Merge branch 'main' into post-release-prep/codeql-cli-2.7.5

python/ql/lib/change-notes/2022-01-11-remove-upgrades-packs.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `codeql/python-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/python-all` CodeQL pack.

python/ql/lib/qlpack.yml

@@ -4,5 +4,4 @@ groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
 library: true
-dependencies:
-    codeql/python-upgrades: ^0.0.3
+upgrades: upgrades

python/ql/lib/semmle/python/Comparisons.qll

@@ -514,7 +514,7 @@ class ComparisonControlBlock extends ConditionBlock {
 
   Comparison getTest() { this.getLastNode() = result }
 
-  /** Whether this conditional guard implies that, in block `b`,  the result of `that` is `thatIsTrue` */
+  /** Whether this conditional guard implies that, in block `b`, the result of `that` is `thatIsTrue` */
   predicate impliesThat(BasicBlock b, Comparison that, boolean thatIsTrue) {
     exists(boolean controlSense |
       this.controls(b, controlSense) and

python/ql/lib/semmle/python/Operations.qll

@@ -98,7 +98,7 @@ class LShift extends LShift_ {
   override string getSpecialMethodName() { result = "__lshift__" }
 }
 
-/** A modulo (`%`) binary operator, which includes  string formatting */
+/** A modulo (`%`) binary operator, which includes string formatting */
 class Mod extends Mod_ {
   override string getSpecialMethodName() { result = "__mod__" }
 }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll

@@ -3,6 +3,17 @@ private import DataFlowImplSpecific::Public
 import Cached
 
 module DataFlowImplCommonPublic {
+  /** A state value to track during data flow. */
+  class FlowState = string;
+
+  /**
+   * The default state, which is used when the state is unspecified for a source
+   * or a sink.
+   */
+  class FlowStateEmpty extends FlowState {
+    FlowStateEmpty() { this = "" }
+  }
+
   private newtype TFlowFeature =
     TFeatureHasSourceCallContext() or
     TFeatureHasSinkCallContext() or

python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll

@@ -10,6 +10,12 @@ private import semmle.python.ApiGraphs
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
 /**
  * Holds if default `TaintTracking::Configuration`s should allow implicit reads
  * of `c` at sinks and inputs to additional taint steps.

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll

@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }
 
   /**
    * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
    * The smaller this predicate is, the faster `hasFlow()` will converge.
    */
   // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }
 
   /** Holds if the node `node` is a taint sanitizer. */
   predicate isSanitizer(DataFlow::Node node) { none() }
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

python/ql/lib/semmle/python/essa/Essa.qll

@@ -8,7 +8,7 @@ import semmle.python.essa.Definitions
 
 /** An (enhanced) SSA variable derived from `SsaSourceVariable`. */
 class EssaVariable extends TEssaDefinition {
-  /** Gets the (unique) definition of this  variable. */
+  /** Gets the (unique) definition of this variable. */
   EssaDefinition getDefinition() { this = result }
 
   /**

python/ql/lib/semmle/python/essa/SsaDefinitions.qll

@@ -127,7 +127,7 @@ module SsaSource {
     not test_contains(_, call)
   }
 
-  /** Holds if an attribute is deleted  at `def` and `use` is the use of `v` for that deletion */
+  /** Holds if an attribute is deleted at `def` and `use` is the use of `v` for that deletion */
   cached
   predicate attribute_deletion_refinement(Variable v, NameNode use, DeletionNode def) {
     use.uses(v) and

python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll

@@ -539,6 +539,55 @@ private class EdgeLabel extends TInputSymbol {
   }
 }
 
+/**
+ * A RegExp term that acts like a plus.
+ * Either it's a RegExpPlus, or it is a range {1,X} where X is >= 30.
+ * 30 has been chosen as a threshold because for exponential blowup 2^30 is enough to get a decent DOS attack.
+ */
+private class EffectivelyPlus extends RegExpTerm {
+  EffectivelyPlus() {
+    this instanceof RegExpPlus
+    or
+    exists(RegExpRange range |
+      range.getLowerBound() = 1 and
+      (range.getUpperBound() >= 30 or not exists(range.getUpperBound()))
+    |
+      this = range
+    )
+  }
+}
+
+/**
+ * A RegExp term that acts like a star.
+ * Either it's a RegExpStar, or it is a range {0,X} where X is >= 30.
+ */
+private class EffectivelyStar extends RegExpTerm {
+  EffectivelyStar() {
+    this instanceof RegExpStar
+    or
+    exists(RegExpRange range |
+      range.getLowerBound() = 0 and
+      (range.getUpperBound() >= 30 or not exists(range.getUpperBound()))
+    |
+      this = range
+    )
+  }
+}
+
+/**
+ * A RegExp term that acts like a question mark.
+ * Either it's a RegExpQuestion, or it is a range {0,1}.
+ */
+private class EffectivelyQuestion extends RegExpTerm {
+  EffectivelyQuestion() {
+    this instanceof RegExpOpt
+    or
+    exists(RegExpRange range | range.getLowerBound() = 0 and range.getUpperBound() = 1 |
+      this = range
+    )
+  }
+}
+
 /**
  * Gets the state before matching `t`.
  */
@@ -559,14 +608,14 @@ State after(RegExpTerm t) {
   or
   exists(RegExpGroup grp | t = grp.getAChild() | result = after(grp))
   or
-  exists(RegExpStar star | t = star.getAChild() | result = before(star))
+  exists(EffectivelyStar star | t = star.getAChild() | result = before(star))
   or
-  exists(RegExpPlus plus | t = plus.getAChild() |
+  exists(EffectivelyPlus plus | t = plus.getAChild() |
     result = before(plus) or
     result = after(plus)
   )
   or
-  exists(RegExpOpt opt | t = opt.getAChild() | result = after(opt))
+  exists(EffectivelyQuestion opt | t = opt.getAChild() | result = after(opt))
   or
   exists(RegExpRoot root | t = root | result = AcceptAnySuffix(root))
 }
@@ -617,15 +666,17 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
   or
   exists(RegExpGroup grp | lbl = Epsilon() | q1 = before(grp) and q2 = before(grp.getChild(0)))
   or
-  exists(RegExpStar star | lbl = Epsilon() |
+  exists(EffectivelyStar star | lbl = Epsilon() |
     q1 = before(star) and q2 = before(star.getChild(0))
     or
     q1 = before(star) and q2 = after(star)
   )
   or
-  exists(RegExpPlus plus | lbl = Epsilon() | q1 = before(plus) and q2 = before(plus.getChild(0)))
+  exists(EffectivelyPlus plus | lbl = Epsilon() |
+    q1 = before(plus) and q2 = before(plus.getChild(0))
+  )
   or
-  exists(RegExpOpt opt | lbl = Epsilon() |
+  exists(EffectivelyQuestion opt | lbl = Epsilon() |
     q1 = before(opt) and q2 = before(opt.getChild(0))
     or
     q1 = before(opt) and q2 = after(opt)

python/ql/src/Security/CWE-327/TlsLibraryModel.qll

@@ -88,7 +88,7 @@ abstract class TlsLibrary extends string {
   /** The name of a specific protocol version. */
   abstract string specific_version_name(ProtocolVersion version);
 
-  /** Gets a name, which is a member of `version_constants`,  that can be used to specify the protocol family `family`. */
+  /** Gets a name, which is a member of `version_constants`, that can be used to specify the protocol family `family`. */
   abstract string unspecific_version_name(ProtocolFamily family);
 
   /** Gets an API node representing the module or class holding the version constants. */

python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql

@@ -5,8 +5,7 @@
  * @kind path-problem
  * @problem.severity error
  * @id py/ldap-injection
- * @tags experimental	
- *       security	
+ * @tags security	
  *       external/cwe/cwe-090
  */
 

python/ql/src/experimental/Security/CWE-287/ImproperLdapAuth.ql

@@ -4,8 +4,7 @@
  * @kind problem
  * @problem.severity warning
  * @id py/improper-ldap-auth
- * @tags experimental
- *       security
+ * @tags security
  *       external/cwe/cwe-287
  */
 

python/ql/src/experimental/Security/CWE-522/LDAPInsecureAuth.ql

@@ -4,8 +4,7 @@
  * @kind path-problem
  * @problem.severity error
  * @id py/insecure-ldap-auth
- * @tags experimental
- *       security
+ * @tags security
  *       external/cwe/cwe-522
  *       external/cwe/cwe-523
  */

python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql

@@ -5,8 +5,7 @@
  * @kind path-problem
  * @problem.severity error
  * @id py/nosql-injection
- * @tags experimental
- *       security
+ * @tags security
  *       external/cwe/cwe-943
  */
 

python/ql/test/query-tests/Statements/unreachable/global.py

@@ -0,0 +1,10 @@
+# FP involving global variables modified in a different scope
+
+i = 0
+def update_i():
+    global i
+    i = i + 1
+
+update_i()
+if i > 0:
+    print("i is greater than 0") # FP: This is reachable

python/upgrades/CHANGELOG.md

@@ -1,5 +0,0 @@
-## 0.0.6
-
-## 0.0.5
-
-## 0.0.4

python/upgrades/change-notes/released/0.0.4.md

@@ -1 +0,0 @@
-## 0.0.4

python/upgrades/change-notes/released/0.0.5.md

@@ -1 +0,0 @@
-## 0.0.5

python/upgrades/change-notes/released/0.0.6.md

@@ -1 +0,0 @@
-## 0.0.6

python/upgrades/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.6

python/upgrades/qlpack.lock.yml

@@ -1,4 +0,0 @@
----
-dependencies: {}
-compiled: false
-lockVersion: 1.0.0

python/upgrades/qlpack.yml

@@ -1,5 +0,0 @@
-name: codeql/python-upgrades
-groups: python
-upgrades: .
-library: true
-version: 0.0.7-dev