hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams

Browse Source 
Pick up new test for user-defined swap functions
This commit is contained in:
Robert Marsh
2020-04-01 17:32:55 -07:00
parent b579e6aabe bbb69d524e
commit a061811939
34 changed files with 187 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
change-notes/1.24/analysis-cpp.md
View File

@@ -20,6 +20,7 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
| Memory may not be freed (`cpp/memory-may-not-be-freed`) | More true positive results | This query now identifies a wider variety of buffer allocations using the `semmle.code.cpp.models.interfaces.Allocation` library. |
| Mismatching new/free or malloc/delete (`cpp/new-free-mismatch`) | Fewer false positive results | Fixed false positive results in template code. |
| Missing return statement (`cpp/missing-return`) | Fewer false positive results | Functions containing `asm` statements are no longer highlighted by this query. |
| Missing return statement (`cpp/missing-return`) | More accurate locations | Locations reported by this query are now more accurate in some cases. |
| No space for zero terminator (`cpp/no-space-for-terminator`) | More correct results | String arguments to formatting functions are now (usually) expected to be null terminated strings. |
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | | This query is no longer run on LGTM. |
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings. This approach produces fewer, more accurate results. |

8
cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
View File

@@ -30,7 +30,13 @@ predicate functionsMissingReturnStmt(Function f, ControlFlowNode blame) {
) and
exists(ReturnStmt s |
f.getAPredecessor() = s and
blame = s.getAPredecessor()
(
blame = s.getAPredecessor() and
count(blame.getASuccessor()) = 1
or
blame = s and
exists(ControlFlowNode pred | pred = s.getAPredecessor() | count(pred.getASuccessor()) != 1)
)
)
}

8
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

17
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -512,3 +512,20 @@
| taint.cpp:444:7:444:7 | d [post update] | taint.cpp:447:7:447:7 | d | |
| taint.cpp:445:2:445:2 | d [post update] | taint.cpp:446:7:446:7 | d | |
| taint.cpp:445:2:445:2 | d [post update] | taint.cpp:447:7:447:7 | d | |
| taint.cpp:452:16:452:16 | a | taint.cpp:454:10:454:10 | a | |
| taint.cpp:452:24:452:24 | b | taint.cpp:455:6:455:6 | b | |
| taint.cpp:454:10:454:10 | a | taint.cpp:456:6:456:6 | c | |
| taint.cpp:455:6:455:6 | b | taint.cpp:452:16:452:16 | a | |
| taint.cpp:455:6:455:6 | b | taint.cpp:455:2:455:6 | ... = ... | |
| taint.cpp:456:6:456:6 | c | taint.cpp:452:24:452:24 | b | |
| taint.cpp:456:6:456:6 | c | taint.cpp:456:2:456:6 | ... = ... | |
| taint.cpp:462:6:462:11 | call to source | taint.cpp:462:2:462:13 | ... = ... | |
| taint.cpp:462:6:462:11 | call to source | taint.cpp:465:7:465:7 | x | |
| taint.cpp:462:6:462:11 | call to source | taint.cpp:468:7:468:7 | x | |
| taint.cpp:462:6:462:11 | call to source | taint.cpp:470:7:470:7 | x | |
| taint.cpp:463:6:463:6 | 0 | taint.cpp:463:2:463:6 | ... = ... | |
| taint.cpp:463:6:463:6 | 0 | taint.cpp:466:7:466:7 | y | |
| taint.cpp:463:6:463:6 | 0 | taint.cpp:468:10:468:10 | y | |
| taint.cpp:463:6:463:6 | 0 | taint.cpp:471:7:471:7 | y | |
| taint.cpp:468:7:468:7 | ref arg x | taint.cpp:470:7:470:7 | x | |
| taint.cpp:468:10:468:10 | ref arg y | taint.cpp:471:7:471:7 | y | |

26
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -195,7 +195,7 @@ void test_memcpy(int *source) {
sink(x);
}
// --- swap ---
// --- std::swap ---
namespace std {
template<class T> constexpr void swap(T& a, T& b);
@@ -446,3 +446,27 @@ void test_qualifiers()
sink(d); // tainted
sink(d.getString()); // tainted
}
// --- non-standard swap ---
void swop(int &a, int &b)
{
int c = a;
a = b;
b = c;
}
void test_swop() {
int x, y;
x = source();
y = 0;
sink(x); // tainted
sink(y); // clean
swop(x, y);
sink(x); // clean [FALSE POSITIVE]
sink(y); // tainted
}

3
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -58,3 +58,6 @@
| taint.cpp:439:10:439:18 | call to getMember | taint.cpp:437:15:437:20 | call to source |
| taint.cpp:446:7:446:7 | d | taint.cpp:445:14:445:28 | call to source |
| taint.cpp:447:9:447:17 | call to getString | taint.cpp:445:14:445:28 | call to source |
| taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
| taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
| taint.cpp:471:7:471:7 | y | taint.cpp:462:6:462:11 | call to source |

1
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -42,3 +42,4 @@
| taint.cpp:439:10:439:18 | taint.cpp:437:15:437:20 | AST only |
| taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
| taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
| taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |

2
cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
View File

@@ -20,3 +20,5 @@
| taint.cpp:382:7:382:7 | a | taint.cpp:377:23:377:28 | source |
| taint.cpp:429:7:429:7 | b | taint.cpp:428:13:428:18 | call to source |
| taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
| taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
| taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |

4
cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.expected
View File

@@ -4,9 +4,9 @@
| test.c:25:9:25:14 | ExprStmt | Function f4 should return a value of type int but does not return a value here |
| test.c:39:9:39:14 | ExprStmt | Function f6 should return a value of type int but does not return a value here |
| test.cpp:16:1:18:1 | { ... } | Function g2 should return a value of type MyValue but does not return a value here |
| test.cpp:48:2:48:26 | if (...) ... | Function g7 should return a value of type MyValue but does not return a value here |
| test.cpp:52:1:52:1 | return ... | Function g7 should return a value of type MyValue but does not return a value here |
| test.cpp:74:1:76:1 | { ... } | Function g10 should return a value of type second but does not return a value here |
| test.cpp:86:1:88:1 | { ... } | Function g12 should return a value of type second but does not return a value here |
| test.cpp:108:2:111:2 | if (...) ... | Function g14 should return a value of type int but does not return a value here |
| test.cpp:112:1:112:1 | return ... | Function g14 should return a value of type int but does not return a value here |
| test.cpp:134:2:134:36 | ExprStmt | Function g16 should return a value of type int but does not return a value here |
| test.cpp:141:3:141:37 | ExprStmt | Function g17 should return a value of type int but does not return a value here |

2
cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp
View File

@@ -48,7 +48,7 @@ MyValue g7(bool c)
if (c) return MyValue(7);
DONOTHING
DONOTHING
// BAD [the alert here is unfortunately placed]
// BAD
}
typedef void MYVOID;

8
csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

4
docs/language/learn-ql/cpp/introduce-libraries-cpp.rst
View File

@@ -31,7 +31,7 @@ This table lists `Declaration <https://help.semmle.com/qldoc/cpp/semmle/code/cpp
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``namespace`` *N* ``{`` ... ``float`` *var* ``;`` ... ``}`` | `NamespaceVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$NamespaceVariable.html>`__ | |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``int`` *func* ``( void ) {`` ... ``float`` *var* ``;`` ... ``}`` | `LocalVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$LocalVariable.html>`__ | |
| ``int`` *func* ``( void ) {`` ... ``float`` *var* ``;`` ... ``}`` | `LocalVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$LocalVariable.html>`__ | See also `Initializer <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Initializer.qll/type.Initializer$Initializer.html>`__ |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``class`` *C* ``{`` ... ``int`` *var* ``;`` ... ``}`` | `MemberVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$MemberVariable.html>`__ | |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
@@ -286,6 +286,8 @@ This table lists subclasses of `Expr <https://help.semmle.com/qldoc/cpp/semmle/c
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``noexcept (`` `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ ``)`` | `NoExceptExpr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$NoExceptExpr.html>`__ | |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ ``=`` `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ | `AssignExpr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Assignment.qll/type.Assignment$AssignExpr.html>`__ | See also `Initializer <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Initializer.qll/type.Initializer$Initializer.html>`__ |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ ``+=`` `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ | | `AssignAddExpr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Assignment.qll/type.Assignment$AssignAddExpr.html>`__ | |
| | | `AssignPointerAddExpr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Assignment.qll/type.Assignment$AssignPointerAddExpr.html>`__ | |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

8
java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
View File

@@ -2089,6 +2089,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
int getParameterPos() { p.isParameterOf(_, result) }
override string toString() { result = p + ": " + ap }
predicate hasLocationInfo(
@@ -2482,13 +2484,15 @@ pragma[nomagic]
private predicate paramFlowsThrough(
ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, Configuration config
) {
exists(PathNodeMid mid, ReturnNodeExt ret |
exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
mid.getNode() = ret and
kind = ret.getKind() and
cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and
config = mid.getConfiguration() and
ap = mid.getAp()
ap = mid.getAp() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
)
}

8
python/ql/src/Functions/SignatureOverriddenMethod.ql
View File

@@ -14,17 +14,17 @@
import python
import Expressions.CallArgs
from FunctionObject base, PyFunctionObject derived
from FunctionValue base, PythonFunctionValue derived
where
not exists(base.getACall()) and
not exists(FunctionObject a_derived |
not exists(FunctionValue a_derived |
a_derived.overrides(base) and
exists(a_derived.getACall())
) and
not derived.getFunction().isSpecialMethod() and
not derived.getScope().isSpecialMethod() and
derived.getName() != "__init__" and
derived.isNormalMethod() and
not derived.getFunction().isSpecialMethod() and
not derived.getScope().isSpecialMethod() and
// call to overrides distributed for efficiency
(
derived.overrides(base) and derived.minParameters() > base.maxParameters()

2
python/ql/src/semmle/python/objects/ObjectAPI.qll
View File

@@ -415,7 +415,7 @@ class ClassValue extends Value {
* ```
* `this.lookup("f")` is equivalent to `C.__dict__['f']`, which is the class-method
* whereas
* `this.attr("f") is equivalent to `C.f`, which is a bound-method.
* `this.attr("f")` is equivalent to `C.f`, which is a bound-method.
*/
Value lookup(string name) { this.(ClassObjectInternal).lookup(name, result, _) }

6
python/ql/test/library-tests/examples/custom-sanitizer/TestTaint.ql
View File

@@ -2,8 +2,8 @@ import python
import semmle.python.security.TaintTracking
import Taint
from Call call, Expr arg,
boolean expected_taint, boolean has_taint, string test_res,
from
Call call, Expr arg, boolean expected_taint, boolean has_taint, string test_res,
string taint_string
where
call.getLocation().getFile().getShortName() = "test.py" and
@@ -26,6 +26,6 @@ where
has_taint = true
) and
if expected_taint = has_taint then test_res = "ok" else test_res = "failure"
// if expected_taint = has_taint then test_res = "✓" else test_res = "✕"
// if expected_taint = has_taint then test_res = "✓" else test_res = "✕"
select arg.getLocation().toString(), call.getScope().(Function).getName(), arg.toString(),
taint_string, test_res

4
python/ql/test/query-tests/Functions/general/SignatureOverriddenMethod.expected
View File

@@ -1,2 +1,2 @@
| om_test.py:32:5:32:35 | Function grossly_wrong1 | Overriding method 'grossly_wrong1' has signature mismatch with $@. | om_test.py:12:5:12:41 | Function grossly_wrong1 | overridden method |
| om_test.py:35:5:35:47 | Function grossly_wrong2 | Overriding method 'grossly_wrong2' has signature mismatch with $@. | om_test.py:15:5:15:41 | Function grossly_wrong2 | overridden method |
| om_test.py:32:5:32:35 | Function Derived.grossly_wrong1 | Overriding method 'grossly_wrong1' has signature mismatch with $@. | om_test.py:12:5:12:41 | Function Base.grossly_wrong1 | overridden method |
| om_test.py:35:5:35:47 | Function Derived.grossly_wrong2 | Overriding method 'grossly_wrong2' has signature mismatch with $@. | om_test.py:15:5:15:41 | Function Base.grossly_wrong2 | overridden method |

2
python/ql/test/query-tests/Functions/overriding/SignatureOverriddenMethod.expected
View File

@@ -1 +1 @@
| test.py:30:5:30:26 | Function meth3 | Overriding method 'meth3' has signature mismatch with $@. | test.py:11:5:11:20 | Function meth3 | overridden method |
| test.py:30:5:30:26 | Function Derived.meth3 | Overriding method 'meth3' has signature mismatch with $@. | test.py:11:5:11:20 | Function Base.meth3 | overridden method |