output_path, +# credential=credential, +# overwrite=True +# ) + + +# if URIValidator.in_domain(full_url, trusted_domain): +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK +# c = ShareFileClient.from_file_url(full_url) # OK +# c = KeyClient(full_url, credential) # OK +# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # OK + +# download_blob_from_url( +# blob_url=full_url, # OK +# output=output_path, +# credential=credential, +# overwrite=True +# ) +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control +# c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control +# c = KeyClient(full_url, credential) # NOT OK -- user has full control +# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control + +# download_blob_from_url( +# blob_url=full_url, # NOT OK -- user has full control +# output=output_path, +# credential=credential, +# overwrite=True +# ) + + +# if URIValidator.in_azure_keyvault_domain(url): +# # Testing Azure sink +# c = SecretClient(vault_url=url, credential=credential)# OK +# c = ShareFileClient.from_file_url(url) # OK +# c = KeyClient(url, credential)# OK +# c = ContainerClient.from_container_url(container_url=url, credential=credential) # OK + +# download_blob_from_url( +# blob_url=url, # OK +# output=output_path, +# credential=credential, +# overwrite=True +# ) +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment +# c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment +# c = KeyClient(url, credential)# NOT OK -- user only controlled fragment +# c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment + +# download_blob_from_url( +# blob_url=url, # NOT OK -- user only controlled fragment +# output=output_path, +# credential=credential, +# overwrite=True +# ) + + +# if URIValidator.in_azure_keyvault_domain(full_url): +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK +# c = ShareFileClient.from_file_url(full_url) # OK +# c = KeyClient(full_url, credential) # OK +# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # OK + +# download_blob_from_url( +# blob_url=full_url, # OK +# output=output_path, +# credential=credential, +# overwrite=True +# ) +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control +# c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control +# c = KeyClient(full_url, credential) # NOT OK -- user has full control +# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control + +# download_blob_from_url( +# blob_url=full_url, # NOT OK -- user has full control +# output=output_path, +# credential=credential, +# overwrite=True +# ) + +# if URIValidator.in_azure_storage_domain(url): +# # Testing Azure sink +# c = SecretClient(vault_url=url, credential=credential)# OK +# c = ShareFileClient.from_file_url(url) # OK +# c = KeyClient(url, credential)# OK +# c = ContainerClient.from_container_url(container_url=url, credential=credential) # OK + +# download_blob_from_url( +# blob_url=url, # OK +# output=output_path, +# credential=credential, +# overwrite=True +# ) +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment +# c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment +# c = KeyClient(url, credential)# NOT OK -- user only controlled fragment +# c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment + +# download_blob_from_url( +# blob_url=url, # NOT OK -- user only controlled fragment +# output=output_path, +# credential=credential, +# overwrite=True +# ) + + +# if URIValidator.in_azure_storage_domain(full_url): +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK +# c = ShareFileClient.from_file_url(full_url) # OK +# c = KeyClient(full_url, credential) # OK +# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # OK + +# download_blob_from_url( +# blob_url=full_url, # OK +# output=output_path, +# credential=credential, +# overwrite=True +# ) +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control +# c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control +# c = KeyClient(full_url, credential) # NOT OK -- user has full control +# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control + +# download_blob_from_url( +# blob_url=full_url, # NOT OK -- user has full control +# output=output_path, +# credential=credential, +# overwrite=True +# ) + +# def azure_sdk_logic_sanity_test(credential, output_path, trusted_domain): +# user_input = request.args['untrusted_input'] +# full_url = f"https://{user_input}" +# if not URIValidator.in_azure_storage_domain(full_url): +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK + + + +# if not not URIValidator.in_azure_storage_domain(full_url): +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control + + +# if URIValidator.URIValidator.in_domain(full_url, trusted_domain) and trusted_domain == "example.com": +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control + +# if not (URIValidator.URIValidator.in_domain(full_url, trusted_domain) and trusted_domain == "example.com"): +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control +# else: +# # Testing Azure sink +# c = SecretClient(vault_url=full_url, credential=credential) # OK \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py index c833907d843..0a238878e35 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py @@ -1,5 +1,5 @@ -from flask import Flask, request - +from flask import request # $ Source +from flask import Flask from http.client import HTTPConnection app = Flask(__name__) @@ -10,28 +10,35 @@ def ssrf_test(): unsafe_path = request.args["path"] user_input = request.args['untrusted_input'] - conn = HTTPConnection(unsafe_host) - conn.request("GET", unsafe_path) # NOT OK -- user has full control + conn = HTTPConnection(unsafe_host) # $ Sink[py/full-ssrf] + # NOT OK -- user has full control + conn.request("GET", unsafe_path) # $ Alert[py/full-ssrf] - # Full SSRF variant, where there is ALSO made a request with fixed URL on the same + # Full SSRF variant, where there is AlSO made a request with fixed URL on the same # connection later on. This should not change anything on the overall SSRF alerts. - conn = HTTPConnection(unsafe_host) - conn.request("GET", unsafe_path) # NOT OK -- user has full control + conn = HTTPConnection(unsafe_host) # $ Sink + # NOT OK -- user has full control + conn.request("GET", unsafe_path) # $ Alert[py/full-ssrf] # partial SSRF on SAME connection - conn.request("GET", "/foo") # NOT OK -- user has control of host + # NOT OK -- user has control of host + conn.request("GET", "/foo") # $ Alert[py/partial-ssrf] # the rest are partial SSRF - conn = HTTPConnection(unsafe_host) - conn.request("GET", "/foo") # NOT OK -- user controlled domain + conn = HTTPConnection(unsafe_host) # $ Sink[py/partial-ssrf] + # NOT OK -- user controlled domain + conn.request("GET", "/foo") # $ Alert[py/partial-ssrf] conn = HTTPConnection("example.com") - conn.request("GET", unsafe_path) # NOT OK -- user controlled path + # NOT OK -- user controlled path + conn.request("GET", unsafe_path) # $ Alert[py/partial-ssrf] path = "foo?" + user_input conn = HTTPConnection("example.com") - conn.request("GET", path) # NOT OK -- user controlled query parameters + # NOT OK -- user controlled query parameters + conn.request("GET", path) # $ Alert[py/partial-ssrf] path = "foo#" + user_input conn = HTTPConnection("example.com") - conn.request("GET", path) # NOT OK -- user controlled fragment + # NOT OK -- user controlled fragment + conn.request("GET", path) # $ Alert[py/partial-ssrf] \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py new file mode 100644 index 00000000000..44c569f625d --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py @@ -0,0 +1,132 @@ +from azure.keyvault.secrets import SecretClient +from azure.storage.fileshare import ShareFileClient +from azure.keyvault.keys import KeyClient +from AntiSSRF import URIValidator +from flask import request # $ Source + +def urivalidator_path_in_domain_validation(credential, trusted_domain): + user_input = request.args['untrusted_input'] + user_input2 = request.args['untrusted_input2'] + url = f"https://example.com/foo#{user_input}" + full_url = f"https://{user_input2}" + + if URIValidator.in_domain(url, trusted_domain): + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + + if URIValidator.in_domain(full_url, trusted_domain): + c = SecretClient(vault_url=full_url, credential=credential) # OK + else: + c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + +def urivalidator_path_in_azure_keyvault_domain_validation(credential): + user_input = request.args['untrusted_input'] + user_input2 = request.args['untrusted_input2'] + url = f"https://example.com/foo#{user_input}" + full_url = f"https://{user_input2}" + + if URIValidator.in_azure_keyvault_domain(url): + c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + else: + c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + + if URIValidator.in_azure_keyvault_domain(full_url): + c = KeyClient(vault_url=full_url, credential=credential) # OK + else: + c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + +def urivalidator_path_in_azure_storage_domain_validation(credential): + user_input = request.args['untrusted_input'] + user_input2 = request.args['untrusted_input2'] + url = f"https://example.com/foo#{user_input}" + full_url = f"https://{user_input2}" + + if URIValidator.in_azure_storage_domain(url): + c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] + else: + c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] + + if URIValidator.in_azure_storage_domain(full_url): + c = ShareFileClient.from_file_url(full_url) # OK + else: + c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] + + +def complex_urivalidator_checks(credential, trusted_domain): + user_input = request.args['untrusted_input'] + # Focus on in_domain only here for simplicity + # It assumed the logic underlying checking paths would apply + # similarly other validator methods + url = f"https://{user_input}" + + if not URIValidator.in_domain(url, trusted_domain): + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if URIValidator.in_domain(url, trusted_domain) and trusted_domain == "example.com": + c = SecretClient(vault_url=url, credential=credential) # OK + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + + if not (URIValidator.in_domain(url, trusted_domain) and trusted_domain == "example.com"): + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if not not not URIValidator.in_domain(url, trusted_domain): + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + + if URIValidator.in_domain(url, trusted_domain) == True: + c = SecretClient(vault_url=url, credential=credential) # OK + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + + if URIValidator.in_domain(url, trusted_domain) == False: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if URIValidator.in_domain(url, trusted_domain) != True: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if URIValidator.in_domain(url, trusted_domain) != False: + c = SecretClient(vault_url=url, credential=credential) # OK + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + + if URIValidator.in_domain(url, trusted_domain) is True: + c = SecretClient(vault_url=url, credential=credential) # OK + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + + if URIValidator.in_domain(url, trusted_domain) is False: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if URIValidator.in_domain(url, trusted_domain) is not True: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if URIValidator.in_domain(url, trusted_domain) is not False: + c = SecretClient(vault_url=url, credential=credential) # OK + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + + if not URIValidator.in_domain(url, trusted_domain) is True: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + else: + c = SecretClient(vault_url=url, credential=credential) # OK + + if not URIValidator.in_domain(url, trusted_domain) is False: + c = SecretClient(vault_url=url, credential=credential) # OK + else: + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py index 443f5c3b81f..cfa2e6aa5a7 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py @@ -1,11 +1,49 @@ -from flask import request +from flask import request # $ Source +from AntiSSRF import AntiSSRFPolicy import requests -def ssrf_test(): +def ssrf_test1(): user_input = request.args['untrusted_input'] - - requests.get(user_input) # NOT OK -- user has full control - + # NOT OK -- user has full control + requests.get(user_input) # $ Alert[py/full-ssrf] # since `requests`` always uses complete URLs, it's not interesting to test more of # the framework directly. See `full_partial_test.py` for different ways to do SSRF. + +def ssrf_test2(): + user_input = request.args['untrusted_input'] + # NOT OK -- user has full control + session = requests.Session() + session.get(user_input) # $ Alert[py/full-ssrf] + +def ssrf_test3(): + user_input = request.args['untrusted_input'] + # NOT OK -- user has full control + response = requests.request('', user_input) # $ Alert[py/full-ssrf] + +def ssrf_test_with_policy1(): + user_input = request.args['untrusted_input'] + policy = AntiSSRFPolicy() + session = policy.get_antissrf_session() + # OK -- dangerous user input is filtered by AntiSSRFPolicy + response = session.get(user_input) + +def ssrf_test_with_policy2(): + user_input = request.args['untrusted_input'] + policy = AntiSSRFPolicy() + session = policy.get_antissrf_session() + # overwriting the HTTPAdapter to default requests adapter + # this makes the session unsafe again + session.mount("http://", requests.adapters.HTTPAdapter()) + # NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy + response = session.get(user_input) # $ Alert[py/full-ssrf] + +def ssrf_test_with_policy3(adapter): + user_input = request.args['untrusted_input'] + policy = AntiSSRFPolicy() + session = policy.get_antissrf_session() + # overwriting the HTTPAdapter to a custom requests adapter + # this could make the session unsafe again + session.mount("http://", adapter) + # NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy + response = session.get(user_input) # $ Alert[py/full-ssrf] \ No newline at end of file From 97f19d03ad7b2f9fa8873f58ce91d46dee225e2a Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 2 Feb 2026 16:21:34 -0500 Subject: [PATCH 010/110] Updating test case expected alerts. --- .../PartialServerSideRequestForgery.expected | 57 +++++++++++++++++++ .../test_path_validation.py | 34 +++++------ 2 files changed, 74 insertions(+), 17 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected index 875d8b62b62..0d3f49c200e 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected @@ -18,10 +18,27 @@ | test_http_client.py:44:5:44:29 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:44:25:44:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_path_validation.py:14:13:14:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:14:36:14:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_path_validation.py:16:13:16:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:16:36:16:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:19:13:19:67 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:19:36:19:43 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_path_validation.py:30:13:30:59 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:30:33:30:35 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_path_validation.py:32:13:32:59 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:32:33:32:35 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:35:13:35:64 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:35:33:35:40 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_path_validation.py:46:13:46:46 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:46:43:46:45 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_path_validation.py:48:13:48:46 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:48:43:48:45 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:51:13:51:51 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:51:43:51:50 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:66:13:66:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:66:36:66:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:69:13:69:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:69:36:69:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:76:13:76:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:76:36:76:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:81:13:81:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:81:36:81:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:85:13:85:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:85:36:85:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:92:13:92:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:92:36:92:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:97:13:97:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:97:36:97:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:100:13:100:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:100:36:100:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:105:13:105:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:105:36:105:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:112:13:112:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:112:36:112:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:117:13:117:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:117:36:117:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:120:13:120:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:120:36:120:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:127:13:127:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:127:36:127:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:130:13:130:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:130:36:130:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | edges | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | provenance | | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | provenance | | @@ -184,6 +201,26 @@ edges | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:76:36:76:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:81:36:81:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:85:36:85:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:36:87:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:36:90:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:92:36:92:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:36:95:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:97:36:97:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:100:36:100:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:36:102:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:105:36:105:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:36:107:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:36:110:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:112:36:112:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:36:115:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:117:36:117:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:120:36:120:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:36:122:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:36:125:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:127:36:127:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:130:36:130:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:36:132:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | @@ -345,6 +382,26 @@ nodes | test_path_validation.py:76:36:76:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_path_validation.py:81:36:81:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:85:36:85:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:87:36:87:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:90:36:90:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:92:36:92:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:95:36:95:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:97:36:97:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:100:36:100:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:102:36:102:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:105:36:105:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:107:36:107:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:110:36:110:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:112:36:112:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:115:36:115:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:117:36:117:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:120:36:120:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:122:36:122:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:125:36:125:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:127:36:127:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:130:36:130:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:132:36:132:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_requests.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py index 44c569f625d..3e6bb1f6d0c 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py @@ -16,7 +16,7 @@ def urivalidator_path_in_domain_validation(credential, trusted_domain): c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(full_url, trusted_domain): - c = SecretClient(vault_url=full_url, credential=credential) # OK + c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] @@ -32,7 +32,7 @@ def urivalidator_path_in_azure_keyvault_domain_validation(credential): c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_azure_keyvault_domain(full_url): - c = KeyClient(vault_url=full_url, credential=credential) # OK + c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] else: c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] @@ -48,7 +48,7 @@ def urivalidator_path_in_azure_storage_domain_validation(credential): c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] if URIValidator.in_azure_storage_domain(full_url): - c = ShareFileClient.from_file_url(full_url) # OK + c = ShareFileClient.from_file_url(full_url) # $ Alert[py/partial-ssrf] else: c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] @@ -63,70 +63,70 @@ def complex_urivalidator_checks(credential, trusted_domain): if not URIValidator.in_domain(url, trusted_domain): c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) and trusted_domain == "example.com": - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if not (URIValidator.in_domain(url, trusted_domain) and trusted_domain == "example.com"): c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if not not not URIValidator.in_domain(url, trusted_domain): c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) == True: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if URIValidator.in_domain(url, trusted_domain) == False: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) != True: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) != False: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if URIValidator.in_domain(url, trusted_domain) is True: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if URIValidator.in_domain(url, trusted_domain) is False: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) is not True: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) is not False: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if not URIValidator.in_domain(url, trusted_domain) is True: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if not URIValidator.in_domain(url, trusted_domain) is False: - c = SecretClient(vault_url=url, credential=credential) # OK + c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] \ No newline at end of file From 42f6e6a19cdba380b2b0245cfe091c894204fda9 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 3 Feb 2026 11:44:34 -0500 Subject: [PATCH 011/110] Fixing inefficiently passed variable in nested existential quantification. --- .../dataflow/ServerSideRequestForgeryCustomizations.qll | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll index 2139ecf797d..e75217d608f 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll @@ -185,15 +185,14 @@ module ServerSideRequestForgery { import semmle.python.dataflow.new.internal.DataFlowPublic private predicate uri_validator(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) { - exists(DataFlow::CallCfgNode call, Node n, string funcs | + exists(DataFlow::CallCfgNode call, string funcs | funcs in ["in_domain", "in_azure_keyvault_domain", "in_azure_storage_domain"] | call = API::moduleImport("AntiSSRF").getMember("URIValidator").getMember(funcs).getACall() and call.getArg(0).asCfgNode() = node and - n.getALocalSource() = call and ( // validator used in a comparison - exists(CompareNode cn, Cmpop op | cn = g | + exists(CompareNode cn, Cmpop op, Node n | cn = g and n.getALocalSource() = call | ( // validator == true or validator == false or validator is True or validator is False (op instanceof Eq or op instanceof Is) and From 4f11913ee53aab76fff8457007c2bf83bce8b6ae Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 11:23:58 -0500 Subject: [PATCH 012/110] removing SSRFSink.qll --- .../lib/semmle/python/frameworks/SSRFSink.qll | 42 ------------------- 1 file changed, 42 deletions(-) delete mode 100644 python/ql/lib/semmle/python/frameworks/SSRFSink.qll diff --git a/python/ql/lib/semmle/python/frameworks/SSRFSink.qll b/python/ql/lib/semmle/python/frameworks/SSRFSink.qll deleted file mode 100644 index aeb228daf13..00000000000 --- a/python/ql/lib/semmle/python/frameworks/SSRFSink.qll +++ /dev/null @@ -1,42 +0,0 @@ -/** - * Provides classes for SSRF sinks modeled using Models as Data (MaD). - */ - -private import python -private import semmle.python.Concepts -private import semmle.python.ApiGraphs -private import semmle.python.frameworks.data.ModelsAsData - -/** - * INTERNAL: Do not use. - * - * Sets up SSRF sinks as Http::Client::Request - */ -module SsrfMaDModel { - /** - * An HTTP request modeled from `ssrf` sinks, modeled using MaD. - */ - class SsrfSink extends Http::Client::Request::Range instanceof API::CallNode { - DataFlow::Node urlArg; - - SsrfSink() { - ( - this.getArg(_) = urlArg - or - this.getArgByName(_) = urlArg - ) and - urlArg = ModelOutput::getASinkNode("ssrf").asSink() - } - - override DataFlow::Node getAUrlPart() { result = urlArg } - - override string getFramework() { result = "MaD" } - - override predicate disablesCertificateValidation( - DataFlow::Node disablingNode, DataFlow::Node argumentOrigin - ) { - // NOTE: if you need to define this, you have to special case it for every possible API in MaD - none() - } - } -} From f6c302b68cc107d8a361a9dd1e5dbddc88015ee2 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 11:28:48 -0500 Subject: [PATCH 013/110] Removing commented out test cases. --- .../test_azure_client.py | 200 ------------------ 1 file changed, 200 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py index 28570b7ab4a..5dbb7e1ede4 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py @@ -23,203 +23,3 @@ def azure_sdk_test(credential, output_path): download_blob_from_url(blob_url=url, output=output_path, credential=credential, overwrite=True ) # $ Alert[py/partial-ssrf] download_blob_from_url(blob_url=full_url, output=output_path, credential=credential, overwrite=True) # $ Alert[py/full-ssrf] - -# if URIValidator.in_domain(url, trusted_domain): -# # Testing Azure sink -# c = SecretClient(vault_url=url, credential=credential)# OK -# c = ShareFileClient.from_file_url(url) # OK -# c = KeyClient(url, credential)# OK -# c = ContainerClient.from_container_url(container_url=url, credential=credential) # OK - -# download_blob_from_url( -# blob_url=url, # OK -# output=output_path, -# credential=credential, -# overwrite=True -# ) -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment -# c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment -# c = KeyClient(url, credential)# NOT OK -- user only controlled fragment -# c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment - -# download_blob_from_url( -# blob_url=url, # NOT OK -- user only controlled fragment -# output=output_path, -# credential=credential, -# overwrite=True -# ) - - -# if URIValidator.in_domain(full_url, trusted_domain): -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK -# c = ShareFileClient.from_file_url(full_url) # OK -# c = KeyClient(full_url, credential) # OK -# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # OK - -# download_blob_from_url( -# blob_url=full_url, # OK -# output=output_path, -# credential=credential, -# overwrite=True -# ) -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control -# c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control -# c = KeyClient(full_url, credential) # NOT OK -- user has full control -# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control - -# download_blob_from_url( -# blob_url=full_url, # NOT OK -- user has full control -# output=output_path, -# credential=credential, -# overwrite=True -# ) - - -# if URIValidator.in_azure_keyvault_domain(url): -# # Testing Azure sink -# c = SecretClient(vault_url=url, credential=credential)# OK -# c = ShareFileClient.from_file_url(url) # OK -# c = KeyClient(url, credential)# OK -# c = ContainerClient.from_container_url(container_url=url, credential=credential) # OK - -# download_blob_from_url( -# blob_url=url, # OK -# output=output_path, -# credential=credential, -# overwrite=True -# ) -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment -# c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment -# c = KeyClient(url, credential)# NOT OK -- user only controlled fragment -# c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment - -# download_blob_from_url( -# blob_url=url, # NOT OK -- user only controlled fragment -# output=output_path, -# credential=credential, -# overwrite=True -# ) - - -# if URIValidator.in_azure_keyvault_domain(full_url): -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK -# c = ShareFileClient.from_file_url(full_url) # OK -# c = KeyClient(full_url, credential) # OK -# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # OK - -# download_blob_from_url( -# blob_url=full_url, # OK -# output=output_path, -# credential=credential, -# overwrite=True -# ) -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control -# c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control -# c = KeyClient(full_url, credential) # NOT OK -- user has full control -# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control - -# download_blob_from_url( -# blob_url=full_url, # NOT OK -- user has full control -# output=output_path, -# credential=credential, -# overwrite=True -# ) - -# if URIValidator.in_azure_storage_domain(url): -# # Testing Azure sink -# c = SecretClient(vault_url=url, credential=credential)# OK -# c = ShareFileClient.from_file_url(url) # OK -# c = KeyClient(url, credential)# OK -# c = ContainerClient.from_container_url(container_url=url, credential=credential) # OK - -# download_blob_from_url( -# blob_url=url, # OK -# output=output_path, -# credential=credential, -# overwrite=True -# ) -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=url, credential=credential)# NOT OK -- user only controlled fragment -# c = ShareFileClient.from_file_url(url) # NOT OK -- user only controlled fragment -# c = KeyClient(url, credential)# NOT OK -- user only controlled fragment -# c = ContainerClient.from_container_url(container_url=url, credential=credential) # NOT OK -- user only controlled fragment - -# download_blob_from_url( -# blob_url=url, # NOT OK -- user only controlled fragment -# output=output_path, -# credential=credential, -# overwrite=True -# ) - - -# if URIValidator.in_azure_storage_domain(full_url): -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK -# c = ShareFileClient.from_file_url(full_url) # OK -# c = KeyClient(full_url, credential) # OK -# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # OK - -# download_blob_from_url( -# blob_url=full_url, # OK -# output=output_path, -# credential=credential, -# overwrite=True -# ) -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control -# c = ShareFileClient.from_file_url(full_url) # NOT OK -- user has full control -# c = KeyClient(full_url, credential) # NOT OK -- user has full control -# c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # NOT OK -- user has full control - -# download_blob_from_url( -# blob_url=full_url, # NOT OK -- user has full control -# output=output_path, -# credential=credential, -# overwrite=True -# ) - -# def azure_sdk_logic_sanity_test(credential, output_path, trusted_domain): -# user_input = request.args['untrusted_input'] -# full_url = f"https://{user_input}" -# if not URIValidator.in_azure_storage_domain(full_url): -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK - - - -# if not not URIValidator.in_azure_storage_domain(full_url): -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control - - -# if URIValidator.URIValidator.in_domain(full_url, trusted_domain) and trusted_domain == "example.com": -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control - -# if not (URIValidator.URIValidator.in_domain(full_url, trusted_domain) and trusted_domain == "example.com"): -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # NOT OK -- user has full control -# else: -# # Testing Azure sink -# c = SecretClient(vault_url=full_url, credential=credential) # OK \ No newline at end of file From 6c171c804f5d4765ef2bf265205442eb58875f42 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 15:20:52 -0500 Subject: [PATCH 014/110] C++: Add more tests for modified years with and without leap year checks (UncheckedLeapYearAfterYearModification). Switch to using 'postprocess' for unit tests. --- ...ckedLeapYearAfterYearModification.expected | 75 +- ...checkedLeapYearAfterYearModification.qlref | 3 +- ...heckedReturnValueForTimeFunctions.expected | 11 +- .../test.cpp | 1291 +++++++++++++++-- 4 files changed, 1249 insertions(+), 131 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected index a9c1bc66c50..8fdc1339aa1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected @@ -1,15 +1,60 @@ -| test.cpp:314:5:314:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:309:13:309:14 | st | st | -| test.cpp:327:5:327:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:322:13:322:14 | st | st | -| test.cpp:338:6:338:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:333:62:333:63 | st | st | -| test.cpp:484:5:484:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:480:13:480:14 | st | st | -| test.cpp:497:5:497:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:492:13:492:14 | st | st | -| test.cpp:509:5:509:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:505:13:505:14 | st | st | -| test.cpp:606:11:606:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:56:6:56:12 | tm_year | tm_year | test.cpp:602:12:602:19 | timeinfo | timeinfo | -| test.cpp:634:11:634:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:56:6:56:12 | tm_year | tm_year | test.cpp:628:12:628:19 | timeinfo | timeinfo | -| test.cpp:636:11:636:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:56:6:56:12 | tm_year | tm_year | test.cpp:628:12:628:19 | timeinfo | timeinfo | -| test.cpp:640:5:640:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:629:13:629:14 | st | st | -| test.cpp:642:5:642:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:629:13:629:14 | st | st | -| test.cpp:718:5:718:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:712:13:712:14 | st | st | -| test.cpp:731:5:731:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:725:13:725:14 | st | st | -| test.cpp:732:5:732:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:725:13:725:14 | st | st | -| test.cpp:733:5:733:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:725:13:725:14 | st | st | +#select +| test.cpp:422:5:422:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:417:13:417:14 | st | st | +| test.cpp:440:5:440:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:435:13:435:14 | st | st | +| test.cpp:456:6:456:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:451:62:451:63 | st | st | +| test.cpp:647:5:647:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:643:13:643:14 | st | st | +| test.cpp:665:5:665:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:661:13:661:14 | st | st | +| test.cpp:681:5:681:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:677:13:677:14 | st | st | +| test.cpp:792:11:792:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:789:12:789:19 | timeinfo | timeinfo | +| test.cpp:813:11:813:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:806:12:806:19 | timeinfo | timeinfo | +| test.cpp:818:5:818:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:807:13:807:14 | st | st | +| test.cpp:954:6:954:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:947:14:947:15 | st | st | +| test.cpp:972:6:972:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:965:14:965:15 | st | st | +| test.cpp:990:6:990:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:984:14:984:15 | st | st | +| test.cpp:1077:5:1077:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:1071:13:1071:14 | st | st | +| test.cpp:1135:9:1135:15 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:92:17:92:23 | tm_year | tm_year | test.cpp:1126:35:1126:36 | tm | tm | +| test.cpp:1137:9:1137:15 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:92:17:92:23 | tm_year | tm_year | test.cpp:1126:35:1126:36 | tm | tm | +| test.cpp:1591:11:1591:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1590:41:1590:48 | timeinfo | timeinfo | +| test.cpp:1599:11:1599:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1598:41:1598:48 | timeinfo | timeinfo | +| test.cpp:1645:11:1645:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1644:57:1644:64 | timeinfo | timeinfo | +| test.cpp:1656:11:1656:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1655:57:1655:64 | timeinfo | timeinfo | +| test.cpp:1667:11:1667:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1666:30:1666:37 | timeinfo | timeinfo | +| test.cpp:1678:11:1678:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1677:30:1677:37 | timeinfo | timeinfo | +| test.cpp:1690:11:1690:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1689:30:1689:37 | timeinfo | timeinfo | +| test.cpp:1702:11:1702:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1701:30:1701:37 | timeinfo | timeinfo | +| test.cpp:1712:11:1712:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1711:30:1711:37 | timeinfo | timeinfo | +| test.cpp:1723:11:1723:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1722:40:1722:47 | timeinfo | timeinfo | +| test.cpp:1758:11:1758:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1757:45:1757:52 | timeinfo | timeinfo | +| test.cpp:1763:11:1763:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1762:45:1762:52 | timeinfo | timeinfo | +| test.cpp:1792:11:1792:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1788:38:1788:45 | timeinfo | timeinfo | +| test.cpp:1799:11:1799:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1798:36:1798:43 | timeinfo | timeinfo | +testFailures +| test.cpp:422:5:422:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:440:5:440:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:456:6:456:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:647:5:647:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:665:5:665:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:681:5:681:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:792:11:792:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:813:11:813:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:818:5:818:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:954:6:954:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:972:6:972:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:990:6:990:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1077:5:1077:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1135:9:1135:15 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1137:9:1137:15 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1591:11:1591:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1599:11:1599:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1645:11:1645:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1656:11:1656:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1667:11:1667:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1678:11:1678:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1690:11:1690:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1702:11:1702:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1712:11:1712:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1723:11:1723:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1758:11:1758:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1763:11:1763:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1792:11:1792:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1799:11:1799:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.qlref index 22a30d72b68..12bb5eb1e69 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.qlref @@ -1 +1,2 @@ -Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +query: Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected index fb79592b7f2..e893ae1fff0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected @@ -1,5 +1,6 @@ -| test.cpp:317:2:317:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:309:13:309:14 | st | st | -| test.cpp:330:2:330:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:322:13:322:14 | st | st | -| test.cpp:341:2:341:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:333:62:333:63 | st | st | -| test.cpp:720:2:720:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:712:13:712:14 | st | st | -| test.cpp:735:2:735:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:725:13:725:14 | st | st | +| test.cpp:425:2:425:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:417:13:417:14 | st | st | +| test.cpp:443:2:443:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:435:13:435:14 | st | st | +| test.cpp:459:2:459:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:451:62:451:63 | st | st | +| test.cpp:956:3:956:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:947:14:947:15 | st | st | +| test.cpp:974:3:974:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:965:14:965:15 | st | st | +| test.cpp:1081:2:1081:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:1071:13:1071:14 | st | st | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp index 3db9b61edd2..4451450fb25 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp @@ -46,6 +46,8 @@ typedef struct _TIME_DYNAMIC_ZONE_INFORMATION { BOOLEAN DynamicDaylightTimeDisabled; } DYNAMIC_TIME_ZONE_INFORMATION, *PDYNAMIC_TIME_ZONE_INFORMATION; +typedef const wchar_t* LPCWSTR; + struct tm { int tm_sec; // seconds after the minute - [0, 60] including leap second @@ -59,6 +61,42 @@ struct tm int tm_isdst; // daylight savings time flag }; +struct timespec +{ + time_t tv_sec; + long tv_nsec; +}; + +/* Timestamps of log entries. */ +struct logtime { + struct tm tm; + long usec; +}; + +/* + * Data structure representing a broken-down timestamp. + * + * CAUTION: the IANA timezone library (src/timezone/) follows the POSIX + * convention that tm_mon counts from 0 and tm_year is relative to 1900. + * However, Postgres' datetime functions generally treat tm_mon as counting + * from 1 and tm_year as relative to 1 BC. Be sure to make the appropriate + * adjustments when moving from one code domain to the other. + */ +struct pg_tm +{ + int tm_sec; + int tm_min; + int tm_hour; + int tm_mday; + int tm_mon; /* see above */ + int tm_year; /* see above */ + int tm_wday; + int tm_yday; + int tm_isdst; + long int tm_gmtoff; + const char *tm_zone; +}; + BOOL SystemTimeToFileTime( const SYSTEMTIME* lpSystemTime, @@ -99,9 +137,16 @@ TzSpecificLocalTimeToSystemTimeEx( LPSYSTEMTIME lpUniversalTime ); +int _wtoi( + const wchar_t *str +); + void GetSystemTime( LPSYSTEMTIME lpSystemTime ); +void GetLocalTime( + LPSYSTEMTIME lpSystemTime +); void GetSystemTimeAsFileTime( LPFILETIME lpSystemTimeAsFileTime @@ -149,6 +194,12 @@ GetFileTime( LPFILETIME lpLastWriteTime ); +struct tm *localtime_r( const time_t *timer, struct tm *buf ); + +/** + * Negative Case + * FileTimeToSystemTime is called and the return value is checked +*/ void Correct_FileTimeToSystemTime(const FILETIME* lpFileTime) { SYSTEMTIME systemTime; @@ -162,6 +213,10 @@ void Correct_FileTimeToSystemTime(const FILETIME* lpFileTime) /// Normal usage } +/** + * Positive (Out of Scope) Bug Case + * FileTimeToSystemTime is called but no check is conducted to verify the result of the operation +*/ void AntiPattern_FileTimeToSystemTime(const FILETIME* lpFileTime) { SYSTEMTIME systemTime; @@ -170,6 +225,10 @@ void AntiPattern_FileTimeToSystemTime(const FILETIME* lpFileTime) FileTimeToSystemTime(lpFileTime, &systemTime); } +/** + * Negative Case + * SystemTimeToTzSpecificLocalTime is called and the return value is verified +*/ void Correct_SystemTimeToTzSpecificLocalTime(const TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpUniversalTime) { SYSTEMTIME localTime; @@ -183,6 +242,10 @@ void Correct_SystemTimeToTzSpecificLocalTime(const TIME_ZONE_INFORMATION *lpTime /// Normal usage } +/** + * Positive (Out of Scope) Case + * AntiPattern_SystemTimeToTzSpecificLocalTime is called but the return value is not validated +*/ void AntiPattern_SystemTimeToTzSpecificLocalTime(const TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpUniversalTime) { SYSTEMTIME localTime; @@ -191,6 +254,10 @@ void AntiPattern_SystemTimeToTzSpecificLocalTime(const TIME_ZONE_INFORMATION *lp SystemTimeToTzSpecificLocalTime(lpTimeZoneInformation, lpUniversalTime, &localTime); } +/** + * Negative Case + * SystemTimeToTzSpecificLocalTimeEx is called and the return value is validated +*/ void Correct_SystemTimeToTzSpecificLocalTimeEx(const DYNAMIC_TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpUniversalTime) { SYSTEMTIME localTime; @@ -204,6 +271,10 @@ void Correct_SystemTimeToTzSpecificLocalTimeEx(const DYNAMIC_TIME_ZONE_INFORMATI /// Normal usage } +/** + * Positive Case + * SystemTimeToTzSpecificLocalTimeEx is called but the return value is not validated +*/ void AntiPattern_SystemTimeToTzSpecificLocalTimeEx(const DYNAMIC_TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpUniversalTime) { SYSTEMTIME localTime; @@ -212,6 +283,10 @@ void AntiPattern_SystemTimeToTzSpecificLocalTimeEx(const DYNAMIC_TIME_ZONE_INFOR SystemTimeToTzSpecificLocalTimeEx(lpTimeZoneInformation, lpUniversalTime, &localTime); } +/** + * Negative Case + * Correct use of TzSpecificLocalTimeToSystemTime, function is called and the return value is validated. +*/ void Correct_TzSpecificLocalTimeToSystemTime(const TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpLocalTime) { SYSTEMTIME universalTime; @@ -225,6 +300,10 @@ void Correct_TzSpecificLocalTimeToSystemTime(const TIME_ZONE_INFORMATION *lpTime /// Normal usage } +/** + * Positive (Out of Scope) Case + * TzSpecificLocalTimeToSystemTime is called however the return value is not validated +*/ void AntiPattern_TzSpecificLocalTimeToSystemTime(const TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpLocalTime) { SYSTEMTIME universalTime; @@ -233,6 +312,10 @@ void AntiPattern_TzSpecificLocalTimeToSystemTime(const TIME_ZONE_INFORMATION *lp TzSpecificLocalTimeToSystemTime(lpTimeZoneInformation, lpLocalTime, &universalTime); } +/** + * Negative Case + * TzSpecificLocalTimeToSystemTimeEx is called and the return value is correctly validated +*/ void Correct_TzSpecificLocalTimeToSystemTimeEx(const DYNAMIC_TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpLocalTime) { SYSTEMTIME universalTime; @@ -246,6 +329,10 @@ void Correct_TzSpecificLocalTimeToSystemTimeEx(const DYNAMIC_TIME_ZONE_INFORMATI /// Normal usage } +/** + * Positive (Out of Scope) Case + * TzSpecificLocalTimeToSystemTimeEx is called however the return value is not validated +*/ void AntiPattern_TzSpecificLocalTimeToSystemTimeEx(const DYNAMIC_TIME_ZONE_INFORMATION *lpTimeZoneInformation, const SYSTEMTIME *lpLocalTime) { SYSTEMTIME universalTime; @@ -258,6 +345,10 @@ void AntiPattern_TzSpecificLocalTimeToSystemTimeEx(const DYNAMIC_TIME_ZONE_INFOR SYSTEMTIME Cases *************************************************/ +/** + * Negative Case + * SystemTimeToFileTime is called and the return value is validated in a guard +*/ void Correct_filetime_conversion_check(SYSTEMTIME& st) { FILETIME ft; @@ -273,6 +364,10 @@ void Correct_filetime_conversion_check(SYSTEMTIME& st) ////////////////////////////////////////////// +/** + * Positive (Out of Scope) Case + * SystemTimeToFileTime is called but the return value is not validated in a guard +*/ void AntiPattern_unchecked_filetime_conversion(SYSTEMTIME& st) { FILETIME ft; @@ -281,6 +376,10 @@ void AntiPattern_unchecked_filetime_conversion(SYSTEMTIME& st) SystemTimeToFileTime(&st, &ft); } +/** + * Positive (Out of Scope) Case + * SystemTimeToFileTime is called but the return value is not validated in a guard +*/ void AntiPattern_unchecked_filetime_conversion2(SYSTEMTIME* st) { FILETIME ft; @@ -292,6 +391,10 @@ void AntiPattern_unchecked_filetime_conversion2(SYSTEMTIME* st) } } +/** + * Positive (Out of Scope) + * SYSTEMTIME.wDay is incremented by one (and no guard exists) +*/ void AntiPattern_unchecked_filetime_conversion2() { SYSTEMTIME st; @@ -304,6 +407,11 @@ void AntiPattern_unchecked_filetime_conversion2() SystemTimeToFileTime(&st, &ft); } +/** + * Positive Cases + * - Anti-pattern 1: [year ±n, month, day] + * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions +*/ void AntiPattern_unchecked_filetime_conversion2a() { SYSTEMTIME st; @@ -311,12 +419,17 @@ void AntiPattern_unchecked_filetime_conversion2a() GetSystemTime(&st); // BUG - UncheckedLeapYearAfterYearModification - st.wYear += 2; + st.wYear += 2; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // BUG - UncheckedReturnValueForTimeFunctions SystemTimeToFileTime(&st, &ft); } +/** + * Positive Cases + * - Anti-pattern 1: [year ±n, month, day] + * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions +*/ void AntiPattern_unchecked_filetime_conversion2b() { SYSTEMTIME st; @@ -324,23 +437,33 @@ void AntiPattern_unchecked_filetime_conversion2b() GetSystemTime(&st); // BUG - UncheckedLeapYearAfterYearModification - st.wYear++; + st.wYear++; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // BUG - UncheckedReturnValueForTimeFunctions SystemTimeToFileTime(&st, &ft); } +/** + * Positive Cases + * - Anti-pattern 1: [year ±n, month, day] + * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions +*/ void AntiPattern_unchecked_filetime_conversion2b(SYSTEMTIME* st) { FILETIME ft; // BUG - UncheckedLeapYearAfterYearModification - st->wYear++; + st->wYear++; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // BUG - UncheckedReturnValueForTimeFunctions SystemTimeToFileTime(st, &ft); } +/** + * Positive Cases + * - Anti-pattern 3: datetime.AddDays(±28) + * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions +*/ void AntiPattern_unchecked_filetime_conversion3() { SYSTEMTIME st; @@ -349,11 +472,12 @@ void AntiPattern_unchecked_filetime_conversion3() if (st.wMonth < 12) { + // Anti-pattern 3: datetime.AddDays(±28) st.wMonth++; } else { - // Check for leap year, but... + // No check for leap year is required here, as the month is statically set to January. st.wMonth = 1; st.wYear++; } @@ -363,6 +487,11 @@ void AntiPattern_unchecked_filetime_conversion3() } ////////////////////////////////////////////// + +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Year is incremented and if we are on Feb the 29th, set to the 28th if the new year is a common year. +*/ void CorrectPattern_check1() { SYSTEMTIME st; @@ -370,7 +499,7 @@ void CorrectPattern_check1() st.wYear++; - // Guard + // Guard against February the 29th if (st.wMonth == 2 && st.wDay == 29) { // move back a day when landing on Feb 29 in an non-leap year @@ -385,6 +514,10 @@ void CorrectPattern_check1() AntiPattern_unchecked_filetime_conversion(st); } +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and then the leap year case is correctly guarded and handled. +*/ void CorrectPattern_check2(int yearsToAdd) { SYSTEMTIME st; @@ -400,11 +533,18 @@ void CorrectPattern_check2(int yearsToAdd) AntiPattern_unchecked_filetime_conversion(st); } +/** + * Could give rise to AntiPattern 7: IsLeapYear (Conditional Logic) +*/ bool isLeapYear(SYSTEMTIME& st) { return st.wYear % 4 == 0 && (st.wYear % 100 != 0 || st.wYear % 400 == 0); } +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and then the leap year case is correctly guarded and handled. +*/ void CorrectPattern_check3() { SYSTEMTIME st; @@ -413,6 +553,9 @@ void CorrectPattern_check3() st.wYear++; // Guard + /** Negative Case - Anti-pattern 7: IsLeapYear + * Body of conditional statement is safe recommended code + */ if (st.wMonth == 2 && st.wDay == 29 && isLeapYear(st)) { // move back a day when landing on Feb 29 in an non-leap year @@ -423,6 +566,9 @@ void CorrectPattern_check3() AntiPattern_unchecked_filetime_conversion(st); } +/** + * Could give rise to AntiPattern 7: IsLeapYear (Conditional Logic) +*/ bool isLeapYear2(int year) { return year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); @@ -433,6 +579,10 @@ bool fixDate(int day, int month, int year) return (month == 2 && day == 29 && isLeapYear2(year)); } +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and then the leap year case is correctly guarded and handled. +*/ void CorrectPattern_check4() { SYSTEMTIME st; @@ -442,18 +592,23 @@ void CorrectPattern_check4() st.wYear++; // Guard + /** Negative Case - Anti-pattern 7: IsLeapYear + * Body of conditional statement is safe recommended code + */ if (fixDate(st.wDay, st.wMonth, st.wYear)) { // move back a day when landing on Feb 29 in an non-leap year - st.wDay = 28; // GOOD [FALSE POSITIVE] + st.wDay = 28; // GOOD [FALSE POSITIVE] Anti-pattern 7 } // Safe to use AntiPattern_unchecked_filetime_conversion(st); } - - +/** + * Negative Case - Generic + * No manipulation is conducted on struct populated from GetSystemTime. +*/ void CorrectPattern_NotManipulated_DateFromAPI_0() { SYSTEMTIME st; @@ -464,6 +619,10 @@ void CorrectPattern_NotManipulated_DateFromAPI_0() SystemTimeToFileTime(&st, &ft); } +/** + * Negative Case - Generic + * No manipulation is conducted on struct populated from GetFileTime. +*/ void CorrectPattern_NotManipulated_DateFromAPI_1(HANDLE hWatchdog) { SYSTEMTIME st; @@ -475,43 +634,56 @@ void CorrectPattern_NotManipulated_DateFromAPI_1(HANDLE hWatchdog) ///////////////////////////////////////////////////////////////// +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Year is incremented by some integer and checked through a conversion through an inter procedural function check +*/ void AntiPattern_1_year_addition() { SYSTEMTIME st; GetSystemTime(&st); - // BUG - UncheckedLeapYearAfterYearModification - st.wYear++; + // Safe, checked interprocedurally through Correct_filetime_conversion_check + st.wYear++; // Usage of potentially invalid date Correct_filetime_conversion_check(st); } + + +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and checked through a conversion through an inter procedural function check +*/ void AntiPattern_simple_addition(int yearAddition) { SYSTEMTIME st; GetSystemTime(&st); - // BUG - UncheckedLeapYearAfterYearModification - st.wYear += yearAddition; + st.wYear += yearAddition; // Usage of potentially invalid date Correct_filetime_conversion_check(st); } +/** + * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer but a leap year is not handled *correctly*. +*/ void AntiPattern_IncorrectGuard(int yearsToAdd) { SYSTEMTIME st; GetSystemTime(&st); // BUG - UncheckedLeapYearAfterYearModification - st.wYear += yearsToAdd; + st.wYear += yearsToAdd; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // Incorrect Guard if (st.wMonth == 2 && st.wDay == 29) { - // Part of a different anti-pattern. + // Part of a different anti-pattern (AntiPattern 5). // Make sure the guard includes the proper check bool isLeapYear = st.wYear % 4 == 0; if (!isLeapYear) @@ -519,9 +691,6 @@ void AntiPattern_IncorrectGuard(int yearsToAdd) st.wDay = 28; } } - - // Potentially Unsafe to use - Correct_filetime_conversion_check(st); } /************************************************* @@ -539,6 +708,10 @@ void CorrectUsageOf_mkgmtime(struct tm& timeinfo) /// _mkgmtime succeeded } +/** + * Positive Case - General (Out of Scope) + * Must Check for return value of _mkgmtime +*/ void AntiPattern_uncheckedUsageOf_mkgmtime(struct tm& timeinfo) { // (out-of-scope) GeneralBug: Must check return value for _mkgmtime @@ -550,6 +723,10 @@ void AntiPattern_uncheckedUsageOf_mkgmtime(struct tm& timeinfo) ////////////////////////////////////////////////////////// +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and leap year is not handled correctly. +*/ void Correct_year_addition_struct_tm() { time_t rawtime; @@ -575,7 +752,11 @@ void Correct_year_addition_struct_tm() AntiPattern_uncheckedUsageOf_mkgmtime(timeinfo); } -void Correct_LinuxPattern() +/** + * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and leap year is not handled correctly. +*/ +void Incorrect_LinuxPattern() { time_t rawtime; struct tm timeinfo; @@ -584,7 +765,8 @@ void Correct_LinuxPattern() errno_t err = gmtime_s(&timeinfo, &rawtime); /* from 1900 -> from 1980 */ - timeinfo.tm_year -= 80; + // BUG - UncheckedLeapYearAfterYearModification + timeinfo.tm_year -= 80; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] /* 0~11 -> 1~12 */ timeinfo.tm_mon++; /* 0~59 -> 0~29(2sec counts) */ @@ -596,34 +778,30 @@ void Correct_LinuxPattern() ////////////////////////////////////////// +/** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Years is incremented by some integer and leap year is assumed checked through + * check of a conversion functions return value. +*/ void AntiPattern_year_addition_struct_tm() { time_t rawtime; struct tm timeinfo; time(&rawtime); gmtime_s(&timeinfo, &rawtime); - // BUG - UncheckedLeapYearAfterYearModification - timeinfo.tm_year++; + timeinfo.tm_year++; - // Usage of potentially invalid date + // mkgmtime result checked in nested call here, assume leap year conversion is potentially handled CorrectUsageOf_mkgmtime(timeinfo); } ///////////////////////////////////////////////////////// -void FalsePositiveTests(int x) -{ - struct tm timeinfo; - SYSTEMTIME st; - timeinfo.tm_year = x; - timeinfo.tm_year = 1970; - - st.wYear = x; - st.wYear = 1900 + x; -} - -void FalseNegativeTests(int x) +/** + * Positive Case - Anti-pattern 1: [year ±n, month, day] +*/ +void test(int x) { struct tm timeinfo; SYSTEMTIME st; @@ -631,106 +809,999 @@ void FalseNegativeTests(int x) timeinfo.tm_year = x; // BUG - UncheckedLeapYearAfterYearModification - timeinfo.tm_year = x + timeinfo.tm_year; - // BUG - UncheckedLeapYearAfterYearModification - timeinfo.tm_year = 1970 + timeinfo.tm_year; + // Positive Case - Anti-pattern 1: [year ±n, month, day] + timeinfo.tm_year = x + timeinfo.tm_year; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] st.wYear = x; // BUG - UncheckedLeapYearAfterYearModification - st.wYear = x + st.wYear; - // BUG - UncheckedLeapYearAfterYearModification - st.wYear = (1986 + st.wYear) - 1; + // Positive Case - Anti-pattern 1: [year ±n, month, day] + st.wYear = x + st.wYear; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] } -// False positive -inline void -IncrementMonth(LPSYSTEMTIME pst) +/** + * Positive AntiPattern 1 NOTE: historically considered positive but mktime checks year validity, needs re-assessment + * Year field is modified but via an intermediary variable. +*/ +bool tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) { - if (pst->wMonth < 12) + struct tm tm_parsed; + bool timestamp_found = false; + + struct tm tm_now; + time_t t_now; + int year; + + timestamp_found = true; + + /* + * As the timestamp does not contain the year + * number, daylight saving time information, nor + * a time zone, attempt to infer it. Due to + * clock skews, the timestamp may even be part + * of the next year. Use the last year for which + * the timestamp is at most one week in the + * future. + * + * This loop can only run for at most three + * iterations before terminating. + */ + t_now = now.tv_sec; + localtime_r(&t_now, &tm_now); + + timestamp_remote.tm = tm_parsed; + timestamp_remote.tm.tm_isdst = -1; + timestamp_remote.usec = now.tv_nsec * 0.001; + for (year = tm_now.tm_year + 1;; --year) { - pst->wMonth++; - } - else - { - pst->wMonth = 1; - pst->wYear++; + // assert(year >= tm_now.tm_year - 1); + timestamp_remote.tm.tm_year = year; + if (mktime(×tamp_remote.tm) < t_now + 7 * 24 * 60 * 60) + break; } } -///////////////////////////////////////////////////////// -void mkDateTest(int year) -{ - struct tm t; - - t.tm_sec = 0; - t.tm_min = 0; - t.tm_hour = 0; - t.tm_mday = 1; // day of the month - [1, 31] - t.tm_mon = 0; // months since January - [0, 11] - if (year >= 1900) + // False positive + inline void + IncrementMonth(LPSYSTEMTIME pst) { - // 4-digit year - t.tm_year = year - 1900; // GOOD - } else if ((year >= 0) && (year < 100)) { - // 2-digit year assumed in the range 2000 - 2099 - t.tm_year = year + 100; // GOOD [FALSE POSITIVE] - } else { - // fail + if (pst->wMonth < 12) + { + pst->wMonth++; + } + else + { + pst->wMonth = 1; + pst->wYear++; + } } - // ... + + ///////////////////////////////////////////////////////// + + void mkDateTest(int year) + { + struct tm t; + + t.tm_sec = 0; + t.tm_min = 0; + t.tm_hour = 0; + t.tm_mday = 1; // day of the month - [1, 31] + t.tm_mon = 0; // months since January - [0, 11] + if (year >= 1900) + { + // 4-digit year + t.tm_year = year - 1900; // GOOD + } + else if ((year >= 0) && (year < 100)) + { + // 2-digit year assumed in the range 2000 - 2099 + t.tm_year = year + 100; // GOOD [FALSE POSITIVE] + } + else + { + // fail + } + // ... + } + + /** + * Negative Case - Anti-pattern 1a: [a.year, b.month, b.day] + * False positive: No modification of SYSTEMTIME struct. + */ + void unmodified1() + { + SYSTEMTIME st; + FILETIME ft; + WORD w; + + GetSystemTime(&st); + + w = st.wYear; + + SystemTimeToFileTime(&st, &ft); // GOOD - no modification + } + + /** + * Negative Case - Anti-pattern 1a: [a.year, b.month, b.day] + * False positive: No modification of SYSTEMTIME struct. + */ + void unmodified2() + { + SYSTEMTIME st; + FILETIME ft; + WORD *w_ptr; + + GetSystemTime(&st); + + w_ptr = &(st.wYear); + + SystemTimeToFileTime(&st, &ft); // GOOD - no modification + } + + /** + * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Modification of SYSTEMTIME struct adding to year but no leap year guard is conducted. + */ + void modified3() + { + SYSTEMTIME st; + FILETIME ft; + WORD *w_ptr; + + GetSystemTime(&st); + + // BUG - UncheckedLeapYearAfterYearModification + st.wYear = st.wYear + 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + SystemTimeToFileTime(&st, &ft); + } + + /** + * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Modification of SYSTEMTIME struct adding to year but no leap year guard is conducted. + */ + void modified4() + { + SYSTEMTIME st; + FILETIME ft; + WORD *w_ptr; + + GetSystemTime(&st); + + // BUG - UncheckedLeapYearAfterYearModification + st.wYear++; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + SystemTimeToFileTime(&st, &ft); + } + + /** + * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Modification of SYSTEMTIME struct adding to year but value passed to a + * conversion function that can be checked for success, and the result is checked. + */ + void modified5() + { + SYSTEMTIME st; + FILETIME ft; + WORD *w_ptr; + + GetSystemTime(&st); + + st.wYear++; + + // Presumed safe usage, as if the conversion is incorrect, a user can handle the error. + // NOTE: it doesn't mean the user actually does the correct conversion and it it also + // doesn't mean it will error our in all cases that may be invalid. + // For example, if a leap year and the date is 28, we may want 29 if the time is meant + // to capture the end of the month, but 28 is still valid and will not error out. + if (SystemTimeToFileTime(&st, &ft)) + { + ///... + } + } + + struct tm ltime(void) + { + SYSTEMTIME st; + struct tm tm; + bool isLeapYear; + + GetLocalTime(&st); + tm.tm_sec=st.wSecond; + tm.tm_min=st.wMinute; + tm.tm_hour=st.wHour; + tm.tm_mday=st.wDay; + tm.tm_mon=st.wMonth-1; + tm.tm_year=(st.wYear>=1900?st.wYear-1900:0); + + // Check for leap year, and adjust the date accordingly + isLeapYear = tm.tm_year % 4 == 0 && (tm.tm_year % 100 != 0 || tm.tm_year % 400 == 0); + tm.tm_mday = tm.tm_mon == 2 && tm.tm_mday == 29 && !isLeapYear ? 28 : tm.tm_mday; + return tm; + } + +/** +* Negative Case - Anti-pattern 1: [year ±n, month, day] +* Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. +*/ +bool +FMAPITimeToSysTimeW(LPCWSTR wszTime, SYSTEMTIME *psystime) +{ + // if (!wszTime || SafeIsBadReadPtr(wszTime, 1) || lstrlenW(wszTime) != cchMAPITime) + // return false; + // AssertTag(!SafeIsBadWritePtr(psystime, sizeof(SYSTEMTIME)), 0x0004289a /* tag_abc80 */); + // memset(psystime, 0, sizeof(SYSTEMTIME)); + + psystime->wYear = (WORD)_wtoi(wszTime); + psystime->wMonth = (WORD)_wtoi(wszTime+5); + psystime->wDay = (WORD)_wtoi(wszTime+8); + psystime->wHour = (WORD)_wtoi(wszTime+11); + psystime->wMinute = (WORD)_wtoi(wszTime+14); + return true; } -void unmodified1() +/** +* Negative Case - Anti-pattern 1: [year ±n, month, day] +* Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. +*/ +bool +ATime_HrGetSysTime(SYSTEMTIME *pst) { - SYSTEMTIME st; - FILETIME ft; - WORD w; - - GetSystemTime(&st); - - w = st.wYear; - - SystemTimeToFileTime(&st, &ft); // GOOD - no modification + // if (!FValidSysTime()) + // { + // TrapSzTag("ATime cannot be converted to SYSTEMTIME", 0x1e14f5c3 /* tag_4fpxd */); + // CORgTag(E_FAIL, 0x6c373230 /* tag_l720 */); + // } + + // pst->wYear = static_cast(m_lYear); + // pst->wMonth = static_cast(m_lMonth); + // //pst->wDayOfWeek = ???; + // pst->wDay = static_cast(m_lDay); + // pst->wHour = static_cast(m_lHour); + // pst->wMinute = static_cast(m_lMinute); + // pst->wSecond = static_cast(m_lSecond); + // pst->wMilliseconds = 0; } -void unmodified2() -{ +/** +* Negative Case - Anti-pattern 1: [year ±n, month, day] +* Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. +*/ +void fp_daymonth_guard(){ SYSTEMTIME st; FILETIME ft; - WORD *w_ptr; - GetSystemTime(&st); + // FALSE POSITIVE: year is incremented but month is checked and day corrected + // in a ternary operation. It may be possible to fix this with a more sophisticated + // data flow analysis. + st.wYear++; // $ SPURIOUS: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] - w_ptr = &(st.wYear); - - SystemTimeToFileTime(&st, &ft); // GOOD - no modification -} - -void modified3() -{ - SYSTEMTIME st; - FILETIME ft; - WORD *w_ptr; - - GetSystemTime(&st); - - st.wYear = st.wYear + 1; // BAD + st.wDay = st.wMonth == 2 && st.wDay == 29 ? 28 : st.wDay; SystemTimeToFileTime(&st, &ft); } -void modified4() -{ - SYSTEMTIME st; - FILETIME ft; - WORD *w_ptr; - - GetSystemTime(&st); - - st.wYear++; // BAD - st.wYear++; // BAD - st.wYear++; // BAD - - SystemTimeToFileTime(&st, &ft); +void increment_arg(WORD &x){ + x++; // $ Source } + +void increment_arg_by_pointer(WORD *x){ + (*x)++; // $ Source +} + + +void fn_year_set_through_out_arg(){ + SYSTEMTIME st; + GetSystemTime(&st); + // BAD, year incremented without check + increment_arg(st.wYear); // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + // GetSystemTime(&st); + // Bad, year incremented without check + increment_arg_by_pointer(&st.wYear); // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + + +/* TODO: don't alert on simple copies from another struct where all three {year,month,day} are copied +void +GetEpochTime(struct pg_tm *tm) +{ + struct pg_tm *t0; + pg_time_t epoch = 0; + + t0 = pg_gmtime(&epoch); + + tm->tm_year = t0->tm_year; + tm->tm_mon = t0->tm_mon; + tm->tm_mday = t0->tm_mday; + tm->tm_hour = t0->tm_hour; + tm->tm_min = t0->tm_min; + tm->tm_sec = t0->tm_sec; + + tm->tm_year += 1900; + tm->tm_mon++; +} */ + +void +fp_guarded_by_month(struct pg_tm *tm){ + int woy = 52; + int MONTHS_PER_YEAR = 12; + /* + * If it is week 52/53 and the month is January, then the + * week must belong to the previous year. Also, some + * December dates belong to the next year. + */ + if (woy >= 52 && tm->tm_mon == 1) + --tm->tm_year; // Negative Test Case + if (woy <= 1 && tm->tm_mon == MONTHS_PER_YEAR) + ++tm->tm_year; // Negative Test Case +} + +typedef unsigned short CSHORT; + +typedef struct _TIME_FIELDS { + CSHORT Year; + CSHORT Month; + CSHORT Day; + CSHORT Hour; + CSHORT Minute; + CSHORT Second; + CSHORT Milliseconds; + CSHORT Weekday; +} TIME_FIELDS, *PTIME_FIELDS; + +void +tp_ptime(PTIME_FIELDS ptm){ + ptm->Year = ptm->Year - 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + + +bool isLeapYearRaw(WORD year) +{ + return year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); +} + +void leap_year_checked_raw_false_positive1(WORD year, WORD offset, WORD day){ + struct tm tmp; + + year += offset; + + if (isLeapYearRaw(year)){ + // in this simplified example, assume the logic of this function + // can assume a day is 28 by default + // this check is more to establish the leap year guard is present + day += 1; + } + + // Assume the check handled leap year correctly + tmp.tm_year = year; // GOOD + tmp.tm_mday = day; +} + + +void leap_year_checked_raw_false_positive2(WORD year, WORD offset, WORD day){ + struct tm tmp; + + year += offset; + + tmp.tm_year = year; // GOOD, check performed immediately after on raw year + + // Adding some additional checks to resemble cases observed in the wild + if ( day > 0) + { + if (isLeapYearRaw(year)){ + // Assume logic that would adjust the day correctly + } + } + else{ + if (isLeapYearRaw(year)){ + // Assume logic that would adjust the day correctly + } + } + + tmp.tm_mday = day; + + year += offset; // $ Source + + tmp.tm_year = year; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + +} + + +bool isNotLeapYear(struct tm tm) +{ + return !(tm.tm_year % 4 == 0 && (tm.tm_year % 100 != 0 || tm.tm_year % 400 == 0)); +} + +bool isNotLeapYear2(struct tm tm) +{ + return (tm.tm_year % 4 != 0 || (tm.tm_year % 100 == 0 && tm.tm_year % 400 != 0)); +} + + +void inverted_leap_year_check(WORD year, WORD offset, WORD day){ + struct tm tmp; + + tmp.tm_year = year + offset; + + if (isNotLeapYear(tmp)){ + day = 28; + } + + tmp.tm_year = year + offset; + + if(isNotLeapYear2(tmp)){ + day = 28; + } + + + tmp.tm_year = year + offset; + bool isNotLeapYear = (tmp.tm_year % 4 != 0 || (tmp.tm_year % 100 == 0 && tmp.tm_year % 400 != 0)); + + if(isNotLeapYear){ + day = 28; + } + + tmp.tm_year = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + + +void simplified_leap_year_check1(WORD year, WORD offset){ + struct tm tmp; + + tmp.tm_year = year + offset; // OK + + bool isLeap = (!((tmp.tm_year + 1900) % 4)) && ((tmp.tm_year + 1900) % 100 || !((tmp.tm_year + 1900) % 400)); + if(isLeap){ + // do something + } + + // Modified after check, could be dangerous + tmp.tm_year = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void simplified_leap_year_check2(WORD year, WORD offset){ + struct tm tmp; + + tmp.tm_year = year + offset; // OK + + bool isNotLeap = ((tmp.tm_year + 1900) % 4) || (!((tmp.tm_year + 1900) % 100) && ((tmp.tm_year + 1900) % 400)); + if(isNotLeap){ + // do something + } + + // Modified after check, could be dangerous + tmp.tm_year = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void simplified_leap_year_check3(WORD year, WORD offset){ + SYSTEMTIME tmp; + + tmp.wYear = year + offset; // OK + + bool isLeap = (!(tmp.wYear % 4)) && (tmp.wYear % 100 || !(tmp.wYear% 400)); + if(isLeap){ + // do something + } + + // Modified after check, could be dangerous + tmp.wYear = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void simplified_leap_year_check4(WORD year, WORD offset){ + SYSTEMTIME tmp; + + tmp.wYear = year + offset; // OK + + bool isNotLeap = (tmp.wYear % 4) || (!(tmp.wYear % 100) && (tmp.wYear % 400)); + if(isNotLeap){ + // do something + } + + // Modified after check, could be dangerous + tmp.wYear = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void bad_simplified_leap_year_check1(WORD year, WORD offset){ + struct tm tmp; + + tmp.tm_year = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + // incorrect logic, should negate the %4 result + bool isLeap = ((tmp.tm_year + 1900) % 4) && ((tmp.tm_year + 1900) % 100 || !((tmp.tm_year + 1900) % 400)); + if(isLeap){ + // do something + } +} + +void bad_simplified_leap_year_check2(WORD year, WORD offset){ + struct tm tmp; + + tmp.tm_year = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + + // incorrect logic, should not negate the %4 result + bool isNotLeap = (!((tmp.tm_year + 1900) % 4)) || (!((tmp.tm_year + 1900) % 100) && ((tmp.tm_year + 1900) % 400)); + if(isNotLeap){ + // do something + } +} + +void bad_simplified_leap_year_check3(WORD year, WORD offset){ + SYSTEMTIME tmp; + + tmp.wYear = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + // incorrect logic, should negate the %4 result + bool isLeap = (tmp.wYear % 4) && (tmp.wYear % 100 || !(tmp.wYear % 400)); + if(isLeap){ + // do something + } +} + +void bad_simplified_leap_year_check4(WORD year, WORD offset){ + SYSTEMTIME tmp; + + tmp.wYear = year + offset; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + + // incorrect logic, should not negate the %4 result + bool isNotLeap = (!(tmp.wYear % 4)) || (!(tmp.wYear % 100) && (tmp.wYear % 400)); + if(isNotLeap){ + // do something + } +} + + +void compound_leap_year_check(WORD year, WORD offset, WORD month, WORD day){ + struct tm tmp; + + tmp.tm_year = year + offset; + + bool isLeap = tmp.tm_year % 4 == 0 && (tmp.tm_year % 100 != 0 || tmp.tm_year % 400 == 0) && (month == 2 && day == 29); + + if(isLeap){ + // do something + } + tmp.tm_mday = day; + tmp.tm_mon = month; +} + +void indirect_time_conversion_check(WORD year, WORD offset){ + SYSTEMTIME tmp; + + tmp.wYear = year + offset; + + FILETIME ft; + + // (out-of-scope) GeneralBug: Unchecked call to SystemTimeToFileTime. this may have failed, but we didn't check the return value! + BOOL res = SystemTimeToFileTime(&tmp, &ft); + + // Assume this check of the result is sufficient as an implicit leap year check. + bool x = (res == 0) ? true : false; +} + +void set_time(WORD year, WORD month, WORD day){ + SYSTEMTIME tmp; + + tmp.wYear = year; //$ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + tmp.wMonth = month; + tmp.wDay = day; +} + +void constant_month_on_year_modification1(WORD year, WORD offset, WORD month){ + SYSTEMTIME tmp; + + if(month++ > 12){ + tmp.wMonth = 1; + tmp.wYear = year + 1;// OK since the year is incremented with a known non-leap year month change + } + + if(month++ > 12){ + + set_time(year+1, 1, 31);// OK since the year is incremented with a known non-leap year month change + } +} + +void constant_month_on_year_modification2(WORD year, WORD offset, WORD month){ + SYSTEMTIME tmp; + + if(month++ > 12){ + tmp.wMonth = 1; + tmp.wYear = year + 1;// OK since the year is incremented with a known non-leap year month change + } + + + if(month++ > 12){ + // some hueristics to detect a false positive here rely on variable names + // which is often consistent in the wild. + // This variant uses the variable names yeartmp and monthtmp + WORD yeartmp; + WORD monthtmp; + yeartmp = year + 1; + monthtmp = 1; + set_time(yeartmp, monthtmp, 31);// OK since the year is incremented with a known non-leap year month change + } +} + +typedef struct parent_struct { + SYSTEMTIME t; +} PARENT_STRUCT; + + + +void nested_time_struct(WORD year, WORD offset){ + PARENT_STRUCT ps; + + ps.t.wYear = year + offset; // OK, checked below + + bool isLeap = isLeapYearRaw(ps.t.wYear); + + if(isLeap){ + // do something + } +} + +void intermediate_time_struct(WORD year, WORD offset){ + SYSTEMTIME tm, tm2; + FILETIME ftTime; + + tm.wYear = year + offset; + + tm2.wYear = tm.wYear; + + + while ( !SystemTimeToFileTime( &tm2, &ftTime ) ) + { + /// handle error + } + +} + +void constant_day_on_year_modification1(WORD year, WORD offset, WORD month){ + SYSTEMTIME tmp; + + if(month++ > 12){ + tmp.wDay = 1; + tmp.wYear = year + 1;// OK since the year is incremented with a known non-leap year day + } + + if(month++ > 12){ + + set_time(year+1, month, 1);// OK since the year is incremented with a known non-leap year day + } + + if(month++ > 12){ + + // BAD, year incremented, month unknown in block, and date is set to 31 + // which is dangerous. + set_time(year+1, month, 31);// $ Source + } +} + +void constant_day_on_year_modification2(WORD year, WORD month){ + SYSTEMTIME tmp; + + // FLASE POSITIVE SOURCE: + // flowing into set_time, the set time does pass a constant day + // but the source here and the source of that constant month don't align + // Current heuristics require the source of the constant day align with the + // source and/or the sink of the year modification. + // We could potentially improve this by checking the paths of both the year and day + // flows, but this may be more complex than is warranted for now. + year = year + 1; // $ SPURIOUS: Source + + if(month++ > 12){ + tmp.wDay = 1; + tmp.wYear = year;// OK since the year is incremented with a known non-leap year day + } + + if(month++ > 12){ + + set_time(year, month, 1);// OK since the year is incremented with a known non-leap year day + } + + year = year + 1; // $ Source + + if(month++ > 12){ + + // BAD, year incremented, month unknown in block, and date is set to 31 + // which is dangerous. + set_time(year, month, 31); + } +} + + +void modification_after_conversion1(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = timeinfo.tm_year + 1900; + + year += 1; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +WORD get_civil_year(tm timeinfo){ + return timeinfo.tm_year + 1900; +} + +void modification_after_conversion2(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = get_civil_year(timeinfo); + year += 1; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void modification_after_conversion_saved_to_other_time_struct1(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = timeinfo.tm_year + 1900; + + year += 1; // $ MISSING: Source + + SYSTEMTIME s; + // FALSE NEGATIVE: missing this because the conversion happens locally before + // the year adjustment, which seems as though it is part of a conversion itself + s.wYear = year; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + + + +void modification_after_conversion_saved_to_other_time_struct2(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = get_civil_year(timeinfo); + + year += 1; // $ Source + + SYSTEMTIME s; + s.wYear = year; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void modification_after_conversion_saved_to_other_time_struct3(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = timeinfo.tm_year + 1900; + + year = year + 1; // $ MISSING: Source + + SYSTEMTIME s; + // FALSE NEGATIVE: missing this because the conversion happens locally before + // the year adjustment, which seems as though it is part of a conversion itself + s.wYear = year; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + + +void year_saved_to_variable_then_modified1(tm timeinfo){ + // A modified year is not directly assigned to the year, rather, the year is + // saved to a variable, modified, used, but never assigned back. + WORD year = timeinfo.tm_year; + + // NOTE: should we even try to detect cases like this? + // Our current rationale is that a year in a struct is more dangerous than a year in isolation + // A year in isolation is harder to interpret + year += 1; // MISSING: $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] +} + +void modification_before_conversion1(tm timeinfo){ + timeinfo.tm_year += 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = timeinfo.tm_year + 1900; +} + +void modification_before_conversion2(tm timeinfo){ + timeinfo.tm_year += 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = get_civil_year(timeinfo); +} + + + +void year_saved_to_variable_then_modified_with_leap_check1(tm timeinfo){ + // A modified year is not directly assigned to the year, rather, the year is + // saved to a variable, modified, used, but never assigned back. + WORD year = timeinfo.tm_year; + + year += 1; + + // performing a check is considered good enough, even if not used correctly + bool b = (year+1900) % 4 == 0 && ((year+1900) % 100 != 0 || (year+1900) % 400 == 0); +} + + +void modification_after_conversion_with_leap_check1(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = timeinfo.tm_year + 1900; + + year += 1; + + // performing a check is considered good enough, even if not used correctly + bool b = year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); +} + +void modification_after_conversion_with_leap_check2(tm timeinfo){ + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = get_civil_year(timeinfo); + + year += 1; + + // performing a check is considered good enough, even if not used correctly + bool b = year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); +} + +void modification_before_conversion_with_leap_check1(tm timeinfo){ + timeinfo.tm_year += 1; + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = timeinfo.tm_year + 1900; + + // performing a check is considered good enough, even if not used correctly + bool b = year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); +} + +void modification_before_conversion_with_leap_check2(tm timeinfo){ + timeinfo.tm_year += 1; + // convert a tm year into a civil year, then modify after conversion + // This case shows a false negative where the year might be used and it is incorrectly modified, + // and never reassigned to another struct. + WORD year = get_civil_year(timeinfo); + + // performing a check is considered good enough, even if not used correctly + bool b = (year) % 4 == 0 && ((year) % 100 != 0 || (year) % 400 == 0); +} + +void odd_leap_year_check1(tm timeinfo){ + timeinfo.tm_year += 1; + + + // Using an odd sytle of checking divisible by 4 presumably as an optimization trick + if(((timeinfo.tm_year+1900) & 3) == 0 && ((timeinfo.tm_year+1900) % 100 != 0 || (timeinfo.tm_year+1900) % 400 == 0)) + { + // do something + } +} + +void odd_leap_year_check2(tm timeinfo){ + timeinfo.tm_year += 1; // $ SPURIOUS: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + // Using an odd sytle of checking divisible by 4 presumably as an optimization trick + // but also check unrelated conditions on the year as an optimization to rule out irrelevant years + // for gregorian leap years + if(timeinfo.tm_mon == 2 && ((timeinfo.tm_year+1900) & 3) == 0 && ((timeinfo.tm_year+1900) <= 1582 || (timeinfo.tm_year+1900) % 100 != 0 || (timeinfo.tm_year+1900) % 400 == 0)) + { + // do something + } +} + +void odd_leap_year_check3(tm timeinfo){ + timeinfo.tm_year += 1; // $ SPURIOUS: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + // Using an odd sytle of checking divisible by 4 presumably as an optimization trick + // but also check unrelated conditions on the year as an optimization to rule out irrelevant years + // for gregorian leap years + if(timeinfo.tm_mon == 2 && ((timeinfo.tm_year+1900) % 4) == 0 && ((timeinfo.tm_year+1900) <= 1582 || (timeinfo.tm_year+1900) % 100 != 0 || (timeinfo.tm_year+1900) % 400 == 0)) + { + // do something + } +} + +void odd_leap_year_check4(tm timeinfo){ + timeinfo.tm_year += 1; + WORD year = timeinfo.tm_year + 1900; + + if( (year % 4 == 0) && (year % 100 > 0 || (year % 400 == 0))) + { + // do something + } +} + +void odd_leap_year_check5(tm timeinfo){ + timeinfo.tm_year += 1; + WORD year = timeinfo.tm_year + 1900; + + if( (year % 4 > 0) || (year % 100 == 0 && (year % 400 > 0))) + { + // do something + } +} + + +void date_adjusted_through_mkgmtime(tm timeinfo){ + timeinfo.tm_year += 1; // $ SPURIOUS: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + // Using an odd sytle of checking divisible by 4 presumably as an optimization trick + // but also check unrelated conditions on the year as an optimization to rule out irrelevant years + // for gregorian leap years + if(timeinfo.tm_mon == 2 && ((timeinfo.tm_year+1900) % 4) == 0 && ((timeinfo.tm_year+1900) <= 1582 || (timeinfo.tm_year+1900) % 100 != 0 || (timeinfo.tm_year+1900) % 400 == 0)) + { + // do something + } +} + +bool data_killer(WORD *d){ + (*d) = 1; + return true; +} + +void interproc_data_killer1(tm timeinfo, WORD delta){ + WORD year = delta + 1; + + if(data_killer(&year)){ + timeinfo.tm_year = year; + } +} + + +void leap_year_check_after_normalization(tm timeinfo, WORD delta){ + WORD year = delta + 1; + + if(data_killer(&year)){ + timeinfo.tm_year = year; + } +} + + +void leap_year_check_call_on_conversion1(tm timeinfo){ + timeinfo.tm_year += 1; + isLeapYearRaw(timeinfo.tm_year + 1900); +} + +void leap_year_check_call_on_conversion2(tm timeinfo){ + timeinfo.tm_year += 1; + WORD year = get_civil_year(timeinfo); + isLeapYearRaw(year); +} + +WORD getDaysInMonth(WORD year, WORD month){ + // simplified + if(month == 2){ + return isLeapYearRaw(year) ? 29 : 28; + } + // else assume logic for every other month, + // returning 30 for simplicity + return 30; +} + +WORD get_civil_year_raw(WORD year){ + return year + 1900; +} + +void leap_year_check_call_on_conversion3(tm timeinfo, WORD year, WORD month, WORD delta){ + year += delta; + WORD days = getDaysInMonth(get_civil_year_raw(year), month); + timeinfo.tm_year = year; +} + +void assumed_maketime_conversion1(tm timeinfo) +{ + //the docs of mktime suggest feb29 is handled, and conversion will occur automatically + //no check required. + timeinfo.tm_year += 1; + + mktime(&timeinfo); +} + + +void bad_leap_year_check_logic1(tm timeinfo){ + timeinfo.tm_year += 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + + WORD year = get_civil_year(timeinfo); + + // expected logic: + //(year % 4) && ((year % 100) || !(year % 400 ))) + WORD days = (!(year % 4) && (!(year % 100) || (year % 400))) ? 366 : 365; +} + From 95d4a541bcdec7096807c03c617370448a3f4c92 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 15:42:43 -0500 Subject: [PATCH 015/110] C++: Refactor leap year logic for UncheckedLeapYearAfterYearModification. Includes new logic for detecting leap year checks, new forms of leap year checks detected, and various heuristics to remove false postives. Move TimeConversionFunction into LeapYear.qll and refactored to separate conversion functions that are expected to be checked for failure from those that auto correct leap year dates if feb 29 is provided on a non-leap year. Increas the set of known TimeConversionFunctions. --- cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll | 32 + .../UncheckedLeapYearAfterYearModification.ql | 867 +++++++++++++++++- .../UncheckedReturnValueForTimeFunctions.ql | 15 - 3 files changed, 857 insertions(+), 57 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll index 2b68730fa58..77c23d97b02 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll +++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll @@ -308,3 +308,35 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C module PossibleYearArithmeticOperationCheckFlow = TaintTracking::Global; + +/** + * This list of APIs should check for the return value to detect problems during the conversion. + */ +class TimeConversionFunction extends Function { + boolean autoLeapYearCorrecting; + + TimeConversionFunction() { + autoLeapYearCorrecting = false and + ( + this.getName() = + [ + "FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime", + "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime", + "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime", + "RtlTimeToSecondsSince1970", "_mkgmtime", "SetSystemTime", "VarUdateFromDate", "from_tm" + ] + or + // Matches all forms of GetDateFormat, e.g. GetDateFormatA/W/Ex + this.getName().matches("GetDateFormat%") + ) + or + autoLeapYearCorrecting = true and + this.getName() = + ["mktime", "_mktime32", "_mktime64", "SystemTimeToVariantTime", "VariantTimeToSystemTime"] + } + + /** + * Holds if the function is expected to auto convert a bad leap year date. + */ + predicate isAutoLeapYearCorrecting() { autoLeapYearCorrecting = true } +} diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 03570b3611c..8be4bbfbfe4 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -1,7 +1,7 @@ /** * @name Year field changed using an arithmetic operation without checking for leap year * @description A field that represents a year is being modified by an arithmetic operation, but no proper check for leap years can be detected afterwards. - * @kind problem + * @kind path-problem * @problem.severity warning * @id cpp/leap-year/unchecked-after-arithmetic-year-modification * @precision medium @@ -11,49 +11,832 @@ import cpp import LeapYear +import semmle.code.cpp.controlflow.IRGuards +import semmle.code.cpp.ir.IR +import semmle.code.cpp.commons.DateTime -from Variable var, LeapYearFieldAccess yfa -where - exists(VariableAccess va | - yfa.getQualifier() = va and - var.getAnAccess() = va and - // The year is modified with an arithmetic operation. Avoid values that are likely false positives - yfa.isModifiedByArithmeticOperationNotForNormalization() and - // Avoid false positives - not ( - // If there is a local check for leap year after the modification - exists(LeapYearFieldAccess yfacheck | - yfacheck.getQualifier() = var.getAnAccess() and - yfacheck.isUsedInCorrectLeapYearCheck() and - yfacheck.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() - ) +/** + * Functions whose operations should never be considered a + * source or sink of a dangerous leap year operation. + * The general concept is to add conversion functions + * that convert one time type to another. Often + * other ignorable operation heuristics will filter these, + * but some cases, the simplest approach is to simply filter + * the function entirely. + * Note that flow through these functions should still be allowed + * we just cannot start or end flow from an operation to a + * year assignment in one of these functions. + */ +class IgnorableFunction extends Function { + IgnorableFunction() { + this instanceof TimeConversionFunction + or + // Helper utility in postgres with string time conversions + this.getName() = "DecodeISO8601Interval" + or + // helper utility for date conversions in qtbase + this.getName() = "adjacentDay" + or + // Windows API function that does timezone conversions + this.getName().matches("%SystemTimeToTzSpecificLocalTime%") + or + // Windows APIs that do time conversions + this.getName().matches("%localtime%\\_s%") + or + // Windows APIs that do time conversions + this.getName().matches("%SpecificLocalTimeToSystemTime%") + or + // postgres function for diffing timestamps, date for leap year + // is not applicable. + this.getName().toLowerCase().matches("%timestamp%age%") + or + // Reading byte streams often involves operations of some base, but that's + // not a real source of leap year issues. + this.getName().toLowerCase().matches("%read%bytes%") + or + // A postgres function for local time conversions + // conversion operations (from one time structure to another) are generally ignorable + this.getName() = "localsub" + or + // Indication of a calendar not applicable to + // gregorian leap year, e.g., Hijri, Persian, Hebrew + this.getName().toLowerCase().matches("%hijri%") + or + this.getFile().getBaseName().toLowerCase().matches("%hijri%") + or + this.getName().toLowerCase().matches("%persian%") + or + this.getFile().getBaseName().toLowerCase().matches("%persian%") + or + this.getName().toLowerCase().matches("%hebrew%") + or + this.getFile().getBaseName().toLowerCase().matches("%hebrew%") + or + // misc. from string/char converters heuristic + this.getName() + .toLowerCase() + .matches(["%char%to%", "%string%to%", "%from%char%", "%from%string%"]) + or + // boost's gregorian.cpp has year manipulations that are checked in complex ways. + // ignore the entire file as a source or sink. + this.getFile().getAbsolutePath().toLowerCase().matches("%boost%gregorian.cpp%") + } +} + +/** + * The set of expressions which are ignorable; either because they seem to not be part of a year mutation, + * or because they seem to be a conversion pattern of mapping date scalars. + */ +abstract class IgnorableOperation extends Expr { } + +class IgnorableExprRem extends IgnorableOperation instanceof RemExpr { } + +/** + * Anything involving an operation with 10, 100, 1000, 10000 is often a sign of conversion + * or atoi. + */ +class IgnorableExpr10MulipleComponent extends IgnorableOperation { + IgnorableExpr10MulipleComponent() { + this.(Operation).getAnOperand().getValue().toInt() in [10, 100, 1000, 10000] + or + exists(AssignOperation a | a.getRValue() = this | + a.getRValue().getValue().toInt() in [10, 100, 1000, 10000] + ) + } +} + +/** + * Anything involving a sub expression with char literal 48, ignore as a likely string conversion + * e.g., X - '0' + */ +class IgnorableExpr48Mapping extends IgnorableOperation { + IgnorableExpr48Mapping() { + this.(SubExpr).getRightOperand().getValue().toInt() = 48 + or + exists(AssignSubExpr e | e.getRValue() = this | e.getRValue().getValue().toInt() = 48) + } +} + +/** + * A binary or arithemtic operation whereby one of the components is textual or a string. + */ +class IgnorableCharLiteralArithmetic extends IgnorableOperation { + IgnorableCharLiteralArithmetic() { + this.(BinaryArithmeticOperation).getAnOperand() instanceof TextLiteral + or + this instanceof TextLiteral and + any(AssignArithmeticOperation arith).getRValue() = this + } +} + +/** + * Constants often used in date conversions (from one date data type to another) + * Numerous examples exist, like 1900 or 2000 that convert years from one + * representation to another. + * Also '0' is sometimes observed as an atoi style conversion. + */ +bindingset[c] +predicate isLikelyConversionConstant(int c) { + exists(int i | i = c.abs() | + i = + [ + 146097, // days in 400-year Gregorian cycle + 36524, // days in 100-year Gregorian subcycle + 1461, // days in 4-year cycle (incl. 1 leap) + 32044, // Fliegel–van Flandern JDN epoch shift + 1721425, // JDN of 0001‑01‑01 (Gregorian) + 1721119, // alt epoch offset + 2400000, // MJD → JDN conversion + 2400001, // alt MJD → JDN conversion + 2141, // fixed‑point month/day extraction + 65536, // observed in some conversions + 7834, // observed in some conversions + 256, // observed in some conversions + 292275056, // qdatetime.h Qt Core year range first year constant + 292278994, // qdatetime.h Qt Core year range last year constant + 1601, // Windows FILETIME epoch start year + 1970, // Unix epoch start year + 70, // Unix epoch start year short form + 1899, // Observed in uses with 1900 to address off by one scenarios + 1900, // Used when converting a 2 digit year + 2000, // Used when converting a 2 digit year + 1400, // Hijri base year, used when converting a 2 digit year + 1980, // FAT filesystem epoch start year + 227013, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year + 10631, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year + 0 + ] + ) +} + +/** + * Some constants indicate conversion that are ignorable, e.g., + * julian to gregorian conversion or conversions from linux time structs + * that start at 1900, etc. + */ +class IgnorableConstantArithmetic extends IgnorableOperation { + IgnorableConstantArithmetic() { + exists(int i | isLikelyConversionConstant(i) | + this.(Operation).getAnOperand().getValue().toInt() = i or - // If there is a data flow from the variable that was modified to a function that seems to check for leap year - exists(VariableAccess source, ChecksForLeapYearFunctionCall fc | - source = var.getAnAccess() and - LeapYearCheckFlow::flow(DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument())) - ) - or - // If there is a data flow from the field that was modified to a function that seems to check for leap year - exists(VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc | - vacheck = var.getAnAccess() and - yfacheck.getQualifier() = vacheck and - LeapYearCheckFlow::flow(DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument())) - ) - or - // If there is a successor or predecessor that sets the month = 1 - exists(MonthFieldAccess mfa, AssignExpr ae | - mfa.getQualifier() = var.getAnAccess() and - mfa.isModified() and - ( - mfa.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() or - yfa.getBasicBlock() = mfa.getBasicBlock().getASuccessor+() - ) and - ae = mfa.getEnclosingElement() and - ae.getAnOperand().getValue().toInt() = 1 + exists(AssignArithmeticOperation a | this = a.getRValue() | + a.getRValue().getValue().toInt() = i ) ) + } +} + +// If a unary minus assume it is some sort of conversion +class IgnorableUnaryMinus extends IgnorableOperation { + IgnorableUnaryMinus() { + this instanceof UnaryMinusExpr + or + this.(Operation).getAnOperand() instanceof UnaryMinusExpr + } +} + +/** + * An argument to a function is ignorable if the function that is called is an ignored function + */ +class OperationAsArgToIgnorableFunction extends IgnorableOperation { + OperationAsArgToIgnorableFunction() { + exists(Call c | + c.getAnArgument().getAChild*() = this and + c.getTarget() instanceof IgnorableFunction + ) + } +} + +/** + * Literal OP literal means the result is constant/known + * and the operation is basically ignorable (it's not a real operation but + * probably one visual simplicity what it means). + */ +class ConstantBinaryArithmeticOperation extends IgnorableOperation, BinaryArithmeticOperation { + ConstantBinaryArithmeticOperation() { + this.getLeftOperand() instanceof Literal and + this.getRightOperand() instanceof Literal + } +} + +class IgnorableBinaryBitwiseOperation extends IgnorableOperation instanceof BinaryBitwiseOperation { +} + +class IgnorableUnaryBitwiseOperation extends IgnorableOperation instanceof UnaryBitwiseOperation { } + +class IgnorableAssignmentBitwiseOperation extends IgnorableOperation instanceof AssignBitwiseOperation +{ } + +/** + * Any arithmetic operation where one of the operands is a pointer or char type, ignore it + */ +class IgnorablePointerOrCharArithmetic extends IgnorableOperation { + IgnorablePointerOrCharArithmetic() { + this instanceof BinaryArithmeticOperation and + ( + this.(BinaryArithmeticOperation).getAnOperand().getUnspecifiedType() instanceof PointerType + or + this.(BinaryArithmeticOperation).getAnOperand().getUnspecifiedType() instanceof CharType + or + // Operations on calls to functions that accept char or char* + this.(BinaryArithmeticOperation) + .getAnOperand() + .(Call) + .getAnArgument() + .getUnspecifiedType() + .stripType() instanceof CharType + or + // Operations on calls to functions named like "strlen", "wcslen", etc + // NOTE: workaround for cases where the wchar_t type is not a char, but an unsigned short + // unclear if there is a best way to filter cases like these out based on type info. + this.(BinaryArithmeticOperation).getAnOperand().(Call).getTarget().getName().matches("%len%") + ) + or + exists(AssignArithmeticOperation a | a.getRValue() = this | + a.getAnOperand().getUnspecifiedType() instanceof PointerType + or + a.getAnOperand().getUnspecifiedType() instanceof CharType + or + // Operations on calls to functions that accept char or char* + a.getAnOperand().(Call).getAnArgument().getUnspecifiedType().stripType() instanceof CharType + or + // Operations on calls to functions named like "strlen", "wcslen", etc + this.(BinaryArithmeticOperation).getAnOperand().(Call).getTarget().getName().matches("%len%") + ) + } +} + +/** + * An expression that is a candidate source for an dataflow configuration for an Operation that could flow to a Year field. + */ +predicate isOperationSourceCandidate(Expr e) { + not e instanceof IgnorableOperation and + exists(Function f | + f = e.getEnclosingFunction() and + not f instanceof IgnorableFunction + ) and + ( + e instanceof SubExpr + or + e instanceof AddExpr + or + e instanceof CrementOperation + or + e instanceof AssignSubExpr + or + e instanceof AssignAddExpr ) -select yfa, - "Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found.", - yfa.getTarget(), yfa.getTarget().toString(), var, var.toString() +} + +/** + * A dataflow that tracks an ignorable operation (eg. bitwise op) to a operation source, so we may disqualify it. + */ +module IgnorableOperationToOperationSourceCandidateConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node n) { n.asExpr() instanceof IgnorableOperation } + + predicate isSink(DataFlow::Node n) { isOperationSourceCandidate(n.asExpr()) } + + // looking for sources and sinks in the same function + DataFlow::FlowFeature getAFeature() { + result instanceof DataFlow::FeatureEqualSourceSinkCallContext + } +} + +module IgnorableOperationToOperationSourceCandidateFlow = + TaintTracking::Global; + +/** + * The set of all expressions which is a candidate expression and also does not flow from to to some ignorable expression (eg. bitwise op) + * ``` + * a = something <<< 2; + * myDate.year = a + 1; // invalid + * ... + * a = someDate.year + 1; + * myDate.year = a; // valid + * ``` + */ +class OperationSource extends Expr { + OperationSource() { + isOperationSourceCandidate(this) and + // If the candidate came from an ignorable operation, ignore the candidate + // NOTE: we cannot easily flow the candidate to an ignorable operation as that can + // be tricky in practice, e.g., a mod operation on a year would be part of a leap year check + // but a mod operation ending in a year is more indicative of something to ignore (a conversion) + not exists(IgnorableOperationToOperationSourceCandidateFlow::PathNode sink | + sink.getNode().asExpr() = this and + sink.isSink() + ) + } +} + +class YearFieldAssignmentNode extends DataFlow::Node { + YearFieldAccess access; + + YearFieldAssignmentNode() { + exists(Function f | + f = this.getEnclosingCallable().getUnderlyingCallable() and not f instanceof IgnorableFunction + ) and + ( + this.asDefinition().(Assignment).getLValue() = access + or + this.asDefinition().(CrementOperation).getOperand() = access + or + exists(Call c | c.getAnArgument() = access and this.asDefiningArgument() = access) + or + exists(Call c, AddressOfExpr aoe | + c.getAnArgument() = aoe and + aoe.getOperand() = access and + this.asDefiningArgument() = aoe + ) + ) + } + + YearFieldAccess getYearFieldAccess() { result = access } +} + +/** + * A DataFlow configuration for identifying flows from some non trivial access or literal + * to the Year field of a date object. + */ +module OperationToYearAssignmentConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node n) { n.asExpr() instanceof OperationSource } + + predicate isSink(DataFlow::Node n) { + n instanceof YearFieldAssignmentNode and + not isYearModifiedWithCheck(n) and + not isControlledByMonthEqualityCheckNonFebruary(n.asExpr()) + } + + predicate isBarrier(DataFlow::Node n) { + exists(ArrayExpr arr | arr.getArrayOffset() = n.asExpr()) + or + n.getType().getUnspecifiedType() instanceof PointerType + or + n.getType().getUnspecifiedType() instanceof CharType + or + // If a type resembles "string" ignore flow (likely string conversion, currently ignored) + n.getType().getUnspecifiedType().stripType().getName().toLowerCase().matches("%string%") + or + n.asExpr() instanceof IgnorableOperation + or + // Flowing into variables that indicate likely non-gregorian years are barriers + // e.g., names similar to hijri, persian, lunar, chinese, hebrew, etc. + exists(Variable v | + v.getName() + .toLowerCase() + .matches(["%hijri%", "%persian%", "%lunar%", "%chinese%", "%hebrew%"]) and + v.getAnAccess() = [n.asIndirectExpr(), n.asExpr()] + ) + or + isLeapYearCheckSink(n) + or + // this is a bit of a hack to address cases where a year is normalized and checked, but the + // normalized year is never itself assigned to the final year struct + // isLeapYear(getCivilYear(year)) + // struct.year = year + // This is assuming a user would have done this all on one line though. + // setting a variable for the conversion and passing that separately would be more difficult to track + // considering this approach good enough for current observed false positives + exists(Call c, Expr arg | + isLeapYearCheckCall(c, arg) and arg.getAChild*() = [n.asExpr(), n.asIndirectExpr()] + ) + or + // If as the flow progresses, the value holding a dangerous operation result + // is apparently being passed by address to some function, it is more than likely + // intended to be modified, and therefore, the definition is killed. + exists(Call c | c.getAnArgument().(AddressOfExpr).getAnOperand() = n.asIndirectExpr()) + } + + /** Block flow out of an operation source to get the "closest" operation to the sink */ + predicate isBarrierIn(DataFlow::Node n) { isSource(n) } + + predicate isBarrierOut(DataFlow::Node n) { isSink(n) } +} + +module OperationToYearAssignmentFlow = TaintTracking::Global; + +predicate isLeapYearCheckSink(DataFlow::Node sink) { + exists(LeapYearGuardCondition lgc | + lgc.checkedYearAccess() = [sink.asExpr(), sink.asIndirectExpr()] + ) + or + isLeapYearCheckCall(_, [sink.asExpr(), sink.asIndirectExpr()]) +} + +/** + * A flow configuration from a Year field access to some Leap year check or guard + */ +module YearAssignmentToLeapYearCheckConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof YearFieldAssignmentNode } + + predicate isSink(DataFlow::Node sink) { isLeapYearCheckSink(sink) } + + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { + // flow from a YearFieldAccess to the qualifier + node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*() + or + // Pass through any intermediate struct + exists(Assignment a, DataFlow::PostUpdateNode pun | + a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and + a.getRValue() = node1.asExpr() and + node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*() + ) + or + // flow from a year access qualifier to a year field + exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier()) + or + // in cases of x.year = x and the x is checked, but the year x.year isn't directly + // flow from a year assignment node to an RHS if it is an assignment + exists(YearFieldAssignmentNode yfan | + node1 = yfan and + node2.asExpr() = yfan.asDefinition().(Assignment).getRValue() + ) + } + + /** + * Enforcing the check must occur in the same call context as the source, + * i.e., do not return from the source function and check in a caller. + */ + DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } +} + +module YearAssignmentToLeapYearCheckFlow = + TaintTracking::Global; + +/** Does there exist a flow from the given YearFieldAccess to a Leap Year check or guard? */ +predicate isYearModifiedWithCheck(YearFieldAssignmentNode n) { + exists(YearAssignmentToLeapYearCheckFlow::PathNode src | + src.isSource() and + src.getNode() = n + ) + or + // If the time flows to a time conversion whose value/result is checked, + // assume the leap year is being handled. + exists(YearAssignmentToCheckedTimeConversionFlow::PathNode timeQualSrc | + timeQualSrc.isSource() and + timeQualSrc.getNode() = n + ) +} + +/** + * An expression which checks the value of a Month field `a->month == 1`. + */ +class MonthEqualityCheck extends EqualityOperation { + MonthEqualityCheck() { this.getAnOperand() instanceof MonthFieldAccess } + + Expr getExprCompared() { + exists(Expr e | + e = this.getAnOperand() and + not e instanceof MonthFieldAccess and + result = e + ) + } +} + +final class FinalMonthEqualityCheck = MonthEqualityCheck; + +class MonthEqualityCheckGuard extends GuardCondition, FinalMonthEqualityCheck { } + +/** + * Verifies if the expression is guarded by a check on the Month property of a date struct, that is NOT February. + */ +bindingset[e] +pragma[inline_late] +predicate isControlledByMonthEqualityCheckNonFebruary(Expr e) { + exists(MonthEqualityCheckGuard monthGuard | + monthGuard.controls(e.getBasicBlock(), true) and + not monthGuard.getExprCompared().getValueText() = "2" + ) +} + +/** + * Flow from a year field access to a time conversion function + * that auto converts feb29 in non-leap year, or through a conversion function that doesn't + * auto convert to a sanity check guard of the result for error conditions. + */ +module YearAssignmentToCheckedTimeConversionConfig implements DataFlow::StateConfigSig { + class FlowState = boolean; + + predicate isSource(DataFlow::Node source, FlowState state) { + source instanceof YearFieldAssignmentNode and + state = false + } + + predicate isSink(DataFlow::Node sink, FlowState state) { + state = true and + ( + exists(IfStmt ifs | ifs.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]) + or + exists(ConditionalExpr ce | + ce.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()] + ) + or + exists(Loop l | l.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]) + ) + or + state in [true, false] and + exists(Call c, TimeConversionFunction f | + f.isAutoLeapYearCorrecting() and + c.getTarget() = f and + c.getAnArgument().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()] + ) + } + + predicate isAdditionalFlowStep( + DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2 + ) { + state1 in [true, false] and + state2 = true and + exists(Call c | + c.getTarget() instanceof TimeConversionFunction and + c.getAnArgument().getAChild*() = [node1.asExpr(), node1.asIndirectExpr()] and + node2.asExpr() = c + ) + } + + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { + // flow from a YearFieldAccess to the qualifier + node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*() + or + node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr() + or + // Pass through any intermediate struct + exists(Assignment a, DataFlow::PostUpdateNode pun | + a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and + a.getRValue() = node1.asExpr() and + node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*() + ) + or + // flow from a year access qualifier to a year field + exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier()) + } + + DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } +} + +module YearAssignmentToCheckedTimeConversionFlow = + DataFlow::GlobalWithState; + +/** + * Finds flow from a parameter of a function to a leap year check. + * This is necessary to handle for scenarios like this: + * + * year = DANGEROUS_OP // source + * isLeap = isLeapYear(year); + * // logic based on isLeap + * struct.year = year; // sink + * + * In this case, we may flow a dangerous op to a year assignment, failing + * to barrier the flow through a leap year check, as the leap year check + * is nested, and dataflow does not progress down into the check and out. + * Instead, the point of this flow is to detect isLeapYear's argument + * is checked for leap year, making the isLeapYear call a barrier for + * the dangerous flow if we flow through the parameter identified to + * be checked. + */ +module ParameterToLeapYearCheckConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { exists(source.asParameter()) } + + predicate isSink(DataFlow::Node sink) { + exists(LeapYearGuardCondition lgc | + lgc.checkedYearAccess() = [sink.asExpr(), sink.asIndirectExpr()] + ) + } + + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { + // flow from a YearFieldAccess to the qualifier + node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*() + or + // flow from a year access qualifier to a year field + exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier()) + } + + /** + * Enforcing the check must occur in the same call context as the source, + * i.e., do not return from the source function and check in a caller. + */ + DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } +} + +// NOTE: I do not believe taint flow is necessary here as we should +// be flowing directyly from some parameter to a leap year check. +module ParameterToLeapYearCheckFlow = DataFlow::Global; + +predicate isLeapYearCheckCall(Call c, Expr arg) { + exists(ParameterToLeapYearCheckFlow::PathNode src, Function f, int i | + src.isSource() and + f.getParameter(i) = src.getNode().asParameter() and + c.getTarget() = f and + c.getArgument(i) = arg + ) +} + +class LeapYearGuardCondition extends GuardCondition { + Expr yearSinkDiv4; + Expr yearSinkDiv100; + Expr yearSinkDiv400; + + LeapYearGuardCondition() { + exists( + LogicalAndExpr andExpr, LogicalOrExpr orExpr, GuardCondition div4Check, + GuardCondition div100Check, GuardCondition div400Check, GuardValue gv + | + // Cannonical case: + // form: `(year % 4 == 0) && (year % 100 != 0 || year % 400 == 0)` + // `!((year % 4 == 0) && (year % 100 != 0 || year % 400 == 0))` + // `!(year % 4) && (year % 100 || !(year % 400))` + // Also accepting `((year & 3) == 0) && (year % 100 != 0 || year % 400 == 0)` + // and `(year % 4 == 0) && (year % 100 > 0 || year % 400 == 0)` + this = andExpr and + andExpr.hasOperands(div4Check, orExpr) and + orExpr.hasOperands(div100Check, div400Check) and + ( + // year % 4 == 0 + exists(RemExpr e | + div4Check.comparesEq(e, 0, true, gv) and + e.getRightOperand().getValue().toInt() = 4 and + yearSinkDiv4 = e.getLeftOperand() + ) + or + // year & 3 == 0 + exists(BitwiseAndExpr e | + div4Check.comparesEq(e, 0, true, gv) and + e.getRightOperand().getValue().toInt() = 3 and + yearSinkDiv4 = e.getLeftOperand() + ) + ) and + exists(RemExpr e | + // year % 100 != 0 or year % 100 > 0 + ( + div100Check.comparesEq(e, 0, false, gv) or + div100Check.comparesLt(e, 1, false, gv) + ) and + e.getRightOperand().getValue().toInt() = 100 and + yearSinkDiv100 = e.getLeftOperand() + ) and + // year % 400 == 0 + exists(RemExpr e | + div400Check.comparesEq(e, 0, true, gv) and + e.getRightOperand().getValue().toInt() = 400 and + yearSinkDiv400 = e.getLeftOperand() + ) + or + // Inverted logic case: + // `year % 4 != 0 || (year % 100 == 0 && year % 400 != 0)` + // or `year & 3 != 0 || (year % 100 == 0 && year % 400 != 0)` + // also accepting `year % 4 > 0 || (year % 100 == 0 && year % 400 > 0)` + this = orExpr and + orExpr.hasOperands(div4Check, andExpr) and + andExpr.hasOperands(div100Check, div400Check) and + ( + // year % 4 != 0 or year % 4 > 0 + exists(RemExpr e | + ( + div4Check.comparesEq(e, 0, false, gv) + or + div4Check.comparesLt(e, 1, false, gv) + ) and + e.getRightOperand().getValue().toInt() = 4 and + yearSinkDiv4 = e.getLeftOperand() + ) + or + // year & 3 != 0 + exists(BitwiseAndExpr e | + div4Check.comparesEq(e, 0, false, gv) and + e.getRightOperand().getValue().toInt() = 3 and + yearSinkDiv4 = e.getLeftOperand() + ) + ) and + // year % 100 == 0 + exists(RemExpr e | + div100Check.comparesEq(e, 0, true, gv) and + e.getRightOperand().getValue().toInt() = 100 and + yearSinkDiv100 = e.getLeftOperand() + ) and + // year % 400 != 0 or year % 400 > 0 + exists(RemExpr e | + ( + div400Check.comparesEq(e, 0, false, gv) + or + div400Check.comparesLt(e, 1, false, gv) + ) and + e.getRightOperand().getValue().toInt() = 400 and + yearSinkDiv400 = e.getLeftOperand() + ) + ) + } + + Expr getYearSinkDiv4() { result = yearSinkDiv4 } + + Expr getYearSinkDiv100() { result = yearSinkDiv100 } + + Expr getYearSinkDiv400() { result = yearSinkDiv400 } + + /** + * The variable access that is used in all 3 components of the leap year check + * e.g., see getYearSinkDiv4/100/400.. + * If a field access is used, the qualifier and the field access are both returned + * in checked condition. + * NOTE: if the year is not checked using the same access in all 3 components, no result is returned. + * The typical case observed is a consistent variable access is used. If not, this may indicate a bug. + * We could check more accurately with a dataflow analysis, but this is likely sufficient for now. + */ + VariableAccess checkedYearAccess() { + exists(Variable var | + ( + this.getYearSinkDiv4().getAChild*() = var.getAnAccess() and + this.getYearSinkDiv100().getAChild*() = var.getAnAccess() and + this.getYearSinkDiv400().getAChild*() = var.getAnAccess() and + result = var.getAnAccess() and + ( + result = this.getYearSinkDiv4().getAChild*() or + result = this.getYearSinkDiv100().getAChild*() or + result = this.getYearSinkDiv400().getAChild*() + ) + ) + ) + } +} + +/** + * A difficult case to detect is if a year modification is tied to a month or day modification + * and the month or day is safe for leap year. + * e.g., + * year++; + * month = 1; + * // alternative: day = 15; + * ... values eventually used in the same time struct + * If this is even more challenging if the struct the values end up in are not + * local (set inter-procedurally). + * This flow flows constants 1-31 to a month or day assignment. + * It is assumed a user of this flow will check if the month/day source and month/day sink + * are in the same basic blocks as a year modification source and a year modification sink. + * It is also assumed a user will check if the constant source is a value that is ignorable + * e.g., if it is 2 and the sink is a month assignment, then it isn't ignorable or + * if the value is < 27 and is a day assignment, it is likely ignorable + * + * Obviously this does not handle all conditions (e.g., the month set in another block). + * It is meant to capture the most common cases of false positives. + */ +module CandidateConstantToDayOrMonthAssignmentConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.asExpr().getValue().toInt() in [1 .. 31] and + ( + exists(Assignment a | a.getRValue() = source.asExpr()) + or + exists(Call c | c.getAnArgument() = source.asExpr()) + ) + } + + predicate isSink(DataFlow::Node sink) { + exists(Assignment a | + (a.getLValue() instanceof MonthFieldAccess or a.getLValue() instanceof DayFieldAccess) and + a.getRValue() = sink.asExpr() + ) + } +} + +// NOTE: only data flow here (no taint tracking) as we want the exact +// constant flowing to the month assignment +module CandidateConstantToDayOrMonthAssignmentFlow = + DataFlow::Global; + +/** + * The value that the assignment resolves to doesn't represent February, + * and/or if it represents a day, is a 'safe' day (meaning the 27th or prior). + */ +bindingset[dayOrMonthValSrcExpr] +predicate isSafeValueForAssignmentOfMonthOrDayValue(Assignment a, Expr dayOrMonthValSrcExpr) { + a.getLValue() instanceof MonthFieldAccess and + dayOrMonthValSrcExpr.getValue().toInt() != 2 + or + a.getLValue() instanceof DayFieldAccess and + dayOrMonthValSrcExpr.getValue().toInt() <= 27 +} + +import OperationToYearAssignmentFlow::PathGraph + +from OperationToYearAssignmentFlow::PathNode src, OperationToYearAssignmentFlow::PathNode sink +where + OperationToYearAssignmentFlow::flowPath(src, sink) and + // Check if a month is set in the same block as the year operation source + // and the month value would indicate its set to any other month than february. + // Finds if the source year node is in the same block as a source month block + // and if the same for the sinks. + not exists(DataFlow::Node dayOrMonthValSrc, DataFlow::Node dayOrMonthValSink, Assignment a | + CandidateConstantToDayOrMonthAssignmentFlow::flow(dayOrMonthValSrc, dayOrMonthValSink) and + a.getRValue() = dayOrMonthValSink.asExpr() and + dayOrMonthValSink.getBasicBlock() = sink.getNode().getBasicBlock() and + exists(IRBlock dayOrMonthValBB | + dayOrMonthValBB = dayOrMonthValSrc.getBasicBlock() and + // The source of the day is set in the same block as the source for the year + // or the source for the day is set in the same block as the sink for the year + dayOrMonthValBB in [ + src.getNode().getBasicBlock(), + sink.getNode().getBasicBlock() + ] + ) and + isSafeValueForAssignmentOfMonthOrDayValue(a, dayOrMonthValSrc.asExpr()) + ) +select sink, src, sink, + "Year field has been modified, but no appropriate check for LeapYear was found." diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql index af02a2814a2..639eaf54e84 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql @@ -44,21 +44,6 @@ class SafeTimeGatheringFunction extends Function { } } -/** - * This list of APIs should check for the return value to detect problems during the conversion. - */ -class TimeConversionFunction extends Function { - TimeConversionFunction() { - this.getQualifiedName() = - [ - "FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime", - "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime", - "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime", - "RtlTimeToSecondsSince1970", "_mkgmtime" - ] - } -} - from FunctionCall fcall, TimeConversionFunction trf, Variable var where fcall = trf.getACallToThisFunction() and From d9feadcfec50bfceee158734df79da6d408f66eb Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 15:45:07 -0500 Subject: [PATCH 016/110] C++. Accept test changes. One false positive introduced, and one false negative remains. --- ...ckedLeapYearAfterYearModification.expected | 199 +++++++++++++----- ...heckedReturnValueForTimeFunctions.expected | 1 + 2 files changed, 142 insertions(+), 58 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected index 8fdc1339aa1..64b21f1f9e4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected @@ -1,60 +1,143 @@ #select -| test.cpp:422:5:422:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:417:13:417:14 | st | st | -| test.cpp:440:5:440:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:435:13:435:14 | st | st | -| test.cpp:456:6:456:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:451:62:451:63 | st | st | -| test.cpp:647:5:647:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:643:13:643:14 | st | st | -| test.cpp:665:5:665:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:661:13:661:14 | st | st | -| test.cpp:681:5:681:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:677:13:677:14 | st | st | -| test.cpp:792:11:792:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:789:12:789:19 | timeinfo | timeinfo | -| test.cpp:813:11:813:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:806:12:806:19 | timeinfo | timeinfo | -| test.cpp:818:5:818:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:807:13:807:14 | st | st | -| test.cpp:954:6:954:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:947:14:947:15 | st | st | -| test.cpp:972:6:972:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:965:14:965:15 | st | st | -| test.cpp:990:6:990:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:984:14:984:15 | st | st | -| test.cpp:1077:5:1077:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:1071:13:1071:14 | st | st | -| test.cpp:1135:9:1135:15 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:92:17:92:23 | tm_year | tm_year | test.cpp:1126:35:1126:36 | tm | tm | -| test.cpp:1137:9:1137:15 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:92:17:92:23 | tm_year | tm_year | test.cpp:1126:35:1126:36 | tm | tm | -| test.cpp:1591:11:1591:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1590:41:1590:48 | timeinfo | timeinfo | -| test.cpp:1599:11:1599:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1598:41:1598:48 | timeinfo | timeinfo | -| test.cpp:1645:11:1645:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1644:57:1644:64 | timeinfo | timeinfo | -| test.cpp:1656:11:1656:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1655:57:1655:64 | timeinfo | timeinfo | -| test.cpp:1667:11:1667:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1666:30:1666:37 | timeinfo | timeinfo | -| test.cpp:1678:11:1678:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1677:30:1677:37 | timeinfo | timeinfo | -| test.cpp:1690:11:1690:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1689:30:1689:37 | timeinfo | timeinfo | -| test.cpp:1702:11:1702:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1701:30:1701:37 | timeinfo | timeinfo | -| test.cpp:1712:11:1712:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1711:30:1711:37 | timeinfo | timeinfo | -| test.cpp:1723:11:1723:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1722:40:1722:47 | timeinfo | timeinfo | -| test.cpp:1758:11:1758:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1757:45:1757:52 | timeinfo | timeinfo | -| test.cpp:1763:11:1763:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1762:45:1762:52 | timeinfo | timeinfo | -| test.cpp:1792:11:1792:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1788:38:1788:45 | timeinfo | timeinfo | -| test.cpp:1799:11:1799:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:58:6:58:12 | tm_year | tm_year | test.cpp:1798:36:1798:43 | timeinfo | timeinfo | +| test.cpp:422:2:422:14 | ... += ... | test.cpp:422:2:422:14 | ... += ... | test.cpp:422:2:422:14 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:440:2:440:11 | ... ++ | test.cpp:440:2:440:11 | ... ++ | test.cpp:440:2:440:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:456:2:456:12 | ... ++ | test.cpp:456:2:456:12 | ... ++ | test.cpp:456:2:456:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:681:2:681:23 | ... += ... | test.cpp:681:2:681:23 | ... += ... | test.cpp:681:2:681:23 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:769:2:769:23 | ... -= ... | test.cpp:769:2:769:23 | ... -= ... | test.cpp:769:2:769:23 | ... -= ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:813:2:813:40 | ... = ... | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:818:2:818:24 | ... = ... | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:954:3:954:25 | ... = ... | test.cpp:954:14:954:25 | ... + ... | test.cpp:954:3:954:25 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:972:3:972:12 | ... ++ | test.cpp:972:3:972:12 | ... ++ | test.cpp:972:3:972:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1077:2:1077:11 | ... ++ | test.cpp:1077:2:1077:11 | ... ++ | test.cpp:1077:2:1077:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1097:16:1097:23 | increment_arg output argument | test.cpp:1085:2:1085:4 | ... ++ | test.cpp:1097:16:1097:23 | increment_arg output argument | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | test.cpp:1089:2:1089:7 | ... ++ | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1206:2:1206:19 | ... = ... | test.cpp:1204:2:1204:15 | ... += ... | test.cpp:1206:2:1206:19 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1245:2:1245:28 | ... = ... | test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1260:2:1260:28 | ... = ... | test.cpp:1260:16:1260:28 | ... + ... | test.cpp:1260:2:1260:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1274:2:1274:28 | ... = ... | test.cpp:1274:16:1274:28 | ... + ... | test.cpp:1274:2:1274:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1288:2:1288:26 | ... = ... | test.cpp:1288:14:1288:26 | ... + ... | test.cpp:1288:2:1288:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1302:2:1302:26 | ... = ... | test.cpp:1302:14:1302:26 | ... + ... | test.cpp:1302:2:1302:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1308:2:1308:28 | ... = ... | test.cpp:1308:16:1308:28 | ... + ... | test.cpp:1308:2:1308:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1320:2:1320:28 | ... = ... | test.cpp:1320:16:1320:28 | ... + ... | test.cpp:1320:2:1320:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1333:2:1333:26 | ... = ... | test.cpp:1333:14:1333:26 | ... + ... | test.cpp:1333:2:1333:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1345:2:1345:26 | ... = ... | test.cpp:1345:14:1345:26 | ... + ... | test.cpp:1345:2:1345:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1387:2:1387:17 | ... = ... | test.cpp:1478:12:1478:17 | ... + ... | test.cpp:1387:2:1387:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1387:2:1387:17 | ... = ... | test.cpp:1492:9:1492:16 | ... + ... | test.cpp:1387:2:1387:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1387:2:1387:17 | ... = ... | test.cpp:1504:9:1504:16 | ... + ... | test.cpp:1387:2:1387:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1561:2:1561:15 | ... = ... | test.cpp:1558:2:1558:10 | ... += ... | test.cpp:1561:2:1561:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1591:2:1591:22 | ... += ... | test.cpp:1591:2:1591:22 | ... += ... | test.cpp:1591:2:1591:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1599:2:1599:22 | ... += ... | test.cpp:1599:2:1599:22 | ... += ... | test.cpp:1599:2:1599:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1678:2:1678:22 | ... += ... | test.cpp:1678:2:1678:22 | ... += ... | test.cpp:1678:2:1678:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1690:2:1690:22 | ... += ... | test.cpp:1690:2:1690:22 | ... += ... | test.cpp:1690:2:1690:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1723:2:1723:22 | ... += ... | test.cpp:1723:2:1723:22 | ... += ... | test.cpp:1723:2:1723:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1799:2:1799:22 | ... += ... | test.cpp:1799:2:1799:22 | ... += ... | test.cpp:1799:2:1799:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +edges +| test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | provenance | | +| test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | provenance | | +| test.cpp:954:14:954:25 | ... + ... | test.cpp:954:3:954:25 | ... = ... | provenance | | +| test.cpp:1084:26:1084:26 | *x | test.cpp:1097:16:1097:23 | increment_arg output argument | provenance | | +| test.cpp:1085:2:1085:4 | ... ++ | test.cpp:1084:26:1084:26 | *x | provenance | | +| test.cpp:1088:37:1088:37 | *x | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | provenance | | +| test.cpp:1089:2:1089:7 | ... ++ | test.cpp:1088:37:1088:37 | *x | provenance | | +| test.cpp:1204:2:1204:15 | ... += ... | test.cpp:1206:2:1206:19 | ... = ... | provenance | | +| test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | provenance | | +| test.cpp:1260:16:1260:28 | ... + ... | test.cpp:1260:2:1260:28 | ... = ... | provenance | | +| test.cpp:1274:16:1274:28 | ... + ... | test.cpp:1274:2:1274:28 | ... = ... | provenance | | +| test.cpp:1288:14:1288:26 | ... + ... | test.cpp:1288:2:1288:26 | ... = ... | provenance | | +| test.cpp:1302:14:1302:26 | ... + ... | test.cpp:1302:2:1302:26 | ... = ... | provenance | | +| test.cpp:1308:16:1308:28 | ... + ... | test.cpp:1308:2:1308:28 | ... = ... | provenance | | +| test.cpp:1320:16:1320:28 | ... + ... | test.cpp:1320:2:1320:28 | ... = ... | provenance | | +| test.cpp:1333:14:1333:26 | ... + ... | test.cpp:1333:2:1333:26 | ... = ... | provenance | | +| test.cpp:1345:14:1345:26 | ... + ... | test.cpp:1345:2:1345:26 | ... = ... | provenance | | +| test.cpp:1384:20:1384:23 | year | test.cpp:1387:2:1387:17 | ... = ... | provenance | | +| test.cpp:1397:15:1397:22 | ... + ... | test.cpp:1397:3:1397:22 | ... = ... | provenance | | +| test.cpp:1402:12:1402:17 | ... + ... | test.cpp:1384:20:1384:23 | year | provenance | | +| test.cpp:1411:15:1411:22 | ... + ... | test.cpp:1411:3:1411:22 | ... = ... | provenance | | +| test.cpp:1421:3:1421:20 | ... = ... | test.cpp:1423:12:1423:18 | yeartmp | provenance | | +| test.cpp:1421:13:1421:20 | ... + ... | test.cpp:1421:3:1421:20 | ... = ... | provenance | | +| test.cpp:1423:12:1423:18 | yeartmp | test.cpp:1384:20:1384:23 | year | provenance | | +| test.cpp:1466:15:1466:22 | ... + ... | test.cpp:1466:3:1466:22 | ... = ... | provenance | | +| test.cpp:1471:12:1471:17 | ... + ... | test.cpp:1384:20:1384:23 | year | provenance | | +| test.cpp:1478:12:1478:17 | ... + ... | test.cpp:1384:20:1384:23 | year | provenance | | +| test.cpp:1492:2:1492:16 | ... = ... | test.cpp:1496:3:1496:18 | ... = ... | provenance | | +| test.cpp:1492:2:1492:16 | ... = ... | test.cpp:1501:12:1501:15 | year | provenance | | +| test.cpp:1492:9:1492:16 | ... + ... | test.cpp:1492:2:1492:16 | ... = ... | provenance | | +| test.cpp:1501:12:1501:15 | year | test.cpp:1384:20:1384:23 | year | provenance | | +| test.cpp:1504:2:1504:16 | ... = ... | test.cpp:1510:12:1510:15 | year | provenance | | +| test.cpp:1504:9:1504:16 | ... + ... | test.cpp:1504:2:1504:16 | ... = ... | provenance | | +| test.cpp:1510:12:1510:15 | year | test.cpp:1384:20:1384:23 | year | provenance | | +| test.cpp:1558:2:1558:10 | ... += ... | test.cpp:1561:2:1561:15 | ... = ... | provenance | | +nodes +| test.cpp:422:2:422:14 | ... += ... | semmle.label | ... += ... | +| test.cpp:440:2:440:11 | ... ++ | semmle.label | ... ++ | +| test.cpp:456:2:456:12 | ... ++ | semmle.label | ... ++ | +| test.cpp:482:3:482:12 | ... ++ | semmle.label | ... ++ | +| test.cpp:681:2:681:23 | ... += ... | semmle.label | ... += ... | +| test.cpp:769:2:769:23 | ... -= ... | semmle.label | ... -= ... | +| test.cpp:813:2:813:40 | ... = ... | semmle.label | ... = ... | +| test.cpp:813:21:813:40 | ... + ... | semmle.label | ... + ... | +| test.cpp:818:2:818:24 | ... = ... | semmle.label | ... = ... | +| test.cpp:818:13:818:24 | ... + ... | semmle.label | ... + ... | +| test.cpp:875:4:875:15 | ... ++ | semmle.label | ... ++ | +| test.cpp:954:3:954:25 | ... = ... | semmle.label | ... = ... | +| test.cpp:954:14:954:25 | ... + ... | semmle.label | ... + ... | +| test.cpp:972:3:972:12 | ... ++ | semmle.label | ... ++ | +| test.cpp:1077:2:1077:11 | ... ++ | semmle.label | ... ++ | +| test.cpp:1084:26:1084:26 | *x | semmle.label | *x | +| test.cpp:1085:2:1085:4 | ... ++ | semmle.label | ... ++ | +| test.cpp:1088:37:1088:37 | *x | semmle.label | *x | +| test.cpp:1089:2:1089:7 | ... ++ | semmle.label | ... ++ | +| test.cpp:1097:16:1097:23 | increment_arg output argument | semmle.label | increment_arg output argument | +| test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | semmle.label | increment_arg_by_pointer output argument | +| test.cpp:1204:2:1204:15 | ... += ... | semmle.label | ... += ... | +| test.cpp:1206:2:1206:19 | ... = ... | semmle.label | ... = ... | +| test.cpp:1245:2:1245:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1245:16:1245:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1260:2:1260:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1260:16:1260:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1274:2:1274:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1274:16:1274:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1288:2:1288:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1288:14:1288:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1302:2:1302:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1302:14:1302:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1308:2:1308:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1308:16:1308:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1320:2:1320:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1320:16:1320:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1333:2:1333:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1333:14:1333:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1345:2:1345:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1345:14:1345:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1384:20:1384:23 | year | semmle.label | year | +| test.cpp:1387:2:1387:17 | ... = ... | semmle.label | ... = ... | +| test.cpp:1397:3:1397:22 | ... = ... | semmle.label | ... = ... | +| test.cpp:1397:15:1397:22 | ... + ... | semmle.label | ... + ... | +| test.cpp:1402:12:1402:17 | ... + ... | semmle.label | ... + ... | +| test.cpp:1411:3:1411:22 | ... = ... | semmle.label | ... = ... | +| test.cpp:1411:15:1411:22 | ... + ... | semmle.label | ... + ... | +| test.cpp:1421:3:1421:20 | ... = ... | semmle.label | ... = ... | +| test.cpp:1421:13:1421:20 | ... + ... | semmle.label | ... + ... | +| test.cpp:1423:12:1423:18 | yeartmp | semmle.label | yeartmp | +| test.cpp:1466:3:1466:22 | ... = ... | semmle.label | ... = ... | +| test.cpp:1466:15:1466:22 | ... + ... | semmle.label | ... + ... | +| test.cpp:1471:12:1471:17 | ... + ... | semmle.label | ... + ... | +| test.cpp:1478:12:1478:17 | ... + ... | semmle.label | ... + ... | +| test.cpp:1492:2:1492:16 | ... = ... | semmle.label | ... = ... | +| test.cpp:1492:9:1492:16 | ... + ... | semmle.label | ... + ... | +| test.cpp:1496:3:1496:18 | ... = ... | semmle.label | ... = ... | +| test.cpp:1501:12:1501:15 | year | semmle.label | year | +| test.cpp:1504:2:1504:16 | ... = ... | semmle.label | ... = ... | +| test.cpp:1504:9:1504:16 | ... + ... | semmle.label | ... + ... | +| test.cpp:1510:12:1510:15 | year | semmle.label | year | +| test.cpp:1558:2:1558:10 | ... += ... | semmle.label | ... += ... | +| test.cpp:1561:2:1561:15 | ... = ... | semmle.label | ... = ... | +| test.cpp:1591:2:1591:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1599:2:1599:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1678:2:1678:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1690:2:1690:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1723:2:1723:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1799:2:1799:22 | ... += ... | semmle.label | ... += ... | +subpaths testFailures -| test.cpp:422:5:422:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:440:5:440:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:456:6:456:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:647:5:647:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:665:5:665:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:681:5:681:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:792:11:792:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:813:11:813:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:818:5:818:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:954:6:954:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:972:6:972:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:990:6:990:10 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1077:5:1077:9 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1135:9:1135:15 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1137:9:1137:15 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1591:11:1591:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1599:11:1599:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1645:11:1645:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1656:11:1656:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1667:11:1667:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1678:11:1678:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1690:11:1690:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1702:11:1702:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1712:11:1712:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1723:11:1723:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1758:11:1758:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1763:11:1763:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1792:11:1792:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | -| test.cpp:1799:11:1799:17 | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | Unexpected result: Alert | +| test.cpp:1155:29:1155:98 | // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] | Missing result: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected index e893ae1fff0..f572f386be2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected @@ -4,3 +4,4 @@ | test.cpp:956:3:956:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:947:14:947:15 | st | st | | test.cpp:974:3:974:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:965:14:965:15 | st | st | | test.cpp:1081:2:1081:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:1071:13:1071:14 | st | st | +| test.cpp:1794:2:1794:7 | call to mktime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:166:12:166:17 | mktime | mktime | test.cpp:1788:38:1788:45 | timeinfo | timeinfo | From ca18179bd2d36f9cf3ad28b70a845bfada96dbed Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 16:07:07 -0500 Subject: [PATCH 017/110] C++: Correct false positive. Only TimeConversionFunction that do not auto correct for leap year should be considered. --- .../Leap Year/UncheckedReturnValueForTimeFunctions.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql index 639eaf54e84..8e2d6e9d10f 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql @@ -46,6 +46,7 @@ class SafeTimeGatheringFunction extends Function { from FunctionCall fcall, TimeConversionFunction trf, Variable var where + not trf.isAutoLeapYearCorrecting() and fcall = trf.getACallToThisFunction() and fcall instanceof ExprInVoidContext and var.getUnderlyingType() instanceof UnpackedTimeType and From a534d26449e28c11ed671abb3cb3a2b1c3de4742 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 16:07:44 -0500 Subject: [PATCH 018/110] C++: Accept test changes. --- .../UncheckedReturnValueForTimeFunctions.expected | 1 - 1 file changed, 1 deletion(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected index f572f386be2..e893ae1fff0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected @@ -4,4 +4,3 @@ | test.cpp:956:3:956:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:947:14:947:15 | st | st | | test.cpp:974:3:974:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:965:14:965:15 | st | st | | test.cpp:1081:2:1081:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:1071:13:1071:14 | st | st | -| test.cpp:1794:2:1794:7 | call to mktime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:166:12:166:17 | mktime | mktime | test.cpp:1788:38:1788:45 | timeinfo | timeinfo | From 2b806ad6fdebb124c9f653b958917503fdcfe094 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 16:10:04 -0500 Subject: [PATCH 019/110] C++: Add missing DateTime models for PTIME_FIELDS and TIME_FIELDS --- .../lib/semmle/code/cpp/commons/DateTime.qll | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll b/cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll index c67bf7cf96e..a4022161076 100644 --- a/cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll +++ b/cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll @@ -14,7 +14,9 @@ class PackedTimeType extends Type { } } -private predicate timeType(string typeName) { typeName = ["_SYSTEMTIME", "SYSTEMTIME", "tm"] } +private predicate timeType(string typeName) { + typeName = ["_SYSTEMTIME", "SYSTEMTIME", "tm", "TIME_FIELDS", "_TIME_FIELDS", "PTIME_FIELDS"] +} /** * A type that is used to represent times and dates in an 'unpacked' form, that is, @@ -95,3 +97,24 @@ class StructTmMonthFieldAccess extends MonthFieldAccess { class StructTmYearFieldAccess extends YearFieldAccess { StructTmYearFieldAccess() { this.getTarget().getName() = "tm_year" } } + +/** + * A `DayFieldAccess` for the `TIME_FIELDS` struct. + */ +class TimeFieldsDayFieldAccess extends DayFieldAccess { + TimeFieldsDayFieldAccess() { this.getTarget().getName() = "Day" } +} + +/** + * A `MonthFieldAccess` for the `TIME_FIELDS` struct. + */ +class TimeFieldsMonthFieldAccess extends MonthFieldAccess { + TimeFieldsMonthFieldAccess() { this.getTarget().getName() = "Month" } +} + +/** + * A `YearFieldAccess` for the `TIME_FIELDS` struct. + */ +class TimeFieldsYearFieldAccess extends YearFieldAccess { + TimeFieldsYearFieldAccess() { this.getTarget().getName() = "Year" } +} From 36cc20989c22d646382d84926c7c0e65056243ef Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 16:11:51 -0500 Subject: [PATCH 020/110] C++: Accept test changes (removing false negative) --- .../UncheckedLeapYearAfterYearModification.expected | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected index 64b21f1f9e4..35a635ba903 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected @@ -11,6 +11,7 @@ | test.cpp:1077:2:1077:11 | ... ++ | test.cpp:1077:2:1077:11 | ... ++ | test.cpp:1077:2:1077:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:1097:16:1097:23 | increment_arg output argument | test.cpp:1085:2:1085:4 | ... ++ | test.cpp:1097:16:1097:23 | increment_arg output argument | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | test.cpp:1089:2:1089:7 | ... ++ | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1155:2:1155:26 | ... = ... | test.cpp:1155:14:1155:26 | ... - ... | test.cpp:1155:2:1155:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:1206:2:1206:19 | ... = ... | test.cpp:1204:2:1204:15 | ... += ... | test.cpp:1206:2:1206:19 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:1245:2:1245:28 | ... = ... | test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:1260:2:1260:28 | ... = ... | test.cpp:1260:16:1260:28 | ... + ... | test.cpp:1260:2:1260:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | @@ -39,6 +40,7 @@ edges | test.cpp:1085:2:1085:4 | ... ++ | test.cpp:1084:26:1084:26 | *x | provenance | | | test.cpp:1088:37:1088:37 | *x | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | provenance | | | test.cpp:1089:2:1089:7 | ... ++ | test.cpp:1088:37:1088:37 | *x | provenance | | +| test.cpp:1155:14:1155:26 | ... - ... | test.cpp:1155:2:1155:26 | ... = ... | provenance | | | test.cpp:1204:2:1204:15 | ... += ... | test.cpp:1206:2:1206:19 | ... = ... | provenance | | | test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | provenance | | | test.cpp:1260:16:1260:28 | ... + ... | test.cpp:1260:2:1260:28 | ... = ... | provenance | | @@ -89,6 +91,8 @@ nodes | test.cpp:1089:2:1089:7 | ... ++ | semmle.label | ... ++ | | test.cpp:1097:16:1097:23 | increment_arg output argument | semmle.label | increment_arg output argument | | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | semmle.label | increment_arg_by_pointer output argument | +| test.cpp:1155:2:1155:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1155:14:1155:26 | ... - ... | semmle.label | ... - ... | | test.cpp:1204:2:1204:15 | ... += ... | semmle.label | ... += ... | | test.cpp:1206:2:1206:19 | ... = ... | semmle.label | ... = ... | | test.cpp:1245:2:1245:28 | ... = ... | semmle.label | ... = ... | @@ -139,5 +143,3 @@ nodes | test.cpp:1723:2:1723:22 | ... += ... | semmle.label | ... += ... | | test.cpp:1799:2:1799:22 | ... += ... | semmle.label | ... += ... | subpaths -testFailures -| test.cpp:1155:29:1155:98 | // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] | Missing result: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] | From 1796bc0abbb43ca8f45e2da7109c4bccf6b48cfa Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 6 Feb 2026 16:19:11 -0500 Subject: [PATCH 021/110] C++: Add change note. --- .../2026-02-06-UncheckedLeapYearAfterModification_Refactor | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor diff --git a/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor b/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor new file mode 100644 index 00000000000..3d0f71c5a65 --- /dev/null +++ b/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Refactor of UncheckedLeapYearAfterYearModification.ql to address large numbers of false positives. Reduced alerts from 40k to 2k. \ No newline at end of file From 8e36316ebfb898b23d5059173b6fd40e85d8b808 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 9 Feb 2026 10:42:34 -0500 Subject: [PATCH 022/110] C++: Addressing Copilot PR suggestions. --- .../UncheckedLeapYearAfterYearModification.ql | 35 ++- ...ckedLeapYearAfterYearModification.expected | 236 +++++++++--------- ...heckedReturnValueForTimeFunctions.expected | 6 +- .../test.cpp | 50 +--- 4 files changed, 140 insertions(+), 187 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 8be4bbfbfe4..3fd830acd97 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -12,8 +12,6 @@ import cpp import LeapYear import semmle.code.cpp.controlflow.IRGuards -import semmle.code.cpp.ir.IR -import semmle.code.cpp.commons.DateTime /** * Functions whose operations should never be considered a @@ -92,11 +90,11 @@ abstract class IgnorableOperation extends Expr { } class IgnorableExprRem extends IgnorableOperation instanceof RemExpr { } /** - * Anything involving an operation with 10, 100, 1000, 10000 is often a sign of conversion + * An operation with 10, 100, 1000, 10000 as an operand is often a sign of conversion * or atoi. */ -class IgnorableExpr10MulipleComponent extends IgnorableOperation { - IgnorableExpr10MulipleComponent() { +class IgnorableExpr10MultipleComponent extends IgnorableOperation { + IgnorableExpr10MultipleComponent() { this.(Operation).getAnOperand().getValue().toInt() in [10, 100, 1000, 10000] or exists(AssignOperation a | a.getRValue() = this | @@ -106,7 +104,7 @@ class IgnorableExpr10MulipleComponent extends IgnorableOperation { } /** - * Anything involving a sub expression with char literal 48, ignore as a likely string conversion + * An operation involving a sub expression with char literal 48, ignore as a likely string conversion * e.g., X - '0' */ class IgnorableExpr48Mapping extends IgnorableOperation { @@ -118,7 +116,7 @@ class IgnorableExpr48Mapping extends IgnorableOperation { } /** - * A binary or arithemtic operation whereby one of the components is textual or a string. + * A binary or arithmetic operation whereby one of the components is textual or a string. */ class IgnorableCharLiteralArithmetic extends IgnorableOperation { IgnorableCharLiteralArithmetic() { @@ -170,7 +168,7 @@ predicate isLikelyConversionConstant(int c) { } /** - * Some constants indicate conversion that are ignorable, e.g., + * An `isLikelyConversionConstant` constant indicates conversion that is ignorable, e.g., * julian to gregorian conversion or conversions from linux time structs * that start at 1900, etc. */ @@ -208,7 +206,7 @@ class OperationAsArgToIgnorableFunction extends IgnorableOperation { } /** - * Literal OP literal means the result is constant/known + * A Literal OP literal means the result is constant/known * and the operation is basically ignorable (it's not a real operation but * probably one visual simplicity what it means). */ @@ -228,7 +226,7 @@ class IgnorableAssignmentBitwiseOperation extends IgnorableOperation instanceof { } /** - * Any arithmetic operation where one of the operands is a pointer or char type, ignore it + * An arithmetic operation where one of the operands is a pointer or char type, ignore it */ class IgnorablePointerOrCharArithmetic extends IgnorableOperation { IgnorablePointerOrCharArithmetic() { @@ -267,7 +265,7 @@ class IgnorablePointerOrCharArithmetic extends IgnorableOperation { } /** - * An expression that is a candidate source for an dataflow configuration for an Operation that could flow to a Year field. + * Holds for an expression that is a operation that could flow to a Year field. */ predicate isOperationSourceCandidate(Expr e) { not e instanceof IgnorableOperation and @@ -397,8 +395,8 @@ module OperationToYearAssignmentConfig implements DataFlow::ConfigSig { // This is assuming a user would have done this all on one line though. // setting a variable for the conversion and passing that separately would be more difficult to track // considering this approach good enough for current observed false positives - exists(Call c, Expr arg | - isLeapYearCheckCall(c, arg) and arg.getAChild*() = [n.asExpr(), n.asIndirectExpr()] + exists(Expr arg | + isLeapYearCheckCall(_, arg) and arg.getAChild*() = [n.asExpr(), n.asIndirectExpr()] ) or // If as the flow progresses, the value holding a dangerous operation result @@ -503,9 +501,10 @@ class MonthEqualityCheckGuard extends GuardCondition, FinalMonthEqualityCheck { bindingset[e] pragma[inline_late] predicate isControlledByMonthEqualityCheckNonFebruary(Expr e) { - exists(MonthEqualityCheckGuard monthGuard | + exists(MonthEqualityCheckGuard monthGuard, Expr compared | monthGuard.controls(e.getBasicBlock(), true) and - not monthGuard.getExprCompared().getValueText() = "2" + compared = monthGuard.getExprCompared() and + not compared.getValue().toInt() = 2 ) } @@ -641,7 +640,7 @@ class LeapYearGuardCondition extends GuardCondition { LogicalAndExpr andExpr, LogicalOrExpr orExpr, GuardCondition div4Check, GuardCondition div100Check, GuardCondition div400Check, GuardValue gv | - // Cannonical case: + // canonical case: // form: `(year % 4 == 0) && (year % 100 != 0 || year % 400 == 0)` // `!((year % 4 == 0) && (year % 100 != 0 || year % 400 == 0))` // `!(year % 4) && (year % 100 || !(year % 400))` @@ -733,7 +732,7 @@ class LeapYearGuardCondition extends GuardCondition { Expr getYearSinkDiv400() { result = yearSinkDiv400 } /** - * The variable access that is used in all 3 components of the leap year check + * Gets the variable access that is used in all 3 components of the leap year check * e.g., see getYearSinkDiv4/100/400.. * If a field access is used, the qualifier and the field access are both returned * in checked condition. @@ -802,7 +801,7 @@ module CandidateConstantToDayOrMonthAssignmentFlow = DataFlow::Global; /** - * The value that the assignment resolves to doesn't represent February, + * Holds if value the assignment `a` resolves to (`dayOrMonthValSrcExpr`) doesn't represent February, * and/or if it represents a day, is a 'safe' day (meaning the 27th or prior). */ bindingset[dayOrMonthValSrcExpr] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected index 35a635ba903..30b6dad1208 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected @@ -6,69 +6,69 @@ | test.cpp:769:2:769:23 | ... -= ... | test.cpp:769:2:769:23 | ... -= ... | test.cpp:769:2:769:23 | ... -= ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:813:2:813:40 | ... = ... | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:818:2:818:24 | ... = ... | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:954:3:954:25 | ... = ... | test.cpp:954:14:954:25 | ... + ... | test.cpp:954:3:954:25 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:972:3:972:12 | ... ++ | test.cpp:972:3:972:12 | ... ++ | test.cpp:972:3:972:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1077:2:1077:11 | ... ++ | test.cpp:1077:2:1077:11 | ... ++ | test.cpp:1077:2:1077:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1097:16:1097:23 | increment_arg output argument | test.cpp:1085:2:1085:4 | ... ++ | test.cpp:1097:16:1097:23 | increment_arg output argument | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | test.cpp:1089:2:1089:7 | ... ++ | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1155:2:1155:26 | ... = ... | test.cpp:1155:14:1155:26 | ... - ... | test.cpp:1155:2:1155:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1206:2:1206:19 | ... = ... | test.cpp:1204:2:1204:15 | ... += ... | test.cpp:1206:2:1206:19 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1245:2:1245:28 | ... = ... | test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1260:2:1260:28 | ... = ... | test.cpp:1260:16:1260:28 | ... + ... | test.cpp:1260:2:1260:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:951:3:951:25 | ... = ... | test.cpp:951:14:951:25 | ... + ... | test.cpp:951:3:951:25 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:969:3:969:12 | ... ++ | test.cpp:969:3:969:12 | ... ++ | test.cpp:969:3:969:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1031:2:1031:11 | ... ++ | test.cpp:1031:2:1031:11 | ... ++ | test.cpp:1031:2:1031:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1051:16:1051:23 | increment_arg output argument | test.cpp:1039:2:1039:4 | ... ++ | test.cpp:1051:16:1051:23 | increment_arg output argument | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | test.cpp:1043:2:1043:7 | ... ++ | test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1109:2:1109:26 | ... = ... | test.cpp:1109:14:1109:26 | ... - ... | test.cpp:1109:2:1109:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1160:2:1160:19 | ... = ... | test.cpp:1158:2:1158:15 | ... += ... | test.cpp:1160:2:1160:19 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1199:2:1199:28 | ... = ... | test.cpp:1199:16:1199:28 | ... + ... | test.cpp:1199:2:1199:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1214:2:1214:28 | ... = ... | test.cpp:1214:16:1214:28 | ... + ... | test.cpp:1214:2:1214:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1228:2:1228:28 | ... = ... | test.cpp:1228:16:1228:28 | ... + ... | test.cpp:1228:2:1228:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1242:2:1242:26 | ... = ... | test.cpp:1242:14:1242:26 | ... + ... | test.cpp:1242:2:1242:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1256:2:1256:26 | ... = ... | test.cpp:1256:14:1256:26 | ... + ... | test.cpp:1256:2:1256:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1262:2:1262:28 | ... = ... | test.cpp:1262:16:1262:28 | ... + ... | test.cpp:1262:2:1262:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:1274:2:1274:28 | ... = ... | test.cpp:1274:16:1274:28 | ... + ... | test.cpp:1274:2:1274:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1288:2:1288:26 | ... = ... | test.cpp:1288:14:1288:26 | ... + ... | test.cpp:1288:2:1288:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1302:2:1302:26 | ... = ... | test.cpp:1302:14:1302:26 | ... + ... | test.cpp:1302:2:1302:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1308:2:1308:28 | ... = ... | test.cpp:1308:16:1308:28 | ... + ... | test.cpp:1308:2:1308:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1320:2:1320:28 | ... = ... | test.cpp:1320:16:1320:28 | ... + ... | test.cpp:1320:2:1320:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1333:2:1333:26 | ... = ... | test.cpp:1333:14:1333:26 | ... + ... | test.cpp:1333:2:1333:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1345:2:1345:26 | ... = ... | test.cpp:1345:14:1345:26 | ... + ... | test.cpp:1345:2:1345:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1387:2:1387:17 | ... = ... | test.cpp:1478:12:1478:17 | ... + ... | test.cpp:1387:2:1387:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1387:2:1387:17 | ... = ... | test.cpp:1492:9:1492:16 | ... + ... | test.cpp:1387:2:1387:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1387:2:1387:17 | ... = ... | test.cpp:1504:9:1504:16 | ... + ... | test.cpp:1387:2:1387:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1561:2:1561:15 | ... = ... | test.cpp:1558:2:1558:10 | ... += ... | test.cpp:1561:2:1561:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1591:2:1591:22 | ... += ... | test.cpp:1591:2:1591:22 | ... += ... | test.cpp:1591:2:1591:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1599:2:1599:22 | ... += ... | test.cpp:1599:2:1599:22 | ... += ... | test.cpp:1599:2:1599:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1678:2:1678:22 | ... += ... | test.cpp:1678:2:1678:22 | ... += ... | test.cpp:1678:2:1678:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1690:2:1690:22 | ... += ... | test.cpp:1690:2:1690:22 | ... += ... | test.cpp:1690:2:1690:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1723:2:1723:22 | ... += ... | test.cpp:1723:2:1723:22 | ... += ... | test.cpp:1723:2:1723:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:1799:2:1799:22 | ... += ... | test.cpp:1799:2:1799:22 | ... += ... | test.cpp:1799:2:1799:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1287:2:1287:26 | ... = ... | test.cpp:1287:14:1287:26 | ... + ... | test.cpp:1287:2:1287:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1299:2:1299:26 | ... = ... | test.cpp:1299:14:1299:26 | ... + ... | test.cpp:1299:2:1299:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1341:2:1341:17 | ... = ... | test.cpp:1432:12:1432:17 | ... + ... | test.cpp:1341:2:1341:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1341:2:1341:17 | ... = ... | test.cpp:1446:9:1446:16 | ... + ... | test.cpp:1341:2:1341:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1341:2:1341:17 | ... = ... | test.cpp:1458:9:1458:16 | ... + ... | test.cpp:1341:2:1341:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1515:2:1515:15 | ... = ... | test.cpp:1512:2:1512:10 | ... += ... | test.cpp:1515:2:1515:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1545:2:1545:22 | ... += ... | test.cpp:1545:2:1545:22 | ... += ... | test.cpp:1545:2:1545:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1553:2:1553:22 | ... += ... | test.cpp:1553:2:1553:22 | ... += ... | test.cpp:1553:2:1553:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1632:2:1632:22 | ... += ... | test.cpp:1632:2:1632:22 | ... += ... | test.cpp:1632:2:1632:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1644:2:1644:22 | ... += ... | test.cpp:1644:2:1644:22 | ... += ... | test.cpp:1644:2:1644:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1677:2:1677:22 | ... += ... | test.cpp:1677:2:1677:22 | ... += ... | test.cpp:1677:2:1677:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | +| test.cpp:1753:2:1753:22 | ... += ... | test.cpp:1753:2:1753:22 | ... += ... | test.cpp:1753:2:1753:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | edges | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | provenance | | | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | provenance | | -| test.cpp:954:14:954:25 | ... + ... | test.cpp:954:3:954:25 | ... = ... | provenance | | -| test.cpp:1084:26:1084:26 | *x | test.cpp:1097:16:1097:23 | increment_arg output argument | provenance | | -| test.cpp:1085:2:1085:4 | ... ++ | test.cpp:1084:26:1084:26 | *x | provenance | | -| test.cpp:1088:37:1088:37 | *x | test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | provenance | | -| test.cpp:1089:2:1089:7 | ... ++ | test.cpp:1088:37:1088:37 | *x | provenance | | -| test.cpp:1155:14:1155:26 | ... - ... | test.cpp:1155:2:1155:26 | ... = ... | provenance | | -| test.cpp:1204:2:1204:15 | ... += ... | test.cpp:1206:2:1206:19 | ... = ... | provenance | | -| test.cpp:1245:16:1245:28 | ... + ... | test.cpp:1245:2:1245:28 | ... = ... | provenance | | -| test.cpp:1260:16:1260:28 | ... + ... | test.cpp:1260:2:1260:28 | ... = ... | provenance | | +| test.cpp:951:14:951:25 | ... + ... | test.cpp:951:3:951:25 | ... = ... | provenance | | +| test.cpp:1038:26:1038:26 | *x | test.cpp:1051:16:1051:23 | increment_arg output argument | provenance | | +| test.cpp:1039:2:1039:4 | ... ++ | test.cpp:1038:26:1038:26 | *x | provenance | | +| test.cpp:1042:37:1042:37 | *x | test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | provenance | | +| test.cpp:1043:2:1043:7 | ... ++ | test.cpp:1042:37:1042:37 | *x | provenance | | +| test.cpp:1109:14:1109:26 | ... - ... | test.cpp:1109:2:1109:26 | ... = ... | provenance | | +| test.cpp:1158:2:1158:15 | ... += ... | test.cpp:1160:2:1160:19 | ... = ... | provenance | | +| test.cpp:1199:16:1199:28 | ... + ... | test.cpp:1199:2:1199:28 | ... = ... | provenance | | +| test.cpp:1214:16:1214:28 | ... + ... | test.cpp:1214:2:1214:28 | ... = ... | provenance | | +| test.cpp:1228:16:1228:28 | ... + ... | test.cpp:1228:2:1228:28 | ... = ... | provenance | | +| test.cpp:1242:14:1242:26 | ... + ... | test.cpp:1242:2:1242:26 | ... = ... | provenance | | +| test.cpp:1256:14:1256:26 | ... + ... | test.cpp:1256:2:1256:26 | ... = ... | provenance | | +| test.cpp:1262:16:1262:28 | ... + ... | test.cpp:1262:2:1262:28 | ... = ... | provenance | | | test.cpp:1274:16:1274:28 | ... + ... | test.cpp:1274:2:1274:28 | ... = ... | provenance | | -| test.cpp:1288:14:1288:26 | ... + ... | test.cpp:1288:2:1288:26 | ... = ... | provenance | | -| test.cpp:1302:14:1302:26 | ... + ... | test.cpp:1302:2:1302:26 | ... = ... | provenance | | -| test.cpp:1308:16:1308:28 | ... + ... | test.cpp:1308:2:1308:28 | ... = ... | provenance | | -| test.cpp:1320:16:1320:28 | ... + ... | test.cpp:1320:2:1320:28 | ... = ... | provenance | | -| test.cpp:1333:14:1333:26 | ... + ... | test.cpp:1333:2:1333:26 | ... = ... | provenance | | -| test.cpp:1345:14:1345:26 | ... + ... | test.cpp:1345:2:1345:26 | ... = ... | provenance | | -| test.cpp:1384:20:1384:23 | year | test.cpp:1387:2:1387:17 | ... = ... | provenance | | -| test.cpp:1397:15:1397:22 | ... + ... | test.cpp:1397:3:1397:22 | ... = ... | provenance | | -| test.cpp:1402:12:1402:17 | ... + ... | test.cpp:1384:20:1384:23 | year | provenance | | -| test.cpp:1411:15:1411:22 | ... + ... | test.cpp:1411:3:1411:22 | ... = ... | provenance | | -| test.cpp:1421:3:1421:20 | ... = ... | test.cpp:1423:12:1423:18 | yeartmp | provenance | | -| test.cpp:1421:13:1421:20 | ... + ... | test.cpp:1421:3:1421:20 | ... = ... | provenance | | -| test.cpp:1423:12:1423:18 | yeartmp | test.cpp:1384:20:1384:23 | year | provenance | | -| test.cpp:1466:15:1466:22 | ... + ... | test.cpp:1466:3:1466:22 | ... = ... | provenance | | -| test.cpp:1471:12:1471:17 | ... + ... | test.cpp:1384:20:1384:23 | year | provenance | | -| test.cpp:1478:12:1478:17 | ... + ... | test.cpp:1384:20:1384:23 | year | provenance | | -| test.cpp:1492:2:1492:16 | ... = ... | test.cpp:1496:3:1496:18 | ... = ... | provenance | | -| test.cpp:1492:2:1492:16 | ... = ... | test.cpp:1501:12:1501:15 | year | provenance | | -| test.cpp:1492:9:1492:16 | ... + ... | test.cpp:1492:2:1492:16 | ... = ... | provenance | | -| test.cpp:1501:12:1501:15 | year | test.cpp:1384:20:1384:23 | year | provenance | | -| test.cpp:1504:2:1504:16 | ... = ... | test.cpp:1510:12:1510:15 | year | provenance | | -| test.cpp:1504:9:1504:16 | ... + ... | test.cpp:1504:2:1504:16 | ... = ... | provenance | | -| test.cpp:1510:12:1510:15 | year | test.cpp:1384:20:1384:23 | year | provenance | | -| test.cpp:1558:2:1558:10 | ... += ... | test.cpp:1561:2:1561:15 | ... = ... | provenance | | +| test.cpp:1287:14:1287:26 | ... + ... | test.cpp:1287:2:1287:26 | ... = ... | provenance | | +| test.cpp:1299:14:1299:26 | ... + ... | test.cpp:1299:2:1299:26 | ... = ... | provenance | | +| test.cpp:1338:20:1338:23 | year | test.cpp:1341:2:1341:17 | ... = ... | provenance | | +| test.cpp:1351:15:1351:22 | ... + ... | test.cpp:1351:3:1351:22 | ... = ... | provenance | | +| test.cpp:1356:12:1356:17 | ... + ... | test.cpp:1338:20:1338:23 | year | provenance | | +| test.cpp:1365:15:1365:22 | ... + ... | test.cpp:1365:3:1365:22 | ... = ... | provenance | | +| test.cpp:1375:3:1375:20 | ... = ... | test.cpp:1377:12:1377:18 | yeartmp | provenance | | +| test.cpp:1375:13:1375:20 | ... + ... | test.cpp:1375:3:1375:20 | ... = ... | provenance | | +| test.cpp:1377:12:1377:18 | yeartmp | test.cpp:1338:20:1338:23 | year | provenance | | +| test.cpp:1420:15:1420:22 | ... + ... | test.cpp:1420:3:1420:22 | ... = ... | provenance | | +| test.cpp:1425:12:1425:17 | ... + ... | test.cpp:1338:20:1338:23 | year | provenance | | +| test.cpp:1432:12:1432:17 | ... + ... | test.cpp:1338:20:1338:23 | year | provenance | | +| test.cpp:1446:2:1446:16 | ... = ... | test.cpp:1450:3:1450:18 | ... = ... | provenance | | +| test.cpp:1446:2:1446:16 | ... = ... | test.cpp:1455:12:1455:15 | year | provenance | | +| test.cpp:1446:9:1446:16 | ... + ... | test.cpp:1446:2:1446:16 | ... = ... | provenance | | +| test.cpp:1455:12:1455:15 | year | test.cpp:1338:20:1338:23 | year | provenance | | +| test.cpp:1458:2:1458:16 | ... = ... | test.cpp:1464:12:1464:15 | year | provenance | | +| test.cpp:1458:9:1458:16 | ... + ... | test.cpp:1458:2:1458:16 | ... = ... | provenance | | +| test.cpp:1464:12:1464:15 | year | test.cpp:1338:20:1338:23 | year | provenance | | +| test.cpp:1512:2:1512:10 | ... += ... | test.cpp:1515:2:1515:15 | ... = ... | provenance | | nodes | test.cpp:422:2:422:14 | ... += ... | semmle.label | ... += ... | | test.cpp:440:2:440:11 | ... ++ | semmle.label | ... ++ | @@ -80,66 +80,66 @@ nodes | test.cpp:813:21:813:40 | ... + ... | semmle.label | ... + ... | | test.cpp:818:2:818:24 | ... = ... | semmle.label | ... = ... | | test.cpp:818:13:818:24 | ... + ... | semmle.label | ... + ... | -| test.cpp:875:4:875:15 | ... ++ | semmle.label | ... ++ | -| test.cpp:954:3:954:25 | ... = ... | semmle.label | ... = ... | -| test.cpp:954:14:954:25 | ... + ... | semmle.label | ... + ... | -| test.cpp:972:3:972:12 | ... ++ | semmle.label | ... ++ | -| test.cpp:1077:2:1077:11 | ... ++ | semmle.label | ... ++ | -| test.cpp:1084:26:1084:26 | *x | semmle.label | *x | -| test.cpp:1085:2:1085:4 | ... ++ | semmle.label | ... ++ | -| test.cpp:1088:37:1088:37 | *x | semmle.label | *x | -| test.cpp:1089:2:1089:7 | ... ++ | semmle.label | ... ++ | -| test.cpp:1097:16:1097:23 | increment_arg output argument | semmle.label | increment_arg output argument | -| test.cpp:1101:27:1101:35 | increment_arg_by_pointer output argument | semmle.label | increment_arg_by_pointer output argument | -| test.cpp:1155:2:1155:26 | ... = ... | semmle.label | ... = ... | -| test.cpp:1155:14:1155:26 | ... - ... | semmle.label | ... - ... | -| test.cpp:1204:2:1204:15 | ... += ... | semmle.label | ... += ... | -| test.cpp:1206:2:1206:19 | ... = ... | semmle.label | ... = ... | -| test.cpp:1245:2:1245:28 | ... = ... | semmle.label | ... = ... | -| test.cpp:1245:16:1245:28 | ... + ... | semmle.label | ... + ... | -| test.cpp:1260:2:1260:28 | ... = ... | semmle.label | ... = ... | -| test.cpp:1260:16:1260:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:872:4:872:15 | ... ++ | semmle.label | ... ++ | +| test.cpp:951:3:951:25 | ... = ... | semmle.label | ... = ... | +| test.cpp:951:14:951:25 | ... + ... | semmle.label | ... + ... | +| test.cpp:969:3:969:12 | ... ++ | semmle.label | ... ++ | +| test.cpp:1031:2:1031:11 | ... ++ | semmle.label | ... ++ | +| test.cpp:1038:26:1038:26 | *x | semmle.label | *x | +| test.cpp:1039:2:1039:4 | ... ++ | semmle.label | ... ++ | +| test.cpp:1042:37:1042:37 | *x | semmle.label | *x | +| test.cpp:1043:2:1043:7 | ... ++ | semmle.label | ... ++ | +| test.cpp:1051:16:1051:23 | increment_arg output argument | semmle.label | increment_arg output argument | +| test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | semmle.label | increment_arg_by_pointer output argument | +| test.cpp:1109:2:1109:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1109:14:1109:26 | ... - ... | semmle.label | ... - ... | +| test.cpp:1158:2:1158:15 | ... += ... | semmle.label | ... += ... | +| test.cpp:1160:2:1160:19 | ... = ... | semmle.label | ... = ... | +| test.cpp:1199:2:1199:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1199:16:1199:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1214:2:1214:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1214:16:1214:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1228:2:1228:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1228:16:1228:28 | ... + ... | semmle.label | ... + ... | +| test.cpp:1242:2:1242:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1242:14:1242:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1256:2:1256:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1256:14:1256:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1262:2:1262:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:1262:16:1262:28 | ... + ... | semmle.label | ... + ... | | test.cpp:1274:2:1274:28 | ... = ... | semmle.label | ... = ... | | test.cpp:1274:16:1274:28 | ... + ... | semmle.label | ... + ... | -| test.cpp:1288:2:1288:26 | ... = ... | semmle.label | ... = ... | -| test.cpp:1288:14:1288:26 | ... + ... | semmle.label | ... + ... | -| test.cpp:1302:2:1302:26 | ... = ... | semmle.label | ... = ... | -| test.cpp:1302:14:1302:26 | ... + ... | semmle.label | ... + ... | -| test.cpp:1308:2:1308:28 | ... = ... | semmle.label | ... = ... | -| test.cpp:1308:16:1308:28 | ... + ... | semmle.label | ... + ... | -| test.cpp:1320:2:1320:28 | ... = ... | semmle.label | ... = ... | -| test.cpp:1320:16:1320:28 | ... + ... | semmle.label | ... + ... | -| test.cpp:1333:2:1333:26 | ... = ... | semmle.label | ... = ... | -| test.cpp:1333:14:1333:26 | ... + ... | semmle.label | ... + ... | -| test.cpp:1345:2:1345:26 | ... = ... | semmle.label | ... = ... | -| test.cpp:1345:14:1345:26 | ... + ... | semmle.label | ... + ... | -| test.cpp:1384:20:1384:23 | year | semmle.label | year | -| test.cpp:1387:2:1387:17 | ... = ... | semmle.label | ... = ... | -| test.cpp:1397:3:1397:22 | ... = ... | semmle.label | ... = ... | -| test.cpp:1397:15:1397:22 | ... + ... | semmle.label | ... + ... | -| test.cpp:1402:12:1402:17 | ... + ... | semmle.label | ... + ... | -| test.cpp:1411:3:1411:22 | ... = ... | semmle.label | ... = ... | -| test.cpp:1411:15:1411:22 | ... + ... | semmle.label | ... + ... | -| test.cpp:1421:3:1421:20 | ... = ... | semmle.label | ... = ... | -| test.cpp:1421:13:1421:20 | ... + ... | semmle.label | ... + ... | -| test.cpp:1423:12:1423:18 | yeartmp | semmle.label | yeartmp | -| test.cpp:1466:3:1466:22 | ... = ... | semmle.label | ... = ... | -| test.cpp:1466:15:1466:22 | ... + ... | semmle.label | ... + ... | -| test.cpp:1471:12:1471:17 | ... + ... | semmle.label | ... + ... | -| test.cpp:1478:12:1478:17 | ... + ... | semmle.label | ... + ... | -| test.cpp:1492:2:1492:16 | ... = ... | semmle.label | ... = ... | -| test.cpp:1492:9:1492:16 | ... + ... | semmle.label | ... + ... | -| test.cpp:1496:3:1496:18 | ... = ... | semmle.label | ... = ... | -| test.cpp:1501:12:1501:15 | year | semmle.label | year | -| test.cpp:1504:2:1504:16 | ... = ... | semmle.label | ... = ... | -| test.cpp:1504:9:1504:16 | ... + ... | semmle.label | ... + ... | -| test.cpp:1510:12:1510:15 | year | semmle.label | year | -| test.cpp:1558:2:1558:10 | ... += ... | semmle.label | ... += ... | -| test.cpp:1561:2:1561:15 | ... = ... | semmle.label | ... = ... | -| test.cpp:1591:2:1591:22 | ... += ... | semmle.label | ... += ... | -| test.cpp:1599:2:1599:22 | ... += ... | semmle.label | ... += ... | -| test.cpp:1678:2:1678:22 | ... += ... | semmle.label | ... += ... | -| test.cpp:1690:2:1690:22 | ... += ... | semmle.label | ... += ... | -| test.cpp:1723:2:1723:22 | ... += ... | semmle.label | ... += ... | -| test.cpp:1799:2:1799:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1287:2:1287:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1287:14:1287:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1299:2:1299:26 | ... = ... | semmle.label | ... = ... | +| test.cpp:1299:14:1299:26 | ... + ... | semmle.label | ... + ... | +| test.cpp:1338:20:1338:23 | year | semmle.label | year | +| test.cpp:1341:2:1341:17 | ... = ... | semmle.label | ... = ... | +| test.cpp:1351:3:1351:22 | ... = ... | semmle.label | ... = ... | +| test.cpp:1351:15:1351:22 | ... + ... | semmle.label | ... + ... | +| test.cpp:1356:12:1356:17 | ... + ... | semmle.label | ... + ... | +| test.cpp:1365:3:1365:22 | ... = ... | semmle.label | ... = ... | +| test.cpp:1365:15:1365:22 | ... + ... | semmle.label | ... + ... | +| test.cpp:1375:3:1375:20 | ... = ... | semmle.label | ... = ... | +| test.cpp:1375:13:1375:20 | ... + ... | semmle.label | ... + ... | +| test.cpp:1377:12:1377:18 | yeartmp | semmle.label | yeartmp | +| test.cpp:1420:3:1420:22 | ... = ... | semmle.label | ... = ... | +| test.cpp:1420:15:1420:22 | ... + ... | semmle.label | ... + ... | +| test.cpp:1425:12:1425:17 | ... + ... | semmle.label | ... + ... | +| test.cpp:1432:12:1432:17 | ... + ... | semmle.label | ... + ... | +| test.cpp:1446:2:1446:16 | ... = ... | semmle.label | ... = ... | +| test.cpp:1446:9:1446:16 | ... + ... | semmle.label | ... + ... | +| test.cpp:1450:3:1450:18 | ... = ... | semmle.label | ... = ... | +| test.cpp:1455:12:1455:15 | year | semmle.label | year | +| test.cpp:1458:2:1458:16 | ... = ... | semmle.label | ... = ... | +| test.cpp:1458:9:1458:16 | ... + ... | semmle.label | ... + ... | +| test.cpp:1464:12:1464:15 | year | semmle.label | year | +| test.cpp:1512:2:1512:10 | ... += ... | semmle.label | ... += ... | +| test.cpp:1515:2:1515:15 | ... = ... | semmle.label | ... = ... | +| test.cpp:1545:2:1545:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1553:2:1553:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1632:2:1632:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1644:2:1644:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1677:2:1677:22 | ... += ... | semmle.label | ... += ... | +| test.cpp:1753:2:1753:22 | ... += ... | semmle.label | ... += ... | subpaths diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected index e893ae1fff0..9c1d83861f0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected @@ -1,6 +1,6 @@ | test.cpp:425:2:425:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:417:13:417:14 | st | st | | test.cpp:443:2:443:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:435:13:435:14 | st | st | | test.cpp:459:2:459:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:451:62:451:63 | st | st | -| test.cpp:956:3:956:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:947:14:947:15 | st | st | -| test.cpp:974:3:974:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:965:14:965:15 | st | st | -| test.cpp:1081:2:1081:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:1071:13:1071:14 | st | st | +| test.cpp:953:3:953:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:944:14:944:15 | st | st | +| test.cpp:971:3:971:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:962:14:962:15 | st | st | +| test.cpp:1035:2:1035:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:1025:13:1025:14 | st | st | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp index 4451450fb25..28bf66b3436 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp @@ -822,17 +822,14 @@ void test(int x) * Positive AntiPattern 1 NOTE: historically considered positive but mktime checks year validity, needs re-assessment * Year field is modified but via an intermediary variable. */ -bool tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) +void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) { struct tm tm_parsed; - bool timestamp_found = false; struct tm tm_now; time_t t_now; int year; - timestamp_found = true; - /* * As the timestamp does not contain the year * number, daylight saving time information, nor @@ -1000,26 +997,6 @@ bool tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) } } - struct tm ltime(void) - { - SYSTEMTIME st; - struct tm tm; - bool isLeapYear; - - GetLocalTime(&st); - tm.tm_sec=st.wSecond; - tm.tm_min=st.wMinute; - tm.tm_hour=st.wHour; - tm.tm_mday=st.wDay; - tm.tm_mon=st.wMonth-1; - tm.tm_year=(st.wYear>=1900?st.wYear-1900:0); - - // Check for leap year, and adjust the date accordingly - isLeapYear = tm.tm_year % 4 == 0 && (tm.tm_year % 100 != 0 || tm.tm_year % 400 == 0); - tm.tm_mday = tm.tm_mon == 2 && tm.tm_mday == 29 && !isLeapYear ? 28 : tm.tm_mday; - return tm; - } - /** * Negative Case - Anti-pattern 1: [year ±n, month, day] * Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. @@ -1040,29 +1017,6 @@ FMAPITimeToSysTimeW(LPCWSTR wszTime, SYSTEMTIME *psystime) return true; } -/** -* Negative Case - Anti-pattern 1: [year ±n, month, day] -* Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. -*/ -bool -ATime_HrGetSysTime(SYSTEMTIME *pst) -{ - // if (!FValidSysTime()) - // { - // TrapSzTag("ATime cannot be converted to SYSTEMTIME", 0x1e14f5c3 /* tag_4fpxd */); - // CORgTag(E_FAIL, 0x6c373230 /* tag_l720 */); - // } - - // pst->wYear = static_cast(m_lYear); - // pst->wMonth = static_cast(m_lMonth); - // //pst->wDayOfWeek = ???; - // pst->wDay = static_cast(m_lDay); - // pst->wHour = static_cast(m_lHour); - // pst->wMinute = static_cast(m_lMinute); - // pst->wSecond = static_cast(m_lSecond); - // pst->wMilliseconds = 0; -} - /** * Negative Case - Anti-pattern 1: [year ±n, month, day] * Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. @@ -1413,7 +1367,7 @@ void constant_month_on_year_modification2(WORD year, WORD offset, WORD month){ if(month++ > 12){ - // some hueristics to detect a false positive here rely on variable names + // some heuristics to detect a false positive here rely on variable names // which is often consistent in the wild. // This variant uses the variable names yeartmp and monthtmp WORD yeartmp; From 98b51149daefcd8cc75344b0db4fd58db787f3a3 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 9 Feb 2026 10:48:24 -0500 Subject: [PATCH 023/110] C++: Change log missing .md extension. --- ... => 2026-02-06-UncheckedLeapYearAfterModification_Refactor.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cpp/ql/lib/change-notes/{2026-02-06-UncheckedLeapYearAfterModification_Refactor => 2026-02-06-UncheckedLeapYearAfterModification_Refactor.md} (100%) diff --git a/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor b/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md similarity index 100% rename from cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor rename to cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md From df544595525a8df1dab3030753ce673602550910 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 9 Feb 2026 13:19:02 -0500 Subject: [PATCH 024/110] Restore prior PR change log (accidentally removed) --- python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md diff --git a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md b/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md new file mode 100644 index 00000000000..283b703a438 --- /dev/null +++ b/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* Added request forgery sink models for the Azure SDK. +* Made it so that models-as-data sinks with the kind `request-forgery` contribute to the class `Http::Client::Request` which represents HTTP client requests. \ No newline at end of file From 23bab818553cd00fac1704e75567d775981150b1 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 9 Feb 2026 13:22:35 -0500 Subject: [PATCH 025/110] Added change log --- ...026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md diff --git a/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md b/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md new file mode 100644 index 00000000000..d4373eadfb2 --- /dev/null +++ b/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* Modified SSRF tests to use postprocessing to more easily debug results. +* Added new full SSRF sanitization barrier from the new AntiSSRF library. \ No newline at end of file From d33375cd167f048f52dc94d8352d718ce71372bd Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:34:41 +0100 Subject: [PATCH 026/110] chore: upgrade Bazel to 9.0.0 Bazel 9 removes native.cc_* and native.java_* rules from Starlark, requiring explicit imports from rules_cc and rules_java. --- .bazelversion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bazelversion b/.bazelversion index e7fdef7e2e6..f7ee06693c1 100644 --- a/.bazelversion +++ b/.bazelversion @@ -1 +1 @@ -8.4.2 +9.0.0 From 39218f5e6b4306d0d7c03e9f9ef640bf2163c2b6 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:34:53 +0100 Subject: [PATCH 027/110] feat: add rules_cc and rules_java module dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add explicit dependencies required for Bazel 9: - rules_cc 0.2.16: provides cc_binary, cc_library, cc_test - rules_java 9.0.3: provides java_* rules Also update related dependencies: - rules_go: 0.56.1 → 0.59.0 (compatibility with Bazel 9) - gazelle: 0.40.0 → 0.47.0 (compatibility with rules_go 0.59.0) - rules_nodejs: 6.2.0-codeql.1 → 6.7.3 (upstream version) --- MODULE.bazel | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MODULE.bazel b/MODULE.bazel index 4d1ba916ec1..aa58685a070 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -15,9 +15,11 @@ local_path_override( # see https://registry.bazel.build/ for a list of available packages bazel_dep(name = "platforms", version = "1.0.0") -bazel_dep(name = "rules_go", version = "0.56.1") +bazel_dep(name = "rules_cc", version = "0.2.16") +bazel_dep(name = "rules_go", version = "0.59.0") +bazel_dep(name = "rules_java", version = "9.0.3") bazel_dep(name = "rules_pkg", version = "1.0.1") -bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1") +bazel_dep(name = "rules_nodejs", version = "6.7.3") bazel_dep(name = "rules_python", version = "0.40.0") bazel_dep(name = "rules_shell", version = "0.5.0") bazel_dep(name = "bazel_skylib", version = "1.8.1") @@ -25,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl") bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json") bazel_dep(name = "fmt", version = "12.1.0-codeql.1") bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1") -bazel_dep(name = "gazelle", version = "0.40.0") +bazel_dep(name = "gazelle", version = "0.47.0") bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1") bazel_dep(name = "googletest", version = "1.14.0.bcr.1") bazel_dep(name = "rules_rust", version = "0.66.0") From 4d6fb873abac5fe4a8a14b0ec724ea6918fa5bfd Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:35:02 +0100 Subject: [PATCH 028/110] feat: add Python 3.12 toolchain registration rules_python 1.x requires explicit toolchain setup and no longer auto-registers toolchains. Register Python 3.12 toolchain to ensure Python tools work correctly with Bazel 9. --- MODULE.bazel | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/MODULE.bazel b/MODULE.bazel index aa58685a070..aaa0ea0f7d6 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -190,6 +190,15 @@ pip.parse( ) use_repo(pip, "codegen_deps") +python = use_extension("@rules_python//python/extensions:python.bzl", "python") +python.toolchain( + is_default = True, + python_version = "3.12", +) +use_repo(python, "python_3_12", "python_versions") + +register_toolchains("@python_versions//3.12:all") + swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps") # following list can be kept in sync with `bazel mod tidy` From 578efeaaa3abc6f05790b4ae90421fbb5b75b819 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:35:09 +0100 Subject: [PATCH 029/110] feat: add rules_cc to autoload configuration Add +@rules_cc to --incompatible_autoload_externally to enable graceful migration path for cc_* rule usages before all files are updated with explicit imports. --- .bazelrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bazelrc b/.bazelrc index 679eeec77a3..eb9b1a79321 100644 --- a/.bazelrc +++ b/.bazelrc @@ -34,7 +34,7 @@ common --@rules_dotnet//dotnet/settings:strict_deps=false common --@rules_rust//rust/toolchain/channel=nightly # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed -common --incompatible_autoload_externally="+@rules_java,+@rules_shell" +common --incompatible_autoload_externally="+@rules_cc,+@rules_java,+@rules_shell" build --java_language_version=17 build --tool_java_language_version=17 From d1c63603ee4acb6d0770bf23320873da00830f64 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:35:17 +0100 Subject: [PATCH 030/110] refactor: migrate Starlark files to explicit rules_cc imports Bazel 9 removes native.cc_* and CcInfo from global scope. Update: - swift/rules.bzl: Add cc_binary, cc_library, CcInfo imports; use explicit cc_binary/cc_library instead of native.cc_* - misc/bazel/cmake/cmake.bzl: Add CcInfo import for provider usage --- misc/bazel/cmake/cmake.bzl | 2 ++ swift/rules.bzl | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/misc/bazel/cmake/cmake.bzl b/misc/bazel/cmake/cmake.bzl index d98a480c69c..8235b249a2e 100644 --- a/misc/bazel/cmake/cmake.bzl +++ b/misc/bazel/cmake/cmake.bzl @@ -1,3 +1,5 @@ +load("@rules_cc//cc/common:cc_info.bzl", "CcInfo") + CmakeInfo = provider( fields = { "name": "", diff --git a/swift/rules.bzl b/swift/rules.bzl index cb16ca4382a..f0fde7e7140 100644 --- a/swift/rules.bzl +++ b/swift/rules.bzl @@ -1,3 +1,5 @@ +load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library") +load("@rules_cc//cc/common:cc_info.bzl", "CcInfo") load("//misc/bazel:os.bzl", "os_select") # TODO: make a shared library with the internal repos for transitions @@ -124,7 +126,7 @@ def _wrap_cc(rule, kwargs): ) def swift_cc_binary(**kwargs): - _wrap_cc(native.cc_binary, kwargs) + _wrap_cc(cc_binary, kwargs) def swift_cc_library(**kwargs): - _wrap_cc(native.cc_library, kwargs) + _wrap_cc(cc_library, kwargs) From f881d368f04637d2e45022b0b56bb0b34d8d712d Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:35:25 +0100 Subject: [PATCH 031/110] refactor: migrate BUILD files to explicit rules_cc imports Add explicit load statements for cc_binary, cc_library, and cc_test from @rules_cc//cc:defs.bzl in: - shared/cpp/BUILD.bazel - swift/logging/BUILD.bazel - misc/bazel/internal/zipmerge/BUILD.bazel --- misc/bazel/internal/zipmerge/BUILD.bazel | 4 +++- shared/cpp/BUILD.bazel | 2 ++ swift/logging/BUILD.bazel | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/misc/bazel/internal/zipmerge/BUILD.bazel b/misc/bazel/internal/zipmerge/BUILD.bazel index 07cbb34ce97..4b2723d6c64 100644 --- a/misc/bazel/internal/zipmerge/BUILD.bazel +++ b/misc/bazel/internal/zipmerge/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library", "cc_test") + cc_library( name = "lib", srcs = [ @@ -28,7 +30,7 @@ cc_test( linkstatic = True, # required to build the test in the internal repo deps = [ ":lib", - "@bazel_tools//tools/cpp/runfiles", "@googletest//:gtest_main", + "@rules_cc//cc/runfiles", ], ) diff --git a/shared/cpp/BUILD.bazel b/shared/cpp/BUILD.bazel index 5debed90086..f78c4ede92f 100644 --- a/shared/cpp/BUILD.bazel +++ b/shared/cpp/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_cc//cc:defs.bzl", "cc_library") + cc_library( name = "extractor_shared", srcs = glob(["*.cpp"]), diff --git a/swift/logging/BUILD.bazel b/swift/logging/BUILD.bazel index 1d6192b3c13..e72a7071d06 100644 --- a/swift/logging/BUILD.bazel +++ b/swift/logging/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_cc//cc:defs.bzl", "cc_library") + cc_library( name = "logging", srcs = glob(["*.cpp"]), From 10a2824b8284a97b02278468ea4b222072b5e784 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:35:31 +0100 Subject: [PATCH 032/110] refactor: migrate BUILD files to explicit rules_java imports Add explicit load statements for java_library and java_test from @rules_java//java:defs.bzl in: - javascript/extractor/BUILD.bazel - javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel --- javascript/extractor/BUILD.bazel | 1 + .../extractor/test/com/semmle/js/extractor/test/BUILD.bazel | 2 ++ 2 files changed, 3 insertions(+) diff --git a/javascript/extractor/BUILD.bazel b/javascript/extractor/BUILD.bazel index 360dc9370f9..363ea42864f 100644 --- a/javascript/extractor/BUILD.bazel +++ b/javascript/extractor/BUILD.bazel @@ -1,3 +1,4 @@ +load("@rules_java//java:defs.bzl", "java_library") load("@rules_pkg//pkg:mappings.bzl", "pkg_files") load("@semmle_code//:common.bzl", "codeql_fat_jar", "codeql_java_project") diff --git a/javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel b/javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel index 1bad97bb7cc..2d6a5d01c66 100644 --- a/javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel +++ b/javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel @@ -1,3 +1,5 @@ +load("@rules_java//java:defs.bzl", "java_test") + java_test( name = "test", srcs = glob(["**/*.java"]), From f8ed810a4470121e1dc23c1cf151a8e0b59eb02d Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 17:35:39 +0100 Subject: [PATCH 033/110] refactor: migrate C++ runfiles API from bazel_tools to rules_cc Bazel 9 moves the C++ runfiles library from @bazel_tools to @rules_cc. Update zipmerge_test.cpp: - Change include from tools/cpp/runfiles to rules_cc/cc/runfiles - Update namespace from bazel::tools::cpp::runfiles to rules_cc::cc::runfiles Note: The BUILD.bazel dependency change is in a separate commit. --- misc/bazel/internal/zipmerge/zipmerge_test.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misc/bazel/internal/zipmerge/zipmerge_test.cpp b/misc/bazel/internal/zipmerge/zipmerge_test.cpp index 65278a679f5..616365c7cbd 100644 --- a/misc/bazel/internal/zipmerge/zipmerge_test.cpp +++ b/misc/bazel/internal/zipmerge/zipmerge_test.cpp @@ -9,9 +9,9 @@ #include #include -#include "tools/cpp/runfiles/runfiles.h" +#include "rules_cc/cc/runfiles/runfiles.h" -using bazel::tools::cpp::runfiles::Runfiles; +using rules_cc::cc::runfiles::Runfiles; using namespace std::string_literals; namespace fs = std::filesystem; From ca90de2bedbc594bb34b250d4494c9f060909b48 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Thu, 5 Feb 2026 18:14:25 +0100 Subject: [PATCH 034/110] fix: disable Android SDK auto-detection for Bazel 9 compatibility rules_android has repository visibility issues with Bazel 9 when the Android SDK is present. Since we don't use Android, disable detection by setting ANDROID_HOME to empty. --- .bazelrc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.bazelrc b/.bazelrc index eb9b1a79321..8687f4406cb 100644 --- a/.bazelrc +++ b/.bazelrc @@ -11,6 +11,8 @@ build --compilation_mode opt common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub build --repo_env=CC=clang --repo_env=CXX=clang++ +# Disable Android SDK auto-detection (we don't use it, and rules_android has Bazel 9 compatibility issues) +build --repo_env=ANDROID_HOME= # print test output, like sembuild does. # Set to `errors` if this is too verbose. From b38c3268fb2a8a63ee5320dae3df563ca72242cb Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Feb 2026 12:18:07 +0100 Subject: [PATCH 035/110] fix: upgrade rules_kotlin to 2.2.2 for Windows compatibility Upgrade from 2.2.0-codeql.1 to 2.2.2-codeql.1 which includes: - Fix Windows bzlmod builder classpath issue - Move to official bazel worker api This eliminates the need for --legacy_external_runfiles on Windows. Also fix codegen templates to be included in runfiles. --- MODULE.bazel | 2 +- .../rules_kotlin/2.2.0-codeql.1/source.json | 4 +- .../rules_kotlin/2.2.2-codeql.1/MODULE.bazel | 38 +++++++++++++++++++ .../codeql_add_language_version_option.patch | 30 +++++++++++++++ .../patches/codeql_do_not_emit_jdeps.patch | 14 +++++++ .../rules_kotlin/2.2.2-codeql.1/source.json | 9 +++++ .../modules/rules_kotlin/metadata.json | 1 + misc/codegen/BUILD.bazel | 3 ++ misc/codegen/templates/BUILD.bazel | 15 ++++++++ 9 files changed, 113 insertions(+), 3 deletions(-) create mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel create mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_add_language_version_option.patch create mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch create mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json diff --git a/MODULE.bazel b/MODULE.bazel index aaa0ea0f7d6..f2c23b9ce85 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -26,7 +26,7 @@ bazel_dep(name = "bazel_skylib", version = "1.8.1") bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl") bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json") bazel_dep(name = "fmt", version = "12.1.0-codeql.1") -bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1") +bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1") bazel_dep(name = "gazelle", version = "0.47.0") bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1") bazel_dep(name = "googletest", version = "1.14.0.bcr.1") diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json b/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json index bfa243b5a22..ca35aa4a5c1 100644 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json @@ -2,8 +2,8 @@ "integrity": "sha256-4STROYYIW8ChW+LIXBQVurVwhEK3jSSf4iv430OlNA0=", "url": "https://github.com/bazelbuild/rules_kotlin/releases/download/v2.2.0/rules_kotlin-v2.2.0.tar.gz", "patches": { - "codeql_do_not_emit_jdeps.patch": "sha256-gIlhXEY71vlCkpr5wj2vm3yv6RwcuKLhgbTGqdVvQfU=", - "codeql_add_language_version_option.patch": "sha256-HoH8NWXxmYHmm/SxaugRdXgMntvcQx5gRLW2yQIvWhM=" + "codeql_add_language_version_option.patch": "sha256-HoH8NWXxmYHmm/SxaugRdXgMntvcQx5gRLW2yQIvWhM=", + "codeql_do_not_emit_jdeps.patch": "sha256-gIlhXEY71vlCkpr5wj2vm3yv6RwcuKLhgbTGqdVvQfU=" }, "patch_strip": 1 } diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel new file mode 100644 index 00000000000..2c77fc8adb2 --- /dev/null +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel @@ -0,0 +1,38 @@ +module( + name = "rules_kotlin", + version = "2.2.2-codeql.1", + compatibility_level = 1, + repo_name = "rules_kotlin", +) + +bazel_dep(name = "platforms", version = "0.0.11") +bazel_dep(name = "bazel_skylib", version = "1.7.1") +bazel_dep(name = "rules_java", version = "8.9.0") +bazel_dep(name = "rules_android", version = "0.6.4") +bazel_dep(name = "bazel_features", version = "1.25.0") +bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf") +bazel_dep(name = "rules_proto", version = "6.0.2", repo_name = "rules_proto") +bazel_dep(name = "abseil-py", version = "2.1.0", repo_name = "py_absl") +bazel_dep(name = "rules_cc", version = "0.0.16") +bazel_dep(name = "bazel_worker_api", version = "0.0.8") +bazel_dep(name = "bazel_worker_java", version = "0.0.8") + +rules_java_toolchains = use_extension("@rules_java//java:extensions.bzl", "toolchains") +use_repo(rules_java_toolchains, "remote_java_tools") + +rules_kotlin_extensions = use_extension( + "//src/main/starlark/core/repositories:bzlmod_setup.bzl", + "rules_kotlin_extensions", +) +use_repo( + rules_kotlin_extensions, + "com_github_google_ksp", + "com_github_jetbrains_kotlin", + "com_github_pinterest_ktlint", + "kotlinx_serialization_core_jvm", + "kotlinx_serialization_json", + "kotlinx_serialization_json_jvm", + "kotlin_build_tools_impl", +) + +register_toolchains("//kotlin/internal:default_toolchain") diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_add_language_version_option.patch b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_add_language_version_option.patch new file mode 100644 index 00000000000..795d1f88f38 --- /dev/null +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_add_language_version_option.patch @@ -0,0 +1,30 @@ +--- a/src/main/starlark/core/options/opts.kotlinc.bzl 2000-01-01 01:00:00.000000000 +0100 ++++ b/src/main/starlark/core/options/opts.kotlinc.bzl 2025-11-17 16:51:01.012063056 +0100 +@@ -51,6 +51,11 @@ + return None + return ["-Xjdk-release=%s" % version] + ++def _map_language_version_to_flag(version): ++ if not version: ++ return None ++ return ["-language-version=%s" % version, "-api-version=%s" % version] ++ + _KOPTS_ALL = { + "include_stdlibs": struct( + args = dict( +@@ -495,6 +500,15 @@ + value_to_flag = None, + map_value_to_flag = _map_warning_level, + ), ++ "language_version": struct( ++ args = dict( ++ default = "1.9", ++ doc = "-language-version", ++ ), ++ type = attr.string, ++ value_to_flag = None, ++ map_value_to_flag = _map_language_version_to_flag, ++ ), + } + + def _merge(key, rule_defined): diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch new file mode 100644 index 00000000000..e6b71ab0c4f --- /dev/null +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch @@ -0,0 +1,14 @@ +Emitting jdeps is broken for the 2.0.0 kotlin extractor, and we don't need those files. +Patching it here rather than passing `--@rules_kotlin//kotlin/settings:jvm_emit_jdeps=false` +allows us to not have to specify that option (and therefore pull in `rules_kotlin`) in `semmle-code`. +--- a/kotlin/settings/BUILD.bazel ++++ b/kotlin/settings/BUILD.bazel +@@ -16,6 +16,6 @@ release_archive( + # Flag that controls the emission of jdeps files during kotlin jvm compilation. + bool_flag( + name = "jvm_emit_jdeps", +- build_setting_default = True, # Upstream default behavior ++ build_setting_default = False, + visibility = ["//visibility:public"], + ) + diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json new file mode 100644 index 00000000000..23deb231a09 --- /dev/null +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json @@ -0,0 +1,9 @@ +{ + "integrity": "sha256-QR2yavs0ksyDUbW1NJkxUir+LFTyZRttEncwoSVtD2A=", + "url": "https://github.com/bazelbuild/rules_kotlin/releases/download/v2.2.2/rules_kotlin-v2.2.2.tar.gz", + "patches": { + "codeql_add_language_version_option.patch": "sha256-HoH8NWXxmYHmm/SxaugRdXgMntvcQx5gRLW2yQIvWhM=", + "codeql_do_not_emit_jdeps.patch": "sha256-gIlhXEY71vlCkpr5wj2vm3yv6RwcuKLhgbTGqdVvQfU=" + }, + "patch_strip": 1 +} diff --git a/misc/bazel/registry/modules/rules_kotlin/metadata.json b/misc/bazel/registry/modules/rules_kotlin/metadata.json index 3609865f4d5..23266f29c4e 100644 --- a/misc/bazel/registry/modules/rules_kotlin/metadata.json +++ b/misc/bazel/registry/modules/rules_kotlin/metadata.json @@ -22,6 +22,7 @@ ], "versions": [ "2.2.0-codeql.1", + "2.2.2-codeql.1" ], "yanked_versions": {} } diff --git a/misc/codegen/BUILD.bazel b/misc/codegen/BUILD.bazel index c7b88de96b7..90e9842a941 100644 --- a/misc/codegen/BUILD.bazel +++ b/misc/codegen/BUILD.bazel @@ -5,6 +5,9 @@ py_binary( srcs = ["codegen.py"], data = [ "//misc/codegen/templates:cpp", + "//misc/codegen/templates:dbscheme", + "//misc/codegen/templates:ql", + "//misc/codegen/templates:rust", "//misc/codegen/templates:trap", ], visibility = ["//visibility:public"], diff --git a/misc/codegen/templates/BUILD.bazel b/misc/codegen/templates/BUILD.bazel index a86346245af..9068cc7f66e 100644 --- a/misc/codegen/templates/BUILD.bazel +++ b/misc/codegen/templates/BUILD.bazel @@ -1,5 +1,10 @@ package(default_visibility = ["//misc/codegen:__subpackages__"]) +filegroup( + name = "dbscheme", + srcs = ["dbscheme.mustache"], +) + filegroup( name = "trap", srcs = glob(["trap_*.mustache"]), @@ -9,3 +14,13 @@ filegroup( name = "cpp", srcs = glob(["cpp_*.mustache"]), ) + +filegroup( + name = "ql", + srcs = glob(["ql_*.mustache"]), +) + +filegroup( + name = "rust", + srcs = glob(["rust_*.mustache"]), +) From 37261b2f5c9eec1966f750b7241161232a7eb9b7 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 6 Feb 2026 13:04:59 +0100 Subject: [PATCH 036/110] fix: sort use_repo alphabetically in rules_kotlin MODULE.bazel --- .../registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel index 2c77fc8adb2..ec37914a8f7 100644 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/MODULE.bazel @@ -29,10 +29,10 @@ use_repo( "com_github_google_ksp", "com_github_jetbrains_kotlin", "com_github_pinterest_ktlint", + "kotlin_build_tools_impl", "kotlinx_serialization_core_jvm", "kotlinx_serialization_json", "kotlinx_serialization_json_jvm", - "kotlin_build_tools_impl", ) register_toolchains("//kotlin/internal:default_toolchain") From 9f8ed710e28870ccd1044c53055bcce57ce062cf Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 10 Feb 2026 11:09:25 -0500 Subject: [PATCH 037/110] Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../CWE-918-ServerSideRequestForgery/test_path_validation.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py index 3e6bb1f6d0c..4560479d2b3 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py @@ -56,8 +56,8 @@ def urivalidator_path_in_azure_storage_domain_validation(credential): def complex_urivalidator_checks(credential, trusted_domain): user_input = request.args['untrusted_input'] # Focus on in_domain only here for simplicity - # It assumed the logic underlying checking paths would apply - # similarly other validator methods + # It is assumed that the logic underlying path checking would apply + # similarly to other validator methods. url = f"https://{user_input}" if not URIValidator.in_domain(url, trusted_domain): From a91cf6b7cba78087cc011eea9cd15555c07a0c29 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 10 Feb 2026 11:37:11 -0500 Subject: [PATCH 038/110] Applying copilot PR suggestions. --- ...ServerSideRequestForgeryCustomizations.qll | 2 +- .../FullServerSideRequestForgery.expected | 129 +++++---- .../PartialServerSideRequestForgery.expected | 248 +++++++++--------- .../full_partial_test.py | 6 +- .../test_azure_client.py | 16 +- .../test_http_client.py | 2 +- .../test_path_validation.py | 80 +++--- .../test_requests.py | 8 +- 8 files changed, 244 insertions(+), 247 deletions(-) diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll index e75217d608f..afce799d8ac 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll @@ -177,7 +177,7 @@ module ServerSideRequestForgery { ) } - /** A validation that a string does not contain certain characters, considered as a sanitizer. */ + /** A validation of a URI using the `AntiSSRF` library, considered as a full-ssrf sanitizer. */ private class UriValidator extends FullUrlControlSanitizer { UriValidator() { this = DataFlow::BarrierGuard::getABarrierNode() } } diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected index 19b5f7efa9d..cb46c54ca70 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected @@ -13,32 +13,32 @@ | full_partial_test.py:89:5:89:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:89:18:89:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | full_partial_test.py:93:5:93:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:93:18:93:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | full_partial_test.py:97:5:97:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:97:18:97:20 | ControlFlowNode for url | The full URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:16:9:16:63 | ControlFlowNode for SecretClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:18:9:18:47 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:20:9:20:39 | ControlFlowNode for KeyClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:22:9:22:89 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:16:5:16:59 | ControlFlowNode for SecretClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:18:5:18:43 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:20:5:20:35 | ControlFlowNode for KeyClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:22:5:22:85 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | | test_azure_client.py:25:5:25:104 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:15:5:15:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:13:27:13:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:15:5:15:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:15:25:15:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:21:5:21:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:21:5:21:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:21:25:21:35 | ControlFlowNode for unsafe_path | The full URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:21:13:21:67 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:37:13:37:64 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:53:13:53:51 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:64:13:64:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:64:36:64:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:71:13:71:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:71:36:71:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:74:13:74:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:74:36:74:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:79:13:79:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:87:13:87:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:87:36:87:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:90:13:90:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:90:36:90:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:95:13:95:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:95:36:95:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:102:13:102:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:102:36:102:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:107:13:107:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:107:36:107:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:110:13:110:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:110:36:110:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:115:13:115:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:115:36:115:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:122:13:122:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:122:36:122:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:125:13:125:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:125:36:125:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:132:13:132:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:132:36:132:38 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:21:9:21:63 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:37:9:37:60 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:53:9:53:47 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:64:9:64:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:71:9:71:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:74:9:74:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:79:9:79:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:87:9:87:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:90:9:90:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:95:9:95:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:102:9:102:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:107:9:107:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:110:9:110:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:115:9:115:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:122:9:122:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:125:9:125:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:132:9:132:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_requests.py:9:5:9:28 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:9:18:9:27 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_requests.py:17:5:17:27 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_requests.py:22:16:22:55 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | @@ -85,10 +85,10 @@ edges | test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | provenance | | | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | @@ -113,31 +113,31 @@ edges | test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:36:64:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:36:71:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:36:74:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:36:87:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:36:90:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:36:95:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:36:102:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:36:107:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:36:110:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:36:115:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:36:122:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:36:125:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:36:132:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | @@ -192,10 +192,10 @@ nodes | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | @@ -215,34 +215,34 @@ nodes | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:64:36:64:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:71:36:71:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:74:36:74:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:79:36:79:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:87:36:87:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:90:36:90:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:95:36:95:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:102:36:102:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:107:36:107:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:110:36:110:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:115:36:115:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:122:36:122:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:125:36:125:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:132:36:132:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:64:32:64:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:71:32:71:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:74:32:74:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:79:32:79:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:87:32:87:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:90:32:90:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:95:32:95:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:102:32:102:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:107:32:107:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:110:32:110:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:115:32:115:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:122:32:122:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:125:32:125:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:132:32:132:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_requests.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | @@ -255,6 +255,3 @@ nodes | test_requests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | subpaths -testFailures -| test_requests.py:39:40:39:62 | Comment # $ Alert[py/full-ssrf] | Missing result: Alert[py/full-ssrf] | -| test_requests.py:49:40:49:62 | Comment # $ Alert[py/full-ssrf] | Missing result: Alert[py/full-ssrf] | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected index 0d3f49c200e..314aa99ef60 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected @@ -6,39 +6,39 @@ | full_partial_test.py:126:5:126:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:126:18:126:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | full_partial_test.py:136:5:136:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:136:18:136:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | full_partial_test.py:143:5:143:21 | ControlFlowNode for Attribute() | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:143:18:143:20 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:15:9:15:58 | ControlFlowNode for SecretClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:15:32:15:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:17:9:17:42 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:17:39:17:41 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:19:9:19:34 | ControlFlowNode for KeyClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:19:19:19:21 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | -| test_azure_client.py:21:9:21:84 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:21:58:21:60 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:15:5:15:54 | ControlFlowNode for SecretClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:15:28:15:30 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:17:5:17:38 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:17:35:17:37 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:19:5:19:30 | ControlFlowNode for KeyClient() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:19:15:19:17 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | +| test_azure_client.py:21:5:21:80 | ControlFlowNode for Attribute() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:21:54:21:56 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | | test_azure_client.py:24:5:24:100 | ControlFlowNode for download_blob_from_url() | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_azure_client.py:6:19:6:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:25:5:25:31 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:19:27:19:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:30:5:30:31 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:28:27:28:37 | ControlFlowNode for unsafe_host | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:34:5:34:36 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:34:25:34:35 | ControlFlowNode for unsafe_path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:39:5:39:29 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:39:25:39:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_http_client.py:44:5:44:29 | ControlFlowNode for Attribute() | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:44:25:44:28 | ControlFlowNode for path | Part of the URL of this request depends on a $@. | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:14:13:14:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:14:36:14:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:16:13:16:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:16:36:16:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:19:13:19:67 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:19:36:19:43 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:30:13:30:59 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:30:33:30:35 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:32:13:32:59 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:32:33:32:35 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:35:13:35:64 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:35:33:35:40 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:46:13:46:46 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:46:43:46:45 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:48:13:48:46 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:48:43:48:45 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:51:13:51:51 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:51:43:51:50 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:66:13:66:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:66:36:66:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:69:13:69:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:69:36:69:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:76:13:76:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:76:36:76:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:81:13:81:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:81:36:81:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:85:13:85:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:85:36:85:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:92:13:92:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:92:36:92:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:97:13:97:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:97:36:97:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:100:13:100:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:100:36:100:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:105:13:105:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:105:36:105:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:112:13:112:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:112:36:112:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:117:13:117:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:117:36:117:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:120:13:120:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:120:36:120:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:127:13:127:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:127:36:127:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | -| test_path_validation.py:130:13:130:62 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:130:36:130:38 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:14:9:14:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:14:32:14:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:16:9:16:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:16:32:16:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:19:9:19:63 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:19:32:19:39 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:30:9:30:55 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:30:29:30:31 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:32:9:32:55 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:32:29:32:31 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:35:9:35:60 | ControlFlowNode for KeyClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:35:29:35:36 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:46:9:46:42 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:46:39:46:41 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:48:9:48:42 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:48:39:48:41 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:51:9:51:47 | ControlFlowNode for Attribute() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:51:39:51:46 | ControlFlowNode for full_url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:66:9:66:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:66:32:66:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:69:9:69:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:69:32:69:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:76:9:76:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:76:32:76:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:81:9:81:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:81:32:81:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:85:9:85:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:85:32:85:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:92:9:92:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:92:32:92:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:97:9:97:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:97:32:97:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:100:9:100:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:100:32:100:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:105:9:105:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:105:32:105:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:112:9:112:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:112:32:112:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:117:9:117:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:117:32:117:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:120:9:120:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:120:32:120:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:127:9:127:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:127:32:127:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | +| test_path_validation.py:130:9:130:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:130:32:130:34 | ControlFlowNode for url | Part of the URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | edges | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | provenance | | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | provenance | | @@ -126,15 +126,15 @@ edges | test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | provenance | | | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:15:32:15:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:17:39:17:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:19:19:19:21 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:21:58:21:60 | ControlFlowNode for url | provenance | Sink:MaD:26 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:15:28:15:30 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:17:35:17:37 | ControlFlowNode for url | provenance | Sink:MaD:38 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:19:15:19:17 | ControlFlowNode for url | provenance | Sink:MaD:14 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:21:54:21:56 | ControlFlowNode for url | provenance | Sink:MaD:26 | | test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | provenance | Sink:MaD:27 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | @@ -169,58 +169,58 @@ edges | test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:14:36:14:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:16:36:16:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:19:36:19:43 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:14:32:14:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:16:32:16:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:19:32:19:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | | test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | test_path_validation.py:26:5:26:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:30:33:30:35 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:32:33:32:35 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:35:33:35:40 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:30:29:30:31 | ControlFlowNode for url | provenance | Sink:MaD:14 | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:32:29:32:31 | ControlFlowNode for url | provenance | Sink:MaD:14 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:35:29:35:36 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | | test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | test_path_validation.py:42:5:42:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:46:43:46:45 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:48:43:48:45 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:51:43:51:50 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:46:39:46:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:48:39:48:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:51:39:51:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:36:64:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:66:36:66:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:69:36:69:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:36:71:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:36:74:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:76:36:76:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:36:79:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:81:36:81:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:85:36:85:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:36:87:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:36:90:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:92:36:92:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:36:95:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:97:36:97:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:100:36:100:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:36:102:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:105:36:105:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:36:107:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:36:110:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:112:36:112:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:36:115:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:117:36:117:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:120:36:120:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:36:122:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:36:125:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:127:36:127:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:130:36:130:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:36:132:38 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:66:32:66:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:69:32:69:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:76:32:76:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:81:32:81:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:85:32:85:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:92:32:92:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:97:32:97:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:100:32:100:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:105:32:105:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:112:32:112:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:117:32:117:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:120:32:120:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:127:32:127:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:130:32:130:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | @@ -311,14 +311,14 @@ nodes | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_azure_client.py:12:5:12:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:15:32:15:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:16:32:16:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:17:39:17:41 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:18:39:18:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:19:19:19:21 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:20:19:20:26 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_azure_client.py:21:58:21:60 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_azure_client.py:22:58:22:65 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:15:28:15:30 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:17:35:17:37 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:19:15:19:17 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_azure_client.py:21:54:21:56 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | @@ -347,61 +347,61 @@ nodes | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:10:5:10:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:14:36:14:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:16:36:16:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:19:36:19:43 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:21:36:21:43 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:14:32:14:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:16:32:16:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:19:32:19:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:26:5:26:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:30:33:30:35 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:32:33:32:35 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:35:33:35:40 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:37:33:37:40 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:30:29:30:31 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:32:29:32:31 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:35:29:35:36 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | semmle.label | ControlFlowNode for user_input2 | | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:42:5:42:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:46:43:46:45 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:48:43:48:45 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:51:43:51:50 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | -| test_path_validation.py:53:43:53:50 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:46:39:46:41 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:48:39:48:41 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:51:39:51:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | +| test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | semmle.label | ControlFlowNode for full_url | | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:64:36:64:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:66:36:66:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:69:36:69:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:71:36:71:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:74:36:74:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:76:36:76:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:79:36:79:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:81:36:81:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:85:36:85:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:87:36:87:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:90:36:90:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:92:36:92:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:95:36:95:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:97:36:97:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:100:36:100:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:102:36:102:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:105:36:105:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:107:36:107:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:110:36:110:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:112:36:112:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:115:36:115:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:117:36:117:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:120:36:120:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:122:36:122:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:125:36:125:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:127:36:127:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:130:36:130:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | -| test_path_validation.py:132:36:132:38 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:64:32:64:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:66:32:66:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:69:32:69:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:71:32:71:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:74:32:74:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:76:32:76:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:79:32:79:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:81:32:81:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:85:32:85:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:87:32:87:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:90:32:90:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:92:32:92:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:95:32:95:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:97:32:97:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:100:32:100:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:102:32:102:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:105:32:105:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:107:32:107:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:110:32:110:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:112:32:112:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:115:32:115:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:117:32:117:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:120:32:120:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:122:32:122:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:125:32:125:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:127:32:127:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:130:32:130:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | +| test_path_validation.py:132:32:132:34 | ControlFlowNode for url | semmle.label | ControlFlowNode for url | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | test_requests.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | @@ -414,5 +414,3 @@ nodes | test_requests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | subpaths -testFailures -| test_requests.py:1:27:1:36 | Comment # $ Source | Missing result: Source | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py index e2f4fc05026..7b7d067b611 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py @@ -1,6 +1,6 @@ from flask import request # $ Source -import requests +import requests import re def full_ssrf(): @@ -122,7 +122,7 @@ def partial_ssrf_4(): user_input = request.args['untrusted_input'] url = "https://example.com/foo#{}".format(user_input) - # NOT OK -- user contollred fragment + # NOT OK -- user controlled fragment requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_5(): @@ -132,7 +132,7 @@ def partial_ssrf_5(): # controlled url = "https://example.com/foo#%s" % user_input - # NOT OK -- user contollred fragment + # NOT OK -- user controlled fragment requests.get(url) # $ Alert[py/partial-ssrf] def partial_ssrf_6(): diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py index 5dbb7e1ede4..ac4ff4d365e 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py @@ -12,14 +12,14 @@ def azure_sdk_test(credential, output_path): url = f"https://example.com/foo#{user_input}" full_url = f"https://{user_input2}" # Testing Azure sink - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] - c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] - c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] - c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] - c = KeyClient(url, credential) # $ Alert[py/partial-ssrf] - c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf] - c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] - c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] + ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] + KeyClient(url, credential) # $ Alert[py/partial-ssrf] + KeyClient(full_url, credential) # $ Alert[py/full-ssrf] + ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] + ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] download_blob_from_url(blob_url=url, output=output_path, credential=credential, overwrite=True ) # $ Alert[py/partial-ssrf] download_blob_from_url(blob_url=full_url, output=output_path, credential=credential, overwrite=True) # $ Alert[py/full-ssrf] diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py index 0a238878e35..da812eb6c54 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py @@ -14,7 +14,7 @@ def ssrf_test(): # NOT OK -- user has full control conn.request("GET", unsafe_path) # $ Alert[py/full-ssrf] - # Full SSRF variant, where there is AlSO made a request with fixed URL on the same + # Full SSRF variant, where there is also a request with fixed URL on the same # connection later on. This should not change anything on the overall SSRF alerts. conn = HTTPConnection(unsafe_host) # $ Sink # NOT OK -- user has full control diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py index 4560479d2b3..ce5a6d33833 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py @@ -11,14 +11,14 @@ def urivalidator_path_in_domain_validation(credential, trusted_domain): full_url = f"https://{user_input2}" if URIValidator.in_domain(url, trusted_domain): - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(full_url, trusted_domain): - c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] def urivalidator_path_in_azure_keyvault_domain_validation(credential): user_input = request.args['untrusted_input'] @@ -27,14 +27,14 @@ def urivalidator_path_in_azure_keyvault_domain_validation(credential): full_url = f"https://{user_input2}" if URIValidator.in_azure_keyvault_domain(url): - c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_azure_keyvault_domain(full_url): - c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] + KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] + KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] def urivalidator_path_in_azure_storage_domain_validation(credential): user_input = request.args['untrusted_input'] @@ -43,14 +43,14 @@ def urivalidator_path_in_azure_storage_domain_validation(credential): full_url = f"https://{user_input2}" if URIValidator.in_azure_storage_domain(url): - c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] + ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] else: - c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] + ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] if URIValidator.in_azure_storage_domain(full_url): - c = ShareFileClient.from_file_url(full_url) # $ Alert[py/partial-ssrf] + ShareFileClient.from_file_url(full_url) # $ Alert[py/partial-ssrf] else: - c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] + ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] def complex_urivalidator_checks(credential, trusted_domain): @@ -61,72 +61,72 @@ def complex_urivalidator_checks(credential, trusted_domain): url = f"https://{user_input}" if not URIValidator.in_domain(url, trusted_domain): - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) and trusted_domain == "example.com": - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if not (URIValidator.in_domain(url, trusted_domain) and trusted_domain == "example.com"): - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if not not not URIValidator.in_domain(url, trusted_domain): - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) == True: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if URIValidator.in_domain(url, trusted_domain) == False: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) != True: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) != False: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if URIValidator.in_domain(url, trusted_domain) is True: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if URIValidator.in_domain(url, trusted_domain) is False: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) is not True: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if URIValidator.in_domain(url, trusted_domain) is not False: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] if not URIValidator.in_domain(url, trusted_domain) is True: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] if not URIValidator.in_domain(url, trusted_domain) is False: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] + SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] else: - c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] \ No newline at end of file + SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf] \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py index cfa2e6aa5a7..fa5da6cef49 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py @@ -1,4 +1,4 @@ -from flask import request # $ Source +from flask import request # $ Source[py/full-ssrf] from AntiSSRF import AntiSSRFPolicy import requests @@ -36,7 +36,8 @@ def ssrf_test_with_policy2(): # this makes the session unsafe again session.mount("http://", requests.adapters.HTTPAdapter()) # NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy - response = session.get(user_input) # $ Alert[py/full-ssrf] + # TODO: not currently a scenario we detect. + session.get(user_input) # $ MISSING: Alert[py/full-ssrf] def ssrf_test_with_policy3(adapter): user_input = request.args['untrusted_input'] @@ -46,4 +47,5 @@ def ssrf_test_with_policy3(adapter): # this could make the session unsafe again session.mount("http://", adapter) # NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy - response = session.get(user_input) # $ Alert[py/full-ssrf] \ No newline at end of file + # TODO: not currently a scenario we detect. + session.get(user_input) # $ MISSING: Alert[py/full-ssrf] \ No newline at end of file From 4bb110beb87256fdef01f122b2bf9f8c7d254b70 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 10 Feb 2026 11:46:16 -0500 Subject: [PATCH 039/110] More copilot suggestions. --- .../CWE-918-ServerSideRequestForgery/test_requests.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py index fa5da6cef49..6489096c969 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py @@ -19,14 +19,14 @@ def ssrf_test2(): def ssrf_test3(): user_input = request.args['untrusted_input'] # NOT OK -- user has full control - response = requests.request('', user_input) # $ Alert[py/full-ssrf] + requests.request('', user_input) # $ Alert[py/full-ssrf] def ssrf_test_with_policy1(): user_input = request.args['untrusted_input'] policy = AntiSSRFPolicy() session = policy.get_antissrf_session() # OK -- dangerous user input is filtered by AntiSSRFPolicy - response = session.get(user_input) + session.get(user_input) def ssrf_test_with_policy2(): user_input = request.args['untrusted_input'] From 9f9c353806ae05361c5bf4515036e722f89b4176 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 10 Feb 2026 11:47:23 -0500 Subject: [PATCH 040/110] Update expected files. Copilot suggestions broke unit test expected results (column numbers). --- .../FullServerSideRequestForgery.expected | 6 +++--- .../PartialServerSideRequestForgery.expected | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected index cb46c54ca70..c2fd16bfab7 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected @@ -41,7 +41,7 @@ | test_path_validation.py:132:9:132:58 | ControlFlowNode for SecretClient() | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | The full URL of this request depends on a $@. | test_path_validation.py:5:19:5:25 | ControlFlowNode for ImportMember | user-provided value | | test_requests.py:9:5:9:28 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:9:18:9:27 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | | test_requests.py:17:5:17:27 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | -| test_requests.py:22:16:22:55 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | +| test_requests.py:22:5:22:44 | ControlFlowNode for Attribute() | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:22:34:22:43 | ControlFlowNode for user_input | The full URL of this request depends on a $@. | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | user-provided value | edges | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | provenance | | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | full_partial_test.py:7:18:7:24 | ControlFlowNode for request | provenance | | @@ -146,7 +146,7 @@ edges | test_requests.py:7:18:7:24 | ControlFlowNode for request | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | provenance | | | test_requests.py:14:18:14:24 | ControlFlowNode for request | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | provenance | | +| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:34:22:43 | ControlFlowNode for user_input | provenance | | | test_requests.py:20:18:20:24 | ControlFlowNode for request | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | nodes | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | @@ -253,5 +253,5 @@ nodes | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_requests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_requests.py:22:45:22:54 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:22:34:22:43 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | subpaths diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected index 314aa99ef60..8cc69590b7e 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected @@ -229,7 +229,7 @@ edges | test_requests.py:7:18:7:24 | ControlFlowNode for request | test_requests.py:7:5:7:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | provenance | | | test_requests.py:14:18:14:24 | ControlFlowNode for request | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:45:22:54 | ControlFlowNode for user_input | provenance | | +| test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:34:22:43 | ControlFlowNode for user_input | provenance | | | test_requests.py:20:18:20:24 | ControlFlowNode for request | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | nodes | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | @@ -412,5 +412,5 @@ nodes | test_requests.py:17:17:17:26 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | | test_requests.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test_requests.py:22:45:22:54 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | +| test_requests.py:22:34:22:43 | ControlFlowNode for user_input | semmle.label | ControlFlowNode for user_input | subpaths From 000d8244c4cabb38cc145971b63c5a866c3a3411 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 11 Feb 2026 09:29:42 +0100 Subject: [PATCH 041/110] address review --- misc/bazel/registry/fix.py | 4 +-- .../rules_kotlin/2.2.0-codeql.1/MODULE.bazel | 36 ------------------- .../codeql_add_language_version_option.patch | 30 ---------------- .../patches/codeql_do_not_emit_jdeps.patch | 14 -------- .../rules_kotlin/2.2.0-codeql.1/source.json | 9 ----- .../patches/codeql_do_not_emit_jdeps.patch | 3 +- .../rules_kotlin/2.2.2-codeql.1/source.json | 2 +- .../modules/rules_kotlin/metadata.json | 1 - swift/rules.bzl | 3 +- 9 files changed, 6 insertions(+), 96 deletions(-) delete mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/MODULE.bazel delete mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_add_language_version_option.patch delete mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_do_not_emit_jdeps.patch delete mode 100644 misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json diff --git a/misc/bazel/registry/fix.py b/misc/bazel/registry/fix.py index 863c832be59..57a2bf3b3f9 100755 --- a/misc/bazel/registry/fix.py +++ b/misc/bazel/registry/fix.py @@ -62,10 +62,10 @@ for entry in this_dir.joinpath("modules").iterdir(): patch_json( version / "source.json", patches={ - p.name: sha256(p) for p in patches.iterdir() + p.name: sha256(p) for p in sorted(patches.iterdir()) } if patches.is_dir() else None, patch_strip=1 if patches.is_dir() else None, overlay={ - o.name: sha256(o) for o in overlay.iterdir() + o.name: sha256(o) for o in sorted(overlay.iterdir()) } if overlay.is_dir() else None, ) diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/MODULE.bazel b/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/MODULE.bazel deleted file mode 100644 index df66ce2051a..00000000000 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/MODULE.bazel +++ /dev/null @@ -1,36 +0,0 @@ -module( - name = "rules_kotlin", - version = "2.2.0-codeql.1", - compatibility_level = 1, - repo_name = "rules_kotlin", -) - -bazel_dep(name = "platforms", version = "0.0.11") -bazel_dep(name = "bazel_skylib", version = "1.7.1") -bazel_dep(name = "rules_java", version = "7.2.0") -bazel_dep(name = "rules_android", version = "0.6.4") -bazel_dep(name = "bazel_features", version = "1.25.0") -bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf") -bazel_dep(name = "rules_proto", version = "6.0.2", repo_name = "rules_proto") -bazel_dep(name = "abseil-py", version = "2.1.0", repo_name = "py_absl") -bazel_dep(name = "rules_cc", version = "0.0.16") - -rules_java_toolchains = use_extension("@rules_java//java:extensions.bzl", "toolchains") -use_repo(rules_java_toolchains, "remote_java_tools") - -rules_kotlin_extensions = use_extension( - "//src/main/starlark/core/repositories:bzlmod_setup.bzl", - "rules_kotlin_extensions", -) -use_repo( - rules_kotlin_extensions, - "com_github_google_ksp", - "com_github_jetbrains_kotlin", - "com_github_pinterest_ktlint", - "kotlin_build_tools_impl", - "kotlinx_serialization_core_jvm", - "kotlinx_serialization_json", - "kotlinx_serialization_json_jvm", -) - -register_toolchains("//kotlin/internal:default_toolchain") diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_add_language_version_option.patch b/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_add_language_version_option.patch deleted file mode 100644 index 795d1f88f38..00000000000 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_add_language_version_option.patch +++ /dev/null @@ -1,30 +0,0 @@ ---- a/src/main/starlark/core/options/opts.kotlinc.bzl 2000-01-01 01:00:00.000000000 +0100 -+++ b/src/main/starlark/core/options/opts.kotlinc.bzl 2025-11-17 16:51:01.012063056 +0100 -@@ -51,6 +51,11 @@ - return None - return ["-Xjdk-release=%s" % version] - -+def _map_language_version_to_flag(version): -+ if not version: -+ return None -+ return ["-language-version=%s" % version, "-api-version=%s" % version] -+ - _KOPTS_ALL = { - "include_stdlibs": struct( - args = dict( -@@ -495,6 +500,15 @@ - value_to_flag = None, - map_value_to_flag = _map_warning_level, - ), -+ "language_version": struct( -+ args = dict( -+ default = "1.9", -+ doc = "-language-version", -+ ), -+ type = attr.string, -+ value_to_flag = None, -+ map_value_to_flag = _map_language_version_to_flag, -+ ), - } - - def _merge(key, rule_defined): diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_do_not_emit_jdeps.patch b/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_do_not_emit_jdeps.patch deleted file mode 100644 index e6b71ab0c4f..00000000000 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/patches/codeql_do_not_emit_jdeps.patch +++ /dev/null @@ -1,14 +0,0 @@ -Emitting jdeps is broken for the 2.0.0 kotlin extractor, and we don't need those files. -Patching it here rather than passing `--@rules_kotlin//kotlin/settings:jvm_emit_jdeps=false` -allows us to not have to specify that option (and therefore pull in `rules_kotlin`) in `semmle-code`. ---- a/kotlin/settings/BUILD.bazel -+++ b/kotlin/settings/BUILD.bazel -@@ -16,6 +16,6 @@ release_archive( - # Flag that controls the emission of jdeps files during kotlin jvm compilation. - bool_flag( - name = "jvm_emit_jdeps", -- build_setting_default = True, # Upstream default behavior -+ build_setting_default = False, - visibility = ["//visibility:public"], - ) - diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json b/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json deleted file mode 100644 index ca35aa4a5c1..00000000000 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.0-codeql.1/source.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "integrity": "sha256-4STROYYIW8ChW+LIXBQVurVwhEK3jSSf4iv430OlNA0=", - "url": "https://github.com/bazelbuild/rules_kotlin/releases/download/v2.2.0/rules_kotlin-v2.2.0.tar.gz", - "patches": { - "codeql_add_language_version_option.patch": "sha256-HoH8NWXxmYHmm/SxaugRdXgMntvcQx5gRLW2yQIvWhM=", - "codeql_do_not_emit_jdeps.patch": "sha256-gIlhXEY71vlCkpr5wj2vm3yv6RwcuKLhgbTGqdVvQfU=" - }, - "patch_strip": 1 -} diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch index e6b71ab0c4f..838750ba12e 100644 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/patches/codeql_do_not_emit_jdeps.patch @@ -1,6 +1,7 @@ Emitting jdeps is broken for the 2.0.0 kotlin extractor, and we don't need those files. Patching it here rather than passing `--@rules_kotlin//kotlin/settings:jvm_emit_jdeps=false` -allows us to not have to specify that option (and therefore pull in `rules_kotlin`) in `semmle-code`. +allows us to not have to specify that option (and therefore pull in `rules_kotlin`) in the +internal repo. --- a/kotlin/settings/BUILD.bazel +++ b/kotlin/settings/BUILD.bazel @@ -16,6 +16,6 @@ release_archive( diff --git a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json index 23deb231a09..7025fb00a27 100644 --- a/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json +++ b/misc/bazel/registry/modules/rules_kotlin/2.2.2-codeql.1/source.json @@ -3,7 +3,7 @@ "url": "https://github.com/bazelbuild/rules_kotlin/releases/download/v2.2.2/rules_kotlin-v2.2.2.tar.gz", "patches": { "codeql_add_language_version_option.patch": "sha256-HoH8NWXxmYHmm/SxaugRdXgMntvcQx5gRLW2yQIvWhM=", - "codeql_do_not_emit_jdeps.patch": "sha256-gIlhXEY71vlCkpr5wj2vm3yv6RwcuKLhgbTGqdVvQfU=" + "codeql_do_not_emit_jdeps.patch": "sha256-cg06knW+Eq13qHCaelbnZka/WnGPvRrcqXHtpXsy/rA=" }, "patch_strip": 1 } diff --git a/misc/bazel/registry/modules/rules_kotlin/metadata.json b/misc/bazel/registry/modules/rules_kotlin/metadata.json index 23266f29c4e..ea756f78364 100644 --- a/misc/bazel/registry/modules/rules_kotlin/metadata.json +++ b/misc/bazel/registry/modules/rules_kotlin/metadata.json @@ -21,7 +21,6 @@ "github:bazelbuild/rules_kotlin" ], "versions": [ - "2.2.0-codeql.1", "2.2.2-codeql.1" ], "yanked_versions": {} diff --git a/swift/rules.bzl b/swift/rules.bzl index f0fde7e7140..d479f6bff11 100644 --- a/swift/rules.bzl +++ b/swift/rules.bzl @@ -1,5 +1,4 @@ -load("@rules_cc//cc:defs.bzl", "cc_binary", "cc_library") -load("@rules_cc//cc/common:cc_info.bzl", "CcInfo") +load("@rules_cc//cc:defs.bzl", "CcInfo", "cc_binary", "cc_library") load("//misc/bazel:os.bzl", "os_select") # TODO: make a shared library with the internal repos for transitions From 9f5b8141f01c961f82f83b1c04ea030b8d1722e9 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 11 Feb 2026 16:11:30 +0100 Subject: [PATCH 042/110] Rust: Fix bad join Before ``` Pipeline standard for TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc@be110b6w was evaluated in 512 iterations totaling 114ms (delta sizes total: 10942). 8395 ~0% {5} r1 = JOIN `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev_delta` WITH `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev` ON FIRST 3 OUTPUT Lhs.1, Lhs.2, _, Lhs.0, Lhs.3 8395 ~0% {4} | REWRITE WITH Tmp.2 := 1, Out.2 := (Tmp.2 + In.4) KEEPING 4 8448 ~0% {5} | JOIN WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2_0132#join_rhs` ON FIRST 3 OUTPUT Lhs.3, Rhs.3, Lhs.0, Lhs.1, Lhs.2 7440 ~0% {5} | JOIN WITH TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::MkCallAndPos#53e3fb94#prev ON FIRST 2 OUTPUT Rhs.2, Lhs.2, Lhs.0, Lhs.3, Lhs.4 0 ~0% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::ArgIsInstantiationOfToIndex::ArgSubstIsInstantiationOf::isInstantiationOf/3#5154f0d6#prev` ON FIRST 2 OUTPUT Lhs.2, Lhs.1, Lhs.3, Lhs.4 2937 ~0% {5} r2 = JOIN TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::MkCallAndPos#53e3fb94#prev_delta WITH `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev` ON FIRST 1 OUTPUT Lhs.2, Rhs.1, Lhs.0, Lhs.1, Rhs.2 0 ~0% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::ArgIsInstantiationOfToIndex::ArgSubstIsInstantiationOf::isInstantiationOf/3#5154f0d6#prev` ON FIRST 2 OUTPUT Lhs.1, Lhs.4, Lhs.3, Lhs.2 0 ~0% {6} r3 = JOIN r2 WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 3 OUTPUT Lhs.3, Lhs.2, Lhs.0, Lhs.1, Rhs.3, _ {5} | REWRITE WITH Tmp.5 := 0, TEST InOut.4 = Tmp.5 KEEPING 5 0 ~0% {5} | SCAN OUTPUT In.2, In.3, In.1, _, In.0 0 ~0% {5} | REWRITE WITH Out.3 := 0 0 ~0% {4} | JOIN WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 4 OUTPUT Lhs.4, Lhs.0, Lhs.1, _ 0 ~0% {4} | REWRITE WITH Out.3 := 0 12463 ~0% {2} r4 = SCAN `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::ArgIsInstantiationOfToIndex::ArgSubstIsInstantiationOf::isInstantiationOf/3#5154f0d6#prev_delta` OUTPUT In.1, In.0 22532135 ~0% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#reorder_1_0_2#prev` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0, Rhs.2 12463 ~0% {4} | JOIN WITH TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::MkCallAndPos#53e3fb94#reorder_0_2_1#prev ON FIRST 2 OUTPUT Lhs.2, Lhs.3, Rhs.2, Lhs.0 12463 ~2% {6} r5 = JOIN r4 WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 3 OUTPUT Lhs.0, Lhs.3, Lhs.1, Lhs.2, Rhs.3, _ {5} | REWRITE WITH Tmp.5 := 0, TEST InOut.4 = Tmp.5 KEEPING 5 4285 ~0% {5} | SCAN OUTPUT In.0, In.2, In.3, _, In.1 4285 ~0% {5} | REWRITE WITH Out.3 := 0 4285 ~1% {4} | JOIN WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 4 OUTPUT Lhs.4, Lhs.0, Lhs.1, _ 4285 ~1% {4} | REWRITE WITH Out.3 := 0 0 ~0% {4} r6 = JOIN r2 WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 3 OUTPUT Lhs.3, Lhs.0, Lhs.1, Rhs.3 0 ~0% {6} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3, Rhs.3, _ {6} | REWRITE WITH Tmp.5 := 1, Out.5 := (InOut.3 - Tmp.5), TEST Out.5 = InOut.4 0 ~0% {4} | SCAN OUTPUT In.0, In.1, In.2, In.3 12463 ~45% {4} r7 = JOIN r4 WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 3 OUTPUT Lhs.3, Lhs.0, Lhs.1, Rhs.3 8178 ~50% {6} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev` ON FIRST 3 OUTPUT Lhs.1, Lhs.0, Lhs.2, Lhs.3, Rhs.3, _ {6} | REWRITE WITH Tmp.5 := 1, Out.5 := (InOut.3 - Tmp.5), TEST Out.5 = InOut.4 7428 ~58% {4} | SCAN OUTPUT In.1, In.0, In.2, In.3 4264 ~0% {3} r8 = SCAN `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev_delta` OUTPUT In.1, In.2, In.0 4312 ~0% {5} r9 = JOIN r8 WITH `_project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/__#join_rhs#1` ON FIRST 2 OUTPUT Lhs.0, Lhs.1, Rhs.2, _, Lhs.2 4312 ~0% {5} | REWRITE WITH Out.3 := 0 4312 ~0% {5} | JOIN WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 4 OUTPUT Lhs.4, Lhs.2, Lhs.0, Lhs.1, _ 4312 ~0% {5} | REWRITE WITH Out.4 := 0 12760 ~0% {5} r10 = JOIN r8 WITH `project#TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::toCheckRanked/5#52f6d5e0#2` ON FIRST 2 OUTPUT Lhs.2, Lhs.0, Lhs.1, Rhs.2, Rhs.3 0 ~0% {7} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev` ON FIRST 3 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.4, Lhs.0, Rhs.3, _ {7} | REWRITE WITH Tmp.6 := 1, Out.6 := (InOut.3 - Tmp.6), TEST Out.6 = InOut.5 0 ~0% {5} | SCAN OUTPUT In.4, In.2, In.0, In.1, In.3 4312 ~0% {5} r11 = r9 UNION r10 4288 ~0% {5} | JOIN WITH TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::MkCallAndPos#53e3fb94#prev ON FIRST 2 OUTPUT Rhs.2, Lhs.2, Lhs.3, Lhs.4, Lhs.0 0 ~0% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::ArgIsInstantiationOfToIndex::ArgSubstIsInstantiationOf::isInstantiationOf/3#5154f0d6#prev` ON FIRST 2 OUTPUT Lhs.4, Lhs.1, Lhs.2, Lhs.3 11713 ~36% {4} r12 = r1 UNION r3 UNION r5 UNION r6 UNION r7 UNION r11 10942 ~39% {4} | AND NOT `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev`(FIRST 4) return r12 ``` After ``` Pipeline standard for TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc@07309ry7 was evaluated in 168 iterations totaling 145ms (delta sizes total: 8395). 12517 ~0% {6} r1 = SCAN `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argIsInstantiationOf/5#efdc1fbb#reorder_0_2_3_4_1#prev_delta` OUTPUT In.0, In.1, In.2, In.3, In.4, _ 4337 ~0% {5} | REWRITE WITH Tmp.5 := 0, TEST InOut.3 = Tmp.5 KEEPING 5 4285 ~1% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, _ 4285 ~1% {4} | REWRITE WITH Out.3 := 0 0 ~0% {4} r2 = JOIN `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev_delta` WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argIsInstantiationOf/5#efdc1fbb#reorder_0_2_3_4_1#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, Rhs.3 0 ~0% {5} r3 = SCAN r2 OUTPUT In.0, In.1, In.2, In.3, _ {4} | REWRITE WITH Tmp.4 := 0, TEST InOut.3 = Tmp.4 KEEPING 4 0 ~0% {4} | SCAN OUTPUT In.0, In.1, In.2, _ 0 ~0% {4} | REWRITE WITH Out.3 := 0 8395 ~0% {5} r4 = JOIN `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev_delta` WITH `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, _, Lhs.3 8395 ~0% {4} | REWRITE WITH Tmp.3 := 1, Out.3 := (Tmp.3 + In.4) KEEPING 4 0 ~0% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argIsInstantiationOf/5#efdc1fbb#reorder_0_2_3_4_1#prev` ON FIRST 4 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3 0 ~0% {6} r5 = JOIN r2 WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3, Rhs.3, _ {6} | REWRITE WITH Tmp.5 := 1, Out.5 := (InOut.3 - Tmp.5), TEST Out.5 = InOut.4 0 ~0% {4} | SCAN OUTPUT In.0, In.1, In.2, In.3 12517 ~18% {4} r6 = SCAN `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argIsInstantiationOf/5#efdc1fbb#reorder_0_2_3_4_1#prev_delta` OUTPUT In.0, In.1, In.2, In.3 11759 ~12% {4} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodCall.resolveCallTargetBlanketCand/1#dispred#f8b86f2d#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3 9874 ~12% {6} | JOIN WITH `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3, Rhs.3, _ {6} | REWRITE WITH Tmp.5 := 1, Out.5 := (InOut.3 - Tmp.5), TEST Out.5 = InOut.4 7476 ~18% {4} | SCAN OUTPUT In.0, In.1, In.2, In.3 11761 ~12% {4} r7 = r1 UNION r3 UNION r4 UNION r5 UNION r6 8395 ~0% {4} | AND NOT `TypeInference::NonMethodResolution::NonMethodArgsAreInstantiationsOfBlanket::argsAreInstantiationsOfToIndex/4#f6ff35dc#prev`(FIRST 4) return r7 ``` --- .../rust/internal/typeinference/FunctionType.qll | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll b/rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll index aeb186c0cdc..74d8385bdf2 100644 --- a/rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll +++ b/rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll @@ -419,14 +419,21 @@ module ArgsAreInstantiationsOf { private module ArgIsInstantiationOfToIndex = ArgIsInstantiationOf; + pragma[nomagic] + private predicate argIsInstantiationOf( + Input::Call call, FunctionPosition pos, ImplOrTraitItemNode i, Function f, int rnk + ) { + ArgIsInstantiationOfToIndex::argIsInstantiationOf(MkCallAndPos(call, pos), i, _) and + toCheckRanked(i, f, _, pos, rnk) + } + pragma[nomagic] private predicate argsAreInstantiationsOfToIndex( Input::Call call, ImplOrTraitItemNode i, Function f, int rnk ) { exists(FunctionPosition pos | - ArgIsInstantiationOfToIndex::argIsInstantiationOf(MkCallAndPos(call, pos), i, _) and - call.hasTargetCand(i, f) and - toCheckRanked(i, f, _, pos, rnk) + argIsInstantiationOf(call, pos, i, f, rnk) and + call.hasTargetCand(i, f) | rnk = 0 or From 4d4e7a1b5c21badf976d5647c34aae8eac49908d Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 12 Feb 2026 08:28:08 -0500 Subject: [PATCH 043/110] Pretty print for tests. --- .../FullServerSideRequestForgery.expected | 50 +++++---- .../FullServerSideRequestForgery.qlref | 4 +- .../PartialServerSideRequestForgery.expected | 106 +++++++++--------- .../PartialServerSideRequestForgery.qlref | 4 +- 4 files changed, 90 insertions(+), 74 deletions(-) diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected index c2fd16bfab7..7434eca6978 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected @@ -85,11 +85,11 @@ edges | test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | provenance | | | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | provenance | Sink:MaD:2 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | provenance | Sink:MaD:4 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | provenance | Sink:MaD:1 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | provenance | Sink:MaD:3 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:5 | | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | @@ -113,31 +113,31 @@ edges | test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | provenance | Sink:MaD:2 | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | provenance | Sink:MaD:1 | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | provenance | Sink:MaD:4 | | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | @@ -148,6 +148,12 @@ edges | test_requests.py:14:18:14:24 | ControlFlowNode for request | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:34:22:43 | ControlFlowNode for user_input | provenance | | | test_requests.py:20:18:20:24 | ControlFlowNode for request | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +models +| 1 | Sink: azure.keyvault.keys.KeyClient!; Call.Argument[0,vault_url:]; request-forgery | +| 2 | Sink: azure.keyvault.secrets.SecretClient!; Call.Argument[0,vault_url:]; request-forgery | +| 3 | Sink: azure.storage.blob.ContainerClient!; Member[from_container_url].Argument[0,container_url:]; request-forgery | +| 4 | Sink: azure.storage.fileshare.ShareFileClient!; Member[from_file_url].Argument[0,file_url:]; request-forgery | +| 5 | Sink: azure; Member[storage].Member[blob].Member[download_blob_from_url].Argument[0,blob_url:]; request-forgery | nodes | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref index 35a2814e7f4..f0a8d1e6b15 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref @@ -1,2 +1,4 @@ query: Security/CWE-918/FullServerSideRequestForgery.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file +postprocess: +- utils/test/InlineExpectationsTestQuery.ql +- utils/test/PrettyPrintModels.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected index 8cc69590b7e..0b875607157 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected @@ -126,16 +126,16 @@ edges | test_azure_client.py:9:18:9:24 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | provenance | | | test_azure_client.py:10:19:10:25 | ControlFlowNode for request | test_azure_client.py:10:5:10:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:15:28:15:30 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:17:35:17:37 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:19:15:19:17 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:21:54:21:56 | ControlFlowNode for url | provenance | Sink:MaD:26 | -| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | provenance | Sink:MaD:27 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | provenance | Sink:MaD:26 | -| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:27 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:15:28:15:30 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:17:35:17:37 | ControlFlowNode for url | provenance | Sink:MaD:4 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:19:15:19:17 | ControlFlowNode for url | provenance | Sink:MaD:1 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:21:54:21:56 | ControlFlowNode for url | provenance | Sink:MaD:3 | +| test_azure_client.py:12:5:12:7 | ControlFlowNode for url | test_azure_client.py:24:37:24:39 | ControlFlowNode for url | provenance | Sink:MaD:5 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:16:28:16:35 | ControlFlowNode for full_url | provenance | Sink:MaD:2 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:18:35:18:42 | ControlFlowNode for full_url | provenance | Sink:MaD:4 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:20:15:20:22 | ControlFlowNode for full_url | provenance | Sink:MaD:1 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:22:54:22:61 | ControlFlowNode for full_url | provenance | Sink:MaD:3 | +| test_azure_client.py:13:5:13:12 | ControlFlowNode for full_url | test_azure_client.py:25:37:25:44 | ControlFlowNode for full_url | provenance | Sink:MaD:5 | | test_http_client.py:1:19:1:25 | ControlFlowNode for ImportMember | test_http_client.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:9:19:9:25 | ControlFlowNode for request | provenance | | | test_http_client.py:1:19:1:25 | ControlFlowNode for request | test_http_client.py:10:19:10:25 | ControlFlowNode for request | provenance | | @@ -169,58 +169,58 @@ edges | test_path_validation.py:8:18:8:24 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:9:19:9:25 | ControlFlowNode for request | test_path_validation.py:9:5:9:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:14:32:14:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:16:32:16:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:19:32:19:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | -| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | provenance | Sink:MaD:15 | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:14:32:14:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:10:5:10:7 | ControlFlowNode for url | test_path_validation.py:16:32:16:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:19:32:19:39 | ControlFlowNode for full_url | provenance | Sink:MaD:2 | +| test_path_validation.py:11:5:11:12 | ControlFlowNode for full_url | test_path_validation.py:21:32:21:39 | ControlFlowNode for full_url | provenance | Sink:MaD:2 | | test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | test_path_validation.py:26:5:26:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:24:5:24:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_path_validation.py:24:18:24:24 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:25:19:25:25 | ControlFlowNode for request | test_path_validation.py:25:5:25:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:30:29:30:31 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:32:29:32:31 | ControlFlowNode for url | provenance | Sink:MaD:14 | -| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:35:29:35:36 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | -| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | provenance | Sink:MaD:14 | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:30:29:30:31 | ControlFlowNode for url | provenance | Sink:MaD:1 | +| test_path_validation.py:26:5:26:7 | ControlFlowNode for url | test_path_validation.py:32:29:32:31 | ControlFlowNode for url | provenance | Sink:MaD:1 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:35:29:35:36 | ControlFlowNode for full_url | provenance | Sink:MaD:1 | +| test_path_validation.py:27:5:27:12 | ControlFlowNode for full_url | test_path_validation.py:37:29:37:36 | ControlFlowNode for full_url | provenance | Sink:MaD:1 | | test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | test_path_validation.py:42:5:42:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:40:5:40:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_path_validation.py:40:18:40:24 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | provenance | | | test_path_validation.py:41:19:41:25 | ControlFlowNode for request | test_path_validation.py:41:5:41:15 | ControlFlowNode for user_input2 | provenance | AdditionalTaintStep | -| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:46:39:46:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:48:39:48:41 | ControlFlowNode for url | provenance | Sink:MaD:38 | -| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:51:39:51:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | -| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | provenance | Sink:MaD:38 | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:46:39:46:41 | ControlFlowNode for url | provenance | Sink:MaD:4 | +| test_path_validation.py:42:5:42:7 | ControlFlowNode for url | test_path_validation.py:48:39:48:41 | ControlFlowNode for url | provenance | Sink:MaD:4 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:51:39:51:46 | ControlFlowNode for full_url | provenance | Sink:MaD:4 | +| test_path_validation.py:43:5:43:12 | ControlFlowNode for full_url | test_path_validation.py:53:39:53:46 | ControlFlowNode for full_url | provenance | Sink:MaD:4 | | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | test_path_validation.py:61:5:61:7 | ControlFlowNode for url | provenance | | | test_path_validation.py:57:18:57:24 | ControlFlowNode for request | test_path_validation.py:57:5:57:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:66:32:66:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:69:32:69:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:76:32:76:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:81:32:81:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:85:32:85:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:92:32:92:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:97:32:97:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:100:32:100:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:105:32:105:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:112:32:112:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:117:32:117:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:120:32:120:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:127:32:127:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:130:32:130:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | -| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | provenance | Sink:MaD:15 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:64:32:64:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:66:32:66:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:69:32:69:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:71:32:71:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:74:32:74:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:76:32:76:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:79:32:79:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:81:32:81:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:85:32:85:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:87:32:87:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:90:32:90:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:92:32:92:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:95:32:95:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:97:32:97:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:100:32:100:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:102:32:102:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:105:32:105:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:107:32:107:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:110:32:110:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:112:32:112:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:115:32:115:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:117:32:117:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:120:32:120:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:122:32:122:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:125:32:125:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:127:32:127:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:130:32:130:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | +| test_path_validation.py:61:5:61:7 | ControlFlowNode for url | test_path_validation.py:132:32:132:34 | ControlFlowNode for url | provenance | Sink:MaD:2 | | test_requests.py:1:19:1:25 | ControlFlowNode for ImportMember | test_requests.py:1:19:1:25 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:7:18:7:24 | ControlFlowNode for request | provenance | | | test_requests.py:1:19:1:25 | ControlFlowNode for request | test_requests.py:14:18:14:24 | ControlFlowNode for request | provenance | | @@ -231,6 +231,12 @@ edges | test_requests.py:14:18:14:24 | ControlFlowNode for request | test_requests.py:14:5:14:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | test_requests.py:22:34:22:43 | ControlFlowNode for user_input | provenance | | | test_requests.py:20:18:20:24 | ControlFlowNode for request | test_requests.py:20:5:20:14 | ControlFlowNode for user_input | provenance | AdditionalTaintStep | +models +| 1 | Sink: azure.keyvault.keys.KeyClient!; Call.Argument[0,vault_url:]; request-forgery | +| 2 | Sink: azure.keyvault.secrets.SecretClient!; Call.Argument[0,vault_url:]; request-forgery | +| 3 | Sink: azure.storage.blob.ContainerClient!; Member[from_container_url].Argument[0,container_url:]; request-forgery | +| 4 | Sink: azure.storage.fileshare.ShareFileClient!; Member[from_file_url].Argument[0,file_url:]; request-forgery | +| 5 | Sink: azure; Member[storage].Member[blob].Member[download_blob_from_url].Argument[0,blob_url:]; request-forgery | nodes | full_partial_test.py:1:19:1:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | full_partial_test.py:1:19:1:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref index 651b07aea55..1161c990e22 100644 --- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref @@ -1,2 +1,4 @@ query: Security/CWE-918/PartialServerSideRequestForgery.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file +postprocess: +- utils/test/InlineExpectationsTestQuery.ql +- utils/test/PrettyPrintModels.ql \ No newline at end of file From e2ad1f65111e75d22bfc8b0dad9b944b8c54d425 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 12 Feb 2026 09:20:55 -0500 Subject: [PATCH 044/110] C++: Updating comment per PR reveiw suggestions. --- cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll index 77c23d97b02..6916818cdc5 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll +++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll @@ -310,7 +310,9 @@ module PossibleYearArithmeticOperationCheckFlow = TaintTracking::Global; /** - * This list of APIs should check for the return value to detect problems during the conversion. + * Time conversion functions where either + * 1) an incorrect leap year date would result in an error that can be checked from the return value or + * 2) an incorrect leap year date is auto corrected (no checks required) */ class TimeConversionFunction extends Function { boolean autoLeapYearCorrecting; From d1eb9ab5d211dff88d46ab0087da78849ee4e88f Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 09:36:36 -0500 Subject: [PATCH 045/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 3fd830acd97..7c16922c46a 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -767,7 +767,7 @@ class LeapYearGuardCondition extends GuardCondition { * ... values eventually used in the same time struct * If this is even more challenging if the struct the values end up in are not * local (set inter-procedurally). - * This flow flows constants 1-31 to a month or day assignment. + * This configuration looks for constants 1-31 flowing to a month or day assignment. * It is assumed a user of this flow will check if the month/day source and month/day sink * are in the same basic blocks as a year modification source and a year modification sink. * It is also assumed a user will check if the constant source is a value that is ignorable From a53218c2ce424b69428cbb4e621a08ec60db3151 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 09:36:57 -0500 Subject: [PATCH 046/110] Update cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../2026-02-06-UncheckedLeapYearAfterModification_Refactor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md b/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md index 3d0f71c5a65..4a2cf3ef189 100644 --- a/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md +++ b/cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* Refactor of UncheckedLeapYearAfterYearModification.ql to address large numbers of false positives. Reduced alerts from 40k to 2k. \ No newline at end of file +* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results. \ No newline at end of file From f7231f40eb31c9cde646cf5a6bef27af23340f9e Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 12 Feb 2026 09:52:19 -0500 Subject: [PATCH 047/110] C++: misc comment clean up per PR suggestions. Unified additional flow steps for two similar flows into a common additional step predicate. --- cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll | 2 +- .../UncheckedLeapYearAfterYearModification.ql | 82 +++++++++++-------- 2 files changed, 50 insertions(+), 34 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll index 6916818cdc5..99981873d26 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll +++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll @@ -310,7 +310,7 @@ module PossibleYearArithmeticOperationCheckFlow = TaintTracking::Global; /** - * Time conversion functions where either + * A time conversion function where either * 1) an incorrect leap year date would result in an error that can be checked from the return value or * 2) an incorrect leap year date is auto corrected (no checks required) */ diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 3fd830acd97..70ce862c3c2 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -27,6 +27,8 @@ import semmle.code.cpp.controlflow.IRGuards */ class IgnorableFunction extends Function { IgnorableFunction() { + // arithmetic in known time conversion functions may look like dangerous operations + // we assume all known time conversion functions are safe. this instanceof TimeConversionFunction or // Helper utility in postgres with string time conversions @@ -421,6 +423,41 @@ predicate isLeapYearCheckSink(DataFlow::Node sink) { isLeapYearCheckCall(_, [sink.asExpr(), sink.asIndirectExpr()]) } +predicate yearAssignmentToCheckCommonSteps(DataFlow::Node node1, DataFlow::Node node2) { + // flow from a YearFieldAccess to the qualifier + node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*() + or + // getting the 'access' can be tricky at definitions (assignments especially) + // as dataflow uses asDefinition not asExpr. + // the YearFieldAssignmentNode holds the access in these cases + node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr() + or + // flow from a year access qualifier to a year field + exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier()) + or + node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr() + or + // Pass through any intermediate struct + exists(Assignment a, DataFlow::PostUpdateNode pun | + a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and + a.getRValue() = node1.asExpr() and + node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*() + ) + or + // in cases of t.year = x and the value of x is checked, but the year t.year isn't directly checked + // flow from a year assignment node to an RHS if it is an assignment + // e.g., + // t.year = x; + // isLeapYear(x); + // --> at this point there is no flow of t.year to a check, but only its raw value + // To detect the flow of 'x' to the isLeapYear check, + // flow from t.year to 'x' (at assignment, t.year = x, flow to the RHS to track use-use flow of x) + exists(YearFieldAssignmentNode yfan | + node1 = yfan and + node2.asExpr() = yfan.asDefinition().(Assignment).getRValue() + ) +} + /** * A flow configuration from a Year field access to some Leap year check or guard */ @@ -430,25 +467,7 @@ module YearAssignmentToLeapYearCheckConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { isLeapYearCheckSink(sink) } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { - // flow from a YearFieldAccess to the qualifier - node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*() - or - // Pass through any intermediate struct - exists(Assignment a, DataFlow::PostUpdateNode pun | - a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and - a.getRValue() = node1.asExpr() and - node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*() - ) - or - // flow from a year access qualifier to a year field - exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier()) - or - // in cases of x.year = x and the x is checked, but the year x.year isn't directly - // flow from a year assignment node to an RHS if it is an assignment - exists(YearFieldAssignmentNode yfan | - node1 = yfan and - node2.asExpr() = yfan.asDefinition().(Assignment).getRValue() - ) + yearAssignmentToCheckCommonSteps(node1, node2) } /** @@ -514,6 +533,11 @@ predicate isControlledByMonthEqualityCheckNonFebruary(Expr e) { * auto convert to a sanity check guard of the result for error conditions. */ module YearAssignmentToCheckedTimeConversionConfig implements DataFlow::StateConfigSig { + // Flow state tracks if flow goes through a known time conversion function + // see `TimeConversionFunction`. + // A valid check with a time conversion function is either the case: + // 1) the year flows into a time conversion function, and the time conversion function's result is checked or + // 2) the year flows into a time conversion function that auto corrects for leap year, so no check is necessary. class FlowState = boolean; predicate isSource(DataFlow::Node source, FlowState state) { @@ -522,6 +546,9 @@ module YearAssignmentToCheckedTimeConversionConfig implements DataFlow::StateCon } predicate isSink(DataFlow::Node sink, FlowState state) { + // Case 1: Flow through a time conversion function that requires a check, + // and we have arrived at a guard, implying the result was checked for possible error, including leap year error. + // state = true indicates the flow went through a time conversion function state = true and ( exists(IfStmt ifs | ifs.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]) @@ -533,6 +560,8 @@ module YearAssignmentToCheckedTimeConversionConfig implements DataFlow::StateCon exists(Loop l | l.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]) ) or + // Case 2: Flow through a time conversion function that auto corrects for leap year, so no check is necessary. + // state true or false, as flowing through a time conversion function is not necessary in this instance. state in [true, false] and exists(Call c, TimeConversionFunction f | f.isAutoLeapYearCorrecting() and @@ -554,20 +583,7 @@ module YearAssignmentToCheckedTimeConversionConfig implements DataFlow::StateCon } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { - // flow from a YearFieldAccess to the qualifier - node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*() - or - node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr() - or - // Pass through any intermediate struct - exists(Assignment a, DataFlow::PostUpdateNode pun | - a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and - a.getRValue() = node1.asExpr() and - node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*() - ) - or - // flow from a year access qualifier to a year field - exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier()) + yearAssignmentToCheckCommonSteps(node1, node2) } DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } From dfe6ed2171f872c8760e5ca789500523dabac8d4 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 10:09:25 -0500 Subject: [PATCH 048/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 5ebd8af4392..0273440a49f 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -106,8 +106,7 @@ class IgnorableExpr10MultipleComponent extends IgnorableOperation { } /** - * An operation involving a sub expression with char literal 48, ignore as a likely string conversion - * e.g., X - '0' + * An operation involving a sub expression with char literal `48`, ignore as a likely string conversion. For example: `X - '0'` */ class IgnorableExpr48Mapping extends IgnorableOperation { IgnorableExpr48Mapping() { From b39732ba02c515f6223ac528853cc878b9a8ad6f Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 10:10:11 -0500 Subject: [PATCH 049/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 0273440a49f..d22a6b5e557 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -207,7 +207,7 @@ class OperationAsArgToIgnorableFunction extends IgnorableOperation { } /** - * A Literal OP literal means the result is constant/known + * A binary operation on two literals means the result is constant/known * and the operation is basically ignorable (it's not a real operation but * probably one visual simplicity what it means). */ From f5a38b47015d929477324ea1844f3f5213c047a7 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 10:17:56 -0500 Subject: [PATCH 050/110] Apply suggestion from @geoffw0 Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index d22a6b5e557..03236397979 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -266,7 +266,7 @@ class IgnorablePointerOrCharArithmetic extends IgnorableOperation { } /** - * Holds for an expression that is a operation that could flow to a Year field. + * Holds for an expression that is an add or similar operation that could flow to a Year field. */ predicate isOperationSourceCandidate(Expr e) { not e instanceof IgnorableOperation and From 36e4efe77e55c237be39dbe2ea79ab0d190b8588 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 10:20:32 -0500 Subject: [PATCH 051/110] Apply suggestion from @geoffw0 Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 03236397979..1d8b92a85d3 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -354,7 +354,7 @@ class YearFieldAssignmentNode extends DataFlow::Node { } /** - * A DataFlow configuration for identifying flows from some non trivial access or literal + * A DataFlow configuration for identifying flows from an identified source * to the Year field of a date object. */ module OperationToYearAssignmentConfig implements DataFlow::ConfigSig { From 9bbbbefd34116b220dd345d77e345861373cda50 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Thu, 12 Feb 2026 10:20:59 -0500 Subject: [PATCH 052/110] Apply suggestion from @geoffw0 Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 1d8b92a85d3..21310ab2048 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -288,7 +288,7 @@ predicate isOperationSourceCandidate(Expr e) { } /** - * A dataflow that tracks an ignorable operation (eg. bitwise op) to a operation source, so we may disqualify it. + * A data flow that tracks an ignorable operation (such as a bitwise operation) to an operation source, so we may disqualify it. */ module IgnorableOperationToOperationSourceCandidateConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node n) { n.asExpr() instanceof IgnorableOperation } From 4a7395b0171d7f84aeaf10e7e10376c2cea2c4dd Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 12 Feb 2026 11:11:43 -0500 Subject: [PATCH 053/110] C++ Suggested code clean up. --- .../UncheckedLeapYearAfterYearModification.ql | 29 +++++++++---------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 5ebd8af4392..e7bd8fe8ff0 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -233,32 +233,29 @@ class IgnorableAssignmentBitwiseOperation extends IgnorableOperation instanceof class IgnorablePointerOrCharArithmetic extends IgnorableOperation { IgnorablePointerOrCharArithmetic() { this instanceof BinaryArithmeticOperation and - ( - this.(BinaryArithmeticOperation).getAnOperand().getUnspecifiedType() instanceof PointerType + exists(Expr op | op = this.(BinaryArithmeticOperation).getAnOperand() | + op.getUnspecifiedType() instanceof PointerType or - this.(BinaryArithmeticOperation).getAnOperand().getUnspecifiedType() instanceof CharType + op.getUnspecifiedType() instanceof CharType or // Operations on calls to functions that accept char or char* - this.(BinaryArithmeticOperation) - .getAnOperand() - .(Call) - .getAnArgument() - .getUnspecifiedType() - .stripType() instanceof CharType + op.(Call).getAnArgument().getUnspecifiedType().stripType() instanceof CharType or // Operations on calls to functions named like "strlen", "wcslen", etc // NOTE: workaround for cases where the wchar_t type is not a char, but an unsigned short // unclear if there is a best way to filter cases like these out based on type info. - this.(BinaryArithmeticOperation).getAnOperand().(Call).getTarget().getName().matches("%len%") + op.(Call).getTarget().getName().matches("%len%") ) or exists(AssignArithmeticOperation a | a.getRValue() = this | - a.getAnOperand().getUnspecifiedType() instanceof PointerType - or - a.getAnOperand().getUnspecifiedType() instanceof CharType - or - // Operations on calls to functions that accept char or char* - a.getAnOperand().(Call).getAnArgument().getUnspecifiedType().stripType() instanceof CharType + exists(Expr op | op = a.getAnOperand() | + op.getUnspecifiedType() instanceof PointerType + or + op.getUnspecifiedType() instanceof CharType + or + // Operations on calls to functions that accept char or char* + op.(Call).getAnArgument().getUnspecifiedType().stripType() instanceof CharType + ) or // Operations on calls to functions named like "strlen", "wcslen", etc this.(BinaryArithmeticOperation).getAnOperand().(Call).getTarget().getName().matches("%len%") From d1811bc1fe27b8934e29206fb079d242b8eb1ecf Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 12 Feb 2026 11:19:24 -0500 Subject: [PATCH 054/110] C++: Removing unnecessary post update node. --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index decaa6fb9b4..87733f0f69d 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -434,8 +434,7 @@ predicate yearAssignmentToCheckCommonSteps(DataFlow::Node node1, DataFlow::Node node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr() or // Pass through any intermediate struct - exists(Assignment a, DataFlow::PostUpdateNode pun | - a.getLValue().(YearFieldAccess).getQualifier*() = pun.getPreUpdateNode().asExpr() and + exists(Assignment a | a.getRValue() = node1.asExpr() and node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*() ) From edb2ed8df278890c96267cf49a1498f29a73a1a8 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 11 Feb 2026 14:10:14 +0100 Subject: [PATCH 055/110] C#: Extract the implicit property backing field when referenced via the field keyword. --- .../Entities/Expressions/Factory.cs | 3 ++ .../Expressions/PropertyFieldAccess.cs | 28 +++++++++++ .../Entities/Field.cs | 2 +- .../Entities/PropertyField.cs | 50 +++++++++++++++++++ 4 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PropertyFieldAccess.cs create mode 100644 csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs index 0da8de1e5d5..ed8dae3738f 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs @@ -160,6 +160,9 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions case SyntaxKind.ThisExpression: return This.CreateExplicit(info); + case SyntaxKind.FieldExpression: + return PropertyFieldAccess.Create(info); + case SyntaxKind.AddressOfExpression: return Unary.Create(info.SetKind(ExprKind.ADDRESS_OF)); diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PropertyFieldAccess.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PropertyFieldAccess.cs new file mode 100644 index 00000000000..a9d2afa84c9 --- /dev/null +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PropertyFieldAccess.cs @@ -0,0 +1,28 @@ +using System.IO; +using Microsoft.CodeAnalysis; +using Microsoft.CodeAnalysis.CSharp.Syntax; +using Semmle.Extraction.Kinds; + +namespace Semmle.Extraction.CSharp.Entities.Expressions +{ + internal class PropertyFieldAccess : Expression + { + private PropertyFieldAccess(ExpressionNodeInfo info) : base(info.SetKind(ExprKind.FIELD_ACCESS)) { } + + public static Expression Create(ExpressionNodeInfo info) => new PropertyFieldAccess(info).TryPopulate(); + + protected override void PopulateExpression(TextWriter trapFile) + { + var symbolInfo = Context.GetSymbolInfo(Syntax); + if (symbolInfo.Symbol is IFieldSymbol field) + { + var target = PropertyField.Create(Context, field); + trapFile.expr_access(this, target); + if (!field.IsStatic) + { + This.CreateImplicit(Context, field.ContainingType, Location, this, -1); + } + } + } + } +} diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs index 9a010aad376..329115f11c7 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs @@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities { internal class Field : CachedSymbol, IExpressionParentEntity { - private Field(Context cx, IFieldSymbol init) + protected Field(Context cx, IFieldSymbol init) : base(cx, init) { type = new Lazy(() => Entities.Type.Create(cx, Symbol.Type)); diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs new file mode 100644 index 00000000000..7567a9e8960 --- /dev/null +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs @@ -0,0 +1,50 @@ +using System.IO; +using Microsoft.CodeAnalysis; +using Semmle.Extraction.CSharp.Util; +using Semmle.Extraction.Kinds; + +namespace Semmle.Extraction.CSharp.Entities +{ + /// + /// Represents the autogenerated backing field `field` for a property. + /// It is only created for properties that use the `field` keyword in their getter or setter, and + /// is not created for auto-properties. + /// + internal class PropertyField : Field + { + protected PropertyField(Context cx, IFieldSymbol init) + : base(cx, init) + { + } + + public static new PropertyField Create(Context cx, IFieldSymbol field) => PropertyFieldFactory.Instance.CreateEntity(cx, (field, field.AssociatedSymbol), field); + + public override bool NeedsPopulation => true; + + public override void Populate(TextWriter trapFile) + { + PopulateNullability(trapFile, Symbol.GetAnnotatedType()); + + var unboundFieldKey = PropertyField.Create(Context, Symbol.OriginalDefinition); + var name = Symbol.AssociatedSymbol is not null ? $"{Symbol.AssociatedSymbol.GetName()}.field" : Symbol.Name; + trapFile.fields(this, VariableKind.None, name, ContainingType!, Type.TypeRef, unboundFieldKey); + + if (Context.OnlyScaffold) + { + return; + } + + if (Context.ExtractLocation(Symbol)) + { + WriteLocationsToTrap(trapFile.field_location, this, Locations); + } + } + + private class PropertyFieldFactory : CachedEntityFactory + { + public static PropertyFieldFactory Instance { get; } = new PropertyFieldFactory(); + + public override PropertyField Create(Context cx, IFieldSymbol init) => new PropertyField(cx, init); + } + } +} From 113f3e880b403b1bf04bc60ca8cc11df5546a4d9 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 11 Feb 2026 14:55:55 +0100 Subject: [PATCH 056/110] C#: Add property test case where the field keyword is used. --- .../library-tests/properties/PrintAst.expected | 16 ++++++++++++++++ .../properties/Properties17.expected | 1 + .../library-tests/properties/Properties17.ql | 2 +- .../test/library-tests/properties/properties.cs | 9 +++++++++ 4 files changed, 27 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/library-tests/properties/PrintAst.expected b/csharp/ql/test/library-tests/properties/PrintAst.expected index 2df3ee3f5e8..711e417558e 100644 --- a/csharp/ql/test/library-tests/properties/PrintAst.expected +++ b/csharp/ql/test/library-tests/properties/PrintAst.expected @@ -230,3 +230,19 @@ properties.cs: #-----| 2: (Parameters) # 124| 0: [Parameter] value # 124| 4: [BlockStmt] {...} +# 128| 10: [Class] UseFieldKeyword +# 130| 6: [Property] Prop +# 130| -1: [TypeMention] object +# 132| 3: [Getter] get_Prop +# 132| 4: [BlockStmt] {...} +# 132| 0: [ReturnStmt] return ...; +# 132| 0: [FieldAccess] access to field Prop.field +# 133| 4: [Setter] set_Prop +#-----| 2: (Parameters) +# 133| 0: [Parameter] value +# 133| 4: [BlockStmt] {...} +# 133| 0: [ExprStmt] ...; +# 133| 0: [AssignExpr] ... = ... +# 133| 0: [FieldAccess] access to field Prop.field +# 133| 1: [ParameterAccess] access to parameter value +# 130| 7: [Field] Prop.field diff --git a/csharp/ql/test/library-tests/properties/Properties17.expected b/csharp/ql/test/library-tests/properties/Properties17.expected index 47b563e2676..ee817a63df9 100644 --- a/csharp/ql/test/library-tests/properties/Properties17.expected +++ b/csharp/ql/test/library-tests/properties/Properties17.expected @@ -1,3 +1,4 @@ +| Prop.field | | caption | | next | | y | diff --git a/csharp/ql/test/library-tests/properties/Properties17.ql b/csharp/ql/test/library-tests/properties/Properties17.ql index ca53f5423aa..6bd668ec118 100644 --- a/csharp/ql/test/library-tests/properties/Properties17.ql +++ b/csharp/ql/test/library-tests/properties/Properties17.ql @@ -1,5 +1,5 @@ /** - * @name Test that there are no backing fields + * @name Test that there are no backing fields except for properties that use the `field` keyword in their getter or setter. */ import csharp diff --git a/csharp/ql/test/library-tests/properties/properties.cs b/csharp/ql/test/library-tests/properties/properties.cs index 57ffa7a31a5..2f88214ec75 100644 --- a/csharp/ql/test/library-tests/properties/properties.cs +++ b/csharp/ql/test/library-tests/properties/properties.cs @@ -124,4 +124,13 @@ namespace Properties set { } } } + + class UseFieldKeyword + { + public object Prop + { + get { return field; } + set { field = value; } + } + } } From 97c026761478941374a9975de02709973177487a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 12 Feb 2026 11:44:39 +0100 Subject: [PATCH 057/110] C#: Add data flow test for properties using the field keyword. --- .../test/library-tests/dataflow/fields/D.cs | 62 +++++ .../dataflow/fields/FieldFlow.expected | 254 ++++++++++++++++++ 2 files changed, 316 insertions(+) diff --git a/csharp/ql/test/library-tests/dataflow/fields/D.cs b/csharp/ql/test/library-tests/dataflow/fields/D.cs index 7f07cf5ca0b..45dfbffc801 100644 --- a/csharp/ql/test/library-tests/dataflow/fields/D.cs +++ b/csharp/ql/test/library-tests/dataflow/fields/D.cs @@ -89,3 +89,65 @@ public partial class DPartial static T Source(object source) => throw null; } + +public class DFieldProps +{ + object FieldProp0 + { + get { return field; } + set { field = value; } + } = Source(0); + + object FieldProp1 + { + get { return field; } + set { field = value; } + } + + object FieldProp2 + { + get { return field; } + set + { + var x = value; + field = x; + } + } + + static object StaticFieldProp + { + get { return field; } + set { field = value; } + } + + private void M() + { + var d0 = new DFieldProps(); + Sink(d0.FieldProp0); // $ hasValueFlow=0 + Sink(d0.FieldProp1); // no flow + Sink(d0.FieldProp2); // no flow + + var d1 = new DFieldProps(); + var o1 = Source(1); + d1.FieldProp1 = o1; + Sink(d1.FieldProp0); // $ hasValueFlow=0 + Sink(d1.FieldProp1); // $ hasValueFlow=1 + Sink(d1.FieldProp2); // no flow + + var d2 = new DFieldProps(); + var o2 = Source(2); + d2.FieldProp2 = o2; + Sink(d2.FieldProp0); // $ hasValueFlow=0 + Sink(d2.FieldProp1); // no flow + Sink(d2.FieldProp2); // $ hasValueFlow=2 + + var o3 = Source(3); + DFieldProps.StaticFieldProp = o3; + Sink(DFieldProps.StaticFieldProp); // $ hasValueFlow=3 + } + + public static void Sink(object o) { } + + static T Source(object source) => throw null; + +} diff --git a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected index 4e469e11887..44789d1f847 100644 --- a/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected +++ b/csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected @@ -532,6 +532,118 @@ edges | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:60:9:60:11 | this : DPartial [field _backingField] : Object | provenance | | | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:84:14:84:27 | access to property PartialProp1 | provenance | | | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:84:14:84:27 | access to property PartialProp1 | provenance | | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | provenance | | +| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | provenance | | +| D.cs:98:9:98:11 | value : Object | D.cs:98:23:98:27 | access to parameter value : Object | provenance | | +| D.cs:98:9:98:11 | value : Object | D.cs:98:23:98:27 | access to parameter value : Object | provenance | | +| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:98:23:98:27 | access to parameter value : Object | D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:98:23:98:27 | access to parameter value : Object | D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:99:9:99:25 | call to method Source : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:99:9:99:25 | call to method Source : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:99:9:99:25 | call to method Source : Object | D.cs:98:9:98:11 | value : Object | provenance | | +| D.cs:99:9:99:25 | call to method Source : Object | D.cs:98:9:98:11 | value : Object | provenance | | +| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | provenance | | +| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | provenance | | +| D.cs:104:9:104:11 | value : Object | D.cs:104:23:104:27 | access to parameter value : Object | provenance | | +| D.cs:104:9:104:11 | value : Object | D.cs:104:23:104:27 | access to parameter value : Object | provenance | | +| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:104:23:104:27 | access to parameter value : Object | D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:104:23:104:27 | access to parameter value : Object | D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | provenance | | +| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | provenance | | +| D.cs:110:9:110:11 | value : Object | D.cs:112:17:112:17 | access to local variable x : Object | provenance | | +| D.cs:110:9:110:11 | value : Object | D.cs:112:17:112:17 | access to local variable x : Object | provenance | | +| D.cs:112:17:112:17 | access to local variable x : Object | D.cs:113:21:113:21 | access to local variable x : Object | provenance | | +| D.cs:112:17:112:17 | access to local variable x : Object | D.cs:113:21:113:21 | access to local variable x : Object | provenance | | +| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:113:21:113:21 | access to local variable x : Object | D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:113:21:113:21 | access to local variable x : Object | D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance | | +| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance | | +| D.cs:120:9:120:11 | value : Object | D.cs:120:23:120:27 | access to parameter value : Object | provenance | | +| D.cs:120:9:120:11 | value : Object | D.cs:120:23:120:27 | access to parameter value : Object | provenance | | +| D.cs:120:23:120:27 | access to parameter value : Object | D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | provenance | | +| D.cs:120:23:120:27 | access to parameter value : Object | D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | provenance | | +| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:26 | access to property FieldProp0 | provenance | | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:26 | access to property FieldProp0 | provenance | | +| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:131:13:131:14 | access to local variable o1 : Object | D.cs:132:25:132:26 | access to local variable o1 : Object | provenance | | +| D.cs:131:13:131:14 | access to local variable o1 : Object | D.cs:132:25:132:26 | access to local variable o1 : Object | provenance | | +| D.cs:131:18:131:34 | call to method Source : Object | D.cs:131:13:131:14 | access to local variable o1 : Object | provenance | | +| D.cs:131:18:131:34 | call to method Source : Object | D.cs:131:13:131:14 | access to local variable o1 : Object | provenance | | +| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | provenance | | +| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | provenance | | +| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:26 | access to property FieldProp0 | provenance | | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:26 | access to property FieldProp0 | provenance | | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | provenance | | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:26 | access to property FieldProp1 | provenance | | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:26 | access to property FieldProp1 | provenance | | +| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:138:13:138:14 | access to local variable o2 : Object | D.cs:139:25:139:26 | access to local variable o2 : Object | provenance | | +| D.cs:138:13:138:14 | access to local variable o2 : Object | D.cs:139:25:139:26 | access to local variable o2 : Object | provenance | | +| D.cs:138:18:138:34 | call to method Source : Object | D.cs:138:13:138:14 | access to local variable o2 : Object | provenance | | +| D.cs:138:18:138:34 | call to method Source : Object | D.cs:138:13:138:14 | access to local variable o2 : Object | provenance | | +| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | provenance | | +| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | provenance | | +| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance | | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:26 | access to property FieldProp0 | provenance | | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:26 | access to property FieldProp0 | provenance | | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | provenance | | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:26 | access to property FieldProp2 | provenance | | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:26 | access to property FieldProp2 | provenance | | +| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:9:145:35 | access to property StaticFieldProp : Object | provenance | | +| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:9:145:35 | access to property StaticFieldProp : Object | provenance | | +| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:39:145:40 | access to local variable o3 : Object | provenance | | +| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:39:145:40 | access to local variable o3 : Object | provenance | | +| D.cs:144:18:144:34 | call to method Source : Object | D.cs:144:13:144:14 | access to local variable o3 : Object | provenance | | +| D.cs:144:18:144:34 | call to method Source : Object | D.cs:144:13:144:14 | access to local variable o3 : Object | provenance | | +| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance | | +| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance | | +| D.cs:145:39:145:40 | access to local variable o3 : Object | D.cs:120:9:120:11 | value : Object | provenance | | +| D.cs:145:39:145:40 | access to local variable o3 : Object | D.cs:120:9:120:11 | value : Object | provenance | | | E.cs:8:29:8:29 | o : Object | E.cs:11:21:11:21 | access to parameter o : Object | provenance | | | E.cs:8:29:8:29 | o : Object | E.cs:11:21:11:21 | access to parameter o : Object | provenance | | | E.cs:11:9:11:11 | [post] access to local variable ret : S [field Field] : Object | E.cs:12:16:12:18 | access to local variable ret : S [field Field] : Object | provenance | | @@ -1807,6 +1919,120 @@ nodes | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | semmle.label | access to local variable d : DPartial [field _backingField] : Object | | D.cs:84:14:84:27 | access to property PartialProp1 | semmle.label | access to property PartialProp1 | | D.cs:84:14:84:27 | access to property PartialProp1 | semmle.label | access to property PartialProp1 | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | semmle.label | this : DFieldProps [field FieldProp0.field] : Object | +| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | semmle.label | this : DFieldProps [field FieldProp0.field] : Object | +| D.cs:97:22:97:26 | access to field FieldProp0.field : Object | semmle.label | access to field FieldProp0.field : Object | +| D.cs:97:22:97:26 | access to field FieldProp0.field : Object | semmle.label | access to field FieldProp0.field : Object | +| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp0.field] : Object | +| D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp0.field] : Object | +| D.cs:98:9:98:11 | value : Object | semmle.label | value : Object | +| D.cs:98:9:98:11 | value : Object | semmle.label | value : Object | +| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:98:23:98:27 | access to parameter value : Object | semmle.label | access to parameter value : Object | +| D.cs:98:23:98:27 | access to parameter value : Object | semmle.label | access to parameter value : Object | +| D.cs:99:9:99:25 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:99:9:99:25 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | semmle.label | this : DFieldProps [field FieldProp1.field] : Object | +| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | semmle.label | this : DFieldProps [field FieldProp1.field] : Object | +| D.cs:103:22:103:26 | access to field FieldProp1.field : Object | semmle.label | access to field FieldProp1.field : Object | +| D.cs:103:22:103:26 | access to field FieldProp1.field : Object | semmle.label | access to field FieldProp1.field : Object | +| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | this access : DFieldProps [field FieldProp1.field] : Object | +| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | this access : DFieldProps [field FieldProp1.field] : Object | +| D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp1.field] : Object | +| D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp1.field] : Object | +| D.cs:104:9:104:11 | value : Object | semmle.label | value : Object | +| D.cs:104:9:104:11 | value : Object | semmle.label | value : Object | +| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp1.field] : Object | +| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp1.field] : Object | +| D.cs:104:23:104:27 | access to parameter value : Object | semmle.label | access to parameter value : Object | +| D.cs:104:23:104:27 | access to parameter value : Object | semmle.label | access to parameter value : Object | +| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | semmle.label | this : DFieldProps [field FieldProp2.field] : Object | +| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | semmle.label | this : DFieldProps [field FieldProp2.field] : Object | +| D.cs:109:22:109:26 | access to field FieldProp2.field : Object | semmle.label | access to field FieldProp2.field : Object | +| D.cs:109:22:109:26 | access to field FieldProp2.field : Object | semmle.label | access to field FieldProp2.field : Object | +| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | this access : DFieldProps [field FieldProp2.field] : Object | +| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | this access : DFieldProps [field FieldProp2.field] : Object | +| D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp2.field] : Object | +| D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp2.field] : Object | +| D.cs:110:9:110:11 | value : Object | semmle.label | value : Object | +| D.cs:110:9:110:11 | value : Object | semmle.label | value : Object | +| D.cs:112:17:112:17 | access to local variable x : Object | semmle.label | access to local variable x : Object | +| D.cs:112:17:112:17 | access to local variable x : Object | semmle.label | access to local variable x : Object | +| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp2.field] : Object | +| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp2.field] : Object | +| D.cs:113:21:113:21 | access to local variable x : Object | semmle.label | access to local variable x : Object | +| D.cs:113:21:113:21 | access to local variable x : Object | semmle.label | access to local variable x : Object | +| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | semmle.label | access to field StaticFieldProp.field : Object | +| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | semmle.label | access to field StaticFieldProp.field : Object | +| D.cs:120:9:120:11 | value : Object | semmle.label | value : Object | +| D.cs:120:9:120:11 | value : Object | semmle.label | value : Object | +| D.cs:120:23:120:27 | access to parameter value : Object | semmle.label | access to parameter value : Object | +| D.cs:120:23:120:27 | access to parameter value : Object | semmle.label | access to parameter value : Object | +| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | +| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:126:14:126:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 | +| D.cs:126:14:126:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 | +| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | +| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | +| D.cs:131:13:131:14 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object | +| D.cs:131:13:131:14 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object | +| D.cs:131:18:131:34 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:131:18:131:34 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | +| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | +| D.cs:132:25:132:26 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object | +| D.cs:132:25:132:26 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:133:14:133:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 | +| D.cs:133:14:133:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | +| D.cs:134:14:134:26 | access to property FieldProp1 | semmle.label | access to property FieldProp1 | +| D.cs:134:14:134:26 | access to property FieldProp1 | semmle.label | access to property FieldProp1 | +| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | +| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | +| D.cs:138:13:138:14 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object | +| D.cs:138:13:138:14 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object | +| D.cs:138:18:138:34 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:138:18:138:34 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | +| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | +| D.cs:139:25:139:26 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object | +| D.cs:139:25:139:26 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | +| D.cs:140:14:140:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 | +| D.cs:140:14:140:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | +| D.cs:142:14:142:26 | access to property FieldProp2 | semmle.label | access to property FieldProp2 | +| D.cs:142:14:142:26 | access to property FieldProp2 | semmle.label | access to property FieldProp2 | +| D.cs:144:13:144:14 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object | +| D.cs:144:13:144:14 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object | +| D.cs:144:18:144:34 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:144:18:144:34 | call to method Source : Object | semmle.label | call to method Source : Object | +| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | semmle.label | access to property StaticFieldProp : Object | +| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | semmle.label | access to property StaticFieldProp : Object | +| D.cs:145:39:145:40 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object | +| D.cs:145:39:145:40 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object | +| D.cs:146:14:146:40 | access to property StaticFieldProp | semmle.label | access to property StaticFieldProp | +| D.cs:146:14:146:40 | access to property StaticFieldProp | semmle.label | access to property StaticFieldProp | | E.cs:8:29:8:29 | o : Object | semmle.label | o : Object | | E.cs:8:29:8:29 | o : Object | semmle.label | o : Object | | E.cs:11:9:11:11 | [post] access to local variable ret : S [field Field] : Object | semmle.label | [post] access to local variable ret : S [field Field] : Object | @@ -2648,6 +2874,22 @@ subpaths | D.cs:81:26:81:26 | access to local variable o : Object | D.cs:61:9:61:11 | value : Object | D.cs:61:9:61:11 | this [Return] : DPartial [field _backingField] : Object | D.cs:81:9:81:9 | [post] access to local variable d : DPartial [field _backingField] : Object | | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:60:9:60:11 | this : DPartial [field _backingField] : Object | D.cs:60:22:60:34 | access to field _backingField : Object | D.cs:84:14:84:27 | access to property PartialProp1 | | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:60:9:60:11 | this : DPartial [field _backingField] : Object | D.cs:60:22:60:34 | access to field _backingField : Object | D.cs:84:14:84:27 | access to property PartialProp1 | +| D.cs:99:9:99:25 | call to method Source : Object | D.cs:98:9:98:11 | value : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:99:9:99:25 | call to method Source : Object | D.cs:98:9:98:11 | value : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:126:14:126:26 | access to property FieldProp0 | +| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:126:14:126:26 | access to property FieldProp0 | +| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | +| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:133:14:133:26 | access to property FieldProp0 | +| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:133:14:133:26 | access to property FieldProp0 | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | D.cs:134:14:134:26 | access to property FieldProp1 | +| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | D.cs:134:14:134:26 | access to property FieldProp1 | +| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | +| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:140:14:140:26 | access to property FieldProp0 | +| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:140:14:140:26 | access to property FieldProp0 | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | D.cs:142:14:142:26 | access to property FieldProp2 | +| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | D.cs:142:14:142:26 | access to property FieldProp2 | | E.cs:23:25:23:25 | access to local variable o : Object | E.cs:8:29:8:29 | o : Object | E.cs:12:16:12:18 | access to local variable ret : S [field Field] : Object | E.cs:23:17:23:26 | call to method CreateS : S [field Field] : Object | | E.cs:23:25:23:25 | access to local variable o : Object | E.cs:8:29:8:29 | o : Object | E.cs:12:16:12:18 | access to local variable ret : S [field Field] : Object | E.cs:23:17:23:26 | call to method CreateS : S [field Field] : Object | | E.cs:55:29:55:33 | access to local variable taint : Object | E.cs:43:46:43:46 | o : Object | E.cs:43:36:43:36 | s [Return] : RefS [field RefField] : Object | E.cs:55:23:55:26 | [post] access to local variable refs : RefS [field RefField] : Object | @@ -2758,6 +3000,18 @@ testFailures | D.cs:47:14:47:26 | access to property ComplexProp | D.cs:43:32:43:48 | call to method Source : Object | D.cs:47:14:47:26 | access to property ComplexProp | $@ | D.cs:43:32:43:48 | call to method Source : Object | call to method Source : Object | | D.cs:84:14:84:27 | access to property PartialProp1 | D.cs:78:17:78:33 | call to method Source : Object | D.cs:84:14:84:27 | access to property PartialProp1 | $@ | D.cs:78:17:78:33 | call to method Source : Object | call to method Source : Object | | D.cs:84:14:84:27 | access to property PartialProp1 | D.cs:78:17:78:33 | call to method Source : Object | D.cs:84:14:84:27 | access to property PartialProp1 | $@ | D.cs:78:17:78:33 | call to method Source : Object | call to method Source : Object | +| D.cs:126:14:126:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source : Object | D.cs:126:14:126:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source : Object | call to method Source : Object | +| D.cs:126:14:126:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source : Object | D.cs:126:14:126:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source : Object | call to method Source : Object | +| D.cs:133:14:133:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source : Object | D.cs:133:14:133:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source : Object | call to method Source : Object | +| D.cs:133:14:133:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source : Object | D.cs:133:14:133:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source : Object | call to method Source : Object | +| D.cs:134:14:134:26 | access to property FieldProp1 | D.cs:131:18:131:34 | call to method Source : Object | D.cs:134:14:134:26 | access to property FieldProp1 | $@ | D.cs:131:18:131:34 | call to method Source : Object | call to method Source : Object | +| D.cs:134:14:134:26 | access to property FieldProp1 | D.cs:131:18:131:34 | call to method Source : Object | D.cs:134:14:134:26 | access to property FieldProp1 | $@ | D.cs:131:18:131:34 | call to method Source : Object | call to method Source : Object | +| D.cs:140:14:140:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source : Object | D.cs:140:14:140:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source : Object | call to method Source : Object | +| D.cs:140:14:140:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source : Object | D.cs:140:14:140:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source : Object | call to method Source : Object | +| D.cs:142:14:142:26 | access to property FieldProp2 | D.cs:138:18:138:34 | call to method Source : Object | D.cs:142:14:142:26 | access to property FieldProp2 | $@ | D.cs:138:18:138:34 | call to method Source : Object | call to method Source : Object | +| D.cs:142:14:142:26 | access to property FieldProp2 | D.cs:138:18:138:34 | call to method Source : Object | D.cs:142:14:142:26 | access to property FieldProp2 | $@ | D.cs:138:18:138:34 | call to method Source : Object | call to method Source : Object | +| D.cs:146:14:146:40 | access to property StaticFieldProp | D.cs:144:18:144:34 | call to method Source : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | $@ | D.cs:144:18:144:34 | call to method Source : Object | call to method Source : Object | +| D.cs:146:14:146:40 | access to property StaticFieldProp | D.cs:144:18:144:34 | call to method Source : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | $@ | D.cs:144:18:144:34 | call to method Source : Object | call to method Source : Object | | E.cs:24:14:24:20 | access to field Field | E.cs:22:17:22:33 | call to method Source : Object | E.cs:24:14:24:20 | access to field Field | $@ | E.cs:22:17:22:33 | call to method Source : Object | call to method Source : Object | | E.cs:24:14:24:20 | access to field Field | E.cs:22:17:22:33 | call to method Source : Object | E.cs:24:14:24:20 | access to field Field | $@ | E.cs:22:17:22:33 | call to method Source : Object | call to method Source : Object | | E.cs:57:14:57:26 | access to field RefField | E.cs:54:21:54:37 | call to method Source : Object | E.cs:57:14:57:26 | access to field RefField | $@ | E.cs:54:21:54:37 | call to method Source : Object | call to method Source : Object | From d93f4850df3c46b5dcb61a033afde056bebea8c0 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 12 Feb 2026 11:53:05 +0100 Subject: [PATCH 058/110] C#: Add change-note. --- csharp/ql/lib/change-notes/2026-02-12-field-keyword.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2026-02-12-field-keyword.md diff --git a/csharp/ql/lib/change-notes/2026-02-12-field-keyword.md b/csharp/ql/lib/change-notes/2026-02-12-field-keyword.md new file mode 100644 index 00000000000..7ca6548b27f --- /dev/null +++ b/csharp/ql/lib/change-notes/2026-02-12-field-keyword.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* C# 14: Added support for the `field` keyword in properties. From c3a1eb181eb7643d023eae9058d40e5e296cd8aa Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 13 Feb 2026 12:41:51 +0100 Subject: [PATCH 059/110] C#: Extract field modifiers and tag the field as being compiler generated. --- .../Semmle.Extraction.CSharp/Entities/PropertyField.cs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs index 7567a9e8960..9e9b1f41fff 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs @@ -28,6 +28,9 @@ namespace Semmle.Extraction.CSharp.Entities var unboundFieldKey = PropertyField.Create(Context, Symbol.OriginalDefinition); var name = Symbol.AssociatedSymbol is not null ? $"{Symbol.AssociatedSymbol.GetName()}.field" : Symbol.Name; trapFile.fields(this, VariableKind.None, name, ContainingType!, Type.TypeRef, unboundFieldKey); + trapFile.compiler_generated(this); + + PopulateModifiers(trapFile); if (Context.OnlyScaffold) { From a5e6f6daf93e1ff8b57e5b19e5fb4571832fda17 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 12:21:04 +0000 Subject: [PATCH 060/110] Replace "javax" with `javaxOrJakarta()` This is just a find-replace of `"javax` with `javaxOrJakarta() + "`. --- java/ql/lib/experimental/quantum/JCA.qll | 58 ++++++---- java/ql/lib/semmle/code/java/J2EE.qll | 30 ++++-- java/ql/lib/semmle/code/java/JMX.qll | 16 +-- .../semmle/code/java/deadcode/EntryPoints.qll | 8 +- .../code/java/deadcode/WebEntryPoints.qll | 2 +- .../lib/semmle/code/java/frameworks/JAXB.qll | 6 +- .../code/java/frameworks/JavaxAnnotations.qll | 58 ++++++---- .../lib/semmle/code/java/frameworks/JaxWS.qll | 12 ++- .../lib/semmle/code/java/frameworks/Jms.qll | 2 +- .../lib/semmle/code/java/frameworks/Jndi.qll | 14 +-- .../lib/semmle/code/java/frameworks/Mail.qll | 2 +- .../code/java/frameworks/Networking.qll | 2 +- .../semmle/code/java/frameworks/Servlets.qll | 38 ++++--- .../frameworks/javaee/JavaServerFaces.qll | 2 +- .../java/frameworks/javaee/Persistence.qll | 4 +- .../code/java/frameworks/javaee/Xml.qll | 2 +- .../code/java/frameworks/javaee/ejb/EJB.qll | 100 +++++++++++------- .../frameworks/javaee/ejb/EJBRestrictions.qll | 4 +- .../frameworks/javaee/jsf/JSFAnnotations.qll | 4 +- .../frameworks/javaee/jsf/JSFRenderer.qll | 3 +- .../java/frameworks/spring/SpringAutowire.qll | 8 +- .../frameworks/spring/SpringController.qll | 20 +++- .../security/CleartextStorageCookieQuery.qll | 7 +- .../semmle/code/java/security/Encryption.qll | 38 ++++--- .../security/InsecureBeanValidationQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/XSS.qll | 2 +- .../semmle/code/java/security/XmlParsers.qll | 40 ++++--- .../code/java/security/XsltInjection.qll | 10 +- .../Compatibility/JDK9/JdkInternalAccess.ql | 4 +- .../Swing/BadlyOverriddenAdapter.ql | 2 +- .../Frameworks/Swing/ThreadSafety.ql | 7 +- .../CWE-1004/SensitiveCookieNotHttpOnly.ql | 7 +- .../CWE/CWE-319/UseSSLSocketFactories.ql | 2 +- .../CWE-094/JakartaExpressionInjectionLib.qll | 2 +- .../Security/CWE/CWE-094/ScriptInjection.ql | 17 ++- .../CWE/CWE-094/SpringViewManipulationLib.qll | 2 +- .../NonConstantTimeCheckOnSignatureQuery.qll | 12 +-- .../Security/CWE/CWE-327/SslLib.qll | 2 +- .../CWE/CWE-400/LocalThreadResourceAbuse.ql | 5 +- .../Security/CWE/CWE-489/WebComponentMain.ql | 7 +- .../CWE/CWE-625/PermissiveDotRegexQuery.qll | 4 +- .../CWE/CWE-652/XQueryInjectionLib.qll | 8 +- .../InsecureRmiJmxEnvironmentConfiguration.ql | 8 +- .../semmle/code/java/frameworks/Jsf.qll | 3 +- .../modelgenerator/internal/CaptureModels.qll | 2 +- 45 files changed, 370 insertions(+), 218 deletions(-) diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll index b1b536a3ccb..feac5aaf0ea 100644 --- a/java/ql/lib/experimental/quantum/JCA.qll +++ b/java/ql/lib/experimental/quantum/JCA.qll @@ -295,7 +295,7 @@ module JCAModel { class CipherGetInstanceCall extends MethodCall { CipherGetInstanceCall() { - this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "getInstance") + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "getInstance") } Expr getAlgorithmArg() { result = this.getArgument(0) } @@ -307,7 +307,8 @@ module JCAModel { private class CipherOperationCall extends MethodCall { CipherOperationCall() { this.getMethod() - .hasQualifiedName("javax.crypto", "Cipher", ["update", "doFinal", "wrap", "unwrap"]) + .hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", + ["update", "doFinal", "wrap", "unwrap"]) } predicate isIntermediate() { this.getMethod().getName() = "update" } @@ -474,7 +475,9 @@ module JCAModel { * An access to the `javax.crypto.Cipher` class. */ private class CipherAccess extends TypeAccess { - CipherAccess() { this.getType().(Class).hasQualifiedName("javax.crypto", "Cipher") } + CipherAccess() { + this.getType().(Class).hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher") + } } /** @@ -708,7 +711,9 @@ module JCAModel { // and through setter methods class IvParameterSpecInstance extends NonceParameterInstantiation { IvParameterSpecInstance() { - super.getConstructedType().hasQualifiedName("javax.crypto.spec", "IvParameterSpec") + super + .getConstructedType() + .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec") } override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(0) } @@ -717,7 +722,9 @@ module JCAModel { // TODO: this also specifies the tag length for GCM class GCMParameterSpecInstance extends NonceParameterInstantiation { GCMParameterSpecInstance() { - super.getConstructedType().hasQualifiedName("javax.crypto.spec", "GCMParameterSpec") + super + .getConstructedType() + .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "GCMParameterSpec") } override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(1) } @@ -725,7 +732,8 @@ module JCAModel { class IvParameterSpecGetIvCall extends MethodCall { IvParameterSpecGetIvCall() { - this.getMethod().hasQualifiedName("javax.crypto.spec", "IvParameterSpec", "getIV") + this.getMethod() + .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec", "getIV") } } @@ -797,7 +805,9 @@ module JCAModel { } class CipherInitCall extends MethodCall { - CipherInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "init") } + CipherInitCall() { + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "init") + } /** * Returns the mode argument to the `init` method @@ -966,7 +976,9 @@ module JCAModel { class DHGenParameterSpecInstance extends KeyGeneratorParameterSpecClassInstanceExpr { DHGenParameterSpecInstance() { - super.getConstructedType().hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec") + super + .getConstructedType() + .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "DHGenParameterSpec") } Expr getPrimeSizeArg() { result = this.getArgument(0) } @@ -1067,7 +1079,7 @@ module JCAModel { //TODO: Link getAlgorithm from KeyPairGenerator to algorithm instances or AVCs? High priority. class KeyGeneratorGetInstanceCall extends MethodCall { KeyGeneratorGetInstanceCall() { - this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "getInstance") + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "getInstance") or this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "getInstance") } @@ -1082,7 +1094,8 @@ module JCAModel { this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "initialize") and keyType = Crypto::TAsymmetricKeyType() or - this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", ["init", "initialize"]) and + this.getCallee() + .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", ["init", "initialize"]) and keyType = Crypto::TSymmetricKeyType() } @@ -1111,7 +1124,7 @@ module JCAModel { Crypto::KeyArtifactType type; KeyGeneratorGenerateCall() { - this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "generateKey") and + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "generateKey") and type instanceof Crypto::TSymmetricKeyType or this.getCallee() @@ -1176,7 +1189,7 @@ module JCAModel { class KeySpecInstantiation extends ClassInstanceExpr { KeySpecInstantiation() { this.getConstructedType() - .hasQualifiedName("javax.crypto.spec", + .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", ["PBEKeySpec", "SecretKeySpec", "PBEKeySpec", "DESedeKeySpec"]) } @@ -1227,7 +1240,8 @@ module JCAModel { class SecretKeyFactoryGetInstanceCall extends MethodCall { SecretKeyFactoryGetInstanceCall() { - this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "getInstance") + this.getCallee() + .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "getInstance") } Expr getAlgorithmArg() { result = this.getArgument(0) } @@ -1235,7 +1249,8 @@ module JCAModel { class SecretKeyFactoryGenerateSecretCall extends MethodCall { SecretKeyFactoryGenerateSecretCall() { - this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "generateSecret") + this.getCallee() + .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "generateSecret") } Expr getKeySpecArg() { result = this.getArgument(0) } @@ -1430,7 +1445,7 @@ module JCAModel { class KeyAgreementInitCall extends MethodCall { KeyAgreementInitCall() { - this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "init") + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "init") } Expr getServerKeyArg() { result = this.getArgument(0) } @@ -1438,7 +1453,7 @@ module JCAModel { class KeyAgreementGetInstanceCall extends MethodCall { KeyAgreementGetInstanceCall() { - this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "getInstance") + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "getInstance") } Expr getAlgorithmArg() { result = super.getArgument(0) } @@ -1482,7 +1497,8 @@ module JCAModel { class KeyAgreementCall extends MethodCall { KeyAgreementCall() { this.getCallee() - .hasQualifiedName("javax.crypto", "KeyAgreement", ["generateSecret", "doPhase"]) + .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", + ["generateSecret", "doPhase"]) } predicate isIntermediate() { this.getCallee().getName() = "doPhase" } @@ -1647,7 +1663,9 @@ module JCAModel { } class MacGetInstanceCall extends MethodCall { - MacGetInstanceCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "getInstance") } + MacGetInstanceCall() { + this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "getInstance") + } Expr getAlgorithmArg() { result = this.getArgument(0) } @@ -1663,7 +1681,7 @@ module JCAModel { } class MacInitCall extends MethodCall { - MacInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "init") } + MacInitCall() { this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "init") } Expr getKeyArg() { result = this.getArgument(0) and this.getMethod().getParameterType(0).hasName("Key") @@ -1691,7 +1709,7 @@ module JCAModel { Expr output; MacOperationCall() { - super.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and + super.getMethod().getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac") and ( super.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output or diff --git a/java/ql/lib/semmle/code/java/J2EE.qll b/java/ql/lib/semmle/code/java/J2EE.qll index 4412b3715e3..0f7473505df 100644 --- a/java/ql/lib/semmle/code/java/J2EE.qll +++ b/java/ql/lib/semmle/code/java/J2EE.qll @@ -9,49 +9,61 @@ import Type /** An entity bean. */ class EntityBean extends Class { EntityBean() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "EntityBean") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EntityBean") | + this.hasSupertype+(i) + ) } } /** An enterprise bean. */ class EnterpriseBean extends RefType { EnterpriseBean() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "EnterpriseBean") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EnterpriseBean") | + this.hasSupertype+(i) + ) } } /** A local EJB home interface. */ class LocalEjbHomeInterface extends Interface { LocalEjbHomeInterface() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalHome") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalHome") | + this.hasSupertype+(i) + ) } } /** A remote EJB home interface. */ class RemoteEjbHomeInterface extends Interface { RemoteEjbHomeInterface() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBHome") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") | + this.hasSupertype+(i) + ) } } /** A local EJB interface. */ class LocalEjbInterface extends Interface { LocalEjbInterface() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalObject") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalObject") | + this.hasSupertype+(i) + ) } } /** A remote EJB interface. */ class RemoteEjbInterface extends Interface { RemoteEjbInterface() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBObject") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") | + this.hasSupertype+(i) + ) } } /** A message bean. */ class MessageBean extends Class { MessageBean() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "MessageDrivenBean") | + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDrivenBean") | this.hasSupertype+(i) ) } @@ -60,6 +72,8 @@ class MessageBean extends Class { /** A session bean. */ class SessionBean extends Class { SessionBean() { - exists(Interface i | i.hasQualifiedName("javax.ejb", "SessionBean") | this.hasSupertype+(i)) + exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "SessionBean") | + this.hasSupertype+(i) + ) } } diff --git a/java/ql/lib/semmle/code/java/JMX.qll b/java/ql/lib/semmle/code/java/JMX.qll index 3f18e0ecf3d..a951b2a7d1a 100644 --- a/java/ql/lib/semmle/code/java/JMX.qll +++ b/java/ql/lib/semmle/code/java/JMX.qll @@ -18,7 +18,7 @@ class MBean extends ManagedBean { class MXBean extends ManagedBean { MXBean() { this.getQualifiedName().matches("%MXBean%") or - this.getAnAnnotation().getType().hasQualifiedName("javax.management", "MXBean") + this.getAnAnnotation().getType().hasQualifiedName(javaxOrJakarta() + ".management", "MXBean") } } @@ -61,7 +61,7 @@ class JmxRegistrationCall extends MethodCall { class JmxRegistrationMethod extends Method { JmxRegistrationMethod() { // A direct registration with the `MBeanServer`. - this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and + this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and this.getName() = "registerMBean" or // The `MBeanServer` is often wrapped by an application specific management class, so identify @@ -78,7 +78,7 @@ class JmxRegistrationMethod extends Method { */ int getObjectPosition() { // Passed as the first argument to `registerMBean`. - this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and + this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and this.getName() = "registerMBean" and result = 0 or @@ -92,16 +92,20 @@ class JmxRegistrationMethod extends Method { /** The class `javax.management.remote.JMXConnectorFactory`. */ class TypeJmxConnectorFactory extends Class { TypeJmxConnectorFactory() { - this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory") + this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXConnectorFactory") } } /** The class `javax.management.remote.JMXServiceURL`. */ class TypeJmxServiceUrl extends Class { - TypeJmxServiceUrl() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") } + TypeJmxServiceUrl() { + this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXServiceURL") + } } /** The class `javax.management.remote.rmi.RMIConnector`. */ class TypeRmiConnector extends Class { - TypeRmiConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") } + TypeRmiConnector() { + this.hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnector") + } } diff --git a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll index ec8ad6e2d4f..26444920a7e 100644 --- a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll +++ b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll @@ -316,7 +316,7 @@ class FacesComponentReflectivelyConstructedClass extends ReflectivelyConstructed * Entry point for EJB home interfaces. */ class EjbHome extends Interface, EntryPoint { - EjbHome() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBHome") } + EjbHome() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") } override Callable getALiveCallable() { result = this.getACallable() } } @@ -325,7 +325,7 @@ class EjbHome extends Interface, EntryPoint { * Entry point for EJB object interfaces. */ class EjbObject extends Interface, EntryPoint { - EjbObject() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBObject") } + EjbObject() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") } override Callable getALiveCallable() { result = this.getACallable() } } @@ -341,7 +341,9 @@ class GsonDeserializationEntryPoint extends ReflectivelyConstructedClass { class JaxbDeserializationEntryPoint extends ReflectivelyConstructedClass { JaxbDeserializationEntryPoint() { // A class can be deserialized by JAXB if it's an `XmlRootElement`... - this.getAnAnnotation().getType().hasQualifiedName("javax.xml.bind.annotation", "XmlRootElement") + this.getAnAnnotation() + .getType() + .hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation", "XmlRootElement") or // ... or the type of an `XmlElement` field. exists(Field elementField | diff --git a/java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll b/java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll index df9ef0a7b7c..63b142ae3ad 100644 --- a/java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll +++ b/java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll @@ -45,7 +45,7 @@ class ServletListenerClass extends ReflectivelyConstructedClass { */ class ServletFilterClass extends ReflectivelyConstructedClass { ServletFilterClass() { - this.getAnAncestor().hasQualifiedName("javax.servlet", "Filter") and + this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Filter") and // If we have seen any `web.xml` files, this filter will be considered to be live only if it is // referred to as a filter-class in at least one. If no `web.xml` files are found, we assume // that XML extraction was not enabled, and therefore consider all filter classes as live. diff --git a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll index 1283aa3d21e..c781abdb828 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll @@ -6,20 +6,20 @@ import semmle.code.java.Type class JaxbElement extends Class { JaxbElement() { - this.getAnAncestor().hasQualifiedName("javax.xml.bind", "JAXBElement") or + this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".xml.bind", "JAXBElement") or this.getAnAnnotation().getType().getName() = "XmlRootElement" } } class JaxbMarshalMethod extends Method { JaxbMarshalMethod() { - this.getDeclaringType().hasQualifiedName("javax.xml.bind", "Marshaller") and + this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".xml.bind", "Marshaller") and this.getName() = "marshal" } } class JaxbAnnotationType extends AnnotationType { - JaxbAnnotationType() { this.getPackage().getName() = "javax.xml.bind.annotation" } + JaxbAnnotationType() { this.getPackage().getName() = javaxOrJakarta() + ".xml.bind.annotation" } } class JaxbAnnotated extends Annotatable { diff --git a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll index 517f55fcc86..feb7381e496 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll @@ -14,35 +14,45 @@ import java * A `@javax.annotation.Generated` annotation. */ class GeneratedAnnotation extends Annotation { - GeneratedAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Generated") } + GeneratedAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Generated") + } } /** * A `@javax.annotation.PostConstruct` annotation. */ class PostConstructAnnotation extends Annotation { - PostConstructAnnotation() { this.getType().hasQualifiedName("javax.annotation", "PostConstruct") } + PostConstructAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "PostConstruct") + } } /** * A `@javax.annotation.PreDestroy` annotation. */ class PreDestroyAnnotation extends Annotation { - PreDestroyAnnotation() { this.getType().hasQualifiedName("javax.annotation", "PreDestroy") } + PreDestroyAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "PreDestroy") + } } /** * A `@javax.annotation.Resource` annotation. */ class ResourceAnnotation extends Annotation { - ResourceAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Resource") } + ResourceAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Resource") + } } /** * A `@javax.annotation.Resources` annotation. */ class ResourcesAnnotation extends Annotation { - ResourcesAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Resources") } + ResourcesAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Resources") + } } /** @@ -50,7 +60,7 @@ class ResourcesAnnotation extends Annotation { */ class JavaxManagedBeanAnnotation extends Annotation { JavaxManagedBeanAnnotation() { - this.getType().hasQualifiedName("javax.annotation", "ManagedBean") + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "ManagedBean") } } @@ -63,7 +73,7 @@ class JavaxManagedBeanAnnotation extends Annotation { */ class DeclareRolesAnnotation extends Annotation { DeclareRolesAnnotation() { - this.getType().hasQualifiedName("javax.annotation.security", "DeclareRoles") + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "DeclareRoles") } } @@ -71,7 +81,9 @@ class DeclareRolesAnnotation extends Annotation { * A `@javax.annotation.security.DenyAll` annotation. */ class DenyAllAnnotation extends Annotation { - DenyAllAnnotation() { this.getType().hasQualifiedName("javax.annotation.security", "DenyAll") } + DenyAllAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "DenyAll") + } } /** @@ -79,7 +91,7 @@ class DenyAllAnnotation extends Annotation { */ class PermitAllAnnotation extends Annotation { PermitAllAnnotation() { - this.getType().hasQualifiedName("javax.annotation.security", "PermitAll") + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "PermitAll") } } @@ -88,7 +100,7 @@ class PermitAllAnnotation extends Annotation { */ class RolesAllowedAnnotation extends Annotation { RolesAllowedAnnotation() { - this.getType().hasQualifiedName("javax.annotation.security", "RolesAllowed") + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "RolesAllowed") } } @@ -96,7 +108,9 @@ class RolesAllowedAnnotation extends Annotation { * A `@javax.annotation.security.RunAs` annotation. */ class RunAsAnnotation extends Annotation { - RunAsAnnotation() { this.getType().hasQualifiedName("javax.annotation.security", "RunAs") } + RunAsAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "RunAs") + } } /* @@ -107,7 +121,9 @@ class RunAsAnnotation extends Annotation { * A `@javax.interceptor.AroundInvoke` annotation. */ class AroundInvokeAnnotation extends Annotation { - AroundInvokeAnnotation() { this.getType().hasQualifiedName("javax.interceptor", "AroundInvoke") } + AroundInvokeAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "AroundInvoke") + } } /** @@ -115,7 +131,7 @@ class AroundInvokeAnnotation extends Annotation { */ class ExcludeClassInterceptorsAnnotation extends Annotation { ExcludeClassInterceptorsAnnotation() { - this.getType().hasQualifiedName("javax.interceptor", "ExcludeClassInterceptors") + this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "ExcludeClassInterceptors") } } @@ -124,7 +140,7 @@ class ExcludeClassInterceptorsAnnotation extends Annotation { */ class ExcludeDefaultInterceptorsAnnotation extends Annotation { ExcludeDefaultInterceptorsAnnotation() { - this.getType().hasQualifiedName("javax.interceptor", "ExcludeDefaultInterceptors") + this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "ExcludeDefaultInterceptors") } } @@ -132,7 +148,9 @@ class ExcludeDefaultInterceptorsAnnotation extends Annotation { * A `@javax.interceptor.Interceptors` annotation. */ class InterceptorsAnnotation extends Annotation { - InterceptorsAnnotation() { this.getType().hasQualifiedName("javax.interceptor", "Interceptors") } + InterceptorsAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "Interceptors") + } } /* @@ -143,14 +161,16 @@ class InterceptorsAnnotation extends Annotation { * A `@javax.jws.WebMethod` annotation. */ class WebMethodAnnotation extends Annotation { - WebMethodAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebMethod") } + WebMethodAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebMethod") } } /** * A `@javax.jws.WebService` annotation. */ class WebServiceAnnotation extends Annotation { - WebServiceAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebService") } + WebServiceAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebService") + } } /* @@ -161,7 +181,9 @@ class WebServiceAnnotation extends Annotation { * A `@javax.xml.ws.WebServiceRef` annotation. */ class WebServiceRefAnnotation extends Annotation { - WebServiceRefAnnotation() { this.getType().hasQualifiedName("javax.xml.ws", "WebServiceRef") } + WebServiceRefAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".xml.ws", "WebServiceRef") + } } /* diff --git a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll index 8b3ab081ee0..37494136565 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll @@ -13,7 +13,7 @@ private import semmle.code.java.security.XSS /** * Gets a name for the root package of JAX-RS. */ -string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] } +string getAJaxRsPackage() { result in [javaxOrJakarta() + ".ws.rs", "jakarta.ws.rs"] } /** * Gets a name for package `subpackage` within the JAX-RS hierarchy. @@ -42,7 +42,7 @@ class JaxWsEndpoint extends Class { result.isPublic() and not result instanceof InitializerMethod and not exists(Annotation a | a = result.getAnAnnotation() | - a.getType().hasQualifiedName(["javax", "jakarta"] + ".jws", "WebMethod") and + a.getType().hasQualifiedName([javaxOrJakarta() + "", "jakarta"] + ".jws", "WebMethod") and a.getValue("exclude").(BooleanLiteral).getBooleanValue() = true ) and forex(ParamOrReturn paramOrRet | paramOrRet = result.getAParameter() or paramOrRet = result | @@ -62,7 +62,7 @@ class JaxWsEndpoint extends Class { /** The annotation type `@XmlJavaTypeAdapter`. */ class XmlJavaTypeAdapter extends AnnotationType { XmlJavaTypeAdapter() { - this.hasQualifiedName(["javax", "jakarta"] + ".xml.bind.annotation.adapters", + this.hasQualifiedName([javaxOrJakarta() + "", "jakarta"] + ".xml.bind.annotation.adapters", "XmlJavaTypeAdapter") } } @@ -115,7 +115,7 @@ private class JaxAcceptableStandardClass extends RefType { this.hasQualifiedName("java.util", "Calendar") or this.hasQualifiedName("java.math", "BigInteger") or this.hasQualifiedName("java.math", "BigDecimal") or - this.hasQualifiedName("javax.xml.namespace", "QName") or + this.hasQualifiedName(javaxOrJakarta() + ".xml.namespace", "QName") or this instanceof TypeUri } } @@ -292,7 +292,9 @@ class JaxRSAnnotation extends Annotation { JaxRSAnnotation() { exists(AnnotationType a | a = this.getType() and - a.getPackage().getName().regexpMatch(["javax\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"]) + a.getPackage() + .getName() + .regexpMatch([javaxOrJakarta() + "\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"]) ) } } diff --git a/java/ql/lib/semmle/code/java/frameworks/Jms.qll b/java/ql/lib/semmle/code/java/frameworks/Jms.qll index 3cc76771a77..8c86481b4ca 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Jms.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Jms.qll @@ -7,6 +7,6 @@ import java /** The method `ObjectMessage.getObject`. */ class ObjectMessageGetObjectMethod extends Method { ObjectMessageGetObjectMethod() { - this.hasQualifiedName(["javax", "jakarta"] + ".jms", "ObjectMessage", "getObject") + this.hasQualifiedName([javaxOrJakarta() + "", "jakarta"] + ".jms", "ObjectMessage", "getObject") } } diff --git a/java/ql/lib/semmle/code/java/frameworks/Jndi.qll b/java/ql/lib/semmle/code/java/frameworks/Jndi.qll index 0d7d481dc1d..d2b14d5f58e 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Jndi.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Jndi.qll @@ -9,32 +9,34 @@ import java /*--- Types ---*/ /** The interface `javax.naming.Context`. */ class TypeNamingContext extends Interface { - TypeNamingContext() { this.hasQualifiedName("javax.naming", "Context") } + TypeNamingContext() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "Context") } } /** The class `javax.naming.CompositeName`. */ class TypeCompositeName extends Class { - TypeCompositeName() { this.hasQualifiedName("javax.naming", "CompositeName") } + TypeCompositeName() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "CompositeName") } } /** The class `javax.naming.CompoundName`. */ class TypeCompoundName extends Class { - TypeCompoundName() { this.hasQualifiedName("javax.naming", "CompoundName") } + TypeCompoundName() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "CompoundName") } } /** The interface `javax.naming.directory.DirContext`. */ class TypeDirContext extends Interface { - TypeDirContext() { this.hasQualifiedName("javax.naming.directory", "DirContext") } + TypeDirContext() { this.hasQualifiedName(javaxOrJakarta() + ".naming.directory", "DirContext") } } /** The class `javax.naming.directory.SearchControls` */ class TypeSearchControls extends Class { - TypeSearchControls() { this.hasQualifiedName("javax.naming.directory", "SearchControls") } + TypeSearchControls() { + this.hasQualifiedName(javaxOrJakarta() + ".naming.directory", "SearchControls") + } } /** The class `javax.naming.ldap.LdapName`. */ class TypeLdapName extends Class { - TypeLdapName() { this.hasQualifiedName("javax.naming.ldap", "LdapName") } + TypeLdapName() { this.hasQualifiedName(javaxOrJakarta() + ".naming.ldap", "LdapName") } } /*--- Methods ---*/ diff --git a/java/ql/lib/semmle/code/java/frameworks/Mail.qll b/java/ql/lib/semmle/code/java/frameworks/Mail.qll index c61e5ae34f9..5793da4cceb 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Mail.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Mail.qll @@ -8,7 +8,7 @@ import java * The class `javax.mail.Session` or `jakarta.mail.Session`. */ class MailSession extends Class { - MailSession() { this.hasQualifiedName(["javax.mail", "jakarta.mail"], "Session") } + MailSession() { this.hasQualifiedName([javaxOrJakarta() + ".mail", "jakarta.mail"], "Session") } } /** diff --git a/java/ql/lib/semmle/code/java/frameworks/Networking.qll b/java/ql/lib/semmle/code/java/frameworks/Networking.qll index 6eeb5aa9024..21df7ae7f8d 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Networking.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Networking.qll @@ -20,7 +20,7 @@ class TypeSocket extends RefType { /** The type `javax.net.SocketFactory` */ class TypeSocketFactory extends RefType { - TypeSocketFactory() { this.hasQualifiedName("javax.net", "SocketFactory") } + TypeSocketFactory() { this.hasQualifiedName(javaxOrJakarta() + ".net", "SocketFactory") } } /** The type `java.net.URL`. */ diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll index 7d7beb74fc3..30cd248d4d1 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll @@ -12,7 +12,7 @@ import semmle.code.java.Type */ class ServletRequest extends RefType { ServletRequest() { - this.hasQualifiedName("javax.servlet", "ServletRequest") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequest") or this instanceof HttpServletRequest } } @@ -21,7 +21,9 @@ class ServletRequest extends RefType { * The interface `javax.servlet.http.HttpServletRequest`. */ class HttpServletRequest extends RefType { - HttpServletRequest() { this.hasQualifiedName("javax.servlet.http", "HttpServletRequest") } + HttpServletRequest() { + this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletRequest") + } } /** @@ -168,7 +170,7 @@ class ServletRequestGetBodyMethod extends Method { */ class ServletResponse extends RefType { ServletResponse() { - this.hasQualifiedName("javax.servlet", "ServletResponse") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletResponse") or this instanceof HttpServletResponse } } @@ -177,7 +179,9 @@ class ServletResponse extends RefType { * The interface `javax.servlet.http.HttpServletResponse`. */ class HttpServletResponse extends RefType { - HttpServletResponse() { this.hasQualifiedName("javax.servlet.http", "HttpServletResponse") } + HttpServletResponse() { + this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletResponse") + } } /** @@ -239,7 +243,7 @@ class ServletResponseGetOutputStreamMethod extends Method { /** The class `javax.servlet.http.Cookie`. */ class TypeCookie extends Class { - TypeCookie() { this.hasQualifiedName("javax.servlet.http", "Cookie") } + TypeCookie() { this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie") } } /** @@ -331,7 +335,7 @@ class ResponseSetContentTypeMethod extends Method { * A class that has `javax.servlet.Servlet` as an ancestor. */ class ServletClass extends Class { - ServletClass() { this.getAnAncestor().hasQualifiedName("javax.servlet", "Servlet") } + ServletClass() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Servlet") } } /** @@ -342,13 +346,13 @@ class ServletClass extends Class { */ class ServletWebXmlListenerType extends RefType { ServletWebXmlListenerType() { - this.hasQualifiedName("javax.servlet", "ServletContextAttributeListener") or - this.hasQualifiedName("javax.servlet", "ServletContextListener") or - this.hasQualifiedName("javax.servlet", "ServletRequestAttributeListener") or - this.hasQualifiedName("javax.servlet", "ServletRequestListener") or - this.hasQualifiedName("javax.servlet.http", "HttpSessionAttributeListener") or - this.hasQualifiedName("javax.servlet.http", "HttpSessionIdListener") or - this.hasQualifiedName("javax.servlet.http", "HttpSessionListener") + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContextAttributeListener") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContextListener") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequestAttributeListener") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequestListener") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionAttributeListener") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionIdListener") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionListener") // Listeners that are not configured in `web.xml`: // - `HttpSessionActivationListener` // - `HttpSessionBindingListener` @@ -373,8 +377,8 @@ predicate isRequestGetParamMethod(MethodCall ma) { /** The Java EE RequestDispatcher. */ class RequestDispatcher extends RefType { RequestDispatcher() { - this.hasQualifiedName(["javax.servlet", "jakarta.servlet"], "RequestDispatcher") or - this.hasQualifiedName("javax.portlet", "PortletRequestDispatcher") + this.hasQualifiedName([javaxOrJakarta() + ".servlet", "jakarta.servlet"], "RequestDispatcher") or + this.hasQualifiedName(javaxOrJakarta() + ".portlet", "PortletRequestDispatcher") } } @@ -398,7 +402,7 @@ class RequestDispatchMethod extends Method { * The interface `javax.servlet.ServletContext`. */ class ServletContext extends RefType { - ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") } + ServletContext() { this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContext") } } /** The `getResource` method of `ServletContext`. */ @@ -419,5 +423,5 @@ class GetServletResourceAsStreamMethod extends Method { /** The interface `javax.servlet.http.HttpSession` */ class HttpServletSession extends RefType { - HttpServletSession() { this.hasQualifiedName("javax.servlet.http", "HttpSession") } + HttpServletSession() { this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSession") } } diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll index 2f749962e94..285bd7fd670 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll @@ -61,7 +61,7 @@ class FacesAccessibleType extends RefType { class FacesComponent extends Class { FacesComponent() { // Must extend UIComponent for it to be a valid component. - this.getAnAncestor().hasQualifiedName("javax.faces.component", "UIComponent") and + this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".faces.component", "UIComponent") and ( // Must be registered using either an annotation exists(FacesComponentAnnotation componentAnnotation | diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll index b5031d7dff0..05a7e615552 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll @@ -9,7 +9,9 @@ import java /** * Gets a JavaEE Persistence API package name. */ -string getAPersistencePackageName() { result = ["javax.persistence", "jakarta.persistence"] } +string getAPersistencePackageName() { + result = [javaxOrJakarta() + ".persistence", "jakarta.persistence"] +} /** * A `RefType` with the `@Entity` annotation that indicates that it can be persisted using a JPA diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll index 222b778ba58..6943c8023d4 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll @@ -33,7 +33,7 @@ private class ValidatorConfig extends TransformerConfig { /** The class `javax.xml.validation.Validator`. */ private class Validator extends RefType { - Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") } + Validator() { this.hasQualifiedName(javaxOrJakarta() + ".xml.validation", "Validator") } } /** A safely configured `Validator`. */ diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll index a866d84df21..efbd0c0b1eb 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll @@ -64,7 +64,7 @@ class SessionEjb extends EJB { result = this.getASupertype() and not result.hasQualifiedName("java.io", "Serializable") and not result.hasQualifiedName("java.io", "Externalizable") and - not result.getPackage().getName() = "javax.ejb" + not result.getPackage().getName() = javaxOrJakarta() + ".ejb" } /** Any remote interfaces of this EJB. */ @@ -216,14 +216,14 @@ abstract class BusinessInterfaceAnnotation extends EjbInterfaceAnnotation { } * An instance of a `@Remote` annotation. */ class RemoteAnnotation extends BusinessInterfaceAnnotation { - RemoteAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Remote") } + RemoteAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Remote") } } /** * An instance of a `@Local` annotation. */ class LocalAnnotation extends BusinessInterfaceAnnotation { - LocalAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Local") } + LocalAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Local") } } /** @@ -330,7 +330,7 @@ class LocalAnnotatedBusinessInterface extends AnnotatedBusinessInterface { * A `@javax.ejb.Init` annotation. */ class InitAnnotation extends Annotation { - InitAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Init") } + InitAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Init") } } /** @@ -383,14 +383,16 @@ abstract class HomeAnnotation extends EjbInterfaceAnnotation { } * An instance of a `@RemoteHome` annotation. */ class RemoteHomeAnnotation extends HomeAnnotation { - RemoteHomeAnnotation() { this.getType().hasQualifiedName("javax.ejb", "RemoteHome") } + RemoteHomeAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "RemoteHome") + } } /** * An instance of a `@LocalHome` annotation. */ class LocalHomeAnnotation extends HomeAnnotation { - LocalHomeAnnotation() { this.getType().hasQualifiedName("javax.ejb", "LocalHome") } + LocalHomeAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "LocalHome") } } /** @@ -748,7 +750,9 @@ Type inheritsMatchingCreateMethodExceptThrows(StatefulSessionEjb ejb, EjbInterfa * A `@javax.ejb.AccessTimeout` annotation. */ class AccessTimeoutAnnotation extends Annotation { - AccessTimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AccessTimeout") } + AccessTimeoutAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AccessTimeout") + } } /** @@ -756,7 +760,7 @@ class AccessTimeoutAnnotation extends Annotation { */ class ActivationConfigPropertyAnnotation extends Annotation { ActivationConfigPropertyAnnotation() { - this.getType().hasQualifiedName("javax.ejb", "ActivationConfigProperty") + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ActivationConfigProperty") } } @@ -764,14 +768,18 @@ class ActivationConfigPropertyAnnotation extends Annotation { * A `@javax.ejb.AfterBegin` annotation. */ class AfterBeginAnnotation extends Annotation { - AfterBeginAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AfterBegin") } + AfterBeginAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AfterBegin") + } } /** * A `@javax.ejb.AfterCompletion` annotation. */ class AfterCompletionAnnotation extends Annotation { - AfterCompletionAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AfterCompletion") } + AfterCompletionAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AfterCompletion") + } } /** @@ -779,7 +787,7 @@ class AfterCompletionAnnotation extends Annotation { */ class ApplicationExceptionAnnotation extends Annotation { ApplicationExceptionAnnotation() { - this.getType().hasQualifiedName("javax.ejb", "ApplicationException") + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ApplicationException") } } @@ -787,14 +795,18 @@ class ApplicationExceptionAnnotation extends Annotation { * A `@javax.ejb.Asynchronous` annotation. */ class AsynchronousAnnotation extends Annotation { - AsynchronousAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Asynchronous") } + AsynchronousAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Asynchronous") + } } /** * A `@javax.ejb.BeforeCompletion` annotation. */ class BeforeCompletionAnnotation extends Annotation { - BeforeCompletionAnnotation() { this.getType().hasQualifiedName("javax.ejb", "BeforeCompletion") } + BeforeCompletionAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "BeforeCompletion") + } } /** @@ -802,7 +814,7 @@ class BeforeCompletionAnnotation extends Annotation { */ class ConcurrencyManagementAnnotation extends Annotation { ConcurrencyManagementAnnotation() { - this.getType().hasQualifiedName("javax.ejb", "ConcurrencyManagement") + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ConcurrencyManagement") } } @@ -810,119 +822,127 @@ class ConcurrencyManagementAnnotation extends Annotation { * A `@javax.ejb.DependsOn` annotation. */ class DependsOnAnnotation extends Annotation { - DependsOnAnnotation() { this.getType().hasQualifiedName("javax.ejb", "DependsOn") } + DependsOnAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "DependsOn") } } /** * A `@javax.ejb.EJB` annotation. */ class EjbAnnotation extends Annotation { - EjbAnnotation() { this.getType().hasQualifiedName("javax.ejb", "EJB") } + EjbAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJB") } } /** * A `@javax.ejb.EJBs` annotation. */ class EJBsAnnotation extends Annotation { - EJBsAnnotation() { this.getType().hasQualifiedName("javax.ejb", "EJBs") } + EJBsAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBs") } } /** * A `@javax.ejb.LocalBean` annotation. */ class LocalBeanAnnotation extends Annotation { - LocalBeanAnnotation() { this.getType().hasQualifiedName("javax.ejb", "LocalBean") } + LocalBeanAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "LocalBean") } } /** * A `@javax.ejb.Lock` annotation. */ class LockAnnotation extends Annotation { - LockAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Lock") } + LockAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Lock") } } /** * A `@javax.ejb.MessageDriven` annotation. */ class MessageDrivenAnnotation extends Annotation { - MessageDrivenAnnotation() { this.getType().hasQualifiedName("javax.ejb", "MessageDriven") } + MessageDrivenAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDriven") + } } /** * A `@javax.ejb.PostActivate` annotation. */ class PostActivateAnnotation extends Annotation { - PostActivateAnnotation() { this.getType().hasQualifiedName("javax.ejb", "PostActivate") } + PostActivateAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "PostActivate") + } } /** * A `@javax.ejb.PrePassivate` annotation. */ class PrePassivateAnnotation extends Annotation { - PrePassivateAnnotation() { this.getType().hasQualifiedName("javax.ejb", "PrePassivate") } + PrePassivateAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "PrePassivate") + } } /** * A `@javax.ejb.Remove` annotation. */ class RemoveAnnotation extends Annotation { - RemoveAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Remove") } + RemoveAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Remove") } } /** * A `@javax.ejb.Schedule` annotation. */ class ScheduleAnnotation extends Annotation { - ScheduleAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Schedule") } + ScheduleAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Schedule") } } /** * A `@javax.ejb.Schedules` annotation. */ class SchedulesAnnotation extends Annotation { - SchedulesAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Schedules") } + SchedulesAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Schedules") } } /** * A `@javax.ejb.Singleton` annotation. */ class SingletonAnnotation extends Annotation { - SingletonAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Singleton") } + SingletonAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Singleton") } } /** * A `@javax.ejb.Startup` annotation. */ class StartupAnnotation extends Annotation { - StartupAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Startup") } + StartupAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Startup") } } /** * A `@javax.ejb.Stateful` annotation. */ class StatefulAnnotation extends Annotation { - StatefulAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Stateful") } + StatefulAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Stateful") } } /** * A `@javax.ejb.StatefulTimeout` annotation. */ class StatefulTimeoutAnnotation extends Annotation { - StatefulTimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "StatefulTimeout") } + StatefulTimeoutAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "StatefulTimeout") + } } /** * A `@javax.ejb.Stateless` annotation. */ class StatelessAnnotation extends Annotation { - StatelessAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Stateless") } + StatelessAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Stateless") } } /** * A `@javax.ejb.Timeout` annotation. */ class TimeoutAnnotation extends Annotation { - TimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Timeout") } + TimeoutAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Timeout") } } /** @@ -930,7 +950,7 @@ class TimeoutAnnotation extends Annotation { */ class TransactionAttributeAnnotation extends Annotation { TransactionAttributeAnnotation() { - this.getType().hasQualifiedName("javax.ejb", "TransactionAttribute") + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttribute") } } @@ -939,7 +959,7 @@ class TransactionAttributeAnnotation extends Annotation { */ class TransactionManagementAnnotation extends Annotation { TransactionManagementAnnotation() { - this.getType().hasQualifiedName("javax.ejb", "TransactionManagement") + this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionManagement") } } @@ -951,7 +971,10 @@ class RequiredTransactionAttributeAnnotation extends TransactionAttributeAnnotat RequiredTransactionAttributeAnnotation() { exists(FieldRead fr | this.getValue("value") = fr and - fr.getField().getType().(RefType).hasQualifiedName("javax.ejb", "TransactionAttributeType") and + fr.getField() + .getType() + .(RefType) + .hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttributeType") and fr.getField().getName() = "REQUIRED" ) } @@ -965,7 +988,10 @@ class RequiresNewTransactionAttributeAnnotation extends TransactionAttributeAnno RequiresNewTransactionAttributeAnnotation() { exists(FieldRead fr | this.getValue("value") = fr and - fr.getField().getType().(RefType).hasQualifiedName("javax.ejb", "TransactionAttributeType") and + fr.getField() + .getType() + .(RefType) + .hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttributeType") and fr.getField().getName() = "REQUIRES_NEW" ) } @@ -999,7 +1025,9 @@ TransactionAttributeAnnotation getInnermostTransactionAttributeAnnotation(Method */ class SetRollbackOnlyMethod extends Method { SetRollbackOnlyMethod() { - this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.ejb", "EJBContext") and + this.getDeclaringType() + .getAnAncestor() + .hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBContext") and this.getName() = "setRollbackOnly" and this.hasNoParameters() } diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll index 10b6e7f3df2..47872816825 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll @@ -159,8 +159,8 @@ class GraphicsPackage extends Package { GraphicsPackage() { this.getName() = "java.awt" or this.getName().matches("java.awt.%") or - this.getName() = "javax.swing" or - this.getName().matches("javax.swing.%") + this.getName() = javaxOrJakarta() + ".swing" or + this.getName().matches(javaxOrJakarta() + ".swing.%") } } diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll index 3338fa840ab..f62d9e50b68 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll @@ -9,7 +9,7 @@ import default */ class FacesManagedBeanAnnotation extends Annotation { FacesManagedBeanAnnotation() { - this.getType().hasQualifiedName("javax.faces.bean", "ManagedBean") + this.getType().hasQualifiedName(javaxOrJakarta() + ".faces.bean", "ManagedBean") } /** @@ -25,7 +25,7 @@ class FacesManagedBeanAnnotation extends Annotation { */ class FacesComponentAnnotation extends Annotation { FacesComponentAnnotation() { - this.getType().hasQualifiedName("javax.faces.component", "FacesComponent") + this.getType().hasQualifiedName(javaxOrJakarta() + ".faces.component", "FacesComponent") } /** diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll index df646e8a9a2..6e6bad91d47 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll @@ -9,7 +9,8 @@ import java */ class FacesContext extends RefType { FacesContext() { - this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "FacesContext") + this.hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"], + "FacesContext") } } diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll index e758811b368..970870f9503 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll @@ -14,7 +14,7 @@ import SpringComponentScan predicate hasInjectAnnotation(Annotatable a) { a.hasAnnotation("org.springframework.beans.factory.annotation", "Autowired") or a.getAnAnnotation() instanceof SpringResourceAnnotation or - a.hasAnnotation("javax.inject", "Inject") + a.hasAnnotation(javaxOrJakarta() + ".inject", "Inject") } /** @@ -292,7 +292,7 @@ class SpringBeanAutowiredField extends Field { class SpringQualifierAnnotationType extends AnnotationType { SpringQualifierAnnotationType() { this.hasQualifiedName("org.springframework.beans.factory.annotation", "Qualifier") or - this.hasQualifiedName("javax.inject", "Qualifier") or + this.hasQualifiedName(javaxOrJakarta() + ".inject", "Qualifier") or this.getAnAnnotation().getType() instanceof SpringQualifierAnnotationType } } @@ -340,7 +340,9 @@ class SpringQualifierAnnotation extends Annotation { * autowired by Spring, and can optionally specify a qualifier in the "name". */ class SpringResourceAnnotation extends Annotation { - SpringResourceAnnotation() { this.getType().hasQualifiedName("javax.inject", "Resource") } + SpringResourceAnnotation() { + this.getType().hasQualifiedName(javaxOrJakarta() + ".inject", "Resource") + } /** * Gets the specified name value, if any. diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll index a444dc96d5a..a26e4edc277 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll @@ -210,10 +210,22 @@ class SpringRequestMappingParameter extends Parameter { predicate isNotDirectlyTaintedInput() { this.getType().(RefType).getAnAncestor() instanceof SpringWebRequest or this.getType().(RefType).getAnAncestor() instanceof SpringNativeWebRequest or - this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet", "ServletRequest") or - this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet", "ServletResponse") or - this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet.http", "HttpSession") or - this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet.http", "PushBuilder") or + this.getType() + .(RefType) + .getAnAncestor() + .hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequest") or + this.getType() + .(RefType) + .getAnAncestor() + .hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletResponse") or + this.getType() + .(RefType) + .getAnAncestor() + .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSession") or + this.getType() + .(RefType) + .getAnAncestor() + .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "PushBuilder") or this.getType().(RefType).getAnAncestor().hasQualifiedName("java.security", "Principal") or this.getType() .(RefType) diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll index 1c99821386d..9f04aff7e40 100644 --- a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll @@ -23,7 +23,9 @@ private class CookieCleartextStorageSink extends CleartextStorageSink { /** The instantiation of a cookie, which can act as storage. */ class Cookie extends Storable, ClassInstanceExpr { Cookie() { - this.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") + this.getConstructor() + .getDeclaringType() + .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie") } /** Gets an input, for example `input` in `new Cookie("...", input);`. */ @@ -42,7 +44,8 @@ private predicate cookieStore(DataFlow::Node cookie, Expr store) { exists(MethodCall m, Method def | m.getMethod() = def and def.getName() = "addCookie" and - def.getDeclaringType().hasQualifiedName("javax.servlet.http", "HttpServletResponse") and + def.getDeclaringType() + .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletResponse") and store = m and cookie.asExpr() = m.getAnArgument() ) diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll index b948a94962c..73c91433bdc 100644 --- a/java/ql/lib/semmle/code/java/security/Encryption.qll +++ b/java/ql/lib/semmle/code/java/security/Encryption.qll @@ -9,56 +9,58 @@ import java class SslClass extends RefType { SslClass() { exists(Class c | this.getAnAncestor() = c | - c.hasQualifiedName("javax.net.ssl", _) or - c.hasQualifiedName("javax.rmi.ssl", _) + c.hasQualifiedName(javaxOrJakarta() + ".net.ssl", _) or + c.hasQualifiedName(javaxOrJakarta() + ".rmi.ssl", _) ) } } class X509TrustManager extends RefType { - X509TrustManager() { this.hasQualifiedName("javax.net.ssl", "X509TrustManager") } + X509TrustManager() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "X509TrustManager") } } /** The `javax.net.ssl.HttpsURLConnection` class. */ class HttpsUrlConnection extends RefType { - HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") } + HttpsUrlConnection() { + this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "HttpsURLConnection") + } } class SslSocketFactory extends RefType { - SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") } + SslSocketFactory() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLSocketFactory") } } class SslContext extends RefType { - SslContext() { this.hasQualifiedName("javax.net.ssl", "SSLContext") } + SslContext() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLContext") } } /** The `javax.net.ssl.SslSession` class. */ class SslSession extends RefType { - SslSession() { this.hasQualifiedName("javax.net.ssl", "SSLSession") } + SslSession() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLSession") } } /** The `javax.net.ssl.SslEngine` class. */ class SslEngine extends RefType { - SslEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") } + SslEngine() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLEngine") } } /** The `javax.net.ssl.SslSocket` class. */ class SslSocket extends RefType { - SslSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") } + SslSocket() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLSocket") } } /** The `javax.net.ssl.SslParameters` class. */ class SslParameters extends RefType { - SslParameters() { this.hasQualifiedName("javax.net.ssl", "SSLParameters") } + SslParameters() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLParameters") } } class HostnameVerifier extends RefType { - HostnameVerifier() { this.hasQualifiedName("javax.net.ssl", "HostnameVerifier") } + HostnameVerifier() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "HostnameVerifier") } } /** The Java class `javax.crypto.KeyGenerator`. */ class KeyGenerator extends RefType { - KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") } + KeyGenerator() { this.hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator") } } /** The Java class `java.security.KeyPairGenerator`. */ @@ -292,7 +294,7 @@ abstract class JavaxCryptoAlgoSpec extends CryptoAlgoSpec { } class JavaxCryptoCipher extends JavaxCryptoAlgoSpec { JavaxCryptoCipher() { exists(Method m | m.getAReference() = this | - m.hasQualifiedName("javax.crypto", "Cipher", "getInstance") + m.hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "getInstance") ) } @@ -302,7 +304,7 @@ class JavaxCryptoCipher extends JavaxCryptoAlgoSpec { class JavaxCryptoSecretKey extends JavaxCryptoAlgoSpec { JavaxCryptoSecretKey() { exists(Constructor c | c.getAReference() = this | - c.getDeclaringType().hasQualifiedName("javax.crypto.spec", "SecretKeySpec") + c.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "SecretKeySpec") ) } @@ -327,7 +329,7 @@ class JavaxCryptoKeyGenerator extends JavaxCryptoAlgoSpec { class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec { JavaxCryptoKeyAgreement() { exists(Method m | m.getAReference() = this | - m.hasQualifiedName("javax.crypto", "KeyAgreement", "getInstance") + m.hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "getInstance") ) } @@ -337,7 +339,7 @@ class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec { class JavaxCryptoKeyFactory extends JavaxCryptoAlgoSpec { JavaxCryptoKeyFactory() { exists(Method m | m.getAReference() = this | - m.hasQualifiedName("javax.crypto", "SecretKeyFactory", "getInstance") + m.hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "getInstance") ) } @@ -429,5 +431,7 @@ class DsaGenParameterSpec extends AlgorithmParameterSpec { /** The Java class `javax.crypto.spec.DHGenParameterSpec`. */ class DhGenParameterSpec extends AlgorithmParameterSpec { - DhGenParameterSpec() { this.hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec") } + DhGenParameterSpec() { + this.hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "DHGenParameterSpec") + } } diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll index e1c840ce264..88fb540e83b 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll @@ -25,7 +25,7 @@ class SetMessageInterpolatorCall extends MethodCall { this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() = t and ( - t.hasQualifiedName("javax.validation", ["Configuration", "ValidatorContext"]) and + t.hasQualifiedName(javaxOrJakarta() + ".validation", ["Configuration", "ValidatorContext"]) and m.getName() = "messageInterpolator" or t.hasQualifiedName("org.springframework.validation.beanvalidation", diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll index 0d52d480ae7..b094346b753 100644 --- a/java/ql/lib/semmle/code/java/security/XSS.qll +++ b/java/ql/lib/semmle/code/java/security/XSS.qll @@ -127,7 +127,7 @@ class XssVulnerableWriterSource extends MethodCall { ) or exists(Method m | m = this.getMethod() | - m.hasQualifiedName("javax.servlet.jsp", "JspContext", "getOut") + m.hasQualifiedName(javaxOrJakarta() + ".servlet.jsp", "JspContext", "getOut") ) or this.getMethod() instanceof FacesGetResponseWriterMethod diff --git a/java/ql/lib/semmle/code/java/security/XmlParsers.qll b/java/ql/lib/semmle/code/java/security/XmlParsers.qll index 8bb2a015a14..bd1520034eb 100644 --- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll +++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll @@ -62,12 +62,14 @@ abstract class ParserConfig extends MethodCall { /** The class `javax.xml.parsers.DocumentBuilderFactory`. */ class DocumentBuilderFactory extends RefType { - DocumentBuilderFactory() { this.hasQualifiedName("javax.xml.parsers", "DocumentBuilderFactory") } + DocumentBuilderFactory() { + this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "DocumentBuilderFactory") + } } /** The class `javax.xml.parsers.DocumentBuilder`. */ class DocumentBuilder extends RefType { - DocumentBuilder() { this.hasQualifiedName("javax.xml.parsers", "DocumentBuilder") } + DocumentBuilder() { this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "DocumentBuilder") } } /** A call to `DocumentBuilder.parse`. */ @@ -174,7 +176,7 @@ class SafeDocumentBuilder extends DocumentBuilderConstruction { /** The class `javax.xml.stream.XMLInputFactory`. */ class XmlInputFactory extends RefType { - XmlInputFactory() { this.hasQualifiedName("javax.xml.stream", "XMLInputFactory") } + XmlInputFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.stream", "XMLInputFactory") } } /** A call to `XMLInputFactory.createXMLStreamReader`. */ @@ -243,7 +245,8 @@ class XmlInputFactoryConfig extends ParserConfig { * An `XmlInputFactory` specific expression that indicates whether parsing external entities is supported. */ Expr configOptionIsSupportingExternalEntities() { - result.(ConstantStringExpr).getStringValue() = "javax.xml.stream.isSupportingExternalEntities" + result.(ConstantStringExpr).getStringValue() = + javaxOrJakarta() + ".xml.stream.isSupportingExternalEntities" or exists(Field f | result = f.getAnAccess() and @@ -256,7 +259,7 @@ Expr configOptionIsSupportingExternalEntities() { * An `XmlInputFactory` specific expression that indicates whether DTD is supported. */ Expr configOptionSupportDtd() { - result.(ConstantStringExpr).getStringValue() = "javax.xml.stream.supportDTD" + result.(ConstantStringExpr).getStringValue() = javaxOrJakarta() + ".xml.stream.supportDTD" or exists(Field f | result = f.getAnAccess() and @@ -357,12 +360,14 @@ class SafeSaxBuilder extends VarAccess { * The class `javax.xml.parsers.SAXParser`. */ class SaxParser extends RefType { - SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") } + SaxParser() { this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "SAXParser") } } /** The class `javax.xml.parsers.SAXParserFactory`. */ class SaxParserFactory extends RefType { - SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") } + SaxParserFactory() { + this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "SAXParserFactory") + } } /** A call to `SAXParser.parse`. */ @@ -635,7 +640,7 @@ class CreatedSafeXmlReader extends Call { /** The class `javax.xml.transform.sax.SAXSource` */ class SaxSource extends RefType { - SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") } + SaxSource() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.sax", "SAXSource") } } /** A call to the constructor of `SAXSource` with `XmlReader` and `InputSource`. */ @@ -697,7 +702,7 @@ abstract class TransformerConfig extends MethodCall { /** The class `javax.xml.XMLConstants`. */ class XmlConstants extends RefType { - XmlConstants() { this.hasQualifiedName("javax.xml", "XMLConstants") } + XmlConstants() { this.hasQualifiedName(javaxOrJakarta() + ".xml", "XMLConstants") } } /** A configuration specific for transformers and schema. */ @@ -739,14 +744,14 @@ Expr configAccessExternalSchema() { /** The class `javax.xml.transform.TransformerFactory` or `javax.xml.transform.sax.SAXTransformerFactory`. */ class TransformerFactory extends RefType { TransformerFactory() { - this.hasQualifiedName("javax.xml.transform", "TransformerFactory") or - this.hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") + this.hasQualifiedName(javaxOrJakarta() + ".xml.transform", "TransformerFactory") or + this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.sax", "SAXTransformerFactory") } } /** The class `javax.xml.transform.Transformer`. */ class Transformer extends RefType { - Transformer() { this.hasQualifiedName("javax.xml.transform", "Transformer") } + Transformer() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform", "Transformer") } } /** A call to `Transformer.transform`. */ @@ -843,7 +848,8 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall { SaxTransformerFactoryNewXmlFilter() { exists(Method m | this.getMethod() = m and - m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and + m.getDeclaringType() + .hasQualifiedName(javaxOrJakarta() + ".xml.transform.sax", "SAXTransformerFactory") and m.hasName("newXMLFilter") ) } @@ -858,7 +864,7 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall { /* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */ /** The class `javax.xml.validation.SchemaFactory`. */ class SchemaFactory extends RefType { - SchemaFactory() { this.hasQualifiedName("javax.xml.validation", "SchemaFactory") } + SchemaFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.validation", "SchemaFactory") } } /** A `ParserConfig` specific to `SchemaFactory`. */ @@ -913,7 +919,7 @@ class SafeSchemaFactory extends VarAccess { /* Unmarshaller: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller */ /** The class `javax.xml.bind.Unmarshaller`. */ class XmlUnmarshaller extends RefType { - XmlUnmarshaller() { this.hasQualifiedName("javax.xml.bind", "Unmarshaller") } + XmlUnmarshaller() { this.hasQualifiedName(javaxOrJakarta() + ".xml.bind", "Unmarshaller") } } /** A call to `Unmarshaller.unmarshal`. */ @@ -934,12 +940,12 @@ class XmlUnmarshal extends XmlParserCall { /* XPathExpression: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression */ /** The interface `javax.xml.xpath.XPathExpression`. */ class XPathExpression extends Interface { - XPathExpression() { this.hasQualifiedName("javax.xml.xpath", "XPathExpression") } + XPathExpression() { this.hasQualifiedName(javaxOrJakarta() + ".xml.xpath", "XPathExpression") } } /** The interface `java.xml.xpath.XPath`. */ class XPath extends Interface { - XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") } + XPath() { this.hasQualifiedName(javaxOrJakarta() + ".xml.xpath", "XPath") } } /** A call to the method `evaluate` of the classes `XPathExpression` or `XPath`. */ diff --git a/java/ql/lib/semmle/code/java/security/XsltInjection.qll b/java/ql/lib/semmle/code/java/security/XsltInjection.qll index d54e9206644..a6b18e1518f 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjection.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjection.qll @@ -163,17 +163,17 @@ private predicate xsltPackageStep(DataFlow::Node n1, DataFlow::Node n2) { /** The class `javax.xml.transform.stax.StAXSource`. */ private class TypeStAXSource extends Class { - TypeStAXSource() { this.hasQualifiedName("javax.xml.transform.stax", "StAXSource") } + TypeStAXSource() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.stax", "StAXSource") } } /** The class `javax.xml.transform.dom.DOMSource`. */ private class TypeDomSource extends Class { - TypeDomSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") } + TypeDomSource() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform.dom", "DOMSource") } } /** The interface `javax.xml.transform.Templates`. */ private class TypeTemplates extends Interface { - TypeTemplates() { this.hasQualifiedName("javax.xml.transform", "Templates") } + TypeTemplates() { this.hasQualifiedName(javaxOrJakarta() + ".xml.transform", "Templates") } } /** The class `net.sf.saxon.s9api.XsltCompiler`. */ @@ -205,7 +205,7 @@ private class DocumentBuilderParse extends MethodCall { /** The class `javax.xml.parsers.DocumentBuilder`. */ private class DocumentBuilder extends RefType { - DocumentBuilder() { this.hasQualifiedName("javax.xml.parsers", "DocumentBuilder") } + DocumentBuilder() { this.hasQualifiedName(javaxOrJakarta() + ".xml.parsers", "DocumentBuilder") } } /** A call to `XMLInputFactory.createXMLStreamReader`. */ @@ -232,5 +232,5 @@ private class XmlInputFactoryEventReader extends MethodCall { /** The class `javax.xml.stream.XMLInputFactory`. */ private class XmlInputFactory extends RefType { - XmlInputFactory() { this.hasQualifiedName("javax.xml.stream", "XMLInputFactory") } + XmlInputFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.stream", "XMLInputFactory") } } diff --git a/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql b/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql index 9eddcb64a14..4bc0b99c3f5 100644 --- a/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql +++ b/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql @@ -115,8 +115,8 @@ predicate jdkPackage(Package p) { | pkgName = [ - "com.sun", "sun", "java", "javax", "com.oracle.net", "genstubs", "jdk", "build.tools", - "org.omg.CORBA", "org.ietf.jgss" + "com.sun", "sun", "java", javaxOrJakarta() + "", "com.oracle.net", "genstubs", "jdk", + "build.tools", "org.omg.CORBA", "org.ietf.jgss" ] ) } diff --git a/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql b/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql index 6a2db4b695f..34fd190ccf1 100644 --- a/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql +++ b/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql @@ -19,7 +19,7 @@ class Adapter extends Class { this.getName().matches("%Adapter") and ( this.getPackage().hasName("java.awt.event") or - this.getPackage().hasName("javax.swing.event") + this.getPackage().hasName(javaxOrJakarta() + ".swing.event") ) } } diff --git a/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql b/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql index 8d49cf1d59e..623470aefc1 100644 --- a/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql +++ b/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql @@ -15,7 +15,12 @@ import java from MethodCall ma, Method m, MainMethod main where - ma.getQualifier().getType().getCompilationUnit().getPackage().getName().matches("javax.swing%") and + ma.getQualifier() + .getType() + .getCompilationUnit() + .getPackage() + .getName() + .matches(javaxOrJakarta() + ".swing%") and ( m.hasName("show") and m.hasNoParameters() or diff --git a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql index 494e851a533..08d622b576e 100644 --- a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql +++ b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql @@ -77,7 +77,9 @@ module MatchesHttpOnlyToRawHeaderFlow = TaintTracking::Global Date: Thu, 12 Feb 2026 12:21:38 +0000 Subject: [PATCH 061/110] Define new predicate `javaxOrJakarta()` --- java/ql/lib/semmle/code/java/J2EE.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/J2EE.qll b/java/ql/lib/semmle/code/java/J2EE.qll index 0f7473505df..20aa1aa3ab5 100644 --- a/java/ql/lib/semmle/code/java/J2EE.qll +++ b/java/ql/lib/semmle/code/java/J2EE.qll @@ -6,6 +6,8 @@ module; import Type +string javaxOrJakarta() { result = ["javax", "jakarta"] } + /** An entity bean. */ class EntityBean extends Class { EntityBean() { From 31840902cdf27fd9443d909bce69de8b8d4d379a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 12:32:25 +0000 Subject: [PATCH 062/110] Fix places which already dealt with both javax and jakarta --- java/ql/lib/semmle/code/java/frameworks/JaxWS.qll | 11 ++++------- java/ql/lib/semmle/code/java/frameworks/Jms.qll | 2 +- java/ql/lib/semmle/code/java/frameworks/Mail.qll | 2 +- java/ql/lib/semmle/code/java/frameworks/Servlets.qll | 2 +- .../code/java/frameworks/javaee/Persistence.qll | 4 +--- .../code/java/frameworks/javaee/jsf/JSFRenderer.qll | 5 +---- .../CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql | 3 +-- .../CWE/CWE-094/JakartaExpressionInjectionLib.qll | 2 +- .../Security/CWE/CWE-400/LocalThreadResourceAbuse.ql | 5 ++--- .../experimental/semmle/code/java/frameworks/Jsf.qll | 3 +-- 10 files changed, 14 insertions(+), 25 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll index 37494136565..46feac077c5 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll @@ -13,7 +13,7 @@ private import semmle.code.java.security.XSS /** * Gets a name for the root package of JAX-RS. */ -string getAJaxRsPackage() { result in [javaxOrJakarta() + ".ws.rs", "jakarta.ws.rs"] } +string getAJaxRsPackage() { result in [javaxOrJakarta() + ".ws.rs"] } /** * Gets a name for package `subpackage` within the JAX-RS hierarchy. @@ -42,7 +42,7 @@ class JaxWsEndpoint extends Class { result.isPublic() and not result instanceof InitializerMethod and not exists(Annotation a | a = result.getAnAnnotation() | - a.getType().hasQualifiedName([javaxOrJakarta() + "", "jakarta"] + ".jws", "WebMethod") and + a.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebMethod") and a.getValue("exclude").(BooleanLiteral).getBooleanValue() = true ) and forex(ParamOrReturn paramOrRet | paramOrRet = result.getAParameter() or paramOrRet = result | @@ -62,8 +62,7 @@ class JaxWsEndpoint extends Class { /** The annotation type `@XmlJavaTypeAdapter`. */ class XmlJavaTypeAdapter extends AnnotationType { XmlJavaTypeAdapter() { - this.hasQualifiedName([javaxOrJakarta() + "", "jakarta"] + ".xml.bind.annotation.adapters", - "XmlJavaTypeAdapter") + this.hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation.adapters", "XmlJavaTypeAdapter") } } @@ -292,9 +291,7 @@ class JaxRSAnnotation extends Annotation { JaxRSAnnotation() { exists(AnnotationType a | a = this.getType() and - a.getPackage() - .getName() - .regexpMatch([javaxOrJakarta() + "\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"]) + a.getPackage().getName().regexpMatch(javaxOrJakarta() + "\\.ws\\.rs(\\..*)?") ) } } diff --git a/java/ql/lib/semmle/code/java/frameworks/Jms.qll b/java/ql/lib/semmle/code/java/frameworks/Jms.qll index 8c86481b4ca..abee6b3a427 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Jms.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Jms.qll @@ -7,6 +7,6 @@ import java /** The method `ObjectMessage.getObject`. */ class ObjectMessageGetObjectMethod extends Method { ObjectMessageGetObjectMethod() { - this.hasQualifiedName([javaxOrJakarta() + "", "jakarta"] + ".jms", "ObjectMessage", "getObject") + this.hasQualifiedName(javaxOrJakarta() + ".jms", "ObjectMessage", "getObject") } } diff --git a/java/ql/lib/semmle/code/java/frameworks/Mail.qll b/java/ql/lib/semmle/code/java/frameworks/Mail.qll index 5793da4cceb..b99220c1737 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Mail.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Mail.qll @@ -8,7 +8,7 @@ import java * The class `javax.mail.Session` or `jakarta.mail.Session`. */ class MailSession extends Class { - MailSession() { this.hasQualifiedName([javaxOrJakarta() + ".mail", "jakarta.mail"], "Session") } + MailSession() { this.hasQualifiedName(javaxOrJakarta() + ".mail", "Session") } } /** diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll index 30cd248d4d1..826636ce073 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll @@ -377,7 +377,7 @@ predicate isRequestGetParamMethod(MethodCall ma) { /** The Java EE RequestDispatcher. */ class RequestDispatcher extends RefType { RequestDispatcher() { - this.hasQualifiedName([javaxOrJakarta() + ".servlet", "jakarta.servlet"], "RequestDispatcher") or + this.hasQualifiedName(javaxOrJakarta() + ".servlet", "RequestDispatcher") or this.hasQualifiedName(javaxOrJakarta() + ".portlet", "PortletRequestDispatcher") } } diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll index 05a7e615552..a6cedcc3fee 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll @@ -9,9 +9,7 @@ import java /** * Gets a JavaEE Persistence API package name. */ -string getAPersistencePackageName() { - result = [javaxOrJakarta() + ".persistence", "jakarta.persistence"] -} +string getAPersistencePackageName() { result = javaxOrJakarta() + ".persistence" } /** * A `RefType` with the `@Entity` annotation that indicates that it can be persisted using a JPA diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll index 6e6bad91d47..21f8fba6785 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll @@ -8,10 +8,7 @@ import java * The JSF class `FacesContext` for processing HTTP requests. */ class FacesContext extends RefType { - FacesContext() { - this.hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"], - "FacesContext") - } + FacesContext() { this.hasQualifiedName(javaxOrJakarta() + ".faces.context", "FacesContext") } } /** diff --git a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql index 08d622b576e..afa08fb6928 100644 --- a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql +++ b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql @@ -145,8 +145,7 @@ class CookieResponseWithoutHttpOnlySink extends DataFlow::ExprNode { /** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */ predicate setsHttpOnlyInNewCookie(ClassInstanceExpr cie) { - cie.getConstructedType() - .hasQualifiedName([javaxOrJakarta() + ".ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and + cie.getConstructedType().hasQualifiedName(javaxOrJakarta() + ".ws.rs.core", "NewCookie") and ( cie.getNumArgument() = 6 and mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll index 0b59f1b723a..6f7cb040e79 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll @@ -89,7 +89,7 @@ private class TaintPropagatingCall extends Call { } private class JakartaType extends RefType { - JakartaType() { this.getPackage().hasName([javaxOrJakarta() + ".el", "jakarta.el"]) } + JakartaType() { this.getPackage().hasName(javaxOrJakarta() + ".el") } } private class ELProcessor extends JakartaType { diff --git a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql index eb5353af4c7..fc9eea83219 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql @@ -21,12 +21,11 @@ class GetInitParameter extends Method { ( this.getDeclaringType() .getAnAncestor() - .hasQualifiedName([javaxOrJakarta() + ".servlet", "jakarta.servlet"], + .hasQualifiedName(javaxOrJakarta() + ".servlet", ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or this.getDeclaringType() .getAnAncestor() - .hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"], - "ExternalContext") + .hasQualifiedName(javaxOrJakarta() + ".faces.context", "ExternalContext") ) and this.getName() = "getInitParameter" } diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll index aa5a29f85cb..97706ea6d63 100644 --- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll +++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll @@ -10,8 +10,7 @@ import java */ class ExternalContext extends RefType { ExternalContext() { - this.hasQualifiedName([javaxOrJakarta() + ".faces.context", "jakarta.faces.context"], - "ExternalContext") + this.hasQualifiedName(javaxOrJakarta() + ".faces.context", "ExternalContext") } } From 6da3a4557e3a841c2f56450c19c8e2fcd1e01a49 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 13:28:38 +0000 Subject: [PATCH 063/110] Add change note --- java/ql/lib/change-notes/2026-02-12-jakarta.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/lib/change-notes/2026-02-12-jakarta.md diff --git a/java/ql/lib/change-notes/2026-02-12-jakarta.md b/java/ql/lib/change-notes/2026-02-12-jakarta.md new file mode 100644 index 00000000000..062e202cb8a --- /dev/null +++ b/java/ql/lib/change-notes/2026-02-12-jakarta.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes. From 178fbf9600414f21b9fbc2e608f16e3626488edd Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 13:36:44 +0000 Subject: [PATCH 064/110] Add missing QLDoc --- java/ql/lib/semmle/code/java/J2EE.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/lib/semmle/code/java/J2EE.qll b/java/ql/lib/semmle/code/java/J2EE.qll index 20aa1aa3ab5..4cfffcdfa9f 100644 --- a/java/ql/lib/semmle/code/java/J2EE.qll +++ b/java/ql/lib/semmle/code/java/J2EE.qll @@ -6,6 +6,7 @@ module; import Type +/** Gets "java" or "jakarta". */ string javaxOrJakarta() { result = ["javax", "jakarta"] } /** An entity bean. */ From 53b8f2abb18c8bc958af2b0a4ccf36e77ff600bc Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 13:48:22 +0000 Subject: [PATCH 065/110] Apply copilot's fixes --- .../semmle/code/java/security/Encryption.qll | 39 +++++++++---------- .../Compatibility/JDK9/JdkInternalAccess.ql | 4 +- 2 files changed, 20 insertions(+), 23 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll index 73c91433bdc..b0a0fc72df7 100644 --- a/java/ql/lib/semmle/code/java/security/Encryption.qll +++ b/java/ql/lib/semmle/code/java/security/Encryption.qll @@ -9,58 +9,57 @@ import java class SslClass extends RefType { SslClass() { exists(Class c | this.getAnAncestor() = c | - c.hasQualifiedName(javaxOrJakarta() + ".net.ssl", _) or - c.hasQualifiedName(javaxOrJakarta() + ".rmi.ssl", _) + // Note there are no jakarta equivalents of these classes. + c.hasQualifiedName("javax.net.ssl", _) or + c.hasQualifiedName("javax.rmi.ssl", _) ) } } class X509TrustManager extends RefType { - X509TrustManager() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "X509TrustManager") } + X509TrustManager() { this.hasQualifiedName("javax.net.ssl", "X509TrustManager") } } /** The `javax.net.ssl.HttpsURLConnection` class. */ class HttpsUrlConnection extends RefType { - HttpsUrlConnection() { - this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "HttpsURLConnection") - } + HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") } } class SslSocketFactory extends RefType { - SslSocketFactory() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLSocketFactory") } + SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") } } class SslContext extends RefType { - SslContext() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLContext") } + SslContext() { this.hasQualifiedName("javax.net.ssl", "SSLContext") } } /** The `javax.net.ssl.SslSession` class. */ class SslSession extends RefType { - SslSession() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLSession") } + SslSession() { this.hasQualifiedName("javax.net.ssl", "SSLSession") } } /** The `javax.net.ssl.SslEngine` class. */ class SslEngine extends RefType { - SslEngine() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLEngine") } + SslEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") } } /** The `javax.net.ssl.SslSocket` class. */ class SslSocket extends RefType { - SslSocket() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLSocket") } + SslSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") } } /** The `javax.net.ssl.SslParameters` class. */ class SslParameters extends RefType { - SslParameters() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "SSLParameters") } + SslParameters() { this.hasQualifiedName("javax.net.ssl", "SSLParameters") } } class HostnameVerifier extends RefType { - HostnameVerifier() { this.hasQualifiedName(javaxOrJakarta() + ".net.ssl", "HostnameVerifier") } + HostnameVerifier() { this.hasQualifiedName("javax.net.ssl", "HostnameVerifier") } } /** The Java class `javax.crypto.KeyGenerator`. */ class KeyGenerator extends RefType { - KeyGenerator() { this.hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator") } + KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") } } /** The Java class `java.security.KeyPairGenerator`. */ @@ -294,7 +293,7 @@ abstract class JavaxCryptoAlgoSpec extends CryptoAlgoSpec { } class JavaxCryptoCipher extends JavaxCryptoAlgoSpec { JavaxCryptoCipher() { exists(Method m | m.getAReference() = this | - m.hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "getInstance") + m.hasQualifiedName("javax.crypto", "Cipher", "getInstance") ) } @@ -304,7 +303,7 @@ class JavaxCryptoCipher extends JavaxCryptoAlgoSpec { class JavaxCryptoSecretKey extends JavaxCryptoAlgoSpec { JavaxCryptoSecretKey() { exists(Constructor c | c.getAReference() = this | - c.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "SecretKeySpec") + c.getDeclaringType().hasQualifiedName("javax.crypto.spec", "SecretKeySpec") ) } @@ -329,7 +328,7 @@ class JavaxCryptoKeyGenerator extends JavaxCryptoAlgoSpec { class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec { JavaxCryptoKeyAgreement() { exists(Method m | m.getAReference() = this | - m.hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "getInstance") + m.hasQualifiedName("javax.crypto", "KeyAgreement", "getInstance") ) } @@ -339,7 +338,7 @@ class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec { class JavaxCryptoKeyFactory extends JavaxCryptoAlgoSpec { JavaxCryptoKeyFactory() { exists(Method m | m.getAReference() = this | - m.hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "getInstance") + m.hasQualifiedName("javax.crypto", "SecretKeyFactory", "getInstance") ) } @@ -431,7 +430,5 @@ class DsaGenParameterSpec extends AlgorithmParameterSpec { /** The Java class `javax.crypto.spec.DHGenParameterSpec`. */ class DhGenParameterSpec extends AlgorithmParameterSpec { - DhGenParameterSpec() { - this.hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "DHGenParameterSpec") - } + DhGenParameterSpec() { this.hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec") } } diff --git a/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql b/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql index 4bc0b99c3f5..9eddcb64a14 100644 --- a/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql +++ b/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql @@ -115,8 +115,8 @@ predicate jdkPackage(Package p) { | pkgName = [ - "com.sun", "sun", "java", javaxOrJakarta() + "", "com.oracle.net", "genstubs", "jdk", - "build.tools", "org.omg.CORBA", "org.ietf.jgss" + "com.sun", "sun", "java", "javax", "com.oracle.net", "genstubs", "jdk", "build.tools", + "org.omg.CORBA", "org.ietf.jgss" ] ) } From c4192b670ba9b9dccc602b36cb0f84ad34fe2135 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 14:32:24 +0000 Subject: [PATCH 066/110] More copilot suggestions --- java/ql/lib/semmle/code/java/frameworks/JaxWS.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll index 46feac077c5..38bac53485b 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll @@ -13,7 +13,7 @@ private import semmle.code.java.security.XSS /** * Gets a name for the root package of JAX-RS. */ -string getAJaxRsPackage() { result in [javaxOrJakarta() + ".ws.rs"] } +string getAJaxRsPackage() { result = javaxOrJakarta() + ".ws.rs" } /** * Gets a name for package `subpackage` within the JAX-RS hierarchy. @@ -114,7 +114,7 @@ private class JaxAcceptableStandardClass extends RefType { this.hasQualifiedName("java.util", "Calendar") or this.hasQualifiedName("java.math", "BigInteger") or this.hasQualifiedName("java.math", "BigDecimal") or - this.hasQualifiedName(javaxOrJakarta() + ".xml.namespace", "QName") or + this.hasQualifiedName("javax.xml.namespace", "QName") or this instanceof TypeUri } } From 91c731f68d5e2414cdd121a90e3bd2d41332a0cb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 16 Feb 2026 11:03:27 +0000 Subject: [PATCH 067/110] Fix new usage that was introduced --- java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll index feb7381e496..3b70c42fbec 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll @@ -195,9 +195,7 @@ class WebServiceRefAnnotation extends Annotation { */ class PatternAnnotation extends Annotation, RegexMatch::Range { PatternAnnotation() { - this.getType() - .hasQualifiedName(["javax.validation.constraints", "jakarta.validation.constraints"], - "Pattern") + this.getType().hasQualifiedName(javaxOrJakarta() + ".validation.constraints", "Pattern") } override Expr getRegex() { result = this.getValue("regexp") } From ef04f927fb9b00285aa96a7de4a5e33c6af2f459 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 16 Feb 2026 13:29:25 +0000 Subject: [PATCH 068/110] Release preparation for version 2.24.2 --- actions/ql/lib/CHANGELOG.md | 4 ++++ .../ql/lib/change-notes/released/0.4.28.md | 3 +++ actions/ql/lib/codeql-pack.release.yml | 2 +- actions/ql/lib/qlpack.yml | 2 +- actions/ql/src/CHANGELOG.md | 4 ++++ .../ql/src/change-notes/released/0.6.20.md | 3 +++ actions/ql/src/codeql-pack.release.yml | 2 +- actions/ql/src/qlpack.yml | 2 +- cpp/ql/lib/CHANGELOG.md | 6 +++++ .../2026-02-03-windows-remote-flow-sources.md | 4 ---- cpp/ql/lib/change-notes/released/7.1.1.md | 5 ++++ cpp/ql/lib/codeql-pack.release.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/CHANGELOG.md | 4 ++++ cpp/ql/src/change-notes/released/1.5.11.md | 3 +++ cpp/ql/src/codeql-pack.release.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- .../ql/campaigns/Solorigate/lib/CHANGELOG.md | 4 ++++ .../lib/change-notes/released/1.7.59.md | 3 +++ .../Solorigate/lib/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- .../ql/campaigns/Solorigate/src/CHANGELOG.md | 4 ++++ .../src/change-notes/released/1.7.59.md | 3 +++ .../Solorigate/src/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/CHANGELOG.md | 7 ++++++ ...-09-update-system.web.httputility-model.md | 4 ---- .../5.4.7.md} | 8 ++++--- csharp/ql/lib/codeql-pack.release.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/CHANGELOG.md | 6 +++++ .../1.6.2.md} | 7 +++--- csharp/ql/src/codeql-pack.release.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.42.md | 3 +++ .../codeql-pack.release.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/CHANGELOG.md | 10 ++++++++ .../2026-01-20-go-version-1-26.md | 4 ---- .../7.0.0.md} | 11 ++++++--- go/ql/lib/codeql-pack.release.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/CHANGELOG.md | 4 ++++ go/ql/src/change-notes/released/1.5.6.md | 3 +++ go/ql/src/codeql-pack.release.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/CHANGELOG.md | 23 ++++++++++++++++++- .../ql/lib/change-notes/2026-02-04-renames.md | 12 ---------- .../change-notes/2026-02-06-kotlin-2.3.10.md | 4 ---- .../2026-02-12-deprecate-unreachableblocks.md | 4 ---- ...02-12-pattern-annotation-ssrf-sanitizer.md | 4 ---- ...tern-annotation-log-injection-sanitizer.md | 4 ---- java/ql/lib/change-notes/released/8.1.0.md | 20 ++++++++++++++++ java/ql/lib/codeql-pack.release.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/CHANGELOG.md | 4 ++++ java/ql/src/change-notes/released/1.10.7.md | 3 +++ java/ql/src/codeql-pack.release.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/CHANGELOG.md | 4 ++++ .../ql/lib/change-notes/released/2.6.22.md | 3 +++ javascript/ql/lib/codeql-pack.release.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/CHANGELOG.md | 4 ++++ .../ql/src/change-notes/released/2.3.2.md | 3 +++ javascript/ql/src/codeql-pack.release.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.42.md | 3 +++ misc/suite-helpers/codeql-pack.release.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/CHANGELOG.md | 11 +++++++++ .../2025-09-30-azure_ssrf_models.md | 5 ---- ...2-05-fix-format-fill-character-misparse.md | 5 ---- python/ql/lib/change-notes/released/6.1.1.md | 10 ++++++++ python/ql/lib/codeql-pack.release.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/CHANGELOG.md | 4 ++++ python/ql/src/change-notes/released/1.7.7.md | 3 +++ python/ql/src/codeql-pack.release.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/CHANGELOG.md | 4 ++++ ruby/ql/lib/change-notes/released/5.1.10.md | 3 +++ ruby/ql/lib/codeql-pack.release.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/CHANGELOG.md | 4 ++++ ruby/ql/src/change-notes/released/1.5.7.md | 3 +++ ruby/ql/src/codeql-pack.release.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- rust/ql/lib/CHANGELOG.md | 4 ++++ rust/ql/lib/change-notes/released/0.2.6.md | 3 +++ rust/ql/lib/codeql-pack.release.yml | 2 +- rust/ql/lib/qlpack.yml | 2 +- rust/ql/src/CHANGELOG.md | 4 ++++ rust/ql/src/change-notes/released/0.1.27.md | 3 +++ rust/ql/src/codeql-pack.release.yml | 2 +- rust/ql/src/qlpack.yml | 2 +- shared/concepts/CHANGELOG.md | 4 ++++ .../concepts/change-notes/released/0.0.16.md | 3 +++ shared/concepts/codeql-pack.release.yml | 2 +- shared/concepts/qlpack.yml | 2 +- shared/controlflow/CHANGELOG.md | 4 ++++ .../change-notes/released/2.0.26.md | 3 +++ shared/controlflow/codeql-pack.release.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/CHANGELOG.md | 4 ++++ .../dataflow/change-notes/released/2.0.26.md | 3 +++ shared/dataflow/codeql-pack.release.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/CHANGELOG.md | 4 ++++ shared/mad/change-notes/released/1.0.42.md | 3 +++ shared/mad/codeql-pack.release.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/quantum/CHANGELOG.md | 4 ++++ .../quantum/change-notes/released/0.0.20.md | 3 +++ shared/quantum/codeql-pack.release.yml | 2 +- shared/quantum/qlpack.yml | 2 +- shared/rangeanalysis/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.42.md | 3 +++ shared/rangeanalysis/codeql-pack.release.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/CHANGELOG.md | 4 ++++ shared/regex/change-notes/released/1.0.42.md | 3 +++ shared/regex/codeql-pack.release.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/CHANGELOG.md | 4 ++++ shared/ssa/change-notes/released/2.0.18.md | 3 +++ shared/ssa/codeql-pack.release.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.42.md | 3 +++ shared/threat-models/codeql-pack.release.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/CHANGELOG.md | 4 ++++ .../tutorial/change-notes/released/1.0.42.md | 3 +++ shared/tutorial/codeql-pack.release.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/CHANGELOG.md | 4 ++++ .../typeflow/change-notes/released/1.0.42.md | 3 +++ shared/typeflow/codeql-pack.release.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typeinference/CHANGELOG.md | 4 ++++ .../change-notes/released/0.0.23.md | 3 +++ shared/typeinference/codeql-pack.release.yml | 2 +- shared/typeinference/qlpack.yml | 2 +- shared/typetracking/CHANGELOG.md | 4 ++++ .../change-notes/released/2.0.26.md | 3 +++ shared/typetracking/codeql-pack.release.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/CHANGELOG.md | 4 ++++ shared/typos/change-notes/released/1.0.42.md | 3 +++ shared/typos/codeql-pack.release.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/CHANGELOG.md | 4 ++++ shared/util/change-notes/released/2.0.29.md | 3 +++ shared/util/codeql-pack.release.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/CHANGELOG.md | 4 ++++ shared/xml/change-notes/released/1.0.42.md | 3 +++ shared/xml/codeql-pack.release.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/CHANGELOG.md | 4 ++++ shared/yaml/change-notes/released/1.0.42.md | 3 +++ shared/yaml/codeql-pack.release.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/CHANGELOG.md | 4 ++++ swift/ql/lib/change-notes/released/6.2.2.md | 3 +++ swift/ql/lib/codeql-pack.release.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/CHANGELOG.md | 4 ++++ swift/ql/src/change-notes/released/1.2.16.md | 3 +++ swift/ql/src/codeql-pack.release.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 174 files changed, 441 insertions(+), 142 deletions(-) create mode 100644 actions/ql/lib/change-notes/released/0.4.28.md create mode 100644 actions/ql/src/change-notes/released/0.6.20.md delete mode 100644 cpp/ql/lib/change-notes/2026-02-03-windows-remote-flow-sources.md create mode 100644 cpp/ql/lib/change-notes/released/7.1.1.md create mode 100644 cpp/ql/src/change-notes/released/1.5.11.md create mode 100644 csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.59.md create mode 100644 csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.59.md delete mode 100644 csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md rename csharp/ql/lib/change-notes/{2026-02-05-extension-types.md => released/5.4.7.md} (53%) rename csharp/ql/src/change-notes/{2026-02-04-csrf-inherited-attribute.md => released/1.6.2.md} (92%) create mode 100644 go/ql/consistency-queries/change-notes/released/1.0.42.md delete mode 100644 go/ql/lib/change-notes/2026-01-20-go-version-1-26.md rename go/ql/lib/change-notes/{2026-01-28-shared-basic-block-library.md => released/7.0.0.md} (80%) create mode 100644 go/ql/src/change-notes/released/1.5.6.md delete mode 100644 java/ql/lib/change-notes/2026-02-04-renames.md delete mode 100644 java/ql/lib/change-notes/2026-02-06-kotlin-2.3.10.md delete mode 100644 java/ql/lib/change-notes/2026-02-12-deprecate-unreachableblocks.md delete mode 100644 java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md delete mode 100644 java/ql/lib/change-notes/2026-02-14-pattern-annotation-log-injection-sanitizer.md create mode 100644 java/ql/lib/change-notes/released/8.1.0.md create mode 100644 java/ql/src/change-notes/released/1.10.7.md create mode 100644 javascript/ql/lib/change-notes/released/2.6.22.md create mode 100644 javascript/ql/src/change-notes/released/2.3.2.md create mode 100644 misc/suite-helpers/change-notes/released/1.0.42.md delete mode 100644 python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md delete mode 100644 python/ql/lib/change-notes/2026-02-05-fix-format-fill-character-misparse.md create mode 100644 python/ql/lib/change-notes/released/6.1.1.md create mode 100644 python/ql/src/change-notes/released/1.7.7.md create mode 100644 ruby/ql/lib/change-notes/released/5.1.10.md create mode 100644 ruby/ql/src/change-notes/released/1.5.7.md create mode 100644 rust/ql/lib/change-notes/released/0.2.6.md create mode 100644 rust/ql/src/change-notes/released/0.1.27.md create mode 100644 shared/concepts/change-notes/released/0.0.16.md create mode 100644 shared/controlflow/change-notes/released/2.0.26.md create mode 100644 shared/dataflow/change-notes/released/2.0.26.md create mode 100644 shared/mad/change-notes/released/1.0.42.md create mode 100644 shared/quantum/change-notes/released/0.0.20.md create mode 100644 shared/rangeanalysis/change-notes/released/1.0.42.md create mode 100644 shared/regex/change-notes/released/1.0.42.md create mode 100644 shared/ssa/change-notes/released/2.0.18.md create mode 100644 shared/threat-models/change-notes/released/1.0.42.md create mode 100644 shared/tutorial/change-notes/released/1.0.42.md create mode 100644 shared/typeflow/change-notes/released/1.0.42.md create mode 100644 shared/typeinference/change-notes/released/0.0.23.md create mode 100644 shared/typetracking/change-notes/released/2.0.26.md create mode 100644 shared/typos/change-notes/released/1.0.42.md create mode 100644 shared/util/change-notes/released/2.0.29.md create mode 100644 shared/xml/change-notes/released/1.0.42.md create mode 100644 shared/yaml/change-notes/released/1.0.42.md create mode 100644 swift/ql/lib/change-notes/released/6.2.2.md create mode 100644 swift/ql/src/change-notes/released/1.2.16.md diff --git a/actions/ql/lib/CHANGELOG.md b/actions/ql/lib/CHANGELOG.md index d2e85ddb6a2..1b41f2f2f5e 100644 --- a/actions/ql/lib/CHANGELOG.md +++ b/actions/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.4.28 + +No user-facing changes. + ## 0.4.27 ### Bug Fixes diff --git a/actions/ql/lib/change-notes/released/0.4.28.md b/actions/ql/lib/change-notes/released/0.4.28.md new file mode 100644 index 00000000000..af10bae2ab5 --- /dev/null +++ b/actions/ql/lib/change-notes/released/0.4.28.md @@ -0,0 +1,3 @@ +## 0.4.28 + +No user-facing changes. diff --git a/actions/ql/lib/codeql-pack.release.yml b/actions/ql/lib/codeql-pack.release.yml index 5e24b634389..ff6beb81526 100644 --- a/actions/ql/lib/codeql-pack.release.yml +++ b/actions/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.27 +lastReleaseVersion: 0.4.28 diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index d700f90710a..5725fb5f9aa 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.4.28-dev +version: 0.4.28 library: true warnOnImplicitThis: true dependencies: diff --git a/actions/ql/src/CHANGELOG.md b/actions/ql/src/CHANGELOG.md index ebf6b7214c9..c92b28841fa 100644 --- a/actions/ql/src/CHANGELOG.md +++ b/actions/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.6.20 + +No user-facing changes. + ## 0.6.19 No user-facing changes. diff --git a/actions/ql/src/change-notes/released/0.6.20.md b/actions/ql/src/change-notes/released/0.6.20.md new file mode 100644 index 00000000000..35c1118ff45 --- /dev/null +++ b/actions/ql/src/change-notes/released/0.6.20.md @@ -0,0 +1,3 @@ +## 0.6.20 + +No user-facing changes. diff --git a/actions/ql/src/codeql-pack.release.yml b/actions/ql/src/codeql-pack.release.yml index 2baec50a823..e30c5c64b1b 100644 --- a/actions/ql/src/codeql-pack.release.yml +++ b/actions/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.19 +lastReleaseVersion: 0.6.20 diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml index 7c19f90be06..e41369b5193 100644 --- a/actions/ql/src/qlpack.yml +++ b/actions/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-queries -version: 0.6.20-dev +version: 0.6.20 library: false warnOnImplicitThis: true groups: [actions, queries] diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 6f256c9499b..91f4b009b2b 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 7.1.1 + +### Minor Analysis Improvements + +* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++. + ## 7.1.0 ### New Features diff --git a/cpp/ql/lib/change-notes/2026-02-03-windows-remote-flow-sources.md b/cpp/ql/lib/change-notes/2026-02-03-windows-remote-flow-sources.md deleted file mode 100644 index 0a884df065a..00000000000 --- a/cpp/ql/lib/change-notes/2026-02-03-windows-remote-flow-sources.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++. \ No newline at end of file diff --git a/cpp/ql/lib/change-notes/released/7.1.1.md b/cpp/ql/lib/change-notes/released/7.1.1.md new file mode 100644 index 00000000000..16bba7ca508 --- /dev/null +++ b/cpp/ql/lib/change-notes/released/7.1.1.md @@ -0,0 +1,5 @@ +## 7.1.1 + +### Minor Analysis Improvements + +* Added remote flow source models for the `winhttp.h` windows header and the Azure SDK core library for C/C++. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index dcaaa76112a..8e970df6cae 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 7.1.0 +lastReleaseVersion: 7.1.1 diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index eeb5d0adf08..d2b42410887 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 7.1.1-dev +version: 7.1.1 groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md index 61792c6a700..640b66a910d 100644 --- a/cpp/ql/src/CHANGELOG.md +++ b/cpp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.5.11 + +No user-facing changes. + ## 1.5.10 No user-facing changes. diff --git a/cpp/ql/src/change-notes/released/1.5.11.md b/cpp/ql/src/change-notes/released/1.5.11.md new file mode 100644 index 00000000000..5f42fc9133d --- /dev/null +++ b/cpp/ql/src/change-notes/released/1.5.11.md @@ -0,0 +1,3 @@ +## 1.5.11 + +No user-facing changes. diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index fda54b31bff..7e8e8103d99 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.5.10 +lastReleaseVersion: 1.5.11 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index b374fb51f75..51a78ddd3fc 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.5.11-dev +version: 1.5.11 groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index 68238efa110..df4169a1174 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.59 + +No user-facing changes. + ## 1.7.58 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.59.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.59.md new file mode 100644 index 00000000000..7f6b5bd0256 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.59.md @@ -0,0 +1,3 @@ +## 1.7.59 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 422196097f2..45a32aec800 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.58 +lastReleaseVersion: 1.7.59 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index bc1e19c5d11..bb75fe4cfff 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.59-dev +version: 1.7.59 groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index 68238efa110..df4169a1174 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.59 + +No user-facing changes. + ## 1.7.58 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.59.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.59.md new file mode 100644 index 00000000000..7f6b5bd0256 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.59.md @@ -0,0 +1,3 @@ +## 1.7.59 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 422196097f2..45a32aec800 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.58 +lastReleaseVersion: 1.7.59 diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 87016f799ea..0ab19080276 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.59-dev +version: 1.7.59 groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index 2910824c1b7..21b19c8a09a 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,10 @@ +## 5.4.7 + +### Minor Analysis Improvements + +* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs. +* C# 14: Added support for `extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators. + ## 5.4.6 ### Minor Analysis Improvements diff --git a/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md b/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md deleted file mode 100644 index 750761fdf37..00000000000 --- a/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs. \ No newline at end of file diff --git a/csharp/ql/lib/change-notes/2026-02-05-extension-types.md b/csharp/ql/lib/change-notes/released/5.4.7.md similarity index 53% rename from csharp/ql/lib/change-notes/2026-02-05-extension-types.md rename to csharp/ql/lib/change-notes/released/5.4.7.md index c3f1a21a5ed..b7d268470a2 100644 --- a/csharp/ql/lib/change-notes/2026-02-05-extension-types.md +++ b/csharp/ql/lib/change-notes/released/5.4.7.md @@ -1,4 +1,6 @@ ---- -category: minorAnalysis ---- +## 5.4.7 + +### Minor Analysis Improvements + +* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs. * C# 14: Added support for `extension` members in the extractor, QL library, data flow, and Models as Data, covering extension methods, properties, and operators. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index 2f1d6ff78a8..4db516ab415 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.4.6 +lastReleaseVersion: 5.4.7 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 31fb2ca6618..d873c0c3b08 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 5.4.7-dev +version: 5.4.7 groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index d532951fadc..8f2e918ca55 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 1.6.2 + +### Bug Fixes + +* The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class. + ## 1.6.1 No user-facing changes. diff --git a/csharp/ql/src/change-notes/2026-02-04-csrf-inherited-attribute.md b/csharp/ql/src/change-notes/released/1.6.2.md similarity index 92% rename from csharp/ql/src/change-notes/2026-02-04-csrf-inherited-attribute.md rename to csharp/ql/src/change-notes/released/1.6.2.md index 7c9875fcdfd..696f2d0d859 100644 --- a/csharp/ql/src/change-notes/2026-02-04-csrf-inherited-attribute.md +++ b/csharp/ql/src/change-notes/released/1.6.2.md @@ -1,4 +1,5 @@ ---- -category: fix ---- +## 1.6.2 + +### Bug Fixes + * The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index ef7a789e0cf..5f5beb68311 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.6.1 +lastReleaseVersion: 1.6.2 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 492445c2374..7986040d2b6 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.6.2-dev +version: 1.6.2 groups: - csharp - queries diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md index d0c8171cdf6..e91058f491a 100644 --- a/go/ql/consistency-queries/CHANGELOG.md +++ b/go/ql/consistency-queries/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/go/ql/consistency-queries/change-notes/released/1.0.42.md b/go/ql/consistency-queries/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/go/ql/consistency-queries/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/go/ql/consistency-queries/codeql-pack.release.yml +++ b/go/ql/consistency-queries/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index 9db7c50224d..96304fa9a18 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.42-dev +version: 1.0.42 groups: - go - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 126058537ce..34751dc5d8a 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,13 @@ +## 7.0.0 + +### Breaking Changes + +* The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPredecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. + +### Major Analysis Improvements + +* Go 1.26 is now supported. + ## 6.0.1 ### Minor Analysis Improvements diff --git a/go/ql/lib/change-notes/2026-01-20-go-version-1-26.md b/go/ql/lib/change-notes/2026-01-20-go-version-1-26.md deleted file mode 100644 index 97f022480c4..00000000000 --- a/go/ql/lib/change-notes/2026-01-20-go-version-1-26.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: majorAnalysis ---- -* Go 1.26 is now supported. diff --git a/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md b/go/ql/lib/change-notes/released/7.0.0.md similarity index 80% rename from go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md rename to go/ql/lib/change-notes/released/7.0.0.md index f26aeb9c07a..602f9f36e35 100644 --- a/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md +++ b/go/ql/lib/change-notes/released/7.0.0.md @@ -1,4 +1,9 @@ ---- -category: breaking ---- +## 7.0.0 + +### Breaking Changes + * The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPredecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. + +### Major Analysis Improvements + +* Go 1.26 is now supported. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index d1f3c68c812..e0db21c7869 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.0.1 +lastReleaseVersion: 7.0.0 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 758bb94451c..94a5b04b390 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 6.0.2-dev +version: 7.0.0 groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index f2475a92207..95f203839c5 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.5.6 + +No user-facing changes. + ## 1.5.5 No user-facing changes. diff --git a/go/ql/src/change-notes/released/1.5.6.md b/go/ql/src/change-notes/released/1.5.6.md new file mode 100644 index 00000000000..17fb577dc9e --- /dev/null +++ b/go/ql/src/change-notes/released/1.5.6.md @@ -0,0 +1,3 @@ +## 1.5.6 + +No user-facing changes. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index 1c73e9d9ce9..9a0b3c9461b 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.5.5 +lastReleaseVersion: 1.5.6 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index cb2e964d440..43b5c67bc3f 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.5.6-dev +version: 1.5.6 groups: - go - queries diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index f238699b4e5..fb2908a561e 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -1,3 +1,24 @@ +## 8.1.0 + +### Deprecated APIs + +* The `UnreachableBlocks.qll` library has been deprecated. +* Renamed the following predicates to increase uniformity across languages. The `getBody` predicate already existed on `LoopStmt`, but is now properly inherited. + - `UnaryExpr.getExpr` to `getOperand`. + - `ConditionalExpr.getTrueExpr` to `getThen`. + - `ConditionalExpr.getFalseExpr` to `getElse`. + - `ReturnStmt.getResult` to `getExpr`. + - `WhileStmt.getStmt` to `getBody`. + - `DoStmt.getStmt` to `getBody`. + - `ForStmt.getStmt` to `getBody`. + - `EnhancedForStmt.getStmt` to `getBody`. + +### Minor Analysis Improvements + +* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for `java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with `@javax.validation.constraints.Pattern`. +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries. +* Kotlin versions up to 2.3.10 are now supported. + ## 8.0.0 ### Breaking Changes @@ -6,7 +27,7 @@ ### New Features -* Kotlin versions up to 2.3.0*x* are now supported. +* Kotlin versions up to 2.3.0 are now supported. ### Minor Analysis Improvements diff --git a/java/ql/lib/change-notes/2026-02-04-renames.md b/java/ql/lib/change-notes/2026-02-04-renames.md deleted file mode 100644 index 9392bcbb4f6..00000000000 --- a/java/ql/lib/change-notes/2026-02-04-renames.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -category: deprecated ---- -* Renamed the following predicates to increase uniformity across languages. The `getBody` predicate already existed on `LoopStmt`, but is now properly inherited. - - `UnaryExpr.getExpr` to `getOperand`. - - `ConditionalExpr.getTrueExpr` to `getThen`. - - `ConditionalExpr.getFalseExpr` to `getElse`. - - `ReturnStmt.getResult` to `getExpr`. - - `WhileStmt.getStmt` to `getBody`. - - `DoStmt.getStmt` to `getBody`. - - `ForStmt.getStmt` to `getBody`. - - `EnhancedForStmt.getStmt` to `getBody`. diff --git a/java/ql/lib/change-notes/2026-02-06-kotlin-2.3.10.md b/java/ql/lib/change-notes/2026-02-06-kotlin-2.3.10.md deleted file mode 100644 index 49b62ea6bbd..00000000000 --- a/java/ql/lib/change-notes/2026-02-06-kotlin-2.3.10.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Kotlin versions up to 2.3.10 are now supported. diff --git a/java/ql/lib/change-notes/2026-02-12-deprecate-unreachableblocks.md b/java/ql/lib/change-notes/2026-02-12-deprecate-unreachableblocks.md deleted file mode 100644 index 24748cbb09e..00000000000 --- a/java/ql/lib/change-notes/2026-02-12-deprecate-unreachableblocks.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: deprecated ---- -* The `UnreachableBlocks.qll` library has been deprecated. diff --git a/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md b/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md deleted file mode 100644 index 20d3d08b300..00000000000 --- a/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries. diff --git a/java/ql/lib/change-notes/2026-02-14-pattern-annotation-log-injection-sanitizer.md b/java/ql/lib/change-notes/2026-02-14-pattern-annotation-log-injection-sanitizer.md deleted file mode 100644 index ceff0714ab8..00000000000 --- a/java/ql/lib/change-notes/2026-02-14-pattern-annotation-log-injection-sanitizer.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for `java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with `@javax.validation.constraints.Pattern`. diff --git a/java/ql/lib/change-notes/released/8.1.0.md b/java/ql/lib/change-notes/released/8.1.0.md new file mode 100644 index 00000000000..e560747144d --- /dev/null +++ b/java/ql/lib/change-notes/released/8.1.0.md @@ -0,0 +1,20 @@ +## 8.1.0 + +### Deprecated APIs + +* The `UnreachableBlocks.qll` library has been deprecated. +* Renamed the following predicates to increase uniformity across languages. The `getBody` predicate already existed on `LoopStmt`, but is now properly inherited. + - `UnaryExpr.getExpr` to `getOperand`. + - `ConditionalExpr.getTrueExpr` to `getThen`. + - `ConditionalExpr.getFalseExpr` to `getElse`. + - `ReturnStmt.getResult` to `getExpr`. + - `WhileStmt.getStmt` to `getBody`. + - `DoStmt.getStmt` to `getBody`. + - `ForStmt.getStmt` to `getBody`. + - `EnhancedForStmt.getStmt` to `getBody`. + +### Minor Analysis Improvements + +* Using a regular expression to check that a string doesn't contain any line breaks is already a sanitizer for `java/log-injection`. Additional ways of doing the regular expression check are now recognised, including annotation with `@javax.validation.constraints.Pattern`. +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries. +* Kotlin versions up to 2.3.10 are now supported. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index 0f48687270d..59984961848 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 8.0.0 +lastReleaseVersion: 8.1.0 diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 177711350d5..2d891f9ac5f 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 8.0.1-dev +version: 8.1.0 groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index a7307229a49..20585a7e1cc 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.10.7 + +No user-facing changes. + ## 1.10.6 No user-facing changes. diff --git a/java/ql/src/change-notes/released/1.10.7.md b/java/ql/src/change-notes/released/1.10.7.md new file mode 100644 index 00000000000..14e7f9a8ecc --- /dev/null +++ b/java/ql/src/change-notes/released/1.10.7.md @@ -0,0 +1,3 @@ +## 1.10.7 + +No user-facing changes. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index 4e10f150f2e..6e2189b76c6 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.10.6 +lastReleaseVersion: 1.10.7 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index 792bb13eb32..2f9b4479008 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.10.7-dev +version: 1.10.7 groups: - java - queries diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index c599ea0799b..1d872998261 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.6.22 + +No user-facing changes. + ## 2.6.21 ### Minor Analysis Improvements diff --git a/javascript/ql/lib/change-notes/released/2.6.22.md b/javascript/ql/lib/change-notes/released/2.6.22.md new file mode 100644 index 00000000000..a8957942645 --- /dev/null +++ b/javascript/ql/lib/change-notes/released/2.6.22.md @@ -0,0 +1,3 @@ +## 2.6.22 + +No user-facing changes. diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index 872f4f9807c..205f738ae8d 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.6.21 +lastReleaseVersion: 2.6.22 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 830994432a5..30d166fb610 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.6.22-dev +version: 2.6.22 groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index 50da6325746..c08f0793935 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.3.2 + +No user-facing changes. + ## 2.3.1 No user-facing changes. diff --git a/javascript/ql/src/change-notes/released/2.3.2.md b/javascript/ql/src/change-notes/released/2.3.2.md new file mode 100644 index 00000000000..420587fa3dc --- /dev/null +++ b/javascript/ql/src/change-notes/released/2.3.2.md @@ -0,0 +1,3 @@ +## 2.3.2 + +No user-facing changes. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index 530699ffecc..f51e9b8563c 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.3.1 +lastReleaseVersion: 2.3.2 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 8fc055f61e1..5e72fce5432 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 2.3.2-dev +version: 2.3.2 groups: - javascript - queries diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md index 0d796d32439..2a81d5f40ba 100644 --- a/misc/suite-helpers/CHANGELOG.md +++ b/misc/suite-helpers/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/1.0.42.md b/misc/suite-helpers/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/misc/suite-helpers/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/misc/suite-helpers/codeql-pack.release.yml +++ b/misc/suite-helpers/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 28a63301e69..ba00d002da9 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.42-dev +version: 1.0.42 groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index a273dc2628b..76d2adf3a03 100644 --- a/python/ql/lib/CHANGELOG.md +++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,14 @@ +## 6.1.1 + +### Minor Analysis Improvements + +* Added request forgery sink models for the Azure SDK. +* Made it so that models-as-data sinks with the kind `request-forgery` contribute to the class `Http::Client::Request` which represents HTTP client requests. + +### Bug Fixes + +- Using `=` as a fill character in a format specifier (e.g `f"{x:=^20}"`) now no longer results in a syntax error during parsing. + ## 6.1.0 ### New Features diff --git a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md b/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md deleted file mode 100644 index 283b703a438..00000000000 --- a/python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Added request forgery sink models for the Azure SDK. -* Made it so that models-as-data sinks with the kind `request-forgery` contribute to the class `Http::Client::Request` which represents HTTP client requests. \ No newline at end of file diff --git a/python/ql/lib/change-notes/2026-02-05-fix-format-fill-character-misparse.md b/python/ql/lib/change-notes/2026-02-05-fix-format-fill-character-misparse.md deleted file mode 100644 index 8c0bd18c4dc..00000000000 --- a/python/ql/lib/change-notes/2026-02-05-fix-format-fill-character-misparse.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: fix ---- - -- Using `=` as a fill character in a format specifier (e.g `f"{x:=^20}"`) now no longer results in a syntax error during parsing. diff --git a/python/ql/lib/change-notes/released/6.1.1.md b/python/ql/lib/change-notes/released/6.1.1.md new file mode 100644 index 00000000000..ca4d1bf4684 --- /dev/null +++ b/python/ql/lib/change-notes/released/6.1.1.md @@ -0,0 +1,10 @@ +## 6.1.1 + +### Minor Analysis Improvements + +* Added request forgery sink models for the Azure SDK. +* Made it so that models-as-data sinks with the kind `request-forgery` contribute to the class `Http::Client::Request` which represents HTTP client requests. + +### Bug Fixes + +- Using `=` as a fill character in a format specifier (e.g `f"{x:=^20}"`) now no longer results in a syntax error during parsing. diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml index 22247782f3e..54acf3e5e47 100644 --- a/python/ql/lib/codeql-pack.release.yml +++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.1.0 +lastReleaseVersion: 6.1.1 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index 1ead7adb605..b00b30158be 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 6.1.1-dev +version: 6.1.1 groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index 3f9a869decc..a68b2d3b8db 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.7 + +No user-facing changes. + ## 1.7.6 No user-facing changes. diff --git a/python/ql/src/change-notes/released/1.7.7.md b/python/ql/src/change-notes/released/1.7.7.md new file mode 100644 index 00000000000..e1a2f3e1d9a --- /dev/null +++ b/python/ql/src/change-notes/released/1.7.7.md @@ -0,0 +1,3 @@ +## 1.7.7 + +No user-facing changes. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 1f68518dba9..df4010bd267 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.6 +lastReleaseVersion: 1.7.7 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index e6de4a768bf..dea81a83817 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.7.7-dev +version: 1.7.7 groups: - python - queries diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index 408f2f3144f..063e5f16211 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 5.1.10 + +No user-facing changes. + ## 5.1.9 ### Minor Analysis Improvements diff --git a/ruby/ql/lib/change-notes/released/5.1.10.md b/ruby/ql/lib/change-notes/released/5.1.10.md new file mode 100644 index 00000000000..f22ccf3e6e9 --- /dev/null +++ b/ruby/ql/lib/change-notes/released/5.1.10.md @@ -0,0 +1,3 @@ +## 5.1.10 + +No user-facing changes. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index f9bf2605261..9198af0dd6c 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.1.9 +lastReleaseVersion: 5.1.10 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 824d21e1331..a9e713a73e7 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 5.1.10-dev +version: 5.1.10 groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index fd5b24f166e..247072967e7 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.5.7 + +No user-facing changes. + ## 1.5.6 No user-facing changes. diff --git a/ruby/ql/src/change-notes/released/1.5.7.md b/ruby/ql/src/change-notes/released/1.5.7.md new file mode 100644 index 00000000000..c60c55034a6 --- /dev/null +++ b/ruby/ql/src/change-notes/released/1.5.7.md @@ -0,0 +1,3 @@ +## 1.5.7 + +No user-facing changes. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 9a0b3c9461b..227ac5febef 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.5.6 +lastReleaseVersion: 1.5.7 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 63d59fd0faa..20706f6f0ac 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.5.7-dev +version: 1.5.7 groups: - ruby - queries diff --git a/rust/ql/lib/CHANGELOG.md b/rust/ql/lib/CHANGELOG.md index b913efd02f0..3887b67b4df 100644 --- a/rust/ql/lib/CHANGELOG.md +++ b/rust/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.2.6 + +No user-facing changes. + ## 0.2.5 ### Minor Analysis Improvements diff --git a/rust/ql/lib/change-notes/released/0.2.6.md b/rust/ql/lib/change-notes/released/0.2.6.md new file mode 100644 index 00000000000..edaefe75481 --- /dev/null +++ b/rust/ql/lib/change-notes/released/0.2.6.md @@ -0,0 +1,3 @@ +## 0.2.6 + +No user-facing changes. diff --git a/rust/ql/lib/codeql-pack.release.yml b/rust/ql/lib/codeql-pack.release.yml index 211454ed306..248dd0f4594 100644 --- a/rust/ql/lib/codeql-pack.release.yml +++ b/rust/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.5 +lastReleaseVersion: 0.2.6 diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml index d87089914d3..c23251f51ef 100644 --- a/rust/ql/lib/qlpack.yml +++ b/rust/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-all -version: 0.2.6-dev +version: 0.2.6 groups: rust extractor: rust dbscheme: rust.dbscheme diff --git a/rust/ql/src/CHANGELOG.md b/rust/ql/src/CHANGELOG.md index fe96ab5baad..72f10e760fc 100644 --- a/rust/ql/src/CHANGELOG.md +++ b/rust/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.1.27 + +No user-facing changes. + ## 0.1.26 No user-facing changes. diff --git a/rust/ql/src/change-notes/released/0.1.27.md b/rust/ql/src/change-notes/released/0.1.27.md new file mode 100644 index 00000000000..3e409381bd9 --- /dev/null +++ b/rust/ql/src/change-notes/released/0.1.27.md @@ -0,0 +1,3 @@ +## 0.1.27 + +No user-facing changes. diff --git a/rust/ql/src/codeql-pack.release.yml b/rust/ql/src/codeql-pack.release.yml index e2396c0532f..35535ba43d5 100644 --- a/rust/ql/src/codeql-pack.release.yml +++ b/rust/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.26 +lastReleaseVersion: 0.1.27 diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml index 850f67e18a8..3ce8fab18ff 100644 --- a/rust/ql/src/qlpack.yml +++ b/rust/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-queries -version: 0.1.27-dev +version: 0.1.27 groups: - rust - queries diff --git a/shared/concepts/CHANGELOG.md b/shared/concepts/CHANGELOG.md index 29dba07c365..933fc5e7cd9 100644 --- a/shared/concepts/CHANGELOG.md +++ b/shared/concepts/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.16 + +No user-facing changes. + ## 0.0.15 No user-facing changes. diff --git a/shared/concepts/change-notes/released/0.0.16.md b/shared/concepts/change-notes/released/0.0.16.md new file mode 100644 index 00000000000..62b5521ea01 --- /dev/null +++ b/shared/concepts/change-notes/released/0.0.16.md @@ -0,0 +1,3 @@ +## 0.0.16 + +No user-facing changes. diff --git a/shared/concepts/codeql-pack.release.yml b/shared/concepts/codeql-pack.release.yml index dff35216fc6..a49f7be4cff 100644 --- a/shared/concepts/codeql-pack.release.yml +++ b/shared/concepts/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.15 +lastReleaseVersion: 0.0.16 diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml index 4cfa6918d19..fcce8c5cac3 100644 --- a/shared/concepts/qlpack.yml +++ b/shared/concepts/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/concepts -version: 0.0.16-dev +version: 0.0.16 groups: shared library: true dependencies: diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md index 1fd69b562a6..88666b4ad28 100644 --- a/shared/controlflow/CHANGELOG.md +++ b/shared/controlflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.26 + +No user-facing changes. + ## 2.0.25 No user-facing changes. diff --git a/shared/controlflow/change-notes/released/2.0.26.md b/shared/controlflow/change-notes/released/2.0.26.md new file mode 100644 index 00000000000..9b1fe95f577 --- /dev/null +++ b/shared/controlflow/change-notes/released/2.0.26.md @@ -0,0 +1,3 @@ +## 2.0.26 + +No user-facing changes. diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml index f54d8620118..63d57bef481 100644 --- a/shared/controlflow/codeql-pack.release.yml +++ b/shared/controlflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.25 +lastReleaseVersion: 2.0.26 diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 5ed22593368..99b79514512 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 2.0.26-dev +version: 2.0.26 groups: shared library: true dependencies: diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md index 49857928ffe..f9d35bda41d 100644 --- a/shared/dataflow/CHANGELOG.md +++ b/shared/dataflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.26 + +No user-facing changes. + ## 2.0.25 No user-facing changes. diff --git a/shared/dataflow/change-notes/released/2.0.26.md b/shared/dataflow/change-notes/released/2.0.26.md new file mode 100644 index 00000000000..9b1fe95f577 --- /dev/null +++ b/shared/dataflow/change-notes/released/2.0.26.md @@ -0,0 +1,3 @@ +## 2.0.26 + +No user-facing changes. diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml index f54d8620118..63d57bef481 100644 --- a/shared/dataflow/codeql-pack.release.yml +++ b/shared/dataflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.25 +lastReleaseVersion: 2.0.26 diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index de23fe3e38b..243db1c539c 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 2.0.26-dev +version: 2.0.26 groups: shared library: true dependencies: diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md index bc1ee96895c..7fe382ef31d 100644 --- a/shared/mad/CHANGELOG.md +++ b/shared/mad/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/mad/change-notes/released/1.0.42.md b/shared/mad/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/mad/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/mad/codeql-pack.release.yml +++ b/shared/mad/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index e1b46e5427c..358b90c92b5 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true dependencies: diff --git a/shared/quantum/CHANGELOG.md b/shared/quantum/CHANGELOG.md index d5252bfc0c4..7ac497bdb32 100644 --- a/shared/quantum/CHANGELOG.md +++ b/shared/quantum/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.20 + +No user-facing changes. + ## 0.0.19 No user-facing changes. diff --git a/shared/quantum/change-notes/released/0.0.20.md b/shared/quantum/change-notes/released/0.0.20.md new file mode 100644 index 00000000000..98daf20a59a --- /dev/null +++ b/shared/quantum/change-notes/released/0.0.20.md @@ -0,0 +1,3 @@ +## 0.0.20 + +No user-facing changes. diff --git a/shared/quantum/codeql-pack.release.yml b/shared/quantum/codeql-pack.release.yml index f406319f372..d2e86745bca 100644 --- a/shared/quantum/codeql-pack.release.yml +++ b/shared/quantum/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.19 +lastReleaseVersion: 0.0.20 diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml index d3129461a49..84b0091c243 100644 --- a/shared/quantum/qlpack.yml +++ b/shared/quantum/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/quantum -version: 0.0.20-dev +version: 0.0.20 groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/CHANGELOG.md b/shared/rangeanalysis/CHANGELOG.md index 3dde8baa4b0..56497c3d31e 100644 --- a/shared/rangeanalysis/CHANGELOG.md +++ b/shared/rangeanalysis/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/rangeanalysis/change-notes/released/1.0.42.md b/shared/rangeanalysis/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/rangeanalysis/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/rangeanalysis/codeql-pack.release.yml b/shared/rangeanalysis/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/rangeanalysis/codeql-pack.release.yml +++ b/shared/rangeanalysis/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index be9c067d84e..0220e237065 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true dependencies: diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md index 2e3dacffd92..48478854251 100644 --- a/shared/regex/CHANGELOG.md +++ b/shared/regex/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/regex/change-notes/released/1.0.42.md b/shared/regex/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/regex/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/regex/codeql-pack.release.yml +++ b/shared/regex/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index 93baefe6d78..915c2fb7c34 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true dependencies: diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md index 62c6ce297f9..49bac05febb 100644 --- a/shared/ssa/CHANGELOG.md +++ b/shared/ssa/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.18 + +No user-facing changes. + ## 2.0.17 No user-facing changes. diff --git a/shared/ssa/change-notes/released/2.0.18.md b/shared/ssa/change-notes/released/2.0.18.md new file mode 100644 index 00000000000..11e398dac31 --- /dev/null +++ b/shared/ssa/change-notes/released/2.0.18.md @@ -0,0 +1,3 @@ +## 2.0.18 + +No user-facing changes. diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml index a5f7c15c020..16342205c73 100644 --- a/shared/ssa/codeql-pack.release.yml +++ b/shared/ssa/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.17 +lastReleaseVersion: 2.0.18 diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index d5e6d266097..2c51888e512 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 2.0.18-dev +version: 2.0.18 groups: shared library: true dependencies: diff --git a/shared/threat-models/CHANGELOG.md b/shared/threat-models/CHANGELOG.md index d0c8171cdf6..e91058f491a 100644 --- a/shared/threat-models/CHANGELOG.md +++ b/shared/threat-models/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/threat-models/change-notes/released/1.0.42.md b/shared/threat-models/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/threat-models/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/threat-models/codeql-pack.release.yml b/shared/threat-models/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/threat-models/codeql-pack.release.yml +++ b/shared/threat-models/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 0ed1decf1d0..197379a2b2f 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.42-dev +version: 1.0.42 library: true groups: shared dataExtensions: diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md index 83380772573..4ecb5dcd241 100644 --- a/shared/tutorial/CHANGELOG.md +++ b/shared/tutorial/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/tutorial/change-notes/released/1.0.42.md b/shared/tutorial/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/tutorial/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/tutorial/codeql-pack.release.yml +++ b/shared/tutorial/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index 1e937c1f860..f7d1592cc2f 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/CHANGELOG.md b/shared/typeflow/CHANGELOG.md index caecb313a31..176ba027afe 100644 --- a/shared/typeflow/CHANGELOG.md +++ b/shared/typeflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/typeflow/change-notes/released/1.0.42.md b/shared/typeflow/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/typeflow/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/typeflow/codeql-pack.release.yml b/shared/typeflow/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/typeflow/codeql-pack.release.yml +++ b/shared/typeflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index f40dd352f6e..717d5e5c9a5 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true dependencies: diff --git a/shared/typeinference/CHANGELOG.md b/shared/typeinference/CHANGELOG.md index 356c331b5df..4d23ebe8abb 100644 --- a/shared/typeinference/CHANGELOG.md +++ b/shared/typeinference/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.23 + +No user-facing changes. + ## 0.0.22 No user-facing changes. diff --git a/shared/typeinference/change-notes/released/0.0.23.md b/shared/typeinference/change-notes/released/0.0.23.md new file mode 100644 index 00000000000..e89a1284bb8 --- /dev/null +++ b/shared/typeinference/change-notes/released/0.0.23.md @@ -0,0 +1,3 @@ +## 0.0.23 + +No user-facing changes. diff --git a/shared/typeinference/codeql-pack.release.yml b/shared/typeinference/codeql-pack.release.yml index 11aaa2243f5..cc2195603d8 100644 --- a/shared/typeinference/codeql-pack.release.yml +++ b/shared/typeinference/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.22 +lastReleaseVersion: 0.0.23 diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml index 927036035b5..e740633b852 100644 --- a/shared/typeinference/qlpack.yml +++ b/shared/typeinference/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.23-dev +version: 0.0.23 groups: shared library: true dependencies: diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md index 8504089f872..d5ca15b5be7 100644 --- a/shared/typetracking/CHANGELOG.md +++ b/shared/typetracking/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.26 + +No user-facing changes. + ## 2.0.25 No user-facing changes. diff --git a/shared/typetracking/change-notes/released/2.0.26.md b/shared/typetracking/change-notes/released/2.0.26.md new file mode 100644 index 00000000000..9b1fe95f577 --- /dev/null +++ b/shared/typetracking/change-notes/released/2.0.26.md @@ -0,0 +1,3 @@ +## 2.0.26 + +No user-facing changes. diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml index f54d8620118..63d57bef481 100644 --- a/shared/typetracking/codeql-pack.release.yml +++ b/shared/typetracking/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.25 +lastReleaseVersion: 2.0.26 diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index fcaed606ded..a8b74e13d69 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.26-dev +version: 2.0.26 groups: shared library: true dependencies: diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index cfbec562b14..9e886726714 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/typos/change-notes/released/1.0.42.md b/shared/typos/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/typos/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index de131d17f6b..c339ed16159 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md index 904aa45e034..de6fbcff12f 100644 --- a/shared/util/CHANGELOG.md +++ b/shared/util/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.29 + +No user-facing changes. + ## 2.0.28 No user-facing changes. diff --git a/shared/util/change-notes/released/2.0.29.md b/shared/util/change-notes/released/2.0.29.md new file mode 100644 index 00000000000..c8e5d5c3d05 --- /dev/null +++ b/shared/util/change-notes/released/2.0.29.md @@ -0,0 +1,3 @@ +## 2.0.29 + +No user-facing changes. diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml index ec5bd6ba369..1425cb159e4 100644 --- a/shared/util/codeql-pack.release.yml +++ b/shared/util/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.28 +lastReleaseVersion: 2.0.29 diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index def146658c0..81efc5bf9af 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.29-dev +version: 2.0.29 groups: shared library: true dependencies: null diff --git a/shared/xml/CHANGELOG.md b/shared/xml/CHANGELOG.md index 7a85ea45c7b..c642973980d 100644 --- a/shared/xml/CHANGELOG.md +++ b/shared/xml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/xml/change-notes/released/1.0.42.md b/shared/xml/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/xml/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/xml/codeql-pack.release.yml b/shared/xml/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/xml/codeql-pack.release.yml +++ b/shared/xml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index d12cff34fbe..e84e83a927e 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true dependencies: diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md index 78b636e0288..b2c9cee85a6 100644 --- a/shared/yaml/CHANGELOG.md +++ b/shared/yaml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.42 + +No user-facing changes. + ## 1.0.41 No user-facing changes. diff --git a/shared/yaml/change-notes/released/1.0.42.md b/shared/yaml/change-notes/released/1.0.42.md new file mode 100644 index 00000000000..821c38854a2 --- /dev/null +++ b/shared/yaml/change-notes/released/1.0.42.md @@ -0,0 +1,3 @@ +## 1.0.42 + +No user-facing changes. diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml index d496eab6eb9..53e8667626a 100644 --- a/shared/yaml/codeql-pack.release.yml +++ b/shared/yaml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.41 +lastReleaseVersion: 1.0.42 diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 5ba88d4abdb..263fd7d87a7 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.42-dev +version: 1.0.42 groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index f4fe2159e07..65446a02bf3 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 6.2.2 + +No user-facing changes. + ## 6.2.1 ### Minor Analysis Improvements diff --git a/swift/ql/lib/change-notes/released/6.2.2.md b/swift/ql/lib/change-notes/released/6.2.2.md new file mode 100644 index 00000000000..769c4987cc0 --- /dev/null +++ b/swift/ql/lib/change-notes/released/6.2.2.md @@ -0,0 +1,3 @@ +## 6.2.2 + +No user-facing changes. diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml index 8e36085279d..0d8f9cf7547 100644 --- a/swift/ql/lib/codeql-pack.release.yml +++ b/swift/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.2.1 +lastReleaseVersion: 6.2.2 diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 157e1334212..0f240082bf7 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 6.2.2-dev +version: 6.2.2 groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md index bf6367cf668..0b3d34fc0f5 100644 --- a/swift/ql/src/CHANGELOG.md +++ b/swift/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.2.16 + +No user-facing changes. + ## 1.2.15 No user-facing changes. diff --git a/swift/ql/src/change-notes/released/1.2.16.md b/swift/ql/src/change-notes/released/1.2.16.md new file mode 100644 index 00000000000..2cba5480d4e --- /dev/null +++ b/swift/ql/src/change-notes/released/1.2.16.md @@ -0,0 +1,3 @@ +## 1.2.16 + +No user-facing changes. diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml index df8980e5dd2..11aa69f2d7a 100644 --- a/swift/ql/src/codeql-pack.release.yml +++ b/swift/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.15 +lastReleaseVersion: 1.2.16 diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index bdac35f35b2..d6128248bd7 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.2.16-dev +version: 1.2.16 groups: - swift - queries From 2b78a7b256ace097aa9cbd06b4003dd8b214aabd Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 16 Feb 2026 15:21:30 +0100 Subject: [PATCH 069/110] C#: Add PartialEvent test case. --- .../partial/MethodIsPartial.expected | 14 +- .../ql/test/library-tests/partial/Partial.cs | 8 + .../library-tests/partial/Partial1.expected | 24 +-- .../library-tests/partial/Partial2.expected | 26 +-- .../partial/PartialAccessors.expected | 20 +- .../partial/PartialConstructors.expected | 6 +- .../partial/PartialEvents.expected | 2 + .../library-tests/partial/PartialEvents.ql | 7 + .../partial/PartialIndexers.expected | 4 +- .../partial/PartialMethodBody.expected | 6 +- .../partial/PartialProperties.expected | 4 +- .../library-tests/partial/PrintAst.expected | 178 ++++++++++-------- 12 files changed, 168 insertions(+), 131 deletions(-) create mode 100644 csharp/ql/test/library-tests/partial/PartialEvents.expected create mode 100644 csharp/ql/test/library-tests/partial/PartialEvents.ql diff --git a/csharp/ql/test/library-tests/partial/MethodIsPartial.expected b/csharp/ql/test/library-tests/partial/MethodIsPartial.expected index 4c0e905d8c5..a0f1f88fb98 100644 --- a/csharp/ql/test/library-tests/partial/MethodIsPartial.expected +++ b/csharp/ql/test/library-tests/partial/MethodIsPartial.expected @@ -1,7 +1,7 @@ -| Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | true | -| Partial.cs:5:17:5:23 | Method2 | false | -| Partial.cs:14:18:14:39 | PartialMethodWithBody1 | true | -| Partial.cs:15:17:15:23 | Method3 | false | -| Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 | true | -| Partial.cs:35:17:35:23 | Method4 | false | -| Partial.cs:40:17:40:23 | Method5 | false | +| Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | true | +| Partial.cs:7:17:7:23 | Method2 | false | +| Partial.cs:18:18:18:39 | PartialMethodWithBody1 | true | +| Partial.cs:19:17:19:23 | Method3 | false | +| Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | true | +| Partial.cs:42:17:42:23 | Method4 | false | +| Partial.cs:47:17:47:23 | Method5 | false | diff --git a/csharp/ql/test/library-tests/partial/Partial.cs b/csharp/ql/test/library-tests/partial/Partial.cs index 5a3e4af2e8c..8dd757fcd24 100644 --- a/csharp/ql/test/library-tests/partial/Partial.cs +++ b/csharp/ql/test/library-tests/partial/Partial.cs @@ -1,3 +1,5 @@ +using System; + partial class TwoPartClass { partial void PartialMethodWithBody1(); @@ -7,6 +9,8 @@ partial class TwoPartClass public partial object PartialProperty1 { get; set; } // Declaring declaration. public partial object this[int index] { get; set; } + // Declaring declaration. + public partial event EventHandler PartialEvent1; } partial class TwoPartClass @@ -27,6 +31,9 @@ partial class TwoPartClass get { return _backingArray[index]; } set { _backingArray[index] = value; } } + + // Implementation declaration. + public partial event EventHandler PartialEvent1 { add { } remove { } } } partial class OnePartPartialClass @@ -44,4 +51,5 @@ class NonPartialClass get { return null; } set { } } + public event EventHandler Event; } diff --git a/csharp/ql/test/library-tests/partial/Partial1.expected b/csharp/ql/test/library-tests/partial/Partial1.expected index 55dcaabcea7..3fd8b9e2fd4 100644 --- a/csharp/ql/test/library-tests/partial/Partial1.expected +++ b/csharp/ql/test/library-tests/partial/Partial1.expected @@ -1,14 +1,14 @@ -| Partial.cs:1:15:1:26 | TwoPartClass | -| Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | -| Partial.cs:12:15:12:26 | TwoPartClass | -| Partial.cs:14:18:14:39 | PartialMethodWithBody1 | -| Partial.cs:18:27:18:42 | PartialProperty1 | -| Partial.cs:20:9:20:11 | get_PartialProperty1 | -| Partial.cs:21:9:21:11 | set_PartialProperty1 | -| Partial.cs:25:27:25:30 | Item | -| Partial.cs:27:9:27:11 | get_Item | -| Partial.cs:28:9:28:11 | set_Item | -| Partial.cs:32:15:32:33 | OnePartPartialClass | -| Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 | +| Partial.cs:3:15:3:26 | TwoPartClass | +| Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | +| Partial.cs:16:15:16:26 | TwoPartClass | +| Partial.cs:18:18:18:39 | PartialMethodWithBody1 | +| Partial.cs:22:27:22:42 | PartialProperty1 | +| Partial.cs:24:9:24:11 | get_PartialProperty1 | +| Partial.cs:25:9:25:11 | set_PartialProperty1 | +| Partial.cs:29:27:29:30 | Item | +| Partial.cs:31:9:31:11 | get_Item | +| Partial.cs:32:9:32:11 | set_Item | +| Partial.cs:39:15:39:33 | OnePartPartialClass | +| Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | | PartialMultipleFiles2.cs:1:22:1:41 | PartialMultipleFiles | diff --git a/csharp/ql/test/library-tests/partial/Partial2.expected b/csharp/ql/test/library-tests/partial/Partial2.expected index 87194dd3f9e..8d608c26011 100644 --- a/csharp/ql/test/library-tests/partial/Partial2.expected +++ b/csharp/ql/test/library-tests/partial/Partial2.expected @@ -1,15 +1,15 @@ -| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:1:15:1:26 | | -| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | -| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:5:17:5:23 | Method2 | -| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:14:18:14:39 | PartialMethodWithBody1 | -| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:15:17:15:23 | Method3 | -| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:1:15:1:26 | | -| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | -| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:5:17:5:23 | Method2 | -| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:14:18:14:39 | PartialMethodWithBody1 | -| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:15:17:15:23 | Method3 | -| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:32:15:32:33 | | -| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 | -| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:35:17:35:23 | Method4 | +| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:3:15:3:26 | | +| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | +| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:7:17:7:23 | Method2 | +| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:18:18:18:39 | PartialMethodWithBody1 | +| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:19:17:19:23 | Method3 | +| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:3:15:3:26 | | +| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | +| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:7:17:7:23 | Method2 | +| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:18:18:18:39 | PartialMethodWithBody1 | +| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:19:17:19:23 | Method3 | +| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:39:15:39:33 | | +| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | +| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:42:17:42:23 | Method4 | | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | | | PartialMultipleFiles2.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | | diff --git a/csharp/ql/test/library-tests/partial/PartialAccessors.expected b/csharp/ql/test/library-tests/partial/PartialAccessors.expected index 2c69ed620ae..e9180ffce56 100644 --- a/csharp/ql/test/library-tests/partial/PartialAccessors.expected +++ b/csharp/ql/test/library-tests/partial/PartialAccessors.expected @@ -1,8 +1,12 @@ -| Partial.cs:20:9:20:11 | get_PartialProperty1 | true | -| Partial.cs:21:9:21:11 | set_PartialProperty1 | true | -| Partial.cs:27:9:27:11 | get_Item | true | -| Partial.cs:28:9:28:11 | set_Item | true | -| Partial.cs:41:30:41:32 | get_Property | false | -| Partial.cs:41:35:41:37 | set_Property | false | -| Partial.cs:44:9:44:11 | get_Item | false | -| Partial.cs:45:9:45:11 | set_Item | false | +| Partial.cs:13:39:13:51 | add_PartialEvent1 | false | +| Partial.cs:13:39:13:51 | remove_PartialEvent1 | false | +| Partial.cs:24:9:24:11 | get_PartialProperty1 | true | +| Partial.cs:25:9:25:11 | set_PartialProperty1 | true | +| Partial.cs:31:9:31:11 | get_Item | true | +| Partial.cs:32:9:32:11 | set_Item | true | +| Partial.cs:48:30:48:32 | get_Property | false | +| Partial.cs:48:35:48:37 | set_Property | false | +| Partial.cs:51:9:51:11 | get_Item | false | +| Partial.cs:52:9:52:11 | set_Item | false | +| Partial.cs:54:31:54:35 | add_Event | false | +| Partial.cs:54:31:54:35 | remove_Event | false | diff --git a/csharp/ql/test/library-tests/partial/PartialConstructors.expected b/csharp/ql/test/library-tests/partial/PartialConstructors.expected index 01779f1b81e..69cabb244f5 100644 --- a/csharp/ql/test/library-tests/partial/PartialConstructors.expected +++ b/csharp/ql/test/library-tests/partial/PartialConstructors.expected @@ -1,4 +1,4 @@ -| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:1:15:1:26 | {...} | -| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:32:15:32:33 | {...} | -| Partial.cs:38:7:38:21 | NonPartialClass | Partial.cs:38:7:38:21 | {...} | +| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:3:15:3:26 | {...} | +| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:39:15:39:33 | {...} | +| Partial.cs:45:7:45:21 | NonPartialClass | Partial.cs:45:7:45:21 | {...} | | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | {...} | diff --git a/csharp/ql/test/library-tests/partial/PartialEvents.expected b/csharp/ql/test/library-tests/partial/PartialEvents.expected new file mode 100644 index 00000000000..e3ee325248a --- /dev/null +++ b/csharp/ql/test/library-tests/partial/PartialEvents.expected @@ -0,0 +1,2 @@ +| Partial.cs:13:39:13:51 | PartialEvent1 | false | +| Partial.cs:54:31:54:35 | Event | false | diff --git a/csharp/ql/test/library-tests/partial/PartialEvents.ql b/csharp/ql/test/library-tests/partial/PartialEvents.ql new file mode 100644 index 00000000000..e9f45250266 --- /dev/null +++ b/csharp/ql/test/library-tests/partial/PartialEvents.ql @@ -0,0 +1,7 @@ +import csharp + +private boolean isPartial(Event e) { if e.isPartial() then result = true else result = false } + +from Event e +where e.fromSource() +select e, isPartial(e) diff --git a/csharp/ql/test/library-tests/partial/PartialIndexers.expected b/csharp/ql/test/library-tests/partial/PartialIndexers.expected index 151ed5aad03..be625fc4ad5 100644 --- a/csharp/ql/test/library-tests/partial/PartialIndexers.expected +++ b/csharp/ql/test/library-tests/partial/PartialIndexers.expected @@ -1,2 +1,2 @@ -| Partial.cs:25:27:25:30 | Item | true | -| Partial.cs:42:19:42:22 | Item | false | +| Partial.cs:29:27:29:30 | Item | true | +| Partial.cs:49:19:49:22 | Item | false | diff --git a/csharp/ql/test/library-tests/partial/PartialMethodBody.expected b/csharp/ql/test/library-tests/partial/PartialMethodBody.expected index b75a105bea0..a91a156cb62 100644 --- a/csharp/ql/test/library-tests/partial/PartialMethodBody.expected +++ b/csharp/ql/test/library-tests/partial/PartialMethodBody.expected @@ -1,3 +1,3 @@ -| Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | false | -| Partial.cs:14:18:14:39 | PartialMethodWithBody1 | true | -| Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 | false | +| Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | false | +| Partial.cs:18:18:18:39 | PartialMethodWithBody1 | true | +| Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | false | diff --git a/csharp/ql/test/library-tests/partial/PartialProperties.expected b/csharp/ql/test/library-tests/partial/PartialProperties.expected index 8d2dfc01e74..4686bbf087a 100644 --- a/csharp/ql/test/library-tests/partial/PartialProperties.expected +++ b/csharp/ql/test/library-tests/partial/PartialProperties.expected @@ -1,2 +1,2 @@ -| Partial.cs:18:27:18:42 | PartialProperty1 | true | -| Partial.cs:41:19:41:26 | Property | false | +| Partial.cs:22:27:22:42 | PartialProperty1 | true | +| Partial.cs:48:19:48:26 | Property | false | diff --git a/csharp/ql/test/library-tests/partial/PrintAst.expected b/csharp/ql/test/library-tests/partial/PrintAst.expected index 0729946b18b..90471e0a80c 100644 --- a/csharp/ql/test/library-tests/partial/PrintAst.expected +++ b/csharp/ql/test/library-tests/partial/PrintAst.expected @@ -1,94 +1,110 @@ Partial.cs: -# 1| [Class] TwoPartClass -# 4| 6: [Method] PartialMethodWithoutBody1 -# 4| -1: [TypeMention] Void -# 5| 7: [Method] Method2 +# 3| [Class] TwoPartClass +# 6| 6: [Method] PartialMethodWithoutBody1 +# 6| -1: [TypeMention] Void +# 7| 7: [Method] Method2 +# 7| -1: [TypeMention] Void +# 7| 4: [BlockStmt] {...} +# 13| 8: [Event] PartialEvent1 +# 13| -1: [TypeMention] EventHandler +# 13| 3: [AddEventAccessor] add_PartialEvent1 +#-----| 2: (Parameters) +# 13| 0: [Parameter] value +# 13| 4: [RemoveEventAccessor] remove_PartialEvent1 +#-----| 2: (Parameters) +# 13| 0: [Parameter] value +# 18| 9: [Method] PartialMethodWithBody1 # 5| -1: [TypeMention] Void -# 5| 4: [BlockStmt] {...} -# 14| 8: [Method] PartialMethodWithBody1 -# 3| -1: [TypeMention] Void -# 14| 4: [BlockStmt] {...} -# 15| 9: [Method] Method3 -# 15| -1: [TypeMention] Void -# 15| 4: [BlockStmt] {...} -# 16| 10: [Field] _backingField -# 16| -1: [TypeMention] object -# 18| 11: [Property] PartialProperty1 -# 7| -1: [TypeMention] object -# 18| -1: [TypeMention] object -# 20| 3: [Getter] get_PartialProperty1 -# 20| 4: [BlockStmt] {...} -# 20| 0: [ReturnStmt] return ...; -# 20| 0: [FieldAccess] access to field _backingField -# 21| 4: [Setter] set_PartialProperty1 -#-----| 2: (Parameters) -# 21| 0: [Parameter] value -# 21| 4: [BlockStmt] {...} -# 21| 0: [ExprStmt] ...; -# 21| 0: [AssignExpr] ... = ... -# 21| 0: [FieldAccess] access to field _backingField -# 21| 1: [ParameterAccess] access to parameter value -# 23| 12: [Field] _backingArray -# 23| -1: [TypeMention] Object[] -# 23| 1: [TypeMention] object -# 25| 13: [Indexer] Item +# 18| 4: [BlockStmt] {...} +# 19| 10: [Method] Method3 +# 19| -1: [TypeMention] Void +# 19| 4: [BlockStmt] {...} +# 20| 11: [Field] _backingField +# 20| -1: [TypeMention] object +# 22| 12: [Property] PartialProperty1 # 9| -1: [TypeMention] object -# 25| -1: [TypeMention] object +# 22| -1: [TypeMention] object +# 24| 3: [Getter] get_PartialProperty1 +# 24| 4: [BlockStmt] {...} +# 24| 0: [ReturnStmt] return ...; +# 24| 0: [FieldAccess] access to field _backingField +# 25| 4: [Setter] set_PartialProperty1 +#-----| 2: (Parameters) +# 25| 0: [Parameter] value +# 25| 4: [BlockStmt] {...} +# 25| 0: [ExprStmt] ...; +# 25| 0: [AssignExpr] ... = ... +# 25| 0: [FieldAccess] access to field _backingField +# 25| 1: [ParameterAccess] access to parameter value +# 27| 13: [Field] _backingArray +# 27| -1: [TypeMention] Object[] +# 27| 1: [TypeMention] object +# 29| 14: [Indexer] Item +# 11| -1: [TypeMention] object +# 29| -1: [TypeMention] object #-----| 1: (Parameters) -# 9| 0: [Parameter] index -# 9| -1: [TypeMention] int -# 25| -1: [TypeMention] int -# 27| 3: [Getter] get_Item +# 11| 0: [Parameter] index +# 11| -1: [TypeMention] int +# 29| -1: [TypeMention] int +# 31| 3: [Getter] get_Item #-----| 2: (Parameters) -# 25| 0: [Parameter] index -# 27| 4: [BlockStmt] {...} -# 27| 0: [ReturnStmt] return ...; -# 27| 0: [ArrayAccess] access to array element -# 27| -1: [FieldAccess] access to field _backingArray -# 27| 0: [ParameterAccess] access to parameter index -# 28| 4: [Setter] set_Item +# 29| 0: [Parameter] index +# 31| 4: [BlockStmt] {...} +# 31| 0: [ReturnStmt] return ...; +# 31| 0: [ArrayAccess] access to array element +# 31| -1: [FieldAccess] access to field _backingArray +# 31| 0: [ParameterAccess] access to parameter index +# 32| 4: [Setter] set_Item #-----| 2: (Parameters) -# 25| 0: [Parameter] index -# 28| 1: [Parameter] value -# 28| 4: [BlockStmt] {...} -# 28| 0: [ExprStmt] ...; -# 28| 0: [AssignExpr] ... = ... -# 28| 0: [ArrayAccess] access to array element -# 28| -1: [FieldAccess] access to field _backingArray -# 28| 0: [ParameterAccess] access to parameter index -# 28| 1: [ParameterAccess] access to parameter value -# 32| [Class] OnePartPartialClass -# 34| 6: [Method] PartialMethodWithoutBody2 -# 34| -1: [TypeMention] Void -# 35| 7: [Method] Method4 -# 35| -1: [TypeMention] Void -# 35| 4: [BlockStmt] {...} -# 38| [Class] NonPartialClass -# 40| 6: [Method] Method5 -# 40| -1: [TypeMention] Void -# 40| 4: [BlockStmt] {...} -# 41| 7: [Property] Property -# 41| -1: [TypeMention] object -# 41| 3: [Getter] get_Property -# 41| 4: [Setter] set_Property +# 29| 0: [Parameter] index +# 32| 1: [Parameter] value +# 32| 4: [BlockStmt] {...} +# 32| 0: [ExprStmt] ...; +# 32| 0: [AssignExpr] ... = ... +# 32| 0: [ArrayAccess] access to array element +# 32| -1: [FieldAccess] access to field _backingArray +# 32| 0: [ParameterAccess] access to parameter index +# 32| 1: [ParameterAccess] access to parameter value +# 39| [Class] OnePartPartialClass +# 41| 6: [Method] PartialMethodWithoutBody2 +# 41| -1: [TypeMention] Void +# 42| 7: [Method] Method4 +# 42| -1: [TypeMention] Void +# 42| 4: [BlockStmt] {...} +# 45| [Class] NonPartialClass +# 47| 6: [Method] Method5 +# 47| -1: [TypeMention] Void +# 47| 4: [BlockStmt] {...} +# 48| 7: [Property] Property +# 48| -1: [TypeMention] object +# 48| 3: [Getter] get_Property +# 48| 4: [Setter] set_Property #-----| 2: (Parameters) -# 41| 0: [Parameter] value -# 42| 8: [Indexer] Item -# 42| -1: [TypeMention] object +# 48| 0: [Parameter] value +# 49| 8: [Indexer] Item +# 49| -1: [TypeMention] object #-----| 1: (Parameters) -# 42| 0: [Parameter] index -# 42| -1: [TypeMention] int -# 44| 3: [Getter] get_Item +# 49| 0: [Parameter] index +# 49| -1: [TypeMention] int +# 51| 3: [Getter] get_Item #-----| 2: (Parameters) -# 42| 0: [Parameter] index -# 44| 4: [BlockStmt] {...} -# 44| 0: [ReturnStmt] return ...; -# 44| 0: [NullLiteral] null -# 45| 4: [Setter] set_Item +# 49| 0: [Parameter] index +# 51| 4: [BlockStmt] {...} +# 51| 0: [ReturnStmt] return ...; +# 51| 0: [NullLiteral] null +# 52| 4: [Setter] set_Item #-----| 2: (Parameters) -# 42| 0: [Parameter] index -# 45| 1: [Parameter] value -# 45| 4: [BlockStmt] {...} +# 49| 0: [Parameter] index +# 52| 1: [Parameter] value +# 52| 4: [BlockStmt] {...} +# 54| 9: [Event] Event +# 54| -1: [TypeMention] EventHandler +# 54| 3: [AddEventAccessor] add_Event +#-----| 2: (Parameters) +# 54| 0: [Parameter] value +# 54| 4: [RemoveEventAccessor] remove_Event +#-----| 2: (Parameters) +# 54| 0: [Parameter] value PartialMultipleFiles1.cs: # 1| [Class] PartialMultipleFiles PartialMultipleFiles2.cs: From eec47394972bb2955728dd702fb17c900ed8d824 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 16 Feb 2026 16:00:26 +0100 Subject: [PATCH 070/110] C#: Add viable callable test for partial event. --- .../ql/test/library-tests/dispatch/CallGraph.expected | 10 ++++++---- .../library-tests/dispatch/GetADynamicTarget.expected | 10 ++++++---- .../ql/test/library-tests/dispatch/ViableCallable.cs | 8 ++++++++ 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/csharp/ql/test/library-tests/dispatch/CallGraph.expected b/csharp/ql/test/library-tests/dispatch/CallGraph.expected index 4eed880f0a3..0ed729859a4 100644 --- a/csharp/ql/test/library-tests/dispatch/CallGraph.expected +++ b/csharp/ql/test/library-tests/dispatch/CallGraph.expected @@ -270,7 +270,9 @@ | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:637:21:637:21 | M | | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:646:21:646:21 | M | | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:648:21:648:21 | M | -| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:702:42:702:44 | get_Property | -| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:702:63:702:65 | set_Property | -| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:704:49:704:51 | get_Item | -| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:704:70:704:72 | set_Item | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:698:43:698:47 | add_Event | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:698:43:698:47 | remove_Event | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:42:703:44 | get_Property | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:63:703:65 | set_Property | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:49:705:51 | get_Item | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:70:705:72 | set_Item | diff --git a/csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected b/csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected index b38eed691b9..5d6b4be4f87 100644 --- a/csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected +++ b/csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected @@ -518,7 +518,9 @@ | ViableCallable.cs:683:9:683:16 | call to method M | C22+TestOverloadResolution2.M(Int32[]) | | ViableCallable.cs:687:9:687:16 | call to method M | C22+TestOverloadResolution1.M(List) | | ViableCallable.cs:687:9:687:16 | call to method M | C22+TestOverloadResolution2.M(List) | -| ViableCallable.cs:712:9:712:18 | access to property Property | C23+Partial1.set_Property(object) | -| ViableCallable.cs:715:13:715:22 | access to property Property | C23+Partial1.get_Property() | -| ViableCallable.cs:718:9:718:12 | access to indexer | C23+Partial1.set_Item(int, object) | -| ViableCallable.cs:721:13:721:16 | access to indexer | C23+Partial1.get_Item(int) | +| ViableCallable.cs:714:9:714:18 | access to property Property | C23+Partial1.set_Property(object) | +| ViableCallable.cs:717:13:717:22 | access to property Property | C23+Partial1.get_Property() | +| ViableCallable.cs:720:9:720:12 | access to indexer | C23+Partial1.set_Item(int, object) | +| ViableCallable.cs:723:13:723:16 | access to indexer | C23+Partial1.get_Item(int) | +| ViableCallable.cs:726:9:726:15 | access to event Event | C23+Partial1.add_Event(EventHandler) | +| ViableCallable.cs:729:9:729:15 | access to event Event | C23+Partial1.remove_Event(EventHandler) | diff --git a/csharp/ql/test/library-tests/dispatch/ViableCallable.cs b/csharp/ql/test/library-tests/dispatch/ViableCallable.cs index 99b4ec54a99..e904eb01a86 100644 --- a/csharp/ql/test/library-tests/dispatch/ViableCallable.cs +++ b/csharp/ql/test/library-tests/dispatch/ViableCallable.cs @@ -695,6 +695,7 @@ public class C23 public partial object Property { get; set; } public partial object this[int index] { get; set; } + public partial event EventHandler Event; } public partial class Partial1 @@ -702,6 +703,7 @@ public class C23 public partial object Property { get { return null; } set { } } public partial object this[int index] { get { return null; } set { } } + public partial event EventHandler Event { add { } remove { } } } public void Run1(Partial1 p) @@ -719,5 +721,11 @@ public class C23 // Viable callable: Partial1.get_Item(int) o = p[0]; + + // Viable callable: Partial1.add_Event + p.Event += (sender, e) => { }; + + // Viable callable: Partial1.remove_Event + p.Event -= (sender, e) => { }; } } From 9289ac283871d030a57abc1890611c076e8866d7 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 13 Feb 2026 16:24:06 +0100 Subject: [PATCH 071/110] C#: Support for partial event declarations. --- .../Semmle.Extraction.CSharp/Entities/Event.cs | 12 ++++++++---- .../Entities/EventAccessor.cs | 4 ++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs index bbd90989617..c93df9ccc4f 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs @@ -11,6 +11,10 @@ namespace Semmle.Extraction.CSharp.Entities private Event(Context cx, IEventSymbol init) : base(cx, init) { } + protected override IEventSymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol; + + public override Microsoft.CodeAnalysis.Location? ReportingLocation => BodyDeclaringSymbol.Locations.BestOrDefault(); + public override void WriteId(EscapingTextWriter trapFile) { trapFile.WriteSubId(ContainingType!); @@ -27,13 +31,13 @@ namespace Semmle.Extraction.CSharp.Entities var type = Type.Create(Context, Symbol.Type); trapFile.events(this, Symbol.GetName(), ContainingType!, type.TypeRef, Create(Context, Symbol.OriginalDefinition)); - var adder = Symbol.AddMethod; - var remover = Symbol.RemoveMethod; + var adder = BodyDeclaringSymbol.AddMethod; + var remover = BodyDeclaringSymbol.RemoveMethod; - if (!(adder is null)) + if (adder is not null) Method.Create(Context, adder); - if (!(remover is null)) + if (remover is not null) Method.Create(Context, remover); PopulateModifiers(trapFile); diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs index 254e7c76956..3e8ab9431be 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs @@ -13,6 +13,10 @@ namespace Semmle.Extraction.CSharp.Entities this.@event = @event; } + public override bool NeedsPopulation => + base.NeedsPopulation && + !Symbol.IsPartialDefinition; // Accessors always have an implementing declaration as well. + /// /// Gets the event symbol associated with accessor `symbol`, or `null` /// if there is no associated symbol. From 43c6e7d2500ea7518a55a8794bc7270c5f3b491b Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 16 Feb 2026 15:29:01 +0100 Subject: [PATCH 072/110] C#: Update test expected output. --- .../library-tests/dispatch/CallGraph.expected | 4 +-- .../library-tests/partial/Partial1.expected | 3 ++ .../partial/PartialAccessors.expected | 4 +-- .../partial/PartialEvents.expected | 2 +- .../library-tests/partial/PrintAst.expected | 30 ++++++++++--------- 5 files changed, 24 insertions(+), 19 deletions(-) diff --git a/csharp/ql/test/library-tests/dispatch/CallGraph.expected b/csharp/ql/test/library-tests/dispatch/CallGraph.expected index 0ed729859a4..2feb959dd86 100644 --- a/csharp/ql/test/library-tests/dispatch/CallGraph.expected +++ b/csharp/ql/test/library-tests/dispatch/CallGraph.expected @@ -270,9 +270,9 @@ | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:637:21:637:21 | M | | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:646:21:646:21 | M | | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:648:21:648:21 | M | -| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:698:43:698:47 | add_Event | -| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:698:43:698:47 | remove_Event | | ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:42:703:44 | get_Property | | ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:63:703:65 | set_Property | | ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:49:705:51 | get_Item | | ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:70:705:72 | set_Item | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:706:51:706:53 | add_Event | +| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:706:59:706:64 | remove_Event | diff --git a/csharp/ql/test/library-tests/partial/Partial1.expected b/csharp/ql/test/library-tests/partial/Partial1.expected index 3fd8b9e2fd4..fe8f5658f48 100644 --- a/csharp/ql/test/library-tests/partial/Partial1.expected +++ b/csharp/ql/test/library-tests/partial/Partial1.expected @@ -8,6 +8,9 @@ | Partial.cs:29:27:29:30 | Item | | Partial.cs:31:9:31:11 | get_Item | | Partial.cs:32:9:32:11 | set_Item | +| Partial.cs:36:39:36:51 | PartialEvent1 | +| Partial.cs:36:55:36:57 | add_PartialEvent1 | +| Partial.cs:36:63:36:68 | remove_PartialEvent1 | | Partial.cs:39:15:39:33 | OnePartPartialClass | | Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | diff --git a/csharp/ql/test/library-tests/partial/PartialAccessors.expected b/csharp/ql/test/library-tests/partial/PartialAccessors.expected index e9180ffce56..a9d70645420 100644 --- a/csharp/ql/test/library-tests/partial/PartialAccessors.expected +++ b/csharp/ql/test/library-tests/partial/PartialAccessors.expected @@ -1,9 +1,9 @@ -| Partial.cs:13:39:13:51 | add_PartialEvent1 | false | -| Partial.cs:13:39:13:51 | remove_PartialEvent1 | false | | Partial.cs:24:9:24:11 | get_PartialProperty1 | true | | Partial.cs:25:9:25:11 | set_PartialProperty1 | true | | Partial.cs:31:9:31:11 | get_Item | true | | Partial.cs:32:9:32:11 | set_Item | true | +| Partial.cs:36:55:36:57 | add_PartialEvent1 | true | +| Partial.cs:36:63:36:68 | remove_PartialEvent1 | true | | Partial.cs:48:30:48:32 | get_Property | false | | Partial.cs:48:35:48:37 | set_Property | false | | Partial.cs:51:9:51:11 | get_Item | false | diff --git a/csharp/ql/test/library-tests/partial/PartialEvents.expected b/csharp/ql/test/library-tests/partial/PartialEvents.expected index e3ee325248a..b12f8a07a9d 100644 --- a/csharp/ql/test/library-tests/partial/PartialEvents.expected +++ b/csharp/ql/test/library-tests/partial/PartialEvents.expected @@ -1,2 +1,2 @@ -| Partial.cs:13:39:13:51 | PartialEvent1 | false | +| Partial.cs:36:39:36:51 | PartialEvent1 | true | | Partial.cs:54:31:54:35 | Event | false | diff --git a/csharp/ql/test/library-tests/partial/PrintAst.expected b/csharp/ql/test/library-tests/partial/PrintAst.expected index 90471e0a80c..315de869fb3 100644 --- a/csharp/ql/test/library-tests/partial/PrintAst.expected +++ b/csharp/ql/test/library-tests/partial/PrintAst.expected @@ -5,23 +5,15 @@ Partial.cs: # 7| 7: [Method] Method2 # 7| -1: [TypeMention] Void # 7| 4: [BlockStmt] {...} -# 13| 8: [Event] PartialEvent1 -# 13| -1: [TypeMention] EventHandler -# 13| 3: [AddEventAccessor] add_PartialEvent1 -#-----| 2: (Parameters) -# 13| 0: [Parameter] value -# 13| 4: [RemoveEventAccessor] remove_PartialEvent1 -#-----| 2: (Parameters) -# 13| 0: [Parameter] value -# 18| 9: [Method] PartialMethodWithBody1 +# 18| 8: [Method] PartialMethodWithBody1 # 5| -1: [TypeMention] Void # 18| 4: [BlockStmt] {...} -# 19| 10: [Method] Method3 +# 19| 9: [Method] Method3 # 19| -1: [TypeMention] Void # 19| 4: [BlockStmt] {...} -# 20| 11: [Field] _backingField +# 20| 10: [Field] _backingField # 20| -1: [TypeMention] object -# 22| 12: [Property] PartialProperty1 +# 22| 11: [Property] PartialProperty1 # 9| -1: [TypeMention] object # 22| -1: [TypeMention] object # 24| 3: [Getter] get_PartialProperty1 @@ -36,10 +28,10 @@ Partial.cs: # 25| 0: [AssignExpr] ... = ... # 25| 0: [FieldAccess] access to field _backingField # 25| 1: [ParameterAccess] access to parameter value -# 27| 13: [Field] _backingArray +# 27| 12: [Field] _backingArray # 27| -1: [TypeMention] Object[] # 27| 1: [TypeMention] object -# 29| 14: [Indexer] Item +# 29| 13: [Indexer] Item # 11| -1: [TypeMention] object # 29| -1: [TypeMention] object #-----| 1: (Parameters) @@ -65,6 +57,16 @@ Partial.cs: # 32| -1: [FieldAccess] access to field _backingArray # 32| 0: [ParameterAccess] access to parameter index # 32| 1: [ParameterAccess] access to parameter value +# 36| 14: [Event] PartialEvent1 +# 13| -1: [TypeMention] EventHandler +# 36| 3: [AddEventAccessor] add_PartialEvent1 +#-----| 2: (Parameters) +# 36| 0: [Parameter] value +# 36| 4: [BlockStmt] {...} +# 36| 4: [RemoveEventAccessor] remove_PartialEvent1 +#-----| 2: (Parameters) +# 36| 0: [Parameter] value +# 36| 4: [BlockStmt] {...} # 39| [Class] OnePartPartialClass # 41| 6: [Method] PartialMethodWithoutBody2 # 41| -1: [TypeMention] Void From c29bac2bc19409afda9bf777c9258f348128249f Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 16 Feb 2026 16:13:06 +0100 Subject: [PATCH 073/110] C#: Add change-note. --- csharp/ql/lib/change-notes/2026-02-16-partial-events.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2026-02-16-partial-events.md diff --git a/csharp/ql/lib/change-notes/2026-02-16-partial-events.md b/csharp/ql/lib/change-notes/2026-02-16-partial-events.md new file mode 100644 index 00000000000..3bbc1ae829a --- /dev/null +++ b/csharp/ql/lib/change-notes/2026-02-16-partial-events.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* C# 14: Added support for partial events. From 26a1f4888a7fc82e3361d880e0abb31a8c52f5b4 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 16 Feb 2026 17:19:44 +0100 Subject: [PATCH 074/110] C++: Modernize `MustFlow` using parameterized modules --- .../semmle/code/cpp/ir/dataflow/MustFlow.qll | 505 +++++++++--------- .../ReturnStackAllocatedMemory.ql | 24 +- .../Memory Management/UninitializedLocal.ql | 21 +- cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql | 26 +- 4 files changed, 282 insertions(+), 294 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll index b085440f6bc..07e79a907c7 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll @@ -7,290 +7,279 @@ private import cpp private import semmle.code.cpp.ir.IR -/** - * A configuration of a data flow analysis that performs must-flow analysis. This is different - * from `DataFlow.qll` which performs may-flow analysis (i.e., it finds paths where the source _may_ - * flow to the sink). - * - * Like in `DataFlow.qll`, each use of the `MustFlow.qll` library must define its own unique extension - * of this abstract class. To create a configuration, extend this class with a subclass whose - * characteristic predicate is a unique singleton string and override `isSource`, `isSink` (and - * `isAdditionalFlowStep` if additional steps are required). - */ -abstract class MustFlowConfiguration extends string { - bindingset[this] - MustFlowConfiguration() { any() } - +module MustFlow { /** - * Holds if `source` is a relevant data flow source. + * An input configuration of a data flow analysis that performs must-flow analysis. This is different + * from `DataFlow.qll` which performs may-flow analysis (i.e., it finds paths where the source _may_ + * flow to the sink). */ - abstract predicate isSource(Instruction source); + signature module ConfigSig { + /** + * Holds if `source` is a relevant data flow source. + */ + predicate isSource(Instruction source); - /** - * Holds if `sink` is a relevant data flow sink. - */ - abstract predicate isSink(Operand sink); + /** + * Holds if `sink` is a relevant data flow sink. + */ + predicate isSink(Operand sink); - /** - * Holds if data flow through `instr` is prohibited. - */ - predicate isBarrier(Instruction instr) { none() } + /** + * Holds if data flow through `instr` is prohibited. + */ + default predicate isBarrier(Instruction instr) { none() } - /** - * Holds if the additional flow step from `node1` to `node2` must be taken - * into account in the analysis. - */ - predicate isAdditionalFlowStep(Operand node1, Instruction node2) { none() } + /** + * Holds if the additional flow step from `node1` to `node2` must be taken + * into account in the analysis. + */ + default predicate isAdditionalFlowStep(Operand node1, Instruction node2) { none() } - /** Holds if this configuration allows flow from arguments to parameters. */ - predicate allowInterproceduralFlow() { any() } - - /** - * Holds if data must flow from `source` to `sink` for this configuration. - * - * The corresponding paths are generated from the end-points and the graph - * included in the module `PathGraph`. - */ - final predicate hasFlowPath(MustFlowPathNode source, MustFlowPathSink sink) { - this.isSource(source.getInstruction()) and - source.getASuccessor*() = sink - } -} - -/** Holds if `node` flows from a source. */ -pragma[nomagic] -private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) { - not config.isBarrier(node) and - ( - config.isSource(node) - or - exists(Instruction mid | - step(mid, node, config) and - flowsFromSource(mid, pragma[only_bind_into](config)) - ) - ) -} - -/** Holds if `node` flows to a sink. */ -pragma[nomagic] -private predicate flowsToSink(Instruction node, MustFlowConfiguration config) { - flowsFromSource(node, pragma[only_bind_into](config)) and - ( - config.isSink(node.getAUse()) - or - exists(Instruction mid | - step(node, mid, config) and - flowsToSink(mid, pragma[only_bind_into](config)) - ) - ) -} - -cached -private module Cached { - /** Holds if `p` is the `n`'th parameter of the non-virtual function `f`. */ - private predicate parameterOf(Parameter p, Function f, int n) { - not f.isVirtual() and f.getParameter(n) = p + /** Holds if this configuration allows flow from arguments to parameters. */ + default predicate allowInterproceduralFlow() { any() } } - /** - * Holds if `instr` is the `n`'th argument to a call to the non-virtual function `f`, and - * `init` is the corresponding initialization instruction that receives the value of `instr` in `f`. - */ - private predicate flowIntoParameter( - Function f, int n, CallInstruction call, Instruction instr, InitializeParameterInstruction init - ) { - not f.isVirtual() and - call.getPositionalArgument(n) = instr and - f = call.getStaticCallTarget() and - getEnclosingNonVirtualFunctionInitializeParameter(init, f) and - init.getParameter().getIndex() = pragma[only_bind_into](pragma[only_bind_out](n)) - } + module Global { + import Config - /** - * Holds if `instr` is an argument to a call to the function `f`, and `init` is the - * corresponding initialization instruction that receives the value of `instr` in `f`. - */ - pragma[noinline] - private predicate getPositionalArgumentInitParam( - CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f - ) { - exists(int n | - parameterOf(_, f, n) and - flowIntoParameter(f, pragma[only_bind_into](pragma[only_bind_out](n)), call, instr, init) - ) - } + /** + * Holds if data must flow from `source` to `sink`. + * + * The corresponding paths are generated from the end-points and the graph + * included in the module `PathGraph`. + */ + predicate flowPath(PathNode source, PathSink sink) { + isSource(source.getInstruction()) and + source.getASuccessor*() = sink + } - /** - * Holds if `instr` is the qualifier to a call to the non-virtual function `f`, and - * `init` is the corresponding initialization instruction that receives the value of - * `instr` in `f`. - */ - pragma[noinline] - private predicate getThisArgumentInitParam( - CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f - ) { - not f.isVirtual() and - call.getStaticCallTarget() = f and - getEnclosingNonVirtualFunctionInitializeParameter(init, f) and - call.getThisArgument() = instr and - init.getIRVariable() instanceof IRThisVariable - } + /** Holds if `node` flows from a source. */ + pragma[nomagic] + private predicate flowsFromSource(Instruction node) { + not isBarrier(node) and + ( + isSource(node) + or + exists(Instruction mid | + step(mid, node) and + flowsFromSource(mid) + ) + ) + } - /** Holds if `f` is the enclosing non-virtual function of `init`. */ - private predicate getEnclosingNonVirtualFunctionInitializeParameter( - InitializeParameterInstruction init, Function f - ) { - not f.isVirtual() and - init.getEnclosingFunction() = f - } + /** Holds if `node` flows to a sink. */ + pragma[nomagic] + private predicate flowsToSink(Instruction node) { + flowsFromSource(node) and + ( + isSink(node.getAUse()) + or + exists(Instruction mid | + step(node, mid) and + flowsToSink(mid) + ) + ) + } - /** Holds if `f` is the enclosing non-virtual function of `init`. */ - private predicate getEnclosingNonVirtualFunctionInitializeIndirection( - InitializeIndirectionInstruction init, Function f - ) { - not f.isVirtual() and - init.getEnclosingFunction() = f - } + /** + * Gets the enclosing callable of `n`. Unlike `n.getEnclosingCallable()`, this + * predicate ensures that joins go from `n` to the result instead of the other + * way around. + */ + pragma[inline] + private IRFunction getEnclosingCallable(Instruction n) { + pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingIRFunction() + } - /** - * Holds if `instr` is an argument (or argument indirection) to a call, and - * `succ` is the corresponding initialization instruction in the call target. - */ - private predicate flowThroughCallable(Instruction argument, Instruction parameter) { - // Flow from an argument to a parameter - exists(CallInstruction call, InitializeParameterInstruction init | init = parameter | - getPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) - or - getThisArgumentInitParam(call, argument, init, call.getStaticCallTarget()) - ) - or - // Flow from argument indirection to parameter indirection - exists( - CallInstruction call, ReadSideEffectInstruction read, InitializeIndirectionInstruction init - | - init = parameter and - read.getPrimaryInstruction() = call and - getEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget()) - | - exists(int n | - read.getSideEffectOperand().getAnyDef() = argument and - read.getIndex() = pragma[only_bind_into](n) and - init.getParameter().getIndex() = pragma[only_bind_into](n) + /** Holds if `nodeFrom` flows to `nodeTo`. */ + private predicate step(Instruction nodeFrom, Instruction nodeTo) { + Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and + ( + allowInterproceduralFlow() + or + getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo) ) or - call.getThisArgument() = argument and - init.getIRVariable() instanceof IRThisVariable - ) - } + isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo) + } - private predicate instructionToOperandStep(Instruction instr, Operand operand) { - operand.getDef() = instr - } + private newtype TLocalPathNode = + MkLocalPathNode(Instruction n) { + flowsToSink(n) and + ( + isSource(n) + or + exists(PathNode mid | step(mid.getInstruction(), n)) + ) + } - /** - * Holds if data flows from `operand` to `instr`. - * - * This predicate ignores flow through `PhiInstruction`s to create a 'must flow' relation. - */ - private predicate operandToInstructionStep(Operand operand, Instruction instr) { - instr.(CopyInstruction).getSourceValueOperand() = operand - or - instr.(ConvertInstruction).getUnaryOperand() = operand - or - instr.(CheckedConvertOrNullInstruction).getUnaryOperand() = operand - or - instr.(InheritanceConversionInstruction).getUnaryOperand() = operand - or - instr.(ChiInstruction).getTotalOperand() = operand + /** A `Node` that is in a path from a source to a sink. */ + class PathNode extends TLocalPathNode { + Instruction n; + + PathNode() { this = MkLocalPathNode(n) } + + /** Gets the underlying node. */ + Instruction getInstruction() { result = n } + + /** Gets a textual representation of this node. */ + string toString() { result = n.getAst().toString() } + + /** Gets the location of this element. */ + Location getLocation() { result = n.getLocation() } + + /** Gets a successor node, if any. */ + PathNode getASuccessor() { step(this.getInstruction(), result.getInstruction()) } + } + + private class PathSink extends PathNode { + PathSink() { isSink(this.getInstruction().getAUse()) } + } + + /** + * Provides the query predicates needed to include a graph in a path-problem query. + */ + module PathGraph { + private predicate reach(PathNode n) { n instanceof PathSink or reach(n.getASuccessor()) } + + /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */ + query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) } + + /** Holds if `n` is a node in the graph of data flow path explanations. */ + query predicate nodes(PathNode n, string key, string val) { + reach(n) and key = "semmle.label" and val = n.toString() + } + } } cached - predicate step(Instruction nodeFrom, Instruction nodeTo) { - exists(Operand mid | - instructionToOperandStep(nodeFrom, mid) and - operandToInstructionStep(mid, nodeTo) - ) - or - flowThroughCallable(nodeFrom, nodeTo) - } -} + private module Cached { + /** Holds if `p` is the `n`'th parameter of the non-virtual function `f`. */ + private predicate parameterOf(Parameter p, Function f, int n) { + not f.isVirtual() and f.getParameter(n) = p + } -/** - * Gets the enclosing callable of `n`. Unlike `n.getEnclosingCallable()`, this - * predicate ensures that joins go from `n` to the result instead of the other - * way around. - */ -pragma[inline] -private IRFunction getEnclosingCallable(Instruction n) { - pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingIRFunction() -} + /** + * Holds if `instr` is the `n`'th argument to a call to the non-virtual function `f`, and + * `init` is the corresponding initialization instruction that receives the value of `instr` in `f`. + */ + private predicate flowIntoParameter( + Function f, int n, CallInstruction call, Instruction instr, + InitializeParameterInstruction init + ) { + not f.isVirtual() and + call.getPositionalArgument(n) = instr and + f = call.getStaticCallTarget() and + getEnclosingNonVirtualFunctionInitializeParameter(init, f) and + init.getParameter().getIndex() = pragma[only_bind_into](pragma[only_bind_out](n)) + } -/** Holds if `nodeFrom` flows to `nodeTo`. */ -private predicate step(Instruction nodeFrom, Instruction nodeTo, MustFlowConfiguration config) { - exists(config) and - Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and - ( - config.allowInterproceduralFlow() - or - getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo) - ) - or - config.isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo) -} + /** + * Holds if `instr` is an argument to a call to the function `f`, and `init` is the + * corresponding initialization instruction that receives the value of `instr` in `f`. + */ + pragma[noinline] + private predicate getPositionalArgumentInitParam( + CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f + ) { + exists(int n | + parameterOf(_, f, n) and + flowIntoParameter(f, pragma[only_bind_into](pragma[only_bind_out](n)), call, instr, init) + ) + } -private newtype TLocalPathNode = - MkLocalPathNode(Instruction n, MustFlowConfiguration config) { - flowsToSink(n, config) and - ( - config.isSource(n) + /** + * Holds if `instr` is the qualifier to a call to the non-virtual function `f`, and + * `init` is the corresponding initialization instruction that receives the value of + * `instr` in `f`. + */ + pragma[noinline] + private predicate getThisArgumentInitParam( + CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f + ) { + not f.isVirtual() and + call.getStaticCallTarget() = f and + getEnclosingNonVirtualFunctionInitializeParameter(init, f) and + call.getThisArgument() = instr and + init.getIRVariable() instanceof IRThisVariable + } + + /** Holds if `f` is the enclosing non-virtual function of `init`. */ + private predicate getEnclosingNonVirtualFunctionInitializeParameter( + InitializeParameterInstruction init, Function f + ) { + not f.isVirtual() and + init.getEnclosingFunction() = f + } + + /** Holds if `f` is the enclosing non-virtual function of `init`. */ + private predicate getEnclosingNonVirtualFunctionInitializeIndirection( + InitializeIndirectionInstruction init, Function f + ) { + not f.isVirtual() and + init.getEnclosingFunction() = f + } + + /** + * Holds if `instr` is an argument (or argument indirection) to a call, and + * `succ` is the corresponding initialization instruction in the call target. + */ + private predicate flowThroughCallable(Instruction argument, Instruction parameter) { + // Flow from an argument to a parameter + exists(CallInstruction call, InitializeParameterInstruction init | init = parameter | + getPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) + or + getThisArgumentInitParam(call, argument, init, call.getStaticCallTarget()) + ) or - exists(MustFlowPathNode mid | step(mid.getInstruction(), n, config)) - ) - } + // Flow from argument indirection to parameter indirection + exists( + CallInstruction call, ReadSideEffectInstruction read, InitializeIndirectionInstruction init + | + init = parameter and + read.getPrimaryInstruction() = call and + getEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget()) + | + exists(int n | + read.getSideEffectOperand().getAnyDef() = argument and + read.getIndex() = pragma[only_bind_into](n) and + init.getParameter().getIndex() = pragma[only_bind_into](n) + ) + or + call.getThisArgument() = argument and + init.getIRVariable() instanceof IRThisVariable + ) + } -/** A `Node` that is in a path from a source to a sink. */ -class MustFlowPathNode extends TLocalPathNode { - Instruction n; + private predicate instructionToOperandStep(Instruction instr, Operand operand) { + operand.getDef() = instr + } - MustFlowPathNode() { this = MkLocalPathNode(n, _) } + /** + * Holds if data flows from `operand` to `instr`. + * + * This predicate ignores flow through `PhiInstruction`s to create a 'must flow' relation. + */ + private predicate operandToInstructionStep(Operand operand, Instruction instr) { + instr.(CopyInstruction).getSourceValueOperand() = operand + or + instr.(ConvertInstruction).getUnaryOperand() = operand + or + instr.(CheckedConvertOrNullInstruction).getUnaryOperand() = operand + or + instr.(InheritanceConversionInstruction).getUnaryOperand() = operand + or + instr.(ChiInstruction).getTotalOperand() = operand + } - /** Gets the underlying node. */ - Instruction getInstruction() { result = n } - - /** Gets a textual representation of this node. */ - string toString() { result = n.getAst().toString() } - - /** Gets the location of this element. */ - Location getLocation() { result = n.getLocation() } - - /** Gets a successor node, if any. */ - MustFlowPathNode getASuccessor() { - step(this.getInstruction(), result.getInstruction(), this.getConfiguration()) - } - - /** Gets the associated configuration. */ - MustFlowConfiguration getConfiguration() { this = MkLocalPathNode(_, result) } -} - -private class MustFlowPathSink extends MustFlowPathNode { - MustFlowPathSink() { this.getConfiguration().isSink(this.getInstruction().getAUse()) } -} - -/** - * Provides the query predicates needed to include a graph in a path-problem query. - */ -module PathGraph { - private predicate reach(MustFlowPathNode n) { - n instanceof MustFlowPathSink or reach(n.getASuccessor()) - } - - /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */ - query predicate edges(MustFlowPathNode a, MustFlowPathNode b) { - a.getASuccessor() = b and reach(b) - } - - /** Holds if `n` is a node in the graph of data flow path explanations. */ - query predicate nodes(MustFlowPathNode n, string key, string val) { - reach(n) and key = "semmle.label" and val = n.toString() + cached + predicate step(Instruction nodeFrom, Instruction nodeTo) { + exists(Operand mid | + instructionToOperandStep(nodeFrom, mid) and + operandToInstructionStep(mid, nodeTo) + ) + or + flowThroughCallable(nodeFrom, nodeTo) + } } } diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql index b8788910332..efd136bcd2d 100644 --- a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql +++ b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql @@ -16,17 +16,15 @@ import cpp import semmle.code.cpp.ir.IR import semmle.code.cpp.ir.dataflow.MustFlow -import PathGraph +import ReturnStackAllocatedMemory::PathGraph /** Holds if `f` has a name that we interpret as evidence of intentionally returning the value of the stack pointer. */ predicate intentionallyReturnsStackPointer(Function f) { f.getName().toLowerCase().matches(["%stack%", "%sp%"]) } -class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration { - ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" } - - override predicate isSource(Instruction source) { +module ReturnStackAllocatedMemoryConfig implements MustFlow::ConfigSig { + predicate isSource(Instruction source) { exists(Function func | // Rule out FPs caused by extraction errors. not func.hasErrors() and @@ -50,7 +48,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration { ) } - override predicate isSink(Operand sink) { + predicate isSink(Operand sink) { // Holds if `sink` is a node that represents the `StoreInstruction` that is subsequently used in // a `ReturnValueInstruction`. // We use the `StoreInstruction` instead of the instruction that defines the @@ -72,7 +70,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration { // int* px = id(&x); // } // ``` - override predicate allowInterproceduralFlow() { none() } + predicate allowInterproceduralFlow() { none() } /** * This configuration intentionally conflates addresses of fields and their object, and pointer offsets @@ -87,20 +85,22 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration { * } * ``` */ - override predicate isAdditionalFlowStep(Operand node1, Instruction node2) { + predicate isAdditionalFlowStep(Operand node1, Instruction node2) { node2.(FieldAddressInstruction).getObjectAddressOperand() = node1 or node2.(PointerOffsetInstruction).getLeftOperand() = node1 } - override predicate isBarrier(Instruction n) { n.getResultType() instanceof ErroneousType } + predicate isBarrier(Instruction n) { n.getResultType() instanceof ErroneousType } } +module ReturnStackAllocatedMemory = MustFlow::Global; + from - MustFlowPathNode source, MustFlowPathNode sink, Instruction instr, - ReturnStackAllocatedMemoryConfig conf + ReturnStackAllocatedMemory::PathNode source, ReturnStackAllocatedMemory::PathNode sink, + Instruction instr where - conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and + ReturnStackAllocatedMemory::flowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and source.getInstruction() = instr select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.", instr.getAst(), instr.getAst().toString() diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql index 763a142f1b9..1697ad31810 100644 --- a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql +++ b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql @@ -15,7 +15,7 @@ import cpp import semmle.code.cpp.ir.IR import semmle.code.cpp.ir.dataflow.MustFlow -import PathGraph +import UninitializedLocal::PathGraph /** * Auxiliary predicate: Types that don't require initialization @@ -70,25 +70,26 @@ predicate isSinkImpl(Instruction sink, VariableAccess va) { ) } -class MustFlow extends MustFlowConfiguration { - MustFlow() { this = "MustFlow" } - - override predicate isSource(Instruction source) { +module UninitializedLocalConfig implements MustFlow::ConfigSig { + predicate isSource(Instruction source) { source instanceof UninitializedInstruction and exists(Type t | t = source.getResultType() | not allocatedType(t)) } - override predicate isSink(Operand sink) { isSinkImpl(sink.getDef(), _) } + predicate isSink(Operand sink) { isSinkImpl(sink.getDef(), _) } - override predicate allowInterproceduralFlow() { none() } + predicate allowInterproceduralFlow() { none() } - override predicate isBarrier(Instruction instr) { instr instanceof ChiInstruction } + predicate isBarrier(Instruction instr) { instr instanceof ChiInstruction } } +module UninitializedLocal = MustFlow::Global; + from - VariableAccess va, LocalVariable v, MustFlow conf, MustFlowPathNode source, MustFlowPathNode sink + VariableAccess va, LocalVariable v, UninitializedLocal::PathNode source, + UninitializedLocal::PathNode sink where - conf.hasFlowPath(source, sink) and + UninitializedLocal::flowPath(source, sink) and isSinkImpl(sink.getInstruction(), va) and v = va.getTarget() select va, source, sink, "The variable $@ may not be initialized at this access.", v, v.getName() diff --git a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql index bb62cfc1755..63b56d470e2 100644 --- a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql +++ b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql @@ -17,16 +17,16 @@ import cpp import semmle.code.cpp.ir.IR import semmle.code.cpp.ir.dataflow.MustFlow -import PathGraph +import UnsafeUseOfThis::PathGraph -class UnsafeUseOfThisConfig extends MustFlowConfiguration { - UnsafeUseOfThisConfig() { this = "UnsafeUseOfThisConfig" } +module UnsafeUseOfThisConfig implements MustFlow::ConfigSig { + predicate isSource(Instruction source) { isSource(source, _, _) } - override predicate isSource(Instruction source) { isSource(source, _, _) } - - override predicate isSink(Operand sink) { isSink(sink, _) } + predicate isSink(Operand sink) { isSink(sink, _) } } +module UnsafeUseOfThis = MustFlow::Global; + /** Holds if `sink` is a `this` pointer used by the call instruction `call`. */ predicate isSink(Operand sink, CallInstruction call) { exists(PureVirtualFunction func | @@ -66,19 +66,17 @@ predicate isSource(InitializeParameterInstruction source, string msg, Class c) { * - `msg` is a string describing whether `source` is from a constructor or destructor. */ predicate flows( - MustFlowPathNode source, string msg, Class sourceClass, MustFlowPathNode sink, + UnsafeUseOfThis::PathNode source, string msg, Class sourceClass, UnsafeUseOfThis::PathNode sink, CallInstruction call ) { - exists(UnsafeUseOfThisConfig conf | - conf.hasFlowPath(source, sink) and - isSource(source.getInstruction(), msg, sourceClass) and - isSink(sink.getInstruction().getAUse(), call) - ) + UnsafeUseOfThis::flowPath(source, sink) and + isSource(source.getInstruction(), msg, sourceClass) and + isSink(sink.getInstruction().getAUse(), call) } from - MustFlowPathNode source, MustFlowPathNode sink, CallInstruction call, string msg, - Class sourceClass + UnsafeUseOfThis::PathNode source, UnsafeUseOfThis::PathNode sink, CallInstruction call, + string msg, Class sourceClass where flows(source, msg, sourceClass, sink, call) and // Only raise an alert if there is no override of the pure virtual function in any base class. From 73194a5e86b5e6abc614fa75caaeed3110857554 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 16 Feb 2026 17:40:18 +0100 Subject: [PATCH 075/110] C++: Fix QL-for-QL warnings and missing QLDoc --- .../semmle/code/cpp/ir/dataflow/MustFlow.qll | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll index 07e79a907c7..5a0f34c6dc1 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll @@ -7,6 +7,9 @@ private import cpp private import semmle.code.cpp.ir.IR +/** + * Provides an inter-procedural must-flow data flow analysis. + */ module MustFlow { /** * An input configuration of a data flow analysis that performs must-flow analysis. This is different @@ -39,6 +42,9 @@ module MustFlow { default predicate allowInterproceduralFlow() { any() } } + /** + * Constructs a global must-flow computation. + */ module Global { import Config @@ -170,7 +176,7 @@ module MustFlow { not f.isVirtual() and call.getPositionalArgument(n) = instr and f = call.getStaticCallTarget() and - getEnclosingNonVirtualFunctionInitializeParameter(init, f) and + isEnclosingNonVirtualFunctionInitializeParameter(init, f) and init.getParameter().getIndex() = pragma[only_bind_into](pragma[only_bind_out](n)) } @@ -179,7 +185,7 @@ module MustFlow { * corresponding initialization instruction that receives the value of `instr` in `f`. */ pragma[noinline] - private predicate getPositionalArgumentInitParam( + private predicate isPositionalArgumentInitParam( CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f ) { exists(int n | @@ -194,18 +200,18 @@ module MustFlow { * `instr` in `f`. */ pragma[noinline] - private predicate getThisArgumentInitParam( + private predicate isThisArgumentInitParam( CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f ) { not f.isVirtual() and call.getStaticCallTarget() = f and - getEnclosingNonVirtualFunctionInitializeParameter(init, f) and + isEnclosingNonVirtualFunctionInitializeParameter(init, f) and call.getThisArgument() = instr and init.getIRVariable() instanceof IRThisVariable } /** Holds if `f` is the enclosing non-virtual function of `init`. */ - private predicate getEnclosingNonVirtualFunctionInitializeParameter( + private predicate isEnclosingNonVirtualFunctionInitializeParameter( InitializeParameterInstruction init, Function f ) { not f.isVirtual() and @@ -213,7 +219,7 @@ module MustFlow { } /** Holds if `f` is the enclosing non-virtual function of `init`. */ - private predicate getEnclosingNonVirtualFunctionInitializeIndirection( + private predicate isEnclosingNonVirtualFunctionInitializeIndirection( InitializeIndirectionInstruction init, Function f ) { not f.isVirtual() and @@ -221,15 +227,15 @@ module MustFlow { } /** - * Holds if `instr` is an argument (or argument indirection) to a call, and - * `succ` is the corresponding initialization instruction in the call target. + * Holds if `argument` is an argument (or argument indirection) to a call, and + * `parameter` is the corresponding initialization instruction in the call target. */ private predicate flowThroughCallable(Instruction argument, Instruction parameter) { // Flow from an argument to a parameter exists(CallInstruction call, InitializeParameterInstruction init | init = parameter | - getPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) + isPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) or - getThisArgumentInitParam(call, argument, init, call.getStaticCallTarget()) + isThisArgumentInitParam(call, argument, init, call.getStaticCallTarget()) ) or // Flow from argument indirection to parameter indirection @@ -238,7 +244,7 @@ module MustFlow { | init = parameter and read.getPrimaryInstruction() = call and - getEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget()) + isEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget()) | exists(int n | read.getSideEffectOperand().getAnyDef() = argument and From b5898c5a3035c9d56fd6dc33fef79ebd38f0dfdd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 16 Feb 2026 17:07:45 +0000 Subject: [PATCH 076/110] Post-release preparation for codeql-cli-2.24.2 --- actions/ql/lib/qlpack.yml | 2 +- actions/ql/src/qlpack.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- rust/ql/lib/qlpack.yml | 2 +- rust/ql/src/qlpack.yml | 2 +- shared/concepts/qlpack.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/quantum/qlpack.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typeinference/qlpack.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 41 files changed, 41 insertions(+), 41 deletions(-) diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index 5725fb5f9aa..a9d5b7e61f6 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.4.28 +version: 0.4.29-dev library: true warnOnImplicitThis: true dependencies: diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml index e41369b5193..f4e731dc26d 100644 --- a/actions/ql/src/qlpack.yml +++ b/actions/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-queries -version: 0.6.20 +version: 0.6.21-dev library: false warnOnImplicitThis: true groups: [actions, queries] diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index d2b42410887..31ce003aadc 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 7.1.1 +version: 7.1.2-dev groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 51a78ddd3fc..d8620439fe6 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.5.11 +version: 1.5.12-dev groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index bb75fe4cfff..2bf13d256c9 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.59 +version: 1.7.60-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 0ab19080276..780301f353c 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.59 +version: 1.7.60-dev groups: - csharp - solorigate diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index d873c0c3b08..30f75e74304 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 5.4.7 +version: 5.4.8-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 7986040d2b6..d43afd632c1 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.6.2 +version: 1.6.3-dev groups: - csharp - queries diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index 96304fa9a18..6f9302c9ac4 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.42 +version: 1.0.43-dev groups: - go - queries diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 94a5b04b390..ac5f63a29bc 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 7.0.0 +version: 7.0.1-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index 43b5c67bc3f..bbac3ffc212 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.5.6 +version: 1.5.7-dev groups: - go - queries diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 2d891f9ac5f..a1737f2d1cb 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 8.1.0 +version: 8.1.1-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index 2f9b4479008..fda7663d686 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.10.7 +version: 1.10.8-dev groups: - java - queries diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 30d166fb610..2415cf3d3b7 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.6.22 +version: 2.6.23-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 5e72fce5432..1f57b3e99e2 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 2.3.2 +version: 2.3.3-dev groups: - javascript - queries diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index ba00d002da9..48e31175a00 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.42 +version: 1.0.43-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index b00b30158be..36b8813f8de 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 6.1.1 +version: 6.1.2-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index dea81a83817..c6b7d29f631 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.7.7 +version: 1.7.8-dev groups: - python - queries diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index a9e713a73e7..1d14ca0e3d2 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 5.1.10 +version: 5.1.11-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 20706f6f0ac..b027389bc63 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.5.7 +version: 1.5.8-dev groups: - ruby - queries diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml index c23251f51ef..f7428ef1087 100644 --- a/rust/ql/lib/qlpack.yml +++ b/rust/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-all -version: 0.2.6 +version: 0.2.7-dev groups: rust extractor: rust dbscheme: rust.dbscheme diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml index 3ce8fab18ff..21011bd93d5 100644 --- a/rust/ql/src/qlpack.yml +++ b/rust/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-queries -version: 0.1.27 +version: 0.1.28-dev groups: - rust - queries diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml index fcce8c5cac3..240ee962cfd 100644 --- a/shared/concepts/qlpack.yml +++ b/shared/concepts/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/concepts -version: 0.0.16 +version: 0.0.17-dev groups: shared library: true dependencies: diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index 99b79514512..6ae58a799e6 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 2.0.26 +version: 2.0.27-dev groups: shared library: true dependencies: diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 243db1c539c..d16d8379bbb 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 2.0.26 +version: 2.0.27-dev groups: shared library: true dependencies: diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index 358b90c92b5..9adf5d48ad5 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true dependencies: diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml index 84b0091c243..91774b4db2d 100644 --- a/shared/quantum/qlpack.yml +++ b/shared/quantum/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/quantum -version: 0.0.20 +version: 0.0.21-dev groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index 0220e237065..a5e5998c4a7 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true dependencies: diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index 915c2fb7c34..2dd53258318 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true dependencies: diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index 2c51888e512..5e567790cfe 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 2.0.18 +version: 2.0.19-dev groups: shared library: true dependencies: diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 197379a2b2f..65539cd3c1b 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.42 +version: 1.0.43-dev library: true groups: shared dataExtensions: diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index f7d1592cc2f..d632d0426b4 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index 717d5e5c9a5..19f16908768 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true dependencies: diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml index e740633b852..cd15cfac986 100644 --- a/shared/typeinference/qlpack.yml +++ b/shared/typeinference/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.23 +version: 0.0.24-dev groups: shared library: true dependencies: diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index a8b74e13d69..41e4b42ff3b 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.26 +version: 2.0.27-dev groups: shared library: true dependencies: diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index c339ed16159..cf3df223c88 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 81efc5bf9af..18d1315e0da 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.29 +version: 2.0.30-dev groups: shared library: true dependencies: null diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index e84e83a927e..63b5786ba44 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true dependencies: diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 263fd7d87a7..1ecff982de7 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.42 +version: 1.0.43-dev groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 0f240082bf7..da06170849b 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 6.2.2 +version: 6.2.3-dev groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index d6128248bd7..58dd667f57b 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.2.16 +version: 1.2.17-dev groups: - swift - queries From 366ebcad834dc2a8b93e314fa80624f7ed7b5124 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 16 Feb 2026 18:58:39 +0100 Subject: [PATCH 077/110] C++: Add `cpp/return-stack-allocated-memory` test case --- .../ReturnStackAllocatedMemory.expected | 8 ++++++++ .../Memory Management/ReturnStackAllocatedMemory/test.cpp | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected index 6aa457b1e8a..23b23dc4a3b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected @@ -48,6 +48,9 @@ edges | test.cpp:249:13:249:20 | call to strndupa | test.cpp:249:13:249:20 | call to strndupa | | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | s2 | | test.cpp:250:9:250:10 | s2 | test.cpp:250:9:250:10 | (void *)... | +| test.cpp:253:17:253:17 | p | test.cpp:256:10:256:10 | p | +| test.cpp:255:19:255:20 | & ... | test.cpp:253:17:253:17 | p | +| test.cpp:255:20:255:20 | x | test.cpp:255:19:255:20 | & ... | nodes | test.cpp:17:9:17:11 | & ... | semmle.label | & ... | | test.cpp:17:10:17:11 | mc | semmle.label | mc | @@ -114,6 +117,10 @@ nodes | test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa | | test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... | | test.cpp:250:9:250:10 | s2 | semmle.label | s2 | +| test.cpp:253:17:253:17 | p | semmle.label | p | +| test.cpp:255:19:255:20 | & ... | semmle.label | & ... | +| test.cpp:255:20:255:20 | x | semmle.label | x | +| test.cpp:256:10:256:10 | p | semmle.label | p | #select | test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | | test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | @@ -131,3 +138,4 @@ nodes | test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | | test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | | test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | +| test.cpp:256:10:256:10 | Load: p | test.cpp:255:20:255:20 | x | test.cpp:256:10:256:10 | p | May return stack-allocated memory from $@. | test.cpp:255:20:255:20 | x | x | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp index abc21aa74d8..ab1a626a4b0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp @@ -250,3 +250,8 @@ void* test_strndupa(const char* s, size_t size) { return s2; // BAD } +int* f_rec(int *p, bool b) { + int x; + int* px = f_rec(&x, b); // GOOD [FALSE POSITIVE] + return p; +} From 4efbc6ea9beebfe21544fee894c2e0dcf1cdc11f Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 16 Feb 2026 19:04:23 +0100 Subject: [PATCH 078/110] C++: Handle `allowInterproceduralFlow` correctly in case of recursive functions --- .../semmle/code/cpp/ir/dataflow/MustFlow.qll | 27 +++++-------------- .../ReturnStackAllocatedMemory.expected | 8 ------ .../ReturnStackAllocatedMemory/test.cpp | 2 +- 3 files changed, 8 insertions(+), 29 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll index 5a0f34c6dc1..a8adb16849c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll @@ -87,24 +87,12 @@ module MustFlow { ) } - /** - * Gets the enclosing callable of `n`. Unlike `n.getEnclosingCallable()`, this - * predicate ensures that joins go from `n` to the result instead of the other - * way around. - */ - pragma[inline] - private IRFunction getEnclosingCallable(Instruction n) { - pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingIRFunction() - } - /** Holds if `nodeFrom` flows to `nodeTo`. */ private predicate step(Instruction nodeFrom, Instruction nodeTo) { - Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and - ( - allowInterproceduralFlow() - or - getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo) - ) + Cached::localStep(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) + or + allowInterproceduralFlow() and + Cached::flowThroughCallable(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) or isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo) } @@ -230,7 +218,8 @@ module MustFlow { * Holds if `argument` is an argument (or argument indirection) to a call, and * `parameter` is the corresponding initialization instruction in the call target. */ - private predicate flowThroughCallable(Instruction argument, Instruction parameter) { + cached + predicate flowThroughCallable(Instruction argument, Instruction parameter) { // Flow from an argument to a parameter exists(CallInstruction call, InitializeParameterInstruction init | init = parameter | isPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) @@ -279,13 +268,11 @@ module MustFlow { } cached - predicate step(Instruction nodeFrom, Instruction nodeTo) { + predicate localStep(Instruction nodeFrom, Instruction nodeTo) { exists(Operand mid | instructionToOperandStep(nodeFrom, mid) and operandToInstructionStep(mid, nodeTo) ) - or - flowThroughCallable(nodeFrom, nodeTo) } } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected index 23b23dc4a3b..6aa457b1e8a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected @@ -48,9 +48,6 @@ edges | test.cpp:249:13:249:20 | call to strndupa | test.cpp:249:13:249:20 | call to strndupa | | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | s2 | | test.cpp:250:9:250:10 | s2 | test.cpp:250:9:250:10 | (void *)... | -| test.cpp:253:17:253:17 | p | test.cpp:256:10:256:10 | p | -| test.cpp:255:19:255:20 | & ... | test.cpp:253:17:253:17 | p | -| test.cpp:255:20:255:20 | x | test.cpp:255:19:255:20 | & ... | nodes | test.cpp:17:9:17:11 | & ... | semmle.label | & ... | | test.cpp:17:10:17:11 | mc | semmle.label | mc | @@ -117,10 +114,6 @@ nodes | test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa | | test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... | | test.cpp:250:9:250:10 | s2 | semmle.label | s2 | -| test.cpp:253:17:253:17 | p | semmle.label | p | -| test.cpp:255:19:255:20 | & ... | semmle.label | & ... | -| test.cpp:255:20:255:20 | x | semmle.label | x | -| test.cpp:256:10:256:10 | p | semmle.label | p | #select | test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | | test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | @@ -138,4 +131,3 @@ nodes | test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | | test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | | test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | -| test.cpp:256:10:256:10 | Load: p | test.cpp:255:20:255:20 | x | test.cpp:256:10:256:10 | p | May return stack-allocated memory from $@. | test.cpp:255:20:255:20 | x | x | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp index ab1a626a4b0..abde10eb6e7 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp @@ -252,6 +252,6 @@ void* test_strndupa(const char* s, size_t size) { int* f_rec(int *p, bool b) { int x; - int* px = f_rec(&x, b); // GOOD [FALSE POSITIVE] + int* px = f_rec(&x, b); // GOOD return p; } From e299cccb6e7133c05bbb1e6c0fcc2f55151bd766 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Mon, 16 Feb 2026 19:09:30 +0100 Subject: [PATCH 079/110] C++: Simplify test --- .../Memory Management/ReturnStackAllocatedMemory/test.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp index abde10eb6e7..07e3520fa81 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp @@ -250,8 +250,8 @@ void* test_strndupa(const char* s, size_t size) { return s2; // BAD } -int* f_rec(int *p, bool b) { +int* f_rec(int *p) { int x; - int* px = f_rec(&x, b); // GOOD + int* px = f_rec(&x); // GOOD return p; } From 31895c04f80e56b832cba8f39359a4a56a0d45f4 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 17 Feb 2026 09:06:36 +0100 Subject: [PATCH 080/110] C++: `MustFlow` minor clean up --- .../semmle/code/cpp/ir/dataflow/MustFlow.qll | 257 +++++++++--------- 1 file changed, 128 insertions(+), 129 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll index a8adb16849c..2b61190fb71 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll @@ -89,10 +89,10 @@ module MustFlow { /** Holds if `nodeFrom` flows to `nodeTo`. */ private predicate step(Instruction nodeFrom, Instruction nodeTo) { - Cached::localStep(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) + Cached::localStep(nodeFrom, nodeTo) or allowInterproceduralFlow() and - Cached::flowThroughCallable(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) + Cached::flowThroughCallable(nodeFrom, nodeTo) or isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo) } @@ -145,134 +145,133 @@ module MustFlow { } } } +} + +cached +private module Cached { + /** Holds if `p` is the `n`'th parameter of the non-virtual function `f`. */ + private predicate parameterOf(Parameter p, Function f, int n) { + not f.isVirtual() and f.getParameter(n) = p + } + + /** + * Holds if `instr` is the `n`'th argument to a call to the non-virtual function `f`, and + * `init` is the corresponding initialization instruction that receives the value of `instr` in `f`. + */ + private predicate flowIntoParameter( + Function f, int n, CallInstruction call, Instruction instr, InitializeParameterInstruction init + ) { + not f.isVirtual() and + call.getPositionalArgument(n) = instr and + f = call.getStaticCallTarget() and + isEnclosingNonVirtualFunctionInitializeParameter(init, f) and + init.getParameter().getIndex() = pragma[only_bind_into](pragma[only_bind_out](n)) + } + + /** + * Holds if `instr` is an argument to a call to the function `f`, and `init` is the + * corresponding initialization instruction that receives the value of `instr` in `f`. + */ + pragma[noinline] + private predicate isPositionalArgumentInitParam( + CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f + ) { + exists(int n | + parameterOf(_, f, n) and + flowIntoParameter(f, pragma[only_bind_into](pragma[only_bind_out](n)), call, instr, init) + ) + } + + /** + * Holds if `instr` is the qualifier to a call to the non-virtual function `f`, and + * `init` is the corresponding initialization instruction that receives the value of + * `instr` in `f`. + */ + pragma[noinline] + private predicate isThisArgumentInitParam( + CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f + ) { + not f.isVirtual() and + call.getStaticCallTarget() = f and + isEnclosingNonVirtualFunctionInitializeParameter(init, f) and + call.getThisArgument() = instr and + init.getIRVariable() instanceof IRThisVariable + } + + /** Holds if `f` is the enclosing non-virtual function of `init`. */ + private predicate isEnclosingNonVirtualFunctionInitializeParameter( + InitializeParameterInstruction init, Function f + ) { + not f.isVirtual() and + init.getEnclosingFunction() = f + } + + /** Holds if `f` is the enclosing non-virtual function of `init`. */ + private predicate isEnclosingNonVirtualFunctionInitializeIndirection( + InitializeIndirectionInstruction init, Function f + ) { + not f.isVirtual() and + init.getEnclosingFunction() = f + } + + /** + * Holds if `argument` is an argument (or argument indirection) to a call, and + * `parameter` is the corresponding initialization instruction in the call target. + */ + cached + predicate flowThroughCallable(Instruction argument, Instruction parameter) { + // Flow from an argument to a parameter + exists(CallInstruction call, InitializeParameterInstruction init | init = parameter | + isPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) + or + isThisArgumentInitParam(call, argument, init, call.getStaticCallTarget()) + ) + or + // Flow from argument indirection to parameter indirection + exists( + CallInstruction call, ReadSideEffectInstruction read, InitializeIndirectionInstruction init + | + init = parameter and + read.getPrimaryInstruction() = call and + isEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget()) + | + exists(int n | + read.getSideEffectOperand().getAnyDef() = argument and + read.getIndex() = pragma[only_bind_into](n) and + init.getParameter().getIndex() = pragma[only_bind_into](n) + ) + or + call.getThisArgument() = argument and + init.getIRVariable() instanceof IRThisVariable + ) + } + + private predicate instructionToOperandStep(Instruction instr, Operand operand) { + operand.getDef() = instr + } + + /** + * Holds if data flows from `operand` to `instr`. + * + * This predicate ignores flow through `PhiInstruction`s to create a 'must flow' relation. + */ + private predicate operandToInstructionStep(Operand operand, Instruction instr) { + instr.(CopyInstruction).getSourceValueOperand() = operand + or + instr.(ConvertInstruction).getUnaryOperand() = operand + or + instr.(CheckedConvertOrNullInstruction).getUnaryOperand() = operand + or + instr.(InheritanceConversionInstruction).getUnaryOperand() = operand + or + instr.(ChiInstruction).getTotalOperand() = operand + } cached - private module Cached { - /** Holds if `p` is the `n`'th parameter of the non-virtual function `f`. */ - private predicate parameterOf(Parameter p, Function f, int n) { - not f.isVirtual() and f.getParameter(n) = p - } - - /** - * Holds if `instr` is the `n`'th argument to a call to the non-virtual function `f`, and - * `init` is the corresponding initialization instruction that receives the value of `instr` in `f`. - */ - private predicate flowIntoParameter( - Function f, int n, CallInstruction call, Instruction instr, - InitializeParameterInstruction init - ) { - not f.isVirtual() and - call.getPositionalArgument(n) = instr and - f = call.getStaticCallTarget() and - isEnclosingNonVirtualFunctionInitializeParameter(init, f) and - init.getParameter().getIndex() = pragma[only_bind_into](pragma[only_bind_out](n)) - } - - /** - * Holds if `instr` is an argument to a call to the function `f`, and `init` is the - * corresponding initialization instruction that receives the value of `instr` in `f`. - */ - pragma[noinline] - private predicate isPositionalArgumentInitParam( - CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f - ) { - exists(int n | - parameterOf(_, f, n) and - flowIntoParameter(f, pragma[only_bind_into](pragma[only_bind_out](n)), call, instr, init) - ) - } - - /** - * Holds if `instr` is the qualifier to a call to the non-virtual function `f`, and - * `init` is the corresponding initialization instruction that receives the value of - * `instr` in `f`. - */ - pragma[noinline] - private predicate isThisArgumentInitParam( - CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f - ) { - not f.isVirtual() and - call.getStaticCallTarget() = f and - isEnclosingNonVirtualFunctionInitializeParameter(init, f) and - call.getThisArgument() = instr and - init.getIRVariable() instanceof IRThisVariable - } - - /** Holds if `f` is the enclosing non-virtual function of `init`. */ - private predicate isEnclosingNonVirtualFunctionInitializeParameter( - InitializeParameterInstruction init, Function f - ) { - not f.isVirtual() and - init.getEnclosingFunction() = f - } - - /** Holds if `f` is the enclosing non-virtual function of `init`. */ - private predicate isEnclosingNonVirtualFunctionInitializeIndirection( - InitializeIndirectionInstruction init, Function f - ) { - not f.isVirtual() and - init.getEnclosingFunction() = f - } - - /** - * Holds if `argument` is an argument (or argument indirection) to a call, and - * `parameter` is the corresponding initialization instruction in the call target. - */ - cached - predicate flowThroughCallable(Instruction argument, Instruction parameter) { - // Flow from an argument to a parameter - exists(CallInstruction call, InitializeParameterInstruction init | init = parameter | - isPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget()) - or - isThisArgumentInitParam(call, argument, init, call.getStaticCallTarget()) - ) - or - // Flow from argument indirection to parameter indirection - exists( - CallInstruction call, ReadSideEffectInstruction read, InitializeIndirectionInstruction init - | - init = parameter and - read.getPrimaryInstruction() = call and - isEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget()) - | - exists(int n | - read.getSideEffectOperand().getAnyDef() = argument and - read.getIndex() = pragma[only_bind_into](n) and - init.getParameter().getIndex() = pragma[only_bind_into](n) - ) - or - call.getThisArgument() = argument and - init.getIRVariable() instanceof IRThisVariable - ) - } - - private predicate instructionToOperandStep(Instruction instr, Operand operand) { - operand.getDef() = instr - } - - /** - * Holds if data flows from `operand` to `instr`. - * - * This predicate ignores flow through `PhiInstruction`s to create a 'must flow' relation. - */ - private predicate operandToInstructionStep(Operand operand, Instruction instr) { - instr.(CopyInstruction).getSourceValueOperand() = operand - or - instr.(ConvertInstruction).getUnaryOperand() = operand - or - instr.(CheckedConvertOrNullInstruction).getUnaryOperand() = operand - or - instr.(InheritanceConversionInstruction).getUnaryOperand() = operand - or - instr.(ChiInstruction).getTotalOperand() = operand - } - - cached - predicate localStep(Instruction nodeFrom, Instruction nodeTo) { - exists(Operand mid | - instructionToOperandStep(nodeFrom, mid) and - operandToInstructionStep(mid, nodeTo) - ) - } + predicate localStep(Instruction nodeFrom, Instruction nodeTo) { + exists(Operand mid | + instructionToOperandStep(nodeFrom, mid) and + operandToInstructionStep(mid, nodeTo) + ) } } From 3aa21242cdf08ac14dfc0ef85832734a2251df87 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 17 Feb 2026 10:28:29 +0100 Subject: [PATCH 081/110] C++: Add change notes --- cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md | 4 ++++ cpp/ql/lib/change-notes/2026-02-14-must-flow.md | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md create mode 100644 cpp/ql/lib/change-notes/2026-02-14-must-flow.md diff --git a/cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md b/cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md new file mode 100644 index 00000000000..fc838f51c06 --- /dev/null +++ b/cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion. diff --git a/cpp/ql/lib/change-notes/2026-02-14-must-flow.md b/cpp/ql/lib/change-notes/2026-02-14-must-flow.md new file mode 100644 index 00000000000..3d1afaa6344 --- /dev/null +++ b/cpp/ql/lib/change-notes/2026-02-14-must-flow.md @@ -0,0 +1,4 @@ +--- +category: breaking +--- +* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module. From c3f0967e9bde3ab6251d6492a8511271ec23f109 Mon Sep 17 00:00:00 2001 From: idrissrio Date: Fri, 12 Dec 2025 09:03:16 +0100 Subject: [PATCH 082/110] C/C++ overlay: discard single location elements --- .../lib/semmle/code/cpp/internal/Overlay.qll | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll b/cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll index 7e98177f323..3dea144bbf6 100644 --- a/cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll +++ b/cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll @@ -34,6 +34,38 @@ private string getSingleLocationFilePath(@element e) { macroinvocations(e, _, loc, _) or preprocdirects(e, _, loc) + or + diagnostics(e, _, _, _, _, loc) + or + usings(e, _, loc, _) + or + static_asserts(e, _, _, loc, _) + or + derivations(e, _, _, _, loc) + or + frienddecls(e, _, _, loc) + or + comments(e, _, loc) + or + exprs(e, _, loc) + or + stmts(e, _, loc) + or + initialisers(e, _, _, loc) + or + attributes(e, _, _, _, loc) + or + attribute_args(e, _, _, _, loc) + or + namequalifiers(e, _, _, loc) + or + enumconstants(e, _, _, _, _, loc) + or + type_mentions(e, _, loc, _) + or + lambda_capture(e, _, _, _, _, _, loc) + or + concept_templates(e, _, loc) | result = getLocationFilePath(loc) ) From d3541b87d6d7945f6758092c305ba137c49b34aa Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 11 Feb 2026 16:07:43 +0100 Subject: [PATCH 083/110] Rust: Make path resolution robust against invalid code with conflicting declarations --- .../codeql/rust/internal/PathResolution.qll | 73 +++++++++++++------ .../path-resolution/invalid/main.rs | 6 ++ .../path-resolution/invalid/options.yml | 1 + .../path-resolution/path-resolution.expected | 1 + 4 files changed, 58 insertions(+), 23 deletions(-) create mode 100644 rust/ql/test/library-tests/path-resolution/invalid/main.rs create mode 100644 rust/ql/test/library-tests/path-resolution/invalid/options.yml diff --git a/rust/ql/lib/codeql/rust/internal/PathResolution.qll b/rust/ql/lib/codeql/rust/internal/PathResolution.qll index 432608f6f9d..76c15485bb9 100644 --- a/rust/ql/lib/codeql/rust/internal/PathResolution.qll +++ b/rust/ql/lib/codeql/rust/internal/PathResolution.qll @@ -107,7 +107,7 @@ class SuccessorKind extends TSuccessorKind { } pragma[nomagic] -private ItemNode getAChildSuccessor(ItemNode item, string name, SuccessorKind kind) { +private ItemNode getAChildSuccessor0(ItemNode item, string name, SuccessorKind kind) { item = result.getImmediateParent() and name = result.getName() and // Associated items in `impl` and `trait` blocks are handled elsewhere @@ -116,7 +116,7 @@ private ItemNode getAChildSuccessor(ItemNode item, string name, SuccessorKind ki if result instanceof TypeParam then kind.isInternal() else - if result.isPublic() + if result.isPublic() or item instanceof SourceFile then kind.isBoth() else kind.isInternal() or @@ -130,6 +130,41 @@ private ItemNode getAChildSuccessor(ItemNode item, string name, SuccessorKind ki result = item } +pragma[nomagic] +private NamedItemNode getANamedNonModuleChildSuccessor( + ItemNode item, string name, Namespace ns, int startline, int startcolumn, int endline, + int endcolumn +) { + result.getLocation().hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and + result = getAChildSuccessor0(item, name, _) and + ns = result.getNamespace() and + not result instanceof ModuleItemNode +} + +pragma[nomagic] +private ItemNode getAChildSuccessor(ItemNode item, string name, SuccessorKind kind) { + result = getAChildSuccessor0(item, name, kind) and + // In valid Rust code, there cannot be multiple children with the same name and namespace, + // but to safeguard against combinatorial explosions in invalid code, we always pick the + // last child, except for modules, where we take the union. + ( + not result instanceof NamedItemNode + or + result instanceof ModuleItemNode + or + exists(Namespace ns | + result = + max(NamedItemNode i, int startline, int startcolumn, int endline, int endcolumn | + i = + getANamedNonModuleChildSuccessor(item, name, ns, startline, startcolumn, endline, + endcolumn) + | + i order by startline, startcolumn, endline, endcolumn + ) + ) + ) +} + private module UseOption = Option; private class UseOption = UseOption::Option; @@ -288,10 +323,6 @@ abstract class ItemNode extends Locatable { cached ItemNode getASuccessor(string name, SuccessorKind kind, UseOption useOpt) { Stages::PathResolutionStage::ref() and - sourceFileEdge(this, name, result) and - kind.isBoth() and - useOpt.isNone() - or result = getAChildSuccessor(this, name, kind) and useOpt.isNone() or @@ -471,6 +502,8 @@ abstract class ItemNode extends Locatable { Location getLocation() { result = super.getLocation() } } +abstract class NamedItemNode extends ItemNode { } + abstract class TypeItemNode extends ItemNode { } /** A module or a source file. */ @@ -509,7 +542,7 @@ private class SourceFileItemNode extends ModuleLikeNode instanceof SourceFile { override string getCanonicalPath(Crate c) { none() } } -class CrateItemNode extends ItemNode instanceof Crate { +class CrateItemNode extends NamedItemNode instanceof Crate { /** * Gets the source file that defines this crate. */ @@ -565,7 +598,7 @@ class CrateItemNode extends ItemNode instanceof Crate { override string getCanonicalPath(Crate c) { c = this and result = Crate.super.getName() } } -class ExternCrateItemNode extends ItemNode instanceof ExternCrate { +class ExternCrateItemNode extends NamedItemNode instanceof ExternCrate { override string getName() { result = super.getRename().getName().getText() or @@ -573,7 +606,7 @@ class ExternCrateItemNode extends ItemNode instanceof ExternCrate { result = super.getIdentifier().getText() } - override Namespace getNamespace() { none() } + override Namespace getNamespace() { result.isType() } override Visibility getVisibility() { result = ExternCrate.super.getVisibility() } @@ -587,7 +620,7 @@ class ExternCrateItemNode extends ItemNode instanceof ExternCrate { } /** An item that can occur in a trait or an `impl` block. */ -abstract private class AssocItemNode extends ItemNode instanceof AssocItem { +abstract private class AssocItemNode extends NamedItemNode instanceof AssocItem { /** Holds if this associated item has an implementation. */ abstract predicate hasImplementation(); @@ -626,7 +659,7 @@ private class ConstItemNode extends AssocItemNode instanceof Const { override TypeParam getTypeParam(int i) { none() } } -private class TypeItemTypeItemNode extends TypeItemNode instanceof TypeItem { +private class TypeItemTypeItemNode extends NamedItemNode, TypeItemNode instanceof TypeItem { override string getName() { result = TypeItem.super.getName().getText() } override Namespace getNamespace() { result.isType() } @@ -659,7 +692,7 @@ private class TypeItemTypeItemNode extends TypeItemNode instanceof TypeItem { } /** An item that can be referenced with arguments. */ -abstract class ParameterizableItemNode extends ItemNode { +abstract class ParameterizableItemNode extends NamedItemNode { /** Gets the arity this item. */ abstract int getArity(); } @@ -911,7 +944,7 @@ private class ImplTraitTypeReprItemNodeImpl extends ImplTraitTypeReprItemNode { ItemNode resolveABoundCand() { result = resolvePathCand(this.getABoundPath()) } } -private class ModuleItemNode extends ModuleLikeNode instanceof Module { +private class ModuleItemNode extends NamedItemNode, ModuleLikeNode instanceof Module { override string getName() { result = Module.super.getName().getText() } override Namespace getNamespace() { result.isType() } @@ -929,7 +962,7 @@ private class ModuleItemNode extends ModuleLikeNode instanceof Module { ( exists(SourceFile f | fileImport(this, f) and - sourceFileEdge(f, _, child) + child = getAChildSuccessor(f, _, _) ) or this = child.getImmediateParent() @@ -1001,7 +1034,7 @@ private class StructItemNode extends TypeItemTypeItemNode, ParameterizableItemNo } } -final class TraitItemNode extends ImplOrTraitItemNode, TypeItemNode instanceof Trait { +final class TraitItemNode extends ImplOrTraitItemNode, NamedItemNode, TypeItemNode instanceof Trait { pragma[nomagic] Path getABoundPath() { result = super.getATypeBound().getTypeRepr().(PathTypeRepr).getPath() } @@ -1126,7 +1159,7 @@ private class BlockExprItemNode extends ItemNode instanceof BlockExpr { pragma[nomagic] private Path getWherePredPath(WherePred wp) { result = wp.getTypeRepr().(PathTypeRepr).getPath() } -final class TypeParamItemNode extends TypeItemNode instanceof TypeParam { +final class TypeParamItemNode extends NamedItemNode, TypeItemNode instanceof TypeParam { /** Gets a where predicate for this type parameter, if any */ pragma[nomagic] private WherePred getAWherePred() { @@ -1214,7 +1247,7 @@ final private class TypeParamItemNodeImpl extends TypeParamItemNode instanceof T ItemNode resolveABoundCand() { result = resolvePathCand(this.getABoundPathCand()) } } -abstract private class MacroItemNode extends ItemNode { +abstract private class MacroItemNode extends NamedItemNode { override Namespace getNamespace() { result.isMacro() } override TypeParam getTypeParam(int i) { none() } @@ -1256,12 +1289,6 @@ private class MacroDefItemNode extends MacroItemNode instanceof MacroDef { override Attr getAnAttr() { result = MacroDef.super.getAnAttr() } } -/** Holds if `item` has the name `name` and is a top-level item inside `f`. */ -private predicate sourceFileEdge(SourceFile f, string name, ItemNode item) { - item = f.(ItemNode).getADescendant() and - name = item.getName() -} - /** Holds if `f` is available as `mod name;` inside `folder`. */ pragma[nomagic] private predicate fileModule(SourceFile f, string name, Folder folder) { diff --git a/rust/ql/test/library-tests/path-resolution/invalid/main.rs b/rust/ql/test/library-tests/path-resolution/invalid/main.rs new file mode 100644 index 00000000000..b58fcb2d934 --- /dev/null +++ b/rust/ql/test/library-tests/path-resolution/invalid/main.rs @@ -0,0 +1,6 @@ +// The code in this file is not valid Rust code + +struct A; // A1 +struct A; // A2 + +fn f(x: A) {} // $ item=A2 (the latter occurence takes precedence) diff --git a/rust/ql/test/library-tests/path-resolution/invalid/options.yml b/rust/ql/test/library-tests/path-resolution/invalid/options.yml new file mode 100644 index 00000000000..cf148dd35f8 --- /dev/null +++ b/rust/ql/test/library-tests/path-resolution/invalid/options.yml @@ -0,0 +1 @@ +qltest_cargo_check: false diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected index 153d80db4cc..e85bb7876da 100644 --- a/rust/ql/test/library-tests/path-resolution/path-resolution.expected +++ b/rust/ql/test/library-tests/path-resolution/path-resolution.expected @@ -51,6 +51,7 @@ mod | my/nested.rs:1:1:17:1 | mod nested1 | | my/nested.rs:2:5:11:5 | mod nested2 | resolvePath +| invalid/main.rs:6:9:6:9 | A | invalid/main.rs:3:11:4:9 | struct A | | main.rs:4:8:4:9 | my | main.rs:1:1:1:7 | mod my | | main.rs:4:14:4:17 | self | main.rs:1:1:1:7 | mod my | | main.rs:6:5:6:6 | my | main.rs:1:1:1:7 | mod my | From bd94ceddd9b2a23082b3920270b520543c70db03 Mon Sep 17 00:00:00 2001 From: idrissrio Date: Tue, 17 Feb 2026 13:58:55 +0100 Subject: [PATCH 084/110] Java: Add change note for JDK 26 --- java/ql/src/change-notes/2026-02-17-support-java-26 | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2026-02-17-support-java-26 diff --git a/java/ql/src/change-notes/2026-02-17-support-java-26 b/java/ql/src/change-notes/2026-02-17-support-java-26 new file mode 100644 index 00000000000..50feec4224d --- /dev/null +++ b/java/ql/src/change-notes/2026-02-17-support-java-26 @@ -0,0 +1,4 @@ +--- +category: feature +--- +* The Java extractor and QL libraries now support Java 26. From 1a35a05cccee80af03871f31fad1f7422e58c8cd Mon Sep 17 00:00:00 2001 From: idrissrio Date: Tue, 17 Feb 2026 13:59:45 +0100 Subject: [PATCH 085/110] Java: Update supported language versions to include Java 26 --- docs/codeql/reusables/supported-versions-compilers.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/reusables/supported-versions-compilers.rst b/docs/codeql/reusables/supported-versions-compilers.rst index 6216bae08df..566238658f3 100644 --- a/docs/codeql/reusables/supported-versions-compilers.rst +++ b/docs/codeql/reusables/supported-versions-compilers.rst @@ -18,7 +18,7 @@ .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``" GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``" Go (aka Golang), "Go up to 1.26", "Go 1.11 or more recent", ``.go`` - Java,"Java 7 to 25 [6]_","javac (OpenJDK and Oracle JDK), + Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK), Eclipse compiler for Java (ECJ) [7]_",``.java`` Kotlin,"Kotlin 1.8.0 to 2.3.0\ *x*","kotlinc",``.kt`` @@ -36,7 +36,7 @@ .. [3] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported. .. [4] Support for the clang-cl compiler is preliminary. .. [5] Support for the Arm Compiler (armcc) is preliminary. - .. [6] Builds that execute on Java 7 to 25 can be analyzed. The analysis understands standard language features in Java 8 to 25; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code. + .. [6] Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code. .. [7] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin. .. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files. .. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python. From 8aa839f4c0a8f9c9e30926fd7515db8f49276b98 Mon Sep 17 00:00:00 2001 From: idrissrio Date: Tue, 17 Feb 2026 14:19:12 +0100 Subject: [PATCH 086/110] Java: Address review comments --- ...2026-02-17-support-java-26 => 2026-02-17-support-java-26.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename java/ql/src/change-notes/{2026-02-17-support-java-26 => 2026-02-17-support-java-26.md} (73%) diff --git a/java/ql/src/change-notes/2026-02-17-support-java-26 b/java/ql/src/change-notes/2026-02-17-support-java-26.md similarity index 73% rename from java/ql/src/change-notes/2026-02-17-support-java-26 rename to java/ql/src/change-notes/2026-02-17-support-java-26.md index 50feec4224d..db0a108f0ca 100644 --- a/java/ql/src/change-notes/2026-02-17-support-java-26 +++ b/java/ql/src/change-notes/2026-02-17-support-java-26.md @@ -1,4 +1,4 @@ --- -category: feature +category: minorAnalysis --- * The Java extractor and QL libraries now support Java 26. From 5151df456ce482483850faa24f1172776cd5a3ce Mon Sep 17 00:00:00 2001 From: idrissrio Date: Tue, 17 Feb 2026 14:27:27 +0100 Subject: [PATCH 087/110] Java: Fix Maven change note --- ...-maven-default-java-17 => 2025-11-13-maven-default-java-17.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename java/ql/src/change-notes/{2025-11-13-maven-default-java-17 => 2025-11-13-maven-default-java-17.md} (100%) diff --git a/java/ql/src/change-notes/2025-11-13-maven-default-java-17 b/java/ql/src/change-notes/2025-11-13-maven-default-java-17.md similarity index 100% rename from java/ql/src/change-notes/2025-11-13-maven-default-java-17 rename to java/ql/src/change-notes/2025-11-13-maven-default-java-17.md From 549dcb31be650e08cde76924817c5c6357b0e476 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 10:13:55 -0500 Subject: [PATCH 088/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 87733f0f69d..a6c11c30c67 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -142,7 +142,7 @@ predicate isLikelyConversionConstant(int c) { 146097, // days in 400-year Gregorian cycle 36524, // days in 100-year Gregorian subcycle 1461, // days in 4-year cycle (incl. 1 leap) - 32044, // Fliegel–van Flandern JDN epoch shift + 32044, // Fliegel-van Flandern JDN epoch shift 1721425, // JDN of 0001‑01‑01 (Gregorian) 1721119, // alt epoch offset 2400000, // MJD → JDN conversion From c811fae87627a2c11e9096714163e2389a48bb03 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 10:14:11 -0500 Subject: [PATCH 089/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index a6c11c30c67..064fc5a71d4 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -145,8 +145,8 @@ predicate isLikelyConversionConstant(int c) { 32044, // Fliegel-van Flandern JDN epoch shift 1721425, // JDN of 0001‑01‑01 (Gregorian) 1721119, // alt epoch offset - 2400000, // MJD → JDN conversion - 2400001, // alt MJD → JDN conversion + 2400000, // MJD -> JDN conversion + 2400001, // alt MJD -> JDN conversion 2141, // fixed‑point month/day extraction 65536, // observed in some conversions 7834, // observed in some conversions From ceb3b21e0f2e27f7cf2926fa235c286eea34c1e9 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 10:28:43 -0500 Subject: [PATCH 090/110] Update python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll Co-authored-by: Taus --- ...ServerSideRequestForgeryCustomizations.qll | 46 +++++++------------ 1 file changed, 17 insertions(+), 29 deletions(-) diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll index afce799d8ac..3fb260e425d 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll @@ -186,37 +186,25 @@ module ServerSideRequestForgery { private predicate uri_validator(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) { exists(DataFlow::CallCfgNode call, string funcs | - funcs in ["in_domain", "in_azure_keyvault_domain", "in_azure_storage_domain"] - | + funcs in ["in_domain", "in_azure_keyvault_domain", "in_azure_storage_domain"] and call = API::moduleImport("AntiSSRF").getMember("URIValidator").getMember(funcs).getACall() and - call.getArg(0).asCfgNode() = node and - ( - // validator used in a comparison - exists(CompareNode cn, Cmpop op, Node n | cn = g and n.getALocalSource() = call | - ( - // validator == true or validator == false or validator is True or validator is False - (op instanceof Eq or op instanceof Is) and - exists(ControlFlowNode l, boolean bool | - l.getNode().(BooleanLiteral).booleanValue() = bool and - bool in [true, false] and - branch = bool and - cn.operands(n.asCfgNode(), op, l) - ) - or - // validator != false or validator != true or validator is not True or validator is not False - (op instanceof NotEq or op instanceof IsNot) and - exists(ControlFlowNode l, boolean bool | - l.getNode().(BooleanLiteral).booleanValue() = bool and - bool in [true, false] and - branch = bool.booleanNot() and - cn.operands(n.asCfgNode(), op, l) - ) - ) - ) + call.getArg(0).asCfgNode() = node + | + // validator call directly (e.g., if URIValidator.in_domain(...) ) + g = call.asCfgNode() and + branch = true + or + // validator used in a comparison + exists(Cmpop op, Node n, ControlFlowNode l | + n.getALocalSource() = call and g.(CompareNode).operands(n.asCfgNode(), op, l) + | + // validator == true or validator == false or validator is True or validator is False + (op instanceof Eq or op instanceof Is) and + branch = l.getNode().(BooleanLiteral).booleanValue() or - // validator call directly (e.g., if URIValidator.in_domain(...) ) - g = call.asCfgNode() and - branch = true + // validator != false or validator != true or validator is not True or validator is not False + (op instanceof NotEq or op instanceof IsNot) and + branch = l.getNode().(BooleanLiteral).booleanValue().booleanNot() ) ) } From 1072d6a7b756c98114692b34c31ae14d9ae645e6 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 10:49:58 -0500 Subject: [PATCH 091/110] Apply suggestion from @geoffw0 Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 064fc5a71d4..9f1c15690ee 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -257,6 +257,7 @@ class IgnorablePointerOrCharArithmetic extends IgnorableOperation { ) or // Operations on calls to functions named like "strlen", "wcslen", etc + // for example `strlen(foo) + bar` this.(BinaryArithmeticOperation).getAnOperand().(Call).getTarget().getName().matches("%len%") ) } From 0676ba1c07d9741b04fe077379588ccbf6d06fa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Tue, 17 Feb 2026 17:23:38 +0100 Subject: [PATCH 092/110] Skip csharp integration tests on macos-26 --- .../posix/standalone_dependencies_no_framework/test.py | 6 ++++-- .../posix/standalone_dependencies_nuget with_space/test.py | 6 ++++-- .../posix/standalone_dependencies_nuget/test.py | 6 ++++-- .../posix/standalone_dependencies_nuget_no_sources/test.py | 6 ++++-- 4 files changed, 16 insertions(+), 8 deletions(-) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py index d1c1745d69b..e0181a1ec5d 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py @@ -3,10 +3,12 @@ import pytest import os -# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget. +# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running +# into trouble with Mono and nuget. @pytest.mark.only_if( runs_on.linux - or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15) + or (runs_on.macos and runs_on.x86_64 + and not runs_on.macos_15 and not runs_on.macos_26) ) def test(codeql, csharp): os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_DOTNET_FRAMEWORK_REFERENCES"] = ( diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py index 6d2058c684c..4f3097bb387 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py @@ -3,10 +3,12 @@ import runs_on import pytest -# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget. +# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running +# into trouble with Mono and nuget. @pytest.mark.only_if( runs_on.linux - or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15) + or (runs_on.macos and runs_on.x86_64 + and not runs_on.macos_15 and not runs_on.macos_26) ) def test(codeql, csharp): # making sure we're not doing any fallback restore: diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py index 7f88196097f..9a8c9b2291e 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py @@ -2,10 +2,12 @@ import runs_on import pytest -# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget. +# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running +# into trouble with Mono and nuget. @pytest.mark.only_if( runs_on.linux - or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15) + or (runs_on.macos and runs_on.x86_64 + and not runs_on.macos_15 and not runs_on.macos_26) ) def test(codeql, csharp): codeql.database.create(build_mode="none") diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py index 185fb5201f9..f095580d34d 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py @@ -2,10 +2,12 @@ import runs_on import pytest -# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget. +# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running +# into trouble with Mono and nuget. @pytest.mark.only_if( runs_on.linux - or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15) + or (runs_on.macos and runs_on.x86_64 + and not runs_on.macos_15 and not runs_on.macos_26) ) def test(codeql, csharp): codeql.database.create(source_root="proj", build_mode="none") From 5cf281a1b6b9fe060e00811a56056ba7845edd78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Tue, 17 Feb 2026 18:16:51 +0100 Subject: [PATCH 093/110] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../posix/standalone_dependencies_no_framework/test.py | 2 +- .../posix/standalone_dependencies_nuget/test.py | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py index e0181a1ec5d..8f66ebf714e 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py @@ -3,7 +3,7 @@ import pytest import os -# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running +# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running # into trouble with Mono and nuget. @pytest.mark.only_if( runs_on.linux diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py index 9a8c9b2291e..ebdad77e716 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py @@ -6,8 +6,14 @@ import pytest # into trouble with Mono and nuget. @pytest.mark.only_if( runs_on.linux - or (runs_on.macos and runs_on.x86_64 - and not runs_on.macos_15 and not runs_on.macos_26) + or ( + runs_on.macos + and runs_on.x86_64 + and not ( + runs_on.macos_15 + or runs_on.macos_26 + ) + ) ) def test(codeql, csharp): codeql.database.create(build_mode="none") From 9efe1120260b306d86282e8da35828581b1b9ef0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Feb 2026 17:16:54 +0000 Subject: [PATCH 094/110] Initial plan From 004ebd386c85c7548f39e37c0efd2fdb4d4afa71 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Feb 2026 17:21:50 +0000 Subject: [PATCH 095/110] Centralize mono/nuget skip predicate in conftest.py Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com> --- csharp/ql/integration-tests/posix/conftest.py | 20 +++++++++++++++++++ .../test.py | 10 ++-------- .../test.py | 10 ++-------- .../standalone_dependencies_nuget/test.py | 16 ++------------- .../test.py | 10 ++-------- 5 files changed, 28 insertions(+), 38 deletions(-) create mode 100644 csharp/ql/integration-tests/posix/conftest.py diff --git a/csharp/ql/integration-tests/posix/conftest.py b/csharp/ql/integration-tests/posix/conftest.py new file mode 100644 index 00000000000..0cd4ee6cfa0 --- /dev/null +++ b/csharp/ql/integration-tests/posix/conftest.py @@ -0,0 +1,20 @@ +import runs_on +import pytest + + +def _supports_mono_nuget(): + """ + Helper function to determine if the current platform supports Mono and nuget. + + Returns True if running on Linux or on macOS x86_64 (excluding macos-15 and macos-26). + macOS ARM runners (macos-15 and macos-26) are excluded due to issues with Mono and nuget. + """ + return ( + runs_on.linux + or ( + runs_on.macos + and runs_on.x86_64 + and not runs_on.macos_15 + and not runs_on.macos_26 + ) + ) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py index 8f66ebf714e..3d0d011f73d 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py @@ -1,15 +1,9 @@ -import runs_on import pytest import os +from conftest import _supports_mono_nuget -# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running -# into trouble with Mono and nuget. -@pytest.mark.only_if( - runs_on.linux - or (runs_on.macos and runs_on.x86_64 - and not runs_on.macos_15 and not runs_on.macos_26) -) +@pytest.mark.only_if(_supports_mono_nuget()) def test(codeql, csharp): os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_DOTNET_FRAMEWORK_REFERENCES"] = ( "/non-existent-path" diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py index 4f3097bb387..1b111d08239 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py @@ -1,15 +1,9 @@ import os -import runs_on import pytest +from conftest import _supports_mono_nuget -# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running -# into trouble with Mono and nuget. -@pytest.mark.only_if( - runs_on.linux - or (runs_on.macos and runs_on.x86_64 - and not runs_on.macos_15 and not runs_on.macos_26) -) +@pytest.mark.only_if(_supports_mono_nuget()) def test(codeql, csharp): # making sure we're not doing any fallback restore: os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_TIMEOUT"] = "1" diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py index ebdad77e716..2d887a52244 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py @@ -1,19 +1,7 @@ -import runs_on import pytest +from conftest import _supports_mono_nuget -# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running -# into trouble with Mono and nuget. -@pytest.mark.only_if( - runs_on.linux - or ( - runs_on.macos - and runs_on.x86_64 - and not ( - runs_on.macos_15 - or runs_on.macos_26 - ) - ) -) +@pytest.mark.only_if(_supports_mono_nuget()) def test(codeql, csharp): codeql.database.create(build_mode="none") diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py index f095580d34d..a2bb13e921b 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py @@ -1,13 +1,7 @@ -import runs_on import pytest +from conftest import _supports_mono_nuget -# Skipping the test on the ARM runners, macos-15 and macos-26, as we're running -# into trouble with Mono and nuget. -@pytest.mark.only_if( - runs_on.linux - or (runs_on.macos and runs_on.x86_64 - and not runs_on.macos_15 and not runs_on.macos_26) -) +@pytest.mark.only_if(_supports_mono_nuget()) def test(codeql, csharp): codeql.database.create(source_root="proj", build_mode="none") From 60b8213fdda848af3dfc2eca803f252fcf98ede6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Feb 2026 17:22:27 +0000 Subject: [PATCH 096/110] Remove unused pytest import from conftest.py Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com> --- csharp/ql/integration-tests/posix/conftest.py | 1 - 1 file changed, 1 deletion(-) diff --git a/csharp/ql/integration-tests/posix/conftest.py b/csharp/ql/integration-tests/posix/conftest.py index 0cd4ee6cfa0..543bc046c98 100644 --- a/csharp/ql/integration-tests/posix/conftest.py +++ b/csharp/ql/integration-tests/posix/conftest.py @@ -1,5 +1,4 @@ import runs_on -import pytest def _supports_mono_nuget(): From 779fd757a397a7585d50d4a5810a8920b6ea2288 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 12:35:15 -0500 Subject: [PATCH 097/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 9f1c15690ee..ce7d73b1bfc 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -143,7 +143,7 @@ predicate isLikelyConversionConstant(int c) { 36524, // days in 100-year Gregorian subcycle 1461, // days in 4-year cycle (incl. 1 leap) 32044, // Fliegel-van Flandern JDN epoch shift - 1721425, // JDN of 0001‑01‑01 (Gregorian) + 1721425, // JDN of 0001-01-01 (Gregorian) 1721119, // alt epoch offset 2400000, // MJD -> JDN conversion 2400001, // alt MJD -> JDN conversion From 0106072b882b7f3752db9bd86978cffe9f01478f Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 12:35:27 -0500 Subject: [PATCH 098/110] Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index ce7d73b1bfc..28271d5c3a6 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -147,7 +147,7 @@ predicate isLikelyConversionConstant(int c) { 1721119, // alt epoch offset 2400000, // MJD -> JDN conversion 2400001, // alt MJD -> JDN conversion - 2141, // fixed‑point month/day extraction + 2141, // fixed-point month/day extraction 65536, // observed in some conversions 7834, // observed in some conversions 256, // observed in some conversions From ea0d1bf2620defc288276708137c94eb1fdc2590 Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 12:38:59 -0500 Subject: [PATCH 099/110] Apply suggestion from @bdrodes --- .../Leap Year/UncheckedLeapYearAfterYearModification.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql index 28271d5c3a6..0a52a2b0ff4 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql +++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql @@ -162,7 +162,8 @@ predicate isLikelyConversionConstant(int c) { 1400, // Hijri base year, used when converting a 2 digit year 1980, // FAT filesystem epoch start year 227013, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year - 10631, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year + 10631, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year, + 80, // 1980/01/01 is the start of the epoch on DOS 0 ] ) From 6760390d754b01d020cfef2652791bc715770683 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Tue, 17 Feb 2026 18:49:11 +0100 Subject: [PATCH 100/110] Fix imports --- .../posix/standalone_dependencies_no_framework/test.py | 3 ++- .../posix/standalone_dependencies_nuget with_space/test.py | 2 +- .../posix/standalone_dependencies_nuget/test.py | 2 +- .../posix/standalone_dependencies_nuget_no_sources/test.py | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py index 3d0d011f73d..21987ed7a2d 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py @@ -1,6 +1,7 @@ import pytest import os -from conftest import _supports_mono_nuget +from ..conftest import _supports_mono_nuget + @pytest.mark.only_if(_supports_mono_nuget()) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py index 1b111d08239..662178aa3c0 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py @@ -1,6 +1,6 @@ import os import pytest -from conftest import _supports_mono_nuget +from ..conftest import _supports_mono_nuget @pytest.mark.only_if(_supports_mono_nuget()) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py index 2d887a52244..d8e8c8055ad 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py @@ -1,5 +1,5 @@ import pytest -from conftest import _supports_mono_nuget +from ..conftest import _supports_mono_nuget @pytest.mark.only_if(_supports_mono_nuget()) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py index a2bb13e921b..ccd8f61a384 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py @@ -1,5 +1,5 @@ import pytest -from conftest import _supports_mono_nuget +from ..conftest import _supports_mono_nuget @pytest.mark.only_if(_supports_mono_nuget()) From fa73cd5d5c8233a1a1633f0f8fcc5147627df1e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Tue, 17 Feb 2026 18:49:51 +0100 Subject: [PATCH 101/110] Remove unnecessary blank line in test.py --- .../posix/standalone_dependencies_no_framework/test.py | 1 - 1 file changed, 1 deletion(-) diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py index 21987ed7a2d..725ded1899c 100644 --- a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py +++ b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py @@ -3,7 +3,6 @@ import os from ..conftest import _supports_mono_nuget - @pytest.mark.only_if(_supports_mono_nuget()) def test(codeql, csharp): os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_DOTNET_FRAMEWORK_REFERENCES"] = ( From a1eaf42cbf5fd1ee9695db7c6423e48d6bd19f0c Mon Sep 17 00:00:00 2001 From: Ben Rodes Date: Tue, 17 Feb 2026 13:05:51 -0500 Subject: [PATCH 102/110] Update python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- .../2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md | 1 - 1 file changed, 1 deletion(-) diff --git a/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md b/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md index d4373eadfb2..c3b4194e7b8 100644 --- a/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md +++ b/python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md @@ -1,5 +1,4 @@ --- category: minorAnalysis --- -* Modified SSRF tests to use postprocessing to more easily debug results. * Added new full SSRF sanitization barrier from the new AntiSSRF library. \ No newline at end of file From 93d417049c4196d0dddc7cd58959c5c57c5505b6 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 18 Feb 2026 08:41:13 +0100 Subject: [PATCH 103/110] C#: Add tests for `Equals` methods with nullable parameter types --- .../NullableTest.cs | 86 +++++++++++++++++++ .../IncorrectEqualsSignature/NullableTest.cs | 86 +++++++++++++++++++ 2 files changed, 172 insertions(+) create mode 100644 csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/NullableTest.cs create mode 100644 csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/NullableTest.cs diff --git a/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/NullableTest.cs b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/NullableTest.cs new file mode 100644 index 00000000000..a66ffbec9a0 --- /dev/null +++ b/csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/NullableTest.cs @@ -0,0 +1,86 @@ +using System; + +#nullable enable + +namespace Test +{ + class TestClass1 : IEquatable + { + private int field1; + + public bool Equals(TestClass1? param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object? param2) + { + return param2 is TestClass1 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } + + class TestClass2 : IEquatable + { + private int field1; + + public bool Equals(TestClass2 param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object? param2) + { + return param2 is TestClass2 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } + + class TestClass3 : IEquatable + { + private int field1; + + public bool Equals(TestClass3? param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object param2) + { + return param2 is TestClass3 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } + + class TestClass4 : IEquatable + { + private int field1; + + public bool Equals(TestClass4 param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object param2) + { + return param2 is TestClass4 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } +} \ No newline at end of file diff --git a/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/NullableTest.cs b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/NullableTest.cs new file mode 100644 index 00000000000..a66ffbec9a0 --- /dev/null +++ b/csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/NullableTest.cs @@ -0,0 +1,86 @@ +using System; + +#nullable enable + +namespace Test +{ + class TestClass1 : IEquatable + { + private int field1; + + public bool Equals(TestClass1? param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object? param2) + { + return param2 is TestClass1 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } + + class TestClass2 : IEquatable + { + private int field1; + + public bool Equals(TestClass2 param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object? param2) + { + return param2 is TestClass2 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } + + class TestClass3 : IEquatable + { + private int field1; + + public bool Equals(TestClass3? param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object param2) + { + return param2 is TestClass3 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } + + class TestClass4 : IEquatable + { + private int field1; + + public bool Equals(TestClass4 param1) + { + return param1 != null && field1 == param1.field1; + } + + public override bool Equals(object param2) + { + return param2 is TestClass4 tc && Equals(tc); + } + + public override int GetHashCode() + { + return field1; + } + } +} \ No newline at end of file From 116f5a253c4ce388b56f0b5a2eb7a6b16d545842 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 18 Feb 2026 12:22:01 +0100 Subject: [PATCH 104/110] Bazel: Update Rust toolchain to nightly/2026-01-22 and rules_rust to 0.68.1.codeql.1 Update the Rust nightly toolchain from nightly/2025-08-01 to nightly/2026-01-22 (rustc 1.95.0-nightly), and rules_rust from 0.66.0 to 0.68.1.codeql.1. The new nightly changed how stdlib metadata is distributed: .rlib files now contain only a metadata stub, with full metadata in separate .rmeta files. rules_rust's stdlib glob doesn't include *.rmeta, causing 'only metadata stub found' errors. This is patched via a custom registry entry (0.68.1.codeql.1). Upstream bug: https://github.com/bazelbuild/rules_rust/issues/3859 --- MODULE.bazel | 44 ++--- .../rules_rust/0.68.1.codeql.1/MODULE.bazel | 151 ++++++++++++++++++ .../patches/include_rmeta_in_stdlib.patch | 12 ++ .../rules_rust/0.68.1.codeql.1/source.json | 9 ++ .../registry/modules/rules_rust/metadata.json | 11 ++ .../src/nightly-toolchain/rust-toolchain.toml | 2 +- rust/ql/test/rust-toolchain.toml | 2 +- 7 files changed, 207 insertions(+), 24 deletions(-) create mode 100644 misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/MODULE.bazel create mode 100644 misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/patches/include_rmeta_in_stdlib.patch create mode 100644 misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/source.json create mode 100644 misc/bazel/registry/modules/rules_rust/metadata.json diff --git a/MODULE.bazel b/MODULE.bazel index 9b326127ce7..5ace37479cb 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1") bazel_dep(name = "gazelle", version = "0.40.0") bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1") bazel_dep(name = "googletest", version = "1.14.0.bcr.1") -bazel_dep(name = "rules_rust", version = "0.66.0") +bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1") bazel_dep(name = "zstd", version = "1.5.5.bcr.1") bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True) @@ -41,7 +41,7 @@ RUST_EDITION = "2024" # a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally # we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really # required in this repo -RUST_VERSION = "nightly/2025-08-01" +RUST_VERSION = "nightly/2026-01-22" rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain( @@ -53,26 +53,26 @@ rust.toolchain( ], # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo) sha256s = { - "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4", - "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7", - "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773", - "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f", - "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6", - "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e", - "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0", - "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50", - "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69", - "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef", - "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a", - "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b", - "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47", - "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1", - "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41", - "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f", - "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d", - "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8", - "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4", - "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e", + "2026-01-22/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "88db619323cc1321630d124efa51ed02fabc5e020f08cfa0eda2c0ac1afbe69a", + "2026-01-22/rustc-nightly-x86_64-apple-darwin.tar.xz": "08484da3fa38db56f93629aeabdc0ae9ff8ed9704c0792d35259cbc849b3f54c", + "2026-01-22/rustc-nightly-aarch64-apple-darwin.tar.xz": "a39c0b21b7058e364ea1bd43144e42e4bf1efade036b2e82455f2afce194ee81", + "2026-01-22/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "d00248ee9850dbb6932b2578e32ff74fc7c429854c1aa071066ca31b65385a3b", + "2026-01-22/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "70656a0ce994ffff16d5a35a7b170a0acd41e9bb54a589c96ed45bf97b094a4d", + "2026-01-22/clippy-nightly-x86_64-apple-darwin.tar.xz": "fe242519fa961522734733009705aec3c2d9a20cc57291f2aa614e5e6262c88f", + "2026-01-22/clippy-nightly-aarch64-apple-darwin.tar.xz": "38bb226363ec97c9722edf966cd58774a683e19fd2ff2a6030094445d51e06f9", + "2026-01-22/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "6da9b4470beea67abfebf046f141eee0d2a8db7c7a9e4e2294478734fd477228", + "2026-01-22/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "99004e9d10c43a01499642f53bb3184d41137a95d65bfb217098840a9e79e892", + "2026-01-22/cargo-nightly-x86_64-apple-darwin.tar.xz": "6e021394cf8d8400ac6cfdfcef24e4d74f988e91eb8028b36de3a64ce3502990", + "2026-01-22/cargo-nightly-aarch64-apple-darwin.tar.xz": "4b2494cb69ab64132cddbc411a38ea9f1105e54d6f986e43168d54f79510c673", + "2026-01-22/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "c36613cf57407212d10d37b76e49a60ff42336e953cdff9e177283f530a83fc1", + "2026-01-22/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "0b123c5027dbd833aae6845ffe9bd07d309bf798746a7176aadaea68fbcbd05d", + "2026-01-22/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "a47864491ad5619158c950ab7570fb6e487d5117338585c27334d45824b406d8", + "2026-01-22/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "db9bc826d6e2e7e914505d50157682e516ceb90357e83d77abddc32c2d962f41", + "2026-01-22/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "ffaa406932b2fe62e01dad61cf4ed34860a5d2a6f9306ca340d79e630d930039", + "2026-01-22/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "e9c0d5e06e18a4b509391b3088f29293e310cdc8ccc865be8fa3f09733326925", + "2026-01-22/rust-std-nightly-x86_64-apple-darwin.tar.xz": "25d75995cee679a4828ca9fe48c5a31a67c3b0846018440ef912e5a6208f53f6", + "2026-01-22/rust-std-nightly-aarch64-apple-darwin.tar.xz": "e4132bf3f2eed4684c86756a02315bcf481c23e675e3e25630fc604c9cb4594c", + "2026-01-22/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "961bb535ef95ae8a5fa4e224cb94aff190f155c45a9bcf7a53e184b024aa41b1", }, versions = [RUST_VERSION], ) diff --git a/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/MODULE.bazel b/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/MODULE.bazel new file mode 100644 index 00000000000..aedc5a8a242 --- /dev/null +++ b/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/MODULE.bazel @@ -0,0 +1,151 @@ +"""bazelbuild/rules_rust""" + +module( + name = "rules_rust", + version = "0.68.1.codeql.1", +) + +############################################################################### +## Core +############################################################################### + +bazel_dep(name = "bazel_features", version = "1.32.0") +bazel_dep(name = "bazel_skylib", version = "1.8.2") +bazel_dep(name = "platforms", version = "1.0.0") +bazel_dep(name = "rules_cc", version = "0.2.4") +bazel_dep(name = "rules_license", version = "1.0.0") +bazel_dep(name = "rules_shell", version = "0.6.1") +bazel_dep(name = "apple_support", version = "1.24.1", repo_name = "build_bazel_apple_support") + +internal_deps = use_extension("//rust/private:internal_extensions.bzl", "i") +use_repo( + internal_deps, + "rrra", + "rrra__anyhow-1.0.71", + "rrra__camino-1.1.9", + "rrra__clap-4.3.11", + "rrra__env_logger-0.10.0", + "rrra__itertools-0.11.0", + "rrra__log-0.4.19", + "rrra__serde-1.0.171", + "rrra__serde_json-1.0.102", + "rules_rust_tinyjson", +) + +cargo_internal_deps = use_extension("//cargo/private:internal_extensions.bzl", "i") +use_repo( + cargo_internal_deps, + "rrc", + "rrc__cargo-util-schemas-0.3.1", + "rrc__cargo_toml-0.20.5", + "rrc__pathdiff-0.1.0", + "rrc__semver-1.0.25", + "rrc__toml-0.8.20", +) + +rust = use_extension("//rust:extensions.bzl", "rust") +rust.toolchain(edition = "2021") +use_repo(rust, "rust_toolchains") + +register_toolchains( + "@rust_toolchains//:all", +) + +rust_host_tools = use_extension("//rust:extensions.bzl", "rust_host_tools") +rust_host_tools.host_tools( + name = "rust_host_tools", +) +use_repo( + rust_host_tools, + "rust_host_tools", +) + +rust_test = use_extension("//test:test_extensions.bzl", "rust_test", dev_dependency = True) +use_repo( + rust_test, + "buildkite_config", + "generated_inputs_in_external_repo", + "libc", + "rtra", + "rtra__serde-1.0.228", + "rtra__serde_json-1.0.145", + "rtvsc", + "rtvsc__serde-1.0.228", + "rtvsc__serde_json-1.0.145", + "rules_rust_test_load_arbitrary_tool", + "rules_rust_toolchain_test_target_json", +) + +bazel_dep(name = "rules_python", version = "0.40.0", dev_dependency = True) +bazel_dep(name = "rules_testing", version = "0.7.0", dev_dependency = True) +bazel_dep(name = "bazel_ci_rules", version = "1.0.0", dev_dependency = True) + +############################################################################### +## Crate Universe +############################################################################### + +crate_universe_internal_deps = use_extension( + "//crate_universe/private:internal_extensions.bzl", + "cu", +) +use_repo( + crate_universe_internal_deps, + "cargo_bazel.buildifier-darwin-amd64", + "cargo_bazel.buildifier-darwin-arm64", + "cargo_bazel.buildifier-linux-amd64", + "cargo_bazel.buildifier-linux-arm64", + "cargo_bazel.buildifier-windows-amd64.exe", + "cui", + "cui__anyhow-1.0.98", + "cui__camino-1.1.9", + "cui__cargo-lock-10.1.0", + "cui__cargo-platform-0.1.9", + "cui__cargo_metadata-0.19.2", + "cui__cargo_toml-0.22.1", + "cui__cfg-expr-0.18.0", + "cui__clap-4.5.37", + "cui__crates-index-3.7.0", + "cui__glob-0.3.2", + "cui__hex-0.4.3", + "cui__indoc-2.0.6", + "cui__itertools-0.14.0", + "cui__maplit-1.0.2", + "cui__normpath-1.3.0", + "cui__once_cell-1.21.3", + "cui__pathdiff-0.2.3", + "cui__regex-1.11.1", + "cui__semver-1.0.26", + "cui__serde-1.0.219", + "cui__serde_json-1.0.140", + "cui__serde_starlark-0.1.17", + "cui__sha2-0.10.8", + "cui__spdx-0.10.8", + "cui__tempfile-3.19.1", + "cui__tera-1.20.0", + "cui__textwrap-0.16.2", + "cui__toml-0.8.21", + "cui__tracing-0.1.41", + "cui__tracing-subscriber-0.3.19", + "cui__url-2.5.4", + "cui__walkdir-2.5.0", +) + +crate_universe_internal_non_repro_deps = use_extension( + "//crate_universe/private:internal_extensions.bzl", + "cu_nr", +) +use_repo( + crate_universe_internal_non_repro_deps, + "cargo_bazel_bootstrap", +) + +crate_universe_internal_dev_deps = use_extension( + "//crate_universe/private:internal_extensions.bzl", + "cu_dev", + dev_dependency = True, +) +use_repo( + crate_universe_internal_dev_deps, + "cross_rs", + "cross_rs_host_bin", +) diff --git a/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/patches/include_rmeta_in_stdlib.patch b/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/patches/include_rmeta_in_stdlib.patch new file mode 100644 index 00000000000..3707cb51b63 --- /dev/null +++ b/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/patches/include_rmeta_in_stdlib.patch @@ -0,0 +1,12 @@ +diff --git a/rust/private/repository_utils.bzl b/rust/private/repository_utils.bzl +index 05b741947..f88074af6 100644 +--- a/rust/private/repository_utils.bzl ++++ b/rust/private/repository_utils.bzl +@@ -280,6 +280,7 @@ rust_stdlib_filegroup( + srcs = glob( + [ + "lib/rustlib/{target_triple}/lib/*.rlib", ++ "lib/rustlib/{target_triple}/lib/*.rmeta", + "lib/rustlib/{target_triple}/lib/*{dylib_ext}*", + "lib/rustlib/{target_triple}/lib/*{staticlib_ext}", + "lib/rustlib/{target_triple}/lib/self-contained/**", diff --git a/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/source.json b/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/source.json new file mode 100644 index 00000000000..6048521ce2f --- /dev/null +++ b/misc/bazel/registry/modules/rules_rust/0.68.1.codeql.1/source.json @@ -0,0 +1,9 @@ +{ + "integrity": "sha256-yKqAbPYGZnmsI0YyQe6ArWkiZdrQRl9RERy74wuJA1I=", + "strip_prefix": "", + "url": "https://github.com/bazelbuild/rules_rust/releases/download/0.68.1/rules_rust-0.68.1.tar.gz", + "patches": { + "include_rmeta_in_stdlib.patch": "sha256-7n8XHpfkLUMEbRG6lKqdhLWydsWlRRG+Ywkxk6LvY9c=" + }, + "patch_strip": 1 +} diff --git a/misc/bazel/registry/modules/rules_rust/metadata.json b/misc/bazel/registry/modules/rules_rust/metadata.json new file mode 100644 index 00000000000..deffe6f6dfa --- /dev/null +++ b/misc/bazel/registry/modules/rules_rust/metadata.json @@ -0,0 +1,11 @@ +{ + "homepage": "https://github.com/bazelbuild/rules_rust", + "maintainers": [], + "repository": [ + "github:bazelbuild/rules_rust" + ], + "versions": [ + "0.68.1.codeql.1" + ], + "yanked_versions": {} +} diff --git a/rust/extractor/src/nightly-toolchain/rust-toolchain.toml b/rust/extractor/src/nightly-toolchain/rust-toolchain.toml index 7ed21df9121..4e2d228630e 100644 --- a/rust/extractor/src/nightly-toolchain/rust-toolchain.toml +++ b/rust/extractor/src/nightly-toolchain/rust-toolchain.toml @@ -1,3 +1,3 @@ [toolchain] -channel = "nightly-2025-06-01" +channel = "nightly-2026-01-22" components = [ "rust-src" ] diff --git a/rust/ql/test/rust-toolchain.toml b/rust/ql/test/rust-toolchain.toml index 9343bef27c6..15f54ec6b42 100644 --- a/rust/ql/test/rust-toolchain.toml +++ b/rust/ql/test/rust-toolchain.toml @@ -2,6 +2,6 @@ # IMPORTANT: this can also have an impact on QL test results [toolchain] -channel = "1.90" +channel = "1.93" profile = "minimal" components = [ "rust-src" ] From d7250a8abe4c606e3412c78f81ee9141a8898bd8 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 18 Feb 2026 11:23:01 +0000 Subject: [PATCH 105/110] Address more non-ascii characters. --- .../test.cpp | 153 +++++++++--------- 1 file changed, 76 insertions(+), 77 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp index 28bf66b3436..850ef560536 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp @@ -1,4 +1,4 @@ -typedef unsigned short WORD; +typedef unsigned short WORD; typedef unsigned long DWORD, HANDLE; typedef int BOOL, BOOLEAN, errno_t; typedef char CHAR; @@ -392,7 +392,7 @@ void AntiPattern_unchecked_filetime_conversion2(SYSTEMTIME* st) } /** - * Positive (Out of Scope) + * Positive (Out of Scope) * SYSTEMTIME.wDay is incremented by one (and no guard exists) */ void AntiPattern_unchecked_filetime_conversion2() @@ -409,7 +409,7 @@ void AntiPattern_unchecked_filetime_conversion2() /** * Positive Cases - * - Anti-pattern 1: [year ±n, month, day] + * - Anti-pattern 1: [year +-n, month, day] * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions */ void AntiPattern_unchecked_filetime_conversion2a() @@ -427,7 +427,7 @@ void AntiPattern_unchecked_filetime_conversion2a() /** * Positive Cases - * - Anti-pattern 1: [year ±n, month, day] + * - Anti-pattern 1: [year +-n, month, day] * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions */ void AntiPattern_unchecked_filetime_conversion2b() @@ -445,7 +445,7 @@ void AntiPattern_unchecked_filetime_conversion2b() /** * Positive Cases - * - Anti-pattern 1: [year ±n, month, day] + * - Anti-pattern 1: [year +-n, month, day] * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions */ void AntiPattern_unchecked_filetime_conversion2b(SYSTEMTIME* st) @@ -461,7 +461,7 @@ void AntiPattern_unchecked_filetime_conversion2b(SYSTEMTIME* st) /** * Positive Cases - * - Anti-pattern 3: datetime.AddDays(±28) + * - Anti-pattern 3: datetime.AddDays(+-28) * - Generic (Out of Scope) - UncheckedReturnValueForTimeFunctions */ void AntiPattern_unchecked_filetime_conversion3() @@ -472,7 +472,7 @@ void AntiPattern_unchecked_filetime_conversion3() if (st.wMonth < 12) { - // Anti-pattern 3: datetime.AddDays(±28) + // Anti-pattern 3: datetime.AddDays(+-28) st.wMonth++; } else @@ -489,7 +489,7 @@ void AntiPattern_unchecked_filetime_conversion3() ////////////////////////////////////////////// /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Year is incremented and if we are on Feb the 29th, set to the 28th if the new year is a common year. */ void CorrectPattern_check1() @@ -515,7 +515,7 @@ void CorrectPattern_check1() } /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and then the leap year case is correctly guarded and handled. */ void CorrectPattern_check2(int yearsToAdd) @@ -542,7 +542,7 @@ bool isLeapYear(SYSTEMTIME& st) } /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and then the leap year case is correctly guarded and handled. */ void CorrectPattern_check3() @@ -580,7 +580,7 @@ bool fixDate(int day, int month, int year) } /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and then the leap year case is correctly guarded and handled. */ void CorrectPattern_check4() @@ -635,7 +635,7 @@ void CorrectPattern_NotManipulated_DateFromAPI_1(HANDLE hWatchdog) ///////////////////////////////////////////////////////////////// /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Year is incremented by some integer and checked through a conversion through an inter procedural function check */ void AntiPattern_1_year_addition() @@ -644,7 +644,7 @@ void AntiPattern_1_year_addition() GetSystemTime(&st); // Safe, checked interprocedurally through Correct_filetime_conversion_check - st.wYear++; + st.wYear++; // Usage of potentially invalid date Correct_filetime_conversion_check(st); @@ -653,7 +653,7 @@ void AntiPattern_1_year_addition() /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and checked through a conversion through an inter procedural function check */ void AntiPattern_simple_addition(int yearAddition) @@ -662,14 +662,14 @@ void AntiPattern_simple_addition(int yearAddition) GetSystemTime(&st); - st.wYear += yearAddition; + st.wYear += yearAddition; // Usage of potentially invalid date Correct_filetime_conversion_check(st); } /** - * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Positive Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer but a leap year is not handled *correctly*. */ void AntiPattern_IncorrectGuard(int yearsToAdd) @@ -683,7 +683,7 @@ void AntiPattern_IncorrectGuard(int yearsToAdd) // Incorrect Guard if (st.wMonth == 2 && st.wDay == 29) { - // Part of a different anti-pattern (AntiPattern 5). + // Part of a different anti-pattern (AntiPattern 5). // Make sure the guard includes the proper check bool isLeapYear = st.wYear % 4 == 0; if (!isLeapYear) @@ -724,7 +724,7 @@ void AntiPattern_uncheckedUsageOf_mkgmtime(struct tm& timeinfo) ////////////////////////////////////////////////////////// /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and leap year is not handled correctly. */ void Correct_year_addition_struct_tm() @@ -744,7 +744,7 @@ void Correct_year_addition_struct_tm() timeinfo.tm_year++; // Guard - // move back a day when landing on Feb 29 in an non-leap year + // move back a day when landing on Feb 29 in an non-leap year bool isLeapYear = timeinfo.tm_year % 4 == 0 && (timeinfo.tm_year % 100 != 0 || (timeinfo.tm_year + 1900) % 400 == 0); timeinfo.tm_mday = timeinfo.tm_mon == 1 && timeinfo.tm_mday == 29 && !isLeapYear ? 28 : timeinfo.tm_mday; @@ -753,7 +753,7 @@ void Correct_year_addition_struct_tm() } /** - * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Positive Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and leap year is not handled correctly. */ void Incorrect_LinuxPattern() @@ -779,9 +779,9 @@ void Incorrect_LinuxPattern() ////////////////////////////////////////// /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] + * Negative Case - Anti-pattern 1: [year +-n, month, day] * Years is incremented by some integer and leap year is assumed checked through - * check of a conversion functions return value. + * check of a conversion functions return value. */ void AntiPattern_year_addition_struct_tm() { @@ -789,7 +789,7 @@ void AntiPattern_year_addition_struct_tm() struct tm timeinfo; time(&rawtime); gmtime_s(&timeinfo, &rawtime); - timeinfo.tm_year++; + timeinfo.tm_year++; // mkgmtime result checked in nested call here, assume leap year conversion is potentially handled CorrectUsageOf_mkgmtime(timeinfo); @@ -799,7 +799,7 @@ void AntiPattern_year_addition_struct_tm() /** - * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Positive Case - Anti-pattern 1: [year +-n, month, day] */ void test(int x) { @@ -809,12 +809,12 @@ void test(int x) timeinfo.tm_year = x; // BUG - UncheckedLeapYearAfterYearModification - // Positive Case - Anti-pattern 1: [year ±n, month, day] + // Positive Case - Anti-pattern 1: [year +-n, month, day] timeinfo.tm_year = x + timeinfo.tm_year; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] st.wYear = x; // BUG - UncheckedLeapYearAfterYearModification - // Positive Case - Anti-pattern 1: [year ±n, month, day] + // Positive Case - Anti-pattern 1: [year +-n, month, day] st.wYear = x + st.wYear; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] } @@ -848,10 +848,10 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) timestamp_remote.tm = tm_parsed; timestamp_remote.tm.tm_isdst = -1; timestamp_remote.usec = now.tv_nsec * 0.001; - for (year = tm_now.tm_year + 1;; --year) + for (year = tm_now.tm_year + 1;; --year) { // assert(year >= tm_now.tm_year - 1); - timestamp_remote.tm.tm_year = year; + timestamp_remote.tm.tm_year = year; if (mktime(×tamp_remote.tm) < t_now + 7 * 24 * 60 * 60) break; } @@ -936,7 +936,7 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) } /** - * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Positive Case - Anti-pattern 1: [year +-n, month, day] * Modification of SYSTEMTIME struct adding to year but no leap year guard is conducted. */ void modified3() @@ -954,7 +954,7 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) } /** - * Positive Case - Anti-pattern 1: [year ±n, month, day] + * Positive Case - Anti-pattern 1: [year +-n, month, day] * Modification of SYSTEMTIME struct adding to year but no leap year guard is conducted. */ void modified4() @@ -972,9 +972,9 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) } /** - * Negative Case - Anti-pattern 1: [year ±n, month, day] - * Modification of SYSTEMTIME struct adding to year but value passed to a - * conversion function that can be checked for success, and the result is checked. + * Negative Case - Anti-pattern 1: [year +-n, month, day] + * Modification of SYSTEMTIME struct adding to year but value passed to a + * conversion function that can be checked for success, and the result is checked. */ void modified5() { @@ -984,11 +984,11 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) GetSystemTime(&st); - st.wYear++; + st.wYear++; - // Presumed safe usage, as if the conversion is incorrect, a user can handle the error. + // Presumed safe usage, as if the conversion is incorrect, a user can handle the error. // NOTE: it doesn't mean the user actually does the correct conversion and it it also - // doesn't mean it will error our in all cases that may be invalid. + // doesn't mean it will error our in all cases that may be invalid. // For example, if a leap year and the date is 28, we may want 29 if the time is meant // to capture the end of the month, but 28 is still valid and will not error out. if (SystemTimeToFileTime(&st, &ft)) @@ -998,7 +998,7 @@ void tp_intermediaryVar(struct timespec now, struct logtime ×tamp_remote) } /** -* Negative Case - Anti-pattern 1: [year ±n, month, day] +* Negative Case - Anti-pattern 1: [year +-n, month, day] * Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. */ bool @@ -1018,7 +1018,7 @@ FMAPITimeToSysTimeW(LPCWSTR wszTime, SYSTEMTIME *psystime) } /** -* Negative Case - Anti-pattern 1: [year ±n, month, day] +* Negative Case - Anti-pattern 1: [year +-n, month, day] * Modification of SYSTEMTIME struct by copying from another struct, but no arithmetic is performed. */ void fp_daymonth_guard(){ @@ -1128,7 +1128,7 @@ void leap_year_checked_raw_false_positive1(WORD year, WORD offset, WORD day){ } // Assume the check handled leap year correctly - tmp.tm_year = year; // GOOD + tmp.tm_year = year; // GOOD tmp.tm_mday = day; } @@ -1313,7 +1313,7 @@ void compound_leap_year_check(WORD year, WORD offset, WORD month, WORD day){ tmp.tm_year = year + offset; bool isLeap = tmp.tm_year % 4 == 0 && (tmp.tm_year % 100 != 0 || tmp.tm_year % 400 == 0) && (month == 2 && day == 29); - + if(isLeap){ // do something } @@ -1331,7 +1331,7 @@ void indirect_time_conversion_check(WORD year, WORD offset){ // (out-of-scope) GeneralBug: Unchecked call to SystemTimeToFileTime. this may have failed, but we didn't check the return value! BOOL res = SystemTimeToFileTime(&tmp, &ft); - // Assume this check of the result is sufficient as an implicit leap year check. + // Assume this check of the result is sufficient as an implicit leap year check. bool x = (res == 0) ? true : false; } @@ -1365,10 +1365,10 @@ void constant_month_on_year_modification2(WORD year, WORD offset, WORD month){ tmp.wYear = year + 1;// OK since the year is incremented with a known non-leap year month change } - + if(month++ > 12){ // some heuristics to detect a false positive here rely on variable names - // which is often consistent in the wild. + // which is often consistent in the wild. // This variant uses the variable names yeartmp and monthtmp WORD yeartmp; WORD monthtmp; @@ -1400,7 +1400,7 @@ void intermediate_time_struct(WORD year, WORD offset){ SYSTEMTIME tm, tm2; FILETIME ftTime; - tm.wYear = year + offset; + tm.wYear = year + offset; tm2.wYear = tm.wYear; @@ -1428,7 +1428,7 @@ void constant_day_on_year_modification1(WORD year, WORD offset, WORD month){ if(month++ > 12){ // BAD, year incremented, month unknown in block, and date is set to 31 - // which is dangerous. + // which is dangerous. set_time(year+1, month, 31);// $ Source } } @@ -1460,7 +1460,7 @@ void constant_day_on_year_modification2(WORD year, WORD month){ if(month++ > 12){ // BAD, year incremented, month unknown in block, and date is set to 31 - // which is dangerous. + // which is dangerous. set_time(year, month, 31); } } @@ -1468,7 +1468,7 @@ void constant_day_on_year_modification2(WORD year, WORD month){ void modification_after_conversion1(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = timeinfo.tm_year + 1900; @@ -1481,7 +1481,7 @@ WORD get_civil_year(tm timeinfo){ void modification_after_conversion2(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = get_civil_year(timeinfo); year += 1; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] @@ -1489,14 +1489,14 @@ void modification_after_conversion2(tm timeinfo){ void modification_after_conversion_saved_to_other_time_struct1(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = timeinfo.tm_year + 1900; year += 1; // $ MISSING: Source SYSTEMTIME s; - // FALSE NEGATIVE: missing this because the conversion happens locally before + // FALSE NEGATIVE: missing this because the conversion happens locally before // the year adjustment, which seems as though it is part of a conversion itself s.wYear = year; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] } @@ -1505,7 +1505,7 @@ void modification_after_conversion_saved_to_other_time_struct1(tm timeinfo){ void modification_after_conversion_saved_to_other_time_struct2(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = get_civil_year(timeinfo); @@ -1517,25 +1517,25 @@ void modification_after_conversion_saved_to_other_time_struct2(tm timeinfo){ void modification_after_conversion_saved_to_other_time_struct3(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = timeinfo.tm_year + 1900; year = year + 1; // $ MISSING: Source SYSTEMTIME s; - // FALSE NEGATIVE: missing this because the conversion happens locally before + // FALSE NEGATIVE: missing this because the conversion happens locally before // the year adjustment, which seems as though it is part of a conversion itself s.wYear = year; // $ MISSING: Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] } void year_saved_to_variable_then_modified1(tm timeinfo){ - // A modified year is not directly assigned to the year, rather, the year is - // saved to a variable, modified, used, but never assigned back. + // A modified year is not directly assigned to the year, rather, the year is + // saved to a variable, modified, used, but never assigned back. WORD year = timeinfo.tm_year; - // NOTE: should we even try to detect cases like this? + // NOTE: should we even try to detect cases like this? // Our current rationale is that a year in a struct is more dangerous than a year in isolation // A year in isolation is harder to interpret year += 1; // MISSING: $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] @@ -1544,7 +1544,7 @@ void year_saved_to_variable_then_modified1(tm timeinfo){ void modification_before_conversion1(tm timeinfo){ timeinfo.tm_year += 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = timeinfo.tm_year + 1900; } @@ -1552,7 +1552,7 @@ void modification_before_conversion1(tm timeinfo){ void modification_before_conversion2(tm timeinfo){ timeinfo.tm_year += 1; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = get_civil_year(timeinfo); } @@ -1560,11 +1560,11 @@ void modification_before_conversion2(tm timeinfo){ void year_saved_to_variable_then_modified_with_leap_check1(tm timeinfo){ - // A modified year is not directly assigned to the year, rather, the year is - // saved to a variable, modified, used, but never assigned back. + // A modified year is not directly assigned to the year, rather, the year is + // saved to a variable, modified, used, but never assigned back. WORD year = timeinfo.tm_year; - year += 1; + year += 1; // performing a check is considered good enough, even if not used correctly bool b = (year+1900) % 4 == 0 && ((year+1900) % 100 != 0 || (year+1900) % 400 == 0); @@ -1573,11 +1573,11 @@ void year_saved_to_variable_then_modified_with_leap_check1(tm timeinfo){ void modification_after_conversion_with_leap_check1(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = timeinfo.tm_year + 1900; - year += 1; + year += 1; // performing a check is considered good enough, even if not used correctly bool b = year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); @@ -1585,20 +1585,20 @@ void modification_after_conversion_with_leap_check1(tm timeinfo){ void modification_after_conversion_with_leap_check2(tm timeinfo){ // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = get_civil_year(timeinfo); - year += 1; + year += 1; // performing a check is considered good enough, even if not used correctly bool b = year % 4 == 0 && (year % 100 != 0 || year % 400 == 0); } void modification_before_conversion_with_leap_check1(tm timeinfo){ - timeinfo.tm_year += 1; + timeinfo.tm_year += 1; // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = timeinfo.tm_year + 1900; @@ -1607,9 +1607,9 @@ void modification_before_conversion_with_leap_check1(tm timeinfo){ } void modification_before_conversion_with_leap_check2(tm timeinfo){ - timeinfo.tm_year += 1; + timeinfo.tm_year += 1; // convert a tm year into a civil year, then modify after conversion - // This case shows a false negative where the year might be used and it is incorrectly modified, + // This case shows a false negative where the year might be used and it is incorrectly modified, // and never reassigned to another struct. WORD year = get_civil_year(timeinfo); @@ -1653,7 +1653,7 @@ void odd_leap_year_check3(tm timeinfo){ } void odd_leap_year_check4(tm timeinfo){ - timeinfo.tm_year += 1; + timeinfo.tm_year += 1; WORD year = timeinfo.tm_year + 1900; if( (year % 4 == 0) && (year % 100 > 0 || (year % 400 == 0))) @@ -1663,7 +1663,7 @@ void odd_leap_year_check4(tm timeinfo){ } void odd_leap_year_check5(tm timeinfo){ - timeinfo.tm_year += 1; + timeinfo.tm_year += 1; WORD year = timeinfo.tm_year + 1900; if( (year % 4 > 0) || (year % 100 == 0 && (year % 400 > 0))) @@ -1694,7 +1694,7 @@ void interproc_data_killer1(tm timeinfo, WORD delta){ WORD year = delta + 1; if(data_killer(&year)){ - timeinfo.tm_year = year; + timeinfo.tm_year = year; } } @@ -1703,18 +1703,18 @@ void leap_year_check_after_normalization(tm timeinfo, WORD delta){ WORD year = delta + 1; if(data_killer(&year)){ - timeinfo.tm_year = year; + timeinfo.tm_year = year; } } void leap_year_check_call_on_conversion1(tm timeinfo){ - timeinfo.tm_year += 1; + timeinfo.tm_year += 1; isLeapYearRaw(timeinfo.tm_year + 1900); } void leap_year_check_call_on_conversion2(tm timeinfo){ - timeinfo.tm_year += 1; + timeinfo.tm_year += 1; WORD year = get_civil_year(timeinfo); isLeapYearRaw(year); } @@ -1724,7 +1724,7 @@ WORD getDaysInMonth(WORD year, WORD month){ if(month == 2){ return isLeapYearRaw(year) ? 29 : 28; } - // else assume logic for every other month, + // else assume logic for every other month, // returning 30 for simplicity return 30; } @@ -1758,4 +1758,3 @@ void bad_leap_year_check_logic1(tm timeinfo){ //(year % 4) && ((year % 100) || !(year % 400 ))) WORD days = (!(year % 4) && (!(year % 100) || (year % 400))) ? 366 : 365; } - From 24f3d9ede0653357329ba38e3768b319e38f2ddd Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 18 Feb 2026 13:56:48 +0100 Subject: [PATCH 106/110] Revert rust-toolchain.toml changes and update test expectations --- .../src/nightly-toolchain/rust-toolchain.toml | 2 +- .../NeverTypeRepr/NeverTypeRepr.expected | 1 - .../controlflow/BasicBlocks.expected | 4 --- .../library-tests/controlflow/Cfg.expected | 20 +++------------ .../type-inference/type-inference.expected | 25 +++++++++++++++++++ rust/ql/test/rust-toolchain.toml | 2 +- 6 files changed, 31 insertions(+), 23 deletions(-) diff --git a/rust/extractor/src/nightly-toolchain/rust-toolchain.toml b/rust/extractor/src/nightly-toolchain/rust-toolchain.toml index 4e2d228630e..7ed21df9121 100644 --- a/rust/extractor/src/nightly-toolchain/rust-toolchain.toml +++ b/rust/extractor/src/nightly-toolchain/rust-toolchain.toml @@ -1,3 +1,3 @@ [toolchain] -channel = "nightly-2026-01-22" +channel = "nightly-2025-06-01" components = [ "rust-src" ] diff --git a/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected b/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected index 7e8d7f8718b..c02b6c82354 100644 --- a/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected +++ b/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected @@ -1,2 +1 @@ | gen_never_type_repr.rs:7:17:7:17 | ! | -| gen_never_type_repr.rs:7:21:7:26 | ! | diff --git a/rust/ql/test/library-tests/controlflow/BasicBlocks.expected b/rust/ql/test/library-tests/controlflow/BasicBlocks.expected index 80357ae29f8..94760d6875e 100644 --- a/rust/ql/test/library-tests/controlflow/BasicBlocks.expected +++ b/rust/ql/test/library-tests/controlflow/BasicBlocks.expected @@ -743,7 +743,6 @@ dominates | test.rs:529:5:537:5 | enter fn const_block_assert | test.rs:533:21:533:48 | [boolean(true)] ! ... | | test.rs:529:5:537:5 | enter fn const_block_assert | test.rs:533:21:533:48 | if ... {...} | | test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | ExprStmt | -| test.rs:533:13:533:19 | enter fn panic_cold_explicit | test.rs:533:13:533:19 | enter fn panic_cold_explicit | | test.rs:533:21:533:48 | [boolean(false)] ! ... | test.rs:533:21:533:48 | [boolean(false)] ! ... | | test.rs:533:21:533:48 | [boolean(true)] ! ... | test.rs:533:13:533:19 | ExprStmt | | test.rs:533:21:533:48 | [boolean(true)] ! ... | test.rs:533:21:533:48 | [boolean(true)] ! ... | @@ -751,7 +750,6 @@ dominates | test.rs:539:5:548:5 | enter fn const_block_panic | test.rs:539:5:548:5 | enter fn const_block_panic | | test.rs:539:5:548:5 | enter fn const_block_panic | test.rs:541:9:546:9 | if false {...} | | test.rs:541:9:546:9 | if false {...} | test.rs:541:9:546:9 | if false {...} | -| test.rs:544:17:544:22 | enter fn panic_cold_explicit | test.rs:544:17:544:22 | enter fn panic_cold_explicit | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:551:1:556:1 | enter fn dead_code | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:553:9:553:17 | ExprStmt | | test.rs:553:9:553:17 | ExprStmt | test.rs:553:9:553:17 | ExprStmt | @@ -1424,7 +1422,6 @@ postDominance | test.rs:529:5:537:5 | enter fn const_block_assert | test.rs:529:5:537:5 | enter fn const_block_assert | | test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | ExprStmt | | test.rs:533:13:533:19 | ExprStmt | test.rs:533:21:533:48 | [boolean(true)] ! ... | -| test.rs:533:13:533:19 | enter fn panic_cold_explicit | test.rs:533:13:533:19 | enter fn panic_cold_explicit | | test.rs:533:21:533:48 | [boolean(false)] ! ... | test.rs:533:21:533:48 | [boolean(false)] ! ... | | test.rs:533:21:533:48 | [boolean(true)] ! ... | test.rs:533:21:533:48 | [boolean(true)] ! ... | | test.rs:533:21:533:48 | if ... {...} | test.rs:529:5:537:5 | enter fn const_block_assert | @@ -1435,7 +1432,6 @@ postDominance | test.rs:539:5:548:5 | enter fn const_block_panic | test.rs:539:5:548:5 | enter fn const_block_panic | | test.rs:541:9:546:9 | if false {...} | test.rs:539:5:548:5 | enter fn const_block_panic | | test.rs:541:9:546:9 | if false {...} | test.rs:541:9:546:9 | if false {...} | -| test.rs:544:17:544:22 | enter fn panic_cold_explicit | test.rs:544:17:544:22 | enter fn panic_cold_explicit | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:551:1:556:1 | enter fn dead_code | | test.rs:553:9:553:17 | ExprStmt | test.rs:551:1:556:1 | enter fn dead_code | | test.rs:553:9:553:17 | ExprStmt | test.rs:553:9:553:17 | ExprStmt | diff --git a/rust/ql/test/library-tests/controlflow/Cfg.expected b/rust/ql/test/library-tests/controlflow/Cfg.expected index ef97a3b628f..25fb8f29e04 100644 --- a/rust/ql/test/library-tests/controlflow/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow/Cfg.expected @@ -1288,20 +1288,13 @@ edges | test.rs:529:41:537:5 | { ... } | test.rs:529:5:537:5 | exit fn const_block_assert (normal) | | | test.rs:532:9:534:9 | ExprStmt | test.rs:533:13:533:50 | ExprStmt | | | test.rs:532:9:534:9 | { ... } | test.rs:536:9:536:10 | 42 | | +| test.rs:533:13:533:19 | "explicit panic" | test.rs:533:13:533:19 | ...::panic(...) | | +| test.rs:533:13:533:19 | ...::panic | test.rs:533:13:533:19 | "explicit panic" | | +| test.rs:533:13:533:19 | ...::panic(...) | test.rs:533:13:533:19 | { ... } | | | test.rs:533:13:533:19 | ...::panic_2021!... | test.rs:533:13:533:19 | MacroExpr | | -| test.rs:533:13:533:19 | ...::panic_explicit | test.rs:533:13:533:19 | ...::panic_explicit(...) | | -| test.rs:533:13:533:19 | ...::panic_explicit(...) | test.rs:533:13:533:19 | { ... } | | -| test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | fn panic_cold_explicit | | -| test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | panic_cold_explicit | | +| test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | ...::panic | | | test.rs:533:13:533:19 | MacroExpr | test.rs:533:13:533:19 | { ... } | | -| test.rs:533:13:533:19 | enter fn panic_cold_explicit | test.rs:533:13:533:19 | ...::panic_explicit | | -| test.rs:533:13:533:19 | exit fn panic_cold_explicit (normal) | test.rs:533:13:533:19 | exit fn panic_cold_explicit | | -| test.rs:533:13:533:19 | fn panic_cold_explicit | test.rs:533:13:533:19 | ExprStmt | | -| test.rs:533:13:533:19 | panic_cold_explicit | test.rs:533:13:533:19 | panic_cold_explicit(...) | | -| test.rs:533:13:533:19 | panic_cold_explicit(...) | test.rs:533:13:533:19 | { ... } | | | test.rs:533:13:533:19 | { ... } | test.rs:533:13:533:19 | ...::panic_2021!... | | -| test.rs:533:13:533:19 | { ... } | test.rs:533:13:533:19 | exit fn panic_cold_explicit (normal) | | -| test.rs:533:13:533:19 | { ... } | test.rs:533:13:533:19 | { ... } | | | test.rs:533:13:533:19 | { ... } | test.rs:533:21:533:48 | if ... {...} | | | test.rs:533:13:533:49 | MacroExpr | test.rs:532:9:534:9 | { ... } | | | test.rs:533:13:533:49 | assert!... | test.rs:533:13:533:49 | MacroExpr | | @@ -1324,11 +1317,6 @@ edges | test.rs:541:9:546:9 | ExprStmt | test.rs:541:12:541:16 | false | | | test.rs:541:9:546:9 | if false {...} | test.rs:547:9:547:9 | N | | | test.rs:541:12:541:16 | false | test.rs:541:9:546:9 | if false {...} | false | -| test.rs:544:17:544:22 | ...::panic_explicit | test.rs:544:17:544:22 | ...::panic_explicit(...) | | -| test.rs:544:17:544:22 | ...::panic_explicit(...) | test.rs:544:17:544:22 | { ... } | | -| test.rs:544:17:544:22 | enter fn panic_cold_explicit | test.rs:544:17:544:22 | ...::panic_explicit | | -| test.rs:544:17:544:22 | exit fn panic_cold_explicit (normal) | test.rs:544:17:544:22 | exit fn panic_cold_explicit | | -| test.rs:544:17:544:22 | { ... } | test.rs:544:17:544:22 | exit fn panic_cold_explicit (normal) | | | test.rs:547:9:547:9 | N | test.rs:539:35:548:5 | { ... } | | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:552:5:554:5 | ExprStmt | | | test.rs:551:1:556:1 | exit fn dead_code (normal) | test.rs:551:1:556:1 | exit fn dead_code | | diff --git a/rust/ql/test/library-tests/type-inference/type-inference.expected b/rust/ql/test/library-tests/type-inference/type-inference.expected index 1b750fab458..a2322cdf929 100644 --- a/rust/ql/test/library-tests/type-inference/type-inference.expected +++ b/rust/ql/test/library-tests/type-inference/type-inference.expected @@ -788,12 +788,14 @@ inferCertainType | dereference.rs:116:5:116:5 | x | | dereference.rs:18:1:20:1 | MySmartPointer | | dereference.rs:143:19:151:5 | { ... } | | {EXTERNAL LOCATION} | () | | dereference.rs:144:17:144:26 | key_to_key | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:144:17:144:26 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:17:144:26 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:17:144:26 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | | dereference.rs:144:17:144:26 | key_to_key | V | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | V.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:144:30:144:57 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:30:144:57 | ...::new(...) | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:30:144:57 | ...::new(...) | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | @@ -804,6 +806,7 @@ inferCertainType | dereference.rs:145:24:145:29 | Key {...} | | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:9:149:9 | if ... {...} | | {EXTERNAL LOCATION} | () | | dereference.rs:146:32:146:41 | key_to_key | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:146:32:146:41 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:146:32:146:41 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:146:32:146:41 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:32:146:41 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -813,6 +816,7 @@ inferCertainType | dereference.rs:146:52:149:9 | { ... } | | {EXTERNAL LOCATION} | () | | dereference.rs:148:13:148:15 | key | | {EXTERNAL LOCATION} | & | | dereference.rs:150:9:150:18 | key_to_key | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:150:9:150:18 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:150:9:150:18 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:150:9:150:18 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:150:9:150:18 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -3350,16 +3354,20 @@ inferCertainType | main.rs:2345:13:2346:13 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2345:29:2346:13 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2349:17:2349:20 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2349:17:2349:20 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:17:2349:20 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2349:24:2349:55 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2349:24:2349:55 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:24:2349:55 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2350:9:2350:12 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2350:9:2350:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2350:9:2350:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2350:24:2350:38 | ...::new(...) | | {EXTERNAL LOCATION} | Box | | main.rs:2350:24:2350:38 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | main.rs:2350:33:2350:37 | "one" | | {EXTERNAL LOCATION} | & | | main.rs:2350:33:2350:37 | "one" | TRef | {EXTERNAL LOCATION} | str | | main.rs:2351:9:2351:12 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2351:9:2351:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2351:9:2351:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2351:24:2351:38 | ...::new(...) | | {EXTERNAL LOCATION} | Box | | main.rs:2351:24:2351:38 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | @@ -3367,21 +3375,25 @@ inferCertainType | main.rs:2351:33:2351:37 | "two" | TRef | {EXTERNAL LOCATION} | str | | main.rs:2352:9:2352:33 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2352:20:2352:23 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2352:20:2352:23 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2352:20:2352:23 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2352:32:2352:33 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2353:9:2353:37 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2353:22:2353:25 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2353:22:2353:25 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2353:22:2353:25 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2353:36:2353:37 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2354:9:2354:42 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2354:13:2354:24 | TuplePat | | {EXTERNAL LOCATION} | (T_2) | | main.rs:2354:29:2354:32 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2354:29:2354:32 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2354:29:2354:32 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2354:41:2354:42 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2355:9:2355:36 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2355:13:2355:24 | TuplePat | | {EXTERNAL LOCATION} | (T_2) | | main.rs:2355:29:2355:33 | &map1 | | {EXTERNAL LOCATION} | & | | main.rs:2355:30:2355:33 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2355:30:2355:33 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2355:30:2355:33 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2355:35:2355:36 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2359:17:2359:17 | a | | {EXTERNAL LOCATION} | i64 | @@ -6452,12 +6464,14 @@ inferType | dereference.rs:116:12:116:12 | 0 | | {EXTERNAL LOCATION} | i32 | | dereference.rs:143:19:151:5 | { ... } | | {EXTERNAL LOCATION} | () | | dereference.rs:144:17:144:26 | key_to_key | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:144:17:144:26 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:17:144:26 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:17:144:26 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | | dereference.rs:144:17:144:26 | key_to_key | V | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | V.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:144:30:144:57 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:30:144:57 | ...::new(...) | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:30:144:57 | ...::new(...) | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | @@ -6483,6 +6497,7 @@ inferType | dereference.rs:146:21:146:27 | ref_key | TRef | {EXTERNAL LOCATION} | & | | dereference.rs:146:21:146:27 | ref_key | TRef.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:32:146:41 | key_to_key | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:146:32:146:41 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:146:32:146:41 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:146:32:146:41 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:32:146:41 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -6508,6 +6523,7 @@ inferType | dereference.rs:148:19:148:25 | ref_key | TRef | {EXTERNAL LOCATION} | & | | dereference.rs:148:19:148:25 | ref_key | TRef.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:150:9:150:18 | key_to_key | | {EXTERNAL LOCATION} | HashMap | +| dereference.rs:150:9:150:18 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:150:9:150:18 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:150:9:150:18 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:150:9:150:18 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -11262,6 +11278,7 @@ inferType | main.rs:2345:13:2346:13 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2345:29:2346:13 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2349:17:2349:20 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2349:17:2349:20 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:17:2349:20 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2349:17:2349:20 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2349:17:2349:20 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11269,6 +11286,7 @@ inferType | main.rs:2349:17:2349:20 | map1 | V.T | {EXTERNAL LOCATION} | & | | main.rs:2349:17:2349:20 | map1 | V.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2349:24:2349:55 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2349:24:2349:55 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:24:2349:55 | ...::new(...) | K | {EXTERNAL LOCATION} | i32 | | main.rs:2349:24:2349:55 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2349:24:2349:55 | ...::new(...) | V | {EXTERNAL LOCATION} | Box | @@ -11276,6 +11294,7 @@ inferType | main.rs:2349:24:2349:55 | ...::new(...) | V.T | {EXTERNAL LOCATION} | & | | main.rs:2349:24:2349:55 | ...::new(...) | V.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2350:9:2350:12 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2350:9:2350:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2350:9:2350:12 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2350:9:2350:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2350:9:2350:12 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11295,6 +11314,7 @@ inferType | main.rs:2350:33:2350:37 | "one" | | {EXTERNAL LOCATION} | & | | main.rs:2350:33:2350:37 | "one" | TRef | {EXTERNAL LOCATION} | str | | main.rs:2351:9:2351:12 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2351:9:2351:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2351:9:2351:12 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2351:9:2351:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2351:9:2351:12 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11317,6 +11337,7 @@ inferType | main.rs:2352:13:2352:15 | key | | {EXTERNAL LOCATION} | & | | main.rs:2352:13:2352:15 | key | TRef | {EXTERNAL LOCATION} | i32 | | main.rs:2352:20:2352:23 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2352:20:2352:23 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2352:20:2352:23 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2352:20:2352:23 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2352:20:2352:23 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11337,6 +11358,7 @@ inferType | main.rs:2353:13:2353:17 | value | TRef.T | {EXTERNAL LOCATION} | & | | main.rs:2353:13:2353:17 | value | TRef.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2353:22:2353:25 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2353:22:2353:25 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2353:22:2353:25 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2353:22:2353:25 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2353:22:2353:25 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11367,6 +11389,7 @@ inferType | main.rs:2354:19:2354:23 | value | TRef.T | {EXTERNAL LOCATION} | & | | main.rs:2354:19:2354:23 | value | TRef.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2354:29:2354:32 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2354:29:2354:32 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2354:29:2354:32 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2354:29:2354:32 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2354:29:2354:32 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11398,6 +11421,7 @@ inferType | main.rs:2355:19:2355:23 | value | TRef.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2355:29:2355:33 | &map1 | | {EXTERNAL LOCATION} | & | | main.rs:2355:29:2355:33 | &map1 | TRef | {EXTERNAL LOCATION} | HashMap | +| main.rs:2355:29:2355:33 | &map1 | TRef.A | {EXTERNAL LOCATION} | Global | | main.rs:2355:29:2355:33 | &map1 | TRef.K | {EXTERNAL LOCATION} | i32 | | main.rs:2355:29:2355:33 | &map1 | TRef.S | {EXTERNAL LOCATION} | RandomState | | main.rs:2355:29:2355:33 | &map1 | TRef.V | {EXTERNAL LOCATION} | Box | @@ -11405,6 +11429,7 @@ inferType | main.rs:2355:29:2355:33 | &map1 | TRef.V.T | {EXTERNAL LOCATION} | & | | main.rs:2355:29:2355:33 | &map1 | TRef.V.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2355:30:2355:33 | map1 | | {EXTERNAL LOCATION} | HashMap | +| main.rs:2355:30:2355:33 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2355:30:2355:33 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2355:30:2355:33 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2355:30:2355:33 | map1 | V | {EXTERNAL LOCATION} | Box | diff --git a/rust/ql/test/rust-toolchain.toml b/rust/ql/test/rust-toolchain.toml index 15f54ec6b42..9343bef27c6 100644 --- a/rust/ql/test/rust-toolchain.toml +++ b/rust/ql/test/rust-toolchain.toml @@ -2,6 +2,6 @@ # IMPORTANT: this can also have an impact on QL test results [toolchain] -channel = "1.93" +channel = "1.90" profile = "minimal" components = [ "rust-src" ] From e11363280a7a1162825da7f8e1d78dcbfce353bb Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Wed, 18 Feb 2026 16:56:28 +0100 Subject: [PATCH 107/110] Rust: accept test changes --- .../NeverTypeRepr/NeverTypeRepr.expected | 1 + .../controlflow/BasicBlocks.expected | 4 +++ .../library-tests/controlflow/Cfg.expected | 20 ++++++++++++--- .../type-inference/type-inference.expected | 25 ------------------- 4 files changed, 21 insertions(+), 29 deletions(-) diff --git a/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected b/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected index c02b6c82354..7e8d7f8718b 100644 --- a/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected +++ b/rust/ql/test/extractor-tests/generated/NeverTypeRepr/NeverTypeRepr.expected @@ -1 +1,2 @@ | gen_never_type_repr.rs:7:17:7:17 | ! | +| gen_never_type_repr.rs:7:21:7:26 | ! | diff --git a/rust/ql/test/library-tests/controlflow/BasicBlocks.expected b/rust/ql/test/library-tests/controlflow/BasicBlocks.expected index 94760d6875e..80357ae29f8 100644 --- a/rust/ql/test/library-tests/controlflow/BasicBlocks.expected +++ b/rust/ql/test/library-tests/controlflow/BasicBlocks.expected @@ -743,6 +743,7 @@ dominates | test.rs:529:5:537:5 | enter fn const_block_assert | test.rs:533:21:533:48 | [boolean(true)] ! ... | | test.rs:529:5:537:5 | enter fn const_block_assert | test.rs:533:21:533:48 | if ... {...} | | test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | ExprStmt | +| test.rs:533:13:533:19 | enter fn panic_cold_explicit | test.rs:533:13:533:19 | enter fn panic_cold_explicit | | test.rs:533:21:533:48 | [boolean(false)] ! ... | test.rs:533:21:533:48 | [boolean(false)] ! ... | | test.rs:533:21:533:48 | [boolean(true)] ! ... | test.rs:533:13:533:19 | ExprStmt | | test.rs:533:21:533:48 | [boolean(true)] ! ... | test.rs:533:21:533:48 | [boolean(true)] ! ... | @@ -750,6 +751,7 @@ dominates | test.rs:539:5:548:5 | enter fn const_block_panic | test.rs:539:5:548:5 | enter fn const_block_panic | | test.rs:539:5:548:5 | enter fn const_block_panic | test.rs:541:9:546:9 | if false {...} | | test.rs:541:9:546:9 | if false {...} | test.rs:541:9:546:9 | if false {...} | +| test.rs:544:17:544:22 | enter fn panic_cold_explicit | test.rs:544:17:544:22 | enter fn panic_cold_explicit | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:551:1:556:1 | enter fn dead_code | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:553:9:553:17 | ExprStmt | | test.rs:553:9:553:17 | ExprStmt | test.rs:553:9:553:17 | ExprStmt | @@ -1422,6 +1424,7 @@ postDominance | test.rs:529:5:537:5 | enter fn const_block_assert | test.rs:529:5:537:5 | enter fn const_block_assert | | test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | ExprStmt | | test.rs:533:13:533:19 | ExprStmt | test.rs:533:21:533:48 | [boolean(true)] ! ... | +| test.rs:533:13:533:19 | enter fn panic_cold_explicit | test.rs:533:13:533:19 | enter fn panic_cold_explicit | | test.rs:533:21:533:48 | [boolean(false)] ! ... | test.rs:533:21:533:48 | [boolean(false)] ! ... | | test.rs:533:21:533:48 | [boolean(true)] ! ... | test.rs:533:21:533:48 | [boolean(true)] ! ... | | test.rs:533:21:533:48 | if ... {...} | test.rs:529:5:537:5 | enter fn const_block_assert | @@ -1432,6 +1435,7 @@ postDominance | test.rs:539:5:548:5 | enter fn const_block_panic | test.rs:539:5:548:5 | enter fn const_block_panic | | test.rs:541:9:546:9 | if false {...} | test.rs:539:5:548:5 | enter fn const_block_panic | | test.rs:541:9:546:9 | if false {...} | test.rs:541:9:546:9 | if false {...} | +| test.rs:544:17:544:22 | enter fn panic_cold_explicit | test.rs:544:17:544:22 | enter fn panic_cold_explicit | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:551:1:556:1 | enter fn dead_code | | test.rs:553:9:553:17 | ExprStmt | test.rs:551:1:556:1 | enter fn dead_code | | test.rs:553:9:553:17 | ExprStmt | test.rs:553:9:553:17 | ExprStmt | diff --git a/rust/ql/test/library-tests/controlflow/Cfg.expected b/rust/ql/test/library-tests/controlflow/Cfg.expected index 25fb8f29e04..ef97a3b628f 100644 --- a/rust/ql/test/library-tests/controlflow/Cfg.expected +++ b/rust/ql/test/library-tests/controlflow/Cfg.expected @@ -1288,13 +1288,20 @@ edges | test.rs:529:41:537:5 | { ... } | test.rs:529:5:537:5 | exit fn const_block_assert (normal) | | | test.rs:532:9:534:9 | ExprStmt | test.rs:533:13:533:50 | ExprStmt | | | test.rs:532:9:534:9 | { ... } | test.rs:536:9:536:10 | 42 | | -| test.rs:533:13:533:19 | "explicit panic" | test.rs:533:13:533:19 | ...::panic(...) | | -| test.rs:533:13:533:19 | ...::panic | test.rs:533:13:533:19 | "explicit panic" | | -| test.rs:533:13:533:19 | ...::panic(...) | test.rs:533:13:533:19 | { ... } | | | test.rs:533:13:533:19 | ...::panic_2021!... | test.rs:533:13:533:19 | MacroExpr | | -| test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | ...::panic | | +| test.rs:533:13:533:19 | ...::panic_explicit | test.rs:533:13:533:19 | ...::panic_explicit(...) | | +| test.rs:533:13:533:19 | ...::panic_explicit(...) | test.rs:533:13:533:19 | { ... } | | +| test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | fn panic_cold_explicit | | +| test.rs:533:13:533:19 | ExprStmt | test.rs:533:13:533:19 | panic_cold_explicit | | | test.rs:533:13:533:19 | MacroExpr | test.rs:533:13:533:19 | { ... } | | +| test.rs:533:13:533:19 | enter fn panic_cold_explicit | test.rs:533:13:533:19 | ...::panic_explicit | | +| test.rs:533:13:533:19 | exit fn panic_cold_explicit (normal) | test.rs:533:13:533:19 | exit fn panic_cold_explicit | | +| test.rs:533:13:533:19 | fn panic_cold_explicit | test.rs:533:13:533:19 | ExprStmt | | +| test.rs:533:13:533:19 | panic_cold_explicit | test.rs:533:13:533:19 | panic_cold_explicit(...) | | +| test.rs:533:13:533:19 | panic_cold_explicit(...) | test.rs:533:13:533:19 | { ... } | | | test.rs:533:13:533:19 | { ... } | test.rs:533:13:533:19 | ...::panic_2021!... | | +| test.rs:533:13:533:19 | { ... } | test.rs:533:13:533:19 | exit fn panic_cold_explicit (normal) | | +| test.rs:533:13:533:19 | { ... } | test.rs:533:13:533:19 | { ... } | | | test.rs:533:13:533:19 | { ... } | test.rs:533:21:533:48 | if ... {...} | | | test.rs:533:13:533:49 | MacroExpr | test.rs:532:9:534:9 | { ... } | | | test.rs:533:13:533:49 | assert!... | test.rs:533:13:533:49 | MacroExpr | | @@ -1317,6 +1324,11 @@ edges | test.rs:541:9:546:9 | ExprStmt | test.rs:541:12:541:16 | false | | | test.rs:541:9:546:9 | if false {...} | test.rs:547:9:547:9 | N | | | test.rs:541:12:541:16 | false | test.rs:541:9:546:9 | if false {...} | false | +| test.rs:544:17:544:22 | ...::panic_explicit | test.rs:544:17:544:22 | ...::panic_explicit(...) | | +| test.rs:544:17:544:22 | ...::panic_explicit(...) | test.rs:544:17:544:22 | { ... } | | +| test.rs:544:17:544:22 | enter fn panic_cold_explicit | test.rs:544:17:544:22 | ...::panic_explicit | | +| test.rs:544:17:544:22 | exit fn panic_cold_explicit (normal) | test.rs:544:17:544:22 | exit fn panic_cold_explicit | | +| test.rs:544:17:544:22 | { ... } | test.rs:544:17:544:22 | exit fn panic_cold_explicit (normal) | | | test.rs:547:9:547:9 | N | test.rs:539:35:548:5 | { ... } | | | test.rs:551:1:556:1 | enter fn dead_code | test.rs:552:5:554:5 | ExprStmt | | | test.rs:551:1:556:1 | exit fn dead_code (normal) | test.rs:551:1:556:1 | exit fn dead_code | | diff --git a/rust/ql/test/library-tests/type-inference/type-inference.expected b/rust/ql/test/library-tests/type-inference/type-inference.expected index a2322cdf929..1b750fab458 100644 --- a/rust/ql/test/library-tests/type-inference/type-inference.expected +++ b/rust/ql/test/library-tests/type-inference/type-inference.expected @@ -788,14 +788,12 @@ inferCertainType | dereference.rs:116:5:116:5 | x | | dereference.rs:18:1:20:1 | MySmartPointer | | dereference.rs:143:19:151:5 | { ... } | | {EXTERNAL LOCATION} | () | | dereference.rs:144:17:144:26 | key_to_key | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:144:17:144:26 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:17:144:26 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:17:144:26 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | | dereference.rs:144:17:144:26 | key_to_key | V | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | V.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:144:30:144:57 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:30:144:57 | ...::new(...) | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:30:144:57 | ...::new(...) | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | @@ -806,7 +804,6 @@ inferCertainType | dereference.rs:145:24:145:29 | Key {...} | | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:9:149:9 | if ... {...} | | {EXTERNAL LOCATION} | () | | dereference.rs:146:32:146:41 | key_to_key | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:146:32:146:41 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:146:32:146:41 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:146:32:146:41 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:32:146:41 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -816,7 +813,6 @@ inferCertainType | dereference.rs:146:52:149:9 | { ... } | | {EXTERNAL LOCATION} | () | | dereference.rs:148:13:148:15 | key | | {EXTERNAL LOCATION} | & | | dereference.rs:150:9:150:18 | key_to_key | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:150:9:150:18 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:150:9:150:18 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:150:9:150:18 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:150:9:150:18 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -3354,20 +3350,16 @@ inferCertainType | main.rs:2345:13:2346:13 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2345:29:2346:13 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2349:17:2349:20 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2349:17:2349:20 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:17:2349:20 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2349:24:2349:55 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2349:24:2349:55 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:24:2349:55 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2350:9:2350:12 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2350:9:2350:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2350:9:2350:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2350:24:2350:38 | ...::new(...) | | {EXTERNAL LOCATION} | Box | | main.rs:2350:24:2350:38 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | main.rs:2350:33:2350:37 | "one" | | {EXTERNAL LOCATION} | & | | main.rs:2350:33:2350:37 | "one" | TRef | {EXTERNAL LOCATION} | str | | main.rs:2351:9:2351:12 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2351:9:2351:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2351:9:2351:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2351:24:2351:38 | ...::new(...) | | {EXTERNAL LOCATION} | Box | | main.rs:2351:24:2351:38 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | @@ -3375,25 +3367,21 @@ inferCertainType | main.rs:2351:33:2351:37 | "two" | TRef | {EXTERNAL LOCATION} | str | | main.rs:2352:9:2352:33 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2352:20:2352:23 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2352:20:2352:23 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2352:20:2352:23 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2352:32:2352:33 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2353:9:2353:37 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2353:22:2353:25 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2353:22:2353:25 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2353:22:2353:25 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2353:36:2353:37 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2354:9:2354:42 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2354:13:2354:24 | TuplePat | | {EXTERNAL LOCATION} | (T_2) | | main.rs:2354:29:2354:32 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2354:29:2354:32 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2354:29:2354:32 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2354:41:2354:42 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2355:9:2355:36 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2355:13:2355:24 | TuplePat | | {EXTERNAL LOCATION} | (T_2) | | main.rs:2355:29:2355:33 | &map1 | | {EXTERNAL LOCATION} | & | | main.rs:2355:30:2355:33 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2355:30:2355:33 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2355:30:2355:33 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2355:35:2355:36 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2359:17:2359:17 | a | | {EXTERNAL LOCATION} | i64 | @@ -6464,14 +6452,12 @@ inferType | dereference.rs:116:12:116:12 | 0 | | {EXTERNAL LOCATION} | i32 | | dereference.rs:143:19:151:5 | { ... } | | {EXTERNAL LOCATION} | () | | dereference.rs:144:17:144:26 | key_to_key | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:144:17:144:26 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:17:144:26 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:17:144:26 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | | dereference.rs:144:17:144:26 | key_to_key | V | {EXTERNAL LOCATION} | & | | dereference.rs:144:17:144:26 | key_to_key | V.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:144:30:144:57 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | dereference.rs:144:30:144:57 | ...::new(...) | K | {EXTERNAL LOCATION} | & | | dereference.rs:144:30:144:57 | ...::new(...) | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:144:30:144:57 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | @@ -6497,7 +6483,6 @@ inferType | dereference.rs:146:21:146:27 | ref_key | TRef | {EXTERNAL LOCATION} | & | | dereference.rs:146:21:146:27 | ref_key | TRef.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:32:146:41 | key_to_key | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:146:32:146:41 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:146:32:146:41 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:146:32:146:41 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:146:32:146:41 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -6523,7 +6508,6 @@ inferType | dereference.rs:148:19:148:25 | ref_key | TRef | {EXTERNAL LOCATION} | & | | dereference.rs:148:19:148:25 | ref_key | TRef.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:150:9:150:18 | key_to_key | | {EXTERNAL LOCATION} | HashMap | -| dereference.rs:150:9:150:18 | key_to_key | A | {EXTERNAL LOCATION} | Global | | dereference.rs:150:9:150:18 | key_to_key | K | {EXTERNAL LOCATION} | & | | dereference.rs:150:9:150:18 | key_to_key | K.TRef | dereference.rs:122:5:123:21 | Key | | dereference.rs:150:9:150:18 | key_to_key | S | {EXTERNAL LOCATION} | RandomState | @@ -11278,7 +11262,6 @@ inferType | main.rs:2345:13:2346:13 | for ... in ... { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2345:29:2346:13 | { ... } | | {EXTERNAL LOCATION} | () | | main.rs:2349:17:2349:20 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2349:17:2349:20 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:17:2349:20 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2349:17:2349:20 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2349:17:2349:20 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11286,7 +11269,6 @@ inferType | main.rs:2349:17:2349:20 | map1 | V.T | {EXTERNAL LOCATION} | & | | main.rs:2349:17:2349:20 | map1 | V.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2349:24:2349:55 | ...::new(...) | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2349:24:2349:55 | ...::new(...) | A | {EXTERNAL LOCATION} | Global | | main.rs:2349:24:2349:55 | ...::new(...) | K | {EXTERNAL LOCATION} | i32 | | main.rs:2349:24:2349:55 | ...::new(...) | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2349:24:2349:55 | ...::new(...) | V | {EXTERNAL LOCATION} | Box | @@ -11294,7 +11276,6 @@ inferType | main.rs:2349:24:2349:55 | ...::new(...) | V.T | {EXTERNAL LOCATION} | & | | main.rs:2349:24:2349:55 | ...::new(...) | V.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2350:9:2350:12 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2350:9:2350:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2350:9:2350:12 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2350:9:2350:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2350:9:2350:12 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11314,7 +11295,6 @@ inferType | main.rs:2350:33:2350:37 | "one" | | {EXTERNAL LOCATION} | & | | main.rs:2350:33:2350:37 | "one" | TRef | {EXTERNAL LOCATION} | str | | main.rs:2351:9:2351:12 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2351:9:2351:12 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2351:9:2351:12 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2351:9:2351:12 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2351:9:2351:12 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11337,7 +11317,6 @@ inferType | main.rs:2352:13:2352:15 | key | | {EXTERNAL LOCATION} | & | | main.rs:2352:13:2352:15 | key | TRef | {EXTERNAL LOCATION} | i32 | | main.rs:2352:20:2352:23 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2352:20:2352:23 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2352:20:2352:23 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2352:20:2352:23 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2352:20:2352:23 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11358,7 +11337,6 @@ inferType | main.rs:2353:13:2353:17 | value | TRef.T | {EXTERNAL LOCATION} | & | | main.rs:2353:13:2353:17 | value | TRef.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2353:22:2353:25 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2353:22:2353:25 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2353:22:2353:25 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2353:22:2353:25 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2353:22:2353:25 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11389,7 +11367,6 @@ inferType | main.rs:2354:19:2354:23 | value | TRef.T | {EXTERNAL LOCATION} | & | | main.rs:2354:19:2354:23 | value | TRef.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2354:29:2354:32 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2354:29:2354:32 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2354:29:2354:32 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2354:29:2354:32 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2354:29:2354:32 | map1 | V | {EXTERNAL LOCATION} | Box | @@ -11421,7 +11398,6 @@ inferType | main.rs:2355:19:2355:23 | value | TRef.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2355:29:2355:33 | &map1 | | {EXTERNAL LOCATION} | & | | main.rs:2355:29:2355:33 | &map1 | TRef | {EXTERNAL LOCATION} | HashMap | -| main.rs:2355:29:2355:33 | &map1 | TRef.A | {EXTERNAL LOCATION} | Global | | main.rs:2355:29:2355:33 | &map1 | TRef.K | {EXTERNAL LOCATION} | i32 | | main.rs:2355:29:2355:33 | &map1 | TRef.S | {EXTERNAL LOCATION} | RandomState | | main.rs:2355:29:2355:33 | &map1 | TRef.V | {EXTERNAL LOCATION} | Box | @@ -11429,7 +11405,6 @@ inferType | main.rs:2355:29:2355:33 | &map1 | TRef.V.T | {EXTERNAL LOCATION} | & | | main.rs:2355:29:2355:33 | &map1 | TRef.V.T.TRef | {EXTERNAL LOCATION} | str | | main.rs:2355:30:2355:33 | map1 | | {EXTERNAL LOCATION} | HashMap | -| main.rs:2355:30:2355:33 | map1 | A | {EXTERNAL LOCATION} | Global | | main.rs:2355:30:2355:33 | map1 | K | {EXTERNAL LOCATION} | i32 | | main.rs:2355:30:2355:33 | map1 | S | {EXTERNAL LOCATION} | RandomState | | main.rs:2355:30:2355:33 | map1 | V | {EXTERNAL LOCATION} | Box | From 97a02ed9037db367f24d64b1755af7de1698ec05 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 18 Feb 2026 17:55:02 +0000 Subject: [PATCH 108/110] Rust: Remove MacroCallTargetStats from rust/diagnostic/database-quality. --- rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql b/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql index 02933b3bd5f..9cd244c8c5d 100644 --- a/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql +++ b/rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql @@ -12,8 +12,6 @@ import codeql.util.Unit private predicate diagnostic(string msg, float value, float threshold) { CallTargetStatsReport::percentageOfOk(msg, value) and threshold = 50 or - MacroCallTargetStatsReport::percentageOfOk(msg, value) and threshold = 50 - or ExprTypeStatsReport::percentageOfOk(msg, value) and threshold = 20 } From fd5c5b5635dabd2f29c94f15bcfc30d40dfb6567 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 18 Feb 2026 17:59:49 +0000 Subject: [PATCH 109/110] Rust: Change note. --- rust/ql/src/change-notes/2026-02-18-database-quality.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 rust/ql/src/change-notes/2026-02-18-database-quality.md diff --git a/rust/ql/src/change-notes/2026-02-18-database-quality.md b/rust/ql/src/change-notes/2026-02-18-database-quality.md new file mode 100644 index 00000000000..ef2f1b3139c --- /dev/null +++ b/rust/ql/src/change-notes/2026-02-18-database-quality.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The macro resolution metric has been removed from `rust/diagnostic/database-quality`. This metric was found to be an unreliable indicator of database quality in many cases, leading to false alarms on the tool status page. From 38219f6ebb4612a6af966e80a31292437c810ec3 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 19 Feb 2026 14:08:36 -0500 Subject: [PATCH 110/110] C++: Fixing FP in unit tests. --- .../UncheckedLeapYearAfterYearModification.expected | 2 -- .../Leap Year/UncheckedLeapYearAfterYearModification/test.cpp | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected index 30b6dad1208..773cb92b0b1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected @@ -3,7 +3,6 @@ | test.cpp:440:2:440:11 | ... ++ | test.cpp:440:2:440:11 | ... ++ | test.cpp:440:2:440:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:456:2:456:12 | ... ++ | test.cpp:456:2:456:12 | ... ++ | test.cpp:456:2:456:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:681:2:681:23 | ... += ... | test.cpp:681:2:681:23 | ... += ... | test.cpp:681:2:681:23 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. | -| test.cpp:769:2:769:23 | ... -= ... | test.cpp:769:2:769:23 | ... -= ... | test.cpp:769:2:769:23 | ... -= ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:813:2:813:40 | ... = ... | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:818:2:818:24 | ... = ... | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | | test.cpp:951:3:951:25 | ... = ... | test.cpp:951:14:951:25 | ... + ... | test.cpp:951:3:951:25 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. | @@ -75,7 +74,6 @@ nodes | test.cpp:456:2:456:12 | ... ++ | semmle.label | ... ++ | | test.cpp:482:3:482:12 | ... ++ | semmle.label | ... ++ | | test.cpp:681:2:681:23 | ... += ... | semmle.label | ... += ... | -| test.cpp:769:2:769:23 | ... -= ... | semmle.label | ... -= ... | | test.cpp:813:2:813:40 | ... = ... | semmle.label | ... = ... | | test.cpp:813:21:813:40 | ... + ... | semmle.label | ... + ... | | test.cpp:818:2:818:24 | ... = ... | semmle.label | ... = ... | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp index 850ef560536..a2dce39cc85 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/test.cpp @@ -766,7 +766,7 @@ void Incorrect_LinuxPattern() /* from 1900 -> from 1980 */ // BUG - UncheckedLeapYearAfterYearModification - timeinfo.tm_year -= 80; // $ Alert[cpp/leap-year/unchecked-after-arithmetic-year-modification] + timeinfo.tm_year -= 80; /* 0~11 -> 1~12 */ timeinfo.tm_mon++; /* 0~59 -> 0~29(2sec counts) */