Merge branch 'main' into use-shared-guards-library

Mathias Vorreiter Pedersen
2025-10-01 11:59:17 +01:00
340 changed files with 11572 additions and 3477 deletions

3
.gitignore vendored

@@ -76,3 +76,6 @@ node_modules/
# some upgrade/downgrade checks create these files
**/upgrades/*/*.dbscheme.stats
**/downgrades/*/*.dbscheme.stats
# Mergetool files
*.orig


@@ -1,3 +1,7 @@
## 0.4.18
No user-facing changes.
## 0.4.17
No user-facing changes.


@@ -0,0 +1,3 @@
## 0.4.18
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.17
lastReleaseVersion: 0.4.18


@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.18-dev
version: 0.4.19-dev
library: true
warnOnImplicitThis: true
dependencies:


@@ -1,3 +1,7 @@
## 0.6.10
No user-facing changes.
## 0.6.9
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 0.6.10
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.9
lastReleaseVersion: 0.6.10


@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.10-dev
version: 0.6.11-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]


@@ -1,3 +1,7 @@
## 5.6.1
No user-facing changes.
## 5.6.0
### Deprecated APIs


@@ -0,0 +1,3 @@
## 5.6.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.6.0
lastReleaseVersion: 5.6.1


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 5.6.1-dev
version: 5.6.2-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -104,7 +104,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
result.getStaticCallTarget().getUnderlyingCallable() = sc
}
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
}


@@ -1,3 +1,7 @@
## 1.5.1
No user-facing changes.
## 1.5.0
### Major Analysis Improvements


@@ -0,0 +1,3 @@
## 1.5.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.5.0
lastReleaseVersion: 1.5.1


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.5.1-dev
version: 1.5.2-dev
groups:
- cpp
- queries


@@ -1 +0,0 @@
| permissive.cpp:6:5:6:7 | str |


@@ -1 +0,0 @@
| permissive.cpp:6:3:6:3 | call to f | permissive.cpp:2:13:2:13 | f |


@@ -1,8 +0,0 @@
// semmle-extractor-options: --edg --permissive
static void f(char* foo) {}
static void g(void) {
const char* str = "foo";
f(str);
}


@@ -1,3 +1,7 @@
## 1.7.49
No user-facing changes.
## 1.7.48
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.49
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.48
lastReleaseVersion: 1.7.49


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.49-dev
version: 1.7.50-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 1.7.49
No user-facing changes.
## 1.7.48
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.49
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.48
lastReleaseVersion: 1.7.49


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.49-dev
version: 1.7.50-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 5.2.5
No user-facing changes.
## 5.2.4
No user-facing changes.


@@ -0,0 +1,3 @@
## 5.2.5
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.2.4
lastReleaseVersion: 5.2.5


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.2.5-dev
version: 5.2.6-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -183,7 +183,7 @@ private module TypesInput implements Impl::Private::TypesInputSig {
)
}
DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
none()
}
@@ -195,7 +195,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
sc = viableCallable(result).asSummarizedCallable()
}
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
}


@@ -1,3 +1,10 @@
## 1.4.1
### Minor Analysis Improvements
* The modeling of null guards based on complex pattern expressions has been improved, which in turn improves the query `cs/dereferenced-value-may-be-null` by removing false positives.
* The query `cs/xmldoc/missing-summary` has been removed from the `code-quality` suite, to align with other languages.
## 1.4.0
### Deprecated Queries


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Remove the query `cs/xmldoc/missing-summary` from the `code-quality` suite (align with other languages).


@@ -1,4 +1,6 @@
---
category: minorAnalysis
---
## 1.4.1
### Minor Analysis Improvements
* The modeling of null guards based on complex pattern expressions has been improved, which in turn improves the query `cs/dereferenced-value-may-be-null` by removing false positives.
* The query `cs/xmldoc/missing-summary` has been removed from the `code-quality` suite, to align with other languages.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.0
lastReleaseVersion: 1.4.1


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.4.1-dev
version: 1.4.2-dev
groups:
- csharp
- queries


@@ -0,0 +1,176 @@
.. _codeql-cli-2.23.1:
==========================
CodeQL 2.23.1 (2025-09-23)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.23.1 runs a total of 478 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE). 3 security queries have been added with this release.
CodeQL CLI
----------
New Features
~~~~~~~~~~~~
* CodeQL now adds the sources and sinks of path alerts to the :code:`relatedLocations` property of SARIF results if they are not included as the primary location or within the alert message. This means that path alerts will show on PRs if a source or sink is added or modified, even for queries that don't follow the common convention of selecting the sink as the primary location and mentioning the source in the alert message.
* CodeQL now populates file coverage information for GitHub Actions on
\ `the tool status page for code scanning <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository>`__.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
C/C++
"""""
* The predicate :code:`occurenceCount` in the file module :code:`MagicConstants` has been deprecated. Use :code:`occurrenceCount` instead.
* The predicate :code:`additionalAdditionOrSubstractionCheckForLeapYear` in the file module :code:`LeapYear` has been deprecated. Use :code:`additionalAdditionOrSubtractionCheckForLeapYear` instead.
C#
""
* The message for :code:`csharp/diagnostic/database-quality` has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page.
Java/Kotlin
"""""""""""
* The message for :code:`java/diagnostic/database-quality` has been updated to include detailed database health metrics. Additionally, the threshold for reporting database health issues has been lowered from 95% to 85% (if any metric falls below this percentage). These changes are visible on the tool status page.
Rust
""""
* The message for :code:`rust/diagnostic/database-quality` has been updated to include detailed database health metrics. These changes are visible on the tool status page.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The queries :code:`cpp/wrong-type-format-argument`, :code:`cpp/comparison-with-wider-type`, :code:`cpp/integer-multiplication-cast-to-long`, :code:`cpp/implicit-function-declaration` and :code:`cpp/suspicious-add-sizeof` have had their precisions reduced from :code:`high` to :code:`medium`. They will also now give alerts for projects built with :code:`build-mode: none`.
* The queries :code:`cpp/wrong-type-format-argument`, :code:`cpp/comparison-with-wider-type`, :code:`cpp/integer-multiplication-cast-to-long` and :code:`cpp/suspicious-add-sizeof` are no longer included in the :code:`code-scanning` suite.
Java/Kotlin
"""""""""""
* The implementation of :code:`java/dereferenced-value-may-be-null` has been completely replaced with a new general control-flow reachability library. This improves precision by reducing false positives. However, since the entire calculation has been reworked, there can be small corner cases where precision regressions might occur and new false positives may occur, but these cases should be rare.
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for TypeScript 5.9
* Added support for :code:`import defer` syntax in JavaScript and TypeScript.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* The query :code:`cs/call-to-object-tostring` has been improved to remove false positives for enum types.
JavaScript/TypeScript
"""""""""""""""""""""
* Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions.
* Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test.
* The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`.
* The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query <https://github.com/github/codeql/pull/14342>`__!
Python
""""""
* The queries :code:`py/missing-call-to-init`, :code:`py/missing-calls-to-del`, :code:`py/multiple-calls-to-init`, and :code:`py/multiple-calls-to-del` queries have been modernized; no longer relying on outdated libraries, producing more precise results with more descriptive alert messages, and improved documentation.
GitHub Actions
""""""""""""""
* Actions analysis now reports file coverage information on the CodeQL status page.
Deprecated Queries
~~~~~~~~~~~~~~~~~~
C#
""
* The query :code:`cs/captured-foreach-variable` has been deprecated as the semantics of capturing a 'foreach' variable and using it outside the loop has been stable since C# version 5.
New Queries
~~~~~~~~~~~
Rust
""""
* Added a new query, :code:`rust/request-forgery`, for detecting server-side request forgery vulnerabilities.
Language Libraries
------------------
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go.
* The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning.
Java/Kotlin
"""""""""""
* Improved support for various assertion libraries, in particular JUnit. This affects the control-flow graph slightly, and in turn affects several queries (mainly quality queries). Most queries should see improved precision (new true positives and fewer false positives), in particular :code:`java/constant-comparison`, :code:`java/index-out-of-bounds`, :code:`java/dereferenced-value-may-be-null`, and :code:`java/useless-null-check`. Some medium precision queries like :code:`java/toctou-race-condition` and :code:`java/unreleased-lock` may see mixed result changes (both slight improvements and slight regressions).
* Added taint flow model for :code:`java.crypto.KDF`.
* Added taint flow model for :code:`java.lang.ScopedValue`.
JavaScript/TypeScript
"""""""""""""""""""""
* Added modeling for promisification libraries :code:`@gar/promisify`, :code:`es6-promisify`, :code:`util.promisify`, :code:`thenify-all`, :code:`call-me-maybe`, :code:`@google-cloud/promisify`, and :code:`util-promisify`.
* Data flow is now tracked through promisified user-defined functions.
Swift
"""""
* Updated to allow analysis of Swift 6.1.3.
Rust
""""
* Added cryptography related models for the :code:`cookie` and :code:`biscotti` crates.
Deprecated APIs
~~~~~~~~~~~~~~~
C/C++
"""""
* The predicate :code:`getAContructorCall` in the class :code:`SslContextClass` has been deprecated. Use :code:`getAConstructorCall` instead.
New Features
~~~~~~~~~~~~
C/C++
"""""
* Added predicates :code:`getTransitiveNumberOfVlaDimensionStmts`, :code:`getTransitiveVlaDimensionStmt`, and :code:`getParentVlaDecl` to :code:`VlaDeclStmt` for handling :code:`VlaDeclStmt`\ s whose base type is defined in terms of another :code:`VlaDeclStmt` via a :code:`typedef`.
Java/Kotlin
"""""""""""
* The Java extractor and QL libraries now support Java 25.
* Added support for Java 25 compact source files (JEP 512). The new predicate :code:`Class.isImplicit()` identifies classes that are implicitly declared when using compact source files, and the new predicate :code:`CompilationUnit.isCompactSourceFile()` identifies compilation units that contain compact source files.
* Added support for Java 25 module import declarations.
* Add :code:`ModuleImportDeclaration` class.


@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.23.1
codeql-cli-2.23.0
codeql-cli-2.22.4
codeql-cli-2.22.3


@@ -16,9 +16,9 @@ For example, to declare a module ``M`` as private, you could use:
}
Note that some annotations act on an entity itself, whilst others act on a particular *name* for the entity:
- Act on an **entity**: ``abstract``, ``cached``, ``external``, ``transient``, ``override``, ``pragma``, ``language``,
and ``bindingset``
- Act on a **name**: ``deprecated``, ``library``, ``private``, ``final``, and ``query``
- Act on an **entity**: ``abstract``, ``bindingset``, ``cached``, ``extensible``, ``external``, ``language``,
``override``, ``pragma``, and ``transient``
- Act on a **name**: ``additional``, ``deprecated``, ``final``, ``library``, ``private``, and ``query``
For example, if you annotate an entity with ``private``, then only that particular name is
private. You could still access that entity under a different name (using an :ref:`alias <aliases>`).


@@ -761,17 +761,17 @@ Various kinds of syntax can have *annotations* applied to them. Annotations are
annotation ::= simpleAnnotation | argsAnnotation
simpleAnnotation ::= "abstract"
| "cached"
| "external"
| "extensible"
| "final"
| "transient"
| "library"
| "private"
| "deprecated"
| "override"
| "additional"
| "cached"
| "deprecated"
| "extensible"
| "external"
| "final"
| "library"
| "override"
| "private"
| "query"
| "transient"
argsAnnotation ::= "pragma" "[" ("inline" | "inline_late" | "noinline" | "nomagic" | "noopt" | "assume_small_delta") "]"
| "language" "[" "monotonicAggregates" "]"
@@ -791,28 +791,28 @@ The following table summarizes the syntactic constructs which can be marked with
+================+=========+============+===================+=======================+=========+========+=========+=========+============+
| ``abstract`` | yes | | yes | | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``additional`` | yes | | | yes | | | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``cached`` | yes | yes | yes | yes | | | yes | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``external`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``extensible`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``final`` | yes | | yes | | | yes | | (yes) | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``transient`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``library`` | (yes) | | | | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``private`` | yes | | yes | yes | yes | yes | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``deprecated`` | yes | | yes | yes | yes | yes | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``extensible`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``external`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``final`` | yes | | yes | | | yes | | (yes) | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``library`` | (yes) | | | | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``override`` | | | yes | | | yes | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``additional`` | yes | | | yes | | | yes | yes | yes |
| ``private`` | yes | | yes | yes | yes | yes | yes | yes | yes |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``query`` | | | | yes | | | | yes | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
| ``transient`` | | | | yes | | | | | |
+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
The ``library`` annotation is only usable within a QLL file, not a QL file.
The ``final`` annotation is usable on type aliases, but not on module aliases and predicate aliases.
@@ -933,7 +933,8 @@ A predicate definition adds a mapping from the predicate name and arity to the p
When a predicate is a top-level clause in a module, it is called a non-member predicate. See below for "`Member predicates <#member-predicates>`__."
A valid non-member predicate can be annotated with ``cached``, ``deprecated``, ``external``, ``transient``, ``private``, and ``query``. Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
A valid non-member predicate can be annotated with ``additional``, ``cached``, ``deprecated``, ``extensible``, ``external``, ``transient``, ``private``, and ``query``.
Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
The head of the predicate gives a name, an optional *result type*, and a sequence of variables declarations that are *arguments*:
@@ -979,7 +980,7 @@ A class type is said to *final inherit* from base types that are final or refere
A class adds a mapping from the class name to the class declaration to the current module's declared type environment.
A valid class can be annotated with ``abstract``, ``final``, ``library``, and ``private``. Any other annotation renders the class invalid.
A valid class can be annotated with ``abstract``, ``additional``, ``final``, ``library``, and ``private``. Any other annotation renders the class invalid.
A valid class may not inherit from itself, or from more than one primitive type. The set of types that a valid class inherits from must be disjoint from the set of types that it final inherits from.
@@ -2292,17 +2293,17 @@ The complete grammar for QL is as follows:
annotation ::= simpleAnnotation | argsAnnotation
simpleAnnotation ::= "abstract"
| "cached"
| "external"
| "extensible"
| "final"
| "transient"
| "library"
| "private"
| "deprecated"
| "override"
| "additional"
| "cached"
| "deprecated"
| "extensible"
| "external"
| "final"
| "library"
| "override"
| "private"
| "query"
| "transient"
argsAnnotation ::= "pragma" "[" ("inline" | "inline_late" | "noinline" | "nomagic" | "noopt" | "assume_small_delta") "]"
| "language" "[" "monotonicAggregates" "]"


@@ -20,7 +20,7 @@
- ``python``
* - Ruby
- ``ruby``
- Rust
* - Rust
- ``rust``
* - Swift
- ``swift``


@@ -324,12 +324,15 @@ All support is experimental.
Name, Category
`actix-web <https://crates.io/crates/actix-web>`__, Web framework
alloc, Standard library
`async-std <https://crates.io/crates/async-std>`__, Asynchronous programming library
`biscotti <https://crates.io/crates/biscotti>`__, Cookie management
`clap <http://crates.io/crates/clap>`__, Utility library
`cookie <https://crates.io/crates/cookie>`__, Cookie management
core, Standard library
`digest <https://crates.io/crates/digest>`__, Cryptography library
`futures-executor <https://crates.io/crates/futures-executor>`__, Utility library
`futures <https://crates.io/crates/futures>`__, Asynchronous programming library
`futures-rustls <https://crates.io/crates/futures-rustls>`__, Network communicator
`hyper <https://crates.io/crates/hyper>`__, HTTP library
`hyper-util <https://crates.io/crates/hyper-util>`__, HTTP library
`libc <https://crates.io/crates/libc>`__, Utility library
`log <https://crates.io/crates/log>`__, Logging library
`md5 <https://crates.io/crates/md5>`__, Utility library
@@ -345,12 +348,14 @@ All support is experimental.
`rusqlite <https://crates.io/crates/rusqlite>`__, Database
std, Standard library
`rust-crypto <https://crates.io/crates/rust-crypto>`__, Cryptography library
`rustls <https://crates.io/crates/rustls>`__, Network communicator
`serde <https://crates.io/crates/serde>`__, Serialization
`smallvec <https://crates.io/crates/smallvec>`__, Utility library
`sqlx <https://crates.io/crates/sqlx>`__, Database
`tokio <https://crates.io/crates/tokio>`__, Asynchronous IO
`tokio-postgres <https://crates.io/crates/tokio-postgres>`__, Database
`url <https://crates.io/crates/url>`__, Utility library
`warp <https://crates.io/crates/warp>`__, Web framework
Swift built-in support
================================


@@ -4,6 +4,7 @@ import (
"encoding/json"
"fmt"
"log/slog"
"net/url"
"os"
"os/exec"
"strings"
@@ -14,6 +15,7 @@ const PROXY_PORT = "CODEQL_PROXY_PORT"
const PROXY_CA_CERTIFICATE = "CODEQL_PROXY_CA_CERTIFICATE"
const PROXY_URLS = "CODEQL_PROXY_URLS"
const GOPROXY_SERVER = "goproxy_server"
const GIT_SOURCE = "git_source"
type RegistryConfig struct {
Type string `json:"type"`
@@ -26,9 +28,11 @@ var proxy_address string
// The path to the temporary file that stores the proxy certificate, if any.
var proxy_cert_file string
// An array of registry configurations that are relevant to Go.
// This excludes other registry configurations that may be available, but are not relevant to Go.
var proxy_configs []RegistryConfig
// An array of goproxy server URLs.
var goproxy_servers []string
// An array of Git URLs.
var git_sources []string
// Stores the environment variables that we wish to pass on to `go` commands.
var proxy_vars []string = nil
@@ -53,7 +57,13 @@ func getEnvVars() []string {
if proxy_host, proxy_host_set := os.LookupEnv(PROXY_HOST); proxy_host_set && proxy_host != "" {
if proxy_port, proxy_port_set := os.LookupEnv(PROXY_PORT); proxy_port_set && proxy_port != "" {
proxy_address = fmt.Sprintf("http://%s:%s", proxy_host, proxy_port)
result = append(result, fmt.Sprintf("HTTP_PROXY=%s", proxy_address), fmt.Sprintf("HTTPS_PROXY=%s", proxy_address))
result = append(
result,
fmt.Sprintf("HTTP_PROXY=%s", proxy_address),
fmt.Sprintf("HTTPS_PROXY=%s", proxy_address),
fmt.Sprintf("http_proxy=%s", proxy_address),
fmt.Sprintf("https_proxy=%s", proxy_address),
)
slog.Info("Found private registry proxy", slog.String("proxy_address", proxy_address))
}
@@ -91,20 +101,49 @@ func getEnvVars() []string {
// filter others out at this point.
for _, cfg := range val {
if cfg.Type == GOPROXY_SERVER {
proxy_configs = append(proxy_configs, cfg)
goproxy_servers = append(goproxy_servers, cfg.URL)
slog.Info("Found GOPROXY server", slog.String("url", cfg.URL))
} else if cfg.Type == GIT_SOURCE {
parsed, err := url.Parse(cfg.URL)
if err == nil && parsed.Hostname() != "" {
git_source := parsed.Hostname() + parsed.Path + "*"
git_sources = append(git_sources, git_source)
slog.Info("Found Git source", slog.String("source", git_source))
} else {
slog.Warn("Not a valid URL for Git source", slog.String("url", cfg.URL))
}
}
}
if len(proxy_configs) > 0 {
goprivate := []string{}
if len(goproxy_servers) > 0 {
goproxy_val := "https://proxy.golang.org,direct"
for _, cfg := range proxy_configs {
goproxy_val = cfg.URL + "," + goproxy_val
for _, url := range goproxy_servers {
goproxy_val = url + "," + goproxy_val
}
result = append(result, fmt.Sprintf("GOPROXY=%s", goproxy_val), "GOPRIVATE=", "GONOPROXY=")
result = append(result, fmt.Sprintf("GOPROXY=%s", goproxy_val), "GONOPROXY=")
}
if len(git_sources) > 0 {
goprivate = append(goprivate, git_sources...)
if proxy_cert_file != "" {
slog.Info("Configuring `git` to use proxy certificate", slog.String("path", proxy_cert_file))
cmd := exec.Command("git", "config", "--global", "http.sslCAInfo", proxy_cert_file)
out, cmdErr := cmd.CombinedOutput()
slog.Info(string(out))
if cmdErr != nil {
slog.Error("Failed to configure `git` to accept the certificate file", slog.String("error", cmdErr.Error()))
}
}
}
result = append(result, fmt.Sprintf("GOPRIVATE=%s", strings.Join(goprivate, ",")))
}
}
@@ -113,11 +152,6 @@ func getEnvVars() []string {
// Applies private package proxy related environment variables to `cmd`.
func ApplyProxyEnvVars(cmd *exec.Cmd) {
slog.Debug(
"Applying private registry proxy environment variables",
slog.String("cmd_args", strings.Join(cmd.Args, " ")),
)
// If we haven't done so yet, check whether the proxy environment variables are set
// and extract information from them.
if !proxy_vars_checked {
@@ -131,4 +165,10 @@ func ApplyProxyEnvVars(cmd *exec.Cmd) {
if proxy_vars != nil {
cmd.Env = append(os.Environ(), proxy_vars...)
}
slog.Debug(
"Applying private registry proxy environment variables",
slog.String("cmd_args", strings.Join(cmd.Args, " ")),
slog.String("proxy_vars", strings.Join(proxy_vars, ",")),
)
}
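Review bot: In the `git_source` branch of `getEnvVars`, the GOPRIVATE entry is built as `parsed.Hostname() + parsed.Path + "*"`, so a URL such as `https://github.com/github` yields the glob `github.com/github*`, which also matches unrelated owners whose name merely begins with `github`. Because GOPRIVATE is the default for GONOSUMDB, modules under those other owners would skip checksum-database verification as well. GOPRIVATE patterns already match module path prefixes, so when the path is non-empty the trailing wildcard looks unnecessary; consider `git_source := parsed.Hostname() + strings.TrimSuffix(parsed.Path, "/")`. Separately, `git config --global http.sslCAInfo` keeps pointing at the temporary certificate after this process exits on a reused machine; adding `result = append(result, "GIT_SSL_CAINFO="+proxy_cert_file)` would scope the CA file to the `go` commands instead. `getEnvVars` begins and ends outside the visible hunks, so this is based only on the lines shown.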


@@ -47,3 +47,31 @@ func TestParseRegistryConfigs(t *testing.T) {
t.Fatalf("Expected `URL` to be `https://proxy.example.com/mod`, but got `%s`", first.URL)
}
}
func TestParseRegistryConfigsMultiple(t *testing.T) {
multiple := parseRegistryConfigsSuccess(t, "[{ \"type\": \"git_source\", \"url\": \"https://github.com/github\" }, { \"type\": \"goproxy_server\", \"url\": \"https://proxy.example.com/mod\" }]")
if len(multiple) != 2 {
t.Fatalf("Expected `parseRegistryConfigs` to return two configurations, but got %d.", len(multiple))
}
first := multiple[0]
if first.Type != "git_source" {
t.Fatalf("Expected `Type` to be `git_source`, but got `%s`", first.Type)
}
if first.URL != "https://github.com/github" {
t.Fatalf("Expected `URL` to be `https://github.com/github`, but got `%s`", first.URL)
}
second := multiple[1]
if second.Type != "goproxy_server" {
t.Fatalf("Expected `Type` to be `goproxy_server`, but got `%s`", second.Type)
}
if second.URL != "https://proxy.example.com/mod" {
t.Fatalf("Expected `URL` to be `https://proxy.example.com/mod`, but got `%s`", second.URL)
}
}


@@ -1,3 +1,7 @@
## 1.0.32
No user-facing changes.
## 1.0.31
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.0.32
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.31
lastReleaseVersion: 1.0.32


@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.32-dev
version: 1.0.33-dev
groups:
- go
- queries


@@ -1,3 +1,7 @@
## 4.3.5
No user-facing changes.
## 4.3.4
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 4.3.5
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.3.4
lastReleaseVersion: 4.3.5


@@ -1,5 +1,5 @@
name: codeql/go-all
version: 4.3.5-dev
version: 4.3.6-dev
groups: go
dbscheme: go.dbscheme
extractor: go


@@ -117,7 +117,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
)
}
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
}


@@ -1,3 +1,7 @@
## 1.4.6
No user-facing changes.
## 1.4.5
No user-facing changes.


@@ -13,12 +13,16 @@
import go
private Expr getConstantInitialiser(Expr e) {
exists(DeclaredConstant c | e = c.getAReference() | result = c.getInit())
}
/** Holds if `e` is not 0 and is either an octal or hexadecimal literal, or the number one. */
predicate maybeXorBitPattern(Expr e) {
// 0 makes no sense as an xor bit pattern
not e.getNumericValue() = 0 and
// include octal and hex literals
e.(IntLit).getText().matches("0%")
[e, getConstantInitialiser(e)].(IntLit).getText().matches("0%")
or
e.getNumericValue() = 1
}
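Review bot: The QLDoc on `maybeXorBitPattern` still describes only literals, but the body now also accepts a reference to a declared constant whose initialiser is such a literal, and the new private helper `getConstantInitialiser` has no doc comment. Suggest `/** Gets the initialiser of the declared constant referenced by e, if any. */` on the helper, and extending the predicate's doc to say "is either an octal or hexadecimal literal, or a reference to a constant initialised with one, or the number one". The inline comment `// include octal and hex literals` could mention constants too, so the test case `c1 ^ c2` is explained where the check lives.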


@@ -0,0 +1,3 @@
## 1.4.6
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.4.5
lastReleaseVersion: 1.4.6


@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.4.6-dev
version: 1.4.7-dev
groups:
- go
- queries


@@ -22,6 +22,13 @@ func main() {
mask := (((1 << 10) - 1) ^ 7) // OK
const (
c1 = 0x1234
c2 = 0x5678
)
fmt.Println(c1 ^ c2) // OK
// This is not ok, but isn't detected because the multiplication binds tighter
// than the xor operator and so the query doesn't see a constant on the left
// hand side of ^.


@@ -0,0 +1,2 @@
query: Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql


@@ -0,0 +1,7 @@
class Test {
public static void updateFlashlights(Minecraft mc){
if(mc.world != null){
}
}
}
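Review bot: The test class has no comment explaining why `Minecraft` is never declared, so the file reads like a broken fixture. Judging from the accompanying `build_mode="none"` test and the `ErrorType` exclusion added to `isConstantExp`, the unresolved type is presumably the point of the test. A leading comment such as `// Minecraft is deliberately unresolved: under build-mode none this comparison must not be reported as constant.` would make that explicit. Since the query is run through the inline-expectations postprocessor, it would also help to say on the `if` line that no alert is expected.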


@@ -0,0 +1,2 @@
def test(codeql, java):
codeql.database.create(build_mode="none")


@@ -1,3 +1,7 @@
## 7.7.1
No user-facing changes.
## 7.7.0
### New Features


@@ -0,0 +1,3 @@
## 7.7.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 7.7.0
lastReleaseVersion: 7.7.1


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 7.7.1-dev
version: 7.7.2-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -18,7 +18,7 @@ predicate isOverlay() { databaseMetadata("isOverlay", "true") }
overlay[local]
string getRawFile(@locatable el) {
exists(@location loc, @file file |
hasLocation(el, loc) and
(hasLocation(el, loc) or xmllocations(el, loc)) and
locations_default(loc, file, _, _, _, _) and
files(file, result)
)
@@ -73,40 +73,60 @@ private predicate discardReferableLocatable(@locatable el) {
)
}
/** Gets the raw file for a configLocatable. */
overlay[local]
private predicate baseConfigLocatable(@configLocatable l) { not isOverlay() and exists(l) }
private string getRawFileForConfig(@configLocatable el) {
exists(@location loc, @file file |
configLocations(el, loc) and
locations_default(loc, file, _, _, _, _) and
files(file, result)
)
}
overlay[local]
private predicate overlayHasConfigLocatables() {
private string baseConfigLocatable(@configLocatable el) {
not isOverlay() and result = getRawFileForConfig(el)
}
overlay[local]
private predicate overlayConfigExtracted(string file) {
isOverlay() and
exists(@configLocatable el)
exists(@configLocatable el | file = getRawFileForConfig(el))
}
overlay[discard_entity]
private predicate discardBaseConfigLocatable(@configLocatable el) {
// The properties extractor is currently not incremental, so if
// the overlay contains any config locatables, the overlay should
// contain a full extraction and all config locatables from base
// should be discarded.
baseConfigLocatable(el) and overlayHasConfigLocatables()
overlayChangedFiles(baseConfigLocatable(el))
or
// The config extractor is currently not incremental and may extract more
// property files than those included in overlayChangedFiles.
overlayConfigExtracted(baseConfigLocatable(el))
}
/**
* An `@xmllocatable` that should be discarded in the base variant if its file is
* extracted in the overlay variant.
*/
overlay[local]
abstract class DiscardableXmlLocatable extends @xmllocatable {
/** Gets the raw file for an xmllocatable in base. */
string getRawFileInBase() { not isOverlay() and result = getRawFile(this) }
/** Gets a textual representation of this discardable xmllocatable. */
string toString() { none() }
}
overlay[local]
private predicate baseXmlLocatable(@xmllocatable l) {
not isOverlay() and not files(l, _) and not xmlNs(l, _, _, _)
}
overlay[local]
private predicate overlayHasXmlLocatable() {
private predicate overlayXmlExtracted(string file) {
isOverlay() and
exists(@xmllocatable l | not files(l, _) and not xmlNs(l, _, _, _))
exists(@xmllocatable el | not files(el, _) and not xmlNs(el, _, _, _) and file = getRawFile(el))
}
overlay[discard_entity]
private predicate discardBaseXmlLocatable(@xmllocatable el) {
// The XML extractor is currently not incremental, so if
// the overlay contains any XML locatables, the overlay should
// contain a full extraction and all XML locatables from base
// should be discarded.
baseXmlLocatable(el) and overlayHasXmlLocatable()
private predicate discardXmlLocatable(@xmllocatable el) {
overlayChangedFiles(el.(DiscardableXmlLocatable).getRawFileInBase())
or
// The XML extractor is currently not incremental and may extract more
// XML files than those included in overlayChangedFiles.
overlayXmlExtracted(el.(DiscardableXmlLocatable).getRawFileInBase())
}
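Review bot: In the second hunk `baseConfigLocatable` changes from a predicate into a string-valued predicate that returns a file, but it keeps a name that reads like a membership test and has no QLDoc. Either rename it along the lines of the XML side's `getRawFileInBase`, or document it with `/** Gets the raw file of el, provided el belongs to the base variant. */`. `overlayConfigExtracted` and `overlayXmlExtracted` are undocumented as well; a line each saying they hold for files that have at least one such entity in the overlay would make the two `discard_entity` predicates easier to check. The config path uses private helper predicates while the XML path uses an abstract class, so a short comment on why they differ would also help.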


@@ -83,6 +83,7 @@ overlay[caller?]
pragma[inline]
predicate localFlow(Node node1, Node node2) { node1 = node2 or localFlowStepPlus(node1, node2) }
overlay[caller?]
private predicate localFlowStepPlus(Node node1, Node node2) = fastTC(localFlowStep/2)(node1, node2)
/**


@@ -132,7 +132,7 @@ private module TypesInput implements Impl::Private::TypesInputSig {
exists(rk)
}
DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
none()
}
@@ -144,7 +144,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
sc = viableCallable(result).asSummarizedCallable()
}
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
}


@@ -163,6 +163,12 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
private module RegexFlow = DataFlow::Global<RegexFlowConfig>;
private predicate usedAsRegexImpl(StringLiteral regex, string mode, boolean match_full_string) {
RegexFlow::flow(DataFlow::exprNode(regex), _) and
mode = "None" and // TODO: proper mode detection
(if matchesFullString(regex) then match_full_string = true else match_full_string = false)
}
/**
* Holds if `regex` is used as a regex, with the mode `mode` (if known).
* If regex mode is not known, `mode` will be `"None"`.
@@ -170,11 +176,9 @@ private module RegexFlow = DataFlow::Global<RegexFlowConfig>;
* As an optimisation, only regexes containing an infinite repitition quatifier (`+`, `*`, or `{x,}`)
* and therefore may be relevant for ReDoS queries are considered.
*/
predicate usedAsRegex(StringLiteral regex, string mode, boolean match_full_string) {
RegexFlow::flow(DataFlow::exprNode(regex), _) and
mode = "None" and // TODO: proper mode detection
(if matchesFullString(regex) then match_full_string = true else match_full_string = false)
}
overlay[local]
predicate usedAsRegex(StringLiteral regex, string mode, boolean match_full_string) =
forceLocal(usedAsRegexImpl/3)(regex, mode, match_full_string)
/**
* Holds if `regex` is used as a regular expression that is matched against a full string,
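Review bot: The split of `usedAsRegex` into `usedAsRegexImpl` plus a `forceLocal` wrapper is not explained anywhere in these hunks, and `usedAsRegexImpl` has no QLDoc. A reader cannot tell why a predicate built on global data flow (`RegexFlow::flow`) is being annotated `overlay[local]`. A short comment on the wrapper would record the intent, for example `// RegexFlow is global; forceLocal makes its result usable from overlay[local] callers.`, if that is indeed the reason. The existing `// TODO: proper mode detection` moved into the helper unchanged, so the public QLDoc's statement that `mode` is `"None"` when unknown still describes every result.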


@@ -6,6 +6,7 @@ module;
import semmle.files.FileSystem
private import codeql.xml.Xml
private import semmle.code.java.Overlay
private module Input implements InputSig<File, Location> {
class XmlLocatableBase = @xmllocatable or @xmlnamespaceable;
@@ -69,3 +70,13 @@ private module Input implements InputSig<File, Location> {
}
import Make<File, Location, Input>
private class DiscardableXmlAttribute extends DiscardableXmlLocatable, @xmlattribute { }
private class DiscardableXmlElement extends DiscardableXmlLocatable, @xmlelement { }
private class DiscardableXmlComment extends DiscardableXmlLocatable, @xmlcomment { }
private class DiscardableXmlCharacters extends DiscardableXmlLocatable, @xmlcharacters { }
private class DiscardableXmlDtd extends DiscardableXmlLocatable, @xmldtd { }
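Review bot: The five `Discardable…` classes in the second hunk carry no QLDoc, and nothing records which `@xmllocatable` kinds are deliberately left out. The overlay-side predicate `overlayXmlExtracted` excludes files and namespaces explicitly, whereas here the exclusion is only implied by which subclasses happen to exist. A kind added to the dbscheme later would silently never be discarded from base. A comment above the block, such as `// Every @xmllocatable kind except files and namespaces must have a subclass here; keep in sync with the dbscheme.`, would make that obligation visible.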


@@ -1,3 +1,7 @@
## 1.8.1
No user-facing changes.
## 1.8.0
### Major Analysis Improvements


@@ -19,7 +19,7 @@ predicate isConstantExp(Expr e) {
// A literal is constant.
e instanceof Literal
or
e instanceof TypeAccess
e instanceof TypeAccess and not e.(TypeAccess).getType() instanceof ErrorType
or
e instanceof ArrayTypeAccess
or
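Review bot: The new `ErrorType` exclusion on the `TypeAccess` disjunct has no comment, unlike the `// A literal is constant.` line just above it. It should say why an unresolved type access is not treated as constant, for example `// A type access is constant, unless the type is unresolved: the expression may then be something else that was extracted as a type access.`, hedged to match what the extractor actually does. Without it the condition looks arbitrary and is easy to drop in a later cleanup. The body of `isConstantExp` continues outside this hunk.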


@@ -15,6 +15,10 @@
import java
private predicate hasASubclass(RefType t) {
exists(RefType sub | sub != t | sub.getAnAncestor() = t)
}
/**
* Holds if this type is either `final` or
* `private` and without subtypes.
@@ -24,7 +28,11 @@ private predicate cannotBeExtended(RefType t) {
or
// If the class is private, all possible subclasses are known.
t.isPrivate() and
not exists(RefType sub | sub != t | sub.getAnAncestor() = t)
not hasASubclass(t)
or
// If the class only has private constructors, all possible subclasses are known.
forex(Constructor c | c.getDeclaringType() = t | c.isPrivate()) and
not hasASubclass(t)
}
from MethodCall m, Constructor c, Class clazz
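Review bot: The QLDoc kept above `cannotBeExtended` still describes only the `final` case and the `private`-without-subtypes case, but the second hunk adds a third: a class whose constructors are all private and which has no subclass. The comment should be extended to cover it, for example "Holds if this type is `final`, or is `private` or has only private constructors and has no subtypes". `hasASubclass` should also get a one-line doc stating that it holds when some type other than `t` has `t` as an ancestor. The start of `cannotBeExtended` is outside the hunk.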


@@ -0,0 +1,3 @@
## 1.8.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.8.0
lastReleaseVersion: 1.8.1


@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 1.8.1-dev
version: 1.8.2-dev
groups:
- java
- queries


@@ -30,4 +30,18 @@ public class Test {
}
}
}
public static class AllPrivateConstructors {
Thread myThread;
private AllPrivateConstructors() {
myThread = new Thread("myThread");
// OK - class cannot be extended outside this file, and is not in fact extended
myThread.start();
}
public static AllPrivateConstructors create() {
return new AllPrivateConstructors();
}
}
}
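Review bot: The added `AllPrivateConstructors` case covers only the side of the new rule that suppresses the alert. The query change also requires that the class has no subclass, and nothing in this hunk exercises that half. A sibling class with a private constructor that is extended by a nested class in the same file, with the `start()` call marked as an expected result, would pin it. The enclosing `Test` class begins outside the hunk, so such a case may already exist elsewhere in the file.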


@@ -1,3 +1,11 @@
## 2.6.12
### Minor Analysis Improvements
* Added modeling of `GraphQLObjectType` resolver function parameters as remote sources.
* Support for the [graphql](https://www.npmjs.com/package/graphql) library has been improved. Data flow from GraphQL query sources and variables to resolver function parameters is now tracked.
* Added support for the `aws-sdk` and `@aws-sdk/client-dynamodb`, `@aws-sdk/client-athena`, `@aws-sdk/client-s3`, and `@aws-sdk/client-rds-data` packages.
## 2.6.11
### Minor Analysis Improvements


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added support for the `aws-sdk` and `@aws-sdk/client-dynamodb`, `@aws-sdk/client-athena`, `@aws-sdk/client-s3`, and `@aws-sdk/client-rds-data` packages.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Support for the [graphql](https://www.npmjs.com/package/graphql) library has been improved. Data flow from GraphQL query sources and variables to resolver function parameters is now tracked.


@@ -0,0 +1,7 @@
## 2.6.12
### Minor Analysis Improvements
* Added modeling of `GraphQLObjectType` resolver function parameters as remote sources.
* Support for the [graphql](https://www.npmjs.com/package/graphql) library has been improved. Data flow from GraphQL query sources and variables to resolver function parameters is now tracked.
* Added support for the `aws-sdk` and `@aws-sdk/client-dynamodb`, `@aws-sdk/client-athena`, `@aws-sdk/client-s3`, and `@aws-sdk/client-rds-data` packages.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.6.11
lastReleaseVersion: 2.6.12


@@ -4,3 +4,8 @@ extensions:
extensible: summaryModel
data:
- ["graphql", "Member[graphql]", "Argument[0].Member[source,variableValues]", "Argument[0].Member[rootValue].AnyMember.Parameter[0]", "taint"]
- addsTo:
pack: codeql/javascript-all
extensible: sourceModel
data:
- ["graphql", "Member[GraphQLObjectType].Argument[0].Member[fields].AnyMember.Member[resolve].Parameter[1]", "remote"]
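Review bot: The new source row matches resolvers only when `fields` is an object literal passed directly in the `GraphQLObjectType` config. graphql-js also accepts `fields` as a function returning the field map, and resolvers declared that way would presumably not match `Member[fields].AnyMember`, leaving their `args` parameter untracked as remote input. If that form should be covered, add a second row: `- ["graphql", "Member[GraphQLObjectType].Argument[0].Member[fields].ReturnValue.AnyMember.Member[resolve].Parameter[1]", "remote"]`. Either way, a test using the function form would show whether the gap is real.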


@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 2.6.12-dev
version: 2.6.13-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript


@@ -150,7 +150,9 @@ private module FlowSummaryStepInput implements Private::StepsInputSig {
)
}
DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponent sc) { none() }
DataFlowCallable getSourceNodeEnclosingCallable(SourceBase source) { none() }
DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponentStack s) { none() }
DataFlow::Node getSinkNode(SinkBase sink, Private::SummaryComponent sc) { none() }
}


@@ -781,6 +781,40 @@ module Express {
override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
}
/**
* A call to `res.json()` or `res.jsonp()`.
*
* This sets the `content-type` header.
*/
private class ResponseJsonCall extends DataFlow::MethodCallNode, Http::HeaderDefinition {
private ResponseSource response;
ResponseJsonCall() { this = response.ref().getAMethodCall(["json", "jsonp"]) }
override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
override string getAHeaderName() { result = "content-type" }
override predicate defines(string headerName, string headerValue) {
// Note: for `jsonp` the actual content-type header will be `text/javascript` or similar, but to avoid
// generating a spurious HTML injection sink, we treat it as `application/json` here.
headerName = "content-type" and headerValue = "application/json"
}
}
/**
* An argument passed to the `json` or `jsonp` method of an HTTP response object.
*/
private class ResponseJsonCallArgument extends Http::ResponseSendArgument {
ResponseJsonCall call;
ResponseJsonCallArgument() { this = call.getArgument(0) }
override RouteHandler getRouteHandler() { result = call.getRouteHandler() }
override HeaderDefinition getAnAssociatedHeaderDefinition() { result = call }
}
/**
* An invocation of the `cookie` method on an HTTP response object.
*/


@@ -1,3 +1,7 @@
## 2.1.1
No user-facing changes.
## 2.1.0
### Major Analysis Improvements
@@ -10,7 +14,7 @@
* Data flow is now tracked through the `Promise.try` and `Array.prototype.with` functions.
* Query `js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test.
* The query `js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as `Object.keys()`.
* The query "Permissive CORS configuration" (`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite.
* The query "Permissive CORS configuration" (`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who [submitted the original experimental query](https://github.com/github/codeql/pull/14342)!
## 2.0.3


@@ -10,4 +10,4 @@
* Data flow is now tracked through the `Promise.try` and `Array.prototype.with` functions.
* Query `js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test.
* The query `js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as `Object.keys()`.
* The query "Permissive CORS configuration" (`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite.
* The query "Permissive CORS configuration" (`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who [submitted the original experimental query](https://github.com/github/codeql/pull/14342)!


@@ -0,0 +1,3 @@
## 2.1.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.1.0
lastReleaseVersion: 2.1.1


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 2.1.1-dev
version: 2.1.2-dev
groups:
- javascript
- queries


@@ -0,0 +1,10 @@
const express = require('express');
const app = express();
app.get('/test/json', function(req, res) {
res.json(req.query.data);
});
app.get('/test/jsonp', function(req, res) {
res.jsonp(req.query.data);
});


@@ -131,6 +131,12 @@ test_isRequest
| src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:7:2:7:4 | req |
| src/json.js:4:32:4:34 | req |
| src/json.js:4:32:4:34 | req |
| src/json.js:5:14:5:16 | req |
| src/json.js:8:33:8:35 | req |
| src/json.js:8:33:8:35 | req |
| src/json.js:9:15:9:17 | req |
| src/middleware-flow.js:5:20:5:22 | req |
| src/middleware-flow.js:5:20:5:22 | req |
| src/middleware-flow.js:6:5:6:7 | req |
@@ -201,6 +207,8 @@ test_RouteSetup
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() | false |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() | false |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | src/json.js:2:13:2:21 | express() | false |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | src/json.js:2:13:2:21 | express() | false |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:2:13:2:21 | express() | true |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:2:13:2:21 | express() | false |
| src/middleware-flow.js:39:1:43:2 | unrelat ... .db;\\n}) | src/middleware-flow.js:37:22:37:30 | express() | false |
@@ -345,6 +353,14 @@ test_isResponse
| src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:5:2:5:4 | res |
| src/inheritedFromNode.js:6:2:6:4 | res |
| src/json.js:4:37:4:39 | res |
| src/json.js:4:37:4:39 | res |
| src/json.js:5:5:5:7 | res |
| src/json.js:5:5:5:28 | res.jso ... y.data) |
| src/json.js:8:38:8:40 | res |
| src/json.js:8:38:8:40 | res |
| src/json.js:9:5:9:7 | res |
| src/json.js:9:5:9:29 | res.jso ... y.data) |
| src/middleware-flow.js:5:25:5:27 | res |
| src/middleware-flow.js:17:30:17:32 | res |
| src/middleware-flow.js:23:23:23:25 | res |
@@ -575,6 +591,12 @@ test_RequestExpr
| src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:7:2:7:4 | req | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:32:4:34 | req | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:4:32:4:34 | req | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:5:14:5:16 | req | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:33:8:35 | req | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/json.js:8:33:8:35 | req | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/json.js:9:15:9:17 | req | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:5:20:5:22 | req | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:5:20:5:22 | req | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:6:5:6:7 | req | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
@@ -627,6 +649,7 @@ test_appCreation
| src/express4.js:2:11:2:19 | express() |
| src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:2:11:2:19 | express() |
| src/json.js:2:13:2:21 | express() |
| src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:37:22:37:30 | express() |
| src/params.js:2:11:2:19 | express() |
@@ -651,6 +674,8 @@ test_ResponseBody
| src/express.js:61:12:61:25 | req.params.foo | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:67:12:67:25 | req.params.foo | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:73:12:73:19 | req.path | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/json.js:5:14:5:27 | req.query.data | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:9:15:9:28 | req.query.data | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/params.js:8:18:8:22 | value | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:15:12:15:18 | "Hello" | src/params.js:14:24:16:1 | functio ... lo");\\n} |
test_ResponseExpr
@@ -820,6 +845,14 @@ test_ResponseExpr
| src/inheritedFromNode.js:4:29:4:31 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:5:2:5:4 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/inheritedFromNode.js:6:2:6:4 | res | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:37:4:39 | res | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:4:37:4:39 | res | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:5:5:5:7 | res | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:5:5:5:28 | res.jso ... y.data) | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:38:8:40 | res | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/json.js:8:38:8:40 | res | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/json.js:9:5:9:7 | res | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/json.js:9:5:9:29 | res.jso ... y.data) | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:5:25:5:27 | res | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:17:30:17:32 | res | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:23:23:23:25 | res | src/middleware-flow.js:23:17:23:41 | (req, r ... q.db; } |
@@ -940,6 +973,8 @@ test_RouteHandler
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:36:65:38 | req | src/express.js:65:41:65:43 | res |
| src/express.js:71:23:75:1 | functio ... res);\\n} | src/express.js:71:32:71:34 | req | src/express.js:71:37:71:39 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:29:4:31 | res |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:32:4:34 | req | src/json.js:4:37:4:39 | res |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:33:8:35 | req | src/json.js:8:38:8:40 | res |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:5:20:5:22 | req | src/middleware-flow.js:5:25:5:27 | res |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:25:17:27 | req | src/middleware-flow.js:17:30:17:32 | res |
| src/middleware-flow.js:23:17:23:41 | (req, r ... q.db; } | src/middleware-flow.js:23:18:23:20 | req | src/middleware-flow.js:23:23:23:25 | res |
@@ -972,6 +1007,8 @@ test_HeaderDefinition
| src/express.js:66:3:66:42 | res.hea ... plain") | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:72:3:72:41 | res.hea ... /html") | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:6:2:6:16 | res.setHeader() | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:5:5:5:28 | res.jso ... y.data) | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:9:5:9:29 | res.jso ... y.data) | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/responseExprs.js:19:5:19:16 | res.append() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:37:5:37:28 | f(res.a ... ppend() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
| src/responseExprs.js:37:7:37:18 | res.append() | src/responseExprs.js:16:30:42:1 | functio ... }\\n} |
@@ -1036,6 +1073,8 @@ test_RouteHandlerExpr
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:1:69:2 | app.get ... es);\\n}) | true |
| src/express.js:71:23:75:1 | functio ... res);\\n} | src/express.js:71:1:75:2 | app.get ... es);\\n}) | true |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | true |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:1:6:2 | app.get ... ta);\\n}) | true |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:1:10:2 | app.get ... ta);\\n}) | true |
| src/middleware-flow.js:13:16:13:24 | installDb | src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | false |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | true |
| src/middleware-flow.js:27:23:27:32 | routers[p] | src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | true |
@@ -1068,6 +1107,7 @@ test_isRouterCreation
| src/express4.js:2:11:2:19 | express() |
| src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:2:11:2:19 | express() |
| src/json.js:2:13:2:21 | express() |
| src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:37:22:37:30 | express() |
| src/params.js:2:11:2:19 | express() |
@@ -1111,6 +1151,8 @@ test_RequestInputAccess
| src/express.js:67:12:67:25 | req.params.foo | parameter | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:73:12:73:19 | req.path | url | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:7:2:7:8 | req.url | url | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:5:14:5:27 | req.query.data | parameter | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:9:15:9:28 | req.query.data | parameter | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/params.js:4:35:4:39 | value | parameter | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:5:17:5:28 | req.query.xx | parameter | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:6:17:6:24 | req.body | body | src/params.js:4:18:12:1 | (req, r ... }\\n} |
@@ -1125,6 +1167,8 @@ test_ResponseSendArgument
| src/express.js:61:12:61:25 | req.params.foo | src/express.js:59:23:63:1 | functio ... res);\\n} |
| src/express.js:67:12:67:25 | req.params.foo | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:73:12:73:19 | req.path | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/json.js:5:14:5:27 | req.query.data | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:9:15:9:28 | req.query.data | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/params.js:8:18:8:22 | value | src/params.js:4:18:12:1 | (req, r ... }\\n} |
| src/params.js:15:12:15:18 | "Hello" | src/params.js:14:24:16:1 | functio ... lo");\\n} |
test_RouteSetup_getRouter
@@ -1182,6 +1226,8 @@ test_RouteSetup_getRouter
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | src/json.js:2:13:2:21 | express() |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | src/json.js:2:13:2:21 | express() |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | src/middleware-flow.js:2:13:2:21 | express() |
@@ -1226,6 +1272,8 @@ test_RouteSetup_getServer
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | src/json.js:2:13:2:21 | express() |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | src/json.js:2:13:2:21 | express() |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:39:1:43:2 | unrelat ... .db;\\n}) | src/middleware-flow.js:37:22:37:30 | express() |
@@ -1266,6 +1314,8 @@ test_StandardRouteHandler
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:2:11:2:19 | express() | src/express.js:65:36:65:38 | req | src/express.js:65:41:65:43 | res |
| src/express.js:71:23:75:1 | functio ... res);\\n} | src/express.js:2:11:2:19 | express() | src/express.js:71:32:71:34 | req | src/express.js:71:37:71:39 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:2:11:2:19 | express() | src/inheritedFromNode.js:4:24:4:26 | req | src/inheritedFromNode.js:4:29:4:31 | res |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:2:13:2:21 | express() | src/json.js:4:32:4:34 | req | src/json.js:4:37:4:39 | res |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:2:13:2:21 | express() | src/json.js:8:33:8:35 | req | src/json.js:8:38:8:40 | res |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:5:20:5:22 | req | src/middleware-flow.js:5:25:5:27 | res |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:17:25:17:27 | req | src/middleware-flow.js:17:30:17:32 | res |
| src/middleware-flow.js:39:23:43:1 | (req, r ... s.db;\\n} | src/middleware-flow.js:37:22:37:30 | express() | src/middleware-flow.js:39:24:39:26 | req | src/middleware-flow.js:39:29:39:31 | res |
@@ -1322,6 +1372,8 @@ test_HeaderDefinition_defines
| src/express.js:60:3:60:47 | res.hea ... n/xml") | content-type | application/xml |
| src/express.js:66:3:66:42 | res.hea ... plain") | content-type | text/plain |
| src/express.js:72:3:72:41 | res.hea ... /html") | content-type | text/html |
| src/json.js:5:5:5:28 | res.jso ... y.data) | content-type | application/json |
| src/json.js:9:5:9:29 | res.jso ... y.data) | content-type | application/json |
test_RouteHandlerExpr_getBody
| src/advanced-routehandler-registration.js:51:9:51:60 | (req, r ... tever") | src/advanced-routehandler-registration.js:51:9:51:60 | (req, r ... tever") |
| src/advanced-routehandler-registration.js:64:9:64:53 | (req, r ... q, res) | src/advanced-routehandler-registration.js:64:9:64:53 | (req, r ... q, res) |
@@ -1346,6 +1398,8 @@ test_RouteHandlerExpr_getBody
| src/express.js:65:27:69:1 | functio ... res);\\n} | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:71:23:75:1 | functio ... res);\\n} | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:13:16:13:24 | installDb | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:39:23:43:1 | (req, r ... s.db;\\n} | src/middleware-flow.js:39:23:43:1 | (req, r ... s.db;\\n} |
@@ -1466,6 +1520,8 @@ test_RouteSetup_getARouteHandler
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | src/middleware-flow.js:23:17:23:41 | (req, r ... q.db; } |
@@ -1526,6 +1582,8 @@ test_RouteSetup_getRequestMethod
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | GET |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | GET |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | POST |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | GET |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | GET |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | GET |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | GET |
| src/middleware-flow.js:39:1:43:2 | unrelat ... .db;\\n}) | GET |
@@ -1699,6 +1757,12 @@ test_RouteHandler_getARequestExpr
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:24:4:26 | req |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:7:2:7:4 | req |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:32:4:34 | req |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:32:4:34 | req |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:5:14:5:16 | req |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:33:8:35 | req |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:33:8:35 | req |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:9:15:9:17 | req |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:5:20:5:22 | req |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:5:20:5:22 | req |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:6:5:6:7 | req |
@@ -1909,6 +1973,14 @@ test_RouteHandler_getAResponseExpr
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:4:29:4:31 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:5:2:5:4 | res |
| src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} | src/inheritedFromNode.js:6:2:6:4 | res |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:37:4:39 | res |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:4:37:4:39 | res |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:5:5:5:7 | res |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | src/json.js:5:5:5:28 | res.jso ... y.data) |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:38:8:40 | res |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:8:38:8:40 | res |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:9:5:9:7 | res |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | src/json.js:9:5:9:29 | res.jso ... y.data) |
| src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} | src/middleware-flow.js:5:25:5:27 | res |
| src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } | src/middleware-flow.js:17:30:17:32 | res |
| src/middleware-flow.js:23:17:23:41 | (req, r ... q.db; } | src/middleware-flow.js:23:23:23:25 | res |
@@ -2041,6 +2113,8 @@ test_RouteSetup_getRouteHandlerExpr
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | 0 | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | 0 | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | 0 | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | 0 | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | 0 | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | 0 | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | 0 | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | 0 | src/middleware-flow.js:27:23:27:32 | routers[p] |
@@ -2073,6 +2147,8 @@ test_HeaderDefinition_getAHeaderName
| src/express.js:60:3:60:47 | res.hea ... n/xml") | content-type |
| src/express.js:66:3:66:42 | res.hea ... plain") | content-type |
| src/express.js:72:3:72:41 | res.hea ... /html") | content-type |
| src/json.js:5:5:5:28 | res.jso ... y.data) | content-type |
| src/json.js:9:5:9:29 | res.jso ... y.data) | content-type |
test_RouteHandlerExpr_getAsSubRouter
| src/csurf-example.js:13:17:13:19 | api | src/csurf-example.js:30:16:30:35 | new express.Router() |
| src/express2.js:6:9:6:14 | router | src/express2.js:2:14:2:23 | e.Router() |
@@ -2089,6 +2165,8 @@ test_RouteHandler_getAResponseHeader
| src/express.js:65:27:69:1 | functio ... res);\\n} | content-type | src/express.js:66:3:66:42 | res.hea ... plain") |
| src/express.js:71:23:75:1 | functio ... res);\\n} | access-control-allow-credentials | src/express.js:12:3:12:54 | arg.hea ... , true) |
| src/express.js:71:23:75:1 | functio ... res);\\n} | content-type | src/express.js:72:3:72:41 | res.hea ... /html") |
| src/json.js:4:23:6:1 | functio ... ata);\\n} | content-type | src/json.js:5:5:5:28 | res.jso ... y.data) |
| src/json.js:8:24:10:1 | functio ... ata);\\n} | content-type | src/json.js:9:5:9:29 | res.jso ... y.data) |
test_RouteSetup_getARouteHandlerExpr
| src/advanced-routehandler-registration.js:10:3:10:24 | app.get ... es0[p]) | src/advanced-routehandler-registration.js:10:14:10:23 | routes0[p] |
| src/advanced-routehandler-registration.js:19:3:19:18 | app.use(handler) | src/advanced-routehandler-registration.js:19:11:19:17 | handler |
@@ -2149,6 +2227,8 @@ test_RouteSetup_getARouteHandlerExpr
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | src/middleware-flow.js:27:23:27:32 | routers[p] |
@@ -2181,6 +2261,7 @@ test_RouterDefinition_RouterDefinition
| src/express4.js:2:11:2:19 | express() |
| src/express.js:2:11:2:19 | express() |
| src/inheritedFromNode.js:2:11:2:19 | express() |
| src/json.js:2:13:2:21 | express() |
| src/middleware-flow.js:2:13:2:21 | express() |
| src/middleware-flow.js:37:22:37:30 | express() |
| src/params.js:2:11:2:19 | express() |
@@ -2216,6 +2297,8 @@ test_RouterDefinition_getARouteHandler
| src/express.js:2:11:2:19 | express() | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:2:11:2:19 | express() | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:2:11:2:19 | express() | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:2:13:2:21 | express() | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:2:13:2:21 | express() | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:5:1:10:1 | functio ... xt();\\n} |
| src/middleware-flow.js:2:13:2:21 | express() | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:37:22:37:30 | express() | src/middleware-flow.js:39:23:43:1 | (req, r ... s.db;\\n} |
@@ -2334,6 +2417,8 @@ test_RouteSetup_getLastRouteHandlerExpr
| src/express.js:65:1:69:2 | app.get ... es);\\n}) | src/express.js:65:27:69:1 | functio ... res);\\n} |
| src/express.js:71:1:75:2 | app.get ... es);\\n}) | src/express.js:71:23:75:1 | functio ... res);\\n} |
| src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
| src/json.js:4:1:6:2 | app.get ... ta);\\n}) | src/json.js:4:23:6:1 | functio ... ata);\\n} |
| src/json.js:8:1:10:2 | app.get ... ta);\\n}) | src/json.js:8:24:10:1 | functio ... ata);\\n} |
| src/middleware-flow.js:13:5:13:25 | router. ... tallDb) | src/middleware-flow.js:13:16:13:24 | installDb |
| src/middleware-flow.js:17:5:21:6 | router. ... \\n }) | src/middleware-flow.js:17:24:21:5 | (req, r ... ;\\n } |
| src/middleware-flow.js:27:9:27:33 | router. ... ers[p]) | src/middleware-flow.js:27:23:27:32 | routers[p] |


@@ -63,6 +63,7 @@
| fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| graph-ql.js:20:19:20:22 | expr | graph-ql.js:28:32:28:39 | req.body | graph-ql.js:20:19:20:22 | expr | This code execution depends on a $@. | graph-ql.js:28:32:28:39 | req.body | user-provided value |
| graph-ql.js:39:19:39:30 | name + title | graph-ql.js:28:32:28:39 | req.body | graph-ql.js:39:19:39:30 | name + title | This code execution depends on a $@. | graph-ql.js:28:32:28:39 | req.body | user-provided value |
| graph-ql.js:66:23:66:27 | value | graph-ql.js:65:22:65:30 | { value } | graph-ql.js:66:23:66:27 | value | This code execution depends on a $@. | graph-ql.js:65:22:65:30 | { value } | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -173,6 +174,8 @@ edges
| graph-ql.js:39:19:39:22 | name | graph-ql.js:39:19:39:30 | name + title | provenance | |
| graph-ql.js:39:26:39:30 | title | graph-ql.js:39:19:39:30 | name + title | provenance | |
| graph-ql.js:54:21:54:29 | variables | graph-ql.js:38:13:38:27 | { name, title } | provenance | |
| graph-ql.js:65:22:65:30 | { value } | graph-ql.js:65:24:65:28 | value | provenance | |
| graph-ql.js:65:24:65:28 | value | graph-ql.js:66:23:66:27 | value | provenance | |
| react-native.js:7:7:7:13 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:13 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:13 | tainted | provenance | |
@@ -323,6 +326,9 @@ nodes
| graph-ql.js:39:19:39:30 | name + title | semmle.label | name + title |
| graph-ql.js:39:26:39:30 | title | semmle.label | title |
| graph-ql.js:54:21:54:29 | variables | semmle.label | variables |
| graph-ql.js:65:22:65:30 | { value } | semmle.label | { value } |
| graph-ql.js:65:24:65:28 | value | semmle.label | value |
| graph-ql.js:66:23:66:27 | value | semmle.label | value |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:13 | tainted | semmle.label | tainted |


@@ -72,6 +72,8 @@ edges
| graph-ql.js:39:19:39:22 | name | graph-ql.js:39:19:39:30 | name + title | provenance | |
| graph-ql.js:39:26:39:30 | title | graph-ql.js:39:19:39:30 | name + title | provenance | |
| graph-ql.js:54:21:54:29 | variables | graph-ql.js:38:13:38:27 | { name, title } | provenance | |
| graph-ql.js:65:22:65:30 | { value } | graph-ql.js:65:24:65:28 | value | provenance | |
| graph-ql.js:65:24:65:28 | value | graph-ql.js:66:23:66:27 | value | provenance | |
| react-native.js:7:7:7:13 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:13 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:13 | tainted | provenance | |
@@ -224,6 +226,9 @@ nodes
| graph-ql.js:39:19:39:30 | name + title | semmle.label | name + title |
| graph-ql.js:39:26:39:30 | title | semmle.label | title |
| graph-ql.js:54:21:54:29 | variables | semmle.label | variables |
| graph-ql.js:65:22:65:30 | { value } | semmle.label | { value } |
| graph-ql.js:65:24:65:28 | value | semmle.label | value |
| graph-ql.js:66:23:66:27 | value | semmle.label | value |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:13 | tainted | semmle.label | tainted |
