From eacc600b29a241f6ec434daf1f13c6c143f7cbd0 Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Mon, 20 Jan 2025 14:55:35 +0100
Subject: [PATCH 1/3] Java: annotate a query as not selecting sources

This is for performance in diff-informed mode but also for avoiding spurious entries in the code scanning timeline and alert list.
---
 .../code/java/security/WebviewDebuggingEnabledQuery.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
index 90e47521bf0..080a7bb482f 100644
--- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -46,6 +46,12 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    // This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't
+    // select the source in any "$@" column.
+    none()
+  }
 }
 
 /**

From 7ad6f13bf548bebd98d21c2e3bde7c433d5e04ad Mon Sep 17 00:00:00 2001
From: Jonas Jensen
Date: Mon, 27 Jan 2025 13:54:22 +0100
Subject: [PATCH 2/3] Java: adjust CommandLineQuery locations

It turns out these locations need to be precise.
---
 .../semmle/code/java/security/CommandLineQuery.qll | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 468ab9506a5..a1c75f93802 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
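Review bot: The `none()` body of `getASelectedSourceLocation` encodes a fact about a different file (that `WebviewDebuggingEnabled.ql` never puts the source in a `$@` column), so a later edit to that query's select clause would presumably make diff-informed mode drop alerts silently rather than fail loudly. The comment should spell out the obligation, e.g. append `// If the query ever selects the source via "$@", return source.getLocation() here.` so the coupling is visible to whoever next touches the query. If the test infrastructure allows running the query in diff-informed mode, a test over the existing WebView test sources would make the invariant checkable rather than documented only.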
@@ -59,12 +59,15 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
   }
 
-  // It's valid to use diff-informed data flow for this configuration because
-  // the location of the selected element in the query is contained inside the
-  // location of the sink. The query, as a predicate, is used negated in
-  // another query, but that's only to prevent overlapping results between two
-  // queries.
+  // The query, as a predicate, is used negated in another query, but that's
+  // only to prevent overlapping results between two queries.
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  // All queries use the argument as the primary location and do not use the
+  // sink as an associated location.
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+  }
 }
 
 /**

From 0e6936d418f0b9ad6e999521747479170ba45a79 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Mon, 3 Feb 2025 12:42:11 +0000
Subject: [PATCH 3/3] C++: Strip the type when computing the base type of a chain of qualifiers.

---
 cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
index df2d04a97d7..70d6795f76b 100644
--- a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -49,7 +49,11 @@ private Class getRootType(FieldAccess fa) {
   exists(VariableAccess root |
     root = fa.getQualifier+() and
     not exists(root.getQualifier()) and
-    result = root.getUnspecifiedType()
+    // We strip the type because the root may be a pointer. For example `p` in:
+    // struct S { char buffer[10]; };
+    // S* p = ...;
+    // strcpy(p->buffer, "abc");
+    result = root.getUnspecifiedType().stripType()
   )
 }
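Review bot: The new comment on `getASelectedSinkLocation` asserts "All queries use the argument as the primary location" but, unlike the comment added in the first patch, does not name those queries, so the invariant it relies on cannot be checked from this file and will silently go stale if a consuming query ever selects the sink node itself. Name them, e.g. `// Used by the exec-injection queries that select `argument`; if one ever selects the sink node via "$@", add sink.getLocation() here.` with the actual query file names substituted. It is also worth one sentence on the no-result case: when `argumentToExec(argument, sink)` holds for no `argument`, the sink gets no selected location and is presumably excluded in diff-informed mode, which is only safe if the sink set is itself defined through `argumentToExec`. The enclosing module continues outside the hunk.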
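Review bot: The comment above `result = root.getUnspecifiedType().stripType()` explains the change only for pointer roots, but as far as I recall `stripType()` in the C++ library also removes reference and array levels (and typedefs/specifiers), so roots such as `S arr[3]` in `arr->buffer` or `S& r` in `r.buffer` now resolve to `S` as well, while any root whose stripped type is not a class is still dropped by the `Class` return type. Because Buffer.qll feeds the buffer-overflow queries, this widens which field accesses obtain a root type, so the comment should state the full set and the change should carry test cases for the array and reference roots, not just the pointer one. Suggest adding `// stripType() also removes reference and array levels, so `arr` in `S arr[3]` and `r` in `S& r` yield `S` too.` below the existing example. If `stripType()` already strips specifiers and typedefs, `root.getType().stripType()` is sufficient and the `getUnspecifiedType()` step is redundant; worth confirming against the library docs. The enclosing predicate `getRootType` starts outside the hunk.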