Merge branch 'main' into redsun82/rust-fix-test

2025-12-17 01:03:14 +01:00 · 2025-02-28 09:31:25 +01:00
parent 855dc09ea5 93b11146d8
commit b73e8dc74b
14 changed files with 416 additions and 20 deletions
--- a/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
+++ b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["github/codeql-action/analyze"]
+      - ["github/codeql-action/autobuild"]
+      - ["github/codeql-action/init"]
+      - ["github/codeql-action/resolve-environment"]
+      - ["github/codeql-action/start-proxy"]
+      - ["github/codeql-action/upload-sarif"]
+      - ["octokit/request-action"]
--- a/actions/ql/extensions/immutable-actions-list/qlpack.yml
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -0,0 +1,14 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: codeql/immutable-actions-list
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+extensionTargets:
+  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+  # bump the major version to 2.
+  codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml
--- a/actions/ql/lib/ext/config/immutable_actions.yml
+++ b/actions/ql/lib/ext/config/immutable_actions.yml
@@ -2,21 +2,9 @@ extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: immutableActionsDataModel
-    data:
-      - ["actions/checkout"]
-      - ["actions/cache"]
-      - ["actions/setup-node"]
-      - ["actions/upload-artifact"]
-      - ["actions/setup-python"]
-      - ["actions/download-artifact"]
-      - ["actions/github-script"]
-      - ["actions/setup-java"]
-      - ["actions/setup-go"]
-      - ["actions/upload-pages-artifact"]
-      - ["actions/deploy-pages"]
-      - ["actions/setup-dotnet"]
-      - ["actions/stale"]
-      - ["actions/labeler"]
-      - ["actions/create-github-app-token"]
-      - ["actions/configure-pages"]
-      - ["octokit/request-action"]
+    # Since the Immutable Actions feature is not yet available to customers, we won't alert about
+    # any unversioned immutable action references for now. Within GitHub, we'll include the
+    # `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
+    # for internal use. Once the feature is available to customers, we'll move that list back into
+    # this file.
+    data: []
--- a/actions/ql/lib/ext/config/trusted_actions_owner.yml
+++ b/actions/ql/lib/ext/config/trusted_actions_owner.yml
@@ -5,4 +5,4 @@ extensions:
    data:      
      - ["actions"]
      - ["github"]
-      - ["advanced-security"]
+      - ["advanced-security"]
--- a/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
+++ b/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
@@ -0,0 +1,7 @@
+---
+category: fix
+---
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+  Immutable Actions feature is not yet available for customer use. The query remains in the
+  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+  available, the query will be updated to report alerts again.
--- a/actions/ql/test/qlpack.yml
+++ b/actions/ql/test/qlpack.yml
@@ -3,6 +3,10 @@ groups: [codeql, test]
 dependencies:
  codeql/actions-all: ${workspace}
  codeql/actions-queries: ${workspace}
+  # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
+  # We can remove this dependency when we incorporate the data from that model pack back into the
+  # standard library pack.
+  codeql/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -17,7 +17,7 @@ provide:
  - "misc/legacy-support/*/qlpack.yml"
  - "misc/suite-helpers/qlpack.yml"
  - ".github/codeql/extensions/**/codeql-pack.yml"
-
+  - "actions/ql/extensions/**/qlpack.yml"
 versionPolicies:
  default:
    requireChangeNotes: true
--- a/go/.gitignore
+++ b/go/.gitignore
@@ -0,0 +1,4 @@
+# artifacts of running `make test`
+data/
+lock
+size
--- a/go/ql/lib/change-notes/2025-02-25-go-database-rqlite-sources.md
+++ b/go/ql/lib/change-notes/2025-02-25-go-database-rqlite-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `database` source models for the `github.com/rqlite/gorqlite` package.
--- a/go/ql/lib/change-notes/2025-02-27-go-version-1-24.md
+++ b/go/ql/lib/change-notes/2025-02-27-go-version-1-24.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Go 1.24 is now supported. This includes the new language feature of generic type aliases.
--- a/go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml
+++ b/go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml
@@ -3,8 +3,21 @@ extensions:
      pack: codeql/go-all
      extensible: packageGrouping
    data:
+      - ["gorqlite", "github.com/kanikanema/gorqlite"]
      - ["gorqlite", "github.com/rqlite/gorqlite"]
      - ["gorqlite", "github.com/raindog308/gorqlite"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["group:gorqlite", "Connection", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterized", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryOneParameterizedContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterized", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["group:gorqlite", "Connection", True, "QueryParameterizedContext", "", "", "ReturnValue[0]", "database", "manual"]
  - addsTo:
      pack: codeql/go-all
      extensible: sinkModel
@@ -33,3 +46,9 @@ extensions:
      - ["group:gorqlite", "Connection", True, "WriteOneParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
      - ["group:gorqlite", "Connection", True, "WriteParameterized", "", "", "Argument[0]", "sql-injection", "manual"]
      - ["group:gorqlite", "Connection", True, "WriteParameterizedContext", "", "", "Argument[1]", "sql-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["group:gorqlite", "QueryResult", True, "Map", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
+      - ["group:gorqlite", "QueryResult", True, "Slice", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
--- a/go/ql/lib/semmle/go/frameworks/Gorqlite.qll
+++ b/go/ql/lib/semmle/go/frameworks/Gorqlite.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `gorqlite` package.
+ */
+
+import go
+
+/**
+ * Provides classes modeling security-relevant aspects of the `gorqlite` package.
+ */
+module Gorqlite {
+  private string packagePath() {
+    result =
+      package([
+          "github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite",
+          "github.com/kanikanema/gorqlite"
+        ], "")
+  }
+
+  // These are expressed using TaintTracking::FunctionModel because varargs functions don't work with Models-as-Data summaries yet.
+  private class QueryResultScan extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    QueryResultScan() {
+      // signature: func (qr *QueryResult) Scan(dest ...interface{}) error
+      this.hasQualifiedName(packagePath(), "QueryResult", "Scan") and
+      inp.isReceiver() and
+      outp.isParameter(_)
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_rqlite_gorqlite.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_rqlite_gorqlite.go
@@ -0,0 +1,84 @@
+package test
+
+//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection,QueryResult
+
+import (
+	"context"
+
+	"github.com/rqlite/gorqlite"
+)
+
+func parameterize(query string) gorqlite.ParameterizedStatement {
+	return gorqlite.ParameterizedStatement{
+		Query:     query,
+		Arguments: []interface{}{},
+	}
+}
+
+func test_rqlite_gorqlite(conn *gorqlite.Connection, ctx context.Context, query []string) {
+	v1, err := conn.Query(query) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v1) // $ hasTaintFlow="v1"
+
+	v2, err := conn.QueryContext(ctx, query) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v2) // $ hasTaintFlow="v2"
+
+	v3, err := conn.QueryOne(query[0]) // $ source
+	if err != nil {
+		return
+	}
+
+	r3, err := v3.Slice()
+	if err != nil {
+		return
+	}
+
+	sink(r3) // $ hasTaintFlow="r3"
+
+	v4, err := conn.QueryOneContext(ctx, query[0]) // $ source
+	if err != nil {
+		return
+	}
+
+	var r41, r42, r43 string
+	v4.Scan(&r41, &r42, &r43)
+
+	v5, err := conn.QueryOneParameterized(parameterize(query[0])) // $ source
+	if err != nil {
+		return
+	}
+
+	r5, err := v5.Map()
+
+	r5Name := r5["name"]
+
+	sink(r5Name) // $ hasTaintFlow="r5Name"
+
+	v6, err := conn.QueryOneParameterizedContext(ctx, parameterize(query[0])) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v6) // $ hasTaintFlow="v6"
+
+	v7, err := conn.QueryParameterized([]gorqlite.ParameterizedStatement{parameterize(query[0])}) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v7) // $ hasTaintFlow="v7"
+
+	v8, err := conn.QueryParameterizedContext(ctx, []gorqlite.ParameterizedStatement{parameterize(query[0])}) // $ source
+	if err != nil {
+		return
+	}
+
+	sink(v8) // $ hasTaintFlow="v8"
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/rqlite/gorqlite/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/vendor/github.com/rqlite/gorqlite/stub.go
@@ -0,0 +1,205 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/rqlite/gorqlite, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/rqlite/gorqlite (exports: Connection,QueryResult; functions: )
+
+// Package gorqlite is a stub of github.com/rqlite/gorqlite, generated by depstubber.
+package gorqlite
+
+import (
+	context "context"
+)
+
+type Connection struct {
+	ID string
+}
+
+func (_ *Connection) Close() {}
+
+func (_ *Connection) ConsistencyLevel() (string, error) {
+	return "", nil
+}
+
+func (_ *Connection) Leader() (string, error) {
+	return "", nil
+}
+
+func (_ *Connection) Peers() ([]string, error) {
+	return nil, nil
+}
+
+func (_ *Connection) Query(_ []string) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryContext(_ context.Context, _ []string) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryOne(_ string) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryOneContext(_ context.Context, _ string) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryOneParameterized(_ ParameterizedStatement) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryOneParameterizedContext(_ context.Context, _ ParameterizedStatement) (QueryResult, error) {
+	return QueryResult{}, nil
+}
+
+func (_ *Connection) QueryParameterized(_ []ParameterizedStatement) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) QueryParameterizedContext(_ context.Context, _ []ParameterizedStatement) ([]QueryResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) Queue(_ []string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueContext(_ context.Context, _ []string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOne(_ string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOneContext(_ context.Context, _ string) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOneParameterized(_ ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueOneParameterizedContext(_ context.Context, _ ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueParameterized(_ []ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) QueueParameterizedContext(_ context.Context, _ []ParameterizedStatement) (int64, error) {
+	return 0, nil
+}
+
+func (_ *Connection) Request(_ []string) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) RequestContext(_ context.Context, _ []string) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) RequestParameterized(_ []ParameterizedStatement) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) RequestParameterizedContext(_ context.Context, _ []ParameterizedStatement) ([]RequestResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) SetConsistencyLevel(_ interface{}) error {
+	return nil
+}
+
+func (_ *Connection) SetExecutionWithTransaction(_ bool) error {
+	return nil
+}
+
+func (_ *Connection) Write(_ []string) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteContext(_ context.Context, _ []string) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteOne(_ string) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteOneContext(_ context.Context, _ string) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteOneParameterized(_ ParameterizedStatement) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteOneParameterizedContext(_ context.Context, _ ParameterizedStatement) (WriteResult, error) {
+	return WriteResult{}, nil
+}
+
+func (_ *Connection) WriteParameterized(_ []ParameterizedStatement) ([]WriteResult, error) {
+	return nil, nil
+}
+
+func (_ *Connection) WriteParameterizedContext(_ context.Context, _ []ParameterizedStatement) ([]WriteResult, error) {
+	return nil, nil
+}
+
+type ParameterizedStatement struct {
+	Query     string
+	Arguments []interface{}
+}
+
+type QueryResult struct {
+	Err    error
+	Timing float64
+}
+
+func (_ *QueryResult) Columns() []string {
+	return nil
+}
+
+func (_ *QueryResult) Map() (map[string]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *QueryResult) Next() bool {
+	return false
+}
+
+func (_ *QueryResult) NumRows() int64 {
+	return 0
+}
+
+func (_ *QueryResult) RowNumber() int64 {
+	return 0
+}
+
+func (_ *QueryResult) Scan(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *QueryResult) Slice() ([]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *QueryResult) Types() []string {
+	return nil
+}
+
+type RequestResult struct {
+	Err   error
+	Query *QueryResult
+	Write *WriteResult
+}
+
+type WriteResult struct {
+	Err          error
+	Timing       float64
+	RowsAffected int64
+	LastInsertID int64
+}