Overlay: Add overlay annotations to Java & shared libraries

This commit is contained in:
Kasper Svendsen
2025-06-16 13:06:31 +02:00
parent 2218a981f6
commit c207cfdeb7
428 changed files with 966 additions and 0 deletions


@@ -2,6 +2,8 @@
* Provides predicates for reasoning about regular expressions
* that match URLs and hostname patterns.
*/
overlay[local?]
module;
private import RegexTreeView
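Review bot: The `overlay[local?]` annotation added at line 16 comes with no note on what makes this module safe to mark as local, and the doc comment directly above it says nothing about overlay evaluation. Because this commit applies the same annotation across hundreds of files, a maintainer who later adds a predicate with cross-file dependencies to one of them has nothing in the file telling them the annotation would then be wrong. Consider extending the header comment with a line such as `* Annotated overlay[local?]: keep the predicates here free of cross-file dependencies.`, or a pointer to wherever the overlay conventions are documented. The hunk header announces 8 new-side lines but only 6 are visible here, so the rest of the hunk is outside what is shown.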


@@ -2,6 +2,8 @@
* Provides predicates for reasoning about regular expressions
* without anchors.
*/
overlay[local?]
module;
private import RegexTreeView
import HostnameRegexp as HostnameShared


@@ -1,6 +1,8 @@
/**
* Classes and predicates for working with suspicious character ranges.
*/
overlay[local?]
module;
private import RegexTreeView


@@ -1,6 +1,8 @@
/**
* This file contains a `RegexTreeViewSig` module describing the syntax tree of regular expressions.
*/
overlay[local?]
module;
/**
* A signature describing the syntax tree of regular expressions.


@@ -1,6 +1,8 @@
/**
* Provides predicates for reasoning about bad tag filter vulnerabilities.
*/
overlay[local?]
module;
private import NfaUtils as NfaUtils
private import RegexpMatching as RM


@@ -61,6 +61,8 @@
* * Lastly we ensure that any state reached by repeating `n` copies of `w` has
* a suffix `x` (possible empty) that is most likely __not__ accepted.
*/
overlay[local?]
module;
private import NfaUtils as NfaUtils
private import codeql.regex.RegexTreeView


@@ -1,6 +1,8 @@
/**
* A shared library for creating and reasoning about NFA's.
*/
overlay[local?]
module;
private import codeql.regex.RegexTreeView
private import codeql.util.Numbers


@@ -2,6 +2,8 @@
* Provides predicates for reasoning about which strings are matched by a regular expression,
* and for testing which capture groups are filled when a particular regexp matches a string.
*/
overlay[local?]
module;
private import NfaUtils as NfaUtils
private import codeql.regex.RegexTreeView


@@ -34,6 +34,8 @@
* It has the same suffix detection issue as the `js/redos` query, which can cause false positives.
* It also doesn't find all transitions in the product automaton, which can cause false negatives.
*/
overlay[local?]
module;
private import NfaUtils as NfaUtils
private import codeql.regex.RegexTreeView
@@ -99,6 +101,7 @@ module Make<RegexTreeViewSig TreeImpl> {
/**
* Holds if the tuple `(r1, r2, r3)` might be on path from a start-state to an end-state in the product automaton.
*/
overlay[caller]
pragma[inline]
predicate isFeasibleTuple(State r1, State r2, State r3) {
// The first element is either inside a repetition (or the start state itself)
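Review bot: `overlay[caller]` is added to `isFeasibleTuple` at line 110 with no comment on why this one predicate is treated differently from the surrounding module, which the same commit annotates `overlay[local?]` at line 102. Presumably it follows from the `pragma[inline]` on the next line — an inlined predicate ends up evaluated in its callers' context — but that reasoning is not recorded, so a later change that removes `pragma[inline]` would silently leave a stale annotation behind. A one-line note above the annotation such as `// Inlined into callers, so overlay evaluation must happen there as well` would make the coupling between the two annotations explicit. The body of `isFeasibleTuple` continues past the last line shown here.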