add explicit this to member call

Erik Krogh Kristensen
2022-01-20 22:28:44 +01:00
parent ddfc3bc00f
commit f500bccbe4
17 changed files with 222 additions and 198 deletions


@@ -1122,7 +1122,7 @@ class FormatLiteral extends Literal {
* conversion specifier of this format string; has no result if this cannot
* be determined.
*/
int getMaxConvertedLength(int n) { result = max(getMaxConvertedLength(n, _)) }
int getMaxConvertedLength(int n) { result = max(this.getMaxConvertedLength(n, _)) }
/**
* Gets the maximum length of the string that can be produced by the nth
@@ -1353,7 +1353,7 @@ class FormatLiteral extends Literal {
* determining whether a buffer overflow is caused by long float to string
* conversions.
*/
int getMaxConvertedLengthLimited(int n) { result = max(getMaxConvertedLengthLimited(n, _)) }
int getMaxConvertedLengthLimited(int n) { result = max(this.getMaxConvertedLengthLimited(n, _)) }
/**
* Gets the maximum length of the string that can be produced by the nth


@@ -76,7 +76,7 @@ abstract class BufferWrite extends Expr {
* can be found), specifying the reason for the estimation.
*/
int getMaxData(BufferWriteEstimationReason reason) {
reason instanceof UnspecifiedEstimateReason and result = getMaxData()
reason instanceof UnspecifiedEstimateReason and result = this.getMaxData()
}
/**
@@ -85,7 +85,7 @@ abstract class BufferWrite extends Expr {
* much smaller (8 bytes) than their true maximum length. This can be
* helpful in determining the cause of a buffer overflow issue.
*/
int getMaxDataLimited() { result = getMaxData() }
int getMaxDataLimited() { result = this.getMaxData() }
/**
* Gets an upper bound to the amount of data that's being written (if one
@@ -94,7 +94,7 @@ abstract class BufferWrite extends Expr {
* than their true maximum length. This can be helpful in determining the
* cause of a buffer overflow issue.
*/
int getMaxDataLimited(BufferWriteEstimationReason reason) { result = getMaxData(reason) }
int getMaxDataLimited(BufferWriteEstimationReason reason) { result = this.getMaxData(reason) }
/**
* Gets the size of a single character of the type this
@@ -159,9 +159,11 @@ class StrCopyBW extends BufferWriteCall {
this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
}
override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
override int getMaxData(BufferWriteEstimationReason reason) {
result = this.getMaxDataImpl(reason)
}
override int getMaxData() { result = max(getMaxDataImpl(_)) }
override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
}
/**
@@ -203,9 +205,11 @@ class StrCatBW extends BufferWriteCall {
this.getArgument(this.getParamSrc()).(AnalysedString).getMaxLength() * this.getCharSize()
}
override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
override int getMaxData(BufferWriteEstimationReason reason) {
result = this.getMaxDataImpl(reason)
}
override int getMaxData() { result = max(getMaxDataImpl(_)) }
override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
}
/**
@@ -269,9 +273,11 @@ class SprintfBW extends BufferWriteCall {
)
}
override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
override int getMaxData(BufferWriteEstimationReason reason) {
result = this.getMaxDataImpl(reason)
}
override int getMaxData() { result = max(getMaxDataImpl(_)) }
override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
exists(FormatLiteral fl |
@@ -281,10 +287,10 @@ class SprintfBW extends BufferWriteCall {
}
override int getMaxDataLimited(BufferWriteEstimationReason reason) {
result = getMaxDataLimitedImpl(reason)
result = this.getMaxDataLimitedImpl(reason)
}
override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
}
/**
@@ -382,9 +388,11 @@ class SnprintfBW extends BufferWriteCall {
)
}
override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
override int getMaxData(BufferWriteEstimationReason reason) {
result = this.getMaxDataImpl(reason)
}
override int getMaxData() { result = max(getMaxDataImpl(_)) }
override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
private int getMaxDataLimitedImpl(BufferWriteEstimationReason reason) {
exists(FormatLiteral fl |
@@ -394,10 +402,10 @@ class SnprintfBW extends BufferWriteCall {
}
override int getMaxDataLimited(BufferWriteEstimationReason reason) {
result = getMaxDataLimitedImpl(reason)
result = this.getMaxDataLimitedImpl(reason)
}
override int getMaxDataLimited() { result = max(getMaxDataLimitedImpl(_)) }
override int getMaxDataLimited() { result = max(this.getMaxDataLimitedImpl(_)) }
}
/**
@@ -495,9 +503,11 @@ class ScanfBW extends BufferWrite {
)
}
override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
override int getMaxData(BufferWriteEstimationReason reason) {
result = this.getMaxDataImpl(reason)
}
override int getMaxData() { result = max(getMaxDataImpl(_)) }
override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
override string getBWDesc() {
exists(FunctionCall fc |
@@ -536,7 +546,9 @@ class RealpathBW extends BufferWriteCall {
this = this // Suppress a compiler warning
}
override int getMaxData(BufferWriteEstimationReason reason) { result = getMaxDataImpl(reason) }
override int getMaxData(BufferWriteEstimationReason reason) {
result = this.getMaxDataImpl(reason)
}
override int getMaxData() { result = max(getMaxDataImpl(_)) }
override int getMaxData() { result = max(this.getMaxDataImpl(_)) }
}


@@ -38,7 +38,7 @@ abstract class IncludeSummarizedCallable extends RelevantSummarizedCallable {
this.getDeclaringType().hasQualifiedName(namespace, type) and
result =
namespace + ";" + type + ";" + this.getCallableOverride() + ";" + this.getName() + ";" + "("
+ parameterQualifiedTypeNamesToString() + ")"
+ this.parameterQualifiedTypeNamesToString() + ")"
)
}
}


@@ -10,7 +10,7 @@ import semmle.code.java.Type
*/
library class ServletRequest extends RefType {
ServletRequest() {
hasQualifiedName("javax.servlet", "ServletRequest") or
this.hasQualifiedName("javax.servlet", "ServletRequest") or
this instanceof HttpServletRequest
}
}
@@ -19,7 +19,7 @@ library class ServletRequest extends RefType {
* The interface `javax.servlet.http.HttpServletRequest`.
*/
library class HttpServletRequest extends RefType {
HttpServletRequest() { hasQualifiedName("javax.servlet.http", "HttpServletRequest") }
HttpServletRequest() { this.hasQualifiedName("javax.servlet.http", "HttpServletRequest") }
}
/**
@@ -28,13 +28,13 @@ library class HttpServletRequest extends RefType {
*/
library class ServletRequestGetParameterMethod extends Method {
ServletRequestGetParameterMethod() {
getDeclaringType() instanceof ServletRequest and
this.getDeclaringType() instanceof ServletRequest and
(
hasName("getParameter") or
hasName("getParameterValues")
this.hasName("getParameter") or
this.hasName("getParameterValues")
) and
getNumberOfParameters() = 1 and
getParameter(0).getType() instanceof TypeString
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType() instanceof TypeString
}
}
@@ -43,9 +43,9 @@ library class ServletRequestGetParameterMethod extends Method {
*/
library class ServletRequestGetParameterNamesMethod extends Method {
ServletRequestGetParameterNamesMethod() {
getDeclaringType() instanceof ServletRequest and
hasName("getParameterNames") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof ServletRequest and
this.hasName("getParameterNames") and
this.getNumberOfParameters() = 0
}
}
@@ -54,9 +54,9 @@ library class ServletRequestGetParameterNamesMethod extends Method {
*/
library class ServletRequestGetParameterMapMethod extends Method {
ServletRequestGetParameterMapMethod() {
getDeclaringType() instanceof ServletRequest and
hasName("getParameterMap") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof ServletRequest and
this.hasName("getParameterMap") and
this.getNumberOfParameters() = 0
}
}
@@ -65,9 +65,9 @@ library class ServletRequestGetParameterMapMethod extends Method {
*/
library class HttpServletRequestGetQueryStringMethod extends Method {
HttpServletRequestGetQueryStringMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getQueryString") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getQueryString") and
this.getNumberOfParameters() = 0
}
}
@@ -76,9 +76,9 @@ library class HttpServletRequestGetQueryStringMethod extends Method {
*/
class HttpServletRequestGetPathMethod extends Method {
HttpServletRequestGetPathMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getPathInfo") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getPathInfo") and
this.getNumberOfParameters() = 0
}
}
@@ -87,10 +87,10 @@ class HttpServletRequestGetPathMethod extends Method {
*/
library class HttpServletRequestGetHeaderMethod extends Method {
HttpServletRequestGetHeaderMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getHeader") and
getNumberOfParameters() = 1 and
getParameter(0).getType() instanceof TypeString
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getHeader") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType() instanceof TypeString
}
}
@@ -99,10 +99,10 @@ library class HttpServletRequestGetHeaderMethod extends Method {
*/
library class HttpServletRequestGetHeadersMethod extends Method {
HttpServletRequestGetHeadersMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getHeaders") and
getNumberOfParameters() = 1 and
getParameter(0).getType() instanceof TypeString
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getHeaders") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType() instanceof TypeString
}
}
@@ -111,9 +111,9 @@ library class HttpServletRequestGetHeadersMethod extends Method {
*/
library class HttpServletRequestGetHeaderNamesMethod extends Method {
HttpServletRequestGetHeaderNamesMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getHeaderNames") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getHeaderNames") and
this.getNumberOfParameters() = 0
}
}
@@ -122,9 +122,9 @@ library class HttpServletRequestGetHeaderNamesMethod extends Method {
*/
class HttpServletRequestGetRequestURLMethod extends Method {
HttpServletRequestGetRequestURLMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getRequestURL") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getRequestURL") and
this.getNumberOfParameters() = 0
}
}
@@ -133,9 +133,9 @@ class HttpServletRequestGetRequestURLMethod extends Method {
*/
class HttpServletRequestGetRequestURIMethod extends Method {
HttpServletRequestGetRequestURIMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getRequestURI") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getRequestURI") and
this.getNumberOfParameters() = 0
}
}
@@ -144,9 +144,9 @@ class HttpServletRequestGetRequestURIMethod extends Method {
*/
library class HttpServletRequestGetRemoteUserMethod extends Method {
HttpServletRequestGetRemoteUserMethod() {
getDeclaringType() instanceof HttpServletRequest and
hasName("getRemoteUser") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getRemoteUser") and
this.getNumberOfParameters() = 0
}
}
@@ -155,8 +155,8 @@ library class HttpServletRequestGetRemoteUserMethod extends Method {
*/
library class ServletRequestGetBodyMethod extends Method {
ServletRequestGetBodyMethod() {
getDeclaringType() instanceof ServletRequest and
(hasName("getInputStream") or hasName("getReader"))
this.getDeclaringType() instanceof ServletRequest and
(this.hasName("getInputStream") or this.hasName("getReader"))
}
}
@@ -166,7 +166,7 @@ library class ServletRequestGetBodyMethod extends Method {
*/
class ServletResponse extends RefType {
ServletResponse() {
hasQualifiedName("javax.servlet", "ServletResponse") or
this.hasQualifiedName("javax.servlet", "ServletResponse") or
this instanceof HttpServletResponse
}
}
@@ -175,7 +175,7 @@ class ServletResponse extends RefType {
* The interface `javax.servlet.http.HttpServletResponse`.
*/
class HttpServletResponse extends RefType {
HttpServletResponse() { hasQualifiedName("javax.servlet.http", "HttpServletResponse") }
HttpServletResponse() { this.hasQualifiedName("javax.servlet.http", "HttpServletResponse") }
}
/**
@@ -183,11 +183,11 @@ class HttpServletResponse extends RefType {
*/
class HttpServletResponseSendErrorMethod extends Method {
HttpServletResponseSendErrorMethod() {
getDeclaringType() instanceof HttpServletResponse and
hasName("sendError") and
getNumberOfParameters() = 2 and
getParameter(0).getType().hasName("int") and
getParameter(1).getType() instanceof TypeString
this.getDeclaringType() instanceof HttpServletResponse and
this.hasName("sendError") and
this.getNumberOfParameters() = 2 and
this.getParameter(0).getType().hasName("int") and
this.getParameter(1).getType() instanceof TypeString
}
}
@@ -196,8 +196,8 @@ class HttpServletResponseSendErrorMethod extends Method {
*/
class ServletRequestGetRequestDispatcherMethod extends Method {
ServletRequestGetRequestDispatcherMethod() {
getDeclaringType() instanceof ServletRequest and
hasName("getRequestDispatcher")
this.getDeclaringType() instanceof ServletRequest and
this.hasName("getRequestDispatcher")
}
}
@@ -206,10 +206,10 @@ class ServletRequestGetRequestDispatcherMethod extends Method {
*/
class HttpServletResponseSendRedirectMethod extends Method {
HttpServletResponseSendRedirectMethod() {
getDeclaringType() instanceof HttpServletResponse and
hasName("sendRedirect") and
getNumberOfParameters() = 1 and
getParameter(0).getType() instanceof TypeString
this.getDeclaringType() instanceof HttpServletResponse and
this.hasName("sendRedirect") and
this.getNumberOfParameters() = 1 and
this.getParameter(0).getType() instanceof TypeString
}
}
@@ -218,9 +218,9 @@ class HttpServletResponseSendRedirectMethod extends Method {
*/
class ServletResponseGetWriterMethod extends Method {
ServletResponseGetWriterMethod() {
getDeclaringType() instanceof ServletResponse and
hasName("getWriter") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof ServletResponse and
this.hasName("getWriter") and
this.getNumberOfParameters() = 0
}
}
@@ -229,15 +229,15 @@ class ServletResponseGetWriterMethod extends Method {
*/
class ServletResponseGetOutputStreamMethod extends Method {
ServletResponseGetOutputStreamMethod() {
getDeclaringType() instanceof ServletResponse and
hasName("getOutputStream") and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof ServletResponse and
this.hasName("getOutputStream") and
this.getNumberOfParameters() = 0
}
}
/** The class `javax.servlet.http.Cookie`. */
library class TypeCookie extends Class {
TypeCookie() { hasQualifiedName("javax.servlet.http", "Cookie") }
TypeCookie() { this.hasQualifiedName("javax.servlet.http", "Cookie") }
}
/**
@@ -245,9 +245,9 @@ library class TypeCookie extends Class {
*/
library class CookieGetValueMethod extends Method {
CookieGetValueMethod() {
getDeclaringType() instanceof TypeCookie and
hasName("getValue") and
getReturnType() instanceof TypeString
this.getDeclaringType() instanceof TypeCookie and
this.hasName("getValue") and
this.getReturnType() instanceof TypeString
}
}
@@ -256,10 +256,10 @@ library class CookieGetValueMethod extends Method {
*/
library class CookieGetNameMethod extends Method {
CookieGetNameMethod() {
getDeclaringType() instanceof TypeCookie and
hasName("getName") and
getReturnType() instanceof TypeString and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof TypeCookie and
this.hasName("getName") and
this.getReturnType() instanceof TypeString and
this.getNumberOfParameters() = 0
}
}
@@ -268,10 +268,10 @@ library class CookieGetNameMethod extends Method {
*/
library class CookieGetCommentMethod extends Method {
CookieGetCommentMethod() {
getDeclaringType() instanceof TypeCookie and
hasName("getComment") and
getReturnType() instanceof TypeString and
getNumberOfParameters() = 0
this.getDeclaringType() instanceof TypeCookie and
this.hasName("getComment") and
this.getReturnType() instanceof TypeString and
this.getNumberOfParameters() = 0
}
}
@@ -280,8 +280,8 @@ library class CookieGetCommentMethod extends Method {
*/
class ResponseAddCookieMethod extends Method {
ResponseAddCookieMethod() {
getDeclaringType() instanceof HttpServletResponse and
hasName("addCookie")
this.getDeclaringType() instanceof HttpServletResponse and
this.hasName("addCookie")
}
}
@@ -290,8 +290,8 @@ class ResponseAddCookieMethod extends Method {
*/
class ResponseAddHeaderMethod extends Method {
ResponseAddHeaderMethod() {
getDeclaringType() instanceof HttpServletResponse and
hasName("addHeader")
this.getDeclaringType() instanceof HttpServletResponse and
this.hasName("addHeader")
}
}
@@ -300,8 +300,8 @@ class ResponseAddHeaderMethod extends Method {
*/
class ResponseSetHeaderMethod extends Method {
ResponseSetHeaderMethod() {
getDeclaringType() instanceof HttpServletResponse and
hasName("setHeader")
this.getDeclaringType() instanceof HttpServletResponse and
this.hasName("setHeader")
}
}
@@ -309,7 +309,7 @@ class ResponseSetHeaderMethod extends Method {
* A class that has `javax.servlet.Servlet` as an ancestor.
*/
class ServletClass extends Class {
ServletClass() { getAnAncestor().hasQualifiedName("javax.servlet", "Servlet") }
ServletClass() { this.getAnAncestor().hasQualifiedName("javax.servlet", "Servlet") }
}
/**
@@ -320,13 +320,13 @@ class ServletClass extends Class {
*/
class ServletWebXMLListenerType extends RefType {
ServletWebXMLListenerType() {
hasQualifiedName("javax.servlet", "ServletContextAttributeListener") or
hasQualifiedName("javax.servlet", "ServletContextListener") or
hasQualifiedName("javax.servlet", "ServletRequestAttributeListener") or
hasQualifiedName("javax.servlet", "ServletRequestListener") or
hasQualifiedName("javax.servlet.http", "HttpSessionAttributeListener") or
hasQualifiedName("javax.servlet.http", "HttpSessionIdListener") or
hasQualifiedName("javax.servlet.http", "HttpSessionListener")
this.hasQualifiedName("javax.servlet", "ServletContextAttributeListener") or
this.hasQualifiedName("javax.servlet", "ServletContextListener") or
this.hasQualifiedName("javax.servlet", "ServletRequestAttributeListener") or
this.hasQualifiedName("javax.servlet", "ServletRequestListener") or
this.hasQualifiedName("javax.servlet.http", "HttpSessionAttributeListener") or
this.hasQualifiedName("javax.servlet.http", "HttpSessionIdListener") or
this.hasQualifiedName("javax.servlet.http", "HttpSessionListener")
// Listeners that are not configured in `web.xml`:
// - `HttpSessionActivationListener`
// - `HttpSessionBindingListener`
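Review bot: Every type test in this file is pinned to the `javax.servlet` and `javax.servlet.http` packages, for example `this.hasQualifiedName("javax.servlet", "ServletRequest")` and the matching checks for `HttpServletRequest`, `HttpServletResponse`, `Cookie` and the listener types. Applications built against the renamed `jakarta.servlet` namespace would therefore not match these classes unless another library file, not visible here, models them. If that coverage is missing, parameter, header, cookie and body reads in such code would not be recognised by the request-method classes defined in these hunks, and analyses built on them would silently report nothing. One option is to accept both packages in each test, e.g. `this.hasQualifiedName(["javax.servlet", "jakarta.servlet"], "ServletRequest")`, with the same pattern applied to the `.http` checks.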


@@ -151,8 +151,8 @@ class SslUnwrapMethod extends Method {
/** The `getSession` method of the class `javax.net.ssl.SSLSession`.select */
class GetSslSessionMethod extends Method {
GetSslSessionMethod() {
hasName("getSession") and
getDeclaringType().getASupertype*() instanceof SSLSession
this.hasName("getSession") and
this.getDeclaringType().getASupertype*() instanceof SSLSession
}
}
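Review bot: The doc comment on `GetSslSessionMethod` ends with a stray `.select` and describes `getSession` as a method of `javax.net.ssl.SSLSession`, which does not match the JSSE API as far as I know: `getSession()` is declared on `SSLSocket` and `SSLEngine` and returns an `SSLSession`. If the QL class `SSLSession` (defined outside this hunk) models that interface, the test `this.getDeclaringType().getASupertype*() instanceof SSLSession` may match few or no methods, which would weaken any TLS-related query that depends on this class; this should be confirmed against the class definition and its callers. At minimum the comment should drop the trailing `.select` and name the type that actually declares the method.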


@@ -112,5 +112,5 @@ class MyBatisMapperInclude extends MyBatisMapperXMLElement {
* A `<foreach>` element in a `MyBatisMapperXMLElement`.
*/
class MyBatisMapperForeach extends MyBatisMapperXMLElement {
MyBatisMapperForeach() { getName() = "foreach" }
MyBatisMapperForeach() { this.getName() = "foreach" }
}


@@ -998,7 +998,7 @@ module API {
* Gets an API node where a RHS of the node is the `i`th argument to this call.
*/
pragma[noinline]
private Node getAParameterCandidate(int i) { result.getARhs() = getArgument(i) }
private Node getAParameterCandidate(int i) { result.getARhs() = this.getArgument(i) }
/** Gets the API node for a parameter of this invocation. */
Node getAParameter() { result = this.getParameter(_) }


@@ -137,12 +137,12 @@ module Routing {
* this subtree, and subsequently passed on to the successor.
*/
predicate mayResumeDispatch() {
getLastChild().mayResumeDispatch()
this.getLastChild().mayResumeDispatch()
or
exists(this.(RouteHandler).getAContinuationInvocation())
or
// Leaf nodes that aren't functions are assumed to invoke their continuation
not exists(getLastChild()) and
not exists(this.getLastChild()) and
not this instanceof RouteHandler
or
this instanceof MkRouter
@@ -150,7 +150,7 @@ module Routing {
/** Gets the parent of this node, provided that this node may invoke its continuation. */
private Node getContinuationParent() {
result = getParent() and
result = this.getParent() and
result.mayResumeDispatch()
}
@@ -170,7 +170,7 @@ module Routing {
*/
private predicate isFork() {
exists(Node child |
child = getAChild() and
child = this.getAChild() and
child.mayResumeDispatch() and
exists(child.getNextSibling())
)
@@ -184,11 +184,11 @@ module Routing {
* that is, a node that has siblings (i.e. multiple children).
*/
private string getPathFromFork(Node fork) {
isFork() and
this.isFork() and
this = fork and
result = ""
or
exists(Node parent | parent = getParent() |
exists(Node parent | parent = this.getParent() |
not exists(parent.getRelativePath()) and
result = parent.getPathFromFork(fork)
or
@@ -205,27 +205,27 @@ module Routing {
* that is, a node that has siblings (i.e. multiple children).
*/
private string getHttpMethodFromFork(Node fork) {
isFork() and
this.isFork() and
this = fork and
(
result = getOwnHttpMethod()
result = this.getOwnHttpMethod()
or
not exists(getOwnHttpMethod()) and
not exists(this.getOwnHttpMethod()) and
result = "*"
)
or
result = getParent().getHttpMethodFromFork(fork) and
result = this.getParent().getHttpMethodFromFork(fork) and
(
// Only the ancestor restricts the HTTP method
not exists(getOwnHttpMethod())
not exists(this.getOwnHttpMethod())
or
// Intersect permitted HTTP methods
result = getOwnHttpMethod()
result = this.getOwnHttpMethod()
)
or
// The ancestor allows any HTTP method, but this node restricts it
getParent().getHttpMethodFromFork(fork) = "*" and
result = getOwnHttpMethod()
this.getParent().getHttpMethodFromFork(fork) = "*" and
result = this.getOwnHttpMethod()
}
/**
@@ -256,13 +256,15 @@ module Routing {
* Holds if `node` has processed the incoming request strictly prior to this node.
*/
pragma[inline]
predicate isGuardedByNode(Node node) { isGuardedByNodeInternal(pragma[only_bind_out](node)) }
predicate isGuardedByNode(Node node) {
this.isGuardedByNodeInternal(pragma[only_bind_out](node))
}
/**
* Holds if the middleware corresponding to `node` has processed the incoming request strictly prior to this node.
*/
pragma[inline]
predicate isGuardedBy(DataFlow::Node node) { isGuardedByNode(getNode(node)) }
predicate isGuardedBy(DataFlow::Node node) { this.isGuardedByNode(getNode(node)) }
/**
* Gets an HTTP method name which this node will accept, or nothing if the node accepts all HTTP methods, not
@@ -271,16 +273,16 @@ module Routing {
HTTP::RequestMethodName getOwnHttpMethod() { none() } // Overridden in subclass
private Node getAUseSiteInRouteSetup() {
if getParent() instanceof RouteSetup
if this.getParent() instanceof RouteSetup
then result = this
else result = getParent().getAUseSiteInRouteSetup()
else result = this.getParent().getAUseSiteInRouteSetup()
}
/** Gets a place where this route node is installed as a route handler. */
Node getRouteInstallation() {
result = getAUseSiteInRouteSetup()
result = this.getAUseSiteInRouteSetup()
or
not exists(getAUseSiteInRouteSetup()) and
not exists(this.getAUseSiteInRouteSetup()) and
result = this
}
@@ -352,7 +354,7 @@ module Routing {
Node getChild(int n) { none() }
/** Gets the number of children of this route node. */
final int getNumChild() { result = count(int n | exists(getChild(n))) }
final int getNumChild() { result = count(int n | exists(this.getChild(n))) }
/**
* Gets a path prefix to be matched against the path of incoming requests.
@@ -416,7 +418,7 @@ module Routing {
* Gets a data flow node that flows to this use-site in one step.
*/
DataFlow::Node getSource() {
result = getALocalSource()
result = this.getALocalSource()
or
StepSummary::smallstep(result, this, routeStepSummary())
or
@@ -425,7 +427,7 @@ module Routing {
RouteHandlerTrackingStep::step(result, this)
or
exists(string prop |
StepSummary::smallstep(result, getSourceProp(prop).getALocalUse(), StoreStep(prop))
StepSummary::smallstep(result, this.getSourceProp(prop).getALocalUse(), StoreStep(prop))
)
or
this = getAnEnumeratedArrayElement(result)
@@ -435,32 +437,32 @@ module Routing {
private DataFlow::SourceNode getSourceProp(string prop) {
StepSummary::step(result, this, LoadStep(prop))
or
StepSummary::step(result, getSourceProp(prop), routeStepSummary())
StepSummary::step(result, this.getSourceProp(prop), routeStepSummary())
or
StepSummary::step(result, getSourceProp(prop), CopyStep(prop))
StepSummary::step(result, this.getSourceProp(prop), CopyStep(prop))
or
exists(string oldProp |
StepSummary::step(result, getSourceProp(oldProp), LoadStoreStep(prop, oldProp))
StepSummary::step(result, this.getSourceProp(oldProp), LoadStoreStep(prop, oldProp))
)
}
private DataFlow::Node getStrictSource() {
result = getSource() and
result = this.getSource() and
result != this
}
final override Routing::Node getChild(int n) {
n = 0 and
result = MkValueNode(getStrictSource())
result = MkValueNode(this.getStrictSource())
or
// If we cannot find the source of the use-site, but we know it's somehow a reference to a router,
// treat the router as the source. This is needed to handle chaining calls on the router, as the
// specific framework model knows about chaining steps, but the general `getSource()` predicate doesn't.
n = 0 and
not exists(getStrictSource()) and
not exists(this.getStrictSource()) and
exists(Router::Range router |
this = router.getAReference().getALocalUse() and
result = MkRouter(router, getContainer())
result = MkRouter(router, this.getContainer())
)
}
}
@@ -483,7 +485,7 @@ module Routing {
*/
abstract DataFlow::Node getArgumentNode(int n);
final override Node getChild(int n) { result = MkValueNode(getArgumentNode(n)) }
final override Node getChild(int n) { result = MkValueNode(this.getArgumentNode(n)) }
}
/** An argument to a `WithArguments` instance, seen as a use site. */
@@ -497,7 +499,7 @@ module Routing {
private class ImpliedArrayRoute extends ValueNode::WithArguments, DataFlow::ArrayCreationNode {
ImpliedArrayRoute() { this instanceof ValueNode::UseSite }
override DataFlow::Node getArgumentNode(int n) { result = getElement(n) }
override DataFlow::Node getArgumentNode(int n) { result = this.getElement(n) }
}
}
@@ -521,10 +523,10 @@ module Routing {
* A node in the routing tree which has no parent.
*/
class RootNode extends Node {
RootNode() { not exists(getParent()) }
RootNode() { not exists(this.getParent()) }
/** Gets a node that is part of this subtree. */
final Node getADescendant() { result = getAChild*() }
final Node getADescendant() { result = this.getAChild*() }
}
/**
@@ -546,7 +548,7 @@ module Routing {
*
* This is an alias for `getParent`, but may be preferred for readability.
*/
final Node getRouter() { result = getParent() }
final Node getRouter() { result = this.getParent() }
}
/**
@@ -568,7 +570,7 @@ module Routing {
Node getChild(int n) { none() }
/** Gets the number of children of this route node. */
final int getNumChild() { result = count(int n | exists(getChild(n))) }
final int getNumChild() { result = count(int n | exists(this.getChild(n))) }
/**
* Gets a path prefix to be matched against the path of incoming requests.
@@ -630,13 +632,13 @@ module Routing {
* This class can be extended to contribute new kinds of route handlers.
*/
abstract class MethodCall extends RouteSetup::Range, DataFlow::MethodCallNode {
override Node getChild(int n) { result = MkValueNode(getChildNode(n)) }
override Node getChild(int n) { result = MkValueNode(this.getChildNode(n)) }
/** Gets the `n`th child of this route setup. */
DataFlow::Node getChildNode(int n) { result = getArgument(n) }
DataFlow::Node getChildNode(int n) { result = this.getArgument(n) }
override predicate isInstalledAt(Router::Range router, ControlFlowNode cfgNode) {
this = router.getAReference().getAMethodCall() and cfgNode = getEnclosingExpr()
this = router.getAReference().getAMethodCall() and cfgNode = this.getEnclosingExpr()
}
}
@@ -679,14 +681,14 @@ module Routing {
result.isInstalledAt(router, any(ControlFlowNode cfg | cfg.getContainer() = container))
}
override Node getAChild() { result = MkRouteSetup(getARouteSetup()) }
override Node getAChild() { result = MkRouteSetup(this.getARouteSetup()) }
override Node getLastChild() {
result = getMostRecentRouteSetupAt(router, container.getExit())
}
override Node getFirstChild() {
result = getAChild() and not exists(result.getPreviousSibling())
result = this.getAChild() and not exists(result.getPreviousSibling())
}
}
}
@@ -753,14 +755,14 @@ module Routing {
ImpliedRouteSetup() {
FlowSteps::calls(this, target) and
routerIsLiveInContainer(router, target) and
routerIsLiveInContainer(router, getContainer())
routerIsLiveInContainer(router, this.getContainer())
}
override Routing::Node getChild(int n) { result = MkRouter(router, target) and n = 0 }
override predicate isInstalledAt(Router::Range r, ControlFlowNode cfgNode) {
r = router and
cfgNode = getEnclosingExpr()
cfgNode = this.getEnclosingExpr()
}
}
@@ -799,11 +801,11 @@ module Routing {
* if the default behavior is inadequate for that framework.
*/
DataFlow::CallNode getAContinuationInvocation() {
result = getAParameter().ref().getAnInvocation() and
result = this.getAParameter().ref().getAnInvocation() and
result.getNumArgument() = 0
or
result.(DataFlow::MethodCallNode).getMethodName() = "then" and
result.getArgument(0) = getAParameter().ref().getALocalUse()
result.getArgument(0) = this.getAParameter().ref().getALocalUse()
}
}
@@ -827,11 +829,11 @@ module Routing {
t.start() and
result = this
or
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
exists(DataFlow::TypeTracker t2 | result = this.ref(t2).track(t2, t))
}
/** Gets a data flow node referring to this route handler parameter. */
DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }
/**
* Gets the corresponding route handler, that is, the function on which this is a parameter.


@@ -75,7 +75,9 @@ abstract class FrameworkLibraryInstance extends TopLevel {
* via the `src` attribute of a `<script>` element.
*/
abstract class FrameworkLibraryReference extends HTML::Attribute {
FrameworkLibraryReference() { getName() = "src" and getElement() instanceof HTML::ScriptElement }
FrameworkLibraryReference() {
this.getName() = "src" and this.getElement() instanceof HTML::ScriptElement
}
/**
* Holds if this is a reference to version `v` of framework library `fl`.
@@ -160,7 +162,7 @@ abstract class FrameworkLibraryWithGenericURL extends FrameworkLibraryWithURLReg
string getAnAlias() { none() }
override string getAURLRegex() {
exists(string id | id = getId() or id = getAnAlias() |
exists(string id | id = this.getId() or id = this.getAnAlias() |
result = ".*(?:^|/)" + id + "-(" + semverRegex() + ")" + variantRegex() + "\\.js" or
result =
".*/(?:\\w+@)?(" + semverRegex() + ")/(?:(?:dist|js|" + id + ")/)?" + id + variantRegex() +
@@ -976,7 +978,9 @@ private class TwitterTextClassicInstance extends FrameworkLibraryInstance {
private class FrameworkLibraryReferenceToInstance extends FrameworkLibraryReference {
FrameworkLibraryInstance fli;
FrameworkLibraryReferenceToInstance() { fli = getElement().(HTML::ScriptElement).resolveSource() }
FrameworkLibraryReferenceToInstance() {
fli = this.getElement().(HTML::ScriptElement).resolveSource()
}
override predicate info(FrameworkLibrary fl, string v) { fli.info(fl, v) }
}
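Review bot: In `getAURLRegex()`, `id` (bound to `this.getId()` or `this.getAnAlias()`) is concatenated into the pattern verbatim, so a regex metacharacter in a library id or alias, a `.` for example, is read as pattern syntax and the regex accepts more script URLs than the literal name would. The ids and aliases supplied by subclasses are not visible in this section, so this may never occur in practice, but the constraint is not written down anywhere in the hunk. Because the captured group is what ends up reported as the library version, I would add a comment above the `exists`, such as `// id and its aliases are inserted unescaped and must not contain regex metacharacters`. The predicate body continues past the end of the hunk.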


@@ -84,14 +84,14 @@ module Express {
}
private class RoutingTreeSetup extends Routing::RouteSetup::MethodCall {
RoutingTreeSetup() { asExpr() instanceof RouteSetup }
RoutingTreeSetup() { this.asExpr() instanceof RouteSetup }
override string getRelativePath() {
not getMethodName() = "param" and // do not treat parameter name as a path
result = getArgument(0).getStringValue()
not this.getMethodName() = "param" and // do not treat parameter name as a path
result = this.getArgument(0).getStringValue()
}
override HTTP::RequestMethodName getHttpMethod() { result.toLowerCase() = getMethodName() }
override HTTP::RequestMethodName getHttpMethod() { result.toLowerCase() = this.getMethodName() }
}
/**
@@ -117,7 +117,7 @@ module Express {
override predicate isInstalledAt(Routing::Router::Range router, ControlFlowNode cfgNode) {
router.getAReference().getALocalUse() = limitCall.getArgument(0) and
cfgNode = asExpr()
cfgNode = this.asExpr()
}
}
@@ -845,7 +845,7 @@ module Express {
}
/** Gets a data flow node referring to this router. */
DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
DataFlow::SourceNode ref() { result = this.ref(DataFlow::TypeTracker::end()) }
/**
* Holds if `sink` may refer to this router.


@@ -161,7 +161,7 @@ module Fastify {
if methodName = "route"
then
result = this.flow().(DataFlow::MethodCallNode).getOptionArgument(0, getNthHandlerName(_))
else result = getLastArgument().flow()
else result = this.getLastArgument().flow()
}
}
@@ -185,22 +185,23 @@ module Fastify {
private class FullRoutingTreeSetup extends Routing::RouteSetup::MethodCall {
FullRoutingTreeSetup() {
asExpr() instanceof RouteSetup and
getMethodName() = "route"
this.asExpr() instanceof RouteSetup and
this.getMethodName() = "route"
}
override string getRelativePath() { result = getOptionArgument(0, "url").getStringValue() }
override string getRelativePath() { result = this.getOptionArgument(0, "url").getStringValue() }
override HTTP::RequestMethodName getHttpMethod() {
result = getOptionArgument(0, "method").getStringValue().toUpperCase()
result = this.getOptionArgument(0, "method").getStringValue().toUpperCase()
}
private DataFlow::Node getRawChild(int n) {
result = getOptionArgument(0, getNthHandlerName(n))
result = this.getOptionArgument(0, getNthHandlerName(n))
}
override DataFlow::Node getChildNode(int n) {
result = rank[n + 1](DataFlow::Node child, int k | child = getRawChild(k) | child order by k)
result =
rank[n + 1](DataFlow::Node child, int k | child = this.getRawChild(k) | child order by k)
}
}
@@ -209,34 +210,38 @@ module Fastify {
private DataFlow::SourceNode pluginBody(DataFlow::TypeBackTracker t) {
t.start() and
result = getArgument(0).getALocalSource()
result = this.getArgument(0).getALocalSource()
or
// step through calls to require('fastify-plugin')
result = pluginBody(t).(FastifyPluginCall).getArgument(0).getALocalSource()
result = this.pluginBody(t).(FastifyPluginCall).getArgument(0).getALocalSource()
or
exists(DataFlow::TypeBackTracker t2 | result = pluginBody(t2).backtrack(t2, t))
exists(DataFlow::TypeBackTracker t2 | result = this.pluginBody(t2).backtrack(t2, t))
}
/** Gets a functino flowing into the first argument. */
DataFlow::FunctionNode pluginBody() { result = pluginBody(DataFlow::TypeBackTracker::end()) }
override HTTP::RequestMethodName getHttpMethod() {
result = getOptionArgument(1, "method").getStringValue().toUpperCase()
DataFlow::FunctionNode pluginBody() {
result = this.pluginBody(DataFlow::TypeBackTracker::end())
}
override string getRelativePath() { result = getOptionArgument(1, "prefix").getStringValue() }
override HTTP::RequestMethodName getHttpMethod() {
result = this.getOptionArgument(1, "method").getStringValue().toUpperCase()
}
override string getRelativePath() {
result = this.getOptionArgument(1, "prefix").getStringValue()
}
override DataFlow::Node getChildNode(int n) {
n = 0 and
(
// If we can see the plugin body, use its server parameter as the child to ensure
// plugins or routes installed in the plugin are ordered
result = pluginBody().getParameter(0)
result = this.pluginBody().getParameter(0)
or
// If we can't see the plugin body, just use the plugin expression so we can
// check if something is guarded by that plugin.
not exists(pluginBody()) and
result = getArgument(0)
not exists(this.pluginBody()) and
result = this.getArgument(0)
)
}
}
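Review bot: `FullRoutingTreeSetup.getHttpMethod()` only has a result when the `method` option passed to `route` is a single string, because it is read with `getStringValue()`; Fastify also accepts an array of method names there, and that form yields no result. How the routing library treats a route setup without an HTTP method is not visible in this section, so I would at least document the limitation above the predicate, e.g. `// only a string-valued 'method' is modelled; an array of methods gives no result`. Separately, the doc comment on `pluginBody()` reads `functino` and should read `function`.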


@@ -101,7 +101,7 @@ module HTTP {
* Holds if this kind of HTTP request should not generally be considered free of side effects,
* such as for `POST` or `PUT` requests.
*/
predicate isUnsafe() { not isSafe() }
predicate isUnsafe() { not this.isSafe() }
}
/**


@@ -161,12 +161,12 @@ module Templating {
/** Gets a data flow node corresponding to a use of the given template variable within this top-level. */
DataFlow::SourceNode getAnAccessPathUse(string accessPath) {
result = getAVariableUse(accessPath)
result = this.getAVariableUse(accessPath)
or
exists(string varName, string suffix |
accessPath = varName + "." + suffix and
suffix != "" and
result = AccessPath::getAReferenceTo(getAVariableUse(varName), suffix)
result = AccessPath::getAReferenceTo(this.getAVariableUse(varName), suffix)
)
}
}


@@ -47,7 +47,7 @@ abstract class ExpensiveRouteHandler extends DataFlow::Node {
*/
deprecated class RateLimitedRouteHandlerExpr extends Express::RouteHandlerExpr {
RateLimitedRouteHandlerExpr() {
Routing::getNode(flow()).isGuardedBy(any(RateLimitingMiddleware m))
Routing::getNode(this.flow()).isGuardedBy(any(RateLimitingMiddleware m))
}
}


@@ -135,7 +135,7 @@ class ArrayPattern extends CasePattern, TArrayPattern {
(
n < this.restIndex()
or
not exists(restIndex())
not exists(this.restIndex())
)
}
@@ -156,7 +156,7 @@ class ArrayPattern extends CasePattern, TArrayPattern {
* ```
*/
LocalVariableWriteAccess getRestVariableAccess() {
toGenerated(result) = g.getChild(restIndex()).(Ruby::SplatParameter).getName()
toGenerated(result) = g.getChild(this.restIndex()).(Ruby::SplatParameter).getName()
}
/**
@@ -264,10 +264,10 @@ class HashPattern extends CasePattern, THashPattern {
private Ruby::KeywordPattern keyValuePair(int n) { result = g.getChild(n) }
/** Gets the key of the `n`th pair. */
StringlikeLiteral getKey(int n) { toGenerated(result) = keyValuePair(n).getKey() }
StringlikeLiteral getKey(int n) { toGenerated(result) = this.keyValuePair(n).getKey() }
/** Gets the value of the `n`th pair. */
CasePattern getValue(int n) { toGenerated(result) = keyValuePair(n).getValue() }
CasePattern getValue(int n) { toGenerated(result) = this.keyValuePair(n).getValue() }
/** Gets the value for a given key name. */
CasePattern getValueByKey(string key) {


@@ -753,7 +753,7 @@ module Trees {
c.(MatchingCompletion).getValue() = false
or
exists(BooleanCompletion bc, boolean flag, MatchingCompletion mc |
lastCondition(last, bc, flag) and
this.lastCondition(last, bc, flag) and
c =
any(NestedMatchingCompletion nmc |
nmc.getInnerCompletion() = bc and nmc.getOuterCompletion() = mc
@@ -790,7 +790,7 @@ module Trees {
)
or
exists(boolean flag |
lastCondition(pred, c, flag) and
this.lastCondition(pred, c, flag) and
c.(BooleanCompletion).getValue() = flag and
first(this.getBody(), succ)
)


@@ -78,7 +78,7 @@ class InlineFlowTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink | getValueFlowConfig().hasFlow(src, sink) |
exists(DataFlow::Node src, DataFlow::Node sink | this.getValueFlowConfig().hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
if exists(getSourceArgString(src)) then value = getSourceArgString(src) else value = ""
@@ -86,7 +86,8 @@ class InlineFlowTest extends InlineExpectationsTest {
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink |
getTaintFlowConfig().hasFlow(src, sink) and not getValueFlowConfig().hasFlow(src, sink)
this.getTaintFlowConfig().hasFlow(src, sink) and
not this.getValueFlowConfig().hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and