From cab9c64fbc75131162159fa48863753ce4d0c0b1 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 16 Jan 2025 12:02:37 +0000 Subject: [PATCH 01/14] Add docs for data flow in Go Mostly based on the java and C# equivalents. --- .../analyzing-data-flow-in-go.rst | 369 ++++++++++++++++++ .../codeql-language-guides/codeql-for-go.rst | 5 +- .../about-data-flow-analysis.rst | 1 + .../creating-path-queries.rst | 1 + 4 files changed, 373 insertions(+), 3 deletions(-) create mode 100644 docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst new file mode 100644 index 00000000000..181009d34ef --- /dev/null +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -0,0 +1,369 @@ +.. _analyzing-data-flow-in-go: + +Analyzing data flow in Go +========================= + +You can use CodeQL to track the flow of data through a Go program to its use. + +About this article +------------------ + +This article describes how data flow analysis is implemented in the CodeQL libraries for Go and includes examples to help you write your own data flow queries. +The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking. + +For a more general introduction to modeling data flow, see ":ref:`About data flow analysis `." + +.. include:: ../reusables/new-data-flow-api.rst + +Local data flow +--------------- + +Local data flow is data flow within a single method or callable. Local data flow is usually easier, faster, and more precise than global data flow, and is sufficient for many queries. + +Using local data flow +~~~~~~~~~~~~~~~~~~~~~ + +The ``DataFlow`` module defines the class ``Node`` denoting any element that data can flow through. +The ``Node`` class has a number of useful subclasses, such as ``ExprNode`` for expressions, ``ParameterNode`` for parameters, and ``InstructionNode`` for control-flow nodes. +You can map between data flow nodes and expressions/control-flow nodes/parameters using the member predicates ``asExpr``, ``asParameter`` and ``asInstructionNode``: + +.. code-block:: ql + + class Node { + /** Gets the expression corresponding to this node, if any. */ + Expr asExpr() { ... } + + /** Gets the parameter corresponding to this node, if any. */ + Parameter asParameter() { ... } + + /** Gets the IR instruction corresponding to this node, if any. */ + IR::Instruction asInstruction() { ... } + + ... + } + +or using the predicates ``exprNode``, ``parameterNode`` and ``instructionNode``: + +.. code-block:: ql + + /** + * Gets the `Node` corresponding to `e`. + */ + ExprNode exprNode(Expr e) { ... } + + /** + * Gets the `Node` corresponding to the value of `p` at function entry. + */ + ParameterNode parameterNode(Parameter p) { ... } + + /** + * Gets the `Node` corresponding to `insn`. + */ + InstructionNode instructionNode(IR::Instruction insn) { ... } + +The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``. You can apply the predicate recursively by using the ``+`` and ``*`` operators, or by using the predefined recursive predicate ``localFlow``, which is equivalent to ``localFlowStep*``. + +For example, you can find flow from a parameter ``source`` to an expression ``sink`` in zero or more local steps: + +.. code-block:: ql + + DataFlow::localFlow(DataFlow::parameterNode(source), DataFlow::exprNode(sink)) + +Using local taint tracking +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Local taint tracking extends local data flow by including non-value-preserving flow steps. For example: + +.. code-block:: go + + temp := x; + y := temp + ", " + temp; + +If ``x`` is a tainted string then ``y`` is also tainted. + + +The local taint tracking library is in the module ``TaintTracking``. Like local data flow, a predicate ``localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo)`` holds if there is an immediate taint propagation edge from the node ``nodeFrom`` to the node ``nodeTo``. You can apply the predicate recursively by using the ``+`` and ``*`` operators, or by using the predefined recursive predicate ``localTaint``, which is equivalent to ``localTaintStep*``. + +For example, you can find taint propagation from a parameter ``source`` to an expression ``sink`` in zero or more local steps: + +.. code-block:: ql + + TaintTracking::localTaint(DataFlow::parameterNode(source), DataFlow::exprNode(sink)) + +Examples +~~~~~~~~ + +This query finds the filename passed to ``os.Open(..)``. + +.. code-block:: ql + + import go + + from Function osOpen, CallExpr call + where + osOpen.hasQualifiedName("os", "Open") and + call.getTarget() = osOpen + select call.getArgument(0) + +Unfortunately, this only gives the expression in the argument, not the values which could be passed to it. So we use local data flow to find all expressions that flow into the argument: + +.. code-block:: ql + + import go + + from Function osOpen, CallExpr call, Expr src + where + osOpen.hasQualifiedName("os", "Open") and + call.getTarget() = osOpen and + DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0))) + select src + +Then we can make the source more specific, for example an access to a parameter. This query finds where a public parameter is passed to ``os.Open(..)``: + +.. code-block:: ql + +import go + + from Function osOpen, CallExpr call, Parameter p + where + osOpen.hasQualifiedName("os", "Open") and + call.getTarget() = osOpen and + DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(call.getArgument(0))) + select p + +This query finds calls to formatting functions where the format string is not hard-coded. + +.. code-block:: ql + + import go + + from StringOps::Formatting::Range format, CallExpr call, Expr formatString + where + call.getTarget() = format and + formatString = call.getArgument(format.getFormatStringIndex()) and + not exists(DataFlow::Node source, DataFlow::Node sink | + DataFlow::localFlow(source, sink) and + source.asExpr() instanceof StringLit and + sink.asExpr() = formatString + ) + select call, "Argument to String format method isn't hard-coded." + +Exercises +~~~~~~~~~ + +Exercise 1: Write a query that finds all hard-coded strings used to create a ``url.URL``, using local data flow. (`Answer <#exercise-1>`__) + +Global data flow +---------------- + +Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow. However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform. + +.. pull-quote:: Note + + .. include:: ../reusables/path-problem.rst + +Using global data flow +~~~~~~~~~~~~~~~~~~~~~~ + +The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: + +.. code-block:: ql + + import go + + module MyFlowConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + ... + } + + predicate isSink(DataFlow::Node sink) { + ... + } + } + + module MyFlow = DataFlow::Global; + +These predicates are defined in the configuration: + +- ``isSource`` - defines where data may flow from. +- ``isSink`` - defines where data may flow to. +- ``isBarrier`` - optional, restricts the data flow. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. + +The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: + +.. code-block:: ql + + from DataFlow::Node source, DataFlow::Node sink + where MyFlow::flow(source, sink) + select source, "Data flow to $@.", sink, sink.toString() + +Using global taint tracking +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Global taint tracking is to global data flow what local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. The global taint tracking library is used by applying the module ``TaintTracking::Global`` to your configuration instead of ``DataFlow::Global``: + +.. code-block:: ql + + import go + + module MyFlowConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + ... + } + + predicate isSink(DataFlow::Node sink) { + ... + } + } + + module MyFlow = TaintTracking::Global; + +The resulting module has an identical signature to the one obtained from ``DataFlow::Global``. + +Flow sources +~~~~~~~~~~~~ + +The data flow library contains some predefined flow sources. The class ``RemoteFlowSource`` (defined in ``semmle.code.java.dataflow.FlowSources``) represents data flow sources that may be controlled by a remote user, which is useful for finding security problems. + +Examples +~~~~~~~~ + +This query shows a taint-tracking configuration that uses remote user input as data sources. + +.. code-block:: ql + + import go + + module MyFlowConfiguration implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource + } + + ... + } + + module MyTaintFlow = TaintTracking::Global; + +Exercises +~~~~~~~~~ + +Exercise 2: Write a query that finds all hard-coded strings used to create a ``url.URL``, using global data flow. (`Answer <#exercise-2>`__) + +Exercise 3: Write a class that represents flow sources from ``os.Getenv(..)``. (`Answer <#exercise-3>`__) + +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``os.Getenv`` to ``url.URL``. (`Answer <#exercise-4>`__) + +Answers +------- + +Exercise 1 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + from Function urlParse, Expr arg, StringLit rawURL, CallExpr call + where + ( + urlParse.hasQualifiedName("url", "Parse") or + urlParse.hasQualifiedName("url", "ParseRequestURI") + ) and + call.getTarget() = urlParse and + arg = call.getArgument(0) and + DataFlow::localFlow(DataFlow::exprNode(rawURL), DataFlow::exprNode(arg)) + select call.getArgument(0) + +Exercise 2 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + module LiteralToURLConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.asExpr() instanceof StringLit + } + + predicate isSink(DataFlow::Node sink) { + exists(Function urlParse, CallExpr call | + ( + urlParse.hasQualifiedName("url", "Parse") or + urlParse.hasQualifiedName("url", "ParseRequestURI") + ) and + call.getTarget() = urlParse and + sink.asExpr() = call.getArgument(0) + ) + } + } + + module LiteralToURLFlow = DataFlow::Global; + + from DataFlow::Node src, DataFlow::Node sink + where LiteralToURLFlow::flow(src, sink) + select src, "This string constructs a URL $@.", sink, "here" + +Exercise 3 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + class GetenvSource extends CallExpr { + GetenvSource() { + exists(Function m | m = this.getTarget() | + m.hasQualifiedName("os", "Getenv") + ) + } + } + +Exercise 4 +~~~~~~~~~~ + +.. code-block:: ql + + import go + + class GetenvSource extends CallExpr { + GetenvSource() { + exists(Function m | m = this.getTarget() | + m.hasQualifiedName("os", "Getenv") + ) + } + } + + module GetenvToURLConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source instanceof GetenvSource + } + + predicate isSink(DataFlow::Node sink) { + exists(Function urlParse, CallExpr call | + ( + urlParse.hasQualifiedName("url", "Parse") or + urlParse.hasQualifiedName("url", "ParseRequestURI") + ) and + call.getTarget() = urlParse and + sink.asExpr() = call.getArgument(0) + ) + } + } + } + + module GetenvToURLFlow = DataFlow::Global; + + from DataFlow::Node src, DataFlow::Node sink + where GetenvToURLFlow::flow(src, sink) + select src, "This environment variable constructs a URL $@.", sink, "here" + +Further reading +--------------- + +- `Exploring data flow with path queries `__ in the GitHub documentation. + + +.. include:: ../reusables/go-further-reading.rst +.. include:: ../reusables/codeql-ref-tools-further-reading.rst diff --git a/docs/codeql/codeql-language-guides/codeql-for-go.rst b/docs/codeql/codeql-language-guides/codeql-for-go.rst index 30799c146a8..96d3697c826 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-go.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-go.rst @@ -11,7 +11,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat basic-query-for-go-code codeql-library-for-go abstract-syntax-tree-classes-for-working-with-go-programs - modeling-data-flow-in-go-libraries + analyzing-data-flow-in-go customizing-library-models-for-go - :doc:`Basic query for Go code `: Learn to write and run a simple CodeQL query. @@ -22,7 +22,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat - :doc:`Abstract syntax tree classes for working with Go programs `: CodeQL has a large selection of classes for representing the abstract syntax tree of Go programs. -- :doc:`Modeling data flow in Go libraries `: When analyzing a Go program, CodeQL does not examine the source code for external packages. - To track the flow of untrusted data through a library, you can create a model of the library. +- :doc:`Analyzing data flow in Go `: You can use CodeQL to track the flow of data through a Go program to its use. - :doc:`Customizing library models for Go `: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs. diff --git a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst index 61290e095b2..65a5ea32c35 100644 --- a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst +++ b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst @@ -18,6 +18,7 @@ See the following tutorials for more information about analyzing data flow in sp - ":ref:`Analyzing data flow in C/C++ `" - ":ref:`Analyzing data flow in C# `" +- ":ref:`Analyzing data flow in Go `" - ":ref:`Analyzing data flow in Java/Kotlin `" - ":ref:`Analyzing data flow in JavaScript/TypeScript `" - ":ref:`Analyzing data flow in Python `" diff --git a/docs/codeql/writing-codeql-queries/creating-path-queries.rst b/docs/codeql/writing-codeql-queries/creating-path-queries.rst index 036083d2912..7e178f94b44 100644 --- a/docs/codeql/writing-codeql-queries/creating-path-queries.rst +++ b/docs/codeql/writing-codeql-queries/creating-path-queries.rst @@ -28,6 +28,7 @@ For more language-specific information on analyzing data flow, see: - ":ref:`Analyzing data flow in C/C++ `" - ":ref:`Analyzing data flow in C# `" +- ":ref:`Analyzing data flow in Go `" - ":ref:`Analyzing data flow in Java/Kotlin `" - ":ref:`Analyzing data flow in JavaScript/TypeScript `" - ":ref:`Analyzing data flow in Python `" From 4f2d7ade5b5912ffa105ba8b61c2494cd57adfd8 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 16 Jan 2025 12:03:14 +0000 Subject: [PATCH 02/14] Delete old docs for data flow in Go --- .../modeling-data-flow-in-go-libraries.rst | 124 ------------------ .../learn-ql/go/library-modeling-go.rst | 122 ----------------- 2 files changed, 246 deletions(-) delete mode 100644 docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst delete mode 100644 go/docs/language/learn-ql/go/library-modeling-go.rst diff --git a/docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst b/docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst deleted file mode 100644 index deaed7cf3af..00000000000 --- a/docs/codeql/codeql-language-guides/modeling-data-flow-in-go-libraries.rst +++ /dev/null @@ -1,124 +0,0 @@ -.. _modeling-data-flow-in-go-libraries: - -Modeling data flow in Go libraries -================================== - -When analyzing a Go program, CodeQL does not examine the source code for -external packages. To track the flow of untrusted data through a library, you -can create a model of the library. - -You can find existing models in the ``go/ql/lib/semmle/go/frameworks/`` folder of the -`CodeQL repository `__. -To add a new model, you should make a new file in that folder, named after the library. - -Sources -------- - -To mark a source of data that is controlled by an untrusted user, we -create a class extending ``RemoteFlowSource::Range``. Inheritance and -the characteristic predicate of the class should be used to specify -exactly the dataflow node that introduces the data. Here is a short -example from ``Mux.qll``. - -.. code-block:: ql - - class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode { - RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") } - } - -This has the effect that all calls to `the function Vars from the -package mux `__ are -treated as sources of untrusted data. - -Flow propagation ----------------- - -By default, we assume that all functions in libraries do not have -any data flow. To indicate that a particular function does have data flow, -create a class extending ``TaintTracking::FunctionModel`` (or -``DataFlow::FunctionModel`` if the untrusted user data is passed on -without being modified). - -Inheritance and the characteristic predicate of the class should specify -the function. The class should also have a member predicate with the signature -``override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp)`` -(or -``override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp)`` -if extending ``DataFlow::FunctionModel``). The body should constrain -``inp`` and ``outp``. - -``FunctionInput`` is an abstract representation of the inputs to a -function. The options are: - -* the receiver (``inp.isReceiver()``) -* one of the parameters (``inp.isParameter(i)``) -* one of the results (``inp.isResult(i)``, or ``inp.isResult`` if there is only one result) - -Note that it may seem strange that the result of a function could be -considered as a function input, but it is needed in some cases. For -instance, the function ``bufio.NewWriter`` returns a writer ``bw`` that -buffers write operations to an underlying writer ``w``. If tainted data -is written to ``bw``, then it makes sense to propagate that taint back -to the underlying writer ``w``, which can be modeled by saying that -``bufio.NewWriter`` propagates taint from its result to its first -argument. - -Similarly, ``FunctionOutput`` is an abstract representation of the -outputs to a function. The options are: - -* the receiver (``outp.isReceiver()``) -* one of the parameters (``outp.isParameter(i)``) -* one of the results (``outp.isResult(i)``, or ``outp.isResult`` if there is only one result) - -Here is an example from ``Gin.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class ParamsGet extends TaintTracking::FunctionModel, Method { - ParamsGet() { this.hasQualifiedName("github.com/gin-gonic/gin", "Params", "Get") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isReceiver() and outp.isResult(0) - } - } - -This has the effect that calls to the ``Get`` method with receiver type -``Params`` from the ``gin-gonic/gin`` package allow taint to flow from -the receiver to the first result. In other words, if ``p`` has type -``Params`` and taint can flow to it, then after the line -``x := p.Get("foo")`` taint can also flow to ``x``. - -Sanitizers ----------- - -It is not necessary to indicate that library functions are sanitizers. -Their bodies are not analyzed, so it is assumed that data does not -flow through them. - -Sinks ------ - -Data-flow sinks are specified by queries rather than by library models. -However, you can use library models to indicate when functions belong to -special categories. Queries can then use these categories when specifying -sinks. Classes representing these special categories are contained in -``go/ql/lib/semmle/go/Concepts.qll`` in the `CodeQL repository -`__. -``Concepts.qll`` includes classes for logger mechanisms, -HTTP response writers, HTTP redirects, and marshaling and unmarshaling -functions. - -Here is a short example from ``Stdlib.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class PrintfCall extends LoggerCall::Range, DataFlow::CallNode { - PrintfCall() { this.getTarget().hasQualifiedName("fmt", ["Print", "Printf", "Println"]) } - - override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } - } - -This has the effect that any call to ``Print``, ``Printf``, or -``Println`` in the package ``fmt`` is recognized as a logger call. -Any query that uses logger calls as a sink will then identify when tainted data -has been passed as an argument to ``Print``, ``Printf``, or ``Println``. diff --git a/go/docs/language/learn-ql/go/library-modeling-go.rst b/go/docs/language/learn-ql/go/library-modeling-go.rst deleted file mode 100644 index 3d63ac14cd7..00000000000 --- a/go/docs/language/learn-ql/go/library-modeling-go.rst +++ /dev/null @@ -1,122 +0,0 @@ -Modeling data flow in Go libraries -================================== - -When analyzing a Go program, CodeQL does not examine the source code for -external packages. To track the flow of untrusted data through a library, you -can create a model of the library. - -You can find existing models in the ``go/ql/lib/semmle/go/frameworks/`` folder of the -`CodeQL repository `__. -To add a new model, you should make a new file in that folder, named after the library. - -Sources -------- - -To mark a source of data that is controlled by an untrusted user, we -create a class extending ``RemoteFlowSource::Range``. Inheritance and -the characteristic predicate of the class should be used to specify -exactly the dataflow node that introduces the data. Here is a short -example from ``Mux.qll``. - -.. code-block:: ql - - class RequestVars extends DataFlow::RemoteFlowSource::Range, DataFlow::CallNode { - RequestVars() { this.getTarget().hasQualifiedName("github.com/gorilla/mux", "Vars") } - } - -This has the effect that all calls to `the function Vars from the -package mux `__ are -treated as sources of untrusted data. - -Flow propagation ----------------- - -By default, we assume that all functions in libraries do not have -any data flow. To indicate that a particular function does have data flow, -create a class extending ``TaintTracking::FunctionModel`` (or -``DataFlow::FunctionModel`` if the untrusted user data is passed on -without being modified). - -Inheritance and the characteristic predicate of the class should specify -the function. The class should also have a member predicate with the signature -``override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp)`` -(or -``override predicate hasDataFlow(FunctionInput inp, FunctionOutput outp)`` -if extending ``DataFlow::FunctionModel``). The body should constrain -``inp`` and ``outp``. - -``FunctionInput`` is an abstract representation of the inputs to a -function. The options are: - -* the receiver (``inp.isReceiver()``) -* one of the parameters (``inp.isParameter(i)``) -* one of the results (``inp.isResult(i)``, or ``inp.isResult`` if there is only one result) - -Note that it may seem strange that the result of a function could be -considered as a function input, but it is needed in some cases. For -instance, the function ``bufio.NewWriter`` returns a writer ``bw`` that -buffers write operations to an underlying writer ``w``. If tainted data -is written to ``bw``, then it makes sense to propagate that taint back -to the underlying writer ``w``, which can be modeled by saying that -``bufio.NewWriter`` propagates taint from its result to its first -argument. - -Similarly, ``FunctionOutput`` is an abstract representation of the -outputs to a function. The options are: - -* the receiver (``outp.isReceiver()``) -* one of the parameters (``outp.isParameter(i)``) -* one of the results (``outp.isResult(i)``, or ``outp.isResult`` if there is only one result) - -Here is an example from ``Gin.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class ParamsGet extends TaintTracking::FunctionModel, Method { - ParamsGet() { this.hasQualifiedName("github.com/gin-gonic/gin", "Params", "Get") } - - override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) { - inp.isReceiver() and outp.isResult(0) - } - } - -This has the effect that calls to the ``Get`` method with receiver type -``Params`` from the ``gin-gonic/gin`` package allow taint to flow from -the receiver to the first result. In other words, if ``p`` has type -``Params`` and taint can flow to it, then after the line -``x := p.Get("foo")`` taint can also flow to ``x``. - -Sanitizers ----------- - -It is not necessary to indicate that library functions are sanitizers. -Their bodies are not analyzed, so it is assumed that data does not -flow through them. - -Sinks ------ - -Data-flow sinks are specified by queries rather than by library models. -However, you can use library models to indicate when functions belong to -special categories. Queries can then use these categories when specifying -sinks. Classes representing these special categories are contained in -``go/ql/lib/semmle/go/Concepts.qll`` in the `CodeQL for Go repository -`__. -``Concepts.qll`` includes classes for logger mechanisms, -HTTP response writers, HTTP redirects, and marshaling and unmarshaling -functions. - -Here is a short example from ``Stdlib.qll``, which has been slightly simplified. - -.. code-block:: ql - - private class PrintfCall extends LoggerCall::Range, DataFlow::CallNode { - PrintfCall() { this.getTarget().hasQualifiedName("fmt", ["Print", "Printf", "Println"]) } - - override DataFlow::Node getAMessageComponent() { result = this.getAnArgument() } - } - -This has the effect that any call to ``Print``, ``Printf``, or -``Println`` in the package ``fmt`` is recognized as a logger call. -Any query that uses logger calls as a sink will then identify when tainted data -has been passed as an argument to ``Print``, ``Printf``, or ``Println``. From 9785aac8be326b14ead32c9d4332c1796569cdae Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 16 Jan 2025 12:04:45 +0000 Subject: [PATCH 03/14] Update java data flow docs: update use of deprecated class --- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 0c6453d8993..0a958f30559 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -145,7 +145,7 @@ This query finds calls to formatting functions where the format string is not ha import semmle.code.java.dataflow.DataFlow import semmle.code.java.StringFormat - from StringFormatMethod format, MethodAccess call, Expr formatString + from StringFormatMethod format, MethodCall call, Expr formatString where call.getMethod() = format and call.getArgument(format.getFormatStringIndex()) = formatString and @@ -313,7 +313,7 @@ Exercise 3 import java - class GetenvSource extends MethodAccess { + class GetenvSource extends MethodCall { GetenvSource() { exists(Method m | m = this.getMethod() | m.hasName("getenv") and @@ -331,7 +331,7 @@ Exercise 4 class GetenvSource extends DataFlow::ExprNode { GetenvSource() { - exists(Method m | m = this.asExpr().(MethodAccess).getMethod() | + exists(Method m | m = this.asExpr().(MethodCall).getMethod() | m.hasName("getenv") and m.getDeclaringType() instanceof TypeSystem ) From 037ce3d3dff2b24d7f16a669d41201164cbf6fc0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 16 Jan 2025 12:05:42 +0000 Subject: [PATCH 04/14] Update java data flow docs: Add 5 missing "import java"s --- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 0a958f30559..86e02e93491 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -177,6 +177,7 @@ You use the global data flow library by implementing the signature ``DataFlow::C .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow module MyFlowConfiguration implements DataFlow::ConfigSig { @@ -213,6 +214,7 @@ Global taint tracking is to global data flow as local taint tracking is to local .. code-block:: ql + import java import semmle.code.java.dataflow.TaintTracking module MyFlowConfiguration implements DataFlow::ConfigSig { @@ -271,6 +273,7 @@ Exercise 1 .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow from Constructor url, Call call, StringLiteral src @@ -285,6 +288,7 @@ Exercise 2 .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow module LiteralToURLConfig implements DataFlow::ConfigSig { @@ -327,6 +331,7 @@ Exercise 4 .. code-block:: ql + import java import semmle.code.java.dataflow.DataFlow class GetenvSource extends DataFlow::ExprNode { From 75424f3010b17888631a80830b55fc807b5562f8 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 16 Jan 2025 12:06:23 +0000 Subject: [PATCH 05/14] Update java data flow docs: two misc improvements Copied from the C# equivalent. --- .../analyzing-data-flow-in-java.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 86e02e93491..f26b1abc86e 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -194,10 +194,10 @@ You use the global data flow library by implementing the signature ``DataFlow::C These predicates are defined in the configuration: -- ``isSource``—defines where data may flow from -- ``isSink``—defines where data may flow to -- ``isBarrier``—optional, restricts the data flow -- ``isAdditionalFlowStep``—optional, adds additional flow steps +- ``isSource`` - defines where data may flow from. +- ``isSink`` - defines where data may flow to. +- ``isBarrier`` - optional, restricts the data flow. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: @@ -210,7 +210,7 @@ The data flow analysis is performed using the predicate ``flow(DataFlow::Node so Using global taint tracking ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Global taint tracking is to global data flow as local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. You use the global taint tracking library by applying the module ``TaintTracking::Global`` to your configuration instead of ``DataFlow::Global``: +Global taint tracking is to global data flow what local taint tracking is to local data flow. That is, global taint tracking extends global data flow with additional non-value-preserving steps. You use the global taint tracking library by applying the module ``TaintTracking::Global`` to your configuration instead of ``DataFlow::Global``: .. code-block:: ql From 26b8758108c3217fe66fc565c12aa8c5468107c7 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 16 Jan 2025 13:48:46 +0000 Subject: [PATCH 06/14] Fix indentation in code block --- .../codeql/codeql-language-guides/analyzing-data-flow-in-go.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index 181009d34ef..6b5d793a466 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -122,7 +122,7 @@ Then we can make the source more specific, for example an access to a parameter. .. code-block:: ql -import go + import go from Function osOpen, CallExpr call, Parameter p where From 549baba330a06f0730fc69297e0f4f066354e72c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Thu, 16 Jan 2025 15:03:40 +0000 Subject: [PATCH 07/14] Update docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst Co-authored-by: Chris Smowton --- .../codeql/codeql-language-guides/analyzing-data-flow-in-go.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index 6b5d793a466..75796d3a1ee 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -25,7 +25,7 @@ Using local data flow The ``DataFlow`` module defines the class ``Node`` denoting any element that data can flow through. The ``Node`` class has a number of useful subclasses, such as ``ExprNode`` for expressions, ``ParameterNode`` for parameters, and ``InstructionNode`` for control-flow nodes. -You can map between data flow nodes and expressions/control-flow nodes/parameters using the member predicates ``asExpr``, ``asParameter`` and ``asInstructionNode``: +You can map between data flow nodes and expressions/control-flow nodes/parameters using the member predicates ``asExpr``, ``asParameter`` and ``asInstruction``: .. code-block:: ql From ed44db71d226e4e1fa310908ba06eee6b9bd1d7c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 14:49:35 +0000 Subject: [PATCH 08/14] Explain `StringOps::Formatting::Range`, with a link --- docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index 75796d3a1ee..4af9c81a6b3 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -132,6 +132,7 @@ Then we can make the source more specific, for example an access to a parameter. select p This query finds calls to formatting functions where the format string is not hard-coded. +Note that `StringOps::Formatting::Range `_ is a class that represents all functions which have a format string, and its member predicate `getFormatStringIndex` gives the index of the argument which is the format string. .. code-block:: ql From d1d6b520e18fbbe4e2d21dfdd37b4831e9833dfe Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 14:08:55 +0000 Subject: [PATCH 09/14] (Multiple languages) "global data flow paths" --- .../codeql-language-guides/analyzing-data-flow-in-cpp.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-csharp.rst | 2 +- .../codeql/codeql-language-guides/analyzing-data-flow-in-go.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 2 +- .../analyzing-data-flow-in-javascript-and-typescript.rst | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst index 13ab457cd4b..1ec677663fe 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst @@ -314,7 +314,7 @@ Exercise 2: Write a query that finds all hard-coded strings used to create a ``h Exercise 3: Write a class that represents flow sources from ``getenv``. (`Answer <#exercise-3>`__) -Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``getenv`` to ``gethostbyname``. (`Answer <#exercise-4>`__) +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``getenv`` to ``gethostbyname``. (`Answer <#exercise-4>`__) Answers ------- diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst index f6c018c0f86..6657778ec4a 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst @@ -288,7 +288,7 @@ Exercise 2: Find all hard-coded strings passed to ``System.Uri``, using global d Exercise 3: Define a class that represents flow sources from ``System.Environment.GetEnvironmentVariable``. (`Answer <#exercise-3>`__) -Exercise 4: Using the answers from 2 and 3, write a query to find all global data flow from ``System.Environment.GetEnvironmentVariable`` to ``System.Uri``. (`Answer <#exercise-4>`__) +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``System.Environment.GetEnvironmentVariable`` to ``System.Uri``. (`Answer <#exercise-4>`__) Extending library data flow --------------------------- diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index 4af9c81a6b3..e709b541201 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -253,7 +253,7 @@ Exercise 2: Write a query that finds all hard-coded strings used to create a ``u Exercise 3: Write a class that represents flow sources from ``os.Getenv(..)``. (`Answer <#exercise-3>`__) -Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``os.Getenv`` to ``url.URL``. (`Answer <#exercise-4>`__) +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``os.Getenv`` to ``url.URL``. (`Answer <#exercise-4>`__) Answers ------- diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index f26b1abc86e..9f8af1642e9 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -263,7 +263,7 @@ Exercise 2: Write a query that finds all hard-coded strings used to create a ``j Exercise 3: Write a class that represents flow sources from ``java.lang.System.getenv(..)``. (`Answer <#exercise-3>`__) -Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from ``getenv`` to ``java.net.URL``. (`Answer <#exercise-4>`__) +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from ``getenv`` to ``java.net.URL``. (`Answer <#exercise-4>`__) Answers ------- diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst index 1dfcd0b713b..c6b5cb11647 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst @@ -468,7 +468,7 @@ using global data flow. (`Answer <#exercise-2>`__). Exercise 3: Write a class which represents flow sources from the array elements of the result of a call, for example the expression ``myObject.myMethod(myArgument)[myIndex]``. Hint: array indices are properties with numeric names; you can use regular expression matching to check this. (`Answer <#exercise-3>`__) -Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flows from array elements of the result of a call to the ``tagName`` argument to the +Exercise 4: Using the answers from 2 and 3, write a query which finds all global data flow paths from array elements of the result of a call to the ``tagName`` argument to the ``createElement`` function. (`Answer <#exercise-4>`__) Answers From 4585c8caf29b73bd9ac3096801aa052ffeb2601e Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 14:17:55 +0000 Subject: [PATCH 10/14] (Multiple languages) Clarify defn of barriers --- .../codeql-language-guides/analyzing-data-flow-in-csharp.rst | 4 ++-- .../codeql-language-guides/analyzing-data-flow-in-go.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-python.rst | 4 ++-- .../codeql-language-guides/analyzing-data-flow-in-ruby.rst | 4 ++-- .../codeql-language-guides/analyzing-data-flow-in-swift.rst | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst index 6657778ec4a..0369fec6ffb 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst @@ -170,8 +170,8 @@ These predicates are defined in the configuration: - ``isSource`` - defines where data may flow from. - ``isSink`` - defines where data may flow to. -- ``isBarrier`` - optionally, restricts the data flow. -- ``isAdditionalFlowStep`` - optionally, adds additional flow steps. +- ``isBarrier`` - optional, defines where data flow is blocked. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index e709b541201..684d05802c3 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -188,7 +188,7 @@ These predicates are defined in the configuration: - ``isSource`` - defines where data may flow from. - ``isSink`` - defines where data may flow to. -- ``isBarrier`` - optional, restricts the data flow. +- ``isBarrier`` - optional, defines where data flow is blocked. - ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 9f8af1642e9..d08b9e2103b 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -196,7 +196,7 @@ These predicates are defined in the configuration: - ``isSource`` - defines where data may flow from. - ``isSink`` - defines where data may flow to. -- ``isBarrier`` - optional, restricts the data flow. +- ``isBarrier`` - optional, defines where data flow is blocked. - ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst index 8adbfb09a5c..8a50f9bfa07 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst @@ -228,8 +228,8 @@ These predicates are defined in the configuration: - ``isSource`` - defines where data may flow from. - ``isSink`` - defines where data may flow to. -- ``isBarrier`` - optionally, restricts the data flow. -- ``isAdditionalFlowStep`` - optionally, adds additional flow steps. +- ``isBarrier`` - optional, defines where data flow is blocked. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst index 44428000875..dfd2486fda7 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst @@ -248,8 +248,8 @@ These predicates are defined in the configuration: - ``isSource`` - defines where data may flow from. - ``isSink`` - defines where data may flow to. -- ``isBarrier`` - optionally, restricts the data flow. -- ``isAdditionalFlowStep`` - optionally, adds additional flow steps. +- ``isBarrier`` - optional, defines where data flow is blocked. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. The data flow analysis is performed using the predicate ``flow(DataFlow::Node source, DataFlow::Node sink)``: diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst index 76cb8da18a1..544b5755d22 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst @@ -185,8 +185,8 @@ These predicates are defined in the configuration: - ``isSource`` - defines where data may flow from. - ``isSink`` - defines where data may flow to. -- ``isBarrier`` - optionally, restricts the data flow. -- ``isAdditionalFlowStep`` - optionally, adds additional flow steps. +- ``isBarrier`` - optional, defines where data flow is blocked. +- ``isAdditionalFlowStep`` - optional, adds additional flow steps. The last line (``module MyDataFlow = ...``) instantiates the parameterized module for data flow analysis by passing the configuration to the parameterized module. Data flow analysis can then be performed using ``MyDataFlow::flow(DataFlow::Node source, DataFlow::Node sink)``: From 6d9daec514e4fc7986f3479ba3a9666573206a05 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 16:44:55 +0000 Subject: [PATCH 11/14] (Multiple languages) Use active voice --- .../codeql-language-guides/analyzing-data-flow-in-cpp.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-csharp.rst | 2 +- .../codeql/codeql-language-guides/analyzing-data-flow-in-go.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-python.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-ruby.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-swift.rst | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst index 1ec677663fe..e04cdac3deb 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-cpp.rst @@ -172,7 +172,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global`` as follows: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst index 0369fec6ffb..7cdff875a79 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst @@ -148,7 +148,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index 684d05802c3..cd081c29651 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -166,7 +166,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index d08b9e2103b..cae8a71e155 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -173,7 +173,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -You use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst index 8a50f9bfa07..8e96440ed37 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst @@ -206,7 +206,7 @@ Global data flow tracks data flow throughout the entire program, and is therefor Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -The global data flow library is used by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst index dfd2486fda7..52a74baa7d5 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst @@ -226,7 +226,7 @@ However, global data flow is less precise than local data flow, and the analysis Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -You can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst index 544b5755d22..b255f070e98 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst @@ -163,7 +163,7 @@ However, global data flow is less precise than local data flow, and the analysis Using global data flow ~~~~~~~~~~~~~~~~~~~~~~ -You can use the global data flow library by implementing the module ``DataFlow::ConfigSig``: +We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global``: .. code-block:: ql From d46899d37b5bf1589cdbec498866ccbc3d06a4b9 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 16:56:16 +0000 Subject: [PATCH 12/14] (Multiple languages) Be clearer about which query is being discussed --- .../codeql-language-guides/analyzing-data-flow-in-csharp.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-go.rst | 4 ++-- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst index 7cdff875a79..f8e6ec7ab63 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst @@ -117,7 +117,7 @@ Then we can make the source more specific, for example an access to a public par and call.getEnclosingCallable().(Member).isPublic() select p, "Opening a file from a public method." -This query finds calls to ``String.Format`` where the format string isn't hard-coded: +The following query finds calls to ``String.Format`` where the format string isn't hard-coded: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index cd081c29651..7dd34a30d3c 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -93,7 +93,7 @@ For example, you can find taint propagation from a parameter ``source`` to an ex Examples ~~~~~~~~ -This query finds the filename passed to ``os.Open(..)``. +This query finds the filename passed to ``os.Open(..)``: .. code-block:: ql @@ -131,7 +131,7 @@ Then we can make the source more specific, for example an access to a parameter. DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(call.getArgument(0))) select p -This query finds calls to formatting functions where the format string is not hard-coded. +The following query finds calls to formatting functions where the format string is not hard-coded. Note that `StringOps::Formatting::Range `_ is a class that represents all functions which have a format string, and its member predicate `getFormatStringIndex` gives the index of the argument which is the format string. .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index cae8a71e155..8fc81e08785 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -97,7 +97,7 @@ For example, you can find taint propagation from a parameter ``source`` to an ex Examples ~~~~~~~~ -This query finds the filename passed to ``new FileReader(..)``. +This query finds the filename passed to ``new FileReader(..)``: .. code-block:: ql @@ -137,7 +137,7 @@ Then we can make the source more specific, for example an access to a public par DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(call.getArgument(0))) select p -This query finds calls to formatting functions where the format string is not hard-coded. +The following query finds calls to formatting functions where the format string is not hard-coded. .. code-block:: ql From 7ff9fcb44524d3dcee27369cba56c8526e801047 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 16:59:37 +0000 Subject: [PATCH 13/14] (Multiple languages) Simplify taint tracking example --- .../codeql-language-guides/analyzing-data-flow-in-csharp.rst | 3 +-- .../codeql-language-guides/analyzing-data-flow-in-go.rst | 3 +-- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 3 +-- .../codeql-language-guides/analyzing-data-flow-in-python.rst | 3 +-- .../codeql-language-guides/analyzing-data-flow-in-ruby.rst | 3 +-- .../codeql-language-guides/analyzing-data-flow-in-swift.rst | 3 +-- 6 files changed, 6 insertions(+), 12 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst index f8e6ec7ab63..cffc6eab674 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst @@ -65,8 +65,7 @@ Local taint tracking extends local data flow by including non-value-preserving f .. code-block:: csharp - var temp = x; - var y = temp + ", " + temp; + var y = "Hello " + x; If ``x`` is a tainted string then ``y`` is also tainted. diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index 7dd34a30d3c..f2fc0d9ec78 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -76,8 +76,7 @@ Local taint tracking extends local data flow by including non-value-preserving f .. code-block:: go - temp := x; - y := temp + ", " + temp; + y := "Hello " + x; If ``x`` is a tainted string then ``y`` is also tainted. diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 8fc81e08785..effac879192 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -74,8 +74,7 @@ Local taint tracking extends local data flow by including non-value-preserving f .. code-block:: java - String temp = x; - String y = temp + ", " + temp; + String y = "Hello " + x; If ``x`` is a tainted string then ``y`` is also tainted. diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst index 8e96440ed37..4bce178d41f 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-python.rst @@ -62,8 +62,7 @@ Local taint tracking extends local data flow by including non-value-preserving f .. code-block:: python - temp = x - y = temp + ", " + temp + y = "Hello " + x If ``x`` is a tainted string then ``y`` is also tainted. diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst index 52a74baa7d5..53d6dfa2d1c 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst @@ -74,8 +74,7 @@ For example: .. code-block:: ruby - temp = x - y = temp + ", " + temp + y = "Hello " + x If ``x`` is a tainted string then ``y`` is also tainted. diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst index b255f070e98..b41c82ca7ef 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst @@ -72,8 +72,7 @@ For example: .. code-block:: swift - temp = x - y = temp + ", " + temp + y = "Hello " + x If ``x`` is a tainted string then ``y`` is also tainted. From da86668cfd243a0a00651989fa6562adb25e33a8 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 17 Jan 2025 17:00:02 +0000 Subject: [PATCH 14/14] (Multiple languages) Use slightly clearer wording --- .../codeql-language-guides/analyzing-data-flow-in-csharp.rst | 2 +- .../codeql/codeql-language-guides/analyzing-data-flow-in-go.rst | 2 +- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst index cffc6eab674..7e60956a5a9 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-csharp.rst @@ -103,7 +103,7 @@ Unfortunately this will only give the expression in the argument, not the values and DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0))) select src -Then we can make the source more specific, for example an access to a public parameter. This query finds instances where a public parameter is used to open a file: +To restrict sources to only an access to a public parameter, rather than arbitrary expressions, we can modify this query as follows: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst index f2fc0d9ec78..537a2308203 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-go.rst @@ -117,7 +117,7 @@ Unfortunately, this only gives the expression in the argument, not the values wh DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0))) select src -Then we can make the source more specific, for example an access to a parameter. This query finds where a public parameter is passed to ``os.Open(..)``: +To restrict sources to only parameters, rather than arbitrary expressions, we can modify this query as follows: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index effac879192..bade378d3a0 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -122,7 +122,7 @@ Unfortunately, this only gives the expression in the argument, not the values wh DataFlow::localFlow(DataFlow::exprNode(src), DataFlow::exprNode(call.getArgument(0))) select src -Then we can make the source more specific, for example an access to a public parameter. This query finds where a public parameter is passed to ``new FileReader(..)``: +To restrict sources to only an access to a public parameter, rather than arbitrary expressions, we can modify this query as follows: .. code-block:: ql