Merge branch 'main' into main

Raul Garcia
2023-03-29 20:27:03 -07:00
committed by GitHub
512 changed files with 20623 additions and 5243 deletions


@@ -50,7 +50,7 @@ jobs:
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
- name: Install cargo-cross
if: runner.os == 'Linux'
run: cargo install cross --version 0.2.1
run: cargo install cross --version 0.2.5
- uses: ./.github/actions/os-version
id: os_version
- name: Cache entire extractor
@@ -85,7 +85,12 @@ jobs:
# This ensures we don't depend on glibc > 2.17.
- name: Release build (linux)
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
run: cd extractor && cross build --release
run: |
cd extractor
cross build --release
mv target/x86_64-unknown-linux-gnu/release/extractor target/release/
mv target/x86_64-unknown-linux-gnu/release/autobuilder target/release/
mv target/x86_64-unknown-linux-gnu/release/generator target/release/
- name: Release build (windows and macos)
if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
run: cd extractor && cargo build --release
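Review bot: The `cargo install cross --version 0.2.5` step pins the tool's version but not its dependency graph, so every uncached CI run resolves whatever semver-compatible crates are current at that moment. Adding `--locked` (`run: cargo install cross --version 0.2.5 --locked`) makes the install use the lockfile published with the crate, if it ships one, which keeps the build tool reproducible between runs. In the new Linux release step the directory `target/x86_64-unknown-linux-gnu` is hard-coded in three `mv` lines; a comment such as `# cross writes to target/<triple>/release; move the binaries to where later steps expect them` would explain why the step exists.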


@@ -4,6 +4,7 @@ on:
push:
paths:
- "ruby/**"
- "shared/**"
- .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml


@@ -0,0 +1,4 @@
---
category: fix
---
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.


@@ -591,24 +591,6 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
delta = D::fromInt(0) and
(upper = true or upper = false)
or
exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
// `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
not x instanceof SemConstantIntegerExpr and
not e1 instanceof SemConstantIntegerExpr and
if strictlyPositiveIntegralExpr(x)
then upper = false and delta = D::fromInt(1)
else
if semPositive(x)
then upper = false and delta = D::fromInt(0)
else
if strictlyNegativeIntegralExpr(x)
then upper = true and delta = D::fromInt(-1)
else
if semNegative(x)
then upper = true and delta = D::fromInt(0)
else none()
)
or
exists(SemExpr x, SemSubExpr sub |
e2 = sub and
sub.getLeftOperand() = e1 and
@@ -1043,13 +1025,193 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
delta = D::fromFloat(f) and
if semPositive(e) then f >= 0 else any()
)
or
exists(
SemBound bLeft, SemBound bRight, D::Delta dLeft, D::Delta dRight, boolean fbeLeft,
boolean fbeRight, D::Delta odLeft, D::Delta odRight, SemReason rLeft, SemReason rRight
|
boundedAddOperand(e, upper, bLeft, false, dLeft, fbeLeft, odLeft, rLeft) and
boundedAddOperand(e, upper, bRight, true, dRight, fbeRight, odRight, rRight) and
delta = D::fromFloat(D::toFloat(dLeft) + D::toFloat(dRight)) and
fromBackEdge = fbeLeft.booleanOr(fbeRight)
|
b = bLeft and origdelta = odLeft and reason = rLeft and bRight instanceof SemZeroBound
or
b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
)
or
exists(
SemRemExpr rem, SemZeroBound b1, SemZeroBound b2, D::Delta d_max, D::Delta d1, D::Delta d2,
boolean fbe1, boolean fbe2, D::Delta od1, D::Delta od2, SemReason r1, SemReason r2
|
rem = e and
not (upper = true and semPositive(rem.getRightOperand())) and
not (upper = true and semPositive(rem.getLeftOperand())) and
boundedRemExpr(rem, b1, true, d1, fbe1, od1, r1) and
boundedRemExpr(rem, b2, false, d2, fbe2, od2, r2) and
(
if D::toFloat(d1).abs() > D::toFloat(d2).abs()
then (
b = b1 and d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
) else (
b = b2 and d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
)
)
|
upper = true and delta = D::fromFloat(D::toFloat(d_max).abs() - 1)
or
upper = false and delta = D::fromFloat(-D::toFloat(d_max).abs() + 1)
)
or
exists(
D::Delta dLeft, D::Delta dRight, boolean fbeLeft, boolean fbeRight, D::Delta odLeft,
D::Delta odRight, SemReason rLeft, SemReason rRight
|
boundedMulOperand(e, upper, true, dLeft, fbeLeft, odLeft, rLeft) and
boundedMulOperand(e, upper, false, dRight, fbeRight, odRight, rRight) and
delta = D::fromFloat(D::toFloat(dLeft) * D::toFloat(dRight)) and
fromBackEdge = fbeLeft.booleanOr(fbeRight)
|
b instanceof SemZeroBound and origdelta = odLeft and reason = rLeft
or
b instanceof SemZeroBound and origdelta = odRight and reason = rRight
)
)
}
pragma[nomagic]
private predicate boundedConditionalExpr(
SemConditionalExpr cond, SemBound b, boolean upper, boolean branch, D::Delta delta,
boolean fromBackEdge, D::Delta origdelta, SemReason reason
) {
bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
}
pragma[nomagic]
private predicate boundedAddOperand(
SemAddExpr add, boolean upper, SemBound b, boolean isLeft, D::Delta delta, boolean fromBackEdge,
D::Delta origdelta, SemReason reason
) {
// `semValueFlowStep` already handles the case where one of the operands is a constant.
not semValueFlowStep(add, _, _) and
(
isLeft = true and
bounded(add.getLeftOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
or
isLeft = false and
bounded(add.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
)
}
private predicate boundedRemExpr(
SemRemExpr rem, SemZeroBound b, boolean upper, D::Delta delta, boolean fromBackEdge,
D::Delta origdelta, SemReason reason
) {
bounded(rem.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
}
/**
* Define `cmp(true) = <=` and `cmp(false) = >=`.
*
* Holds if `mul = left * right`, and in order to know if `mul cmp(upper) 0 + k` (for
* some `k`) we need to know that `left cmp(upperLeft) 0 + k1` and
* `right cmp(upperRight) 0 + k2` (for some `k1` and `k2`).
*/
pragma[nomagic]
private predicate boundedMulOperandCand(
SemMulExpr mul, SemExpr left, SemExpr right, boolean upper, boolean upperLeft,
boolean upperRight
) {
not boundFlowStepMul(mul, _, _) and
mul.getLeftOperand() = left and
mul.getRightOperand() = right and
(
semPositive(left) and
(
// left, right >= 0
semPositive(right) and
(
// max(left * right) = max(left) * max(right)
upper = true and
upperLeft = true and
upperRight = true
or
// min(left * right) = min(left) * min(right)
upper = false and
upperLeft = false and
upperRight = false
)
or
// left >= 0, right <= 0
semNegative(right) and
(
// max(left * right) = min(left) * max(right)
upper = true and
upperLeft = false and
upperRight = true
or
// min(left * right) = max(left) * min(right)
upper = false and
upperLeft = true and
upperRight = false
)
)
or
semNegative(left) and
(
// left <= 0, right >= 0
semPositive(right) and
(
// max(left * right) = max(left) * min(right)
upper = true and
upperLeft = true and
upperRight = false
or
// min(left * right) = min(left) * max(right)
upper = false and
upperLeft = false and
upperRight = true
)
or
// left, right <= 0
semNegative(right) and
(
// max(left * right) = min(left) * min(right)
upper = true and
upperLeft = false and
upperRight = false
or
// min(left * right) = max(left) * max(right)
upper = false and
upperLeft = true and
upperRight = true
)
)
)
}
/**
* Holds if `isLeft = true` and `mul`'s left operand is bounded by `delta`,
* or if `isLeft = false` and `mul`'s right operand is bounded by `delta`.
*
* If `upper = true` the computed bound contributes to an upper bound of `mul`,
* and if `upper = false` it contributes to a lower bound.
* The `fromBackEdge`, `origdelta`, `reason` triple are defined by the recursive
* call to `bounded`.
*/
pragma[nomagic]
private predicate boundedMulOperand(
SemMulExpr mul, boolean upper, boolean isLeft, D::Delta delta, boolean fromBackEdge,
D::Delta origdelta, SemReason reason
) {
exists(boolean upperLeft, boolean upperRight, SemExpr left, SemExpr right |
boundedMulOperandCand(mul, left, right, upper, upperLeft, upperRight)
|
isLeft = true and
bounded(left, any(SemZeroBound zb), delta, upperLeft, fromBackEdge, origdelta, reason)
or
isLeft = false and
bounded(right, any(SemZeroBound zb), delta, upperRight, fromBackEdge, origdelta, reason)
)
}
}
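Review bot: In the new addition case the operand names are crossed: `boundedAddOperand(e, upper, bLeft, false, dLeft, …)` passes `isLeft = false`, which `boundedAddOperand` maps to `add.getRightOperand()`, while the `bRight` call passes `true`. The computed bound is unaffected, because the delta sum, the `booleanOr` and the two `SemZeroBound` disjuncts are symmetric, but anyone tracing an unexpected range back through this case will inspect the wrong operand. Swapping the two literals (`… bLeft, true, dLeft, …` and `… bRight, false, dRight, …`) makes the names match. `boundedRemExpr` is also the only new helper without `pragma[nomagic]` or a QLDoc comment; a line stating whether that is deliberate would help.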


@@ -8,3 +8,4 @@ upgrades: upgrades
dependencies:
codeql/ssa: ${workspace}
codeql/tutorial: ${workspace}
codeql/util: ${workspace}


@@ -8,6 +8,7 @@ private import DataFlowImplCommon
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommonPublic
private import codeql.util.Unit
import DataFlow
/**


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
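Review bot: Nothing next to `module PathGraph = I::PathGraph;` records why the blanket `import I` was replaced by this single alias, so a later cleanup could restore the import and widen the module's public surface again. Presumably this is the visibility fix described by the change note in this commit; a comment above the alias such as `// Re-export only PathGraph; importing all of I would expose more of Impl<Config> than this wrapper intends.` would keep the intent visible. Because `hasFlowPath` now has to qualify the call as `I::flowPath`, other names from `I` are likely no longer reachable unqualified either, so it is worth confirming that no downstream query relied on them. The same applies to the identical copies of this file section further down the page.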


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -3,6 +3,7 @@ private import DataFlowUtil
private import DataFlowDispatch
private import FlowVar
private import DataFlowImplConsistency
private import codeql.util.Unit
/** Gets the callable in which this node occurs. */
DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
@@ -264,15 +265,6 @@ int accessPathLimit() { result = 5 }
*/
predicate forceHighPrecision(Content c) { none() }
/** The unit type. */
private newtype TUnit = TMkUnit()
/** The trivial type with a single element. */
class Unit extends TUnit {
/** Gets a textual representation of this element. */
string toString() { result = "unit" }
}
/** Holds if `n` should be hidden from path explanations. */
predicate nodeIsHidden(Node n) { none() }


@@ -8,6 +8,7 @@ private import DataFlowImplCommon
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommonPublic
private import codeql.util.Unit
import DataFlow
/**


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -6,6 +6,7 @@ private import DataFlowImplConsistency
private import semmle.code.cpp.ir.internal.IRCppLanguage
private import SsaInternals as Ssa
private import DataFlowImplCommon as DataFlowImplCommon
private import codeql.util.Unit
cached
private module Cached {
@@ -799,15 +800,6 @@ int accessPathLimit() { result = 5 }
*/
predicate forceHighPrecision(Content c) { none() }
/** The unit type. */
private newtype TUnit = TMkUnit()
/** The trivial type with a single element. */
class Unit extends TUnit {
/** Gets a textual representation of this element. */
string toString() { result = "unit" }
}
/** Holds if `n` should be hidden from path explanations. */
predicate nodeIsHidden(Node n) {
n instanceof OperandNode and


@@ -62,11 +62,16 @@ predicate hasSize(AllocationExpr alloc, DataFlow::Node n, string state) {
predicate isSinkPairImpl(
CallInstruction c, DataFlow::Node bufSink, DataFlow::Node sizeSink, int delta, Expr eBuf
) {
exists(int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr |
exists(
int bufIndex, int sizeIndex, Instruction sizeInstr, Instruction bufInstr, ArrayFunction func
|
bufInstr = bufSink.asInstruction() and
c.getArgument(bufIndex) = bufInstr and
sizeInstr = sizeSink.asInstruction() and
c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
c.getStaticCallTarget() = func and
pragma[only_bind_into](func)
.hasArrayWithVariableSize(pragma[only_bind_into](bufIndex),
pragma[only_bind_into](sizeIndex)) and
bounded(c.getArgument(sizeIndex), sizeInstr, delta) and
eBuf = bufInstr.getUnconvertedResultExpression()
)
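Review bot: The three `pragma[only_bind_into]` wrappers added around `func`, `bufIndex` and `sizeIndex` carry no comment saying which join order they steer, and nothing in the hunk shows the evaluation problem they address. They should not change which buffer/size argument pairs the predicate reports, so without a note a later refactor could fold the call back into the shorter `.(ArrayFunction)` cast form and reintroduce the bad join. A comment above the `hasArrayWithVariableSize` call along the lines of `// only_bind_into: keep this lookup from being joined before the argument instructions are bound` (adjusted to the join that was actually observed) would be enough. The predicate's closing brace lies outside the hunk.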


@@ -1,35 +1,21 @@
| CPP-205.cpp:0:0:0:0 | CPP-205.cpp | |
| CPP-205.cpp:1:20:1:20 | T | |
| CPP-205.cpp:1:20:1:20 | definition of T | |
| CPP-205.cpp:2:5:2:5 | definition of fn | function declaration entry for int fn<int>(int) |
| CPP-205.cpp:2:5:2:5 | fn | function int fn<int>(int) |
| CPP-205.cpp:2:5:2:6 | definition of fn | function declaration entry for int fn<T>(T) |
| CPP-205.cpp:2:5:2:6 | fn | function int fn<T>(T) |
| CPP-205.cpp:2:10:2:12 | definition of out | parameter declaration entry for int fn<T>(T) |
| CPP-205.cpp:2:10:2:12 | definition of out | parameter declaration entry for int fn<int>(int) |
| CPP-205.cpp:2:10:2:12 | out | parameter for int fn<T>(T) |
| CPP-205.cpp:2:10:2:12 | out | parameter for int fn<int>(int) |
| CPP-205.cpp:2:15:5:1 | { ... } | |
| CPP-205.cpp:2:15:5:1 | { ... } | |
| CPP-205.cpp:3:3:3:33 | declaration | |
| CPP-205.cpp:3:3:3:33 | declaration | |
| CPP-205.cpp:3:15:3:15 | declaration of y | |
| CPP-205.cpp:3:15:3:15 | y | |
| CPP-205.cpp:3:17:3:31 | 5 | |
| CPP-205.cpp:4:3:4:11 | return ... | |
| CPP-205.cpp:4:3:4:11 | return ... | |
| CPP-205.cpp:4:10:4:10 | 0 | |
| CPP-205.cpp:4:10:4:10 | 0 | |
| CPP-205.cpp:2:5:2:5 | definition of fn | function declaration entry for int fn<int>(int), isFromTemplateInstantiation(fn) |
| CPP-205.cpp:2:5:2:5 | fn | function int fn<int>(int), isFromTemplateInstantiation(fn) |
| CPP-205.cpp:2:5:2:6 | definition of fn | function declaration entry for int fn<T>(T), isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:2:5:2:6 | fn | function int fn<T>(T), isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:2:10:2:12 | definition of out | isFromTemplateInstantiation(fn), parameter declaration entry for int fn<int>(int) |
| CPP-205.cpp:2:10:2:12 | definition of out | isFromUninstantiatedTemplate(fn), parameter declaration entry for int fn<T>(T) |
| CPP-205.cpp:2:10:2:12 | out | isFromTemplateInstantiation(fn), parameter for int fn<int>(int) |
| CPP-205.cpp:2:10:2:12 | out | isFromUninstantiatedTemplate(fn), parameter for int fn<T>(T) |
| CPP-205.cpp:2:15:5:1 | { ... } | isFromTemplateInstantiation(fn) |
| CPP-205.cpp:2:15:5:1 | { ... } | isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:3:3:3:33 | declaration | isFromTemplateInstantiation(fn) |
| CPP-205.cpp:3:3:3:33 | declaration | isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:3:15:3:15 | declaration of y | isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:3:15:3:15 | y | isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:3:17:3:31 | 5 | isFromTemplateInstantiation(fn) |
| CPP-205.cpp:4:3:4:11 | return ... | isFromTemplateInstantiation(fn) |
| CPP-205.cpp:4:3:4:11 | return ... | isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:4:10:4:10 | 0 | isFromTemplateInstantiation(fn) |
| CPP-205.cpp:4:10:4:10 | 0 | isFromUninstantiatedTemplate(fn) |
| CPP-205.cpp:7:5:7:8 | definition of main | function declaration entry for int main() |
| CPP-205.cpp:7:5:7:8 | main | function int main() |
| CPP-205.cpp:7:12:9:1 | { ... } | |
| CPP-205.cpp:8:3:8:15 | return ... | |
| CPP-205.cpp:8:10:8:11 | call to fn | |
| CPP-205.cpp:8:13:8:13 | 0 | |
| file://:0:0:0:0 | (unnamed parameter 0) | parameter for __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |
| file://:0:0:0:0 | (unnamed parameter 0) | parameter for __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |
| file://:0:0:0:0 | __super | |
| file://:0:0:0:0 | __va_list_tag | |
| file://:0:0:0:0 | operator= | function __va_list_tag& __va_list_tag::operator=(__va_list_tag const&) |
| file://:0:0:0:0 | operator= | function __va_list_tag& __va_list_tag::operator=(__va_list_tag&&) |
| file://:0:0:0:0 | y | |


@@ -14,10 +14,20 @@ string describe(Element e) {
result =
"parameter declaration entry for " +
getIdentityString(e.(ParameterDeclarationEntry).getFunctionDeclarationEntry().getFunction())
or
exists(Element template |
e.isFromTemplateInstantiation(template) and
result = "isFromTemplateInstantiation(" + template.toString() + ")"
)
or
exists(Element template |
e.isFromUninstantiatedTemplate(template) and
result = "isFromUninstantiatedTemplate(" + template.toString() + ")"
)
}
from Element e
where
not e.getLocation() instanceof UnknownLocation and
e.getLocation().getFile().getBaseName() != "" and
not e instanceof Folder
select e, concat(describe(e), ", ")
select e, strictconcat(describe(e), ", ")
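Review bot: Switching the `select` to `strictconcat(describe(e), ", ")` means an element for which `describe` has no result no longer produces a row at all, so the test stops recording that such elements exist at their locations. If that filtering is intended, say so above the `select`, for example `// strictconcat: list only elements that have at least one description.`; otherwise keep `concat` so undescribed elements still appear with an empty second column. The two new `exists(Element template | …)` disjuncts differ only in the predicate they call and would benefit from a short comment on `describe` explaining that one element can now yield several descriptions.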


@@ -18,20 +18,20 @@ int test2(struct List* p) {
int count = 0;
for (; p; p = p->next) {
count = (count+1) % 10;
range(count); // $ range=<=9
range(count); // $ range=>=-9 range=<=9
}
range(count); // $ range=<=9
range(count); // $ range=>=-9 range=<=9
return count;
}
int test3(struct List* p) {
int count = 0;
for (; p; p = p->next) {
range(count++); // $ range=<=9
range(count++); // $ range=>=-9 range=<=9
count = count % 10;
range(count); // $ range=<=9
range(count); // $ range=>=-9 range=<=9
}
range(count); // $ range=<=9
range(count); // $ range=>=-9 range=<=9
return count;
}
@@ -40,13 +40,13 @@ int test4() {
int total = 0;
for (i = 0; i < 2; i = i+1) {
range(i); // $ range=<=1 range=>=0
range(total);
range(total); // $ range=>=0
total += i;
range(total);
range(total); // $ range=<=i+1 range=<=i+1 range=>=0 range=>=i+0
}
range(total);
range(total); // $ range=>=0
range(i); // $ range===2
range(total + i); // $ range=>=i+1
range(total + i); // $ range===i+2 range=>=2 range=>=i+0
return total + i;
}
@@ -55,13 +55,13 @@ int test5() {
int total = 0;
for (i = 0; i < 2; i++) {
range(i); // $ range=<=1 range=>=0
range(total);
range(total); // $ range=>=0
total += i;
range(total);
range(total); // $ range=<=i+1 range=>=0 range=>=i+0
}
range(total);
range(total); // $ range=>=0
range(i); // $ range===2
range(total + i); // $ range=>=i+1
range(total + i); // $ range===i+2 range=>=2 range=>=i+0
return total + i;
}
@@ -70,9 +70,9 @@ int test6() {
int total = 0;
for (i = 0; i+2 < 4; i = i+1) {
range(i); // $ range=<=1 range=>=0
range(total);
range(total); // $ range=>=0
total += i;
range(total);
range(total); // $ range=<=i+1 range=>=0 range=>=i+0
}
return total + i;
}
@@ -175,12 +175,12 @@ int test12() {
size_type Start = 0;
while (Start <= test12_helper()-1)
{
range(Start); // $ range=>=0
range(Start);
const size_type Length = test12_helper();
Start += Length + 1;
range(Start); // $ range=>=1 range=>=Start+1 range=">=call to test12_helper+1"
range(Start);
}
range(Start); // $ range=>=0
range(Start);
return 1;
}
@@ -194,8 +194,8 @@ int test13(char c, int i) {
range(y); // $ range===-1
int z = i+1;
range(z); // $ range===i+1
range(c + i + uc + x + y + z); // $ range=>=1 range=">=... - ...+0"
range((double)(c + i + uc + x + y + z)); // $ range=>=1 range=">=... - ...+0"
range(c + i + uc + x + y + z);
range((double)(c + i + uc + x + y + z));
return (double)(c + i + uc + x + y + z);
}
@@ -233,9 +233,9 @@ int test_unary(int a) {
range(b); // $ range=<=11 range=>=3
int c = -a;
range(c); // $ range=<=-3 range=>=-11
range(b+c); // $ range=<=10 range="<=+ ...:a-1" range=">=- ...+1" range=>=-10
range(b+c); // $ range=<=8 range=>=-8
total += b+c;
range(total);
range(total); // $ range=<=8 range=>=-8
}
if (0 <= a && a <= 11) {
range(a); // $ range=<=11 range=>=0
@@ -243,9 +243,9 @@ int test_unary(int a) {
range(b); // $ range=<=11 range=>=0
int c = -a;
range(c); // $ range=<=0 range=>=-11
range(b+c); // $ range=<=11 range="<=+ ...:a+0" range=">=- ...+0" range=>=-11
range(b+c); // $ range=<=11 range=>=-11
total += b+c;
range(total);
range(total); // $ range=<=0+11 range=<=19 range=>=0-11 range=>=-19
}
if (-7 <= a && a <= 11) {
range(a); // $ range=<=11 range=>=-7
@@ -253,9 +253,9 @@ int test_unary(int a) {
range(b); // $ range=<=11 range=>=-7
int c = -a;
range(c); // $ range=<=7 range=>=-11
range(b+c);
range(b+c); // $ range=<=18 range=>=-18
total += b+c;
range(total);
range(total); // $ range="<=- ...+18" range=">=- ...-18" range=<=0+29 range=<=37 range=>=0-29 range=>=-37
}
if (-7 <= a && a <= 1) {
range(a); // $ range=<=1 range=>=-7
@@ -263,9 +263,9 @@ int test_unary(int a) {
range(b); // $ range=<=1 range=>=-7
int c = -a;
range(c); // $ range=<=7 range=>=-1
range(b+c);
range(b+c); // $ range=<=8 range=>=-8
total += b+c;
range(total);
range(total); // $ range="<=- ...+8" range="<=- ...+26" range=">=- ...-8" range=">=- ...-26" range=<=0+37 range=<=45 range=>=0-37 range=>=-45
}
if (-7 <= a && a <= 0) {
range(a); // $ range=<=0 range=>=-7
@@ -273,9 +273,9 @@ int test_unary(int a) {
range(b); // $ range=<=0 range=>=-7
int c = -a;
range(c); // $ range=<=7 range=>=0
range(b+c); // $ range="<=- ...+0" range=">=+ ...:a+0" range=>=-7 range=<=7
range(b+c); // $ range=>=-7 range=<=7
total += b+c;
range(total);
range(total); // $ range="<=- ...+7" range="<=- ...+15" range="<=- ...+33" range=">=- ...-7" range=">=- ...-15" range=">=- ...-33" range=<=0+44 range=<=52 range=>=0-44 range=>=-52
}
if (-7 <= a && a <= -2) {
range(a); // $ range=<=-2 range=>=-7
@@ -283,11 +283,11 @@ int test_unary(int a) {
range(b); // $ range=<=-2 range=>=-7
int c = -a;
range(c); // $ range=<=7 range=>=2
range(b+c); // $ range="<=- ...-1" range=">=+ ...:a+1" range=>=-6 range=<=6
range(b+c); // $ range=<=5 range=>=-5
total += b+c;
range(total);
range(total); // $ range="<=- ...+5" range="<=- ...+12" range="<=- ...+20" range="<=- ...+38" range=">=- ...-5" range=">=- ...-12" range=">=- ...-20" range=">=- ...-38" range=<=0+49 range=<=57 range=>=0-49 range=>=-57
}
range(total);
range(total); // $ range="<=- ...+5" range="<=- ...+12" range="<=- ...+20" range="<=- ...+38" range=">=- ...-5" range=">=- ...-12" range=">=- ...-20" range=">=- ...-38" range=<=0+49 range=<=57 range=>=0-49 range=>=-57
return total;
}
@@ -300,17 +300,17 @@ int test_mult01(int a, int b) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=5
int r = a*b; // 15 .. 253
range(r);
range(r); // $ range=<=253 range=>=15
total += r;
range(total); // $ range=>=1
range(total); // $ range=<=253 range=>=15
}
if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=0
int r = a*b; // 0 .. 253
range(r);
range(r); // $ range=<=253 range=>=0
total += r;
range(total); // $ range=>=0 range=>=3+0
range(total); // $ range=<=3+253 range=<=506 range=>=0 range=>=3+0
}
if (3 <= a && a <= 11 && -13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
@@ -324,19 +324,19 @@ int test_mult01(int a, int b) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=0 range=>=-13
int r = a*b; // -143 .. 0
range(r);
range(r); // $ range=<=0 range=>=-143
total += r;
range(total); // $ range=<=3+0
range(total); // $ range=<=3+0 range=>=3-143
}
if (3 <= a && a <= 11 && -13 <= b && b <= -7) {
range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // -143 .. -21
range(r);
range(r); // $ range=<=-21 range=>=-143
total += r;
range(total); // $ range=<=3-1
range(total); // $ range=<=3-21 range=>=3-143 range=>=3-286
}
range(total); // $ range=<=3+0
range(total); // $ range=<=3+0 range=>=3-143 range=>=3-286
return total;
}
@@ -348,17 +348,17 @@ int test_mult02(int a, int b) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=23 range=>=5
int r = a*b; // 0 .. 253
range(r);
range(r); // $ range=<=253 range=>=0
total += r;
range(total); // $ range=>=0
range(total); // $ range=>=0 range=<=253
}
if (0 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=23 range=>=0
int r = a*b; // 0 .. 253
range(r);
range(r); // $ range=<=253 range=>=0
total += r;
range(total); // $ range=>=0 range=>=0+0
range(total); // $ range=>=0 range=>=0+0 range=<=0+253 range=<=506
}
if (0 <= a && a <= 11 && -13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=0
@@ -372,19 +372,19 @@ int test_mult02(int a, int b) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=0 range=>=-13
int r = a*b; // -143 .. 0
range(r);
range(r); // $ range=<=0 range=>=-143
total += r;
range(total); // $ range=<=0+0
range(total); // $ range=<=0+0 range=>=0-143
}
if (0 <= a && a <= 11 && -13 <= b && b <= -7) {
range(a); // $ range=<=11 range=>=0
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // -143 .. 0
range(r);
range(r); // $ range=<=0 range=>=-143
total += r;
range(total); // $ range=<=0+0
range(total); // $ range=<=0+0 range=>=0-143 range=>=0-286
}
range(total); // $ range=<=0+0
range(total); // $ range=<=0+0 range=>=0-143 range=>=0-286
return total;
}
@@ -445,15 +445,15 @@ int test_mult04(int a, int b) {
range(b); // $ range=<=23 range=>=5
int r = a*b; // -391 .. 0
total += r;
range(total); // $ range=<=0
range(total); // $ range=<=0 range=>=-391
}
if (-17 <= a && a <= 0 && 0 <= b && b <= 23) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=23 range=>=0
int r = a*b; // -391 .. 0
range(r);
range(r); // $ range=<=0 range=>=-391
total += r;
range(total); // $ range="<=- ...+0" range=<=0
range(total); // $ range="<=- ...+0" range=<=0 range=">=- ...-391" range=>=-782
}
if (-17 <= a && a <= 0 && -13 <= b && b <= 23) {
range(a); // $ range=<=0 range=>=-17
@@ -467,19 +467,19 @@ int test_mult04(int a, int b) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=0 range=>=-13
int r = a*b; // 0 .. 221
range(r);
range(r); // $ range=<=221 range=>=0
total += r;
range(total); // $ range=">=- ...+0"
range(total); // $ range="<=- ...+221" range=">=- ...+0"
}
if (-17 <= a && a <= 0 && -13 <= b && b <= -7) {
range(a); // $ range=<=0 range=>=-17
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // 0 .. 221
range(r);
range(r); // $ range=<=221 range=>=0
total += r;
range(total); // $ range=">=- ...+0"
range(total); // $ range=">=- ...+0" range="<=- ...+221" range="<=- ...+442"
}
range(total); // $ range=">=- ...+0"
range(total); // $ range=">=- ...+0" range="<=- ...+221" range="<=- ...+442"
return total;
}
@@ -491,17 +491,17 @@ int test_mult05(int a, int b) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=23 range=>=5
int r = a*b; // -391 .. -10
range(r);
range(r); // $ range=<=-10 range=>=-391
total += r;
range(total); // $ range=<=-1
range(total); // $ range=<=-10 range=>=-391
}
if (-17 <= a && a <= -2 && 0 <= b && b <= 23) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=23 range=>=0
int r = a*b; // -391 .. 0
range(r);
range(r); // $ range=<=0 range=>=-391
total += r;
range(total); // $ range="<=- ...+0" range=<=0
range(total); // $ range="<=- ...+0" range=<=0 range=">=- ...-391" range=>=-782
}
if (-17 <= a && a <= -2 && -13 <= b && b <= 23) {
range(a); // $ range=<=-2 range=>=-17
@@ -515,19 +515,19 @@ int test_mult05(int a, int b) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=0 range=>=-13
int r = a*b; // 0 .. 221
range(r);
range(r); // $ range=<=221 range=>=0
total += r;
range(total); // $ range=">=- ...+0"
range(total); // $ range="<=- ...+221" range=">=- ...+0"
}
if (-17 <= a && a <= -2 && -13 <= b && b <= -7) {
range(a); // $ range=<=-2 range=>=-17
range(b); // $ range=<=-7 range=>=-13
int r = a*b; // 14 .. 221
range(r);
range(r); // $ range=<=221 range=>=14
total += r;
range(total); // $ range=">=- ...+1"
range(total); // $ range="<=- ...+221" range="<=- ...+442" range=">=- ...+14"
}
range(total); // $ range=">=- ...+0"
range(total); // $ range=">=- ...+0" range="<=- ...+221" range="<=- ...+442"
return total;
}
@@ -598,7 +598,7 @@ unsigned int test_ternary01(unsigned int x) {
(range(x), 500); // $ range=<=299
range(y8); // y8 <= 300
}
range(y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8); // $ range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
range(y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
return y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8;
}
@@ -628,7 +628,7 @@ unsigned int test_ternary02(unsigned int x) {
(range(x), 5); // $ range=>=300
range(y5); // y6 >= 0
}
range(y1 + y2 + y3 + y4 + y5); // $ range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
range(y1 + y2 + y3 + y4 + y5); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
return y1 + y2 + y3 + y4 + y5;
}
@@ -647,7 +647,7 @@ unsigned int test_comma01(unsigned int x) {
range(y), // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
y);
range(y2); // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
range(y1 + y2); // $ range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
range(y1 + y2); // $ MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
return y1 + y2;
}
@@ -685,7 +685,7 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
int r = a*b; // 15 .. 253
range(r);
total += r;
range(total); // $ range=>=1
range(total); // $ MISSING: range=>=1
}
if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
@@ -693,7 +693,7 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
int r = a*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+0" range=>=0
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
}
if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3
@@ -701,9 +701,9 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
int r = a*b; // 39 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+1" range=>=1
range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1
}
range(total); // $ range=">=(unsigned int)...+0" range=>=0
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
return total;
}
@@ -715,23 +715,23 @@ int test_unsigned_mult02(unsigned b) {
int r = 11*b; // 55 .. 253
range(r);
total += r;
range(total); // $ range=>=1
range(total); // $ MISSING: range=>=1
}
if (0 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=0
int r = 11*b; // 0 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+0" range=>=0
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
}
if (13 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=13
int r = 11*b; // 143 .. 253
range(r);
total += r;
range(total); // $ range=">=(unsigned int)...+1" range=>=1
range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1
}
range(total); // $ range=">=(unsigned int)...+0" range=>=0
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
return total;
}
@@ -741,7 +741,7 @@ unsigned long mult_rounding() {
range(y); // $ range===1000000003
range(x); // $ range===1000000003
xy = x * y;
range(xy);
range(xy); // $ range===2147483647
return xy; // BUG: upper bound should be >= 1000000006000000009UL
}
@@ -761,13 +761,13 @@ unsigned long mult_lower_bound(unsigned int ui, unsigned long ul) {
range(ui); // $ range=>=10
range((unsigned long)ui); // $ range=>=10
unsigned long result = (unsigned long)ui * ui;
range(result);
range(result); // $ range=>=100 range=>=100
return result; // BUG: upper bound should be >= 18446744065119617025
}
if (ul >= 10) {
range(ul); // $ range=>=10
unsigned long result = ul * ul;
range(result);
range(result); // $ range=>=100
return result; // BUG: lower bound should be 0 (overflow is possible)
}
return 0;
@@ -777,7 +777,7 @@ unsigned long mul_assign(unsigned int ui) {
if (ui <= 10 && ui >= 2) {
range(ui); // $ range=<=10 range=>=2
ui *= ui + 0;
range(ui);
range(ui); // $ range=<=100 range=>=4
return ui; // 4 .. 100
}
@@ -790,7 +790,7 @@ unsigned long mul_assign(unsigned int ui) {
range(ulconst); // $ range===10
ulconst *= 4;
range(ulconst); // $ range===40
range(uiconst + ulconst); // $ range=">=... *= ...+1" range=>=41
range(uiconst + ulconst); // $ range===80
return uiconst + ulconst; // 40 .. 40 for both
}
@@ -813,7 +813,7 @@ int mul_by_constant(int i, int j) {
range(i); // $ range===-1
range((int)0xffFFffFF); // $ range===-1
i = i * (int)0xffFFffFF; // fully converted literal is -1
range(i); // 1 .. 1
range(i); // $ range===1
}
i = i * -1;
range( i); // -2^31 .. 2^31-1
@@ -942,7 +942,7 @@ void widen_recursive_expr() {
for (s = 0; s < 10; s++) {
range(s); // $ range=<=9 range=>=0
int result = s + s;
range(result); // 0 .. 18
range(result); // $ range=<=18 range=<=s+9 range=>=0 range=>=s+0
}
}
@@ -960,7 +960,22 @@ void guard_bound_out_of_range(void) {
void test_mod(int s) {
int s2 = s % 5;
range(s2); // $ range=<=4 // -4 .. 4
range(s2); // $ range=>=-4 range=<=4
}
void test_mod_neg(int s) {
int s2 = s % -5;
range(s2); // $ range=>=-4 range=<=4
}
void test_mod_ternary(int s, bool b) {
int s2 = s % (b ? 5 : 500);
range(s2); // $ range=>=-499 range=<=499
}
void test_mod_ternary2(int s, bool b1, bool b2) {
int s2 = s % (b1 ? (b2 ? 5 : -5000) : -500000);
range(s2); // $ range=>=-499999 range=<=499999
}
void exit(int);


@@ -7,7 +7,7 @@
}
if (y - 2 == x && y > 300) {
range(x + y); // $ range=>=300 range=>=x+1 range=>=y-1
range(x + y); // $ range=<=802 range=>=600
return x + y;
}


@@ -1,26 +1,9 @@
| captures.cpp:0:0:0:0 | captures.cpp |
| captures.cpp:1:8:1:8 | declaration of operator= |
| captures.cpp:1:8:1:8 | declaration of operator= |
| captures.cpp:1:8:1:8 | operator= |
| captures.cpp:1:8:1:8 | operator= |
| captures.cpp:1:8:1:10 | definition of foo |
| captures.cpp:1:8:1:10 | foo |
| captures.cpp:2:8:2:8 | a |
| captures.cpp:2:8:2:8 | definition of a |
| captures.cpp:2:14:2:14 | definition of x |
| captures.cpp:2:14:2:14 | x |
| captures.cpp:2:17:6:3 | { ... } |
| captures.cpp:3:5:3:5 | (unnamed constructor) |
| captures.cpp:3:5:3:5 | (unnamed constructor) |
| captures.cpp:3:5:3:5 | (unnamed constructor) |
| captures.cpp:3:5:3:5 | declaration of (unnamed constructor) |
| captures.cpp:3:5:3:5 | declaration of (unnamed constructor) |
| captures.cpp:3:5:3:5 | definition of (unnamed constructor) |
| captures.cpp:3:5:3:5 | definition of operator= |
| captures.cpp:3:5:3:5 | operator= |
| captures.cpp:3:5:5:5 | [...](...){...} |
| captures.cpp:3:5:5:5 | {...} |
| captures.cpp:3:5:5:6 | ExprStmt |
| captures.cpp:3:6:3:6 | definition of x |
| captures.cpp:3:6:3:6 | x |
| captures.cpp:3:6:3:6 | x |
@@ -29,7 +12,6 @@
| captures.cpp:3:9:3:9 | definition of (captured this) |
| captures.cpp:3:9:3:12 | (captured this) |
| captures.cpp:3:9:3:12 | this |
| captures.cpp:3:15:3:15 | definition of operator() |
| captures.cpp:3:15:3:15 | operator() |
| captures.cpp:3:15:5:5 | { ... } |
| captures.cpp:4:7:4:7 | (captured this) |
@@ -41,26 +23,14 @@
| captures.cpp:4:9:4:13 | x |
| captures.cpp:4:13:4:13 | 1 |
| captures.cpp:5:5:5:5 | return ... |
| captures.cpp:6:3:6:3 | return ... |
| captures.cpp:8:8:8:8 | b |
| captures.cpp:8:8:8:8 | definition of b |
| captures.cpp:8:14:8:14 | definition of x |
| captures.cpp:8:14:8:14 | x |
| captures.cpp:8:17:12:3 | { ... } |
| captures.cpp:9:5:9:5 | (unnamed constructor) |
| captures.cpp:9:5:9:5 | (unnamed constructor) |
| captures.cpp:9:5:9:5 | (unnamed constructor) |
| captures.cpp:9:5:9:5 | declaration of (unnamed constructor) |
| captures.cpp:9:5:9:5 | declaration of (unnamed constructor) |
| captures.cpp:9:5:9:5 | definition of (unnamed constructor) |
| captures.cpp:9:5:9:5 | definition of operator= |
| captures.cpp:9:5:9:5 | operator= |
| captures.cpp:9:5:11:5 | [...](...){...} |
| captures.cpp:9:5:11:5 | this |
| captures.cpp:9:5:11:5 | x |
| captures.cpp:9:5:11:5 | {...} |
| captures.cpp:9:5:11:6 | ExprStmt |
| captures.cpp:9:9:9:9 | definition of operator() |
| captures.cpp:9:9:9:9 | operator() |
| captures.cpp:9:9:11:5 | { ... } |
| captures.cpp:10:7:10:7 | (captured this) |
@@ -78,48 +48,23 @@
| captures.cpp:10:9:10:13 | x |
| captures.cpp:10:13:10:13 | 1 |
| captures.cpp:11:5:11:5 | return ... |
| captures.cpp:12:3:12:3 | return ... |
| captures.cpp:14:15:14:15 | c |
| captures.cpp:14:15:14:15 | definition of c |
| captures.cpp:14:21:14:21 | definition of x |
| captures.cpp:14:21:14:21 | x |
| captures.cpp:14:24:18:3 | { ... } |
| captures.cpp:15:5:15:5 | (unnamed constructor) |
| captures.cpp:15:5:15:5 | (unnamed constructor) |
| captures.cpp:15:5:15:5 | (unnamed constructor) |
| captures.cpp:15:5:15:5 | declaration of (unnamed constructor) |
| captures.cpp:15:5:15:5 | declaration of (unnamed constructor) |
| captures.cpp:15:5:15:5 | definition of (unnamed constructor) |
| captures.cpp:15:5:15:5 | definition of operator= |
| captures.cpp:15:5:15:5 | operator= |
| captures.cpp:15:5:17:5 | [...](...){...} |
| captures.cpp:15:5:17:5 | {...} |
| captures.cpp:15:5:17:6 | ExprStmt |
| captures.cpp:15:6:15:6 | definition of x |
| captures.cpp:15:6:15:6 | x |
| captures.cpp:15:6:15:6 | x |
| captures.cpp:15:6:15:6 | x |
| captures.cpp:15:9:15:9 | definition of operator() |
| captures.cpp:15:9:15:9 | operator() |
| captures.cpp:15:9:17:5 | { ... } |
| captures.cpp:16:7:16:7 | call to c |
| captures.cpp:16:7:16:11 | ExprStmt |
| captures.cpp:16:9:16:9 | 0 |
| captures.cpp:16:13:16:49 | // `x` is unused, but still captured. |
| captures.cpp:17:5:17:5 | return ... |
| captures.cpp:18:3:18:3 | return ... |
| captures.cpp:21:5:21:5 | d |
| captures.cpp:21:5:21:5 | definition of d |
| captures.cpp:21:11:21:11 | definition of x |
| captures.cpp:21:11:21:11 | x |
| captures.cpp:21:18:21:18 | definition of y |
| captures.cpp:21:18:21:18 | y |
| captures.cpp:21:21:27:1 | { ... } |
| captures.cpp:22:3:24:4 | declaration |
| captures.cpp:22:8:22:15 | definition of myLambda |
| captures.cpp:22:8:22:15 | myLambda |
| captures.cpp:22:18:24:3 | [...](...){...} |
| captures.cpp:22:18:24:3 | initializer for myLambda |
| captures.cpp:22:18:24:3 | y |
| captures.cpp:22:18:24:3 | {...} |
| captures.cpp:22:19:22:19 | (reference dereference) |
@@ -131,10 +76,6 @@
| captures.cpp:22:19:22:19 | (unnamed parameter 0) |
| captures.cpp:22:19:22:19 | constructor init of field x |
| captures.cpp:22:19:22:19 | constructor init of field y |
| captures.cpp:22:19:22:19 | declaration of (unnamed constructor) |
| captures.cpp:22:19:22:19 | definition of (unnamed constructor) |
| captures.cpp:22:19:22:19 | definition of (unnamed constructor) |
| captures.cpp:22:19:22:19 | definition of operator= |
| captures.cpp:22:19:22:19 | operator= |
| captures.cpp:22:19:22:19 | return ... |
| captures.cpp:22:19:22:19 | x |
@@ -144,9 +85,7 @@
| captures.cpp:22:23:22:23 | x |
| captures.cpp:22:23:22:23 | x |
| captures.cpp:22:23:22:23 | x |
| captures.cpp:22:25:22:25 | definition of operator() |
| captures.cpp:22:25:22:25 | operator() |
| captures.cpp:22:30:22:30 | definition of z |
| captures.cpp:22:30:22:30 | z |
| captures.cpp:22:40:24:3 | { ... } |
| captures.cpp:23:5:23:21 | return ... |
@@ -161,30 +100,7 @@
| captures.cpp:23:16:23:16 | y |
| captures.cpp:23:16:23:16 | y |
| captures.cpp:23:20:23:20 | z |
| captures.cpp:26:3:26:24 | return ... |
| captures.cpp:26:10:26:17 | (const lambda [] type at line 22, col. 19)... |
| captures.cpp:26:10:26:17 | myLambda |
| captures.cpp:26:18:26:18 | call to operator() |
| captures.cpp:26:19:26:22 | 1000 |
| end_pos.cpp:0:0:0:0 | end_pos.cpp |
| end_pos.cpp:2:1:2:14 | #define OPEN { |
| end_pos.cpp:3:6:3:10 | definition of igFun |
| end_pos.cpp:3:6:3:10 | igFun |
| end_pos.cpp:3:14:12:1 | { ... } |
| end_pos.cpp:4:5:4:8 | OPEN |
| end_pos.cpp:4:5:5:5 | { ... } |
| end_pos.cpp:6:5:6:15 | declaration |
| end_pos.cpp:6:9:6:10 | definition of ii |
| end_pos.cpp:6:9:6:10 | ii |
| end_pos.cpp:6:13:6:14 | 0 |
| end_pos.cpp:6:13:6:14 | initializer for ii |
| end_pos.cpp:7:5:7:69 | // EDG used to not give the initialization for this ii capture an |
| end_pos.cpp:8:5:8:20 | // end location: |
| end_pos.cpp:9:5:11:6 | declaration |
| end_pos.cpp:9:10:9:11 | definition of fp |
| end_pos.cpp:9:10:9:11 | fp |
| end_pos.cpp:9:14:11:5 | [...](...){...} |
| end_pos.cpp:9:14:11:5 | initializer for fp |
| end_pos.cpp:9:14:11:5 | {...} |
| end_pos.cpp:9:15:9:15 | (reference dereference) |
| end_pos.cpp:9:15:9:15 | (unnamed constructor) |
@@ -192,10 +108,6 @@
| end_pos.cpp:9:15:9:15 | (unnamed constructor) |
| end_pos.cpp:9:15:9:15 | (unnamed parameter 0) |
| end_pos.cpp:9:15:9:15 | constructor init of field ii |
| end_pos.cpp:9:15:9:15 | declaration of (unnamed constructor) |
| end_pos.cpp:9:15:9:15 | definition of (unnamed constructor) |
| end_pos.cpp:9:15:9:15 | definition of (unnamed constructor) |
| end_pos.cpp:9:15:9:15 | definition of operator= |
| end_pos.cpp:9:15:9:15 | ii |
| end_pos.cpp:9:15:9:15 | operator= |
| end_pos.cpp:9:15:9:15 | return ... |
@@ -205,14 +117,10 @@
| end_pos.cpp:9:17:9:18 | (reference to) |
| end_pos.cpp:9:17:9:18 | ii |
| end_pos.cpp:9:17:9:18 | ii |
| end_pos.cpp:9:20:9:20 | definition of operator() |
| end_pos.cpp:9:20:9:20 | operator() |
| end_pos.cpp:9:27:11:5 | { ... } |
| end_pos.cpp:10:9:10:17 | return ... |
| end_pos.cpp:10:16:10:16 | 1 |
| end_pos.cpp:12:1:12:1 | return ... |
| file://:0:0:0:0 | |
| file://:0:0:0:0 | (global namespace) |
| file://:0:0:0:0 | (reference to) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
@@ -229,90 +137,8 @@
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | (unnamed parameter 0) |
| file://:0:0:0:0 | ..()(..) |
| file://:0:0:0:0 | ..()(..) |
| file://:0:0:0:0 | ..(*)(..) |
| file://:0:0:0:0 | ..(*)(..) |
| file://:0:0:0:0 | ..(*)(..) |
| file://:0:0:0:0 | ..(..) |
| file://:0:0:0:0 | __super |
| file://:0:0:0:0 | __va_list_tag |
| file://:0:0:0:0 | __va_list_tag & |
| file://:0:0:0:0 | __va_list_tag && |
| file://:0:0:0:0 | auto |
| file://:0:0:0:0 | const __va_list_tag |
| file://:0:0:0:0 | const __va_list_tag & |
| file://:0:0:0:0 | const foo |
| file://:0:0:0:0 | const foo & |
| file://:0:0:0:0 | const lambda [] type at line 3, col. 5 |
| file://:0:0:0:0 | const lambda [] type at line 3, col. 5 & |
| file://:0:0:0:0 | const lambda [] type at line 3, col. 5 * |
| file://:0:0:0:0 | const lambda [] type at line 9, col. 5 |
| file://:0:0:0:0 | const lambda [] type at line 9, col. 5 & |
| file://:0:0:0:0 | const lambda [] type at line 9, col. 5 * |
| file://:0:0:0:0 | const lambda [] type at line 9, col. 15 |
| file://:0:0:0:0 | const lambda [] type at line 9, col. 15 & |
| file://:0:0:0:0 | const lambda [] type at line 9, col. 15 * |
| file://:0:0:0:0 | const lambda [] type at line 15, col. 5 |
| file://:0:0:0:0 | const lambda [] type at line 15, col. 5 & |
| file://:0:0:0:0 | const lambda [] type at line 15, col. 5 * |
| file://:0:0:0:0 | const lambda [] type at line 22, col. 19 |
| file://:0:0:0:0 | const lambda [] type at line 22, col. 19 & |
| file://:0:0:0:0 | const lambda [] type at line 22, col. 19 * |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | declaration of 1st parameter |
| file://:0:0:0:0 | decltype([...](...){...}) |
| file://:0:0:0:0 | decltype([...](...){...}) |
| file://:0:0:0:0 | decltype([...](...){...}) |
| file://:0:0:0:0 | decltype([...](...){...}) |
| file://:0:0:0:0 | decltype([...](...){...}) |
| file://:0:0:0:0 | definition of fp_offset |
| file://:0:0:0:0 | definition of gp_offset |
| file://:0:0:0:0 | definition of overflow_arg_area |
| file://:0:0:0:0 | definition of reg_save_area |
| file://:0:0:0:0 | foo & |
| file://:0:0:0:0 | foo && |
| file://:0:0:0:0 | foo * |
| file://:0:0:0:0 | foo *const |
| file://:0:0:0:0 | fp_offset |
| file://:0:0:0:0 | gp_offset |
| file://:0:0:0:0 | int & |
| file://:0:0:0:0 | lambda [] type at line 3, col. 5 & |
| file://:0:0:0:0 | lambda [] type at line 3, col. 5 && |
| file://:0:0:0:0 | lambda [] type at line 3, col. 5 * |
| file://:0:0:0:0 | lambda [] type at line 9, col. 5 & |
| file://:0:0:0:0 | lambda [] type at line 9, col. 5 && |
| file://:0:0:0:0 | lambda [] type at line 9, col. 5 * |
| file://:0:0:0:0 | lambda [] type at line 9, col. 15 & |
| file://:0:0:0:0 | lambda [] type at line 9, col. 15 && |
| file://:0:0:0:0 | lambda [] type at line 9, col. 15 * |
| file://:0:0:0:0 | lambda [] type at line 15, col. 5 & |
| file://:0:0:0:0 | lambda [] type at line 15, col. 5 && |
| file://:0:0:0:0 | lambda [] type at line 15, col. 5 * |
| file://:0:0:0:0 | lambda [] type at line 22, col. 19 & |
| file://:0:0:0:0 | lambda [] type at line 22, col. 19 && |
| file://:0:0:0:0 | lambda [] type at line 22, col. 19 * |
| file://:0:0:0:0 | operator= |
| file://:0:0:0:0 | operator= |
| file://:0:0:0:0 | overflow_arg_area |
| file://:0:0:0:0 | reg_save_area |
| file://:0:0:0:0 | void * |


@@ -1,8 +1,13 @@
import cpp
predicate interesting(Element e) {
e instanceof LambdaCapture or
e instanceof LambdaExpression or
e = any(LambdaExpression le).getLambdaFunction() or
e = any(LambdaExpression le).getInitializer() or
e instanceof Closure
}
from Element e
where
not e instanceof BuiltInType and
not e instanceof Specifier and
not e instanceof Folder
where interesting(e.getEnclosingElement*())
select e
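Review bot: The new `interesting` predicate carries no comment, although the whole selection now hinges on it: the query keeps every element whose enclosing-element chain (the element itself included, because of the `*`) reaches something `interesting`. A QLDoc line above the predicate, stating that it holds for lambda expressions, their captures, their closure types, their call operators and their initializers, would make the shortened expected-output file easier to audit when it next changes.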


@@ -0,0 +1,3 @@
| extern.cpp:1:20:1:20 | T |
| extern.cpp:2:5:2:5 | f |
| extern.cpp:2:7:2:7 | (unnamed parameter 0) |


@@ -0,0 +1,5 @@
import cpp
from Declaration d
where d.getLocation().getFile().getBaseName() != ""
select d
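Review bot: The filter `d.getLocation().getFile().getBaseName() != ""` has no comment explaining why it is there. It presumably drops declarations that have no real source location, so that the expected output lists only `extern.cpp` entries. A line such as `// Only declarations located in a source file; skips those with an unknown location.` above the `where` clause would record that intent.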


@@ -1,8 +0,0 @@
| extern.cpp:0:0:0:0 | extern.cpp |
| extern.cpp:1:20:1:20 | T |
| extern.cpp:1:20:1:20 | definition of T |
| extern.cpp:2:5:2:5 | declaration of f |
| extern.cpp:2:5:2:5 | f |
| extern.cpp:2:7:2:7 | (unnamed parameter 0) |
| extern.cpp:2:7:2:7 | declaration of 1st parameter |
| extern.cpp:4:1:4:58 | // Currently we don't have an element for this declaration |


@@ -1,8 +0,0 @@
import cpp
from Element e
where
exists(e.getLocation()) and
not e.getLocation() instanceof UnknownLocation and
not e instanceof Folder
select e


@@ -0,0 +1,4 @@
---
category: fix
---
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.


@@ -11,6 +11,13 @@ class WebConfigXml extends XmlFile {
WebConfigXml() { this.getName().matches("%Web.config") }
}
/**
* A `Web.config` transformation file.
*/
class WebConfigReleaseTransformXml extends XmlFile {
WebConfigReleaseTransformXml() { this.getName().matches("%Web.Release.config") }
}
/** DEPRECATED: Alias for WebConfigXml */
deprecated class WebConfigXML = WebConfigXml;
@@ -19,6 +26,11 @@ class ConfigurationXmlElement extends XmlElement {
ConfigurationXmlElement() { this.getName().toLowerCase() = "configuration" }
}
/** A `<compilation>` tag in an ASP.NET configuration file. */
class CompilationXmlElement extends XmlElement {
CompilationXmlElement() { this.getName().toLowerCase() = "compilation" }
}
/** DEPRECATED: Alias for ConfigurationXmlElement */
deprecated class ConfigurationXMLElement = ConfigurationXmlElement;
@@ -149,3 +161,15 @@ class HttpCookiesElement extends XmlElement {
/** DEPRECATED: Alias for isRequireSsl */
deprecated predicate isRequireSSL() { this.isRequireSsl() }
}
/** A `Transform` attribute in a Web.config transformation file. */
class TransformXmlAttribute extends XmlAttribute {
TransformXmlAttribute() { this.getName().toLowerCase() = "transform" }
/**
* Gets the list of attribute removals in `Transform=RemoveAttributes(list)`.
*/
string getRemoveAttributes() {
result = this.getValue().regexpCapture("RemoveAttributes\\((.*)\\)", 1).splitAt(",")
}
}
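Review bot: `getRemoveAttributes()` returns the pieces of `splitAt(",")` untrimmed, so a transform written as `RemoveAttributes(debug, batch)` yields ` batch` with a leading space, and a caller comparing the result against an attribute name would not recognise that removal. Appending `.trim()`, as in `result = this.getValue().regexpCapture("RemoveAttributes\\((.*)\\)", 1).splitAt(",").trim()`, avoids this. The new classes suggest that a query uses this to decide whether the release transform strips `debug` from `<compilation>`, although no caller is visible here. If so, the mismatch would show up as a spurious alert on a correctly hardened configuration, which is worth a test case with spaces in the list. Separately, the QLDoc on `WebConfigReleaseTransformXml` describes a generic Web.config transformation file while the class matches only names ending in `Web.Release.config`; the comment should name the release transform specifically.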


@@ -8,6 +8,7 @@ private import DataFlowImplCommon
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommonPublic
private import codeql.util.Unit
import DataFlow
/**


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
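Review bot: `module PathGraph = I::PathGraph;` is added without a QLDoc comment, although with `import I` removed it is now the one name from `I` that this file deliberately re-exports. A one-line comment above it, saying that the alias keeps the path graph available to users of the configuration-class API and that nothing else from `I` is meant to be public, would stop a later edit from reintroducing the blanket import that this change removes. The same applies to the identical hunks in the five file sections that follow. The surrounding `PathNode` class and the `hasFlow` predicate start or end outside the hunks shown.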


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -19,6 +19,7 @@ private import semmle.code.csharp.frameworks.system.Collections
private import semmle.code.csharp.frameworks.system.threading.Tasks
private import semmle.code.cil.Ssa::Ssa as CilSsa
private import semmle.code.cil.internal.SsaImpl as CilSsaImpl
private import codeql.util.Unit
/** Gets the callable in which this node occurs. */
DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallableImpl() }
@@ -2163,15 +2164,6 @@ int accessPathLimit() { result = 5 }
*/
predicate forceHighPrecision(Content c) { c instanceof ElementContent }
/** The unit type. */
private newtype TUnit = TMkUnit()
/** The trivial type with a single element. */
class Unit extends TUnit {
/** Gets a textual representation of this element. */
string toString() { result = "unit" }
}
class LambdaCallKind = Unit;
/** Holds if `creation` is an expression that creates a delegate for `c`. */
@@ -2183,7 +2175,7 @@ predicate lambdaCreation(ExprNode creation, LambdaCallKind kind, DataFlowCallabl
e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
]
) and
kind = TMkUnit()
exists(kind)
}
private class LambdaConfiguration extends ControlFlowReachabilityConfiguration {
@@ -2214,7 +2206,7 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
or
receiver = call.(SummaryCall).getReceiver()
) and
kind = TMkUnit()
exists(kind)
}
/** Extra data-flow steps needed for lambda flow analysis. */
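Review bot: The new `exists(kind)` conjunct in `lambdaCreation` and `lambdaCall` reads like a no-op unless the reader already knows that `LambdaCallKind` is an alias for the single-valued `Unit` type. The old `kind = TMkUnit()` made that explicit, but the constructor is no longer reachable now that `Unit` comes from `codeql.util.Unit`. A one-line comment at each site would keep the intent visible, for example `// LambdaCallKind is Unit, so there is only one possible kind; exists(kind) just mentions the parameter.`. Both predicates begin outside the hunks, so the rest of their bodies is not visible here.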


@@ -10,6 +10,7 @@ private import FlowSummaryImplSpecific
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommon
private import codeql.util.Unit
/** Provides classes and predicates for defining flow summaries. */
module Public {


@@ -19,6 +19,17 @@ import semmle.code.asp.WebConfig
from SystemWebXmlElement web, XmlAttribute debugAttribute
where
debugAttribute = web.getAChild("compilation").getAttribute("debug") and
not debugAttribute.getValue().toLowerCase() = "false"
exists(CompilationXmlElement compilation | compilation.getParent() = web |
debugAttribute = compilation.getAttribute("debug") and
not debugAttribute.getValue().toLowerCase() = "false"
) and
not exists(
TransformXmlAttribute attribute, CompilationXmlElement compilation,
WebConfigReleaseTransformXml file
|
compilation = attribute.getElement() and
file = compilation.getFile() and
attribute.getRemoveAttributes() = "debug" and
file.getParentContainer() = web.getFile().getParentContainer()
)
select debugAttribute, "The 'debug' flag is set for an ASP.NET configuration file."
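Review bot: The new `not exists(...)` clause drops the alert whenever a release transform file in the same directory removes `debug`, but nothing in the query ties that transform to how the site is actually deployed. A `Web.config` with `debug="true"` that is published without the transform applied (a non-Release publish, or a plain copy of the file) still runs with debugging enabled and now yields no result. I would state that assumption next to the clause, for example `// Assumes deployments apply the release transform; a Web.config shipped as-is keeps debug enabled.`, and repeat it in the query help so triagers know what a clean result means. The clause also accepts any `CompilationXmlElement` in the transform file, while the positive branch requires `compilation.getParent() = web`. Whether that asymmetry matters depends on `TransformXmlAttribute` and `WebConfigReleaseTransformXml`, which are defined outside this hunk.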


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `cs/web/debug-binary` now disregards the `debug` attribute in case there is a transformation that removes it.


@@ -18,8 +18,6 @@ module TaintTracking = CS::TaintTracking;
class Type = CS::Type;
class Unit = DataFlowPrivate::Unit;
/**
* Holds if any of the parameters of `api` are `System.Func<>`.
*/


@@ -1 +1,2 @@
| bad/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
| bad1/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
| bad2/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |


@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
</system.web>
</configuration>


@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation
defaultLanguage="c#"
debug="true"
/>
</system.web>
</configuration>


@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
</system.web>
</configuration>


@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation
defaultLanguage="c#"
debug="true"
/>
</system.web>
</configuration>


@@ -45,4 +45,3 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`Working with source locations <working-with-source-locations>`: You can use the location of entities within Java code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem.
- :doc:`Abstract syntax tree classes for working with Java programs <abstract-syntax-tree-classes-for-working-with-java-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of Java programs.


@@ -28,8 +28,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`Using flow labels for precise data flow analysis <using-flow-labels-for-precise-data-flow-analysis>`: You can associate flow labels with each value tracked by the flow analysis to determine whether the flow contains potential vulnerabilities.
- :doc:`Specifying remote flow sources for JavaScript <specifying-additional-remote-flow-sources-for-javascript>`: You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
- :doc:`Using type tracking for API modeling <using-type-tracking-for-api-modeling>`: You can track data through an API by creating a model using the CodeQL type-tracking library for JavaScript.
- :doc:`Abstract syntax tree classes for working with JavaScript and TypeScript programs <abstract-syntax-tree-classes-for-working-with-javascript-and-typescript-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of JavaScript and TypeScript programs.


@@ -0,0 +1,417 @@
.. _customizing-library-models-for-java:
:orphan:
:nosearch:
Customizing Library Models for Java
===================================
.. include:: ../reusables/beta-note-customizing-library-models.rst
The Java analysis can be customized by adding library models (summaries, sinks and sources) in data extension files.
A model is a definition of a behavior of a library element, such as a method, that is used to improve the data flow analysis precision by identifying more results.
Most of the security related queries are taint tracking queries that try to find paths from a source of untrusted input to a sink that represents a vulnerability. Sources are the starting points of a taint tracking data flow analysis, and sinks are the end points of a taint tracking data flow analysis.
Furthermore, the taint tracking queries also need to know how data can flow through elements that are not included in the source code. These are named summaries: they are models of elements that allow us to synthesize the elements flow behavior without having them in the source code. This is especially helpful when using a third party (or the standard) library.
The models are defined using data extensions where each tuple constitutes a model.
A data extension file for Java is a YAML file in the form:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: <name of extensible predicate>
data:
- <tuple1>
- <tuple2>
- ...
Data extensions contribute to the extensible predicates defined in the CodeQL library. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation.
The CodeQL library for Java exposes the following extensible predicates:
- **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance). This is used for **source** models.
- **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance). This is used for **sink** models.
- **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance). This is used for **summary** models.
- **neutralModel**\(package, type, name, signature, provenance). This is used for **neutral** models, which only have minor impact on the data flow analysis.
The extensible predicates are populated using data extensions specified in YAML files.
In the sections below, we will provide examples of how to add tuples to the different extensible predicates.
The extensible predicates are used to customize and improve the existing data flow queries, by providing sources, sinks, and flow through (summaries) for library elements.
The :ref:`reference-material` section will provide details on the *mini DSLs* that define models for each extensible predicate.
Example: Taint sink in the **java.sql** package
------------------------------------------------
In this example we will show how to model the argument of the **execute** method as a SQL injection sink.
This is the **execute** method in the **Statement** class, which is located in the **java.sql** package.
Note that this sink is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintsink(Connection conn, String query) throws SQLException {
Statement stmt = conn.createStatement();
stmt.execute(query); // The argument to this method is a SQL injection sink.
}
We need to add a tuple to the **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[0]", "sql", "manual"]
Since we are adding a new sink, we need to add a tuple to the **sinkModel** extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a sink.
- The first value **java.sql** is the package name.
- The second value **Statement** is the name of the class (type) that contains the method.
- The third value **True** is a flag that indicates whether or not the sink also applies to all overrides of the method.
- The fourth value **execute** is the method name.
- The fifth value **(String)** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the sink.
- The seventh value **Argument[0]** is the **access path** to the first argument passed to the method, which means that this is the location of the sink.
- The eighth value **sql** is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries.
- The ninth value **manual** is the provenance of the sink, which is used to identify the origin of the sink.
Example: Taint source from the **java.net** package
----------------------------------------------------
In this example we show how to model the return value from the **getInputStream** method as a **remote** source.
This is the **getInputStream** method in the **Socket** class, which is located in the **java.net** package.
Note that this source is already added to the CodeQL Java analysis.
.. code-block:: java
public static void tainted(Socket socket) throws IOException {
InputStream stream = socket.getInputStream(); // The return value of this method is a remote source of taint.
...
}
We need to add a tuple to the **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
Since we are adding a new source, we need to add a tuple to the **sourceModel** extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a source.
- The first value **java.net** is the package name.
- The second value **Socket** is the name of the class (type) that contains the source.
- The third value **False** is a flag that indicates whether or not the source also applies to all overrides of the method.
- The fourth value **getInputStream** is the method name.
- The fifth value **()** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the source.
- The seventh value **ReturnValue** is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
- The eighth value **remote** is the kind of the source. The source kind is used to define the queries where the source is in scope. **remote** applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses **remote** sources.
- The ninth value **manual** is the provenance of the source, which is used to identify the origin of the source.
Example: Add flow through the **concat** method
------------------------------------------------
In this example we show how to model flow through a method for a simple case.
This pattern covers many of the cases where we need to define flow through a method.
Note that the flow through the **concat** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow(String s1, String s2) {
String t = s1.concat(s2); // There is taint flow from s1 and s2 to t.
...
}
We need to add tuples to the **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.lang", "String", False, "concat", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
Reasoning:
Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
Each tuple defines flow from one argument to the return value.
The first row defines flow from the qualifier (**s1** in the example) to the return value (**t** in the example) and the second row defines flow from the first argument (**s2** in the example) to the return value (**t** in the example).
The first five values identify the callable (in this case a method) to be modeled as a summary.
These are the same for both of the rows above as we are adding two summaries for the same method.
- The first value **java.lang** is the package name.
- The second value **String** is the class (type) name.
- The third value **False** is a flag that indicates whether or not the summary also applies to all overrides of the method.
- The fourth value **concat** is the method name.
- The fifth value **(String)** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary.
- The seventh value is the access path to the input (where data flows from). **Argument[this]** is the access path to the qualifier (**s1** in the example) and **Argument[0]** is the access path to the first argument (**s2** in the example).
- The eighth value **ReturnValue** is the access path to the output (where data flows to), in this case **ReturnValue**, which means that the input flows to the return value.
- The ninth value **taint** is the kind of the flow. **taint** means that taint is propagated through the call.
- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
Example: Add flow through the **map** method
---------------------------------------------
In this example, we will see a more complex example of modeling flow through a method.
This pattern shows how to model flow through higher order methods and collection types.
Note that the flow through the **map** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow(Stream<String> s) {
Stream<String> l = s.map(e -> e.concat("\n"));
...
}
To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]
Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
Each tuple defines part of the flow that comprises the total flow through the **map** method.
The first five values identify the callable (in this case a method) to be modeled as a summary.
These are the same for both of the rows above as we are adding two summaries for the same method.
- The first value **java.util.stream** is the package name.
- The second value **Stream** is the class (type) name.
- The third value **True** is a flag that indicates whether or not the summary also applies to all overrides of the method.
- The fourth value **map** is the method name.
- The fifth value **Function** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary definition.
- The seventh value is the access path to the **input** (where data flows from).
- The eighth value is the access path to the **output** (where data flows to).
For the first row:
- The seventh value is **Argument[this].Element**, which is the access path to the elements of the qualifier (the elements of the stream **s** in the example).
- The eight value is **Argument[0].Parameter[0]**, which is the access path to the first parameter of the **Function** argument of **map** (the lambda parameter **e** in the example).
For the second row:
- The seventh value is **Argument[0].ReturnValue**, which is the access path to the return value of the **Function** argument of **map** (the return value of the lambda in the example).
- The eighth value is **ReturnValue.Element**, which is the access path to the elements of the return value of **map** (the elements of the stream **l** in the example).
For the remaining values for both rows:
- The ninth value **value** is the kind of the flow. **value** means that the value is preserved.
- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
That is, the first row models that there is value flow from the elements of the qualifier stream into the first argument of the function provided to **map** and the second row models that there is value flow from the return value of the function to the elements of the stream returned from **map**.
Example: Add a **neutral** method
----------------------------------
In this example we will show how to model the **now** method as being neutral.
A neutral model is used to define that there is no flow through a method.
Note that the neutral model for the **now** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow() {
Instant t = Instant.now(); // There is no flow from now to t.
...
}
We need to add a tuple to the **neutralModel**\(package, type, name, signature, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.time", "Instant", "now", "()", "manual"]
Since we are adding a neutral model, we need to add tuples to the **neutralModel** extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a neutral and the fifth value is the provenance (origin) of the neutral.
- The first value **java.time** is the package name.
- The second value **Instant** is the class (type) name.
- The third value **now** is the method name.
- The fourth value **()** is the method input type signature.
- The fifth value **manual** is the provenance of the neutral.
.. _reference-material:
Reference material
------------------
The following sections provide reference material for extensible predicates.
This includes descriptions of each of the arguments (e.g. access paths, kinds and provenance).
Extensible predicates
---------------------
Below is a description of the columns for each extensible predicate.
Sources, sinks, summaries and neutrals are commonly known as models.
The semantics of many of the columns of the extensible predicates are shared.
The shared columns are:
- **package**: Name of the package containing the element(s) to be modeled.
- **type**: Name of the type containing the element(s) to be modeled.
- **subtypes**: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s).
- **name**: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria.
- **signature**: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria.
- **ext**: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document.
- **provenance**: Provenance (origin) of the model definition.
The columns **package**, **type**, **subtypes**, **name**, and **signature** are used to select the element(s) that the model applies to.
The :ref:`access-paths` section describes how access paths are composed.
This is the most complicated part of the extensible predicates and the **mini DSL** for access paths is shared across all extensible predicates.
sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind.
- **output**: Access path to the source, where the possibly tainted data flows from.
- **kind**: Kind of the source.
- **provenance**: Provenance (origin) of the source definition.
As most sources are used by all taint tracking queries there are only a few different source kinds.
The following source kinds are supported:
- **remote**: A remote source of possibly tainted data. This is the most common kind for a source. Sources of this kind are used for almost all taint tracking queries.
Below is an enumeration of the remaining source kinds, but they are out of scope for this documentation:
- **contentprovider**, **android-widget**, **android-external-storage-dir**.
sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific.
- **input**: Access path to the sink, where we want to check if tainted data can flow into.
- **kind**: Kind of the sink.
The following sink kinds are supported:
- **sql**: A SQL injection vulnerability sink.
- **xss**: A cross-site scripting vulnerability sink.
- **logging**: A log output sink.
Below is an enumeration of the remaining sinks, but they are out of scope for this documentation:
- **open-url**, **jndi-injection**, **ldap**, **jdbc-url**
- **mvel**, **xpath**, **groovy**, **ognl-injection**
- **intent-start**, **pending-intent-sent**, **url-open-stream**, **url-redirect**
- **create-file**, **read-file**, **write-file**, **set-hostname-verifier**
- **header-splitting**, **information-leak**, **xslt**, **jexl**
- **bean-validation**, **ssti**, **fragment-injection**, **regex-use[**\ `arg`\ **]**
summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Flow through (summary). This extensible predicate is used to model flow through elements.
- **input**: Access path to the input of the element (where data will flow from to the output).
- **output**: Access path to the output of the element (where data will flow to from the input).
- **kind**: Kind of the flow through.
- **provenance**: Provenance (origin) of the flow through.
The following kinds are supported:
- **taint**: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
- **value**: This means that the output equals the input or a copy of the input such that all of its properties are preserved.
neutralModel(package, type, name, signature, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This extensible predicate is not typically needed externally, but included here for completeness.
It only has minor impact on the data flow analysis.
Manual neutrals are considered high confidence dispatch call targets and can reduce the number of dispatch call targets during data flow analysis (a performance optimization).
- **provenance**: Provenance (origin) of the flow through.
.. _access-paths:
Access paths
------------
The **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
The following components are supported:
- **Argument[**\ `n`\ **]** selects the argument at index `n` (zero-indexed).
- **Argument[**\ `this`\ **]** selects the qualifier (instance parameter).
- **Argument[**\ `n1..n2`\ **]** selects the arguments in the given range (both ends included).
- **Parameter[**\ `n`\ **]** selects the parameter at index `n` (zero-indexed).
- **Parameter[**\ `n1..n2`\ **]** selects the parameters in the given range (both ends included).
- **ReturnValue** selects the return value.
- **Field[**\ `name`\ **]** selects the field with the fully qualified name `name`.
- **SyntheticField[**\ `name`\ **]** selects the synthetic field with name `name`.
- **SyntheticGlobal[**\ `name`\ **]** selects the synthetic global with name `name`.
- **ArrayElement** selects the elements of an array.
- **Element** selects the elements of a collection-like container.
- **MapKey** selects the element keys of a map.
- **MapValue** selects the element values of a map.
Provenance
----------
The **provenance** column is used to specify the provenance (origin) of the model definition and how the model was verified.
The following values are supported:
- **manual**: The model was manually created and added to the extensible predicate.
or values in the form **origin-verification**, where origin is one of:
- **ai**: The model was generated by AI.
- **df**: The model was generated by the dataflow model generator.
- **tb**: The model was generated by the type based model generator.
- **hq**: The model was generated using a heuristic query.
and verification is one of:
- **manual**: The model was verified by a human.
- **generated**: The model was generated, but not verified by a human.
The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated.
Furthermore, it impacts the data flow analysis in the following way:
- A **manual** model takes precedence over **generated** models. If a **manual** model exists for an element then all **generated** models are ignored.
- A **generated** model is ignored during analysis, if the source code of the element it is modeling is available.
That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.
.. include:: ../reusables/data-extensions.rst


@@ -0,0 +1,479 @@
.. _customizing-library-models-for-javascript:
:orphan:
:nosearch:
Customizing Library Models for JavaScript
=========================================
.. include:: ../reusables/beta-note-customizing-library-models.rst
JavaScript analysis can be customized by adding library models in data extension files.
A data extension for JavaScript is a YAML file of the form:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: <name of extensible predicate>
data:
- <tuple1>
- <tuple2>
- ...
The CodeQL library for JavaScript exposes the following extensible predicates:
- **sourceModel**\(type, path, kind)
- **sinkModel**\(type, path, kind)
- **typeModel**\(type1, type2, path)
- **summaryModel**\(type, path, input, output, kind)
See the [CLI documentation for how to load and use data extensions in a CodeQL evaluation run](https://docs.google.com/document/d/14IYCHX8wWuU-HTvJ2gPSdXQKHKYbWCHQKOgn8oLaa80/edit#heading=h.m0v53lpi6w2n) (internal access required).
We'll explain how to use these using a few examples, and provide some reference material at the end of this article.
Example: Taint sink in the 'execa' package
------------------------------------------
In this example, we'll show how to add the following argument, passed to **execa**, as a command-line injection sink:
.. code-block:: js
import { shell } from "execa";
shell(cmd); // <-- add 'cmd' as a taint sink
Note that this sink is already recognized by the CodeQL JS analysis, but for this example, you could use the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sinkModel
data:
- ["execa", "Member[shell].Argument[0]", "command-line-injection"]
- Since we're adding a new sink, we add a tuple to the **sinkModel** extensible predicate.
- The first column, **"execa"**, identifies a set of values from which to begin the search for the sink.
The string **"execa"** means we start at the places where the codebase imports the NPM package **execa**.
- The second column is an access path that is evaluated from left to right, starting at the values that were identified by the first column.
- **Member[shell]** selects accesses to the **shell** member of the **execa** package.
- **Argument[0]** selects the first argument to calls to that member.
- **command-line-injection** indicates that this is considered a sink for the command injection query.
Example: Taint sources from window 'message' events
---------------------------------------------------
In this example, we'll show how the **event.data** expression below could be marked as a remote flow source:
.. code-block:: js
window.addEventListener("message", function (event) {
let data = event.data; // <-- add 'event.data' as a taint source
});
Note that this source is already known by the CodeQL JS analysis, but for this example, you could use the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sourceModel
data:
- [
"global",
"Member[addEventListener].Argument[1].Parameter[0].Member[data]",
"remote",
]
- Since we're adding a new taint source, we add a tuple to the **sourceModel** extensible predicate.
- The first column, **"global"**, begins the search at references to the global object (also known as **window** in browser contexts). This is a special JavaScript object that contains all global variables and methods.
- **Member[addEventListener]** selects accesses to the **addEventListener** member.
- **Argument[1]** selects the second argument of calls to that member (the argument containing the callback).
- **Parameter[0]** selects the first parameter of the callback (the parameter named **event**).
- **Member[data]** selects accesses to the **data** property of the event object.
- Finally, the kind **remote** indicates that this is considered a source of remote flow.
In the next section, we'll show how to restrict the model to recognize events of a specific type.
Continued example: Restricting the event type
---------------------------------------------
The model above treats all events as sources of remote flow, not just **message** events.
For example, it would also pick up this irrelevant source:
.. code-block:: js
window.addEventListener("onclick", function (event) {
let data = event.data; // <-- 'event.data' became a spurious taint source
});
We can refine the model by adding the **WithStringArgument** component to restrict the set of calls being considered:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sourceModel
data:
- [
"global",
"Member[addEventListener].WithStringArgument[0=message].Argument[1].Parameter[0].Member[data]",
"remote",
]
The **WithStringArgument[0=message]** component here selects the subset of calls to **addEventListener** where the first argument is a string literal with the value **"message"**.
Example: Using types to add MySQL injection sinks
-------------------------------------------------
In this example, we'll show how to add the following SQL injection sink:
.. code-block:: ts
import { Connection } from "mysql";
function submit(connection: Connection, q: string) {
connection.query(q); // <-- add 'q' as a SQL injection sink
}
We can recognize this using the following extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sinkModel
data:
- ["mysql.Connection", "Member[query].Argument[0]", "sql-injection"]
- The first column, **"mysql.Connection"**, begins the search at any expression whose value is known to be an instance of
the **Connection** type from the **mysql** package. This will select the **connection** parameter above because of its type annotation.
- **Member[query]** selects the **query** member from the connection object.
- **Argument[0]** selects the first argument of a call to that member.
- **sql-injection** indicates that this is considered a sink for the SQL injection query.
This works in this example because the **connection** parameter has a type annotation that matches what the model is looking for.
Note that there is a significant difference between the following two rows:
.. code-block:: yaml
data:
- ["mysql.Connection", "", ...]
- ["mysql", "Member[Connection]", ...]
The first row matches instances of **mysql.Connection**, which are objects that encapsulate a MySQL connection.
The second row would match something like **require('mysql').Connection**, which is not itself a connection object.
In the next section, we'll show how to generalize the model to handle the absence of type annotations.
Continued example: Dealing with untyped code
--------------------------------------------
Suppose we want the model from above to detect the sink in this snippet:
.. code-block:: js
import { getConnection } from "@example/db";
let connection = getConnection();
connection.query(q); // <-- add 'q' as a SQL injection sink
There is no type annotation on **connection**, and there is no indication of what **getConnection()** returns.
Using a **typeModel** tuple we can tell our model that this function returns an instance of **mysql.Connection**:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: typeModel
data:
- ["mysql.Connection", "@example/db", "Member[getConnection].ReturnValue"]
- Since we're providing type information, we add a tuple to the **typeModel** extensible predicate.
- The first column, **"mysql.Connection"**, names the type that we're adding a new definition for.
- The second column, **"@example/db"**, begins the search at imports of the hypothetical NPM package **@example/db**.
- **Member[getConnection]** selects references to the **getConnection** member from that package.
- **ReturnValue** selects the return value from a call to that member.
The new model states that the return value of **getConnection()** has type **mysql.Connection**.
Combining this with the sink model we added earlier, the sink in the example is detected by the model.
The mechanism used here is how library models work for both TypeScript and plain JavaScript.
A good library model contains **typeModel** tuples to ensure it works even in codebases without type annotations.
For example, the **mysql** model that is included with the CodeQL JS analysis includes this type definition (among many others):
.. code-block:: yaml
- ["mysql.Connection", "mysql", "Member[createConnection].ReturnValue"]
Example: Adding flow through 'decodeURIComponent'
-------------------------------------------------
In this example, we'll show how to add flow through calls to `decodeURIComponent`:
.. code-block:: js
let y = decodeURIComponent(x); // add taint flow from 'x' to 'y'
Note that this flow is already recognized by the CodeQL JS analysis, but for this example, you could use the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: summaryModel
data:
- [
"global",
"Member[decodeURIComponent]",
"Argument[0]",
"ReturnValue",
"taint",
]
- Since we're adding flow through a function call, we add a tuple to the **summaryModel** extensible predicate.
- The first column, **"global"**, begins the search for relevant calls at references to the global object.
In JavaScript, global variables are properties of the global object, so this lets us access global variables or functions.
- The second column, **Member[decodeURIComponent]**, is a path leading to the function calls we wish to model.
In this case, we select references to the **decodeURIComponent** member from the global object, that is,
the global variable named **decodeURIComponent**.
- The third column, **Argument[0]**, indicates the input of the flow. In this case, the first argument to the function call.
- The fourth column, **ReturnValue**, indicates the output of the flow. In this case, the return value of the function call.
- The last column, **taint**, indicates the kind of flow to add. The value **taint** means the output is not necessarily equal
to the input, but was derived from the input in a taint-preserving way.
Example: Adding flow through 'underscore.forEach'
-------------------------------------------------
In this example, we'll show how to add flow through calls to **forEach** from the **underscore** package:
.. code-block:: js
require('underscore').forEach([x, y], (v) => { ... }); // add value flow from 'x' and 'y' to 'v'
Note that this flow is already recognized by the CodeQL JS analysis, but for this example, you could use the following data extension:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: summaryModel
data:
- [
"underscore",
"Member[forEach]",
"Argument[0].ArrayElement",
"Argument[1].Parameter[0]",
"value",
]
- Since we're adding flow through a function call, we add a tuple to the **summaryModel** extensible predicate.
- The first column, **"underscore"**, begins the search for relevant calls at places where the **underscore** package is imported.
- The second column, **Member[forEach]**, selects references to the **forEach** member from the **underscore** package.
- The third column specifies the input of the flow:
- **Argument[0]** selects the first argument of **forEach**, which is the array being iterated over.
- **ArrayElement** selects the elements of that array (the expressions **x** and **y**).
- The fourth column specifies the output of the flow:
- **Argument[1]** selects the second argument of **forEach** (the argument containing the callback function).
- **Parameter[0]** selects the first parameter of the callback function (the parameter named **v**).
- The last column, **value**, indicates the kind of flow to add. The value **value** means the input value is unchanged as
it flows to the output.
Reference material
------------------
The following sections provide reference material for extensible predicates, access paths, types, and kinds.
Extensible predicates
---------------------
sourceModel(type, path, kind)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds a new taint source. Most taint-tracking queries will use the new source.
- **type**: Name of a type from which to evaluate **path**.
- **path**: Access path leading to the source.
- **kind**: Kind of source to add. Currently only **remote** is used.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sourceModel
data:
- ["global", "Member[user].Member[name]", "remote"]
sinkModel(type, path, kind)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds a new taint sink. Sinks are query-specific and will typically affect one or two queries.
- **type**: Name of a type from which to evaluate **path**.
- **path**: Access path leading to the sink.
- **kind**: Kind of sink to add. See the section on sink kinds for a list of supported kinds.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sinkModel
data:
- ["global", "Member[eval].Argument[0]", "code-injection"]
summaryModel(type, path, input, output, kind)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds flow through a function call.
- **type**: Name of a type from which to evaluate **path**.
- **path**: Access path leading to a function call.
- **input**: Path relative to the function call that leads to input of the flow.
- **output**: Path relative to the function call leading to the output of the flow.
- **kind**: Kind of summary to add. Can be **taint** for taint-propagating flow, or **value** for value-preserving flow.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: summaryModel
data:
- [
"global",
"Member[decodeURIComponent]",
"Argument[0]",
"ReturnValue",
"taint",
]
typeModel(type1, type2, path)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Adds a new definition of a type.
- **type1**: Name of the type to define.
- **type2**: Name of the type from which to evaluate **path**.
- **path**: Access path leading from **type2** to **type1**.
Example:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: typeModel
data:
- [
"mysql.Connection",
"@example/db",
"Member[getConnection].ReturnValue",
]
Types
-----
A type is a string that identifies a set of values.
In each of the extensible predicates mentioned in previous section, the first column is always the name of a type.
A type can be defined by adding **typeModel** tuples for that type. Additionally, the following built-in types are available:
- The name of an NPM package matches imports of that package. For example, the type **express** matches the expression **require("express")**. If the package name includes dots, it must be surrounded by single quotes, such as in **'lodash.escape'**.
- The type **global** identifies the global object, also known as **window**. In JavaScript, global variables are properties of the global object, so global variables can be identified using this type. (This type also matches imports of the NPM package named **global**, which is a package that happens to export the global object.)
- A qualified type name of form **<package>.<type>** identifies expressions of type **<type>** from **<package>**. For example, **mysql.Connection** identifies expression of type **Connection** from the **mysql** package. Note that this only works if type annotations are present in the codebase, or if sufficient **typeModel** tuples have been provided for that type.
Access paths
------------
The **path**, **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
The following components are supported:
- **Argument[**\ `number`\ **]** selects the argument at the given index.
- **Argument[this]** selects the receiver of a method call.
- **Parameter[**\ `number`\ **]** selects the parameter at the given index.
- **Parameter[this]** selects the **this** parameter of a function.
- **ReturnValue** selects the return value of a function or call.
- **Member[**\ `name`\ **]** selects the property with the given name.
- **AnyMember** selects any property regardless of name.
- **ArrayElement** selects an element of an array.
- **Element** selects an element of an array, iterator, or set object.
- **MapValue** selects a value of a map object.
- **Awaited** selects the value of a promise.
- **Instance** selects instances of a class.
The following components are called "call site filters". They select a subset of the previously-selected calls, if the call fits certain criteria:
- **WithArity[**\ `number`\ **]** selects the subset of calls that have the given number of arguments.
- **WithStringArgument[**\ `number`\ **=**\ `value`\ **]** selects the subset of calls where the argument at the given index is a string literal with the given value.
Components related to decorators:
- **DecoratedClass** selects a class that has the current value as a decorator. For example, **Member[Component].DecoratedClass** selects any class that is decorated with **@Component**.
- **DecoratedParameter** selects a parameter that is decorated by the current value.
- **DecoratedMember** selects a method, field, or accessor that is decorated by the current value.
Additional notes about the syntax of operands:
- Multiple operands may be given to a single component, as a shorthand for the union of the operands. For example, **Member[foo,bar]** matches the union of **Member[foo]** and **Member[bar]**.
- Numeric operands to **Argument**, **Parameter**, and **WithArity** may be given as an interval. For example, **Argument[0..2]** matches argument 0, 1, or 2.
- **Argument[N-1]** selects the last argument of a call, and **Parameter[N-1]** selects the last parameter of a function, with **N-2** being the second-to-last and so on.
Kinds
-----
Source kinds
~~~~~~~~~~~~
- **remote**: A generic source of remote flow. Most taint-tracking queries will use such a source. Currently this is the only supported source kind.
Sink kinds
~~~~~~~~~~
Unlike sources, sinks tend to be highly query-specific, rarely affecting more than one or two queries. Not every query supports customizable sinks. If the following sinks are not suitable for your use case, you should add a new query.
- **code-injection**: A sink that can be used to inject code, such as in calls to **eval**.
- **command-line-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **fs.readFile**.
- **sql-injection**: A sink that can be used for SQL injection, such as in a MySQL **query** call.
- **nosql-injection**: A sink that can be used for NoSQL injection, such as in a MongoDB **findOne** call.
- **html-injection**: A sink that can be used for HTML injection, such as in a jQuery **$()** call.
- **request-forgery**: A sink that controls the URL of a request, such as in a **fetch** call.
- **url-redirection**: A sink that can be used to redirect the user to a malicious URL.
- **unsafe-deserialization**: A deserialization sink that can lead to code execution or other unsafe behaviour, such as an unsafe YAML parser.
Summary kinds
~~~~~~~~~~~~~
- **taint**: A summary that propagates taint. This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
- **value**: A summary that preserves the value of the input or creates a copy of the input such that all of its object properties are preserved.


@@ -75,12 +75,12 @@ This query uses ``Call`` and ``Name`` to find calls to the function ``eval`` - w
select call, "call to 'eval'."
The ``Call`` class represents calls in Python. The ``Call.getFunc()`` predicate gets the expression being called. ``Name.getId()`` gets the identifier (as a string) of the ``Name`` expression.
Due to the dynamic nature of Python, this query will select any call of the form ``eval(...)`` regardless of whether it is a call to the built-in function ``eval`` or not.
In a later tutorial we will see how to use the type-inference library to find calls to the built-in function ``eval`` regardless of name of the variable called.
This query will select any call of the form ``eval(...)`` regardless of whether it is a call to the built-in function ``eval`` or not.
Due to the dynamic nature of Python, such syntactic queries can be inaccurate. If one is looking for invocations of the built-in function ``eval``,
it is preferred to use the API graph, see ":doc:`Using API graphs in Python <using-api-graphs-in-python>`."
Further reading
---------------
.. include:: ../reusables/python-further-reading.rst
.. include:: ../reusables/codeql-ref-tools-further-reading.rst


@@ -3,13 +3,14 @@
Specifying additional remote flow sources for JavaScript
========================================================
You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
.. pull-quote::
Note
Deprecation Notice
Specifying remote flow sources in external files is currently in beta and subject to change.
Specifying remote flow sources with the JSON format described here is soon to be deprecated
and will be removed in the future.
You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
As mentioned in the :ref:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript--untrusted-data>`, the CodeQL libraries for JavaScript
provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as remote flow


@@ -0,0 +1,7 @@
.. pull-quote::
Beta Notice - Unstable API
Library customization using data extensions is currently in beta and subject to change.
Breaking changes to this format may occur while in beta.


@@ -0,0 +1,10 @@
.. _data-extensions:
Data Extensions
===============
.. pull-quote::
Beta Notice - Internal documentation
Data extensions are documented internally in a `Google doc <https://docs.google.com/document/d/14IYCHX8wWuU-HTvJ2gPSdXQKHKYbWCHQKOgn8oLaa80>`_.


@@ -223,7 +223,9 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
aioch, Database
aiomysql, Database
aiopg, Database
aiosqlite, Database
asyncpg, Database
cassandra-driver, Database
clickhouse-driver, Database
cx_Oracle, Database
mysql-connector-python, Database
@@ -233,9 +235,9 @@ and the CodeQL library pack ``codeql/python-all`` (`changelog <https://github.co
oracledb, Database
phoenixdb, Database
psycopg2, Database
pyodbc, Database
pymssql, Database
PyMySQL, Database
pyodbc, Database
sqlite3, Database
Flask-SQLAlchemy, Database ORM
peewee, Database ORM
@@ -276,4 +278,3 @@ and the CodeQL library pack ``codeql/ruby-all`` (`changelog <https://github.com/
Ruby on Rails, Web framework
rubyzip, Compression library
typhoeus, HTTP client


@@ -11,11 +11,11 @@
Microsoft extensions (up to VS 2019),
Arm Compiler 5 [3]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
C#,C# up to 10.0,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
C#,C# up to 11,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
.NET Core up to 3.1
.NET 5, .NET 6","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
.NET 5, .NET 6, .NET 7","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
Go (aka Golang), "Go up to 1.20", "Go 1.11 or more recent", ``.go``
Java,"Java 7 to 20 [4]_","javac (OpenJDK and Oracle JDK),


@@ -0,0 +1,4 @@
---
category: fix
---
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.


@@ -7,5 +7,6 @@ library: true
upgrades: upgrades
dependencies:
codeql/tutorial: ${workspace}
codeql/util: ${workspace}
dataExtensions:
- ext/*.model.yml


@@ -8,6 +8,7 @@ private import DataFlowImplCommon
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommonPublic
private import codeql.util.Unit
import DataFlow
/**


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
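Review bot: The new public alias `module PathGraph = I::PathGraph;` has no QLDoc, and once `import I` is dropped it appears to be the only name from `Impl<Config>` that this legacy wrapper still exports, so a reader cannot tell that the narrowing is deliberate. I would put a doc comment directly above it, for example `/** The path graph for flows found by a legacy Configuration; the only member of I that is re-exported on purpose. */`. Queries that picked up any other name through the old `import I` will presumably stop compiling, which matches the change note, but it is worth saying so in the comment or the note. The same alias is added without documentation in the two identical file sections that follow. The `Config` module and `PathNode` class that surround these hunks start and end outside the visible lines.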


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -3,6 +3,7 @@ private import DataFlowUtil
private import DataFlowImplCommon
private import ContainerFlow
private import FlowSummaryImpl as FlowSummaryImpl
private import codeql.util.Unit
import DataFlowNodes::Private
private newtype TReturnKind =
@@ -339,15 +340,6 @@ predicate forceHighPrecision(Content c) {
c instanceof ArrayContent or c instanceof CollectionContent
}
/** The unit type. */
private newtype TUnit = TMkUnit()
/** The trivial type with a single element. */
class Unit extends TUnit {
/** Gets a textual representation of this element. */
string toString() { result = "unit" }
}
/**
* Gets the `i`th argument of call `c`, where the receiver of a method call
* counts as argument -1.


@@ -10,6 +10,7 @@ private import FlowSummaryImplSpecific
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommon
private import codeql.util.Unit
/** Provides classes and predicates for defining flow summaries. */
module Public {


@@ -4,6 +4,7 @@
private import go
private import FlowSummaryImpl as FlowSummaryImpl
private import codeql.util.Unit
/**
* Holds if taint can flow from `src` to `sink` in zero or more
@@ -66,14 +67,6 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) {
)
}
private newtype TUnit = TMkUnit()
/** A singleton class containing a single dummy "unit" value. */
private class Unit extends TUnit {
/** Gets a textual representation of this element. */
string toString() { result = "unit" }
}
/**
* A unit class for adding additional taint steps.
*


@@ -33,29 +33,28 @@ freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
groovy.lang,26,,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
groovy.util,5,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
hudson.model,4,,1,,2,,,,,,,,,,,,,1,,1,,,,,,,,,,,,,,,,,,,,,1,
hudson.os,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
hudson.remoting,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
hudson.util,4,,1,,3,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,1,
hudson,44,,16,,19,,,,,,,,,,,,,6,,17,,,,,,,,,,,,,2,,,,,,,,16,
io.netty.bootstrap,3,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,
io.netty.channel,9,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,,,,,,,,,,,,
io.netty.handler.codec.http,3,,1,,,,,,,,,,,,,,,2,,1,,,,,,,,,,,,,,,,,,,,,1,
io.netty.buffer,,,207,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,77
io.netty.channel,9,2,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,,,,,,,,,,2,,
io.netty.handler.codec,3,13,260,,,,,,,,,,,,,,,2,,1,,,,,,,,,,,,,,,,,,,,13,144,116
io.netty.handler.ssl,2,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,
io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
io.netty.util.internal,2,,2,,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,
io.netty.util,2,,23,,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,21,2
jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
java.io,42,,40,,17,,,,,,,,,,,,,,,3,,,,,,,,,,,,,22,,,,,,,,39,1
java.lang,16,,76,,,,,,,,,,,,8,,,,,3,,4,,,1,,,,,,,,,,,,,,,,53,23
java.io,42,,45,,17,,,,,,,,,,,,,,,3,,,,,,,,,,,,,22,,,,,,,,43,2
java.lang,16,,90,,,,,,,,,,,,8,,,,,3,,4,,,1,,,,,,,,,,,,,,,,55,35
java.net,12,3,17,,,,,,,,,,,,,,,12,,,,,,,,,,,,,,,,,,,,,,3,17,
java.nio,25,,29,,19,,,,,,,,,,,,,,,4,,,,,,,,,,,,,2,,,,,,,,29,
java.nio,25,,30,,19,,,,,,,,,,,,,,,4,,,,,,,,,,,,,2,,,,,,,,30,
java.sql,13,,3,,,,,,,,4,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,2,1
java.util,44,,465,,,,,,,,,,,,34,,,,,,,,5,2,,1,2,,,,,,,,,,,,,,38,427
java.util,44,,478,,,,,,,,,,,,34,,,,,,,,5,2,,1,2,,,,,,,,,,,,,,41,437
javafx.scene.web,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
1 package sink source summary sink:bean-validation sink:create-file sink:fragment-injection sink:groovy sink:header-splitting sink:information-leak sink:intent-start sink:jdbc-url sink:jexl sink:jndi-injection sink:ldap sink:logging sink:mvel sink:ognl-injection sink:open-url sink:pending-intent-sent sink:read-file sink:regex-use sink:regex-use[-1] sink:regex-use[0] sink:regex-use[] sink:regex-use[f-1] sink:regex-use[f1] sink:regex-use[f] sink:set-hostname-verifier sink:sql sink:ssti sink:url-open-stream sink:url-redirect sink:write-file sink:xpath sink:xslt sink:xss source:android-external-storage-dir source:android-widget source:contentprovider source:remote summary:taint summary:value
33 freemarker.template 7 7
34 groovy.lang 26 26
35 groovy.util 5 5
36 hudson.model hudson 4 44 1 16 2 19 1 6 1 17 2 1 16
hudson.os 1 1
hudson.remoting 1 1
hudson.util 4 1 3 1 1
37 io.netty.bootstrap 3 3
38 io.netty.channel io.netty.buffer 9 207 9 130 77
39 io.netty.handler.codec.http io.netty.channel 3 9 2 1 2 9 1 2 1
40 io.netty.handler.codec 3 13 260 2 1 13 144 116
41 io.netty.handler.ssl 2 2
42 io.netty.handler.stream 1 1
43 io.netty.resolver 1 1
44 io.netty.util.internal io.netty.util 2 2 23 1 1 2 21 2
45 jakarta.faces.context 2 7 2 7
46 jakarta.json 123 100 23
47 jakarta.ws.rs.client 1 1
48 jakarta.ws.rs.container 9 9
49 jakarta.ws.rs.core 2 149 2 94 55
50 java.awt 3 3
51 java.beans 1 1
52 java.io 42 40 45 17 3 22 39 43 1 2
53 java.lang 16 76 90 8 3 4 1 53 55 23 35
54 java.net 12 3 17 12 3 17
55 java.nio 25 29 30 19 4 2 29 30
56 java.sql 13 3 4 9 2 1
57 java.util 44 465 478 34 5 2 1 2 38 41 427 437
58 javafx.scene.web 1 1
59 javax.faces.context 2 7 2 7
60 javax.imageio.stream 1 1


@@ -18,10 +18,10 @@ Java framework & library support
`Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,39,,6,,,,,
JBoss Logging,``org.jboss.logging``,,,324,,,,,,,
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
Java Standard Library,``java.*``,3,631,152,36,,,9,,,12
Java Standard Library,``java.*``,3,667,152,36,,,9,,,12
Java extensions,"``javax.*``, ``jakarta.*``",63,611,34,1,,4,,1,1,2
Kotlin Standard Library,``kotlin*``,,1835,12,10,,,,,,2
`Spring <https://spring.io/>`_,``org.springframework.*``,29,480,101,,,,19,14,,29
Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``hudson.model``, ``hudson.os``, ``hudson.remoting``, ``hudson.util``, ``io.netty.bootstrap``, ``io.netty.channel``, ``io.netty.handler.codec.http``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util.internal``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",60,314,328,12,,,18,18,,28
Totals,,217,8508,1647,150,6,10,113,33,1,113
Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.util``, ``hudson``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",75,813,364,26,,,18,18,,33
Totals,,232,9043,1683,164,6,10,113,33,1,118


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added sources and flow step models for the Netty framework up to version 4.1.


@@ -0,0 +1,7 @@
---
category: minorAnalysis
---
* Added more sink and summary dataflow models for the following packages:
* `hudson.model`
* `hudson.scm`
* `hudson.util`


@@ -0,0 +1,8 @@
---
category: minorAnalysis
---
* Added more sink and summary dataflow models for the following packages:
* `hudson.cli`
* `hudson.lifecycle`
* `hudson`
* `hudson.util.io`


@@ -0,0 +1,4 @@
---
category: fix
---
* Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.


@@ -0,0 +1,5 @@
---
category: deprecated
---
* The `execTainted` predicate in `CommandLineQuery.qll` has been deprecated and replaced with the predicate `execIsTainted`.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by `java/index-out-of-bounds` and `java/constant-comparison`.


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.cli", "FullDuplexHttpStream", True, "FullDuplexHttpStream", "(URL,String,String)", "", "Argument[0]", "open-url", "ai-generated"]
- ["hudson.cli", "FullDuplexHttpStream", True, "FullDuplexHttpStream", "(URL,String,String)", "", "Argument[1]", "open-url", "manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.lifecycle", "Lifecycle", True, "rewriteHudsonWar", "(File)", "", "Argument[0]", "create-file", "ai-generated"]


@@ -1,14 +1,18 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[this].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.model", "DownloadService", True, "loadJSON", "(URL)", "", "Argument[0]", "open-url", "ai-generated"]
- ["hudson.model", "DownloadService", True, "loadJSONHTML", "(URL)", "", "Argument[0]", "open-url", "ai-generated"]
- ["hudson.model", "DirectoryBrowserSupport", False, "DirectoryBrowserSupport", "(ModelObject,FilePath,String,String,boolean)", "", "Argument[1]", "read-file", "ai-generated"]
- ["hudson.model", "Items", True, "load", "(ItemGroup,File)", "", "Argument[1]", "read-file", "ai-generated"]
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "download", "(DownloadJob,URL)", "", "Argument[1]", "open-url", "ai-generated"]
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(DownloadJob,File,File)", "", "Argument[1]", "create-file", "ai-generated"] # should be delete-file
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(DownloadJob,File,File)", "", "Argument[2]", "create-file", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.model", "Node", True, "createPath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[this].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-generated"]


@@ -0,0 +1,26 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson", "FilePath", False, "copyFrom", "(FilePath)", "", "Argument[0]", "read-file", "manual"]
- ["hudson", "FilePath", False, "copyFrom", "(URL)", "", "Argument[0]", "read-file", "manual"]
- ["hudson", "FilePath", False, "copyFrom", "(FileItem)", "", "Argument[0]", "read-file", "ai-generated"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String,TarCompression)", "", "Argument[1]", "create-file", "ai-generated"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String)", "", "Argument[1]", "write-file", "ai-generated"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(String,FilePath)", "", "Argument[1]", "create-file", "ai-generated"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[0]", "read-file", "ai-generated"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[2]", "create-file", "ai-generated"]
- ["hudson", "FilePath", False, "copyTo", "(FilePath)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson", "FilePath", False, "installIfNecessaryFrom", "(URL,TaskListener,String)", "", "Argument[0]", "open-url", "ai-generated"]
- ["hudson", "FilePath", False, "newInputStreamDenyingSymlinkAsNeeded", "(File,String,boolean)", "", "Argument[0]", "read-file", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson", "FilePath", False, "child", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["hudson", "FilePath", False, "list", "(String,String,boolean)", "", "Argument[this]", "ReturnValue", "taint", "ai-generated"]
- ["hudson", "FilePath", False, "list", "(String,String)", "", "Argument[this]", "ReturnValue", "taint", "ai-generated"]
- ["hudson", "FilePath", False, "list", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-generated"]
- ["hudson", "FilePath", False, "normalize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["hudson", "FilePath", False, "sibling", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
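Review bot: The `copyRecursiveTo(DirScanner,FilePath,String)` row labels its destination `Argument[1]` as `write-file`, while the other `copyRecursiveTo` overloads and `copyTo(FilePath)` in this same file label their destination `FilePath` as `create-file`. Elsewhere in this commit `write-file` is used for the content being written (`TextFile.write(String)`, `Argument[0]`), so this overload would presumably be matched by a different query than its siblings, and a tainted destination path passed through it may not be reported by the path-based queries. Unless the difference is intended, I would align the row: `- ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String)", "", "Argument[1]", "create-file", "ai-generated"]`. If it is intended, a trailing comment saying why would keep the next reader from "fixing" it.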


@@ -0,0 +1,18 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.scm", "ChangeLogParser", True, "parse", "(AbstractBuild,File)", "", "Argument[1]", "read-file", "ai-generated"]
- ["hudson.scm", "ChangeLogParser", True, "parse", "(Run,RepositoryBrowser,File)", "", "Argument[2]", "read-file", "ai-generated"]
- ["hudson.scm", "SCM", True, "checkout", "(AbstractBuild,Launcher,FilePath,BuildListener,File)", "", "Argument[2]", "create-file", "ai-generated"]
- ["hudson.scm", "SCM", True, "checkout", "(Run,Launcher,FilePath,TaskListener,File,SCMRevisionState)", "", "Argument[2]", "create-file", "ai-generated"]
- ["hudson.scm", "SCM", True, "compareRemoteRevisionWith", "(Job,Launcher,FilePath,TaskListener,SCMRevisionState)", "", "Argument[2]", "read-file", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.scm", "SCM", True, "getModuleRoot", "(FilePath,AbstractBuild)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["hudson.scm", "SCM", True, "getModuleRoot", "(FilePath)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["hudson.scm", "SCM", True, "getModuleRoots", "(FilePath,AbstractBuild)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["hudson.scm", "SCM", True, "getModuleRoots", "(FilePath)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.util.io", "ReopenableFileOutputStream", True, "ReopenableFileOutputStream", "(File)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util.io", "RewindableFileOutputStream", True, "RewindableFileOutputStream", "(File)", "", "Argument[0]", "create-file", "ai-generated"]


@@ -1,11 +1,25 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(File)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(Path,Charset,boolean,boolean)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(Path,Charset)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util", "ClasspathBuilder", True, "add", "(FilePath)", "", "Argument[0]", "read-file", "ai-generated"]
- ["hudson.util", "IOUtils", True, "mkdirs", "(File)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util", "StreamTaskListener", True, "StreamTaskListener", "(File,boolean,Charset)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util", "TextFile", True, "delete", "()", "", "Argument[this]", "create-file", "manual"]
- ["hudson.util", "TextFile", True, "fastTail", "", "", "Argument[this]", "read-file", "manual"]
- ["hudson.util", "TextFile", True, "head", "", "", "Argument[this]", "read-file", "manual"]
- ["hudson.util", "TextFile", True, "lines", "()", "", "Argument[this]", "read-file", "manual"]
- ["hudson.util", "TextFile", True, "read", "()", "", "Argument[this]", "read-file", "manual"]
- ["hudson.util", "TextFile", True, "readTrim", "()", "", "Argument[this]", "read-file", "manual"]
- ["hudson.util", "TextFile", True, "write", "(String)", "", "Argument[0]", "write-file", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.util", "QuotedStringTokenizer", True, "tokenize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson.util", "StreamTaskListener", True, "StreamTaskListener", "(File,boolean,Charset)", "", "Argument[0]", "create-file", "ai-generated"]
- ["hudson.util", "TextFile", True, "TextFile", "(File)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
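Review bot: The `TextFile.delete` row models a deletion as a `create-file` sink without saying so, whereas the `hudson.model` file in this commit marks the same stand-in on `UpdateCenter$UpdateCenterConfiguration.install` with `# should be delete-file`. I would add the same trailing comment to this row, `# should be delete-file`, so that anyone triaging a result or migrating sink kinds later can find every row where the kind is a placeholder. Old and new lines are interleaved in this rendering; I am assuming from the hunk counts (11 old lines, 25 new) that this row is on the new side.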


@@ -0,0 +1,212 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.buffer", "ByteBufConvertible", True, "asByteBuf", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "array", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "asReadOnly", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "capacity", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "copy", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "discardReadBytes", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "discardSomeReadBytes", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "duplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "ensureWritable", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,OutputStream,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "markReaderIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "markWriterIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "nioBuffer", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "nioBuffers", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "order", "(ByteOrder)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(OutputStream,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readerIndex", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "resetReaderIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "resetWriterIndex", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "retainedDuplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "retainedSlice", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setDoubleLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setFloatLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setIndex", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setIntLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setLongLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setMedium", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setMediumLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setShortLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setZero", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "skipBytes", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "slice", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "unwrap", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[],int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuffer)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeDoubleLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeFloatLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeIntLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeLongLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeMedium", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeMediumLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeShortLE", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeZero", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writerIndex", "(int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBufHolder", True, "copy", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufHolder", True, "content", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufHolder", True, "duplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufHolder", True, "retainedDuplicate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufHolder", True, "replace", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[])", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,byte[],int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuffer)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,ByteBuf,int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,FileChannel,long,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,GatheringByteChannel,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getBytes", "(int,OutputStream,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getChar", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "getCharSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[])", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(byte[],int,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuffer)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(ByteBuf,int,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(FileChannel,long,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(GatheringByteChannel,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(OutputStream,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readBytes", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readChar", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readCharSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readSlice", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "readRetainedSlice", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[])", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,byte[],int,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuffer)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ByteBuf,int,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,FileChannel,long,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,ScatteringByteChannel,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setBytes", "(int,InputStream,int)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setChar", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "setCharSequence", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeByte", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(byte[],int,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuffer)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ByteBuf,int,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(FileChannel,long,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(ScatteringByteChannel,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeBytes", "(InputStream,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeChar", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBuf", True, "writeCharSequence", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", False, "CompositeByteBuf", "(ByteBufAllocator,boolean,int,ByteBuf[])", "", "Argument[3].ArrayElement", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", False, "CompositeByteBuf", "(ByteBufAllocator,boolean,int,Iterable)", "", "Argument[3].Element", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(int,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(boolean,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(ByteBuf[])", "", "Argument[0].ArrayElement", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(int,ByteBuf[])", "", "Argument[1].ArrayElement", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(boolean,ByteBuf[])", "", "Argument[1].ArrayElement", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(Iterable)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(int,Iterable)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "(boolean,Iterable)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addFlattenedComponents", "(boolean,ByteBuf)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponent", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addComponents", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "addFlattenedComponents", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "component", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "componentAtOffset", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "consolidate", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "consolidate", "(int,int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "CompositeByteBuf", True, "decompose", "(int,int)", "", "Argument[this]", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(byte[][])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(byte[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuffer)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(ByteBuffer[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(char[],Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(char[],int,int,Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(CharSequence,Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "copiedBuffer", "(CharSequence,int,int,Charset)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "unmodifiableBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "unmodifiableBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "unreleasableBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(byte[][])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(byte[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuffer)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(ByteBuffer[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(int,byte[][])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(int,ByteBuf[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedBuffer", "(int,ByteBuffer[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "Unpooled", False, "wrappedUnmodifiableBuffer", "(ByteBuf[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "copy", "(AsciiString,ByteBuf)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "copy", "(AsciiString,int,ByteBuf,int)", "", "Argument[0]", "Argument[2]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "copy", "(AsciiString,int,ByteBuf,int,int)", "", "Argument[0]", "Argument[2]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "decodeHexDump", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "decodeHexDump", "(CharSequence,int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "encodeString", "(ByteBufAllocator,CharBuffer,Charset)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "encodeString", "(ByteBufAllocator,CharBuffer,Charset,int)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "ensureAccessible", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "getBytes", "(ByteBuf)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "getBytes", "(ByteBuf,int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "getBytes", "(ByteBuf,int,int,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "readBytes", "(ByteBufAllocator,ByteBuf,int)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "reserveAndWriteUtf8", "(ByteBuf,CharSequence,int)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "reserveAndWriteUtf8", "(ByteBuf,CharSequence,int,int,int)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "setShortBE", "(ByteBuf,int,int)", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeAscii", "(ByteBuf,CharSequence)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeAscii", "(ByteBufAllocator,CharSequence)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeShortBE", "(ByteBuf,int)", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeMediumBE", "(ByteBuf,int)", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeUtf8", "(ByteBuf,CharSequence)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeUtf8", "(ByteBuf,CharSequence,int,int)", "", "Argument[1]", "Argument[0]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufUtil", False, "writeUtf8", "(ByteBufAllocator,CharSequence)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["io.netty.buffer", "ByteBufInputStream", True, "ByteBufInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufOutputStream", True, "ByteBufOutputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.buffer", "ByteBufOutputStream", True, "buffer", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]


@@ -12,3 +12,9 @@ extensions:
- ["io.netty.channel", "DefaultChannelPipeline", False, "connect", "(SocketAddress,ChannelPromise)", "", "Argument[0]", "open-url", "ai-generated"]
- ["io.netty.channel", "DefaultChannelPipeline", False, "connect", "(SocketAddress,SocketAddress,ChannelPromise)", "", "Argument[0]", "open-url", "ai-generated"]
- ["io.netty.channel", "DefaultChannelPipeline", False, "connect", "(SocketAddress,SocketAddress)", "", "Argument[0]", "open-url", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["io.netty.channel", "ChannelInboundHandler", True, "channelRead", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.channel", "SimpleChannelInboundHandler", True, "channelRead0", "", "", "Parameter[1]", "remote", "manual"]
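Review bot: The two new `sourceModel` rows carry no comment saying what `Parameter[1]` is, and with an empty signature and the subtypes column set to `True` they mark the second parameter of every `channelRead` / `channelRead0` override as `remote`. A one-line comment above them, for example `# Parameter[1] is the inbound message (msg); Parameter[0] is the ChannelHandlerContext`, would make the intent checkable. The same breadth covers handlers that sit behind an application-level decoder or run on an embedded channel in tests, so it would help triage to state that this is intended. The `extensions:` list these rows join starts above the hunk.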


@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.base64", "Base64", True, "decode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.base64", "Base64", True, "encode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
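Review bot: Both `Base64` rows set the subtypes column to `True`, while the other static helper classes modelled in this commit (`Unpooled`, `ByteBufUtil`) use `False`. If `Base64` is the final utility class of static methods it appears to be, `False` would be consistent and would state that no overrides are expected: `- ["io.netty.handler.codec.base64", "Base64", False, "decode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]`, and likewise for `encode`. The empty signature matches every overload, which relies on the source buffer being the first argument in all of them; a short comment saying so would make that assumption visible.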


@@ -0,0 +1,19 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "domain", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "name", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "path", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "value", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "setDomain", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "setPath", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "Cookie", True, "setValue", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieDecoder", True, "decode", "(String)", "", "Argument[0]", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieDecoder", True, "decodeAll", "(String)", "", "Argument[0]", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Cookie)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Cookie[])", "", "Argument[0].ArrayElement", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Collection)", "", "Argument[0].Element", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(Iterable)", "", "Argument[0].Element", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec.http.cookie", "ServerCookieEncoder", True, "encode", "(String,String)", "", "Argument[1..2]", "ReturnValue", "taint", "manual"]
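Review bot: The last row models `ServerCookieEncoder.encode` with signature `(String,String)` but reads its input from `Argument[1..2]`; a two-parameter method only has arguments 0 and 1, so the cookie name in `Argument[0]` is not tracked and index 2 matches nothing. If both name and value are meant to reach the encoded string, the input should read `"Argument[0..1]"`; if only the value is intended, plain `"Argument[1]"` says that without the stray index. As written, a query looking for untrusted data in response headers would likely not see a remotely supplied cookie name flowing through this overload.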


@@ -1,12 +1,83 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["io.netty.handler.codec.http", "DefaultFullHttpRequest", True, "DefaultFullHttpRequest", "(HttpVersion,HttpMethod,String,ByteBuf)", "", "Argument[2]", "open-url", "ai-generated"]
- ["io.netty.handler.codec.http", "DefaultHttpRequest", True, "DefaultHttpRequest", "(HttpVersion,HttpMethod,String)", "", "Argument[2]", "open-url", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http", "QueryStringEncoder", True, "QueryStringEncoder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["io.netty.handler.codec.http", "DefaultFullHttpRequest", True, "DefaultFullHttpRequest", "(HttpVersion,HttpMethod,String,ByteBuf)", "", "Argument[2]", "open-url", "ai-generated"]
- ["io.netty.handler.codec.http", "DefaultHttpRequest", True, "DefaultHttpRequest", "(HttpVersion,HttpMethod,String)", "", "Argument[2]", "open-url", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http", "QueryStringEncoder", True, "QueryStringEncoder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(CharSequence,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(String,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(HttpHeaders)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "add", "(HttpHeaders)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "addInt", "(CharSequence,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "addInt", "(CharSequence,int)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "addShort", "(CharSequence,short)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "addShort", "(CharSequence,short)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "copy", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "copy", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "entries", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "entries", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "get", "", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "get", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getAll", "", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getAllAsString", "", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getAsString", "", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getHeader", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getHeader", "", "", "Argument[2]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getHost", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "getHost", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorAsString", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorAsString", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorCharSequence", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "iteratorCharSequence", "()", "", "Argument[this].Element.MapValue", "ReturnValue.Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "names", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "newEntity", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "remove", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(CharSequence,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(String,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(HttpHeaders)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "set", "(HttpHeaders)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setAll", "(HttpHeaders)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setAll", "(HttpHeaders)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setAll", "(HttpHeaders)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setInt", "(CharSequence,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setInt", "(CharSequence,int)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setShort", "(CharSequence,short)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "setShort", "(CharSequence,short)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "valueStringIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "valueCharSequenceIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "toString", "", "", "Argument[this].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpHeaders", True, "toString", "", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
# Currently all write steps to http messages are taint flow. It may reduce FPs to use a synthetic field for headers instead.
- ["io.netty.handler.codec.http", "HttpMessage", True, "headers", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "LastHttpContent", True, "trailingHeaders", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpRequest", True, "getUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpRequest", True, "uri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "HttpRequest", True, "setUri", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "QueryStringDecoder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "decodeComponent", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "parameters", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "path", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "rawPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "rawQuery", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http", "QueryStringDecoder", True, "uri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
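Review bot: The header-name flow uses two different kinds for the same `CharSequence` parameter type: `add(CharSequence,Object)`, `add(CharSequence,Iterable)` and the matching `set` overloads write `Argument[0]` to `Argument[this].Element.MapKey` as `taint`, while `addInt`, `addShort`, `setInt` and `setShort` write it as `value`. Unless the difference is deliberate, one kind should be used throughout, e.g. `- ["io.netty.handler.codec.http", "HttpHeaders", True, "addInt", "(CharSequence,int)", "", "Argument[0]", "Argument[this].Element.MapKey", "taint", "manual"]`. If it is deliberate, a comment next to the existing note about write steps should say why the `CharSequence` key is `taint` in one group and `value` in the other, since the choice decides whether value-preserving queries see header names.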


@@ -4,3 +4,40 @@ extensions:
extensible: sinkModel
data:
- ["io.netty.handler.codec.http.multipart", "HttpPostRequestEncoder", True, "addBodyFileUpload", "(String,File,String,boolean)", "", "Argument[1]", "read-file", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "currentPartialHttpData", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "getBodyHttpData", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "getBodyHttpDatas", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "getBodyHttpDatas", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "next", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "offer", "(HttpContent)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpPostRequestDecoder", True, "offer", "(HttpContent)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostRequestDecoder", True, "HttpPostRequestDecoder", "(HttpRequest)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostRequestDecoder", True, "HttpPostRequestDecoder", "(HttpDataFactory,HttpRequest)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostRequestDecoder", True, "HttpPostRequestDecoder", "(HttpDataFactory,HttpRequest,Charset)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostStandardRequestDecoder", True, "HttpPostStandardRequestDecoder", "(HttpRequest)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostStandardRequestDecoder", True, "HttpPostStandardRequestDecoder", "(HttpDataFactory,HttpRequest)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostStandardRequestDecoder", True, "HttpPostStandardRequestDecoder", "(HttpDataFactory,HttpRequest,Charset)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostMultipartRequestDecoder", True, "HttpPostMultipartRequestDecoder", "(HttpRequest)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostMultipartRequestDecoder", True, "HttpPostMultipartRequestDecoder", "(HttpDataFactory,HttpRequest)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpPostMultipartRequestDecoder", True, "HttpPostMultipartRequestDecoder", "(HttpDataFactory,HttpRequest,Charset)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "InterfaceHttpData", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "addContent", "(ByteBuf,boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "get", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "getByteBuf", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "getChunk", "(int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "getString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "getString", "(Charset)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "Attribute", True, "getValue", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "Attribute", True, "setValue", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "FileUpload", True, "getContentTransferEncoding", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "FileUpload", True, "getContentType", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "FileUpload", True, "getFilename", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "FileUpload", True, "setContentTransferEncoding", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "FileUpload", True, "setContentType", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "FileUpload", True, "setFilename", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "setContent", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.multipart", "HttpData", True, "setContent", "(InputStream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
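Review bot: `getBodyHttpDatas()` and `getBodyHttpDatas(String)` return a list, but both rows put taint on `ReturnValue` itself rather than on `ReturnValue.Element`, unlike the cookie decoder rows in this commit, which use `ReturnValue.Element` for their collection results. Whether taint on the container reaches items read with `get` or a for-each loop depends on the library's container steps, so this is worth confirming with a test case; if it does not, uploaded field values and file names obtained this way would go untracked. The element form would end in `"Argument[this]", "ReturnValue.Element", "taint", "manual"]`. The `sinkModel` block at the top of this hunk starts above it.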


@@ -0,0 +1,25 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(boolean,int,int,String)", "", "Argument[3]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(int,String)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "CloseWebSocketFrame", "(WebSocketCloseStatus,String)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "CloseWebSocketFrame", True, "reasonText", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "BinaryWebSocketFrame", True, "BinaryWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "BinaryWebSocketFrame", True, "BinaryWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "ContinuationWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "ContinuationWebSocketFrame", "(boolean,int,String)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "ContinuationWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "ContinuationWebSocketFrame", True, "text", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "PingWebSocketFrame", True, "PingWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "PingWebSocketFrame", True, "PingWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "PongWebSocketFrame", True, "PongWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "PongWebSocketFrame", True, "PongWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(boolean,int,ByteBuf)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(boolean,int,String)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "TextWebSocketFrame", "(ByteBuf)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.handler.codec.http.websocketx", "TextWebSocketFrame", True, "text", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]


@@ -0,0 +1,49 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onDataRead", "", "", "Parameter[2]", "remote", "manual"]
- ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onHeadersRead", "", "", "Parameter[2]", "remote", "manual"]
- ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onPushPromiseRead", "", "", "Parameter[3]", "remote", "manual"]
- ["io.netty.handler.codec.http2", "Http2FrameListener", True, "onUnknownFrame", "", "", "Parameter[4]", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http2", "Http2Headers", True, "authority", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "authority", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "authority", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "method", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "method", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "method", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "path", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "path", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "path", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "scheme", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "scheme", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "scheme", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "status", "()", "", "Argument[this].Element.MapValue", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "status", "(CharSequence)", "", "Argument[0]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "status", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2Headers", True, "valueIterator", "(CharSequence)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "value", "manual"]
- ["io.netty.handler.codec.http2", "Http2HeadersFrame", True, "headers", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "Http2PushPromiseFrame", True, "http2Headers", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,FullHttpMessage,boolean)", "", "Argument[1].Element.MapKey", "Argument[2]", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,FullHttpMessage,boolean)", "", "Argument[1].Element.MapValue", "Argument[2]", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,HttpHeaders,HttpVersion,boolean,boolean)", "", "Argument[1].Element.MapKey", "Argument[2].Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "addHttp2ToHttpHeaders", "(int,Http2Headers,HttpHeaders,HttpVersion,boolean,boolean)", "", "Argument[1].Element.MapValue", "Argument[2].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpRequest", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpRequest", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpRequest", "(int,Http2Headers,ByteBuf,boolean)", "", "Argument[2]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpResponse", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpResponse", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toFullHttpResponse", "(int,Http2Headers,ByteBuf,boolean)", "", "Argument[2]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,boolean)", "", "Argument[0].Element.MapKey", "ReturnValue.Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,boolean)", "", "Argument[0].Element.MapValue", "ReturnValue.Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,Http2Headers)", "", "Argument[0].Element.MapKey", "Argument[1].Element.MapKey", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttp2Headers", "(HttpHeaders,Http2Headers)", "", "Argument[0].Element.MapValue", "Argument[1].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpRequest", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpRequest", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpResponse", "", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec.http2", "HttpConversionUtil", False, "toHttpResponse", "", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
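Review bot: The `sourceModel` rows for `Http2FrameListener` cover `onDataRead`, `onHeadersRead`, `onPushPromiseRead` and `onUnknownFrame`, but not `onGoAwayRead`, whose `ByteBuf debugData` argument is also supplied by the remote peer. If the omission is not deliberate, a row such as `["io.netty.handler.codec.http2", "Http2FrameListener", True, "onGoAwayRead", "", "", "Parameter[3]", "remote", "manual"]` would close the gap. Without it, taint queries do not treat GOAWAY debug data as a remote source, so handlers that log or parse it go unflagged. The parameter index should be confirmed against the Netty stubs used by the tests.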


@@ -0,0 +1,103 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["io.netty.handler.codec", "ByteToMessageDecoder", True, "callDecode", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.handler.codec", "ByteToMessageDecoder", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.handler.codec", "ByteToMessageDecoder", True, "decodeLast", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.handler.codec", "ByteToMessageCodec", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.handler.codec", "ByteToMessageCodec", True, "decodeLast", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.handler.codec", "MessageToMessageDecoder", True, "acceptInboundMessage", "", "", "Parameter[0]", "remote", "manual"]
- ["io.netty.handler.codec", "MessageToMessageDecoder", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
- ["io.netty.handler.codec", "MessageToMessageCodec", True, "acceptInboundMessage", "", "", "Parameter[0]", "remote", "manual"]
- ["io.netty.handler.codec", "MessageToMessageCodec", True, "decode", "", "", "Parameter[1]", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec", "ByteToMessageDecoder$Cumulator", True, "cumulate", "(ByteBufAllocator,ByteBuf,ByteBuf)", "", "Argument[1..2]", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "getAsString", "(Headers,Object)", "", "Argument[0].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "getAllAsString", "(Headers,Object)", "", "Argument[0].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "namesAsString", "(Headers)", "", "Argument[0].Element.MapKey", "ReturnValue.Element", "value", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "iteratorAsString", "(Iterable)", "", "Argument[0].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "iteratorAsString", "(Iterable)", "", "Argument[0].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "toString", "(Class,Iterator,int)", "", "Argument[1].Element.MapKey", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "HeadersUtils", False, "toString", "(Class,Iterator,int)", "", "Argument[1].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "get", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "get", "(Object,Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "get", "(Object,Object)", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "getAll", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "getAllAndRemove", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object,Object)", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "names", "()", "", "Argument[this].Element.MapKey", "ReturnValue.Element", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Headers)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Headers)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "add", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addObject", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addBoolean", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addByte", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addChar", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addDouble", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addFloat", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addInt", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addLong", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addShort", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addTimeMillis", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "addTimeMillis", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Headers)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Headers)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "set", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setAll", "(Headers)", "", "Argument[0].Element.MapKey", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setAll", "(Headers)", "", "Argument[0].Element.MapValue", "Argument[this].Element.MapValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Iterable)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Iterable)", "", "Argument[1].Element", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object[])", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object)", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setObject", "(Object,Object)", "", "Argument[1]", "Argument[this].Element.MapValue", "taint", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setBoolean", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setBoolean", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setByte", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setByte", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setChar", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setChar", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setDouble", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setDouble", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setFloat", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setFloat", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setInt", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setInt", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setLong", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setLong", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setShort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setShort", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setTimeMillis", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.handler.codec", "Headers", True, "setTimeMillis", "", "", "Argument[0]", "Argument[this].Element.MapKey", "value", "manual"]
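Review bot: The two `Headers.getAndRemove` rows with signature `(Object)` are byte-identical, so the second adds nothing; the parallel `get` rows suggest it was meant to cover the `(Object,Object)` overload. As written, `getAndRemove(Object,Object)` only propagates its default-value argument, so a tainted header value returned through that overload is missed by taint tracking. Change the second row to `["io.netty.handler.codec", "Headers", True, "getAndRemove", "(Object,Object)", "", "Argument[this].Element.MapValue", "ReturnValue", "taint", "manual"]`.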


@@ -0,0 +1,27 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.util", "ReferenceCounted", True, "retain", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.util", "ReferenceCounted", True, "touch", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["io.netty.util", "AsciiString", False, "AsciiString", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "array", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "cached", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "concat", "(CharSequence)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "concat", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "copy", "(int,byte[],int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "copy", "(int,char[],int,int)", "", "Argument[this]", "Argument[1]", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "of", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "replace", "(char,char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "split", "(char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "split", "(String,int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "split", "(char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "subSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "toByteArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "toCharArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "toLowerCase", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "toUpperCase", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "trim", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["io.netty.util", "AsciiString", False, "trim", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
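Review bot: The `AsciiString.split` row with signature `(char)` appears twice, once before and once after the `(String,int)` row, with identical input, output and kind. The second copy is redundant and can be dropped. Since only two `split` signatures are listed, it is worth confirming that no other method or overload was intended in that slot.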


@@ -1,10 +1,3 @@
/** Provides the `Unit` class. */
/** The unit type. */
private newtype TUnit = TMkUnit()
/** The trivial type with a single element. */
class Unit extends TUnit {
/** Gets a textual representation of this element. */
string toString() { result = "unit" }
}
import codeql.util.Unit


@@ -421,32 +421,6 @@ private predicate boundFlowStep(Expr e2, Expr e1, int delta, boolean upper) {
delta = 0 and
(upper = true or upper = false)
or
exists(Expr x |
e2.(AddExpr).hasOperands(e1, x)
or
exists(AssignAddExpr add | add = e2 |
add.getDest() = e1 and add.getRhs() = x
or
add.getDest() = x and add.getRhs() = e1
)
|
// `x instanceof ConstantIntegerExpr` is covered by valueFlowStep
not x instanceof ConstantIntegerExpr and
not e1 instanceof ConstantIntegerExpr and
if strictlyPositiveIntegralExpr(x)
then upper = false and delta = 1
else
if positive(x)
then upper = false and delta = 0
else
if strictlyNegativeIntegralExpr(x)
then upper = true and delta = -1
else
if negative(x)
then upper = true and delta = 0
else none()
)
or
exists(Expr x |
exists(SubExpr sub |
e2 = sub and
@@ -896,6 +870,20 @@ private predicate bounded(
or
upper = false and delta = d1.minimum(d2)
)
or
exists(
Bound b1, Bound b2, int d1, int d2, boolean fbe1, boolean fbe2, int od1, int od2, Reason r1,
Reason r2
|
boundedAddition(e, upper, b1, true, d1, fbe1, od1, r1) and
boundedAddition(e, upper, b2, false, d2, fbe2, od2, r2) and
delta = d1 + d2 and
fromBackEdge = fbe1.booleanOr(fbe2)
|
b = b1 and origdelta = od1 and reason = r1 and b2 instanceof ZeroBound
or
b = b2 and origdelta = od2 and reason = r2 and b1 instanceof ZeroBound
)
}
private predicate boundedConditionalExpr(
@@ -904,3 +892,37 @@ private predicate boundedConditionalExpr(
) {
bounded(cond.getBranchExpr(branch), b, delta, upper, fromBackEdge, origdelta, reason)
}
private predicate nonConstAdd(Expr add, Expr operand, boolean isLeft) {
exists(Expr other |
add.(AddExpr).getLeftOperand() = operand and
add.(AddExpr).getRightOperand() = other and
isLeft = true
or
add.(AddExpr).getLeftOperand() = other and
add.(AddExpr).getRightOperand() = operand and
isLeft = false
or
add.(AssignAddExpr).getDest() = operand and
add.(AssignAddExpr).getRhs() = other and
isLeft = true
or
add.(AssignAddExpr).getDest() = other and
add.(AssignAddExpr).getRhs() = operand and
isLeft = false
|
// `ConstantIntegerExpr` is covered by valueFlowStep
not other instanceof ConstantIntegerExpr and
not operand instanceof ConstantIntegerExpr
)
}
private predicate boundedAddition(
Expr add, boolean upper, Bound b, boolean isLeft, int delta, boolean fromBackEdge, int origdelta,
Reason reason
) {
exists(Expr op |
nonConstAdd(add, op, isLeft) and
bounded(op, b, delta, upper, fromBackEdge, origdelta, reason)
)
}


@@ -8,6 +8,7 @@ private import DataFlowImplCommon
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
private import DataFlowImplCommonPublic
private import codeql.util.Unit
import DataFlow
/**


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
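Review bot: `module PathGraph = I::PathGraph;` has no doc comment, although with `import I` gone it is now the only name deliberately re-exported from `I`. A one-line QLDoc such as `/** The edges/nodes path graph of I; nothing else from I is exported from this wrapper. */` would record that intent and make it harder to reintroduce the accidental exposure. The same applies to the identical alias in the two file sections that follow this one.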


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -11,6 +11,7 @@ import DataFlowImplSpecific::Public
private import DataFlowImpl
import DataFlowImplCommonPublic
import FlowStateString
private import codeql.util.Unit
/**
* A configuration of interprocedural data flow analysis. This defines
@@ -328,7 +329,6 @@ private module Config implements FullStateConfigSig {
}
private import Impl<Config> as I
import I
/**
* A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
@@ -379,6 +379,8 @@ class PathNode instanceof I::PathNode {
final predicate isSinkGroup(string group) { super.isSinkGroup(group) }
}
module PathGraph = I::PathGraph;
private predicate hasFlow(Node source, Node sink, Configuration config) {
exists(PathNode source0, PathNode sink0 |
hasFlowPath(source0, sink0, config) and
@@ -388,7 +390,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
flowPath(source, sink) and source.getConfiguration() = config
I::flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
