diff --git a/.github/labeler.yml b/.github/labeler.yml index 503833fc4d7..5401e6afd71 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -11,7 +11,7 @@ Go: - change-notes/**/*go.* Java: - - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ] + - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ] - change-notes/**/*java.* JS: @@ -20,7 +20,6 @@ JS: Kotlin: - java/kotlin-extractor/**/* - - java/kotlin-explorer/**/* - java/ql/test/kotlin/**/* Python: diff --git a/.github/workflows/csv-coverage-pr-artifacts.yml b/.github/workflows/csv-coverage-pr-artifacts.yml index 19ad488a3ab..b560d98a79d 100644 --- a/.github/workflows/csv-coverage-pr-artifacts.yml +++ b/.github/workflows/csv-coverage-pr-artifacts.yml @@ -10,6 +10,7 @@ on: - "*/ql/src/**/*.qll" - "*/ql/lib/**/*.ql" - "*/ql/lib/**/*.qll" + - "*/ql/lib/ext/**/*.yml" - "misc/scripts/library-coverage/*.py" # input data files - "*/documentation/library-coverage/cwe-sink.csv" diff --git a/CODEOWNERS b/CODEOWNERS index 6e2dd9dc66b..b2eb53f0bb0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -8,7 +8,6 @@ /swift/ @github/codeql-swift /misc/codegen/ @github/codeql-swift /java/kotlin-extractor/ @github/codeql-kotlin -/java/kotlin-explorer/ @github/codeql-kotlin # ML-powered queries /javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers diff --git a/config/identical-files.json b/config/identical-files.json index 29fae2d3855..3c16c953129 100644 --- a/config/identical-files.json +++ b/config/identical-files.json @@ -511,7 +511,8 @@ "SensitiveDataHeuristics Python/JS": [ "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll", "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll", - "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll" + "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll", + "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll" ], "CFG": [ "csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImplShared.qll", @@ -598,4 +599,4 @@ "python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll", "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll" ] -} \ No newline at end of file +} diff --git a/cpp/ql/lib/change-notes/2022-08-06-delete-deps.md b/cpp/ql/lib/change-notes/2022-08-06-delete-deps.md new file mode 100644 index 00000000000..c234c189484 --- /dev/null +++ b/cpp/ql/lib/change-notes/2022-08-06-delete-deps.md @@ -0,0 +1,6 @@ +--- +category: minorAnalysis +--- +* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`. +* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead. +* Deleted the deprecated `CodeDuplication.qll` file. \ No newline at end of file diff --git a/cpp/ql/lib/semmle/code/cpp/Class.qll b/cpp/ql/lib/semmle/code/cpp/Class.qll index 2aba033329d..5f79ceefd26 100644 --- a/cpp/ql/lib/semmle/code/cpp/Class.qll +++ b/cpp/ql/lib/semmle/code/cpp/Class.qll @@ -176,20 +176,6 @@ class Class extends UserType { /** Holds if this class, struct or union has a constructor. */ predicate hasConstructor() { exists(this.getAConstructor()) } - /** - * Holds if this class has a copy constructor that is either explicitly - * declared (though possibly `= delete`) or is auto-generated, non-trivial - * and called from somewhere. - * - * DEPRECATED: There is more than one reasonable definition of what it means - * to have a copy constructor, and we do not want to promote one particular - * definition by naming it with this predicate. Having a copy constructor - * could mean that such a member is declared or defined in the source or that - * it is callable by a particular caller. For C++11, there's also a question - * of whether to include members that are defaulted or deleted. - */ - deprecated predicate hasCopyConstructor() { this.getAMemberFunction() instanceof CopyConstructor } - /** * Like accessOfBaseMember but returns multiple results if there are multiple * paths to `base` through the inheritance graph. diff --git a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll index b4d89eb8c1d..11e1791ba60 100644 --- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll +++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll @@ -27,9 +27,6 @@ class PrintAstConfiguration extends TPrintAstConfiguration { predicate shouldPrintFunction(Function func) { any() } } -/** DEPRECATED: Alias for PrintAstConfiguration */ -deprecated class PrintASTConfiguration = PrintAstConfiguration; - private predicate shouldPrintFunction(Function func) { exists(PrintAstConfiguration config | config.shouldPrintFunction(func)) } @@ -239,9 +236,6 @@ class PrintAstNode extends TPrintAstNode { } } -/** DEPRECATED: Alias for PrintAstNode */ -deprecated class PrintASTNode = PrintAstNode; - /** * Class that restricts the elements that we compute `qlClass` for. */ @@ -286,9 +280,6 @@ abstract class BaseAstNode extends PrintAstNode { deprecated Locatable getAST() { result = this.getAst() } } -/** DEPRECATED: Alias for BaseAstNode */ -deprecated class BaseASTNode = BaseAstNode; - /** * A node representing an AST node other than a `DeclarationEntry`. */ @@ -296,9 +287,6 @@ abstract class AstNode extends BaseAstNode, TAstNode { AstNode() { this = TAstNode(ast) } } -/** DEPRECATED: Alias for AstNode */ -deprecated class ASTNode = AstNode; - /** * A node representing an `Expr`. */ diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll index 4732cd06184..f9dad008661 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSA.qll @@ -14,9 +14,6 @@ library class StandardSsa extends SsaHelper { StandardSsa() { this = 0 } } -/** DEPRECATED: Alias for StandardSsa */ -deprecated class StandardSSA = StandardSsa; - /** * A definition of one or more SSA variables, including phi node definitions. * An _SSA variable_, as defined in the literature, is effectively the pair of diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll index 45ef36f339d..5e9f85581b8 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/SSAUtils.qll @@ -312,6 +312,3 @@ library class SsaHelper extends int { ssa_use(v, result, _, _) } } - -/** DEPRECATED: Alias for SsaHelper */ -deprecated class SSAHelper = SsaHelper; diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll index 25fdba90d52..99aed9702a9 100644 --- a/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll +++ b/cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll @@ -1385,9 +1385,6 @@ private module Cached { conditionalSuccessor(n1, _, n2) } - /** DEPRECATED: Alias for qlCfgSuccessor */ - deprecated predicate qlCFGSuccessor = qlCfgSuccessor/2; - /** * Holds if `n2` is a control-flow node such that the control-flow * edge `(n1, n2)` may be taken when `n1` is an expression that is true. @@ -1398,9 +1395,6 @@ private module Cached { not conditionalSuccessor(n1, false, n2) } - /** DEPRECATED: Alias for qlCfgTrueSuccessor */ - deprecated predicate qlCFGTrueSuccessor = qlCfgTrueSuccessor/2; - /** * Holds if `n2` is a control-flow node such that the control-flow * edge `(n1, n2)` may be taken when `n1` is an expression that is false. @@ -1410,7 +1404,4 @@ private module Cached { conditionalSuccessor(n1, false, n2) and not conditionalSuccessor(n1, true, n2) } - - /** DEPRECATED: Alias for qlCfgFalseSuccessor */ - deprecated predicate qlCFGFalseSuccessor = qlCfgFalseSuccessor/2; } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll index ddf98ac0f2f..984c5ae2018 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll @@ -1135,8 +1135,8 @@ module Impl { DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow ); - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap); + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t); bindingset[typ, contentType] predicate typecheckStore(Typ typ, DataFlowType contentType); @@ -1199,17 +1199,21 @@ module Impl { NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa ) { - fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and - PrevStage::revFlow(node, state, apa) and - filter(node, state, t, ap) + fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa) } - pragma[inline] - additional predicate fwdFlow( + private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap + ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa ) { - fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _) + fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and + PrevStage::revFlow(node, state, apa) and + filter(node, state, t0, ap, t) + } + + pragma[nomagic] + private predicate typeStrengthen(Typ t0, Ap ap, Typ t) { + fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } pragma[assume_small_delta] @@ -1339,6 +1343,11 @@ module Impl { private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and cons = apCons(c, t1, tail) + or + exists(Typ t0 | + typeStrengthen(t0, cons, t2) and + fwdFlowConsCand(t0, cons, c, t1, tail) + ) } pragma[nomagic] @@ -1359,7 +1368,7 @@ module Impl { ParamNodeOption summaryCtx, TypOption argT, ApOption argAp ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and + fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and apc = getHeadContent(ap) and readStepCand0(node1, apc, c, node2) ) @@ -1520,14 +1529,14 @@ module Impl { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, _, _, ap) + fwdFlow(node, state, _, _, _, _, _, ap, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, _, _, ap) and + fwdFlow(node, state, _, _, _, _, _, ap, _) and sinkNode(node, state) and ( if hasSinkCallCtx() @@ -1780,13 +1789,13 @@ module Impl { boolean fwd, int nodes, int fields, int conscand, int states, int tuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _, _)) and conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap)) + ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _)) or fwd = false and nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and @@ -1963,10 +1972,10 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { PrevStage::revFlowState(state) and - exists(t) and + t0 = t and exists(ap) and not stateBarrier(node, state) and ( @@ -2197,8 +2206,8 @@ module Impl { import BooleanCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and exists(lcc) @@ -2218,10 +2227,16 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + // We can get away with not using type strengthening here, since we aren't + // going to use the tracked types in the construction of Stage 4 access + // paths. For Stage 4 and onwards, the tracked types must be consistent as + // the cons candidates including types are used to construct subsequent + // access path approximations. + t0 = t and + (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and ( notExpectsContent(node) or @@ -2241,6 +2256,16 @@ module Impl { import MkStage::Stage } + bindingset[node, t0] + private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) { + if castingNodeEx(node) + then + exists(DataFlowType nt | nt = node.getDataFlowType() | + if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0) + ) + else t = t0 + } + private module Stage4Param implements MkStage::StageParam { private module PrevStage = Stage3; @@ -2274,8 +2299,8 @@ module Impl { pragma[nomagic] predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2333,11 +2358,11 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and not clear(node, ap) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + strengthenType(node, t0, t) and ( notExpectsContent(node) or @@ -2365,7 +2390,7 @@ module Impl { exists(AccessPathFront apf | Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _, - apf) + apf, _) ) } @@ -2579,8 +2604,8 @@ module Impl { import LocalCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2609,9 +2634,9 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { + strengthenType(node, t0, t) and exists(state) and exists(ap) } @@ -2632,7 +2657,7 @@ module Impl { Stage5::parameterMayFlowThrough(p, _) and Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _, - TAccessPathApproxSome(apa), _, apa0) + TAccessPathApproxSome(apa), _, apa0, _) ) } @@ -2649,7 +2674,7 @@ module Impl { TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) { exists(AccessPathApprox apa | ap.getApprox() = apa | Stage5::parameterMayFlowThrough(p, apa) and - Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and + Stage5::fwdFlow(p, state, _, _, Option::some(t), _, _, apa, _) and Stage5::revFlow(p, state, _) ) } @@ -2820,9 +2845,7 @@ module Impl { ap = TAccessPathNil() or // ... or a step from an existing PathNode to another node. - pathStep(_, node, state, cc, sc, t, ap) and - Stage5::revFlow(node, state, ap.getApprox()) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) + pathStep(_, node, state, cc, sc, t, ap) } or TPathNodeSink(NodeEx node, FlowState state) { exists(PathNodeMid sink | @@ -3340,13 +3363,24 @@ module Impl { ap = mid.getAp() } + private predicate pathStep( + PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, + AccessPath ap + ) { + exists(DataFlowType t0 | + pathStep0(mid, node, state, cc, sc, t0, ap) and + Stage5::revFlow(node, state, ap.getApprox()) and + strengthenType(node, t0, t) + ) + } + /** * Holds if data may flow from `mid` to `node`. The last step in or out of * a callable is recorded by `cc`. */ pragma[assume_small_delta] pragma[nomagic] - private predicate pathStep( + private predicate pathStep0( PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap ) { @@ -3964,7 +3998,7 @@ module Impl { ap = TPartialNil() and exists(explorationLimit()) or - partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and distSrc(node.getEnclosingCallable()) <= explorationLimit() } or TPartialPathNodeRev( @@ -3990,11 +4024,20 @@ module Impl { } pragma[nomagic] - private predicate partialPathNodeMk0( - NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, - TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap + private predicate partialPathStep( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { - partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap) + } + + pragma[nomagic] + private predicate partialPathStep1( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t, + PartialAccessPath ap + ) { + partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and not fullBarrier(node) and not stateBarrier(node, state) and not clearsContentEx(node, ap.getHead()) and @@ -4002,9 +4045,14 @@ module Impl { notExpectsContent(node) or expectsContentEx(node, ap.getHead()) ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), t) - else any() + strengthenType(node, t0, t) + } + + pragma[nomagic] + private predicate partialPathTypeStrengthen( + DataFlowType t0, PartialAccessPath ap, DataFlowType t + ) { + partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t } /** @@ -4183,7 +4231,8 @@ module Impl { } } - private predicate partialPathStep( + pragma[nomagic] + private predicate partialPathStep0( PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { @@ -4309,6 +4358,11 @@ module Impl { DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2 ) { partialPathStoreStep(_, t1, ap1, c, _, t2, ap2) + or + exists(DataFlowType t0 | + partialPathTypeStrengthen(t0, ap2, t2) and + apConsFwd(t1, ap1, c, t0, ap2) + ) } pragma[nomagic] diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll index 9b4e0e6a4f9..115989e3dea 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll @@ -205,6 +205,8 @@ predicate clearsContent(Node n, Content c) { */ predicate expectsContent(Node n, ContentSet c) { none() } +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } + /** Gets the type of `n` used for type pruning. */ Type getNodeType(Node n) { suppressUnusedNode(n) and diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll index ddf98ac0f2f..984c5ae2018 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll @@ -1135,8 +1135,8 @@ module Impl { DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow ); - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap); + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t); bindingset[typ, contentType] predicate typecheckStore(Typ typ, DataFlowType contentType); @@ -1199,17 +1199,21 @@ module Impl { NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa ) { - fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and - PrevStage::revFlow(node, state, apa) and - filter(node, state, t, ap) + fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa) } - pragma[inline] - additional predicate fwdFlow( + private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap + ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa ) { - fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _) + fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and + PrevStage::revFlow(node, state, apa) and + filter(node, state, t0, ap, t) + } + + pragma[nomagic] + private predicate typeStrengthen(Typ t0, Ap ap, Typ t) { + fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } pragma[assume_small_delta] @@ -1339,6 +1343,11 @@ module Impl { private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and cons = apCons(c, t1, tail) + or + exists(Typ t0 | + typeStrengthen(t0, cons, t2) and + fwdFlowConsCand(t0, cons, c, t1, tail) + ) } pragma[nomagic] @@ -1359,7 +1368,7 @@ module Impl { ParamNodeOption summaryCtx, TypOption argT, ApOption argAp ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and + fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and apc = getHeadContent(ap) and readStepCand0(node1, apc, c, node2) ) @@ -1520,14 +1529,14 @@ module Impl { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, _, _, ap) + fwdFlow(node, state, _, _, _, _, _, ap, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, _, _, ap) and + fwdFlow(node, state, _, _, _, _, _, ap, _) and sinkNode(node, state) and ( if hasSinkCallCtx() @@ -1780,13 +1789,13 @@ module Impl { boolean fwd, int nodes, int fields, int conscand, int states, int tuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _, _)) and conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap)) + ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _)) or fwd = false and nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and @@ -1963,10 +1972,10 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { PrevStage::revFlowState(state) and - exists(t) and + t0 = t and exists(ap) and not stateBarrier(node, state) and ( @@ -2197,8 +2206,8 @@ module Impl { import BooleanCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and exists(lcc) @@ -2218,10 +2227,16 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + // We can get away with not using type strengthening here, since we aren't + // going to use the tracked types in the construction of Stage 4 access + // paths. For Stage 4 and onwards, the tracked types must be consistent as + // the cons candidates including types are used to construct subsequent + // access path approximations. + t0 = t and + (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and ( notExpectsContent(node) or @@ -2241,6 +2256,16 @@ module Impl { import MkStage::Stage } + bindingset[node, t0] + private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) { + if castingNodeEx(node) + then + exists(DataFlowType nt | nt = node.getDataFlowType() | + if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0) + ) + else t = t0 + } + private module Stage4Param implements MkStage::StageParam { private module PrevStage = Stage3; @@ -2274,8 +2299,8 @@ module Impl { pragma[nomagic] predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2333,11 +2358,11 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and not clear(node, ap) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + strengthenType(node, t0, t) and ( notExpectsContent(node) or @@ -2365,7 +2390,7 @@ module Impl { exists(AccessPathFront apf | Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _, - apf) + apf, _) ) } @@ -2579,8 +2604,8 @@ module Impl { import LocalCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2609,9 +2634,9 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { + strengthenType(node, t0, t) and exists(state) and exists(ap) } @@ -2632,7 +2657,7 @@ module Impl { Stage5::parameterMayFlowThrough(p, _) and Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _, - TAccessPathApproxSome(apa), _, apa0) + TAccessPathApproxSome(apa), _, apa0, _) ) } @@ -2649,7 +2674,7 @@ module Impl { TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) { exists(AccessPathApprox apa | ap.getApprox() = apa | Stage5::parameterMayFlowThrough(p, apa) and - Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and + Stage5::fwdFlow(p, state, _, _, Option::some(t), _, _, apa, _) and Stage5::revFlow(p, state, _) ) } @@ -2820,9 +2845,7 @@ module Impl { ap = TAccessPathNil() or // ... or a step from an existing PathNode to another node. - pathStep(_, node, state, cc, sc, t, ap) and - Stage5::revFlow(node, state, ap.getApprox()) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) + pathStep(_, node, state, cc, sc, t, ap) } or TPathNodeSink(NodeEx node, FlowState state) { exists(PathNodeMid sink | @@ -3340,13 +3363,24 @@ module Impl { ap = mid.getAp() } + private predicate pathStep( + PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, + AccessPath ap + ) { + exists(DataFlowType t0 | + pathStep0(mid, node, state, cc, sc, t0, ap) and + Stage5::revFlow(node, state, ap.getApprox()) and + strengthenType(node, t0, t) + ) + } + /** * Holds if data may flow from `mid` to `node`. The last step in or out of * a callable is recorded by `cc`. */ pragma[assume_small_delta] pragma[nomagic] - private predicate pathStep( + private predicate pathStep0( PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap ) { @@ -3964,7 +3998,7 @@ module Impl { ap = TPartialNil() and exists(explorationLimit()) or - partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and distSrc(node.getEnclosingCallable()) <= explorationLimit() } or TPartialPathNodeRev( @@ -3990,11 +4024,20 @@ module Impl { } pragma[nomagic] - private predicate partialPathNodeMk0( - NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, - TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap + private predicate partialPathStep( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { - partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap) + } + + pragma[nomagic] + private predicate partialPathStep1( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t, + PartialAccessPath ap + ) { + partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and not fullBarrier(node) and not stateBarrier(node, state) and not clearsContentEx(node, ap.getHead()) and @@ -4002,9 +4045,14 @@ module Impl { notExpectsContent(node) or expectsContentEx(node, ap.getHead()) ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), t) - else any() + strengthenType(node, t0, t) + } + + pragma[nomagic] + private predicate partialPathTypeStrengthen( + DataFlowType t0, PartialAccessPath ap, DataFlowType t + ) { + partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t } /** @@ -4183,7 +4231,8 @@ module Impl { } } - private predicate partialPathStep( + pragma[nomagic] + private predicate partialPathStep0( PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { @@ -4309,6 +4358,11 @@ module Impl { DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2 ) { partialPathStoreStep(_, t1, ap1, c, _, t2, ap2) + or + exists(DataFlowType t0 | + partialPathTypeStrengthen(t0, ap2, t2) and + apConsFwd(t1, ap1, c, t0, ap2) + ) } pragma[nomagic] diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index cc8d0cdbe94..33ff6f74775 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll @@ -753,6 +753,8 @@ predicate clearsContent(Node n, Content c) { */ predicate expectsContent(Node n, ContentSet c) { none() } +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } + /** Gets the type of `n` used for type pruning. */ DataFlowType getNodeType(Node n) { suppressUnusedNode(n) and diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index 551653c3aca..0cd152e2473 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll @@ -364,7 +364,25 @@ abstract private class OperandBasedUse extends UseImpl { OperandBasedUse() { any() } final override predicate hasIndexInBlock(IRBlock block, int index) { - operand.getUse() = block.getInstruction(index) + // See the comment in `ssa0`'s `OperandBasedUse` for an explanation of this + // predicate's implementation. + exists(BaseSourceVariableInstruction base | base = this.getBase() | + if base.getAst() = any(Cpp::PostfixCrementOperation c).getOperand() + then + exists(Operand op, int indirectionIndex, int indirection | + indirectionIndex = this.getIndirectionIndex() and + indirection = this.getIndirection() and + op = + min(Operand cand, int i | + isUse(_, cand, base, indirection, indirectionIndex) and + block.getInstruction(i) = cand.getUse() + | + cand order by i + ) and + block.getInstruction(index) = op.getUse() + ) + else operand.getUse() = block.getInstruction(index) + ) } final Operand getOperand() { result = operand } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll index dca2b3850ba..d8571b8b74a 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll @@ -144,6 +144,20 @@ class AllocationInstruction extends CallInstruction { AllocationInstruction() { this.getStaticCallTarget() instanceof Cpp::AllocationFunction } } +private predicate isIndirectionType(Type t) { t instanceof Indirection } + +private predicate hasUnspecifiedBaseType(Indirection t, Type base) { + base = t.getBaseType().getUnspecifiedType() +} + +/** + * Holds if `t2` is the same type as `t1`, but after stripping away `result` number + * of indirections. + * Furthermore, specifies in `t2` been deeply stripped and typedefs has been resolved. + */ +private int getNumberOfIndirectionsImpl(Type t1, Type t2) = + shortestDistances(isIndirectionType/1, hasUnspecifiedBaseType/2)(t1, t2, result) + /** * An abstract class for handling indirections. * @@ -162,7 +176,10 @@ abstract class Indirection extends Type { * For example, the number of indirections of a variable `p` of type * `int**` is `3` (i.e., `p`, `*p` and `**p`). */ - abstract int getNumberOfIndirections(); + final int getNumberOfIndirections() { + result = + getNumberOfIndirectionsImpl(this.getType(), any(Type end | not end instanceof Indirection)) + } /** * Holds if `deref` is an instruction that behaves as a `LoadInstruction` @@ -200,19 +217,11 @@ private class PointerOrArrayOrReferenceTypeIndirection extends Indirection insta PointerOrArrayOrReferenceTypeIndirection() { baseType = PointerOrArrayOrReferenceType.super.getBaseType() } - - override int getNumberOfIndirections() { - result = 1 + countIndirections(this.getBaseType().getUnspecifiedType()) - } } private class PointerWrapperTypeIndirection extends Indirection instanceof PointerWrapper { PointerWrapperTypeIndirection() { baseType = PointerWrapper.super.getBaseType() } - override int getNumberOfIndirections() { - result = 1 + countIndirections(this.getBaseType().getUnspecifiedType()) - } - override predicate isAdditionalDereference(Instruction deref, Operand address) { exists(CallInstruction call | operandForFullyConvertedCall(getAUse(deref), call) and @@ -233,10 +242,6 @@ private module IteratorIndirections { baseType = super.getValueType() } - override int getNumberOfIndirections() { - result = 1 + countIndirections(this.getBaseType().getUnspecifiedType()) - } - override predicate isAdditionalDereference(Instruction deref, Operand address) { exists(CallInstruction call | operandForFullyConvertedCall(getAUse(deref), call) and diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll index aa6a43a2580..38f9bbeec8e 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ssa0/SsaInternals.qll @@ -122,7 +122,46 @@ abstract private class OperandBasedUse extends UseImpl { override string toString() { result = operand.toString() } final override predicate hasIndexInBlock(IRBlock block, int index) { - operand.getUse() = block.getInstruction(index) + // Ideally, this would just be implemented as: + // ``` + // operand.getUse() = block.getInstruction(index) + // ``` + // but because the IR generated for a snippet such as + // ``` + // int x = *p++; + // ``` + // looks like + // ``` + // r1(glval) = VariableAddress[x] : + // r2(glval) = VariableAddress[p] : + // r3(int *) = Load[p] : &:r2, m1 + // r4(int) = Constant[1] : + // r5(int *) = PointerAdd[4] : r3, r4 + // m3(int *) = Store[p] : &:r2, r5 + // r6(int *) = CopyValue : r3 + // r7(int) = Load[?] : &:r6, ~m2 + // m2(int) = Store[x] : &:r1, r7 + // ``` + // we need to ensure that the `r3` operand of the `CopyValue` instruction isn't seen as a fresh use + // of `p` that happens after the increment. So if the base instruction of this use comes from a + // post-fix crement operation we set the index of the SSA use that wraps the `r3` operand at the + // `CopyValue` instruction to be the same index as the `r3` operand at the `PointerAdd` instruction. + // This ensures that the SSA library doesn't create flow from the `PointerAdd` to `r6`. + exists(BaseSourceVariableInstruction base | base = this.getBase() | + if base.getAst() = any(Cpp::PostfixCrementOperation c).getOperand() + then + exists(Operand op | + op = + min(Operand cand, int i | + isUse(_, cand, base, _, _) and + block.getInstruction(i) = cand.getUse() + | + cand order by i + ) and + block.getInstruction(index) = op.getUse() + ) + else operand.getUse() = block.getInstruction(index) + ) } final override Cpp::Location getLocation() { result = operand.getLocation() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll index 0aa7c552638..1b5ea432946 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll @@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction { */ final Language::AST getAst() { result = Construction::getInstructionAst(this) } - /** DEPRECATED: Alias for getAst */ - deprecated Language::AST getAST() { result = this.getAst() } - /** * Gets the location of the source code for this instruction. */ @@ -463,9 +460,6 @@ class VariableInstruction extends Instruction { * Gets the AST variable that this instruction's IR variable refers to, if one exists. */ final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() } - - /** DEPRECATED: Alias for getAstVariable */ - deprecated Language::Variable getASTVariable() { result = this.getAstVariable() } } /** diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll index 1dd116d6c0e..10fddf6352b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll @@ -577,9 +577,6 @@ private Overlap getVariableMemoryLocationOverlap( */ predicate canReuseSsaForOldResult(Instruction instr) { OldSsa::canReuseSsaForMemoryResult(instr) } -/** DEPRECATED: Alias for canReuseSsaForOldResult */ -deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1; - bindingset[result, b] private boolean unbindBool(boolean b) { result != b.booleanNot() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll index dc785f3e0b1..63dc4142a13 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll @@ -422,12 +422,6 @@ private module Cached { ) } - /** DEPRECATED: Alias for getInstructionAst */ - cached - deprecated Language::AST getInstructionAST(Instruction instr) { - result = getInstructionAst(instr) - } - cached Language::LanguageType getInstructionResultType(Instruction instr) { result = instr.(RawIR::Instruction).getResultLanguageType() @@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) { // We don't support reusing SSA for any location that could create a `Chi` instruction. } -/** DEPRECATED: Alias for canReuseSsaForMemoryResult */ -deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1; - /** * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the * `DebugSsa` module, which is then imported by PrintSSA. @@ -1005,9 +996,6 @@ module DebugSsa { import DefUse } -/** DEPRECATED: Alias for DebugSsa */ -deprecated module DebugSSA = DebugSsa; - import CachedForDebugging cached diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll index 169de03c2dc..bb3eb683653 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll @@ -73,9 +73,6 @@ module UnaliasedSsaInstructions { } } -/** DEPRECATED: Alias for UnaliasedSsaInstructions */ -deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions; - /** * Provides wrappers for the constructors of each branch of `TInstruction` that is used by the * aliased SSA stage. @@ -107,6 +104,3 @@ module AliasedSsaInstructions { result = TAliasedSsaUnreachedInstruction(irFunc) } } - -/** DEPRECATED: Alias for AliasedSsaInstructions */ -deprecated module AliasedSSAInstructions = AliasedSsaInstructions; diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll index 607b88fa58d..8a330114fe9 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll @@ -74,20 +74,12 @@ private module Shared { class TNonSsaMemoryOperand = Internal::TNonSsaMemoryOperand; - /** DEPRECATED: Alias for TNonSsaMemoryOperand */ - deprecated class TNonSSAMemoryOperand = TNonSsaMemoryOperand; - /** * Returns the non-Phi memory operand with the specified parameters. */ TNonSsaMemoryOperand nonSsaMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) { result = Internal::TNonSsaMemoryOperand(useInstr, tag) } - - /** DEPRECATED: Alias for nonSsaMemoryOperand */ - deprecated TNonSSAMemoryOperand nonSSAMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) { - result = nonSsaMemoryOperand(useInstr, tag) - } } /** @@ -167,9 +159,6 @@ module UnaliasedSsaOperands { TChiOperand chiOperand(Unaliased::Instruction useInstr, ChiOperandTag tag) { none() } } -/** DEPRECATED: Alias for UnaliasedSsaOperands */ -deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands; - /** * Provides wrappers for the constructors of each branch of `TOperand` that is used by the * aliased SSA stage. @@ -217,6 +206,3 @@ module AliasedSsaOperands { result = Internal::TAliasedChiOperand(useInstr, tag) } } - -/** DEPRECATED: Alias for AliasedSsaOperands */ -deprecated module AliasedSSAOperands = AliasedSsaOperands; diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll index 0aa7c552638..1b5ea432946 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll @@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction { */ final Language::AST getAst() { result = Construction::getInstructionAst(this) } - /** DEPRECATED: Alias for getAst */ - deprecated Language::AST getAST() { result = this.getAst() } - /** * Gets the location of the source code for this instruction. */ @@ -463,9 +460,6 @@ class VariableInstruction extends Instruction { * Gets the AST variable that this instruction's IR variable refers to, if one exists. */ final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() } - - /** DEPRECATED: Alias for getAstVariable */ - deprecated Language::Variable getASTVariable() { result = this.getAstVariable() } } /** diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll index 1cfd8a2041e..8c0695247f8 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll @@ -375,11 +375,6 @@ Locatable getInstructionAst(TStageInstruction instr) { ) } -/** DEPRECATED: Alias for getInstructionAst */ -deprecated Locatable getInstructionAST(TStageInstruction instr) { - result = getInstructionAst(instr) -} - CppType getInstructionResultType(TStageInstruction instr) { getInstructionTranslatedElement(instr).hasInstruction(_, getInstructionTag(instr), result) or diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll index 3080848b153..5832aa9f928 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll @@ -76,9 +76,6 @@ abstract class TranslatedExpr extends TranslatedElement { final override Locatable getAst() { result = expr } - /** DEPRECATED: Alias for getAst */ - deprecated override Locatable getAST() { result = this.getAst() } - final override Declaration getFunction() { result = getEnclosingDeclaration(expr) } /** diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll index 0aa7c552638..1b5ea432946 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll @@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction { */ final Language::AST getAst() { result = Construction::getInstructionAst(this) } - /** DEPRECATED: Alias for getAst */ - deprecated Language::AST getAST() { result = this.getAst() } - /** * Gets the location of the source code for this instruction. */ @@ -463,9 +460,6 @@ class VariableInstruction extends Instruction { * Gets the AST variable that this instruction's IR variable refers to, if one exists. */ final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() } - - /** DEPRECATED: Alias for getAstVariable */ - deprecated Language::Variable getASTVariable() { result = this.getAstVariable() } } /** diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll index dc785f3e0b1..63dc4142a13 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll @@ -422,12 +422,6 @@ private module Cached { ) } - /** DEPRECATED: Alias for getInstructionAst */ - cached - deprecated Language::AST getInstructionAST(Instruction instr) { - result = getInstructionAst(instr) - } - cached Language::LanguageType getInstructionResultType(Instruction instr) { result = instr.(RawIR::Instruction).getResultLanguageType() @@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) { // We don't support reusing SSA for any location that could create a `Chi` instruction. } -/** DEPRECATED: Alias for canReuseSsaForMemoryResult */ -deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1; - /** * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the * `DebugSsa` module, which is then imported by PrintSSA. @@ -1005,9 +996,6 @@ module DebugSsa { import DefUse } -/** DEPRECATED: Alias for DebugSsa */ -deprecated module DebugSSA = DebugSsa; - import CachedForDebugging cached diff --git a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll index f5b0b3af930..5c33ecf5f99 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll @@ -46,9 +46,6 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) { not allocationEscapes(var) } -/** DEPRECATED: Alias for canReuseSsaForVariable */ -deprecated predicate canReuseSSAForVariable = canReuseSsaForVariable/1; - private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) } private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var } @@ -80,9 +77,6 @@ class MemoryLocation extends TMemoryLocation { predicate canReuseSsaForOldResult(Instruction instr) { none() } -/** DEPRECATED: Alias for canReuseSsaForOldResult */ -deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1; - /** * Represents a set of `MemoryLocation`s that cannot overlap with * `MemoryLocation`s outside of the set. The `VirtualVariable` will be diff --git a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll index 2503e4713d8..849dd70a9a3 100644 --- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll +++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll @@ -40,9 +40,6 @@ library class RangeSsa extends SsaHelper { } } -/** DEPRECATED: Alias for RangeSsa */ -deprecated class RangeSSA = RangeSsa; - private predicate guard_defn(VariableAccess v, Expr guard, BasicBlock b, boolean branch) { guardCondition(guard, v, branch) and guardSuccessor(guard, branch, b) diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll index 5135aab8d83..51dad0fc18c 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll @@ -16,9 +16,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode { DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) } } -/** DEPRECATED: Alias for UntrustedExternalApiDataNode */ -deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode; - /** An external API which is used with untrusted data. */ private newtype TExternalApi = /** An untrusted API method `m` where untrusted data is passed at `index`. */ @@ -51,6 +48,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi { ) } } - -/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */ -deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData; diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll index 2505f718bc6..2d9502f2f43 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll @@ -41,9 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node { string getFunctionDescription() { result = this.getExternalFunction().toString() } } -/** DEPRECATED: Alias for ExternalApiDataNode */ -deprecated class ExternalAPIDataNode = ExternalApiDataNode; - /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration { UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" } @@ -58,9 +55,6 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } } -/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */ -deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig; - /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { diff --git a/cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll b/cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll index de59e82e552..aecbe148290 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll @@ -10,9 +10,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect */ abstract class SafeExternalApiFunction extends Function { } -/** DEPRECATED: Alias for SafeExternalApiFunction */ -deprecated class SafeExternalAPIFunction = SafeExternalApiFunction; - /** The default set of "safe" external APIs. */ private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction { DefaultSafeExternalApiFunction() { diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll index 5135aab8d83..51dad0fc18c 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll @@ -16,9 +16,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode { DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) } } -/** DEPRECATED: Alias for UntrustedExternalApiDataNode */ -deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode; - /** An external API which is used with untrusted data. */ private newtype TExternalApi = /** An untrusted API method `m` where untrusted data is passed at `index`. */ @@ -51,6 +48,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi { ) } } - -/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */ -deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData; diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll index 93da5497a22..87e1d6bd7c5 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll @@ -41,9 +41,6 @@ class ExternalApiDataNode extends DataFlow::Node { string getFunctionDescription() { result = this.getExternalFunction().toString() } } -/** DEPRECATED: Alias for ExternalApiDataNode */ -deprecated class ExternalAPIDataNode = ExternalApiDataNode; - /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration { UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfigIR" } @@ -53,9 +50,6 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } } -/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */ -deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig; - /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll index de59e82e552..aecbe148290 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll @@ -10,9 +10,6 @@ private import semmle.code.cpp.models.interfaces.SideEffect */ abstract class SafeExternalApiFunction extends Function { } -/** DEPRECATED: Alias for SafeExternalApiFunction */ -deprecated class SafeExternalAPIFunction = SafeExternalApiFunction; - /** The default set of "safe" external APIs. */ private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction { DefaultSafeExternalApiFunction() { diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.qhelp new file mode 100644 index 00000000000..72491838fd2 --- /dev/null +++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.qhelp @@ -0,0 +1,33 @@ + + + + +

+Detects if (a+b>c) a=c-b, which incorrectly implements +a = min(a,c-b) if a+b overflows. +

+

+Also detects variants such as if (b+a>c) a=c-b (swapped +terms in addition), if (a+b>c) { a=c-b } (assignment +inside block), c<a+b (swapped operands), and +>=, <, <= instead of +> (all operators). +

+

+This integer overflow is the root cause of the buffer overflow in +the SHA-3 reference implementation (CVE-2022-37454). +

+ + +

+Replace by if (a>c-b) a=c-b. This avoids the overflow +and makes it easy to see that a = min(a,c-b). +

+ + +
  • CVE-2022-37454: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
    • +
  • GitHub Advisory Database: CVE-2022-37454: Buffer overflow in sponge queue functions
    • +     +     diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql b/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql new file mode 100644 index 00000000000..3667f068a25 --- /dev/null +++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql @@ -0,0 +1,42 @@ +/** + * @name Integer addition may overflow inside if statement + * @description Writing 'if (a+b>c) a=c-b' incorrectly implements + * 'a = min(a,c-b)' if 'a+b' overflows. This integer + * overflow is the root cause of the buffer overflow + * in the SHA-3 reference implementation (CVE-2022-37454). + * @kind problem + * @problem.severity warning + * @id cpp/if-statement-addition-overflow + * @tags: experimental + * correctness + * security + * external/cwe/cwe-190 + */ + +import cpp +import semmle.code.cpp.valuenumbering.GlobalValueNumbering +import semmle.code.cpp.valuenumbering.HashCons +import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis +import semmle.code.cpp.controlflow.Guards + +from + GuardCondition guard, Expr expr, ExprStmt exprstmt, BasicBlock block, AssignExpr assignexpr, + AddExpr addexpr, SubExpr subexpr +where + (guard.ensuresLt(expr, addexpr, 0, block, _) or guard.ensuresLt(addexpr, expr, 0, block, _)) and + addexpr.getUnspecifiedType() instanceof IntegralType and + exprMightOverflowPositively(addexpr) and + block.getANode() = exprstmt and + exprstmt.getExpr() = assignexpr and + assignexpr.getRValue() = subexpr and + ( + hashCons(addexpr.getLeftOperand()) = hashCons(assignexpr.getLValue()) and + globalValueNumber(addexpr.getRightOperand()) = globalValueNumber(subexpr.getRightOperand()) + or + hashCons(addexpr.getRightOperand()) = hashCons(assignexpr.getLValue()) and + globalValueNumber(addexpr.getLeftOperand()) = globalValueNumber(subexpr.getRightOperand()) + ) and + globalValueNumber(expr) = globalValueNumber(subexpr.getLeftOperand()) +select guard, + "\"if (a+b>c) a=c-b\" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as \"if (a>c-b) a=c-b\" which avoids the overflow.", + addexpr, "addition" diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql index 610eb572d8c..478ab2cc92a 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql @@ -179,6 +179,24 @@ predicate isSinkImpl( pointerAddInstructionHasBounds(pai, sink1, sink2, delta) } +/** + * Yields any instruction that is control-flow reachable from `instr`. + */ +bindingset[instr, result] +pragma[inline_late] +Instruction getASuccessor(Instruction instr) { + exists(IRBlock b, int instrIndex, int resultIndex | + result.getBlock() = b and + instr.getBlock() = b and + b.getInstruction(instrIndex) = instr and + b.getInstruction(resultIndex) = result + | + resultIndex >= instrIndex + ) + or + instr.getBlock().getASuccessor+() = result.getBlock() +} + /** * Holds if `sink` is a sink for `InvalidPointerToDerefConfig` and `i` is a `StoreInstruction` that * writes to an address that non-strictly upper-bounds `sink`, or `i` is a `LoadInstruction` that @@ -186,8 +204,9 @@ predicate isSinkImpl( */ pragma[inline] predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string operation, int delta) { - exists(AddressOperand addr | - bounded1(addr.getDef(), sink.asInstruction(), delta) and + exists(AddressOperand addr, Instruction s | + s = sink.asInstruction() and + bounded1(addr.getDef(), s, delta) and delta >= 0 and i.getAnOperand() = addr | @@ -247,7 +266,8 @@ newtype TMergedPathNode = TPathNodeSink(Instruction i) { exists(DataFlow::Node n | InvalidPointerToDerefFlow::flowTo(n) and - isInvalidPointerDerefSink(n, i, _, _) + isInvalidPointerDerefSink(n, i, _, _) and + i = getASuccessor(n.asInstruction()) ) } @@ -377,15 +397,19 @@ predicate hasFlowPath( } from - MergedPathNode source, MergedPathNode sink, int k2, int k3, string kstr, - InvalidPointerToDerefFlow::PathNode source3, PointerArithmeticInstruction pai, string operation, - Expr offset, DataFlow::Node n + MergedPathNode source, MergedPathNode sink, int k, string kstr, PointerArithmeticInstruction pai, + string operation, Expr offset, DataFlow::Node n where - hasFlowPath(source, sink, source3, pai, operation, k3) and - invalidPointerToDerefSource(pai, source3.getNode(), k2) and + k = + min(int k2, int k3, InvalidPointerToDerefFlow::PathNode source3 | + hasFlowPath(source, sink, source3, pai, operation, k3) and + invalidPointerToDerefSource(pai, source3.getNode(), k2) + | + k2 + k3 + ) and offset = pai.getRight().getUnconvertedResultExpression() and n = source.asPathNode1().getNode() and - if (k2 + k3) = 0 then kstr = "" else kstr = " + " + (k2 + k3) + if k = 0 then kstr = "" else kstr = " + " + k select sink, source, sink, "This " + operation + " might be out of bounds, as the pointer might be equal to $@ + $@" + kstr + ".", n, n.toString(), offset, offset.toString() diff --git a/cpp/ql/src/external/CodeDuplication.qll b/cpp/ql/src/external/CodeDuplication.qll deleted file mode 100644 index be2dc162e74..00000000000 --- a/cpp/ql/src/external/CodeDuplication.qll +++ /dev/null @@ -1,373 +0,0 @@ -/** Provides classes for detecting duplicate or similar code. */ - -import cpp - -deprecated private newtype TDuplicationOrSimilarity = MKDuplicationOrSimilarity() - -/** - * DEPRECATED: This class is no longer used. - * - * A token block used for detection of duplicate and similar code. - */ -deprecated class Copy extends TDuplicationOrSimilarity { - /** Gets the index of the token in this block starting at the location `loc`, if any. */ - int tokenStartingAt(Location loc) { none() } - - /** Gets the index of the token in this block ending at the location `loc`, if any. */ - int tokenEndingAt(Location loc) { none() } - - /** Gets the line on which the first token in this block starts. */ - int sourceStartLine() { none() } - - /** Gets the column on which the first token in this block starts. */ - int sourceStartColumn() { none() } - - /** Gets the line on which the last token in this block ends. */ - int sourceEndLine() { none() } - - /** Gets the column on which the last token in this block ends. */ - int sourceEndColumn() { none() } - - /** Gets the number of lines containing at least (part of) one token in this block. */ - int sourceLines() { result = this.sourceEndLine() + 1 - this.sourceStartLine() } - - /** Gets an opaque identifier for the equivalence class of this block. */ - int getEquivalenceClass() { none() } - - /** Gets the source file in which this block appears. */ - File sourceFile() { none() } - - /** - * Holds if this element is at the specified location. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `filepath`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). - */ - predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - this.sourceFile().getAbsolutePath() = filepath and - startline = this.sourceStartLine() and - startcolumn = this.sourceStartColumn() and - endline = this.sourceEndLine() and - endcolumn = this.sourceEndColumn() - } - - /** Gets a textual representation of this element. */ - string toString() { none() } -} - -/** - * DEPRECATED: This class is no longer used. - * - * A block of duplicated code. - */ -deprecated class DuplicateBlock extends Copy { - override string toString() { - result = "Duplicate code: " + this.sourceLines() + " duplicated lines." - } -} - -/** - * DEPRECATED: This class is no longer used. - * - * A block of similar code. - */ -deprecated class SimilarBlock extends Copy { - override string toString() { - result = "Similar code: " + this.sourceLines() + " almost duplicated lines." - } -} - -/** - * DEPRECATED: The `CodeDuplication` library will be removed in a future release. - * - * Gets a function with a body and a location. - */ -deprecated FunctionDeclarationEntry sourceMethod() { - result.isDefinition() and - exists(result.getLocation()) and - numlines(unresolveElement(result.getFunction()), _, _, _) -} - -/** - * DEPRECATED: The `CodeDuplication` library will be removed in a future release. - * - * Gets the number of member functions in `c` with a body and a location. - */ -deprecated int numberOfSourceMethods(Class c) { - result = - count(FunctionDeclarationEntry m | - m = sourceMethod() and - m.getFunction().getDeclaringType() = c - ) -} - -deprecated private predicate blockCoversStatement(int equivClass, int first, int last, Stmt stmt) { - exists(DuplicateBlock b, Location loc | - stmt.getLocation() = loc and - first = b.tokenStartingAt(loc) and - last = b.tokenEndingAt(loc) and - b.getEquivalenceClass() = equivClass - ) -} - -deprecated private Stmt statementInMethod(FunctionDeclarationEntry m) { - result.getParent+() = m.getBlock() and - not result.getLocation() instanceof UnknownStmtLocation and - not result instanceof BlockStmt -} - -deprecated private predicate duplicateStatement( - FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, Stmt s1, Stmt s2 -) { - exists(int equivClass, int first, int last | - s1 = statementInMethod(m1) and - s2 = statementInMethod(m2) and - blockCoversStatement(equivClass, first, last, s1) and - blockCoversStatement(equivClass, first, last, s2) and - s1 != s2 and - m1 != m2 - ) -} - -/** - * DEPRECATED: Information on duplicated statements is no longer available. - * - * Holds if `m1` is a function with `total` lines, and `m2` is a function - * that has `duplicate` lines in common with `m1`. - */ -deprecated predicate duplicateStatements( - FunctionDeclarationEntry m1, FunctionDeclarationEntry m2, int duplicate, int total -) { - duplicate = strictcount(Stmt s | duplicateStatement(m1, m2, s, _)) and - total = strictcount(statementInMethod(m1)) -} - -/** - * DEPRECATED: Information on duplicated methods is no longer available. - * - * Holds if `m` and other are identical functions. - */ -deprecated predicate duplicateMethod(FunctionDeclarationEntry m, FunctionDeclarationEntry other) { - exists(int total | duplicateStatements(m, other, total, total)) -} - -/** - * DEPRECATED: Information on similar lines is no longer available. - * - * INTERNAL: do not use. - * - * Holds if `line` in `f` is similar to a line somewhere else. - */ -deprecated predicate similarLines(File f, int line) { - exists(SimilarBlock b | b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()]) -} - -deprecated private predicate similarLinesPerEquivalenceClass(int equivClass, int lines, File f) { - lines = - strictsum(SimilarBlock b, int toSum | - (b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and - toSum = b.sourceLines() - | - toSum - ) -} - -deprecated private predicate similarLinesCoveredFiles(File f, File otherFile) { - exists(int numLines | numLines = f.getMetrics().getNumberOfLines() | - exists(int coveredApprox | - coveredApprox = - strictsum(int num | - exists(int equivClass | - similarLinesPerEquivalenceClass(equivClass, num, f) and - similarLinesPerEquivalenceClass(equivClass, num, otherFile) and - f != otherFile - ) - ) and - (coveredApprox * 100) / numLines > 75 - ) - ) -} - -/** - * DEPRECATED: Information on similar lines is no longer available. - * - * Holds if `coveredLines` lines of `f` are similar to lines in `otherFile`. - */ -deprecated predicate similarLinesCovered(File f, int coveredLines, File otherFile) { - exists(int numLines | numLines = f.getMetrics().getNumberOfLines() | - similarLinesCoveredFiles(f, otherFile) and - exists(int notCovered | - notCovered = - count(int j | - j in [1 .. numLines] and - not similarLines(f, j) - ) and - coveredLines = numLines - notCovered - ) - ) -} - -/** - * DEPRECATED: Information on duplicate lines is no longer available. - * - * INTERNAL: do not use. - * - * Holds if `line` in `f` is duplicated by a line somewhere else. - */ -deprecated predicate duplicateLines(File f, int line) { - exists(DuplicateBlock b | - b.sourceFile() = f and line in [b.sourceStartLine() .. b.sourceEndLine()] - ) -} - -deprecated private predicate duplicateLinesPerEquivalenceClass(int equivClass, int lines, File f) { - lines = - strictsum(DuplicateBlock b, int toSum | - (b.sourceFile() = f and b.getEquivalenceClass() = equivClass) and - toSum = b.sourceLines() - | - toSum - ) -} - -/** - * DEPRECATED: Information on duplicate lines is no longer available. - * - * Holds if `coveredLines` lines of `f` are duplicates of lines in `otherFile`. - */ -deprecated predicate duplicateLinesCovered(File f, int coveredLines, File otherFile) { - exists(int numLines | numLines = f.getMetrics().getNumberOfLines() | - exists(int coveredApprox | - coveredApprox = - strictsum(int num | - exists(int equivClass | - duplicateLinesPerEquivalenceClass(equivClass, num, f) and - duplicateLinesPerEquivalenceClass(equivClass, num, otherFile) and - f != otherFile - ) - ) and - (coveredApprox * 100) / numLines > 75 - ) and - exists(int notCovered | - notCovered = - count(int j | - j in [1 .. numLines] and - not duplicateLines(f, j) - ) and - coveredLines = numLines - notCovered - ) - ) -} - -/** - * DEPRECATED: Information on similar files is no longer available. - * - * Holds if most of `f` (`percent`%) is similar to `other`. - */ -deprecated predicate similarFiles(File f, File other, int percent) { - exists(int covered, int total | - similarLinesCovered(f, covered, other) and - total = f.getMetrics().getNumberOfLines() and - covered * 100 / total = percent and - percent > 80 - ) and - not duplicateFiles(f, other, _) -} - -/** - * DEPRECATED: Information on duplicate files is no longer available. - * - * Holds if most of `f` (`percent`%) is duplicated by `other`. - */ -deprecated predicate duplicateFiles(File f, File other, int percent) { - exists(int covered, int total | - duplicateLinesCovered(f, covered, other) and - total = f.getMetrics().getNumberOfLines() and - covered * 100 / total = percent and - percent > 70 - ) -} - -/** - * DEPRECATED: Information on duplicate classes is no longer available. - * - * Holds if most member functions of `c` (`numDup` out of `total`) are - * duplicates of member functions in `other`. - */ -deprecated predicate mostlyDuplicateClassBase(Class c, Class other, int numDup, int total) { - numDup = - strictcount(FunctionDeclarationEntry m1 | - exists(FunctionDeclarationEntry m2 | - duplicateMethod(m1, m2) and - m1 = sourceMethod() and - exists(Function f | f = m1.getFunction() and f.getDeclaringType() = c) and - exists(Function f | f = m2.getFunction() and f.getDeclaringType() = other) and - c != other - ) - ) and - total = numberOfSourceMethods(c) and - (numDup * 100) / total > 80 -} - -/** - * DEPRECATED: Information on duplicate classes is no longer available. - * - * Holds if most member functions of `c` are duplicates of member functions in - * `other`. Provides the human-readable `message` to describe the amount of - * duplication. - */ -deprecated predicate mostlyDuplicateClass(Class c, Class other, string message) { - exists(int numDup, int total | - mostlyDuplicateClassBase(c, other, numDup, total) and - ( - total != numDup and - exists(string s1, string s2, string s3, string name | - s1 = " out of " and - s2 = " methods in " and - s3 = " are duplicated in $@." and - name = c.getName() - | - message = numDup + s1 + total + s2 + name + s3 - ) - or - total = numDup and - exists(string s1, string s2, string name | - s1 = "All methods in " and s2 = " are identical in $@." and name = c.getName() - | - message = s1 + name + s2 - ) - ) - ) -} - -/** - * DEPRECATED: Information on file duplication is no longer available. - * - * Holds if `f` and `other` are similar or duplicates. - */ -deprecated predicate fileLevelDuplication(File f, File other) { - similarFiles(f, other, _) or duplicateFiles(f, other, _) -} - -/** - * DEPRECATED: Information on class duplication is no longer available. - * - * Holds if most member functions of `c` are duplicates of member functions in - * `other`. - */ -deprecated predicate classLevelDuplication(Class c, Class other) { - mostlyDuplicateClass(c, other, _) -} - -/** - * DEPRECATED: The CodeDuplication library will be removed in a future release. - * - * Holds if `line` in `f` should be allowed to be duplicated. This is the case - * for `#include` directives. - */ -deprecated predicate whitelistedLineForDuplication(File f, int line) { - exists(Include i | i.getFile() = f and i.getLocation().getStartLine() = line) -} diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.expected new file mode 100644 index 00000000000..2e31f173faa --- /dev/null +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.expected @@ -0,0 +1,35 @@ +| test.cpp:18:6:18:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:18:6:18:8 | ... + ... | addition | +| test.cpp:19:6:19:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:19:6:19:8 | ... + ... | addition | +| test.cpp:20:6:20:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:20:6:20:8 | ... + ... | addition | +| test.cpp:21:6:21:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:21:6:21:8 | ... + ... | addition | +| test.cpp:22:6:22:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:22:8:22:10 | ... + ... | addition | +| test.cpp:23:6:23:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:23:8:23:10 | ... + ... | addition | +| test.cpp:24:6:24:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:24:8:24:10 | ... + ... | addition | +| test.cpp:25:6:25:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:25:8:25:10 | ... + ... | addition | +| test.cpp:27:6:27:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:27:6:27:8 | ... + ... | addition | +| test.cpp:28:6:28:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:28:6:28:8 | ... + ... | addition | +| test.cpp:29:6:29:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:29:6:29:8 | ... + ... | addition | +| test.cpp:30:6:30:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:30:6:30:8 | ... + ... | addition | +| test.cpp:31:6:31:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:31:9:31:11 | ... + ... | addition | +| test.cpp:32:6:32:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:32:9:32:11 | ... + ... | addition | +| test.cpp:33:6:33:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:33:9:33:11 | ... + ... | addition | +| test.cpp:34:6:34:11 | ... >= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:34:9:34:11 | ... + ... | addition | +| test.cpp:36:6:36:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:36:6:36:8 | ... + ... | addition | +| test.cpp:37:6:37:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:37:6:37:8 | ... + ... | addition | +| test.cpp:38:6:38:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:38:6:38:8 | ... + ... | addition | +| test.cpp:39:6:39:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:39:6:39:8 | ... + ... | addition | +| test.cpp:40:6:40:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:40:8:40:10 | ... + ... | addition | +| test.cpp:41:6:41:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:41:8:41:10 | ... + ... | addition | +| test.cpp:42:6:42:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:42:8:42:10 | ... + ... | addition | +| test.cpp:43:6:43:10 | ... < ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:43:8:43:10 | ... + ... | addition | +| test.cpp:45:6:45:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:45:6:45:8 | ... + ... | addition | +| test.cpp:46:6:46:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:46:6:46:8 | ... + ... | addition | +| test.cpp:47:6:47:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:47:6:47:8 | ... + ... | addition | +| test.cpp:48:6:48:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:48:6:48:8 | ... + ... | addition | +| test.cpp:49:6:49:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:49:9:49:11 | ... + ... | addition | +| test.cpp:50:6:50:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:50:9:50:11 | ... + ... | addition | +| test.cpp:51:6:51:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:51:9:51:11 | ... + ... | addition | +| test.cpp:52:6:52:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:52:9:52:11 | ... + ... | addition | +| test.cpp:54:6:54:10 | ... > ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:54:6:54:8 | ... + ... | addition | +| test.cpp:61:6:61:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:61:6:61:8 | ... + ... | addition | +| test.cpp:62:6:62:11 | ... <= ... | "if (a+b>c) a=c-b" was detected where the $@ may potentially overflow/wraparound. The code can be rewritten as "if (a>c-b) a=c-b" which avoids the overflow. | test.cpp:62:6:62:8 | ... + ... | addition | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref new file mode 100644 index 00000000000..0873051581d --- /dev/null +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref @@ -0,0 +1 @@ +experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp new file mode 100644 index 00000000000..7c5ab91832e --- /dev/null +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp @@ -0,0 +1,63 @@ + +int getAnInt(); +double getADouble(); +unsigned short getAnUnsignedShort(); + +void test() +{ + int a = getAnInt(); + int b = getAnInt(); + int c = getAnInt(); + int x = getAnInt(); + int y = getAnInt(); + double d = getADouble(); + unsigned short a1 = getAnUnsignedShort(); + unsigned short b1 = getAnUnsignedShort(); + unsigned short c1 = getAnUnsignedShort(); + + if (a+b>c) a = c-b; // BAD + if (a+b>c) { a = c-b; } // BAD + if (b+a>c) a = c-b; // BAD + if (b+a>c) { a = c-b; } // BAD + if (c>a+b) a = c-b; // BAD + if (c>a+b) { a = c-b; } // BAD + if (c>b+a) a = c-b; // BAD + if (c>b+a) { a = c-b; } // BAD + + if (a+b>=c) a = c-b; // BAD + if (a+b>=c) { a = c-b; } // BAD + if (b+a>=c) a = c-b; // BAD + if (b+a>=c) { a = c-b; } // BAD + if (c>=a+b) a = c-b; // BAD + if (c>=a+b) { a = c-b; } // BAD + if (c>=b+a) a = c-b; // BAD + if (c>=b+a) { a = c-b; } // BAD + + if (a+bd) a = d-b; // BAD + if (a+(double)b>c) a = c-b; // GOOD + if (a+(-x)>c) a = c-(-y); // GOOD + if (a+b>c) { b++; a = c-b; } // GOOD + if (a+d>c) a = c-d; // GOOD + if (a1+b1>c1) a1 = c1-b1; // GOOD + + if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD + if (a+b<=c) { return; } a = c-b; // BAD +} diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected index 09c75e7369c..0d92ae6db5a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected @@ -663,14 +663,7 @@ edges | test.cpp:326:15:326:23 | ... + ... | test.cpp:342:8:342:17 | * ... | | test.cpp:338:8:338:15 | * ... | test.cpp:342:8:342:17 | * ... | | test.cpp:341:8:341:17 | * ... | test.cpp:342:8:342:17 | * ... | -| test.cpp:342:8:342:17 | * ... | test.cpp:333:5:333:21 | Store: ... = ... | -| test.cpp:342:8:342:17 | * ... | test.cpp:341:5:341:21 | Store: ... = ... | | test.cpp:347:14:347:27 | new[] | test.cpp:348:15:348:16 | xs | -| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ | -| test.cpp:348:15:348:16 | xs | test.cpp:350:16:350:19 | ... ++ | -| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:15:350:19 | Load: * ... | -| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ | -| test.cpp:350:16:350:19 | ... ++ | test.cpp:350:16:350:19 | ... ++ | | test.cpp:355:14:355:27 | new[] | test.cpp:356:15:356:16 | xs | | test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... | | test.cpp:356:15:356:16 | xs | test.cpp:356:15:356:23 | ... + ... | @@ -732,6 +725,29 @@ edges | test.cpp:368:5:368:10 | ... += ... | test.cpp:372:16:372:16 | p | | test.cpp:371:7:371:7 | p | test.cpp:372:15:372:16 | Load: * ... | | test.cpp:372:16:372:16 | p | test.cpp:372:15:372:16 | Load: * ... | +| test.cpp:377:14:377:27 | new[] | test.cpp:378:15:378:16 | xs | +| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... | +| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... | +| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... | +| test.cpp:378:15:378:16 | xs | test.cpp:378:15:378:23 | ... + ... | +| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:7 | end | +| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ | +| test.cpp:378:15:378:16 | xs | test.cpp:381:5:381:9 | ... ++ | +| test.cpp:378:15:378:16 | xs | test.cpp:384:14:384:16 | end | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:378:15:378:23 | ... + ... | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:381:5:381:7 | end | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:13:384:16 | Load: * ... | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end | +| test.cpp:378:15:378:23 | ... + ... | test.cpp:384:14:384:16 | end | +| test.cpp:381:5:381:7 | end | test.cpp:384:13:384:16 | Load: * ... | +| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end | +| test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end | +| test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... | nodes | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc | | test.cpp:5:15:5:15 | p | semmle.label | p | @@ -1031,17 +1047,11 @@ nodes | test.cpp:326:15:326:16 | xs | semmle.label | xs | | test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... | | test.cpp:326:15:326:23 | ... + ... | semmle.label | ... + ... | -| test.cpp:333:5:333:21 | Store: ... = ... | semmle.label | Store: ... = ... | | test.cpp:338:8:338:15 | * ... | semmle.label | * ... | -| test.cpp:341:5:341:21 | Store: ... = ... | semmle.label | Store: ... = ... | | test.cpp:341:8:341:17 | * ... | semmle.label | * ... | | test.cpp:342:8:342:17 | * ... | semmle.label | * ... | | test.cpp:347:14:347:27 | new[] | semmle.label | new[] | | test.cpp:348:15:348:16 | xs | semmle.label | xs | -| test.cpp:350:15:350:19 | Load: * ... | semmle.label | Load: * ... | -| test.cpp:350:16:350:19 | ... ++ | semmle.label | ... ++ | -| test.cpp:350:16:350:19 | ... ++ | semmle.label | ... ++ | -| test.cpp:350:16:350:19 | ... ++ | semmle.label | ... ++ | | test.cpp:355:14:355:27 | new[] | semmle.label | new[] | | test.cpp:356:15:356:16 | xs | semmle.label | xs | | test.cpp:356:15:356:23 | ... + ... | semmle.label | ... + ... | @@ -1066,6 +1076,17 @@ nodes | test.cpp:371:7:371:7 | p | semmle.label | p | | test.cpp:372:15:372:16 | Load: * ... | semmle.label | Load: * ... | | test.cpp:372:16:372:16 | p | semmle.label | p | +| test.cpp:377:14:377:27 | new[] | semmle.label | new[] | +| test.cpp:378:15:378:16 | xs | semmle.label | xs | +| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... | +| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... | +| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... | +| test.cpp:378:15:378:23 | ... + ... | semmle.label | ... + ... | +| test.cpp:381:5:381:7 | end | semmle.label | end | +| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ | +| test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ | +| test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... | +| test.cpp:384:14:384:16 | end | semmle.label | end | subpaths #select | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size | @@ -1088,9 +1109,7 @@ subpaths | test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len | | test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len | | test.cpp:308:5:308:29 | Store: ... = ... | test.cpp:304:15:304:26 | new[] | test.cpp:308:5:308:29 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:304:15:304:26 | new[] | new[] | test.cpp:308:8:308:10 | ... + ... | ... + ... | -| test.cpp:333:5:333:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:333:5:333:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size | -| test.cpp:341:5:341:21 | Store: ... = ... | test.cpp:325:14:325:27 | new[] | test.cpp:341:5:341:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:325:14:325:27 | new[] | new[] | test.cpp:326:20:326:23 | size | size | -| test.cpp:350:15:350:19 | Load: * ... | test.cpp:347:14:347:27 | new[] | test.cpp:350:15:350:19 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:347:14:347:27 | new[] | new[] | test.cpp:348:20:348:23 | size | size | | test.cpp:358:14:358:26 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:358:14:358:26 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size | | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size | | test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size | +| test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp index 3711f272e76..05b0f1c07ca 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp @@ -330,7 +330,7 @@ void test23(unsigned size, int val) { if(*current - xs < 1) return; - *--(*current) = 0; // GOOD [FALSE POSITIVE] + *--(*current) = 0; // GOOD return; } @@ -338,7 +338,7 @@ void test23(unsigned size, int val) { if(*current - xs < 2) return; - *--(*current) = 0; // GOOD [FALSE POSITIVE] + *--(*current) = 0; // GOOD *--(*current) = 0; // GOOD } } @@ -347,7 +347,7 @@ void test24(unsigned size) { char *xs = new char[size]; char *end = xs + size; if (xs < end) { - int val = *xs++; // GOOD [FALSE POSITIVE] + int val = *xs++; // GOOD } } @@ -372,3 +372,14 @@ void test26(unsigned size) { int val = *p; // GOOD [FALSE POSITIVE] } } + +void test27(unsigned size, bool b) { + char *xs = new char[size]; + char *end = xs + size; + + if (b) { + end++; + } + + int val = *end; // BAD +} diff --git a/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll b/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll index 7313518af91..8c4c547f4c8 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll +++ b/cpp/ql/test/library-tests/dataflow/fields/Nodes.qll @@ -34,9 +34,6 @@ class AstNode extends Node, TAstNode { override Location getLocation() { result = n.getLocation() } } -/** DEPRECATED: Alias for AstNode */ -deprecated class ASTNode = AstNode; - class IRNode extends Node, TIRNode { IR::DataFlow::Node n; diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index 907cccd197b..f6a7625b57a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected @@ -6584,6 +6584,13 @@ | taint.cpp:691:18:691:18 | s [post update] | taint.cpp:695:7:695:7 | s | | | taint.cpp:691:20:691:20 | ref arg x | taint.cpp:694:9:694:9 | x | | | taint.cpp:694:7:694:7 | s [post update] | taint.cpp:695:7:695:7 | s | | +| taint.cpp:700:13:700:18 | call to source | taint.cpp:702:11:702:11 | s | | +| taint.cpp:701:9:701:9 | p | taint.cpp:702:4:702:4 | p | | +| taint.cpp:702:4:702:4 | p | taint.cpp:702:4:702:6 | ... ++ | | +| taint.cpp:702:4:702:6 | ... ++ | taint.cpp:702:3:702:6 | * ... | TAINT | +| taint.cpp:702:4:702:6 | ... ++ | taint.cpp:703:8:703:8 | p | TAINT | +| taint.cpp:702:10:702:11 | * ... | taint.cpp:702:3:702:11 | ... = ... | | +| taint.cpp:702:11:702:11 | s | taint.cpp:702:10:702:11 | * ... | TAINT | | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | | | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | | | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp index 9806ddb395e..fa6074e44f6 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp @@ -693,4 +693,13 @@ void test_argument_source_field_to_obj() { sink(s); // $ SPURIOUS: ast,ir sink(s.x); // $ ast,ir sink(s.y); // clean +} + +namespace strings { + void test_write_to_read_then_incr_then_deref() { + char* s = source(); + char* p; + *p++ = *s; + sink(p); // $ ast ir + } } \ No newline at end of file diff --git a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Extractor.cs b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Extractor.cs index 97a25d200f7..a9f43af2bea 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Extractor.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Extractor.cs @@ -33,7 +33,9 @@ namespace Semmle.Extraction.CSharp.Standalone CSharp.Extractor.Analyse(stopwatch, analyser, options, references => GetResolvedReferencesStandalone(referencePaths, references), (analyser, syntaxTrees) => CSharp.Extractor.ReadSyntaxTrees(sources, analyser, null, null, syntaxTrees), - (syntaxTrees, references) => CSharpCompilation.Create("csharp.dll", syntaxTrees, references), + (syntaxTrees, references) => CSharpCompilation.Create( + "csharp.dll", syntaxTrees, references, new CSharpCompilationOptions(OutputKind.ConsoleApplication, allowUnsafe: true) + ), (compilation, options) => analyser.Initialize(compilation, options), () => { }, _ => { }, diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs index 698be2e2c35..a77c0b30095 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs @@ -211,6 +211,11 @@ namespace Semmle.Extraction.CSharp.Entities return Default.CreateGenerated(cx, parent, childIndex, location, ValueAsString(null)); } + if (type.SpecialType is SpecialType.None) + { + return ImplicitCast.CreateGenerated(cx, parent, childIndex, type, defaultValue, location); + } + if (type.SpecialType is SpecialType.System_DateTime) { return DateTimeObjectCreation.CreateGenerated(cx, parent, childIndex, type, defaultValue, location); diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs index 2d617cdb1b9..ebd7379ee67 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs @@ -1,3 +1,4 @@ +using System.Linq; using Microsoft.CodeAnalysis; using Semmle.Extraction.Kinds; @@ -11,33 +12,73 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions private set; } - public ImplicitCast(ExpressionNodeInfo info) + private ImplicitCast(ExpressionNodeInfo info) : base(new ExpressionInfo(info.Context, info.ConvertedType, info.Location, ExprKind.CAST, info.Parent, info.Child, true, info.ExprValue)) { Expr = Factory.Create(new ExpressionNodeInfo(Context, info.Node, this, 0)); } - public ImplicitCast(ExpressionNodeInfo info, IMethodSymbol method) + private ImplicitCast(ExpressionNodeInfo info, IMethodSymbol method) : base(new ExpressionInfo(info.Context, info.ConvertedType, info.Location, ExprKind.OPERATOR_INVOCATION, info.Parent, info.Child, true, info.ExprValue)) { Expr = Factory.Create(info.SetParent(this, 0)); - var target = Method.Create(Context, method); - if (target is not null) - Context.TrapWriter.Writer.expr_call(this, target); - else - Context.ModelError(info.Node, "Failed to resolve target for operator invocation"); + AddOperatorCall(method); } - /// - /// Creates a new expression, adding casts as required. - /// - /// The extraction context. - /// The expression node. - /// The parent of the expression. - /// The child number. - /// A type hint. - /// A new expression. + private ImplicitCast(ExpressionInfo info, IMethodSymbol method, object value) : base(info) + { + Expr = Literal.CreateGenerated(Context, this, 0, method.Parameters[0].Type, value, info.Location); + + AddOperatorCall(method); + } + + private void AddOperatorCall(IMethodSymbol method) + { + var target = Method.Create(Context, method); + Context.TrapWriter.Writer.expr_call(this, target); + } + + private static IMethodSymbol? GetImplicitConversionMethod(ITypeSymbol type, object value) => + type + .GetMembers() + .OfType() + .Where(method => + method.GetName() == "op_Implicit" && + method.Parameters.Length == 1 && + method.Parameters[0].Type.Name == value.GetType().Name + ) + .FirstOrDefault(); + + // Creates a new generated expression with an implicit cast added, if needed. + public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object value, + Extraction.Entities.Location location) + { + ExpressionInfo create(ExprKind kind, string? v) => + new ExpressionInfo( + cx, + AnnotatedTypeSymbol.CreateNotAnnotated(type), + location, + kind, + parent, + childIndex, + true, + v); + + var method = GetImplicitConversionMethod(type, value); + if (method is not null) + { + var info = create(ExprKind.OPERATOR_INVOCATION, null); + return new ImplicitCast(info, method, value); + } + else + { + cx.ModelError(location, "Failed to resolve target for implicit operator invocation for a parameter default."); + return new Expression(create(ExprKind.UNKNOWN, ValueAsString(value))); + } + } + + // Creates a new expression, adding casts as required. public static Expression Create(ExpressionNodeInfo info) { var resolvedType = info.ResolvedType; diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs index 22bf9f69670..3729a5d2528 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs @@ -243,7 +243,12 @@ namespace Semmle.Extraction.CSharp.Entities if (methodKind == MethodKind.ExplicitInterfaceImplementation) { // Retrieve the original method kind - methodKind = methodDecl.ExplicitInterfaceImplementations.Select(m => m.MethodKind).FirstOrDefault(); + if (methodDecl.ExplicitInterfaceImplementations.IsEmpty) + { + throw new InternalError(methodDecl, "Couldn't get the original method kind for an explicit interface implementation"); + } + + methodKind = methodDecl.ExplicitInterfaceImplementations.Select(m => m.MethodKind).First(); } switch (methodKind) diff --git a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs index cd182fe4640..aaef1702532 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs @@ -25,7 +25,7 @@ namespace Semmle.Extraction.CSharp Nullability = nullability; } - public static AnnotatedTypeSymbol? CreateNotAnnotated(ITypeSymbol symbol) => + public static AnnotatedTypeSymbol? CreateNotAnnotated(ITypeSymbol? symbol) => symbol is null ? (AnnotatedTypeSymbol?)null : new AnnotatedTypeSymbol(symbol, NullableAnnotation.None); } diff --git a/csharp/ql/integration-tests/posix-only/dotnet_test/test.py b/csharp/ql/integration-tests/posix-only/dotnet_test/test.py index 7bc159e6720..f69d01b2188 100644 --- a/csharp/ql/integration-tests/posix-only/dotnet_test/test.py +++ b/csharp/ql/integration-tests/posix-only/dotnet_test/test.py @@ -1,5 +1,10 @@ from create_database_utils import * from diagnostics_test_utils import * -run_codeql_database_create(['dotnet test'], db=None, lang="csharp") +# Implicitly build and then run tests. +run_codeql_database_create(['dotnet test'], test_db="test-db", lang="csharp") check_diagnostics() + +# Explicitly build and then run tests. +run_codeql_database_create(['dotnet clean', 'rm -rf test-db', 'dotnet build -o myout', 'dotnet test myout/dotnet_test.dll'], test_db="test2-db", lang="csharp") +check_diagnostics(test_db="test2-db") diff --git a/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/UnitTest1.cs b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/UnitTest1.cs new file mode 100644 index 00000000000..7e3b2ce1d1c --- /dev/null +++ b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace dotnet_test_mstest; + +[TestClass] +public class UnitTest1 +{ + [TestMethod] + public void TestMethod1() + { + } +} diff --git a/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/Usings.cs b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/Usings.cs new file mode 100644 index 00000000000..540383dcf43 --- /dev/null +++ b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/Usings.cs @@ -0,0 +1 @@ +global using Microsoft.VisualStudio.TestTools.UnitTesting; diff --git a/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/dotnet_test_mstest.csproj b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/dotnet_test_mstest.csproj new file mode 100644 index 00000000000..95c7586e04e --- /dev/null +++ b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/dotnet_test_mstest.csproj @@ -0,0 +1,19 @@ + + + + net7.0 + enable + enable + + false + Exe + + + + + + + + + + diff --git a/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/test.py b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/test.py new file mode 100644 index 00000000000..ff14366807d --- /dev/null +++ b/csharp/ql/integration-tests/posix-only/dotnet_test_mstest/test.py @@ -0,0 +1,14 @@ +import platform +from create_database_utils import * +from diagnostics_test_utils import * + +# Implicitly build and then run tests. +run_codeql_database_create(['dotnet test'], test_db="test-db", lang="csharp") +check_diagnostics() + +# Fix `dotnet test` picking `x64` on arm-based macOS +architecture = '-a arm64' if platform.machine() == 'arm64' else '' + +# Explicitly build and then run tests. +run_codeql_database_create(['dotnet clean', 'rm -rf test-db', 'dotnet build -o myout --os win', 'dotnet test myout/dotnet_test_mstest.exe ' + architecture], test_db="test2-db", lang="csharp") +check_diagnostics(test_db="test2-db") diff --git a/csharp/ql/lib/change-notes/2023-06-02-delete-deps.md b/csharp/ql/lib/change-notes/2023-06-02-delete-deps.md new file mode 100644 index 00000000000..13402f08147 --- /dev/null +++ b/csharp/ql/lib/change-notes/2023-06-02-delete-deps.md @@ -0,0 +1,8 @@ +--- +category: minorAnalysis +--- +* Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead. +* Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`. +* Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead. +* Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class. +* Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead. diff --git a/csharp/ql/lib/change-notes/2023-06-06-dotnettest.md b/csharp/ql/lib/change-notes/2023-06-06-dotnettest.md new file mode 100644 index 00000000000..e7179b93189 --- /dev/null +++ b/csharp/ql/lib/change-notes/2023-06-06-dotnettest.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument. \ No newline at end of file diff --git a/csharp/ql/lib/change-notes/2023-06-08-type-strengthening.md b/csharp/ql/lib/change-notes/2023-06-08-type-strengthening.md new file mode 100644 index 00000000000..60daaa53058 --- /dev/null +++ b/csharp/ql/lib/change-notes/2023-06-08-type-strengthening.md @@ -0,0 +1,4 @@ +--- +category: majorAnalysis +--- +* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types. diff --git a/csharp/ql/lib/semmle/code/asp/WebConfig.qll b/csharp/ql/lib/semmle/code/asp/WebConfig.qll index 49e42fce5c1..fdc251b4242 100644 --- a/csharp/ql/lib/semmle/code/asp/WebConfig.qll +++ b/csharp/ql/lib/semmle/code/asp/WebConfig.qll @@ -18,9 +18,6 @@ class WebConfigReleaseTransformXml extends XmlFile { WebConfigReleaseTransformXml() { this.getName().matches("%Web.Release.config") } } -/** DEPRECATED: Alias for WebConfigXml */ -deprecated class WebConfigXML = WebConfigXml; - /** A `` tag in an ASP.NET configuration file. */ class ConfigurationXmlElement extends XmlElement { ConfigurationXmlElement() { this.getName().toLowerCase() = "configuration" } @@ -31,9 +28,6 @@ class CompilationXmlElement extends XmlElement { CompilationXmlElement() { this.getName().toLowerCase() = "compilation" } } -/** DEPRECATED: Alias for ConfigurationXmlElement */ -deprecated class ConfigurationXMLElement = ConfigurationXmlElement; - /** A `` tag in an ASP.NET configuration file. */ class LocationXmlElement extends XmlElement { LocationXmlElement() { @@ -42,9 +36,6 @@ class LocationXmlElement extends XmlElement { } } -/** DEPRECATED: Alias for LocationXmlElement */ -deprecated class LocationXMLElement = LocationXmlElement; - /** A `` tag in an ASP.NET configuration file. */ class SystemWebXmlElement extends XmlElement { SystemWebXmlElement() { @@ -57,9 +48,6 @@ class SystemWebXmlElement extends XmlElement { } } -/** DEPRECATED: Alias for SystemWebXmlElement */ -deprecated class SystemWebXMLElement = SystemWebXmlElement; - /** A `` tag in an ASP.NET configuration file. */ class SystemWebServerXmlElement extends XmlElement { SystemWebServerXmlElement() { @@ -72,9 +60,6 @@ class SystemWebServerXmlElement extends XmlElement { } } -/** DEPRECATED: Alias for SystemWebServerXmlElement */ -deprecated class SystemWebServerXMLElement = SystemWebServerXmlElement; - /** A `` tag in an ASP.NET configuration file. */ class CustomErrorsXmlElement extends XmlElement { CustomErrorsXmlElement() { @@ -83,9 +68,6 @@ class CustomErrorsXmlElement extends XmlElement { } } -/** DEPRECATED: Alias for CustomErrorsXmlElement */ -deprecated class CustomErrorsXMLElement = CustomErrorsXmlElement; - /** A `` tag in an ASP.NET configuration file. */ class HttpRuntimeXmlElement extends XmlElement { HttpRuntimeXmlElement() { @@ -94,9 +76,6 @@ class HttpRuntimeXmlElement extends XmlElement { } } -/** DEPRECATED: Alias for HttpRuntimeXmlElement */ -deprecated class HttpRuntimeXMLElement = HttpRuntimeXmlElement; - /** A `` tag under `` in an ASP.NET configuration file. */ class FormsElement extends XmlElement { FormsElement() { diff --git a/csharp/ql/lib/semmle/code/cil/Types.qll b/csharp/ql/lib/semmle/code/cil/Types.qll index 0e41fe748f4..2cfc09daf99 100644 --- a/csharp/ql/lib/semmle/code/cil/Types.qll +++ b/csharp/ql/lib/semmle/code/cil/Types.qll @@ -60,11 +60,6 @@ class Class extends ValueOrRefType { Class() { this.isClass() } } -/** A `record`. */ -deprecated class Record extends Class { - Record() { this.isRecord() } -} - /** An `interface`. */ class Interface extends ValueOrRefType { Interface() { this.isInterface() } diff --git a/csharp/ql/lib/semmle/code/csharp/Type.qll b/csharp/ql/lib/semmle/code/csharp/Type.qll index 8bb92c8c86a..85fde20e07d 100644 --- a/csharp/ql/lib/semmle/code/csharp/Type.qll +++ b/csharp/ql/lib/semmle/code/csharp/Type.qll @@ -780,16 +780,6 @@ class Class extends RefType, @class_type { override string getAPrimaryQlClass() { result = "Class" } } -/** - * DEPRECATED: Use `RecordClass` instead. - */ -deprecated class Record extends Class { - Record() { this.isRecord() } - - /** Gets the clone method of this record. */ - RecordCloneMethod getCloneMethod() { result = this.getAMember() } -} - /** * A `record`, for example * diff --git a/csharp/ql/lib/semmle/code/csharp/commons/StructuralComparison.qll b/csharp/ql/lib/semmle/code/csharp/commons/StructuralComparison.qll index 21102edb755..ca009448c10 100644 --- a/csharp/ql/lib/semmle/code/csharp/commons/StructuralComparison.qll +++ b/csharp/ql/lib/semmle/code/csharp/commons/StructuralComparison.qll @@ -200,45 +200,3 @@ predicate sameGvn(ControlFlowElement x, ControlFlowElement y) { pragma[only_bind_into](toGvn(pragma[only_bind_out](x))) = pragma[only_bind_into](toGvn(pragma[only_bind_out](y))) } - -/** - * DEPRECATED: Use `sameGvn` instead. - * - * A configuration for performing structural comparisons of program elements - * (expressions and statements). - * - * The predicate `candidate()` must be overridden, in order to identify the - * elements for which to perform structural comparison. - * - * Each use of the library is identified by a unique string value. - */ -abstract deprecated class StructuralComparisonConfiguration extends string { - bindingset[this] - StructuralComparisonConfiguration() { any() } - - /** - * Holds if elements `x` and `y` are candidates for testing structural - * equality. - * - * Subclasses are expected to override this predicate to identify the - * top-level elements which they want to compare. Care should be - * taken to avoid identifying too many pairs of elements, as in general - * there are very many structurally equal subtrees in a program, and - * in order to keep the computation feasible we must focus attention. - * - * Note that this relation is not expected to be symmetric -- it's - * fine to include a pair `(x, y)` but not `(y, x)`. - * In fact, not including the symmetrically implied fact will save - * half the computation time on the structural comparison. - */ - abstract predicate candidate(ControlFlowElement x, ControlFlowElement y); - - /** - * Holds if elements `x` and `y` structurally equal. `x` and `y` must be - * flagged as candidates for structural equality, that is, - * `candidate(x, y)` must hold. - */ - predicate same(ControlFlowElement x, ControlFlowElement y) { - this.candidate(x, y) and sameGvn(x, y) - } -} diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll index ddf98ac0f2f..984c5ae2018 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll @@ -1135,8 +1135,8 @@ module Impl { DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow ); - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap); + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t); bindingset[typ, contentType] predicate typecheckStore(Typ typ, DataFlowType contentType); @@ -1199,17 +1199,21 @@ module Impl { NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa ) { - fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and - PrevStage::revFlow(node, state, apa) and - filter(node, state, t, ap) + fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa) } - pragma[inline] - additional predicate fwdFlow( + private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap + ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa ) { - fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _) + fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and + PrevStage::revFlow(node, state, apa) and + filter(node, state, t0, ap, t) + } + + pragma[nomagic] + private predicate typeStrengthen(Typ t0, Ap ap, Typ t) { + fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } pragma[assume_small_delta] @@ -1339,6 +1343,11 @@ module Impl { private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and cons = apCons(c, t1, tail) + or + exists(Typ t0 | + typeStrengthen(t0, cons, t2) and + fwdFlowConsCand(t0, cons, c, t1, tail) + ) } pragma[nomagic] @@ -1359,7 +1368,7 @@ module Impl { ParamNodeOption summaryCtx, TypOption argT, ApOption argAp ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and + fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and apc = getHeadContent(ap) and readStepCand0(node1, apc, c, node2) ) @@ -1520,14 +1529,14 @@ module Impl { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, _, _, ap) + fwdFlow(node, state, _, _, _, _, _, ap, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, _, _, ap) and + fwdFlow(node, state, _, _, _, _, _, ap, _) and sinkNode(node, state) and ( if hasSinkCallCtx() @@ -1780,13 +1789,13 @@ module Impl { boolean fwd, int nodes, int fields, int conscand, int states, int tuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _, _)) and conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap)) + ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _)) or fwd = false and nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and @@ -1963,10 +1972,10 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { PrevStage::revFlowState(state) and - exists(t) and + t0 = t and exists(ap) and not stateBarrier(node, state) and ( @@ -2197,8 +2206,8 @@ module Impl { import BooleanCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and exists(lcc) @@ -2218,10 +2227,16 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + // We can get away with not using type strengthening here, since we aren't + // going to use the tracked types in the construction of Stage 4 access + // paths. For Stage 4 and onwards, the tracked types must be consistent as + // the cons candidates including types are used to construct subsequent + // access path approximations. + t0 = t and + (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and ( notExpectsContent(node) or @@ -2241,6 +2256,16 @@ module Impl { import MkStage::Stage } + bindingset[node, t0] + private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) { + if castingNodeEx(node) + then + exists(DataFlowType nt | nt = node.getDataFlowType() | + if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0) + ) + else t = t0 + } + private module Stage4Param implements MkStage::StageParam { private module PrevStage = Stage3; @@ -2274,8 +2299,8 @@ module Impl { pragma[nomagic] predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2333,11 +2358,11 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and not clear(node, ap) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + strengthenType(node, t0, t) and ( notExpectsContent(node) or @@ -2365,7 +2390,7 @@ module Impl { exists(AccessPathFront apf | Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _, - apf) + apf, _) ) } @@ -2579,8 +2604,8 @@ module Impl { import LocalCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2609,9 +2634,9 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { + strengthenType(node, t0, t) and exists(state) and exists(ap) } @@ -2632,7 +2657,7 @@ module Impl { Stage5::parameterMayFlowThrough(p, _) and Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _, - TAccessPathApproxSome(apa), _, apa0) + TAccessPathApproxSome(apa), _, apa0, _) ) } @@ -2649,7 +2674,7 @@ module Impl { TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) { exists(AccessPathApprox apa | ap.getApprox() = apa | Stage5::parameterMayFlowThrough(p, apa) and - Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and + Stage5::fwdFlow(p, state, _, _, Option::some(t), _, _, apa, _) and Stage5::revFlow(p, state, _) ) } @@ -2820,9 +2845,7 @@ module Impl { ap = TAccessPathNil() or // ... or a step from an existing PathNode to another node. - pathStep(_, node, state, cc, sc, t, ap) and - Stage5::revFlow(node, state, ap.getApprox()) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) + pathStep(_, node, state, cc, sc, t, ap) } or TPathNodeSink(NodeEx node, FlowState state) { exists(PathNodeMid sink | @@ -3340,13 +3363,24 @@ module Impl { ap = mid.getAp() } + private predicate pathStep( + PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, + AccessPath ap + ) { + exists(DataFlowType t0 | + pathStep0(mid, node, state, cc, sc, t0, ap) and + Stage5::revFlow(node, state, ap.getApprox()) and + strengthenType(node, t0, t) + ) + } + /** * Holds if data may flow from `mid` to `node`. The last step in or out of * a callable is recorded by `cc`. */ pragma[assume_small_delta] pragma[nomagic] - private predicate pathStep( + private predicate pathStep0( PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap ) { @@ -3964,7 +3998,7 @@ module Impl { ap = TPartialNil() and exists(explorationLimit()) or - partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and distSrc(node.getEnclosingCallable()) <= explorationLimit() } or TPartialPathNodeRev( @@ -3990,11 +4024,20 @@ module Impl { } pragma[nomagic] - private predicate partialPathNodeMk0( - NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, - TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap + private predicate partialPathStep( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { - partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap) + } + + pragma[nomagic] + private predicate partialPathStep1( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t, + PartialAccessPath ap + ) { + partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and not fullBarrier(node) and not stateBarrier(node, state) and not clearsContentEx(node, ap.getHead()) and @@ -4002,9 +4045,14 @@ module Impl { notExpectsContent(node) or expectsContentEx(node, ap.getHead()) ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), t) - else any() + strengthenType(node, t0, t) + } + + pragma[nomagic] + private predicate partialPathTypeStrengthen( + DataFlowType t0, PartialAccessPath ap, DataFlowType t + ) { + partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t } /** @@ -4183,7 +4231,8 @@ module Impl { } } - private predicate partialPathStep( + pragma[nomagic] + private predicate partialPathStep0( PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { @@ -4309,6 +4358,11 @@ module Impl { DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2 ) { partialPathStoreStep(_, t1, ap1, c, _, t2, ap2) + or + exists(DataFlowType t0 | + partialPathTypeStrengthen(t0, ap2, t2) and + apConsFwd(t1, ap1, c, t0, ap2) + ) } pragma[nomagic] diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index d683e03dc2d..578c8fb8ed5 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1984,6 +1984,21 @@ private class DataFlowUnknownType extends DataFlowType { DataFlowUnknownType() { this = Gvn::getGlobalValueNumber(any(UnknownType ut)) } } +private predicate uselessTypebound(DataFlowType t) { + t instanceof DataFlowUnknownType or + t instanceof Gvn::TypeParameterGvnType +} + +pragma[nomagic] +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { + t1 != t2 and + t1 = getANonTypeParameterSubTypeRestricted(t2) + or + t1 instanceof RelevantDataFlowType and + not uselessTypebound(t1) and + uselessTypebound(t2) +} + /** * Holds if `t1` and `t2` are compatible, that is, whether data can flow from * a node of type `t1` to a node of type `t2`. diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll index b22712087f2..b3599e3404e 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll @@ -106,16 +106,6 @@ class ParameterNode extends Node instanceof ParameterNodeImpl { result = c.asCallable().getParameter(ppos.getPosition()) ) } - - /** - * DEPRECATED - * - * Holds if this node is the parameter of callable `c` at the specified - * (zero-based) position. - */ - deprecated predicate isParameterOf(DataFlowCallable c, int i) { - super.isParameterOf(c, any(ParameterPosition pos | i = pos.getPosition())) - } } /** A definition, viewed as a node in a data flow graph. */ diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll index 235897f0742..975dae84fcb 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll @@ -14,9 +14,6 @@ private import semmle.code.csharp.dataflow.FlowSummary */ abstract class SafeExternalApiCallable extends Callable { } -/** DEPRECATED: Alias for SafeExternalApiCallable */ -deprecated class SafeExternalAPICallable = SafeExternalApiCallable; - private class SummarizedCallableSafe extends SafeExternalApiCallable instanceof SummarizedCallable { } @@ -87,9 +84,6 @@ class ExternalApiDataNode extends DataFlow::Node { } } -/** DEPRECATED: Alias for ExternalApiDataNode */ -deprecated class ExternalAPIDataNode = ExternalApiDataNode; - /** * DEPRECATED: Use `RemoteSourceToExternalApi` instead. * @@ -113,9 +107,6 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig { /** A module for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */ module RemoteSourceToExternalApi = TaintTracking::Global; -/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */ -deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig; - /** A node representing untrusted data being passed to an external API. */ class UntrustedExternalApiDataNode extends ExternalApiDataNode { UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) } @@ -124,9 +115,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode { DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) } } -/** DEPRECATED: Alias for UntrustedExternalApiDataNode */ -deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode; - /** An external API which is used with untrusted data. */ private newtype TExternalApi = /** An untrusted API method `m` where untrusted data is passed at `index`. */ @@ -161,6 +149,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi { ) } } - -/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */ -deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData; diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll index 9171bae41b4..3f9c5947b68 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll @@ -149,9 +149,6 @@ class LdapEncodeSanitizer extends Sanitizer { } } -/** DEPRECATED: Alias for LdapEncodeSanitizer */ -deprecated class LDAPEncodeSanitizer = LdapEncodeSanitizer; - private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { } private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { } diff --git a/csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql b/csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql index e9f9b6cb8c6..3aec796daf7 100644 --- a/csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql +++ b/csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql @@ -78,4 +78,4 @@ where exposesByStore(c, f, why, whyText) select c, "'" + c.getName() + "' exposes the internal representation stored in field '" + f.getName() + - "'. The value may be modified $@.", why.getLocation(), whyText + "'. The value may be modified $@.", why, whyText diff --git a/csharp/ql/src/Complexity/ComplexCondition.ql b/csharp/ql/src/Complexity/ComplexCondition.ql index 2ebbaa8a362..2813db1cda5 100644 --- a/csharp/ql/src/Complexity/ComplexCondition.ql +++ b/csharp/ql/src/Complexity/ComplexCondition.ql @@ -26,4 +26,4 @@ where operators = count(BinaryLogicalOperation op | logicalParent*(op, e) and nontrivialLogicalOperator(op)) and operators > 3 -select e.getLocation(), "Complex condition: too many logical operations in this expression." +select e, "Complex condition: too many logical operations in this expression." diff --git a/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll b/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll index 169de03c2dc..bb3eb683653 100644 --- a/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll +++ b/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll @@ -73,9 +73,6 @@ module UnaliasedSsaInstructions { } } -/** DEPRECATED: Alias for UnaliasedSsaInstructions */ -deprecated module UnaliasedSSAInstructions = UnaliasedSsaInstructions; - /** * Provides wrappers for the constructors of each branch of `TInstruction` that is used by the * aliased SSA stage. @@ -107,6 +104,3 @@ module AliasedSsaInstructions { result = TAliasedSsaUnreachedInstruction(irFunc) } } - -/** DEPRECATED: Alias for AliasedSsaInstructions */ -deprecated module AliasedSSAInstructions = AliasedSsaInstructions; diff --git a/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll b/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll index 6327c603901..cf8a6a9b7b1 100644 --- a/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll +++ b/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll @@ -59,20 +59,12 @@ private module Shared { class TNonSsaMemoryOperand = Internal::TNonSsaMemoryOperand; - /** DEPRECATED: Alias for TNonSsaMemoryOperand */ - deprecated class TNonSSAMemoryOperand = TNonSsaMemoryOperand; - /** * Returns the non-Phi memory operand with the specified parameters. */ TNonSsaMemoryOperand nonSsaMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) { result = Internal::TNonSsaMemoryOperand(useInstr, tag) } - - /** DEPRECATED: Alias for nonSsaMemoryOperand */ - deprecated TNonSSAMemoryOperand nonSSAMemoryOperand(TRawInstruction useInstr, MemoryOperandTag tag) { - result = nonSsaMemoryOperand(useInstr, tag) - } } /** @@ -156,6 +148,3 @@ module UnaliasedSsaOperands { */ TChiOperand chiOperand(Unaliased::Instruction useInstr, ChiOperandTag tag) { none() } } - -/** DEPRECATED: Alias for UnaliasedSsaOperands */ -deprecated module UnaliasedSSAOperands = UnaliasedSsaOperands; diff --git a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll index 0aa7c552638..1b5ea432946 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll @@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction { */ final Language::AST getAst() { result = Construction::getInstructionAst(this) } - /** DEPRECATED: Alias for getAst */ - deprecated Language::AST getAST() { result = this.getAst() } - /** * Gets the location of the source code for this instruction. */ @@ -463,9 +460,6 @@ class VariableInstruction extends Instruction { * Gets the AST variable that this instruction's IR variable refers to, if one exists. */ final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() } - - /** DEPRECATED: Alias for getAstVariable */ - deprecated Language::Variable getASTVariable() { result = this.getAstVariable() } } /** diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll index c75c279226d..8297fedb28e 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll @@ -378,12 +378,6 @@ private module Cached { result = getInstructionTranslatedElement(instruction).getAst() } - /** DEPRECATED: Alias for getInstructionAst */ - cached - deprecated Language::AST getInstructionAST(Instruction instruction) { - result = getInstructionAst(instruction) - } - cached CSharpType getInstructionResultType(Instruction instruction) { getInstructionTranslatedElement(instruction) diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedCondition.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedCondition.qll index 43db3c90065..afe98fdb410 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedCondition.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedCondition.qll @@ -17,9 +17,6 @@ abstract class TranslatedCondition extends ConditionBase { final override Language::AST getAst() { result = expr } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - final Expr getExpr() { result = expr } final override Callable getFunction() { result = expr.getEnclosingCallable() } diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedDeclaration.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedDeclaration.qll index 20d2b1e3459..23242c75c74 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedDeclaration.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedDeclaration.qll @@ -30,9 +30,6 @@ abstract class TranslatedLocalDeclaration extends TranslatedElement, TTranslated final override string toString() { result = expr.toString() } final override Language::AST getAst() { result = expr } - - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } } /** diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll index 4c5ab431dd5..c314d79e3ea 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll @@ -366,9 +366,6 @@ abstract class TranslatedElement extends TTranslatedElement { */ abstract Language::AST getAst(); - /** DEPRECATED: Alias for getAst */ - deprecated Language::AST getAST() { result = this.getAst() } - /** * Get the first instruction to be executed in the evaluation of this element. */ diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedExpr.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedExpr.qll index 67ebf19b766..68070261227 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedExpr.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedExpr.qll @@ -63,9 +63,6 @@ abstract class TranslatedExpr extends TranslatedExprBase { final override Language::AST getAst() { result = expr } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - final override Callable getFunction() { result = expr.getEnclosingCallable() } /** diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedFunction.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedFunction.qll index 24f340a8718..f0970984d46 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedFunction.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedFunction.qll @@ -30,9 +30,6 @@ class TranslatedFunction extends TranslatedElement, TTranslatedFunction { final override Language::AST getAst() { result = callable } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - /** * Gets the function being translated. */ @@ -287,9 +284,6 @@ class TranslatedParameter extends TranslatedElement, TTranslatedParameter { final override Language::AST getAst() { result = param } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - final override Callable getFunction() { result = param.getCallable() } final override Instruction getFirstInstruction() { diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedInitialization.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedInitialization.qll index bc127680ca4..c7cb9232d55 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedInitialization.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedInitialization.qll @@ -52,9 +52,6 @@ abstract class TranslatedInitialization extends TranslatedElement, TTranslatedIn final override Language::AST getAst() { result = expr } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - /** * Gets the expression that is doing the initialization. */ @@ -210,9 +207,6 @@ abstract class TranslatedElementInitialization extends TranslatedElement { final override Language::AST getAst() { result = initList } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - final override Callable getFunction() { result = initList.getEnclosingCallable() } final override Instruction getFirstInstruction() { @@ -319,9 +313,6 @@ abstract class TranslatedConstructorCallFromConstructor extends TranslatedElemen final override Language::AST getAst() { result = call } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - final override TranslatedElement getChild(int id) { id = 0 and result = this.getConstructorCall() } diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedStmt.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedStmt.qll index 1afc48d0409..71d8c42e170 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedStmt.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedStmt.qll @@ -26,9 +26,6 @@ abstract class TranslatedStmt extends TranslatedElement, TTranslatedStmt { final override Language::AST getAst() { result = stmt } - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } - final override Callable getFunction() { result = stmt.getEnclosingCallable() } } diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedElement.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedElement.qll index 30440235443..2e5908b8194 100644 --- a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedElement.qll +++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/internal/TranslatedCompilerGeneratedElement.qll @@ -20,7 +20,4 @@ abstract class TranslatedCompilerGeneratedElement extends TranslatedElement, final override Callable getFunction() { result = generatedBy.getEnclosingCallable() } final override Language::AST getAst() { result = generatedBy } - - /** DEPRECATED: Alias for getAst */ - deprecated override Language::AST getAST() { result = this.getAst() } } diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll index 0aa7c552638..1b5ea432946 100644 --- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll +++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll @@ -210,9 +210,6 @@ class Instruction extends Construction::TStageInstruction { */ final Language::AST getAst() { result = Construction::getInstructionAst(this) } - /** DEPRECATED: Alias for getAst */ - deprecated Language::AST getAST() { result = this.getAst() } - /** * Gets the location of the source code for this instruction. */ @@ -463,9 +460,6 @@ class VariableInstruction extends Instruction { * Gets the AST variable that this instruction's IR variable refers to, if one exists. */ final Language::Variable getAstVariable() { result = var.(IRUserVariable).getVariable() } - - /** DEPRECATED: Alias for getAstVariable */ - deprecated Language::Variable getASTVariable() { result = this.getAstVariable() } } /** diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll index dc785f3e0b1..63dc4142a13 100644 --- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll +++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll @@ -422,12 +422,6 @@ private module Cached { ) } - /** DEPRECATED: Alias for getInstructionAst */ - cached - deprecated Language::AST getInstructionAST(Instruction instr) { - result = getInstructionAst(instr) - } - cached Language::LanguageType getInstructionResultType(Instruction instr) { result = instr.(RawIR::Instruction).getResultLanguageType() @@ -993,9 +987,6 @@ predicate canReuseSsaForMemoryResult(Instruction instruction) { // We don't support reusing SSA for any location that could create a `Chi` instruction. } -/** DEPRECATED: Alias for canReuseSsaForMemoryResult */ -deprecated predicate canReuseSSAForMemoryResult = canReuseSsaForMemoryResult/1; - /** * Expose some of the internal predicates to PrintSSA.qll. We do this by publicly importing those modules in the * `DebugSsa` module, which is then imported by PrintSSA. @@ -1005,9 +996,6 @@ module DebugSsa { import DefUse } -/** DEPRECATED: Alias for DebugSsa */ -deprecated module DebugSSA = DebugSsa; - import CachedForDebugging cached diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll index f5b0b3af930..5c33ecf5f99 100644 --- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll +++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll @@ -46,9 +46,6 @@ predicate canReuseSsaForVariable(IRAutomaticVariable var) { not allocationEscapes(var) } -/** DEPRECATED: Alias for canReuseSsaForVariable */ -deprecated predicate canReuseSSAForVariable = canReuseSsaForVariable/1; - private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) } private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var } @@ -80,9 +77,6 @@ class MemoryLocation extends TMemoryLocation { predicate canReuseSsaForOldResult(Instruction instr) { none() } -/** DEPRECATED: Alias for canReuseSsaForOldResult */ -deprecated predicate canReuseSSAForOldResult = canReuseSsaForOldResult/1; - /** * Represents a set of `MemoryLocation`s that cannot overlap with * `MemoryLocation`s outside of the set. The `VirtualVariable` will be diff --git a/csharp/ql/test/TestUtilities/InlineFlowTest.qll b/csharp/ql/test/TestUtilities/InlineFlowTest.qll index f69b81caf64..a31d531e1b6 100644 --- a/csharp/ql/test/TestUtilities/InlineFlowTest.qll +++ b/csharp/ql/test/TestUtilities/InlineFlowTest.qll @@ -13,7 +13,7 @@ * * ``` * - * To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files. + * To declare expectations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files. * Example of the corresponding test file, e.g. Test.cs * ```csharp * public class Test diff --git a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected index d5bbeef765a..1aabed1e806 100644 --- a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected +++ b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected @@ -214,8 +214,8 @@ edges | CollectionFlow.cs:385:58:385:61 | dict : Dictionary [element, property Value] : A | CollectionFlow.cs:385:67:385:70 | access to parameter dict : Dictionary [element, property Value] : A | | CollectionFlow.cs:385:67:385:70 | access to parameter dict : Dictionary [element, property Value] : A | CollectionFlow.cs:385:67:385:73 | access to indexer : A | | CollectionFlow.cs:387:59:387:62 | dict : Dictionary [element, property Value] : A | CollectionFlow.cs:387:68:387:71 | access to parameter dict : Dictionary [element, property Value] : A | -| CollectionFlow.cs:387:68:387:71 | access to parameter dict : Dictionary [element, property Value] : A | CollectionFlow.cs:387:68:387:79 | call to method First> : Object [property Value] : A | -| CollectionFlow.cs:387:68:387:79 | call to method First> : Object [property Value] : A | CollectionFlow.cs:387:68:387:85 | access to property Value : A | +| CollectionFlow.cs:387:68:387:71 | access to parameter dict : Dictionary [element, property Value] : A | CollectionFlow.cs:387:68:387:79 | call to method First> : KeyValuePair [property Value] : A | +| CollectionFlow.cs:387:68:387:79 | call to method First> : KeyValuePair [property Value] : A | CollectionFlow.cs:387:68:387:85 | access to property Value : A | | CollectionFlow.cs:389:60:389:63 | dict : Dictionary [element, property Value] : A | CollectionFlow.cs:389:69:389:72 | access to parameter dict : Dictionary [element, property Value] : A | | CollectionFlow.cs:389:69:389:72 | access to parameter dict : Dictionary [element, property Value] : A | CollectionFlow.cs:389:69:389:79 | access to property Values : ICollection [element] : A | | CollectionFlow.cs:389:69:389:79 | access to property Values : ICollection [element] : A | CollectionFlow.cs:389:69:389:87 | call to method First : A | @@ -223,8 +223,8 @@ edges | CollectionFlow.cs:391:67:391:70 | access to parameter dict : Dictionary [element, property Key] : A | CollectionFlow.cs:391:67:391:75 | access to property Keys : ICollection [element] : A | | CollectionFlow.cs:391:67:391:75 | access to property Keys : ICollection [element] : A | CollectionFlow.cs:391:67:391:83 | call to method First : A | | CollectionFlow.cs:393:57:393:60 | dict : Dictionary [element, property Key] : A | CollectionFlow.cs:393:66:393:69 | access to parameter dict : Dictionary [element, property Key] : A | -| CollectionFlow.cs:393:66:393:69 | access to parameter dict : Dictionary [element, property Key] : A | CollectionFlow.cs:393:66:393:77 | call to method First> : Object [property Key] : A | -| CollectionFlow.cs:393:66:393:77 | call to method First> : Object [property Key] : A | CollectionFlow.cs:393:66:393:81 | access to property Key : A | +| CollectionFlow.cs:393:66:393:69 | access to parameter dict : Dictionary [element, property Key] : A | CollectionFlow.cs:393:66:393:77 | call to method First> : KeyValuePair [property Key] : A | +| CollectionFlow.cs:393:66:393:77 | call to method First> : KeyValuePair [property Key] : A | CollectionFlow.cs:393:66:393:81 | access to property Key : A | | CollectionFlow.cs:395:49:395:52 | args : A[] [element] : A | CollectionFlow.cs:395:63:395:66 | access to parameter args : A[] [element] : A | | CollectionFlow.cs:395:49:395:52 | args : null [element] : A | CollectionFlow.cs:395:63:395:66 | access to parameter args : null [element] : A | | CollectionFlow.cs:395:63:395:66 | access to parameter args : A[] [element] : A | CollectionFlow.cs:395:63:395:69 | access to array element | @@ -440,7 +440,7 @@ nodes | CollectionFlow.cs:385:67:385:73 | access to indexer : A | semmle.label | access to indexer : A | | CollectionFlow.cs:387:59:387:62 | dict : Dictionary [element, property Value] : A | semmle.label | dict : Dictionary [element, property Value] : A | | CollectionFlow.cs:387:68:387:71 | access to parameter dict : Dictionary [element, property Value] : A | semmle.label | access to parameter dict : Dictionary [element, property Value] : A | -| CollectionFlow.cs:387:68:387:79 | call to method First> : Object [property Value] : A | semmle.label | call to method First> : Object [property Value] : A | +| CollectionFlow.cs:387:68:387:79 | call to method First> : KeyValuePair [property Value] : A | semmle.label | call to method First> : KeyValuePair [property Value] : A | | CollectionFlow.cs:387:68:387:85 | access to property Value : A | semmle.label | access to property Value : A | | CollectionFlow.cs:389:60:389:63 | dict : Dictionary [element, property Value] : A | semmle.label | dict : Dictionary [element, property Value] : A | | CollectionFlow.cs:389:69:389:72 | access to parameter dict : Dictionary [element, property Value] : A | semmle.label | access to parameter dict : Dictionary [element, property Value] : A | @@ -452,7 +452,7 @@ nodes | CollectionFlow.cs:391:67:391:83 | call to method First : A | semmle.label | call to method First : A | | CollectionFlow.cs:393:57:393:60 | dict : Dictionary [element, property Key] : A | semmle.label | dict : Dictionary [element, property Key] : A | | CollectionFlow.cs:393:66:393:69 | access to parameter dict : Dictionary [element, property Key] : A | semmle.label | access to parameter dict : Dictionary [element, property Key] : A | -| CollectionFlow.cs:393:66:393:77 | call to method First> : Object [property Key] : A | semmle.label | call to method First> : Object [property Key] : A | +| CollectionFlow.cs:393:66:393:77 | call to method First> : KeyValuePair [property Key] : A | semmle.label | call to method First> : KeyValuePair [property Key] : A | | CollectionFlow.cs:393:66:393:81 | access to property Key : A | semmle.label | access to property Key : A | | CollectionFlow.cs:395:49:395:52 | args : A[] [element] : A | semmle.label | args : A[] [element] : A | | CollectionFlow.cs:395:49:395:52 | args : null [element] : A | semmle.label | args : null [element] : A | diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs index 05772dfb29a..7a0e896e54d 100644 --- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs +++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs @@ -149,9 +149,9 @@ namespace My.Qltest static T Apply(Func f, S s) => throw null; - static S[] Map(S[] elements, Func f) => throw null; + static T[] Map(S[] elements, Func f) => throw null; - static void Apply2(Action f, S s1, S s2) => throw null; + static void Apply2(Action f, D d1, D d2) => throw null; static void Parse(string s, out int i) => throw null; @@ -235,4 +235,4 @@ namespace My.Qltest static void Sink(object o) { } } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected index 09ce9945cdf..c69a86a5cb3 100644 --- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected +++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected @@ -12,10 +12,10 @@ edges | ExternalFlow.cs:30:13:30:16 | [post] this access : D [field Field] : Object | ExternalFlow.cs:31:18:31:21 | this access : D [field Field] : Object | | ExternalFlow.cs:30:26:30:37 | object creation of type Object : Object | ExternalFlow.cs:30:13:30:16 | [post] this access : D [field Field] : Object | | ExternalFlow.cs:31:18:31:21 | this access : D [field Field] : Object | ExternalFlow.cs:31:18:31:39 | call to method StepFieldGetter | -| ExternalFlow.cs:36:19:36:62 | (...) ... : Object [field Field] : Object | ExternalFlow.cs:36:18:36:69 | access to field Field | +| ExternalFlow.cs:36:19:36:62 | (...) ... : D [field Field] : Object | ExternalFlow.cs:36:18:36:69 | access to field Field | | ExternalFlow.cs:36:22:36:25 | [post] this access : D [field Field] : Object | ExternalFlow.cs:37:18:37:21 | this access : D [field Field] : Object | | ExternalFlow.cs:36:22:36:55 | call to method StepFieldSetter : D [field Field2, field Field] : Object | ExternalFlow.cs:36:22:36:62 | access to field Field2 : Object [field Field] : Object | -| ExternalFlow.cs:36:22:36:62 | access to field Field2 : Object [field Field] : Object | ExternalFlow.cs:36:19:36:62 | (...) ... : Object [field Field] : Object | +| ExternalFlow.cs:36:22:36:62 | access to field Field2 : Object [field Field] : Object | ExternalFlow.cs:36:19:36:62 | (...) ... : D [field Field] : Object | | ExternalFlow.cs:36:43:36:54 | object creation of type Object : Object | ExternalFlow.cs:36:22:36:25 | [post] this access : D [field Field] : Object | | ExternalFlow.cs:36:43:36:54 | object creation of type Object : Object | ExternalFlow.cs:36:22:36:55 | call to method StepFieldSetter : D [field Field2, field Field] : Object | | ExternalFlow.cs:37:18:37:21 | this access : D [field Field] : Object | ExternalFlow.cs:37:18:37:27 | access to field Field | @@ -38,8 +38,7 @@ edges | ExternalFlow.cs:72:23:72:23 | o : Object | ExternalFlow.cs:72:35:72:35 | access to parameter o | | ExternalFlow.cs:77:24:77:58 | call to method Map : T[] [element] : Object | ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:77:24:77:58 | call to method Map : T[] [element] : Object | -| ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | ExternalFlow.cs:78:18:78:24 | access to array element : Object | -| ExternalFlow.cs:78:18:78:24 | access to array element : Object | ExternalFlow.cs:78:18:78:24 | (...) ... | +| ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | ExternalFlow.cs:78:18:78:24 | access to array element | | ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | | ExternalFlow.cs:83:32:83:43 | object creation of type Object : Object | ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | | ExternalFlow.cs:84:25:84:41 | call to method Map : T[] [element] : Object | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | @@ -91,7 +90,7 @@ nodes | ExternalFlow.cs:31:18:31:21 | this access : D [field Field] : Object | semmle.label | this access : D [field Field] : Object | | ExternalFlow.cs:31:18:31:39 | call to method StepFieldGetter | semmle.label | call to method StepFieldGetter | | ExternalFlow.cs:36:18:36:69 | access to field Field | semmle.label | access to field Field | -| ExternalFlow.cs:36:19:36:62 | (...) ... : Object [field Field] : Object | semmle.label | (...) ... : Object [field Field] : Object | +| ExternalFlow.cs:36:19:36:62 | (...) ... : D [field Field] : Object | semmle.label | (...) ... : D [field Field] : Object | | ExternalFlow.cs:36:22:36:25 | [post] this access : D [field Field] : Object | semmle.label | [post] this access : D [field Field] : Object | | ExternalFlow.cs:36:22:36:55 | call to method StepFieldSetter : D [field Field2, field Field] : Object | semmle.label | call to method StepFieldSetter : D [field Field2, field Field] : Object | | ExternalFlow.cs:36:22:36:62 | access to field Field2 : Object [field Field] : Object | semmle.label | access to field Field2 : Object [field Field] : Object | @@ -124,8 +123,7 @@ nodes | ExternalFlow.cs:77:24:77:58 | call to method Map : T[] [element] : Object | semmle.label | call to method Map : T[] [element] : Object | | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | semmle.label | object creation of type Object : Object | | ExternalFlow.cs:78:18:78:21 | access to local variable objs : T[] [element] : Object | semmle.label | access to local variable objs : T[] [element] : Object | -| ExternalFlow.cs:78:18:78:24 | (...) ... | semmle.label | (...) ... | -| ExternalFlow.cs:78:18:78:24 | access to array element : Object | semmle.label | access to array element : Object | +| ExternalFlow.cs:78:18:78:24 | access to array element | semmle.label | access to array element | | ExternalFlow.cs:83:30:83:45 | { ..., ... } : null [element] : Object | semmle.label | { ..., ... } : null [element] : Object | | ExternalFlow.cs:83:32:83:43 | object creation of type Object : Object | semmle.label | object creation of type Object : Object | | ExternalFlow.cs:84:25:84:41 | call to method Map : T[] [element] : Object | semmle.label | call to method Map : T[] [element] : Object | @@ -184,7 +182,7 @@ subpaths | ExternalFlow.cs:60:47:60:47 | access to parameter o | ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | ExternalFlow.cs:60:47:60:47 | access to parameter o | $@ | ExternalFlow.cs:60:64:60:75 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:66:18:66:18 | access to local variable o | ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | ExternalFlow.cs:66:18:66:18 | access to local variable o | $@ | ExternalFlow.cs:65:45:65:56 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:72:35:72:35 | access to parameter o | ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | ExternalFlow.cs:72:35:72:35 | access to parameter o | $@ | ExternalFlow.cs:71:32:71:43 | object creation of type Object : Object | object creation of type Object : Object | -| ExternalFlow.cs:78:18:78:24 | (...) ... | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:78:18:78:24 | (...) ... | $@ | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | object creation of type Object : Object | +| ExternalFlow.cs:78:18:78:24 | access to array element | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | ExternalFlow.cs:78:18:78:24 | access to array element | $@ | ExternalFlow.cs:77:46:77:57 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:85:18:85:25 | access to array element | ExternalFlow.cs:83:32:83:43 | object creation of type Object : Object | ExternalFlow.cs:85:18:85:25 | access to array element | $@ | ExternalFlow.cs:83:32:83:43 | object creation of type Object : Object | object creation of type Object : Object | | ExternalFlow.cs:92:18:92:18 | (...) ... | ExternalFlow.cs:90:21:90:34 | object creation of type String : String | ExternalFlow.cs:92:18:92:18 | (...) ... | $@ | ExternalFlow.cs:90:21:90:34 | object creation of type String : String | object creation of type String : String | | ExternalFlow.cs:102:22:102:22 | access to parameter d | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object | diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ext.yml b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ext.yml index f626949e6f4..a2bf0d8b525 100644 --- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ext.yml +++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ext.yml @@ -16,8 +16,8 @@ extensions: - ["My.Qltest", "D", false, "StepElementSetter", "(System.Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"] - ["My.Qltest", "D", false, "Apply<,>", "(System.Func,S)", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"] - ["My.Qltest", "D", false, "Apply<,>", "(System.Func,S)", "", "Argument[0].ReturnValue", "ReturnValue", "value", "manual"] - - ["My.Qltest", "D", false, "Apply2<>", "(System.Action,S,S)", "", "Argument[1].Field[My.Qltest.D.Field]", "Argument[0].Parameter[0]", "value", "manual"] - - ["My.Qltest", "D", false, "Apply2<>", "(System.Action,S,S)", "", "Argument[2].Field[My.Qltest.D.Field2]", "Argument[0].Parameter[0]", "value", "manual"] + - ["My.Qltest", "D", false, "Apply2", "(System.Action,My.Qltest.D,My.Qltest.D)", "", "Argument[1].Field[My.Qltest.D.Field]", "Argument[0].Parameter[0]", "value", "manual"] + - ["My.Qltest", "D", false, "Apply2", "(System.Action,My.Qltest.D,My.Qltest.D)", "", "Argument[2].Field[My.Qltest.D.Field2]", "Argument[0].Parameter[0]", "value", "manual"] - ["My.Qltest", "D", false, "Map<,>", "(S[],System.Func)", "", "Argument[0].Element", "Argument[1].Parameter[0]", "value", "manual"] - ["My.Qltest", "D", false, "Map<,>", "(S[],System.Func)", "", "Argument[1].ReturnValue", "ReturnValue.Element", "value", "manual"] - ["My.Qltest", "D", false, "Parse", "(System.String,System.Int32)", "", "Argument[0]", "Argument[1]", "taint", "manual"] diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected index bce1914e42b..767e66301ce 100644 --- a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected +++ b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected @@ -267,7 +267,7 @@ edges | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String | -| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SimpleClass [field field] : String | +| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String | @@ -286,8 +286,8 @@ edges | GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:515:15:515:22 | access to field field | | GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:22 | access to field field | | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:22 | access to field field | -| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SimpleClass [field field] : String | -| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | +| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | +| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String | | GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | @@ -579,8 +579,8 @@ nodes | GlobalDataFlow.cs:516:15:516:22 | access to field field | semmle.label | access to field field | | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | semmle.label | access to local variable y3 : SimpleClass [field field] : String | | GlobalDataFlow.cs:517:15:517:22 | access to field field | semmle.label | access to field field | -| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String | -| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String | +| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | semmle.label | [post] access to local variable x : SubSimpleClass [field field] : String | +| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | semmle.label | access to local variable x : SubSimpleClass [field field] : String | | GlobalDataFlow.cs:526:15:526:21 | access to field field | semmle.label | access to field field | | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | semmle.label | [post] access to parameter x : SimpleClass [field field] : String | | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String | diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected index 5dae90d82a6..dec8a134712 100644 --- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected +++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected @@ -293,7 +293,7 @@ edges | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String | -| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SimpleClass [field field] : String | +| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String | @@ -312,8 +312,8 @@ edges | GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:515:15:515:22 | access to field field | | GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:22 | access to field field | | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:22 | access to field field | -| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SimpleClass [field field] : String | -| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | +| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | +| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String | | GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | @@ -633,8 +633,8 @@ nodes | GlobalDataFlow.cs:516:15:516:22 | access to field field | semmle.label | access to field field | | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | semmle.label | access to local variable y3 : SimpleClass [field field] : String | | GlobalDataFlow.cs:517:15:517:22 | access to field field | semmle.label | access to field field | -| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String | -| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String | +| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | semmle.label | [post] access to local variable x : SubSimpleClass [field field] : String | +| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | semmle.label | access to local variable x : SubSimpleClass [field field] : String | | GlobalDataFlow.cs:526:15:526:21 | access to field field | semmle.label | access to field field | | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | semmle.label | [post] access to parameter x : SimpleClass [field field] : String | | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String | diff --git a/csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected b/csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected index 811f1a04d8b..a9d4895fb46 100644 --- a/csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected +++ b/csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected @@ -74,14 +74,14 @@ edges | EntityFramework.cs:196:13:196:23 | [post] access to property Persons : DbSet [element, property Name] : String | EntityFramework.cs:196:13:196:15 | [post] access to local variable ctx : MyContext [property Persons, element, property Name] : String | | EntityFramework.cs:196:29:196:29 | access to parameter p : Person [property Name] : String | EntityFramework.cs:196:13:196:23 | [post] access to property Persons : DbSet [element, property Name] : String | | EntityFramework.cs:197:13:197:15 | access to local variable ctx : MyContext [property Persons, element, property Name] : String | EntityFramework.cs:204:18:204:28 | access to property Persons : DbSet [element, property Name] : String | -| EntityFramework.cs:204:18:204:28 | access to property Persons : DbSet [element, property Name] : String | EntityFramework.cs:204:18:204:36 | call to method First : Object [property Name] : String | -| EntityFramework.cs:204:18:204:36 | call to method First : Object [property Name] : String | EntityFramework.cs:204:18:204:41 | access to property Name | -| EntityFramework.cs:212:18:212:30 | access to property Addresses : DbSet
    [element, property Street] : String | EntityFramework.cs:212:18:212:38 | call to method First
    : Object [property Street] : String | -| EntityFramework.cs:212:18:212:38 | call to method First
    : Object [property Street] : String | EntityFramework.cs:212:18:212:45 | access to property Street | -| EntityFramework.cs:219:18:219:28 | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:36 | call to method First : Object [property Addresses, element, property Street] : String | -| EntityFramework.cs:219:18:219:36 | call to method First : Object [property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:46 | access to property Addresses : ICollection
    [element, property Street] : String | -| EntityFramework.cs:219:18:219:46 | access to property Addresses : ICollection
    [element, property Street] : String | EntityFramework.cs:219:18:219:54 | call to method First
    : Object [property Street] : String | -| EntityFramework.cs:219:18:219:54 | call to method First
    : Object [property Street] : String | EntityFramework.cs:219:18:219:61 | access to property Street | +| EntityFramework.cs:204:18:204:28 | access to property Persons : DbSet [element, property Name] : String | EntityFramework.cs:204:18:204:36 | call to method First : Person [property Name] : String | +| EntityFramework.cs:204:18:204:36 | call to method First : Person [property Name] : String | EntityFramework.cs:204:18:204:41 | access to property Name | +| EntityFramework.cs:212:18:212:30 | access to property Addresses : DbSet
    [element, property Street] : String | EntityFramework.cs:212:18:212:38 | call to method First
    : Address [property Street] : String | +| EntityFramework.cs:212:18:212:38 | call to method First
    : Address [property Street] : String | EntityFramework.cs:212:18:212:45 | access to property Street | +| EntityFramework.cs:219:18:219:28 | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:36 | call to method First : Person [property Addresses, element, property Street] : String | +| EntityFramework.cs:219:18:219:36 | call to method First : Person [property Addresses, element, property Street] : String | EntityFramework.cs:219:18:219:46 | access to property Addresses : ICollection
    [element, property Street] : String | +| EntityFramework.cs:219:18:219:46 | access to property Addresses : ICollection
    [element, property Street] : String | EntityFramework.cs:219:18:219:54 | call to method First
    : Address [property Street] : String | +| EntityFramework.cs:219:18:219:54 | call to method First
    : Address [property Street] : String | EntityFramework.cs:219:18:219:61 | access to property Street | | EntityFrameworkCore.cs:82:31:82:39 | "tainted" : String | EntityFrameworkCore.cs:83:18:83:28 | access to local variable taintSource | | EntityFrameworkCore.cs:82:31:82:39 | "tainted" : String | EntityFrameworkCore.cs:84:35:84:45 | access to local variable taintSource : String | | EntityFrameworkCore.cs:82:31:82:39 | "tainted" : String | EntityFrameworkCore.cs:85:18:85:42 | (...) ... | @@ -165,14 +165,14 @@ edges | EntityFrameworkCore.cs:229:13:229:23 | [post] access to property Persons : DbSet [element, property Name] : String | EntityFrameworkCore.cs:229:13:229:15 | [post] access to local variable ctx : MyContext [property Persons, element, property Name] : String | | EntityFrameworkCore.cs:229:29:229:29 | access to parameter p : Person [property Name] : String | EntityFrameworkCore.cs:229:13:229:23 | [post] access to property Persons : DbSet [element, property Name] : String | | EntityFrameworkCore.cs:230:13:230:15 | access to local variable ctx : MyContext [property Persons, element, property Name] : String | EntityFrameworkCore.cs:237:18:237:28 | access to property Persons : DbSet [element, property Name] : String | -| EntityFrameworkCore.cs:237:18:237:28 | access to property Persons : DbSet [element, property Name] : String | EntityFrameworkCore.cs:237:18:237:36 | call to method First : Object [property Name] : String | -| EntityFrameworkCore.cs:237:18:237:36 | call to method First : Object [property Name] : String | EntityFrameworkCore.cs:237:18:237:41 | access to property Name | -| EntityFrameworkCore.cs:245:18:245:30 | access to property Addresses : DbSet
    [element, property Street] : String | EntityFrameworkCore.cs:245:18:245:38 | call to method First
    : Object [property Street] : String | -| EntityFrameworkCore.cs:245:18:245:38 | call to method First
    : Object [property Street] : String | EntityFrameworkCore.cs:245:18:245:45 | access to property Street | -| EntityFrameworkCore.cs:252:18:252:28 | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:252:18:252:36 | call to method First : Object [property Addresses, element, property Street] : String | -| EntityFrameworkCore.cs:252:18:252:36 | call to method First : Object [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:252:18:252:46 | access to property Addresses : ICollection
    [element, property Street] : String | -| EntityFrameworkCore.cs:252:18:252:46 | access to property Addresses : ICollection
    [element, property Street] : String | EntityFrameworkCore.cs:252:18:252:54 | call to method First
    : Object [property Street] : String | -| EntityFrameworkCore.cs:252:18:252:54 | call to method First
    : Object [property Street] : String | EntityFrameworkCore.cs:252:18:252:61 | access to property Street | +| EntityFrameworkCore.cs:237:18:237:28 | access to property Persons : DbSet [element, property Name] : String | EntityFrameworkCore.cs:237:18:237:36 | call to method First : Person [property Name] : String | +| EntityFrameworkCore.cs:237:18:237:36 | call to method First : Person [property Name] : String | EntityFrameworkCore.cs:237:18:237:41 | access to property Name | +| EntityFrameworkCore.cs:245:18:245:30 | access to property Addresses : DbSet
    [element, property Street] : String | EntityFrameworkCore.cs:245:18:245:38 | call to method First
    : Address [property Street] : String | +| EntityFrameworkCore.cs:245:18:245:38 | call to method First
    : Address [property Street] : String | EntityFrameworkCore.cs:245:18:245:45 | access to property Street | +| EntityFrameworkCore.cs:252:18:252:28 | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | EntityFrameworkCore.cs:252:18:252:36 | call to method First : Person [property Addresses, element, property Street] : String | +| EntityFrameworkCore.cs:252:18:252:36 | call to method First : Person [property Addresses, element, property Street] : String | EntityFrameworkCore.cs:252:18:252:46 | access to property Addresses : ICollection
    [element, property Street] : String | +| EntityFrameworkCore.cs:252:18:252:46 | access to property Addresses : ICollection
    [element, property Street] : String | EntityFrameworkCore.cs:252:18:252:54 | call to method First
    : Address [property Street] : String | +| EntityFrameworkCore.cs:252:18:252:54 | call to method First
    : Address [property Street] : String | EntityFrameworkCore.cs:252:18:252:61 | access to property Street | nodes | EntityFramework.cs:59:13:62:13 | { ..., ... } : Person [property Name] : String | semmle.label | { ..., ... } : Person [property Name] : String | | EntityFramework.cs:61:24:61:32 | "tainted" : String | semmle.label | "tainted" : String | @@ -237,15 +237,15 @@ nodes | EntityFramework.cs:196:29:196:29 | access to parameter p : Person [property Name] : String | semmle.label | access to parameter p : Person [property Name] : String | | EntityFramework.cs:197:13:197:15 | access to local variable ctx : MyContext [property Persons, element, property Name] : String | semmle.label | access to local variable ctx : MyContext [property Persons, element, property Name] : String | | EntityFramework.cs:204:18:204:28 | access to property Persons : DbSet [element, property Name] : String | semmle.label | access to property Persons : DbSet [element, property Name] : String | -| EntityFramework.cs:204:18:204:36 | call to method First : Object [property Name] : String | semmle.label | call to method First : Object [property Name] : String | +| EntityFramework.cs:204:18:204:36 | call to method First : Person [property Name] : String | semmle.label | call to method First : Person [property Name] : String | | EntityFramework.cs:204:18:204:41 | access to property Name | semmle.label | access to property Name | | EntityFramework.cs:212:18:212:30 | access to property Addresses : DbSet
    [element, property Street] : String | semmle.label | access to property Addresses : DbSet
    [element, property Street] : String | -| EntityFramework.cs:212:18:212:38 | call to method First
    : Object [property Street] : String | semmle.label | call to method First
    : Object [property Street] : String | +| EntityFramework.cs:212:18:212:38 | call to method First
    : Address [property Street] : String | semmle.label | call to method First
    : Address [property Street] : String | | EntityFramework.cs:212:18:212:45 | access to property Street | semmle.label | access to property Street | | EntityFramework.cs:219:18:219:28 | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | semmle.label | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | -| EntityFramework.cs:219:18:219:36 | call to method First : Object [property Addresses, element, property Street] : String | semmle.label | call to method First : Object [property Addresses, element, property Street] : String | +| EntityFramework.cs:219:18:219:36 | call to method First : Person [property Addresses, element, property Street] : String | semmle.label | call to method First : Person [property Addresses, element, property Street] : String | | EntityFramework.cs:219:18:219:46 | access to property Addresses : ICollection
    [element, property Street] : String | semmle.label | access to property Addresses : ICollection
    [element, property Street] : String | -| EntityFramework.cs:219:18:219:54 | call to method First
    : Object [property Street] : String | semmle.label | call to method First
    : Object [property Street] : String | +| EntityFramework.cs:219:18:219:54 | call to method First
    : Address [property Street] : String | semmle.label | call to method First
    : Address [property Street] : String | | EntityFramework.cs:219:18:219:61 | access to property Street | semmle.label | access to property Street | | EntityFrameworkCore.cs:82:31:82:39 | "tainted" : String | semmle.label | "tainted" : String | | EntityFrameworkCore.cs:83:18:83:28 | access to local variable taintSource | semmle.label | access to local variable taintSource | @@ -318,15 +318,15 @@ nodes | EntityFrameworkCore.cs:229:29:229:29 | access to parameter p : Person [property Name] : String | semmle.label | access to parameter p : Person [property Name] : String | | EntityFrameworkCore.cs:230:13:230:15 | access to local variable ctx : MyContext [property Persons, element, property Name] : String | semmle.label | access to local variable ctx : MyContext [property Persons, element, property Name] : String | | EntityFrameworkCore.cs:237:18:237:28 | access to property Persons : DbSet [element, property Name] : String | semmle.label | access to property Persons : DbSet [element, property Name] : String | -| EntityFrameworkCore.cs:237:18:237:36 | call to method First : Object [property Name] : String | semmle.label | call to method First : Object [property Name] : String | +| EntityFrameworkCore.cs:237:18:237:36 | call to method First : Person [property Name] : String | semmle.label | call to method First : Person [property Name] : String | | EntityFrameworkCore.cs:237:18:237:41 | access to property Name | semmle.label | access to property Name | | EntityFrameworkCore.cs:245:18:245:30 | access to property Addresses : DbSet
    [element, property Street] : String | semmle.label | access to property Addresses : DbSet
    [element, property Street] : String | -| EntityFrameworkCore.cs:245:18:245:38 | call to method First
    : Object [property Street] : String | semmle.label | call to method First
    : Object [property Street] : String | +| EntityFrameworkCore.cs:245:18:245:38 | call to method First
    : Address [property Street] : String | semmle.label | call to method First
    : Address [property Street] : String | | EntityFrameworkCore.cs:245:18:245:45 | access to property Street | semmle.label | access to property Street | | EntityFrameworkCore.cs:252:18:252:28 | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | semmle.label | access to property Persons : DbSet [element, property Addresses, element, property Street] : String | -| EntityFrameworkCore.cs:252:18:252:36 | call to method First : Object [property Addresses, element, property Street] : String | semmle.label | call to method First : Object [property Addresses, element, property Street] : String | +| EntityFrameworkCore.cs:252:18:252:36 | call to method First : Person [property Addresses, element, property Street] : String | semmle.label | call to method First : Person [property Addresses, element, property Street] : String | | EntityFrameworkCore.cs:252:18:252:46 | access to property Addresses : ICollection
    [element, property Street] : String | semmle.label | access to property Addresses : ICollection
    [element, property Street] : String | -| EntityFrameworkCore.cs:252:18:252:54 | call to method First
    : Object [property Street] : String | semmle.label | call to method First
    : Object [property Street] : String | +| EntityFrameworkCore.cs:252:18:252:54 | call to method First
    : Address [property Street] : String | semmle.label | call to method First
    : Address [property Street] : String | | EntityFrameworkCore.cs:252:18:252:61 | access to property Street | semmle.label | access to property Street | subpaths #select diff --git a/csharp/ql/test/library-tests/parameters/Parameters.cs b/csharp/ql/test/library-tests/parameters/Parameters.cs index ebe17322bad..ee62454b404 100644 --- a/csharp/ql/test/library-tests/parameters/Parameters.cs +++ b/csharp/ql/test/library-tests/parameters/Parameters.cs @@ -25,7 +25,14 @@ public class Parameters public void M17([Optional, DefaultParameterValue(null)] object arg7) => throw null; public void M18([Optional, DefaultParameterValue(3)] int? arg8) => throw null; public void M19([Optional, DecimalConstant(1, 0, 0, 0, 103)] decimal arg9) => throw null; + public void M20([Optional, DefaultParameterValue(7)] MyStruct arg10) => throw null; + public void M21([Optional, DefaultParameterValue("mystring")] MyStruct arg10) => throw null; - public struct MyStruct { } + public struct MyStruct + { + public static implicit operator MyStruct(int i) => new MyStruct(); + public static implicit operator MyStruct(string s) => new MyStruct(); + + } public enum MyEnum { A = 1, B = 2 } } \ No newline at end of file diff --git a/csharp/ql/test/library-tests/parameters/Parameters.cs_ b/csharp/ql/test/library-tests/parameters/Parameters.cs_ index 8fce6f198c3..136e7262b98 100644 --- a/csharp/ql/test/library-tests/parameters/Parameters.cs_ +++ b/csharp/ql/test/library-tests/parameters/Parameters.cs_ @@ -25,7 +25,14 @@ public class ParametersDll public void M17([Optional, DefaultParameterValue(null)] object arg7) => throw null; public void M18([Optional, DefaultParameterValue(3)] int? arg8) => throw null; public void M19([Optional, DecimalConstant(1, 0, 0, 0, 103)] decimal arg9) => throw null; + public void M20([Optional, DefaultParameterValue(7)] MyStruct arg10) => throw null; + public void M21([Optional, DefaultParameterValue("mystring")] MyStruct arg10) => throw null; - public struct MyStruct { } + public struct MyStruct + { + public static implicit operator MyStruct(int i) => new MyStruct(); + public static implicit operator MyStruct(string s) => new MyStruct(); + + } public enum MyEnum { A = 1, B = 2 } } \ No newline at end of file diff --git a/csharp/ql/test/library-tests/parameters/Parameters.dll b/csharp/ql/test/library-tests/parameters/Parameters.dll index b40c91369cb..3358306fc89 100644 Binary files a/csharp/ql/test/library-tests/parameters/Parameters.dll and b/csharp/ql/test/library-tests/parameters/Parameters.dll differ diff --git a/csharp/ql/test/library-tests/parameters/Parameters.expected b/csharp/ql/test/library-tests/parameters/Parameters.expected index 4ac08438d3a..820ec37b9ab 100644 --- a/csharp/ql/test/library-tests/parameters/Parameters.expected +++ b/csharp/ql/test/library-tests/parameters/Parameters.expected @@ -5,12 +5,16 @@ noDefaultValue | Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:24:8:24 | a | 0 | | Parameters.cs:12:17:12:18 | M6 | Parameters.cs:12:29:12:30 | s1 | 0 | | Parameters.cs:13:17:13:18 | M7 | Parameters.cs:13:27:13:28 | e1 | 0 | +| Parameters.cs:33:32:33:39 | implicit conversion | Parameters.cs:33:54:33:54 | i | 0 | +| Parameters.cs:34:32:34:39 | implicit conversion | Parameters.cs:34:57:34:57 | s | 0 | | Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | a | 0 | | Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | b | 1 | | Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | c | 2 | | Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | a | 0 | | Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s1 | 0 | | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e1 | 0 | +| Parameters.dll:0:0:0:0 | implicit conversion | Parameters.dll:0:0:0:0 | i | 0 | +| Parameters.dll:0:0:0:0 | implicit conversion | Parameters.dll:0:0:0:0 | s | 0 | withDefaultValue | Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:34:8:34 | b | 1 | Parameters.cs:8:38:8:41 | null | null | | Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:51:8:51 | c | 2 | Parameters.cs:8:55:8:70 | "default string" | default string | @@ -39,6 +43,8 @@ withDefaultValue | Parameters.cs:25:17:25:19 | M17 | Parameters.cs:25:68:25:71 | arg7 | 0 | Parameters.cs:25:21:25:71 | default | null | | Parameters.cs:26:17:26:19 | M18 | Parameters.cs:26:63:26:66 | arg8 | 0 | Parameters.cs:26:21:26:66 | 3 | 3 | | Parameters.cs:27:17:27:19 | M19 | Parameters.cs:27:74:27:77 | arg9 | 0 | Parameters.cs:27:21:27:77 | 10.3 | 10.3 | +| Parameters.cs:28:17:28:19 | M20 | Parameters.cs:28:67:28:71 | arg10 | 0 | Parameters.cs:28:21:28:71 | call to operator implicit conversion | - | +| Parameters.cs:29:17:29:19 | M21 | Parameters.cs:29:76:29:80 | arg10 | 0 | Parameters.cs:29:21:29:80 | call to operator implicit conversion | - | | Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null | | Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 | Parameters.dll:0:0:0:0 | "default string" | default string | | Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 1 | 1 | @@ -66,8 +72,15 @@ withDefaultValue | Parameters.dll:0:0:0:0 | M17 | Parameters.dll:0:0:0:0 | arg7 | 0 | Parameters.dll:0:0:0:0 | default | null | | Parameters.dll:0:0:0:0 | M18 | Parameters.dll:0:0:0:0 | arg8 | 0 | Parameters.dll:0:0:0:0 | 3 | 3 | | Parameters.dll:0:0:0:0 | M19 | Parameters.dll:0:0:0:0 | arg9 | 0 | Parameters.dll:0:0:0:0 | 10.3 | 10.3 | +| Parameters.dll:0:0:0:0 | M20 | Parameters.dll:0:0:0:0 | arg10 | 0 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | - | +| Parameters.dll:0:0:0:0 | M21 | Parameters.dll:0:0:0:0 | arg10 | 0 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | - | dateTimeDefaults | Parameters.cs:22:17:22:19 | M14 | Parameters.cs:22:64:22:67 | arg4 | Parameters.cs:22:21:22:67 | object creation of type DateTime | DateTime(long) | 14 | | Parameters.cs:23:17:23:19 | M15 | Parameters.cs:23:68:23:71 | arg5 | Parameters.cs:23:21:23:71 | object creation of type DateTime | DateTime(long) | 10001 | | Parameters.dll:0:0:0:0 | M14 | Parameters.dll:0:0:0:0 | arg4 | Parameters.dll:0:0:0:0 | object creation of type DateTime | DateTime(long) | 14 | | Parameters.dll:0:0:0:0 | M15 | Parameters.dll:0:0:0:0 | arg5 | Parameters.dll:0:0:0:0 | object creation of type DateTime | DateTime(long) | 10001 | +implicitConversionDefaults +| Parameters.cs:28:17:28:19 | M20 | Parameters.cs:28:67:28:71 | arg10 | Parameters.cs:28:21:28:71 | call to operator implicit conversion | Parameters.cs:28:21:28:71 | 7 | Int32 | 7 | +| Parameters.cs:29:17:29:19 | M21 | Parameters.cs:29:76:29:80 | arg10 | Parameters.cs:29:21:29:80 | call to operator implicit conversion | Parameters.cs:29:21:29:80 | "mystring" | String | mystring | +| Parameters.dll:0:0:0:0 | M20 | Parameters.dll:0:0:0:0 | arg10 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | Parameters.dll:0:0:0:0 | 7 | Int32 | 7 | +| Parameters.dll:0:0:0:0 | M21 | Parameters.dll:0:0:0:0 | arg10 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | Parameters.dll:0:0:0:0 | "mystring" | String | mystring | diff --git a/csharp/ql/test/library-tests/parameters/Parameters.ql b/csharp/ql/test/library-tests/parameters/Parameters.ql index 09eadc693f0..209cdc12577 100644 --- a/csharp/ql/test/library-tests/parameters/Parameters.ql +++ b/csharp/ql/test/library-tests/parameters/Parameters.ql @@ -16,11 +16,15 @@ query predicate noDefaultValue(Parameterizable container, Parameter p, int i) { not compilerGeneratedAttribute(container) } -query predicate withDefaultValue(Parameterizable container, Parameter p, int i, Expr e, string value) { +private predicate defaultValue(Parameterizable container, Parameter p, int i, Expr e) { fromTestLocation(container) and p.hasDefaultValue() and container.getParameter(i) = p and - p.getDefaultValue() = e and + p.getDefaultValue() = e +} + +query predicate withDefaultValue(Parameterizable container, Parameter p, int i, Expr e, string value) { + defaultValue(container, p, i, e) and (if exists(e.getValue()) then value = e.getValue() else value = "-") and not compilerGeneratedAttribute(container) } @@ -28,11 +32,17 @@ query predicate withDefaultValue(Parameterizable container, Parameter p, int i, query predicate dateTimeDefaults( Parameterizable container, Parameter p, ObjectCreation o, string constructor, string value ) { - fromTestLocation(container) and - p.hasDefaultValue() and - container.getAParameter() = p and - p.getDefaultValue() = o and + defaultValue(container, p, _, o) and o.getTarget().toStringWithTypes() = constructor and o.getAnArgument().getValue() = value and not compilerGeneratedAttribute(container) } + +query predicate implicitConversionDefaults( + Parameterizable container, Parameter p, OperatorCall o, Expr e, string type, string value +) { + defaultValue(container, p, _, o) and + o.getAnArgument() = e and + type = e.getType().toString() and + value = e.getValue() +} diff --git a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.expected b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.expected index 92f7365adeb..f4b2fcbf837 100644 --- a/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.expected +++ b/csharp/ql/test/query-tests/Bad Practices/Implementation Hiding/ExposeRepresentation/ExposeRepresentation.expected @@ -1,2 +1,2 @@ -| ExposeRepresentation.cs:8:21:8:23 | Set | 'Set' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentation.cs:16:9:16:9 | ExposeRepresentation.cs:16:9:16:9 | through the variable a | -| ExposeRepresentationBad.cs:18:22:18:24 | Get | 'Get' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentationBad.cs:24:23:24:29 | ExposeRepresentationBad.cs:24:23:24:29 | after this call to Get | +| ExposeRepresentation.cs:8:21:8:23 | Set | 'Set' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentation.cs:16:9:16:9 | access to local variable a | through the variable a | +| ExposeRepresentationBad.cs:18:22:18:24 | Get | 'Get' exposes the internal representation stored in field 'rarray'. The value may be modified $@. | ExposeRepresentationBad.cs:24:23:24:29 | call to method Get | after this call to Get | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected index 4cc2e788074..011ec3faee0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected @@ -1,10 +1,10 @@ edges -| InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Int32 | InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Int32 | -| InsecureRandomness.cs:28:23:28:43 | (...) ... : Int32 | InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Int32 | -| InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | InsecureRandomness.cs:28:23:28:43 | (...) ... : Int32 | +| InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Byte | InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Byte | +| InsecureRandomness.cs:28:23:28:43 | (...) ... : Byte | InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Byte | +| InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | InsecureRandomness.cs:28:23:28:43 | (...) ... : Byte | | InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder [element] : String | InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder [element] : String | | InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder [element] : String | -| InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Int32 | InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | +| InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Byte | InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | | InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder [element] : String | InsecureRandomness.cs:31:16:31:32 | call to method ToString : String | | InsecureRandomness.cs:31:16:31:32 | call to method ToString : String | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | | InsecureRandomness.cs:60:31:60:39 | call to method Next : Int32 | InsecureRandomness.cs:62:16:62:21 | access to local variable result : String | @@ -16,12 +16,12 @@ nodes | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | semmle.label | call to method InsecureRandomString | | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | semmle.label | call to method InsecureRandomStringFromSelection | | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | semmle.label | call to method InsecureRandomStringFromIndexer | -| InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Int32 | semmle.label | [post] access to local variable data : Byte[] [element] : Int32 | -| InsecureRandomness.cs:28:23:28:43 | (...) ... : Int32 | semmle.label | (...) ... : Int32 | +| InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Byte | semmle.label | [post] access to local variable data : Byte[] [element] : Byte | +| InsecureRandomness.cs:28:23:28:43 | (...) ... : Byte | semmle.label | (...) ... : Byte | | InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | semmle.label | call to method Next : Int32 | | InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder [element] : String | semmle.label | [post] access to local variable result : StringBuilder [element] : String | | InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | semmle.label | call to method GetString : String | -| InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Int32 | semmle.label | access to local variable data : Byte[] [element] : Int32 | +| InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Byte | semmle.label | access to local variable data : Byte[] [element] : Byte | | InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder [element] : String | semmle.label | access to local variable result : StringBuilder [element] : String | | InsecureRandomness.cs:31:16:31:32 | call to method ToString : String | semmle.label | call to method ToString : String | | InsecureRandomness.cs:60:31:60:39 | call to method Next : Int32 | semmle.label | call to method Next : Int32 | diff --git a/csharp/tools/tracing-config.lua b/csharp/tools/tracing-config.lua index 79b2ea2ca1c..f04169caff5 100644 --- a/csharp/tools/tracing-config.lua +++ b/csharp/tools/tracing-config.lua @@ -21,6 +21,7 @@ function RegisterExtractorPack(id) -- if that's `build`, we append `-p:UseSharedCompilation=false` to the command line, -- otherwise we do nothing. local match = false + local testMatch = false local dotnetRunNeedsSeparator = false; local dotnetRunInjectionIndex = nil; local argv = compilerArguments.argv @@ -37,7 +38,7 @@ function RegisterExtractorPack(id) if (not match) then Log(1, 'Dotnet subcommand detected: %s', arg) end - if arg == 'build' or arg == 'msbuild' or arg == 'publish' or arg == 'pack' or arg == 'test' then + if arg == 'build' or arg == 'msbuild' or arg == 'publish' or arg == 'pack' then match = true break end @@ -48,6 +49,16 @@ function RegisterExtractorPack(id) dotnetRunNeedsSeparator = true dotnetRunInjectionIndex = i + 1 end + if arg == 'test' then + match = true + testMatch = true + end + -- for `dotnet test`, we should not append `-p:UseSharedCompilation=false` to the command line + -- if an `exe` or `dll` is passed as an argument as the call is forwarded to vstest. + if testMatch and (arg:match('%.exe$') or arg:match('%.dll')) then + match = false + break + end end -- if we see a separator to `dotnet run`, inject just prior to the existing separator if arg == '--' then diff --git a/docs/codeql/ql-language-reference/modules.rst b/docs/codeql/ql-language-reference/modules.rst index ee0d1f7966b..42344c72e3d 100644 --- a/docs/codeql/ql-language-reference/modules.rst +++ b/docs/codeql/ql-language-reference/modules.rst @@ -139,7 +139,7 @@ Parameterized modules ===================== Parameterized modules are QL's approach to generic programming. -Similar to explicit modules, parameterized modules are defined within other modules using the keywork ``module``. +Similar to explicit modules, parameterized modules are defined within other modules using the keyword ``module``. In addition to the module name, parameterized modules declare one or more parameters between the name and the module body. For example, consider the module ``M``, which takes two predicate parameters and defines a new predicate diff --git a/docs/codeql/reusables/supported-versions-compilers.rst b/docs/codeql/reusables/supported-versions-compilers.rst index da873041fb9..0d38f92a8c8 100644 --- a/docs/codeql/reusables/supported-versions-compilers.rst +++ b/docs/codeql/reusables/supported-versions-compilers.rst @@ -25,7 +25,7 @@ Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11",Not applicable,``.py`` Ruby [9]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``" Swift [10]_,"Swift 5.4-5.7","Swift compiler","``.swift``" - TypeScript [11]_,"2.6-5.0",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``" + TypeScript [11]_,"2.6-5.1",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``" .. container:: footnote-group diff --git a/go/Makefile b/go/Makefile index 7e119b36f03..8f28079f008 100644 --- a/go/Makefile +++ b/go/Makefile @@ -14,7 +14,7 @@ CODEQL_PLATFORM = osx64 endif endif -CODEQL_TOOLS = $(addprefix codeql-tools/,autobuild.cmd autobuild.sh pre-finalize.cmd pre-finalize.sh index.cmd index.sh tracing-config.lua) +CODEQL_TOOLS = $(addprefix codeql-tools/,autobuild.cmd autobuild.sh pre-finalize.cmd pre-finalize.sh index.cmd index.sh identify-environment.cmd identify-environment.sh tracing-config.lua) EXTRACTOR_PACK_OUT = build/codeql-extractor-go diff --git a/go/extractor/cli/go-autobuilder/go-autobuilder.go b/go/extractor/cli/go-autobuilder/go-autobuilder.go index 9fcad68d42a..fc56d4b8715 100644 --- a/go/extractor/cli/go-autobuilder/go-autobuilder.go +++ b/go/extractor/cli/go-autobuilder/go-autobuilder.go @@ -44,7 +44,7 @@ Build behavior: to 'false' disables the GOPATH set-up, CODEQL_EXTRACTOR_GO_BUILD_COMMAND (or alternatively LGTM_INDEX_BUILD_COMMAND), can be set to a newline-separated list of commands to run in order to install dependencies, and LGTM_INDEX_IMPORT_PATH can be used to override the package import path, - which is otherwise inferred from the SEMMLE_REPO_URL or GITHUB_REPOSITORY environment variables. + which is otherwise inferred from the SEMMLE_REPO_URL or GITHUB_REPOSITORY environment variables. In resource-constrained environments, the environment variable CODEQL_EXTRACTOR_GO_MAX_GOROUTINES (or its legacy alias SEMMLE_MAX_GOROUTINES) can be used to limit the number of parallel goroutines @@ -910,6 +910,17 @@ func getVersionWhenGoModVersionSupported(v versionInfo) (msg, version string) { // Check the versions of Go found in the environment and in the `go.mod` file, and return a // version to install. If the version is the empty string then no installation is required. +// We never return a version of Go that is outside of the supported range. +// +// +-----------------------+-----------------------+-----------------------+-----------------------------------------------------+------------------------------------------------+ +// | Found in go.mod > | *None* | *Below min supported* | *In supported range* | *Above max supported | +// | Installed \/ | | | | | +// |-----------------------|-----------------------|-----------------------|-----------------------------------------------------|------------------------------------------------| +// | *None* | Install max supported | Install min supported | Install version from go.mod | Install max supported | +// | *Below min supported* | Install max supported | Install min supported | Install version from go.mod | Install max supported | +// | *In supported range* | No action | No action | Install version from go.mod if newer than installed | Install max supported if newer than installed | +// | *Above max supported* | Install max supported | Install min supported | Install version from go.mod | No action | +// +-----------------------+-----------------------+-----------------------+-----------------------------------------------------+------------------------------------------------+ func getVersionToInstall(v versionInfo) (msg, version string) { if !v.goModVersionFound { return getVersionWhenGoModVersionNotFound(v) @@ -931,9 +942,9 @@ func getVersionToInstall(v versionInfo) (msg, version string) { func outputEnvironmentJson(version string) { var content string if version == "" { - content = `{ "include": [] }` + content = `{ "go": {} }` } else { - content = `{ "include": [ { "go": { "version": "` + version + `" } } ] }` + content = `{ "go": { "version": "` + version + `" } }` } _, err := fmt.Fprint(os.Stdout, content) diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll index ddf98ac0f2f..984c5ae2018 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl.qll @@ -1135,8 +1135,8 @@ module Impl { DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow ); - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap); + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t); bindingset[typ, contentType] predicate typecheckStore(Typ typ, DataFlowType contentType); @@ -1199,17 +1199,21 @@ module Impl { NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa ) { - fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and - PrevStage::revFlow(node, state, apa) and - filter(node, state, t, ap) + fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa) } - pragma[inline] - additional predicate fwdFlow( + private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap + ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa ) { - fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _) + fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and + PrevStage::revFlow(node, state, apa) and + filter(node, state, t0, ap, t) + } + + pragma[nomagic] + private predicate typeStrengthen(Typ t0, Ap ap, Typ t) { + fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } pragma[assume_small_delta] @@ -1339,6 +1343,11 @@ module Impl { private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and cons = apCons(c, t1, tail) + or + exists(Typ t0 | + typeStrengthen(t0, cons, t2) and + fwdFlowConsCand(t0, cons, c, t1, tail) + ) } pragma[nomagic] @@ -1359,7 +1368,7 @@ module Impl { ParamNodeOption summaryCtx, TypOption argT, ApOption argAp ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and + fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and apc = getHeadContent(ap) and readStepCand0(node1, apc, c, node2) ) @@ -1520,14 +1529,14 @@ module Impl { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, _, _, ap) + fwdFlow(node, state, _, _, _, _, _, ap, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, _, _, ap) and + fwdFlow(node, state, _, _, _, _, _, ap, _) and sinkNode(node, state) and ( if hasSinkCallCtx() @@ -1780,13 +1789,13 @@ module Impl { boolean fwd, int nodes, int fields, int conscand, int states, int tuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _, _)) and conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap)) + ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _)) or fwd = false and nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and @@ -1963,10 +1972,10 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { PrevStage::revFlowState(state) and - exists(t) and + t0 = t and exists(ap) and not stateBarrier(node, state) and ( @@ -2197,8 +2206,8 @@ module Impl { import BooleanCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and exists(lcc) @@ -2218,10 +2227,16 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + // We can get away with not using type strengthening here, since we aren't + // going to use the tracked types in the construction of Stage 4 access + // paths. For Stage 4 and onwards, the tracked types must be consistent as + // the cons candidates including types are used to construct subsequent + // access path approximations. + t0 = t and + (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and ( notExpectsContent(node) or @@ -2241,6 +2256,16 @@ module Impl { import MkStage::Stage } + bindingset[node, t0] + private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) { + if castingNodeEx(node) + then + exists(DataFlowType nt | nt = node.getDataFlowType() | + if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0) + ) + else t = t0 + } + private module Stage4Param implements MkStage::StageParam { private module PrevStage = Stage3; @@ -2274,8 +2299,8 @@ module Impl { pragma[nomagic] predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2333,11 +2358,11 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and not clear(node, ap) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + strengthenType(node, t0, t) and ( notExpectsContent(node) or @@ -2365,7 +2390,7 @@ module Impl { exists(AccessPathFront apf | Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _, - apf) + apf, _) ) } @@ -2579,8 +2604,8 @@ module Impl { import LocalCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2609,9 +2634,9 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { + strengthenType(node, t0, t) and exists(state) and exists(ap) } @@ -2632,7 +2657,7 @@ module Impl { Stage5::parameterMayFlowThrough(p, _) and Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _, - TAccessPathApproxSome(apa), _, apa0) + TAccessPathApproxSome(apa), _, apa0, _) ) } @@ -2649,7 +2674,7 @@ module Impl { TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) { exists(AccessPathApprox apa | ap.getApprox() = apa | Stage5::parameterMayFlowThrough(p, apa) and - Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and + Stage5::fwdFlow(p, state, _, _, Option::some(t), _, _, apa, _) and Stage5::revFlow(p, state, _) ) } @@ -2820,9 +2845,7 @@ module Impl { ap = TAccessPathNil() or // ... or a step from an existing PathNode to another node. - pathStep(_, node, state, cc, sc, t, ap) and - Stage5::revFlow(node, state, ap.getApprox()) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) + pathStep(_, node, state, cc, sc, t, ap) } or TPathNodeSink(NodeEx node, FlowState state) { exists(PathNodeMid sink | @@ -3340,13 +3363,24 @@ module Impl { ap = mid.getAp() } + private predicate pathStep( + PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, + AccessPath ap + ) { + exists(DataFlowType t0 | + pathStep0(mid, node, state, cc, sc, t0, ap) and + Stage5::revFlow(node, state, ap.getApprox()) and + strengthenType(node, t0, t) + ) + } + /** * Holds if data may flow from `mid` to `node`. The last step in or out of * a callable is recorded by `cc`. */ pragma[assume_small_delta] pragma[nomagic] - private predicate pathStep( + private predicate pathStep0( PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap ) { @@ -3964,7 +3998,7 @@ module Impl { ap = TPartialNil() and exists(explorationLimit()) or - partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and distSrc(node.getEnclosingCallable()) <= explorationLimit() } or TPartialPathNodeRev( @@ -3990,11 +4024,20 @@ module Impl { } pragma[nomagic] - private predicate partialPathNodeMk0( - NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, - TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap + private predicate partialPathStep( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { - partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap) + } + + pragma[nomagic] + private predicate partialPathStep1( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t, + PartialAccessPath ap + ) { + partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and not fullBarrier(node) and not stateBarrier(node, state) and not clearsContentEx(node, ap.getHead()) and @@ -4002,9 +4045,14 @@ module Impl { notExpectsContent(node) or expectsContentEx(node, ap.getHead()) ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), t) - else any() + strengthenType(node, t0, t) + } + + pragma[nomagic] + private predicate partialPathTypeStrengthen( + DataFlowType t0, PartialAccessPath ap, DataFlowType t + ) { + partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t } /** @@ -4183,7 +4231,8 @@ module Impl { } } - private predicate partialPathStep( + pragma[nomagic] + private predicate partialPathStep0( PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { @@ -4309,6 +4358,11 @@ module Impl { DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2 ) { partialPathStoreStep(_, t1, ap1, c, _, t2, ap2) + or + exists(DataFlowType t0 | + partialPathTypeStrengthen(t0, ap2, t2) and + apConsFwd(t1, ap1, c, t0, ap2) + ) } pragma[nomagic] diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll index d45587aa3d4..e0adc9f5790 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll @@ -200,6 +200,8 @@ predicate expectsContent(Node n, ContentSet c) { FlowSummaryImpl::Private::Steps::summaryExpectsContent(n, c) } +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() } + /** Gets the type of `n` used for type pruning. */ DataFlowType getNodeType(Node n) { result = TTodoDataFlowType() and exists(n) } diff --git a/go/ql/test/TestUtilities/InlineFlowTest.qll b/go/ql/test/TestUtilities/InlineFlowTest.qll index f080de86e16..0726265699f 100644 --- a/go/ql/test/TestUtilities/InlineFlowTest.qll +++ b/go/ql/test/TestUtilities/InlineFlowTest.qll @@ -7,7 +7,7 @@ * import TestUtilities.InlineFlowTest * ``` * - * To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files. + * To declare expectations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files. * Example of the corresponding test file, e.g. Test.java * ```go * public class Test { diff --git a/java/documentation/library-coverage/coverage.csv b/java/documentation/library-coverage/coverage.csv index 0bd4f53a9a7..447797aff24 100644 --- a/java/documentation/library-coverage/coverage.csv +++ b/java/documentation/library-coverage/coverage.csv @@ -1,167 +1,174 @@ -package,sink,source,summary,sink:bean-validation,sink:create-file,sink:fragment-injection,sink:groovy,sink:header-splitting,sink:information-leak,sink:intent-start,sink:jdbc-url,sink:jexl,sink:jndi-injection,sink:ldap,sink:logging,sink:mvel,sink:ognl-injection,sink:open-url,sink:pending-intent-sent,sink:read-file,sink:regex-use,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:set-hostname-verifier,sink:sql,sink:ssti,sink:url-redirect,sink:write-file,sink:xpath,sink:xslt,sink:xss,source:android-external-storage-dir,source:android-widget,source:contentprovider,source:remote,summary:taint,summary:value -android.app,35,,103,,,11,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,18,85 -android.content,24,31,154,,,,,,,16,,,,,,,,,,,,,,,,,,,8,,,,,,,4,,27,,63,91 -android.database,59,,41,,,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,41, -android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15 -android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,41,81 -android.support.v4.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -android.util,6,16,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,16,, -android.webkit,3,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,2,, -android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,1, -androidx.core.app,6,,95,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,12,83 -androidx.fragment.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -androidx.slice,2,5,88,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,5,,27,61 -cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -com.fasterxml.jackson.databind,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6, -com.google.common.base,4,,87,,,,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,,,63,24 -com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17 -com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551 -com.google.common.flogger,29,,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,,,, -com.google.common.io,8,,73,,2,,,,,,,,,,,,,,,5,,,,,,,,,,,,1,,,,,,,,72,1 -com.google.gson,,,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,25,14 -com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,, -com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,, -com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,, -com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7, -com.thoughtworks.xstream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,, -com.unboundid.ldap.sdk,17,,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,, -com.zaxxer.hikari,2,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1 -freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, -freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,, -groovy.lang,26,,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -groovy.text,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -groovy.util,5,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -hudson,44,,16,,19,,,,,,,,,,,,,6,,17,,,,,,,,,,,,2,,,,,,,,16, -io.jsonwebtoken,,2,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,4, -io.netty.bootstrap,3,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,, -io.netty.buffer,,,207,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,77 -io.netty.channel,9,2,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,,,,,,,,,2,, -io.netty.handler.codec,4,13,259,,,,,,,,,,,,,,,3,,1,,,,,,,,,,,,,,,,,,,13,143,116 -io.netty.handler.ssl,2,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,, -io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,, -io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -io.netty.util,2,,23,,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,21,2 -jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,, -jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23 -jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, -jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,, -jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55 -java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3 -java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -java.io,44,,45,,18,,,,,,,,,,,,,,,4,,,,,,,,,,,,22,,,,,,,,43,2 -java.lang,18,,92,,,,,,,,,,,,8,,,,,5,,4,,,1,,,,,,,,,,,,,,,56,36 -java.net,13,3,20,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,3,20, -java.nio,38,,31,,22,,,,,,,,,,,,,,,13,,,,,,,,,,,,3,,,,,,,,31, -java.sql,13,,3,,,,,,,,4,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,2,1 -java.util,44,,484,,,,,,,,,,,,34,,,,,,,,5,2,,1,2,,,,,,,,,,,,,44,440 -javafx.scene.web,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, -javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,, -javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57, -javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23 -javax.management.remote,2,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,, -javax.naming,7,,1,,,,,,,,,,6,1,,,,,,,,,,,,,,,,,,,,,,,,,,1, -javax.net.ssl,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,, -javax.script,1,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,, -javax.servlet,5,21,2,,,,,3,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,21,2, -javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,, -javax.ws.rs.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, -javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,, -javax.ws.rs.core,3,,149,,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55 -javax.xml.transform,2,,6,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,6, -javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,, -jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10 -kotlin,16,,1843,,11,,,,,,,,,,,,,2,,3,,,,,,,,,,,,,,,,,,,,1836,7 -net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,, -ognl,6,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,, -okhttp3,4,,47,,,,,,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,22,25 -org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6, -org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783 -org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783 -org.apache.commons.compress.archivers.tar,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4, -org.apache.commons.httpclient.util,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -org.apache.commons.io,111,,560,,93,,,,,,,,,,,,,15,,1,,,,,,,,,,,,2,,,,,,,,546,14 -org.apache.commons.jelly,6,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,, -org.apache.commons.jexl2,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.commons.jexl3,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,293,131 -org.apache.commons.logging,6,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.commons.net,9,12,,,,,,,,,,,,,,,,6,,3,,,,,,,,,,,,,,,,,,,12,, -org.apache.commons.ognl,6,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52 -org.apache.directory.ldap.client.api,1,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.hadoop.fs,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10, -org.apache.hadoop.hive.metastore,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,, -org.apache.hc.client5.http.async.methods,84,,,,,,,,,,,,,,,,,84,,,,,,,,,,,,,,,,,,,,,,, -org.apache.hc.client5.http.classic.methods,37,,,,,,,,,,,,,,,,,37,,,,,,,,,,,,,,,,,,,,,,, -org.apache.hc.client5.http.fluent,19,,,,,,,,,,,,,,,,,19,,,,,,,,,,,,,,,,,,,,,,, -org.apache.hc.core5.benchmark,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, -org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -org.apache.hc.core5.http,73,2,45,,,,,,,,,,,,,,,72,,,,,,,,,,,,,,,,,1,,,,2,45, -org.apache.hc.core5.net,,,18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18, -org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6 -org.apache.hive.hcatalog.templeton,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,, -org.apache.http,48,3,94,,,,,,,,,,,,,,,46,,,,,,,,,,,,,,,,,2,,,,3,86,8 -org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,57, -org.apache.log4j,11,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.logging.log4j,359,,8,,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,,,,4,4 -org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -org.apache.shiro.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.apache.tools.ant,11,,,,3,,,,,,,,,,,,,,,8,,,,,,,,,,,,,,,,,,,,, -org.apache.tools.zip,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,, -org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,, -org.codehaus.cargo.container.installer,3,,,,2,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, -org.codehaus.groovy.control,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,,, -org.eclipse.jetty.client,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, -org.geogebra.web.full.main,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,, -org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,, -org.jboss.logging,324,,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,,,, -org.jdbi.v3.core,6,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,, -org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38 -org.kohsuke.stapler,3,,1,,,,,,,,,,,,,,,1,,1,,,,,,,,,,,1,,,,,,,,,1, -org.mvel2,16,,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,,,, -org.openjdk.jmh.runner.options,1,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.scijava.log,13,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,,,, -org.slf4j,55,,6,,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,,,,2,4 -org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30 -org.springframework.boot.jdbc,1,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13 -org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3, -org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1 -org.springframework.http,14,,71,,,,,,,,,,,,,,,14,,,,,,,,,,,,,,,,,,,,,,61,10 -org.springframework.jdbc.core,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,,,, -org.springframework.jdbc.datasource,4,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,, -org.springframework.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.springframework.ldap,47,,,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,,,,,,,,,,, -org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,, -org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32 -org.springframework.util,3,,142,,2,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,90,52 -org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13, -org.springframework.web.client,13,3,,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,3,, -org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,, -org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13, -org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,, -org.springframework.web.util,,,165,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,140,25 -org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,2, -org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, -org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,, -play.libs.ws,2,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,, -play.mvc,,13,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,24, -ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3, -ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4, -ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10, -ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48 -ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3, -ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35 -ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4, -ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10, -ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35 -retrofit2,1,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,, +package,sink,source,summary,sink:bean-validation,sink:file-content-store,sink:fragment-injection,sink:groovy-injection,sink:hostname-verification,sink:html-injection,sink:information-leak,sink:intent-redirection,sink:jexl-injection,sink:jndi-injection,sink:js-injection,sink:ldap-injection,sink:log-injection,sink:mvel-injection,sink:ognl-injection,sink:path-injection,sink:pending-intents,sink:regex-use,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:request-forgery,sink:response-splitting,sink:sql-injection,sink:template-injection,sink:url-redirection,sink:xpath-injection,sink:xslt-injection,source:android-external-storage-dir,source:contentprovider,source:remote,summary:taint,summary:value +android.app,35,,103,,,11,,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,18,85 +android.content,24,31,154,,,,,,,,16,,,,,,,,,,,,,,,,,,,8,,,,,4,27,,63,91 +android.database,59,,41,,,,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,41, +android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15 +android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,41,81 +android.support.v4.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +android.util,6,16,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,16,, +android.webkit,3,2,,,,,,,2,,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,, +android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,1, +androidx.core.app,6,,95,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,12,83 +androidx.fragment.app,11,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +androidx.slice,2,5,88,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,5,,27,61 +cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +com.alibaba.druid.sql,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +com.fasterxml.jackson.databind,2,,6,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,6, +com.google.common.base,4,,87,,,,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,63,24 +com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17 +com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551 +com.google.common.flogger,29,,,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,, +com.google.common.io,8,,73,,1,,,,,,,,,,,,,,7,,,,,,,,,,,,,,,,,,,72,1 +com.google.gson,,,44,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30,14 +com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,, +com.jcraft.jsch,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,1, +com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,, +com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,, +com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7, +com.thoughtworks.xstream,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,, +com.unboundid.ldap.sdk,17,,,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,, +com.zaxxer.hikari,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,, +flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1 +freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,, +freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,, +groovy.lang,26,,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +groovy.text,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +groovy.util,5,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +hudson,44,,16,,2,,,,,,,,,,,,,,36,,,,,,,,,6,,,,,,,,,,16, +io.jsonwebtoken,,2,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,4, +io.netty.bootstrap,3,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,, +io.netty.buffer,,,207,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,130,77 +io.netty.channel,9,2,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,2,, +io.netty.handler.codec,4,13,259,,,,,,,,,,,,,,,,1,,,,,,,,,3,,,,,,,,,13,143,116 +io.netty.handler.ssl,4,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,, +io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,, +io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +io.netty.util,2,,23,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,21,2 +jakarta.faces.context,2,7,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,, +jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23 +jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,, +jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,94,55 +java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3 +java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +java.io,49,,45,,22,,,,,,,,,,,,,,27,,,,,,,,,,,,,,,,,,,43,2 +java.lang,18,,92,,,,,,,,,,,,,8,,,5,,,4,,,1,,,,,,,,,,,,,56,36 +java.net,13,3,20,,,,,,,,,,,,,,,,,,,,,,,,,13,,,,,,,,,3,20, +java.nio,47,,35,,3,,,,,,,,,,,,,,44,,,,,,,,,,,,,,,,,,,35, +java.sql,13,,2,,,,,,,,,,,,,,,,,,,,,,,,,4,,9,,,,,,,,2, +java.util,44,,484,,,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,44,440 +javafx.scene.web,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +javax.faces.context,2,7,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,, +javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57, +javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23 +javax.management.remote,2,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,, +javax.naming,7,,1,,,,,,,,,,6,,1,,,,,,,,,,,,,,,,,,,,,,,1, +javax.net.ssl,2,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +javax.script,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,, +javax.servlet,5,21,2,,,,,,,1,,,,,,,,,1,,,,,,,,,,3,,,,,,,,21,2, +javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,, +javax.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,, +javax.ws.rs.core,3,,149,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,2,,,,,,94,55 +javax.xml.transform,2,,6,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,1,,,,6, +javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,, +jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10 +kotlin,16,,1847,,,,,,,,,,,,,,,,14,,,,,,,,,2,,,,,,,,,,1836,11 +net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,, +ognl,6,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,, +okhttp3,4,,48,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,23,25 +org.antlr.runtime,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,, +org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6, +org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783 +org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783 +org.apache.commons.compress.archivers.tar,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4, +org.apache.commons.httpclient.util,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +org.apache.commons.io,111,,560,,2,,,,,,,,,,,,,,94,,,,,,,,,15,,,,,,,,,,546,14 +org.apache.commons.jelly,6,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,, +org.apache.commons.jexl2,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,, +org.apache.commons.jexl3,15,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,, +org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,293,131 +org.apache.commons.logging,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,, +org.apache.commons.net,9,12,,,,,,,,,,,,,,,,,3,,,,,,,,,6,,,,,,,,,12,, +org.apache.commons.ognl,6,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,, +org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52 +org.apache.directory.ldap.client.api,1,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,, +org.apache.hadoop.fs,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10, +org.apache.hadoop.hive.metastore,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,, +org.apache.hc.client5.http.async.methods,84,,,,,,,,,,,,,,,,,,,,,,,,,,,84,,,,,,,,,,, +org.apache.hc.client5.http.classic.methods,37,,,,,,,,,,,,,,,,,,,,,,,,,,,37,,,,,,,,,,, +org.apache.hc.client5.http.fluent,19,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,,,, +org.apache.hc.core5.benchmark,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +org.apache.hc.core5.http,73,2,45,,,,,,1,,,,,,,,,,,,,,,,,,,72,,,,,,,,,2,45, +org.apache.hc.core5.net,,,18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18, +org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6 +org.apache.hive.hcatalog.templeton,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,, +org.apache.http,48,3,94,,,,,,2,,,,,,,,,,,,,,,,,,,46,,,,,,,,,3,86,8 +org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,57, +org.apache.log4j,11,,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,, +org.apache.logging.log4j,359,,8,,,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,4,4 +org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +org.apache.shiro.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,, +org.apache.tools.ant,11,,,,,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,, +org.apache.tools.zip,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,, +org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,, +org.codehaus.cargo.container.installer,3,,,,,,,,,,,,,,,,,,2,,,,,,,,,1,,,,,,,,,,, +org.codehaus.groovy.control,1,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,, +org.eclipse.jetty.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +org.fusesource.leveldbjni,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,, +org.geogebra.web.full.main,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,, +org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,, +org.influxdb,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +org.jboss.logging,324,,,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,, +org.jdbi.v3.core,6,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,, +org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,, +org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38 +org.kohsuke.stapler,3,,1,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,1,,,,,,1, +org.mvel2,16,,,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,, +org.openjdk.jmh.runner.options,1,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,, +org.scijava.log,13,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,, +org.slf4j,55,,6,,,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,2,4 +org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30 +org.springframework.boot.jdbc,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, +org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13 +org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3, +org.springframework.core.io,2,,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,, +org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1 +org.springframework.http,14,,71,,,,,,,,,,,,,,,,,,,,,,,,,14,,,,,,,,,,61,10 +org.springframework.jdbc.core,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,19,,,,,,,,, +org.springframework.jdbc.datasource,4,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,, +org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,, +org.springframework.jndi,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,, +org.springframework.ldap,47,,,,,,,,,,,,33,,14,,,,,,,,,,,,,,,,,,,,,,,, +org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,, +org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32 +org.springframework.util,3,,142,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,90,52 +org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13, +org.springframework.web.client,13,3,,,,,,,,,,,,,,,,,,,,,,,,,,13,,,,,,,,,3,, +org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,, +org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13, +org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,, +org.springframework.web.util,,,165,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,140,25 +org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,2, +org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,, +org.yaml.snakeyaml,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1, +play.libs.ws,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,, +play.mvc,,13,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,24, +ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3, +ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4, +ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10, +ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48 +ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3, +ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35 +ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4, +ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10, +ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35 +retrofit2,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,, diff --git a/java/documentation/library-coverage/coverage.rst b/java/documentation/library-coverage/coverage.rst index b87eeb390fe..8464e0ca23e 100644 --- a/java/documentation/library-coverage/coverage.rst +++ b/java/documentation/library-coverage/coverage.rst @@ -6,22 +6,22 @@ Java framework & library support :class: fullWidthTable :widths: auto - Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission` + Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑918` :sub:`Request Forgery` Android,``android.*``,52,481,138,,3,67,,, Android extensions,``androidx.*``,5,183,19,,,,,, `Apache Commons Collections `_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,1600,,,,,,, - `Apache Commons IO `_,``org.apache.commons.io``,,560,111,93,,,,,15 + `Apache Commons IO `_,``org.apache.commons.io``,,560,111,94,,,,,15 `Apache Commons Lang `_,``org.apache.commons.lang3``,,424,6,,,,,, `Apache Commons Text `_,``org.apache.commons.text``,,272,,,,,,, `Apache HttpComponents `_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,182,122,,3,,,,119 `Apache Log4j 2 `_,``org.apache.logging.log4j``,,8,359,,,,,, - `Google Guava `_,``com.google.common.*``,,730,41,2,,,,, + `Google Guava `_,``com.google.common.*``,,730,41,7,,,,, JBoss Logging,``org.jboss.logging``,,,324,,,,,, `JSON-java `_,``org.json``,,236,,,,,,, - Java Standard Library,``java.*``,3,679,170,40,,9,,,13 - Java extensions,"``javax.*``, ``jakarta.*``",63,611,34,1,4,,1,1,2 - Kotlin Standard Library,``kotlin*``,,1843,16,11,,,,,2 - `Spring `_,``org.springframework.*``,29,483,113,2,,28,14,,29 - Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",98,890,520,26,,18,18,,185 - Totals,,255,9182,1973,175,10,122,33,1,365 + Java Standard Library,``java.*``,3,682,184,76,,9,,,17 + Java extensions,"``javax.*``, ``jakarta.*``",63,611,34,2,4,,1,1,2 + Kotlin Standard Library,``kotlin*``,,1847,16,14,,,,,2 + `Spring `_,``org.springframework.*``,29,483,115,4,,28,14,,35 + Others,"``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.hibernate``, ``org.influxdb``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",98,899,528,66,,18,18,,195 + Totals,,255,9198,1997,263,10,122,33,1,385 diff --git a/java/kotlin-explorer/.gitignore b/java/kotlin-explorer/.gitignore deleted file mode 100644 index 9c076360bbb..00000000000 --- a/java/kotlin-explorer/.gitignore +++ /dev/null @@ -1,10 +0,0 @@ -.classpath -.gradle -.idea -.project -.settings -bin/ -build/ -gradle/ -gradlew -gradlew.bat diff --git a/java/kotlin-explorer/README b/java/kotlin-explorer/README deleted file mode 100644 index 0f500d7c25b..00000000000 --- a/java/kotlin-explorer/README +++ /dev/null @@ -1,9 +0,0 @@ - -This shows what is encoded in the kotlin.Metadata section shown in the -output of `javap -v SomeKotlinClass`. - -It is not currently able to extract the information from .class files -itself; the values are hard coded in src/main/kotlin/Explorer.kt - -Run `gradle run` in this directory to run it. - diff --git a/java/kotlin-explorer/build.gradle b/java/kotlin-explorer/build.gradle deleted file mode 100644 index b122d811d4f..00000000000 --- a/java/kotlin-explorer/build.gradle +++ /dev/null @@ -1,28 +0,0 @@ -plugins { - id 'org.jetbrains.kotlin.jvm' version "${kotlinVersion}" - id 'org.jetbrains.dokka' version '1.4.32' - id "com.vanniktech.maven.publish" version '0.15.1' - id 'application' -} - -group 'com.github.codeql' -version '0.0.1' - -dependencies { - implementation "org.jetbrains.kotlin:kotlin-stdlib" - implementation "org.jetbrains.kotlinx:kotlinx-metadata-jvm:0.3.0" -} - -repositories { - mavenCentral() -} - -tasks.withType(org.jetbrains.kotlin.gradle.tasks.KotlinCompile).configureEach { - kotlinOptions { - jvmTarget = "1.8" - } -} - -application { - mainClass = 'com.github.codeql.ExplorerKt' -} diff --git a/java/kotlin-explorer/gradle.properties b/java/kotlin-explorer/gradle.properties deleted file mode 100644 index 0854241bcda..00000000000 --- a/java/kotlin-explorer/gradle.properties +++ /dev/null @@ -1,7 +0,0 @@ -kotlin.code.style=official -kotlinVersion=1.5.21 - -GROUP=com.github.codeql -VERSION_NAME=0.0.1 -POM_DESCRIPTION=CodeQL Kotlin explorer - diff --git a/java/kotlin-explorer/settings.gradle b/java/kotlin-explorer/settings.gradle deleted file mode 100644 index 18f679f7b75..00000000000 --- a/java/kotlin-explorer/settings.gradle +++ /dev/null @@ -1,8 +0,0 @@ -pluginManagement { - repositories { - mavenCentral() - gradlePluginPortal() - } -} - -rootProject.name = 'codeql-kotlin-explorer' diff --git a/java/kotlin-explorer/src/main/kotlin/Explorer.kt b/java/kotlin-explorer/src/main/kotlin/Explorer.kt deleted file mode 100644 index 31c3eb18dcb..00000000000 --- a/java/kotlin-explorer/src/main/kotlin/Explorer.kt +++ /dev/null @@ -1,217 +0,0 @@ -package com.github.codeql -import kotlinx.metadata.internal.metadata.jvm.deserialization.JvmMetadataVersion -import kotlinx.metadata.jvm.* -import kotlinx.metadata.* - -fun main(args : Array) { - /* - Values from `javap -v` on TestKt.class from: - - class MyClass {} - - class MyParamClass {} - - fun f(x: MyClass, y: MyClass?, - l1: MyParamClass, - l2: MyParamClass, - l3: MyParamClass?, - l4: MyParamClass?) { - } - */ - val kind = 2 - val metadataVersion = intArrayOf(1, 5, 1) - val data1 = arrayOf("\u0000\u0018\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\u001aX\u0010\u0000\u001a\u00020\u00012\u0006\u0010\u0002\u001a\u00020\u00032\b\u0010\u0004\u001a\u0004\u0018\u00010\u00032\u000c\u0010\u0005\u001a\b\u0012\u0004\u0012\u00020\u00030\u00062\u000e\u0010\u0007\u001a\n\u0012\u0006\u0012\u0004\u0018\u00010\u00030\u00062\u000e\u0010\b\u001a\n\u0012\u0004\u0012\u00020\u0003\u0018\u00010\u00062\u0010\u0010\t\u001a\u000c\u0012\u0006\u0012\u0004\u0018\u00010\u0003\u0018\u00010\u0006") - val data2 = arrayOf("f","","x","LMyClass;","y","l1","LMyParamClass;","l2","l3","l4") - val extraString = null - val packageName = null - val extraInt = 48 - val kch = KotlinClassHeader(kind, metadataVersion, data1, data2, extraString, packageName, extraInt) - - val md = KotlinClassMetadata.read(kch) - when (md) { - is KotlinClassMetadata.Class -> println("Metadata for Class not yet supported") - is KotlinClassMetadata.FileFacade -> { - println("Metadata for FileFacade:") - val kmp = md.toKmPackage() - kmp.accept(MyPackageVisitor(0)) - } - is KotlinClassMetadata.SyntheticClass -> println("Metadata for SyntheticClass not yet supported") - is KotlinClassMetadata.MultiFileClassFacade -> println("Metadata for MultiFileClassFacade not yet supported") - is KotlinClassMetadata.MultiFileClassPart -> println("Metadata for MultiFileClassPart not yet supported") - is KotlinClassMetadata.Unknown -> println("Unknown kind") - else -> println("Unexpected kind") - } -} - -fun pr(indent: Int, s: String) { - println(" ".repeat(indent) + s) -} - -class MyPackageVisitor(val indent: Int): KmPackageVisitor() { - override fun visitFunction(flags: Flags, name: String): KmFunctionVisitor? { - pr(indent, "=> Function; flags:$flags, name:$name") - return MyFunctionVisitor(indent + 1) - } - - override fun visitProperty(flags: Flags, name: String, getterFlags: Flags, setterFlags: Flags): KmPropertyVisitor? { - pr(indent, "=> Properties not yet handled") - return null - } - - override fun visitTypeAlias(flags: Flags, name: String): KmTypeAliasVisitor? { - pr(indent, "=> Type aliases not yet handled") - return null - } - - override fun visitExtensions(type: KmExtensionType): KmPackageExtensionVisitor? { - pr(indent, "=> Package extensions; type:$type") - when (type) { - JvmPackageExtensionVisitor.TYPE -> return MyJvmPackageExtensionVisitor(indent + 1) - else -> { - pr(indent, "- Not yet handled") - return null - } - } - } -} - -class MyFunctionVisitor(val indent: Int): KmFunctionVisitor() { - override fun visitTypeParameter(flags: Flags, name: String, id: Int, variance: KmVariance): KmTypeParameterVisitor? { - pr(indent, "=> Type parameter; flags:$flags, name:$name, id:$id, variance:$variance") - pr(indent, " -> Not yet handled") - return null - } - override fun visitReceiverParameterType(flags: Flags): KmTypeVisitor? { - pr(indent, "=> Receiver parameter type; flags:$flags") - pr(indent, " -> Not yet handled") - return null - } - - override fun visitValueParameter(flags: Flags, name: String): KmValueParameterVisitor? { - pr(indent, "=> Value parameter; flags:$flags, name:$name") - return MyValueParameterVisitor(indent + 1) - } - - override fun visitReturnType(flags: Flags): KmTypeVisitor? { - pr(indent, "=> Return type; flags:$flags") - return MyTypeVisitor(indent + 1) - } - - override fun visitVersionRequirement(): KmVersionRequirementVisitor? { - pr(indent, "=> VersionRequirement not yet handled") - return null - } - - override fun visitContract(): KmContractVisitor? { - pr(indent, "=> Contract not yet handled") - return null - } - - override fun visitExtensions(type: KmExtensionType): KmFunctionExtensionVisitor? { - pr(indent, "=> Function extensions; type:$type") - when (type) { - JvmFunctionExtensionVisitor.TYPE -> return MyJvmFunctionExtensionVisitor(indent + 1) - else -> { - pr(indent, "- Not yet handled") - return null - } - } - } -} - -class MyValueParameterVisitor(val indent: Int): KmValueParameterVisitor() { - override fun visitType(flags: Flags): KmTypeVisitor? { - pr(indent, "=> Type; flags:$flags") - return MyTypeVisitor(indent + 1) - } - - override fun visitVarargElementType(flags: Flags): KmTypeVisitor? { - pr(indent, "=> VarargElementType not yet handled") - return null - } - - override fun visitExtensions(type: KmExtensionType): KmValueParameterExtensionVisitor? { - pr(indent, "=> Value parameter extensions; type:$type; not yet handled") - return null - } -} - -class MyTypeVisitor(val indent: Int): KmTypeVisitor() { - override fun visitClass(name: ClassName) { - pr(indent, "=> Class; name:$name") - } - - override fun visitTypeAlias(name: ClassName) { - pr(indent, "=> Type alias; name:$name") - } - - override fun visitTypeParameter(id: Int) { - pr(indent, "=> Type parameter; id:$id") - } - - override fun visitArgument(flags: Flags, variance: KmVariance): KmTypeVisitor? { - pr(indent, "=> Argument; flags:$flags, variance:$variance") - return MyTypeVisitor(indent + 1) - } - - override fun visitStarProjection() { - pr(indent, "=> Star projection") - } - - override fun visitAbbreviatedType(flags: Flags): KmTypeVisitor? { - pr(indent, "=> AbbreviatedType not yet handled") - return null - } - - override fun visitOuterType(flags: Flags): KmTypeVisitor? { - pr(indent, "=> OuterType not yet handled") - return null - } - - override fun visitFlexibleTypeUpperBound(flags: Flags, typeFlexibilityId: String?): KmTypeVisitor? { - pr(indent, "=> FlexibleTypeUpperBound not yet handled") - return null - } - - override fun visitExtensions(type: KmExtensionType): KmTypeExtensionVisitor? { - pr(indent, "=> Type extensions; type:$type") - when (type) { - JvmTypeExtensionVisitor.TYPE -> return MyJvmTypeExtensionVisitor(indent + 1) - else -> { - pr(indent, "- Not yet handled") - return null - } - } - } -} - -class MyJvmTypeExtensionVisitor(val indent: Int): JvmTypeExtensionVisitor() { - override fun visit(isRaw: Boolean) { - pr(indent, "=> isRaw:$isRaw") - } - - override fun visitAnnotation(annotation: KmAnnotation) { - pr(indent, "=> Annotation; annotation:$annotation") - } -} - -class MyJvmPackageExtensionVisitor(val indent: Int): JvmPackageExtensionVisitor() { - override fun visitLocalDelegatedProperty(flags: Flags, name: String, getterFlags: Flags, setterFlags: Flags): KmPropertyVisitor? { - pr(indent, "=> Local delegate not yet handled") - return null - } - - override fun visitModuleName(name: String) { - pr(indent, "=> Module name; name:$name") - } -} - -class MyJvmFunctionExtensionVisitor(val indent: Int): JvmFunctionExtensionVisitor() { - override fun visit(signature: JvmMethodSignature?) { - pr(indent, "=> signature:$signature") - } - - override fun visitLambdaClassOriginName(internalName: String) { - pr(indent, "=> LambdaClassOriginName; internalName:$internalName") - } -} diff --git a/java/kotlin-extractor/kotlin_plugin_versions.py b/java/kotlin-extractor/kotlin_plugin_versions.py index c5d9e433613..bf1c211073a 100755 --- a/java/kotlin-extractor/kotlin_plugin_versions.py +++ b/java/kotlin-extractor/kotlin_plugin_versions.py @@ -24,7 +24,6 @@ def version_string_to_tuple(version): # Version number used by CI. ci_version = '1.8.10' -# Version numbers in the list need to be in semantically increasing order many_versions = [ '1.4.32', '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta' ] many_versions_tuples = [version_string_to_tuple(v) for v in many_versions] @@ -42,18 +41,13 @@ def get_single_version(fakeVersionOutput = None): if m is None: raise Exception('Cannot detect version of kotlinc (got ' + str(versionOutput) + ')') current_version = version_string_to_tuple(m.group(1)) - matching_minor_versions = [ version for version in many_versions_tuples if version[0:2] == current_version[0:2] ] - if len(matching_minor_versions) == 0: - raise Exception(f'Cannot find a matching minor version for kotlinc version {current_version} (got {versionOutput}; know about {str(many_versions)})') - matching_minor_versions.sort(reverse = True) + many_versions_tuples.sort(reverse = True) - for version in matching_minor_versions: + for version in many_versions_tuples: if version[0:3] <= current_version[0:3]: return version_tuple_to_string(version) - return version_tuple_to_string(matching_minor_versions[-1]) - raise Exception(f'No suitable kotlinc version found for {current_version} (got {versionOutput}; know about {str(many_versions)})') def get_latest_url(): diff --git a/java/ql/lib/change-notes/2023-05-19-path-injection-sinks-mad.md b/java/ql/lib/change-notes/2023-05-19-path-injection-sinks-mad.md new file mode 100644 index 00000000000..ae5cd306c2b --- /dev/null +++ b/java/ql/lib/change-notes/2023-05-19-path-injection-sinks-mad.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`. diff --git a/java/ql/lib/change-notes/2023-06-01-new-models.md b/java/ql/lib/change-notes/2023-06-01-new-models.md new file mode 100644 index 00000000000..d05b3d4d59d --- /dev/null +++ b/java/ql/lib/change-notes/2023-06-01-new-models.md @@ -0,0 +1,7 @@ +--- +category: minorAnalysis +--- +* Added models for the following packages: + + * java.lang + * java.nio.file diff --git a/java/ql/lib/change-notes/2023-06-02-delete-deps.md b/java/ql/lib/change-notes/2023-06-02-delete-deps.md new file mode 100644 index 00000000000..01b2fd5a457 --- /dev/null +++ b/java/ql/lib/change-notes/2023-06-02-delete-deps.md @@ -0,0 +1,6 @@ +--- +category: minorAnalysis +--- +* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead. +* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead. +* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead. \ No newline at end of file diff --git a/java/ql/lib/change-notes/2023-06-06-kotlin-use-with-flow.md b/java/ql/lib/change-notes/2023-06-06-kotlin-use-with-flow.md new file mode 100644 index 00000000000..b21f31aae5f --- /dev/null +++ b/java/ql/lib/change-notes/2023-06-06-kotlin-use-with-flow.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`. diff --git a/java/ql/lib/change-notes/2023-06-06-new-models.md b/java/ql/lib/change-notes/2023-06-06-new-models.md new file mode 100644 index 00000000000..cbb80968749 --- /dev/null +++ b/java/ql/lib/change-notes/2023-06-06-new-models.md @@ -0,0 +1,15 @@ +--- +category: minorAnalysis +--- +* Added models for the following packages: + + * com.alibaba.druid.sql + * com.fasterxml.jackson.databind + * com.jcraft.jsch + * io.netty.handler.ssl + * okhttp3 + * org.antlr.runtime + * org.fusesource.leveldbjni + * org.influxdb + * org.springframework.core.io + * org.yaml.snakeyaml diff --git a/java/ql/lib/change-notes/2023-06-08-type-strengthening.md b/java/ql/lib/change-notes/2023-06-08-type-strengthening.md new file mode 100644 index 00000000000..60daaa53058 --- /dev/null +++ b/java/ql/lib/change-notes/2023-06-08-type-strengthening.md @@ -0,0 +1,4 @@ +--- +category: majorAnalysis +--- +* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types. diff --git a/java/ql/lib/ext/com.alibaba.druid.sql.model.yml b/java/ql/lib/ext/com.alibaba.druid.sql.model.yml new file mode 100644 index 00000000000..952cd6e8f1b --- /dev/null +++ b/java/ql/lib/ext/com.alibaba.druid.sql.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["com.alibaba.druid.sql", "SQLUtils", False, "toMySqlString", "(SQLObject)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] diff --git a/java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml b/java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml index 3768007ebe7..988820e84dd 100644 --- a/java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml +++ b/java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml @@ -9,3 +9,9 @@ extensions: - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"] - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue.Element", "ReturnValue", "taint", "manual"] - ["com.fasterxml.jackson.databind", "ObjectReader", False, "createParser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"] + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readValue", "(File,Class)", "", "Argument[0]", "path-injection", "ai-manual"] + - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "writeValue", "(File,Object)", "", "Argument[0]", "path-injection", "ai-manual"] diff --git a/java/ql/lib/ext/com.google.gson.model.yml b/java/ql/lib/ext/com.google.gson.model.yml index 96f5355b2dc..abc3693ae00 100644 --- a/java/ql/lib/ext/com.google.gson.model.yml +++ b/java/ql/lib/ext/com.google.gson.model.yml @@ -26,18 +26,23 @@ extensions: - ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] - - ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"] + - ["com.google.gson", "JsonArray", True, "add", "(Boolean)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"] + - ["com.google.gson", "JsonArray", True, "add", "(Character)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"] + - ["com.google.gson", "JsonArray", True, "add", "(JsonElement)", "", "Argument[0]", "Argument[this].Element", "value", "manual"] + - ["com.google.gson", "JsonArray", True, "add", "(Number)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"] + - ["com.google.gson", "JsonArray", True, "add", "(String)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"] + - ["com.google.gson", "JsonArray", True, "addAll", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"] - ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"] - ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"] - ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"] - ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"] - ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"] - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"] - - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"] + - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "taint", "manual"] - ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"] - ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"] - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapKey", "value", "manual"] - - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapValue", "value", "manual"] + - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapValue", "ReturnValue.Element.MapValue", "value", "manual"] - ["com.google.gson", "JsonObject", True, "get", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"] - ["com.google.gson", "JsonObject", True, "keySet", "", "", "Argument[this].MapKey", "ReturnValue.Element", "value", "manual"] - ["com.google.gson", "JsonPrimitive", True, "JsonPrimitive", "(Character)", "", "Argument[0]", "Argument[this]", "taint", "manual"] diff --git a/java/ql/lib/ext/com.jcraft.jsch.model.yml b/java/ql/lib/ext/com.jcraft.jsch.model.yml new file mode 100644 index 00000000000..3d658630d56 --- /dev/null +++ b/java/ql/lib/ext/com.jcraft.jsch.model.yml @@ -0,0 +1,11 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"] + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["com.jcraft.jsch", "ChannelSftp", True, "realpath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] diff --git a/java/ql/lib/ext/io.netty.handler.ssl.model.yml b/java/ql/lib/ext/io.netty.handler.ssl.model.yml index 42cf9892f81..f63a7a3906f 100644 --- a/java/ql/lib/ext/io.netty.handler.ssl.model.yml +++ b/java/ql/lib/ext/io.netty.handler.ssl.model.yml @@ -5,3 +5,5 @@ extensions: data: - ["io.netty.handler.ssl", "OpenSslServerContext", False, "OpenSslServerContext", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"] - ["io.netty.handler.ssl", "SslContextBuilder", False, "forServer", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"] + - ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(File)", "", "Argument[0]", "path-injection", "ai-manual"] + - ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"] diff --git a/java/ql/lib/ext/java.io.model.yml b/java/ql/lib/ext/java.io.model.yml index e0920d7df16..83e57a68c74 100644 --- a/java/ql/lib/ext/java.io.model.yml +++ b/java/ql/lib/ext/java.io.model.yml @@ -3,6 +3,10 @@ extensions: pack: codeql/java-all extensible: sinkModel data: + - ["java.io", "File", False, "File", "(File,String)", "", "Argument[1]", "path-injection", "manual"] # old PathCreation + - ["java.io", "File", False, "File", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation + - ["java.io", "File", False, "File", "(String,String)", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation + - ["java.io", "File", False, "File", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation - ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"] - ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.io", "FileInputStream", True, "FileInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"] @@ -11,6 +15,7 @@ extensions: - ["java.io", "FileOutputStream", False, "write", "", "", "Argument[0]", "file-content-store", "manual"] - ["java.io", "FileReader", True, "FileReader", "(File)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.io", "FileReader", True, "FileReader", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] + - ["java.io", "FileReader", True, "FileReader", "(String,Charset)", "", "Argument[0]", "path-injection", "manual"] - ["java.io", "FileSystem", True, "createDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.io", "FileWriter", False, "FileWriter", "", "", "Argument[0]", "path-injection", "manual"] - ["java.io", "PrintStream", False, "PrintStream", "(File)", "", "Argument[0]", "path-injection", "manual"] diff --git a/java/ql/lib/ext/java.lang.model.yml b/java/ql/lib/ext/java.lang.model.yml index 169440fe591..012fb65baab 100644 --- a/java/ql/lib/ext/java.lang.model.yml +++ b/java/ql/lib/ext/java.lang.model.yml @@ -21,14 +21,17 @@ extensions: - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"] - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"] - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"] + # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists. + # - ["java.lang", "Runtime", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] + # - ["java.lang", "Runtime", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] - ["java.lang", "String", False, "matches", "(String)", "", "Argument[0]", "regex-use[f-1]", "manual"] - ["java.lang", "String", False, "replaceAll", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"] - ["java.lang", "String", False, "replaceFirst", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"] - ["java.lang", "String", False, "split", "(String)", "", "Argument[0]", "regex-use[-1]", "manual"] - ["java.lang", "String", False, "split", "(String,int)", "", "Argument[0]", "regex-use[-1]", "manual"] - # These are modeled in plain CodeQL. TODO: migrate them. - # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library. - # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library. + # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists. + # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] + # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] - ["java.lang", "System$Logger", True, "log", "(Level,Object)", "", "Argument[1]", "log-injection", "manual"] - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Object[])", "", "Argument[2..3]", "log-injection", "manual"] - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Throwable)", "", "Argument[2]", "log-injection", "manual"] diff --git a/java/ql/lib/ext/java.nio.file.model.yml b/java/ql/lib/ext/java.nio.file.model.yml index e4519fbc071..5e3f32b5e6f 100644 --- a/java/ql/lib/ext/java.nio.file.model.yml +++ b/java/ql/lib/ext/java.nio.file.model.yml @@ -18,6 +18,7 @@ extensions: - ["java.nio.file", "Files", False, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] + - ["java.nio.file", "Files", False, "getFileStore", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # the FileStore class is unlikely to be used for later sanitization - ["java.nio.file", "Files", False, "lines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "lines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "path-injection", "manual"] @@ -26,6 +27,7 @@ extensions: - ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "path-injection", "manual"] - ["java.nio.file", "Files", False, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "newOutputStream", "", "", "Argument[0]", "path-injection", "manual"] + - ["java.nio.file", "Files", False, "probeContentType", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # accesses the file based on user input, but only reads its content type from it - ["java.nio.file", "Files", False, "readAllBytes", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "readAllLines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", False, "readAllLines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] @@ -40,12 +42,23 @@ extensions: - ["java.nio.file", "Files", True, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"] + - ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation + - ["java.nio.file", "Path", False, "of", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation + - ["java.nio.file", "Path", False, "of", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation + - ["java.nio.file", "Path", False, "resolve", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation + - ["java.nio.file", "Path", False, "resolveSibling", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation + - ["java.nio.file", "Paths", False, "get", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation + - ["java.nio.file", "Paths", False, "get", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation - ["java.nio.file", "SecureDirectoryStream", True, "deleteDirectory", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - ["java.nio.file", "SecureDirectoryStream", True, "deleteFile", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] - addsTo: pack: codeql/java-all extensible: summaryModel data: + - ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"] + - ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[2]", "ReturnValue.Element", "taint", "ai-manual"] + - ["java.nio.file", "Files", False, "list", "(Path)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"] + - ["java.nio.file", "Files", False, "readSymbolicLink", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] # this can be used to enumerate a file system - ["java.nio.file", "Files", True, "newBufferedReader", "(Path,Charset)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] - ["java.nio.file", "Files", True, "newBufferedReader", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] - ["java.nio.file", "Files", True, "newByteChannel", "(Path,OpenOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] diff --git a/java/ql/lib/ext/java.sql.model.yml b/java/ql/lib/ext/java.sql.model.yml index c93a89cfd2c..58985c886b5 100644 --- a/java/ql/lib/ext/java.sql.model.yml +++ b/java/ql/lib/ext/java.sql.model.yml @@ -21,7 +21,6 @@ extensions: extensible: summaryModel data: - ["java.sql", "Connection", True, "nativeSQL", "(String)", "", "Argument[0]", "ReturnValue", "taint", "hq-manual"] - - ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "Argument[this]", "value", "manual"] - ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"] - addsTo: @@ -31,13 +30,14 @@ extensions: - ["java.sql", "Connection", "createStatement", "()", "summary", "manual"] - ["java.sql", "PreparedStatement", "executeUpdate", "()", "summary", "manual"] - ["java.sql", "PreparedStatement", "executeQuery", "()", "summary", "manual"] + - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "summary", "manual"] + - ["java.sql", "PreparedStatement", "setLong", "(int,long)", "summary", "manual"] + - ["java.sql", "PreparedStatement", "setString", "(int,String)", "summary", "manual"] - ["java.sql", "ResultSet", "next", "()", "summary", "manual"] - ["java.sql", "Statement", "close", "()", "summary", "manual"] # The below APIs have numeric flow and are currently being stored as neutral models. # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future. - - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "summary", "manual"] # value-numeric - - ["java.sql", "PreparedStatement", "setLong", "(int,long)", "summary", "manual"] # value-numeric - ["java.sql", "ResultSet", "getInt", "(int)", "summary", "manual"] # taint-numeric - ["java.sql", "ResultSet", "getInt", "(String)", "summary", "manual"] # taint-numeric - ["java.sql", "ResultSet", "getLong", "(String)", "summary", "manual"] # taint-numeric diff --git a/java/ql/lib/ext/kotlin.io.model.yml b/java/ql/lib/ext/kotlin.io.model.yml index 98de45df9d6..b748e04a292 100644 --- a/java/ql/lib/ext/kotlin.io.model.yml +++ b/java/ql/lib/ext/kotlin.io.model.yml @@ -11,6 +11,8 @@ extensions: pack: codeql/java-all extensible: summaryModel data: + - ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"] + - ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"] - ["kotlin.io", "FilesKt", False, "normalize", "(File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] - ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] - ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"] diff --git a/java/ql/lib/ext/kotlin.model.yml b/java/ql/lib/ext/kotlin.model.yml new file mode 100644 index 00000000000..ea275a78515 --- /dev/null +++ b/java/ql/lib/ext/kotlin.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["kotlin", "StandardKt", False, "with", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"] + - ["kotlin", "StandardKt", False, "with", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"] diff --git a/java/ql/lib/ext/okhttp3.model.yml b/java/ql/lib/ext/okhttp3.model.yml index 2368292dab7..a0662408708 100644 --- a/java/ql/lib/ext/okhttp3.model.yml +++ b/java/ql/lib/ext/okhttp3.model.yml @@ -58,3 +58,4 @@ extensions: - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[this]", "ReturnValue", "value", "manual"] - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[0]", "Argument[this]", "taint", "manual"] - ["okhttp3", "HttpUrl$Builder", False, "username", "", "", "Argument[this]", "ReturnValue", "value", "manual"] + - ["okhttp3", "Request$Builder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"] diff --git a/java/ql/lib/ext/org.antlr.runtime.model.yml b/java/ql/lib/ext/org.antlr.runtime.model.yml new file mode 100644 index 00000000000..db66062c682 --- /dev/null +++ b/java/ql/lib/ext/org.antlr.runtime.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.antlr.runtime", "ANTLRFileStream", True, "ANTLRFileStream", "(String,String)", "", "Argument[0]", "path-injection", "ai-manual"] diff --git a/java/ql/lib/ext/org.fusesource.leveldbjni.model.yml b/java/ql/lib/ext/org.fusesource.leveldbjni.model.yml new file mode 100644 index 00000000000..2c3f221abd7 --- /dev/null +++ b/java/ql/lib/ext/org.fusesource.leveldbjni.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.fusesource.leveldbjni", "JniDBFactory", True, "open", "(File,Options)", "", "Argument[0]", "path-injection", "ai-manual"] diff --git a/java/ql/lib/ext/org.influxdb.model.yml b/java/ql/lib/ext/org.influxdb.model.yml new file mode 100644 index 00000000000..00dc8277407 --- /dev/null +++ b/java/ql/lib/ext/org.influxdb.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.influxdb", "InfluxDBFactory", False, "connect", "(String,String,String,Builder)", "", "Argument[0]", "request-forgery", "ai-manual"] diff --git a/java/ql/lib/ext/org.springframework.core.io.model.yml b/java/ql/lib/ext/org.springframework.core.io.model.yml new file mode 100644 index 00000000000..b6dd35c8096 --- /dev/null +++ b/java/ql/lib/ext/org.springframework.core.io.model.yml @@ -0,0 +1,7 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] + - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "request-forgery", "manual"] diff --git a/java/ql/lib/ext/org.yaml.snakeyaml.model.yml b/java/ql/lib/ext/org.yaml.snakeyaml.model.yml new file mode 100644 index 00000000000..e52ef0679bc --- /dev/null +++ b/java/ql/lib/ext/org.yaml.snakeyaml.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["org.yaml.snakeyaml", "Yaml", True, "load", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] diff --git a/java/ql/lib/semmle/code/java/Expr.qll b/java/ql/lib/semmle/code/java/Expr.qll index 0e0d0acea3f..92c81650bc3 100644 --- a/java/ql/lib/semmle/code/java/Expr.qll +++ b/java/ql/lib/semmle/code/java/Expr.qll @@ -1809,9 +1809,6 @@ class LValue extends VarAccess { * are source expressions of the assignment. */ Expr getRhs() { exists(Assignment e | e.getDest() = this and e.getSource() = result) } - - /** DEPRECATED: Alias for getRhs */ - deprecated Expr getRHS() { result = this.getRhs() } } /** diff --git a/java/ql/lib/semmle/code/java/Type.qll b/java/ql/lib/semmle/code/java/Type.qll index f60fdcc8e5d..fcf31e3be0d 100644 --- a/java/ql/lib/semmle/code/java/Type.qll +++ b/java/ql/lib/semmle/code/java/Type.qll @@ -987,6 +987,17 @@ private string getAPublicObjectMethodSignature() { ) } +pragma[nomagic] +private predicate interfaceInheritsOverridingNonAbstractMethod(Interface interface, Method m) { + interface.inherits(m) and + not m.isAbstract() and + m.overrides(_) +} + +bindingset[m] +pragma[inline_late] +private Method getAnOverridden(Method m) { m.overrides(result) } + private Method getAnAbstractMethod(Interface interface) { interface.inherits(result) and result.isAbstract() and @@ -995,9 +1006,8 @@ private Method getAnAbstractMethod(Interface interface) { // Make sure that there is no other non-abstract method // (e.g. `default`) which overrides the abstract one not exists(Method m | - interface.inherits(m) and - not m.isAbstract() and - m.overrides(result) + interfaceInheritsOverridingNonAbstractMethod(interface, m) and + result = getAnOverridden(m) ) } diff --git a/java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll b/java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll index 6b7736cb70d..3563176f4b0 100644 --- a/java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll +++ b/java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll @@ -6,15 +6,6 @@ import java -/** - * DEPRECATED: Use `conditionCheckMethodArgument` instead. - * Holds if `m` is a non-overridable method that checks that its first argument - * is equal to `checkTrue` and throws otherwise. - */ -deprecated predicate conditionCheckMethod(Method m, boolean checkTrue) { - conditionCheckMethodArgument(m, 0, checkTrue) -} - /** * Holds if `m` is a non-overridable method that checks that its zero-indexed `argument` * is equal to `checkTrue` and throws otherwise. diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 5fb9ce0f8f1..bb8485cd601 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -265,13 +265,57 @@ module ModelValidation { ) } + private class OutdatedSinkKind extends string { + OutdatedSinkKind() { + this = + [ + "sql", "url-redirect", "xpath", "ssti", "logging", "groovy", "jexl", "mvel", "xslt", + "ldap", "pending-intent-sent", "intent-start", "set-hostname-verifier", + "header-splitting", "xss", "write-file", "create-file", "read-file", "open-url", + "jdbc-url" + ] + } + + private string replacementKind() { + this = ["sql", "xpath", "groovy", "jexl", "mvel", "xslt", "ldap"] and + result = this + "-injection" + or + this = "url-redirect" and result = "url-redirection" + or + this = "ssti" and result = "template-injection" + or + this = "logging" and result = "log-injection" + or + this = "pending-intent-sent" and result = "pending-intents" + or + this = "intent-start" and result = "intent-redirection" + or + this = "set-hostname-verifier" and result = "hostname-verification" + or + this = "header-splitting" and result = "response-splitting" + or + this = "xss" and result = "html-injection\" or \"js-injection" + or + this = "write-file" and result = "file-content-store" + or + this = ["create-file", "read-file"] and result = "path-injection" + or + this = ["open-url", "jdbc-url"] and result = "request-forgery" + } + + string outdatedMessage() { + result = + "The kind \"" + this + "\" is outdated. Use \"" + this.replacementKind() + "\" instead." + } + } + private string getInvalidModelKind() { exists(string kind | summaryModel(_, _, _, _, _, _, _, _, kind, _) | not kind = ["taint", "value"] and result = "Invalid kind \"" + kind + "\" in summary model." ) or - exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) | + exists(string kind, string msg | sinkModel(_, _, _, _, _, _, _, kind, _) | not kind = [ "request-forgery", "jndi-injection", "ldap-injection", "sql-injection", "log-injection", @@ -283,7 +327,11 @@ module ModelValidation { ] and not kind.matches("regex-use%") and not kind.matches("qltest%") and - result = "Invalid kind \"" + kind + "\" in sink model." + msg = "Invalid kind \"" + kind + "\" in sink model." and + // The part of this message that refers to outdated sink kinds can be deleted after June 1st, 2024. + if kind instanceof OutdatedSinkKind + then result = msg + " " + kind.(OutdatedSinkKind).outdatedMessage() + else result = msg ) or exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) | diff --git a/java/ql/lib/semmle/code/java/dataflow/SSA.qll b/java/ql/lib/semmle/code/java/dataflow/SSA.qll index d4ff7ed0ac7..dd478b2a869 100644 --- a/java/ql/lib/semmle/code/java/dataflow/SSA.qll +++ b/java/ql/lib/semmle/code/java/dataflow/SSA.qll @@ -931,9 +931,6 @@ class SsaVariable extends TSsaVariable { this = TSsaUntracked(_, result) } - /** DEPRECATED: Alias for getCfgNode */ - deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() } - /** Gets a textual representation of this SSA variable. */ string toString() { none() } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll b/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll index 6f53dbd02c1..6e41c803553 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll @@ -483,9 +483,6 @@ class BaseSsaVariable extends TBaseSsaVariable { this = TSsaEntryDef(_, result) } - /** DEPRECATED: Alias for getCfgNode */ - deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() } - string toString() { none() } Location getLocation() { result = this.getCfgNode().getLocation() } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll index ddf98ac0f2f..984c5ae2018 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll @@ -1135,8 +1135,8 @@ module Impl { DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow ); - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap); + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t); bindingset[typ, contentType] predicate typecheckStore(Typ typ, DataFlowType contentType); @@ -1199,17 +1199,21 @@ module Impl { NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, ApOption argAp, Typ t, Ap ap, ApApprox apa ) { - fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and - PrevStage::revFlow(node, state, apa) and - filter(node, state, t, ap) + fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa) } - pragma[inline] - additional predicate fwdFlow( + private predicate fwdFlow1( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap + ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa ) { - fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _) + fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and + PrevStage::revFlow(node, state, apa) and + filter(node, state, t0, ap, t) + } + + pragma[nomagic] + private predicate typeStrengthen(Typ t0, Ap ap, Typ t) { + fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } pragma[assume_small_delta] @@ -1339,6 +1343,11 @@ module Impl { private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) { fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and cons = apCons(c, t1, tail) + or + exists(Typ t0 | + typeStrengthen(t0, cons, t2) and + fwdFlowConsCand(t0, cons, c, t1, tail) + ) } pragma[nomagic] @@ -1359,7 +1368,7 @@ module Impl { ParamNodeOption summaryCtx, TypOption argT, ApOption argAp ) { exists(ApHeadContent apc | - fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and + fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and apc = getHeadContent(ap) and readStepCand0(node1, apc, c, node2) ) @@ -1520,14 +1529,14 @@ module Impl { NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { revFlow0(node, state, returnCtx, returnAp, ap) and - fwdFlow(node, state, _, _, _, _, _, ap) + fwdFlow(node, state, _, _, _, _, _, ap, _) } pragma[nomagic] private predicate revFlow0( NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap ) { - fwdFlow(node, state, _, _, _, _, _, ap) and + fwdFlow(node, state, _, _, _, _, _, ap, _) and sinkNode(node, state) and ( if hasSinkCallCtx() @@ -1780,13 +1789,13 @@ module Impl { boolean fwd, int nodes, int fields, int conscand, int states, int tuples ) { fwd = true and - nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and + nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and fields = count(Content f0 | fwdConsCand(f0, _, _)) and conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and - states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and + states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and tuples = count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, - ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap)) + ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _)) or fwd = false and nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and @@ -1963,10 +1972,10 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { PrevStage::revFlowState(state) and - exists(t) and + t0 = t and exists(ap) and not stateBarrier(node, state) and ( @@ -2197,8 +2206,8 @@ module Impl { import BooleanCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and exists(lcc) @@ -2218,10 +2227,16 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + // We can get away with not using type strengthening here, since we aren't + // going to use the tracked types in the construction of Stage 4 access + // paths. For Stage 4 and onwards, the tracked types must be consistent as + // the cons candidates including types are used to construct subsequent + // access path approximations. + t0 = t and + (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and ( notExpectsContent(node) or @@ -2241,6 +2256,16 @@ module Impl { import MkStage::Stage } + bindingset[node, t0] + private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) { + if castingNodeEx(node) + then + exists(DataFlowType nt | nt = node.getDataFlowType() | + if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0) + ) + else t = t0 + } + private module Stage4Param implements MkStage::StageParam { private module PrevStage = Stage3; @@ -2274,8 +2299,8 @@ module Impl { pragma[nomagic] predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2333,11 +2358,11 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { exists(state) and not clear(node, ap) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + strengthenType(node, t0, t) and ( notExpectsContent(node) or @@ -2365,7 +2390,7 @@ module Impl { exists(AccessPathFront apf | Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _, - apf) + apf, _) ) } @@ -2579,8 +2604,8 @@ module Impl { import LocalCallContext predicate localStep( - NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, - DataFlowType t, LocalCc lcc + NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t, + LocalCc lcc ) { localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and @@ -2609,9 +2634,9 @@ module Impl { ) } - bindingset[node, state, t, ap] - predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) { - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and + bindingset[node, state, t0, ap] + predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) { + strengthenType(node, t0, t) and exists(state) and exists(ap) } @@ -2632,7 +2657,7 @@ module Impl { Stage5::parameterMayFlowThrough(p, _) and Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _, - TAccessPathApproxSome(apa), _, apa0) + TAccessPathApproxSome(apa), _, apa0, _) ) } @@ -2649,7 +2674,7 @@ module Impl { TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) { exists(AccessPathApprox apa | ap.getApprox() = apa | Stage5::parameterMayFlowThrough(p, apa) and - Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and + Stage5::fwdFlow(p, state, _, _, Option::some(t), _, _, apa, _) and Stage5::revFlow(p, state, _) ) } @@ -2820,9 +2845,7 @@ module Impl { ap = TAccessPathNil() or // ... or a step from an existing PathNode to another node. - pathStep(_, node, state, cc, sc, t, ap) and - Stage5::revFlow(node, state, ap.getApprox()) and - (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) + pathStep(_, node, state, cc, sc, t, ap) } or TPathNodeSink(NodeEx node, FlowState state) { exists(PathNodeMid sink | @@ -3340,13 +3363,24 @@ module Impl { ap = mid.getAp() } + private predicate pathStep( + PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, + AccessPath ap + ) { + exists(DataFlowType t0 | + pathStep0(mid, node, state, cc, sc, t0, ap) and + Stage5::revFlow(node, state, ap.getApprox()) and + strengthenType(node, t0, t) + ) + } + /** * Holds if data may flow from `mid` to `node`. The last step in or out of * a callable is recorded by `cc`. */ pragma[assume_small_delta] pragma[nomagic] - private predicate pathStep( + private predicate pathStep0( PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t, AccessPath ap ) { @@ -3964,7 +3998,7 @@ module Impl { ap = TPartialNil() and exists(explorationLimit()) or - partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and distSrc(node.getEnclosingCallable()) <= explorationLimit() } or TPartialPathNodeRev( @@ -3990,11 +4024,20 @@ module Impl { } pragma[nomagic] - private predicate partialPathNodeMk0( - NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, - TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap + private predicate partialPathStep( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { - partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and + partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap) + } + + pragma[nomagic] + private predicate partialPathStep1( + PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, + TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t, + PartialAccessPath ap + ) { + partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and not fullBarrier(node) and not stateBarrier(node, state) and not clearsContentEx(node, ap.getHead()) and @@ -4002,9 +4045,14 @@ module Impl { notExpectsContent(node) or expectsContentEx(node, ap.getHead()) ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), t) - else any() + strengthenType(node, t0, t) + } + + pragma[nomagic] + private predicate partialPathTypeStrengthen( + DataFlowType t0, PartialAccessPath ap, DataFlowType t + ) { + partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t } /** @@ -4183,7 +4231,8 @@ module Impl { } } - private predicate partialPathStep( + pragma[nomagic] + private predicate partialPathStep0( PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap ) { @@ -4309,6 +4358,11 @@ module Impl { DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2 ) { partialPathStoreStep(_, t1, ap1, c, _, t2, ap2) + or + exists(DataFlowType t0 | + partialPathTypeStrengthen(t0, ap2, t2) and + apConsFwd(t1, ap1, c, t0, ap2) + ) } pragma[nomagic] diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll index 22f84241c96..01bf90cb7ba 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll @@ -176,7 +176,7 @@ predicate expectsContent(Node n, ContentSet c) { * possible flow. A single type is used for all numeric types to account for * numeric conversions, and otherwise the erasure is used. */ -DataFlowType getErasedRepr(Type t) { +RefType getErasedRepr(Type t) { exists(Type e | e = t.getErasure() | if e instanceof NumericOrCharType then result.(BoxedType).getPrimitiveType().getName() = "double" @@ -189,6 +189,13 @@ DataFlowType getErasedRepr(Type t) { t instanceof NullType and result instanceof TypeObject } +class DataFlowType extends SrcRefType { + DataFlowType() { this = getErasedRepr(_) } +} + +pragma[nomagic] +predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { t1.getASourceSupertype+() = t2 } + pragma[noinline] DataFlowType getNodeType(Node n) { result = getErasedRepr(n.getTypeBound()) @@ -259,8 +266,6 @@ class DataFlowCallable extends TDataFlowCallable { class DataFlowExpr = Expr; -class DataFlowType = RefType; - private newtype TDataFlowCall = TCall(Call c) or TSummaryCall(SummarizedCallable c, Node receiver) { diff --git a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll index 2213960222e..5c037258309 100644 --- a/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll +++ b/java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll @@ -456,9 +456,6 @@ class ArbitraryXmlEntryPoint extends ReflectivelyConstructedClass { } } -/** DEPRECATED: Alias for ArbitraryXmlEntryPoint */ -deprecated class ArbitraryXMLEntryPoint = ArbitraryXmlEntryPoint; - /** A Selenium PageObject, created by a call to PageFactory.initElements(..). */ class SeleniumPageObjectEntryPoint extends ReflectivelyConstructedClass instanceof SeleniumPageObject { } diff --git a/java/ql/lib/semmle/code/java/frameworks/Networking.qll b/java/ql/lib/semmle/code/java/frameworks/Networking.qll index 8f86c8f75e7..c473cc9fc09 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Networking.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Networking.qll @@ -38,9 +38,6 @@ class UrlConnectionGetInputStreamMethod extends Method { } } -/** DEPRECATED: Alias for UrlConnectionGetInputStreamMethod */ -deprecated class URLConnectionGetInputStreamMethod = UrlConnectionGetInputStreamMethod; - /** The method `java.net.Socket::getInputStream`. */ class SocketGetInputStreamMethod extends Method { SocketGetInputStreamMethod() { diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll index 82e837862be..f2de51b2aab 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll @@ -128,9 +128,6 @@ class HttpServletRequestGetRequestUrlMethod extends Method { } } -/** DEPRECATED: Alias for HttpServletRequestGetRequestUrlMethod */ -deprecated class HttpServletRequestGetRequestURLMethod = HttpServletRequestGetRequestUrlMethod; - /** * The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`. */ @@ -339,9 +336,6 @@ class ServletWebXmlListenerType extends RefType { } } -/** DEPRECATED: Alias for ServletWebXmlListenerType */ -deprecated class ServletWebXMLListenerType = ServletWebXmlListenerType; - /** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */ predicate isServletRequestMethod(Method m) { m.getDeclaringType() instanceof ServletClass and diff --git a/java/ql/lib/semmle/code/java/frameworks/UnboundId.qll b/java/ql/lib/semmle/code/java/frameworks/UnboundId.qll index e19a6b43019..8bab6dfe581 100644 --- a/java/ql/lib/semmle/code/java/frameworks/UnboundId.qll +++ b/java/ql/lib/semmle/code/java/frameworks/UnboundId.qll @@ -29,9 +29,6 @@ class TypeUnboundIdLdapConnection extends Class { } } -/** DEPRECATED: Alias for TypeUnboundIdLdapConnection */ -deprecated class TypeUnboundIdLDAPConnection = TypeUnboundIdLdapConnection; - /*--- Methods ---*/ /** A method with the name `setBaseDN` declared in `com.unboundid.ldap.sdk.SearchRequest`. */ class MethodUnboundIdSearchRequestSetBaseDN extends Method { @@ -103,9 +100,6 @@ class MethodUnboundIdLdapConnectionSearch extends Method { } } -/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearch */ -deprecated class MethodUnboundIdLDAPConnectionSearch = MethodUnboundIdLdapConnectionSearch; - /** A method with the name `asyncSearch` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */ class MethodUnboundIdLdapConnectionAsyncSearch extends Method { MethodUnboundIdLdapConnectionAsyncSearch() { @@ -114,10 +108,6 @@ class MethodUnboundIdLdapConnectionAsyncSearch extends Method { } } -/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionAsyncSearch */ -deprecated class MethodUnboundIdLDAPConnectionAsyncSearch = - MethodUnboundIdLdapConnectionAsyncSearch; - /** A method with the name `searchForEntry` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */ class MethodUnboundIdLdapConnectionSearchForEntry extends Method { MethodUnboundIdLdapConnectionSearchForEntry() { @@ -125,7 +115,3 @@ class MethodUnboundIdLdapConnectionSearchForEntry extends Method { this.hasName("searchForEntry") } } - -/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearchForEntry */ -deprecated class MethodUnboundIdLDAPConnectionSearchForEntry = - MethodUnboundIdLdapConnectionSearchForEntry; diff --git a/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll index 79fd19f4ef2..f1395431a3c 100644 --- a/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll +++ b/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll @@ -20,9 +20,6 @@ class JacksonJsonIgnoreAnnotation extends NonReflectiveAnnotation { } } -/** DEPRECATED: Alias for JacksonJsonIgnoreAnnotation */ -deprecated class JacksonJSONIgnoreAnnotation = JacksonJsonIgnoreAnnotation; - /** A type whose values may be serialized using the Jackson JSON framework. */ abstract class JacksonSerializableType extends Type { } diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/PersistenceXML.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/PersistenceXML.qll index faca537d171..7564dafa37e 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/PersistenceXML.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/PersistenceXML.qll @@ -26,9 +26,6 @@ class PersistenceXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for PersistenceXmlFile */ -deprecated class PersistenceXMLFile = PersistenceXmlFile; - /** The root `persistence` XML element in a `persistence.xml` file. */ class PersistenceXmlRoot extends XmlElement { PersistenceXmlRoot() { diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBJarXML.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBJarXML.qll index 9323b3852b4..f44d77d89bd 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBJarXML.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBJarXML.qll @@ -35,9 +35,6 @@ class EjbJarXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for EjbJarXmlFile */ -deprecated class EjbJarXMLFile = EjbJarXmlFile; - /** The root `ejb-jar` XML element in an `ejb-jar.xml` file. */ class EjbJarRootElement extends XmlElement { EjbJarRootElement() { diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFFacesContextXML.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFFacesContextXML.qll index f85f36c37a3..13ed765638d 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFFacesContextXML.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFFacesContextXML.qll @@ -16,9 +16,6 @@ class FacesConfigXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for FacesConfigXmlFile */ -deprecated class FacesConfigXMLFile = FacesConfigXmlFile; - /** * An XML element in a `FacesConfigXMLFile`. */ @@ -31,9 +28,6 @@ class FacesConfigXmlElement extends XmlElement { string getValue() { result = this.allCharactersString().trim() } } -/** DEPRECATED: Alias for FacesConfigXmlElement */ -deprecated class FacesConfigXMLElement = FacesConfigXmlElement; - /** * An element in a JSF config file that declares a managed bean. */ diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll index 1dd6dfd292f..966db95afce 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll @@ -100,9 +100,6 @@ class SpringBeanXmlAutowiredSetterMethod extends Method { } } -/** DEPRECATED: Alias for SpringBeanXmlAutowiredSetterMethod */ -deprecated class SpringBeanXMLAutowiredSetterMethod = SpringBeanXmlAutowiredSetterMethod; - /** * A callable that is annotated with `@Autowired`. * diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringCamel.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringCamel.qll index 9bbdaad9687..985565255b6 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringCamel.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringCamel.qll @@ -13,9 +13,6 @@ class SpringCamelXmlElement extends SpringXmlElement { SpringCamelXmlElement() { this.getNamespace().getUri() = "http://camel.apache.org/schema/spring" } } -/** DEPRECATED: Alias for SpringCamelXmlElement */ -deprecated class SpringCamelXMLElement = SpringCamelXmlElement; - /** * An element in a Spring beans file that defines an Apache Camel context. * @@ -25,9 +22,6 @@ class SpringCamelXmlContext extends SpringCamelXmlElement { SpringCamelXmlContext() { this.getName() = "camelContext" } } -/** DEPRECATED: Alias for SpringCamelXmlContext */ -deprecated class SpringCamelXMLContext = SpringCamelXmlContext; - /** * An element in a Spring beans file that defines an Apache Camel route context. * @@ -38,9 +32,6 @@ class SpringCamelXmlRouteContext extends SpringCamelXmlElement { SpringCamelXmlRouteContext() { this.getName() = "routeContext" } } -/** DEPRECATED: Alias for SpringCamelXmlRouteContext */ -deprecated class SpringCamelXMLRouteContext = SpringCamelXmlRouteContext; - /** * An element in a Spring beans files that defines an Apache Camel route. * @@ -58,9 +49,6 @@ class SpringCamelXmlRoute extends SpringCamelXmlElement { } } -/** DEPRECATED: Alias for SpringCamelXmlRoute */ -deprecated class SpringCamelXMLRoute = SpringCamelXmlRoute; - /** * An element in a Spring bean file that is logically contained in an Apache Camel route. */ @@ -71,9 +59,6 @@ class SpringCamelXmlRouteElement extends SpringCamelXmlElement { } } -/** DEPRECATED: Alias for SpringCamelXmlRouteElement */ -deprecated class SpringCamelXMLRouteElement = SpringCamelXmlRouteElement; - /** * A reference to a Spring bean in an Apache Camel route defined in a Spring beans file. * @@ -98,9 +83,6 @@ class SpringCamelXmlBeanRef extends SpringCamelXmlRouteElement { RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() } } -/** DEPRECATED: Alias for SpringCamelXmlBeanRef */ -deprecated class SpringCamelXMLBeanRef = SpringCamelXmlBeanRef; - /** * A declaration of a target in an Apache Camel route defined in a Spring beans file. * @@ -120,9 +102,6 @@ class SpringCamelXmlToElement extends SpringCamelXmlRouteElement { deprecated string getURI() { result = this.getUri() } } -/** DEPRECATED: Alias for SpringCamelXmlToElement */ -deprecated class SpringCamelXMLToElement = SpringCamelXmlToElement; - /** * A declaration of a Apache Camel "method" expression defined in a Spring beans file. * @@ -147,6 +126,3 @@ class SpringCamelXmlMethodElement extends SpringCamelXmlElement { */ RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() } } - -/** DEPRECATED: Alias for SpringCamelXmlMethodElement */ -deprecated class SpringCamelXMLMethodElement = SpringCamelXmlMethodElement; diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringComponentScan.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringComponentScan.qll index f3380c45458..d285e9d0e6a 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringComponentScan.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringComponentScan.qll @@ -23,9 +23,6 @@ class SpringXmlComponentScan extends SpringXmlElement { string getAProfileExpr() { result = this.getSpringBeanFile().getAProfileExpr() } } -/** DEPRECATED: Alias for SpringXmlComponentScan */ -deprecated class SpringXMLComponentScan = SpringXmlComponentScan; - /** * An annotation of a class that configures which packages are considered to be "base" packages * when performing the Spring component scan. diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringFlex.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringFlex.qll index 0d18749a63e..af0afa91f4c 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringFlex.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringFlex.qll @@ -57,11 +57,6 @@ class SpringRemotingDestinationClass extends Class { */ SpringRemotingDestination getRemotingDestinationXml() { this = result.getSpringBean().getClass() } - /** DEPRECATED: Alias for getRemotingDestinationXml */ - deprecated SpringRemotingDestination getRemotingDestinationXML() { - result = this.getRemotingDestinationXml() - } - /** * Holds if the class is operating on an "include" or "exclude" basis. * diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringXMLElement.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringXMLElement.qll index efc7dfdaaf2..312cd659b39 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringXMLElement.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringXMLElement.qll @@ -37,6 +37,3 @@ class SpringXmlElement extends XmlElement { string getContentString() { result = this.allCharactersString() } } - -/** DEPRECATED: Alias for SpringXmlElement */ -deprecated class SpringXMLElement = SpringXmlElement; diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll index fd9f14d4c6f..b3adfa8d80e 100644 --- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll +++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll @@ -77,9 +77,6 @@ StrutsXmlFile getRootXmlFile(RefType refType) { ) } -/** DEPRECATED: Alias for getRootXmlFile */ -deprecated StrutsXMLFile getRootXMLFile(RefType refType) { result = getRootXmlFile(refType) } - /** * Gets the suffix used for automatically identifying actions when using the convention plugin. * diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsXML.qll b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsXML.qll index 3009056cce3..273034978d1 100644 --- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsXML.qll +++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsXML.qll @@ -5,9 +5,6 @@ import java */ predicate isStrutsXmlIncluded() { exists(StrutsXmlFile strutsXml) } -/** DEPRECATED: Alias for isStrutsXmlIncluded */ -deprecated predicate isStrutsXMLIncluded = isStrutsXmlIncluded/0; - /** * A struts 2 configuration file. */ @@ -51,9 +48,6 @@ abstract class StrutsXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for StrutsXmlFile */ -deprecated class StrutsXMLFile = StrutsXmlFile; - /** * A Struts 2 "root" configuration XML file directly read by struts. * @@ -66,9 +60,6 @@ class StrutsRootXmlFile extends StrutsXmlFile { } } -/** DEPRECATED: Alias for StrutsRootXmlFile */ -deprecated class StrutsRootXMLFile = StrutsRootXmlFile; - /** * A Struts 2 configuration XML file included, directly or indirectly, by a root Struts configuration. */ @@ -76,9 +67,6 @@ class StrutsIncludedXmlFile extends StrutsXmlFile { StrutsIncludedXmlFile() { exists(StrutsXmlInclude include | this = include.getIncludedFile()) } } -/** DEPRECATED: Alias for StrutsIncludedXmlFile */ -deprecated class StrutsIncludedXMLFile = StrutsIncludedXmlFile; - /** * A Folder which has one or more Struts 2 root configurations. */ @@ -116,9 +104,6 @@ class StrutsXmlElement extends XmlElement { string getValue() { result = this.allCharactersString().trim() } } -/** DEPRECATED: Alias for StrutsXmlElement */ -deprecated class StrutsXMLElement = StrutsXmlElement; - /** * A `` element within a `struts.xml` file. * @@ -141,9 +126,6 @@ class StrutsXmlInclude extends StrutsXmlElement { } } -/** DEPRECATED: Alias for StrutsXmlInclude */ -deprecated class StrutsXMLInclude = StrutsXmlInclude; - /** * Escape a string for use as the matcher in a string.match(..) call. */ @@ -192,9 +174,6 @@ class StrutsXmlAction extends StrutsXmlElement { } } -/** DEPRECATED: Alias for StrutsXmlAction */ -deprecated class StrutsXMLAction = StrutsXmlAction; - /** * A `` property, representing a configuration parameter to struts. */ @@ -205,6 +184,3 @@ class StrutsXmlConstant extends StrutsXmlElement { string getConstantValue() { result = this.getAttribute("value").getValue() } } - -/** DEPRECATED: Alias for StrutsXmlConstant */ -deprecated class StrutsXMLConstant = StrutsXmlConstant; diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll index c0c35103331..88a1996ffd9 100644 --- a/java/ql/lib/semmle/code/java/security/Encryption.qll +++ b/java/ql/lib/semmle/code/java/security/Encryption.qll @@ -25,9 +25,6 @@ class HttpsUrlConnection extends RefType { HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") } } -/** DEPRECATED: Alias for HttpsUrlConnection */ -deprecated class HttpsURLConnection = HttpsUrlConnection; - class SslSocketFactory extends RefType { SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") } } diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll index 89b24006475..beef024eb15 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll @@ -12,9 +12,6 @@ import semmle.code.java.dataflow.TaintTracking */ abstract class SafeExternalApiMethod extends Method { } -/** DEPRECATED: Alias for SafeExternalApiMethod */ -deprecated class SafeExternalAPIMethod = SafeExternalApiMethod; - /** The default set of "safe" external APIs. */ private class DefaultSafeExternalApiMethod extends SafeExternalApiMethod { DefaultSafeExternalApiMethod() { @@ -95,9 +92,6 @@ class ExternalApiDataNode extends DataFlow::Node { string getMethodDescription() { result = this.getMethod().getQualifiedName() } } -/** DEPRECATED: Alias for ExternalApiDataNode */ -deprecated class ExternalAPIDataNode = ExternalApiDataNode; - /** * DEPRECATED: Use `UntrustedDataToExternalApiFlow` instead. * @@ -125,9 +119,6 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { */ module UntrustedDataToExternalApiFlow = TaintTracking::Global; -/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */ -deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig; - /** A node representing untrusted data being passed to an external API. */ class UntrustedExternalApiDataNode extends ExternalApiDataNode { UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) } @@ -136,9 +127,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode { DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) } } -/** DEPRECATED: Alias for UntrustedExternalApiDataNode */ -deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode; - /** An external API which is used with untrusted data. */ private newtype TExternalApi = /** An untrusted API method `m` where untrusted data is passed at `index`. */ @@ -172,6 +160,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi { ) } } - -/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */ -deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData; diff --git a/java/ql/lib/semmle/code/java/security/LogInjection.qll b/java/ql/lib/semmle/code/java/security/LogInjection.qll index 2314d807a60..7fb85f6d8f1 100644 --- a/java/ql/lib/semmle/code/java/security/LogInjection.qll +++ b/java/ql/lib/semmle/code/java/security/LogInjection.qll @@ -46,16 +46,33 @@ private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer { } } +private predicate stringMethodAccess( + MethodAccess ma, CompileTimeConstantExpr arg0, CompileTimeConstantExpr arg1 +) { + ma.getMethod().getDeclaringType() instanceof TypeString and + arg0 = ma.getArgument(0) and + arg1 = ma.getArgument(1) +} + +private predicate stringMethodArgument(CompileTimeConstantExpr arg) { + stringMethodAccess(_, arg, _) or stringMethodAccess(_, _, arg) +} + +bindingset[match] +pragma[inline_late] +private predicate stringMethodArgumentValueMatches(CompileTimeConstantExpr const, string match) { + stringMethodArgument(const) and + const.getStringValue().matches(match) +} + /** * Holds if the return value of `ma` is sanitized against log injection attacks * by removing line breaks from it. */ private predicate logInjectionSanitizer(MethodAccess ma) { exists(CompileTimeConstantExpr target, CompileTimeConstantExpr replacement | - ma.getMethod().getDeclaringType() instanceof TypeString and - target = ma.getArgument(0) and - replacement = ma.getArgument(1) and - not replacement.getStringValue().matches(["%\n%", "%\r%"]) + stringMethodAccess(ma, target, replacement) and + not stringMethodArgumentValueMatches(replacement, ["%\n%", "%\r%"]) | ma.getMethod().hasName("replace") and not replacement.getIntValue() = [10, 13] and @@ -68,7 +85,7 @@ private predicate logInjectionSanitizer(MethodAccess ma) { ( // Replace anything not in an allow list target.getStringValue().matches("[^%]") and - not target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%") + not stringMethodArgumentValueMatches(target, "%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%") or // Replace line breaks target.getStringValue() = ["\n", "\r", "\\n", "\\r", "\\R"] diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index 4fa64846c91..a90a23c2165 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -5,7 +5,6 @@ import semmle.code.java.frameworks.Networking import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow -import semmle.code.java.security.PathCreation import semmle.code.java.security.PathSanitizer /** @@ -55,11 +54,7 @@ private class TaintPreservingUriCtorParam extends Parameter { module TaintedPathConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - predicate isSink(DataFlow::Node sink) { - sink.asExpr() = any(PathCreation p).getAnInput() - or - sinkNode(sink, "path-injection") - } + predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") } predicate isBarrier(DataFlow::Node sanitizer) { sanitizer.getType() instanceof BoxedType or @@ -82,11 +77,7 @@ module TaintedPathFlow = TaintTracking::Global; module TaintedPathLocalConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - predicate isSink(DataFlow::Node sink) { - sink.asExpr() = any(PathCreation p).getAnInput() - or - sinkNode(sink, "path-injection") - } + predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") } predicate isBarrier(DataFlow::Node sanitizer) { sanitizer.getType() instanceof BoxedType or diff --git a/java/ql/lib/semmle/code/java/security/XmlParsers.qll b/java/ql/lib/semmle/code/java/security/XmlParsers.qll index a079267b131..ded513ec656 100644 --- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll +++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll @@ -337,9 +337,6 @@ class SaxBuilder extends RefType { } } -/** DEPRECATED: Alias for SaxBuilder */ -deprecated class SAXBuilder = SaxBuilder; - /** * A call to `SAXBuilder.build.` */ @@ -359,9 +356,6 @@ class SaxBuilderParse extends XmlParserCall { } } -/** DEPRECATED: Alias for SaxBuilderParse */ -deprecated class SAXBuilderParse = SaxBuilderParse; - private module SafeSaxBuilderToSaxBuilderParseFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxBuilder } @@ -386,9 +380,6 @@ class SaxBuilderConfig extends ParserConfig { } } -/** DEPRECATED: Alias for SaxBuilderConfig */ -deprecated class SAXBuilderConfig = SaxBuilderConfig; - /** A safely configured `SaxBuilder`. */ class SafeSaxBuilder extends VarAccess { SafeSaxBuilder() { @@ -404,9 +395,6 @@ class SafeSaxBuilder extends VarAccess { } } -/** DEPRECATED: Alias for SafeSaxBuilder */ -deprecated class SafeSAXBuilder = SafeSaxBuilder; - /* * The case in * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller @@ -420,17 +408,11 @@ class SaxParser extends RefType { SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") } } -/** DEPRECATED: Alias for SaxParser */ -deprecated class SAXParser = SaxParser; - /** The class `javax.xml.parsers.SAXParserFactory`. */ class SaxParserFactory extends RefType { SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") } } -/** DEPRECATED: Alias for SaxParserFactory */ -deprecated class SAXParserFactory = SaxParserFactory; - /** A call to `SAXParser.parse`. */ class SaxParserParse extends XmlParserCall { SaxParserParse() { @@ -446,9 +428,6 @@ class SaxParserParse extends XmlParserCall { override predicate isSafe() { SafeSaxParserFlow::flowToExpr(this.getQualifier()) } } -/** DEPRECATED: Alias for SaxParserParse */ -deprecated class SAXParserParse = SaxParserParse; - /** A `ParserConfig` that is specific to `SaxParserFactory`. */ class SaxParserFactoryConfig extends ParserConfig { SaxParserFactoryConfig() { @@ -460,9 +439,6 @@ class SaxParserFactoryConfig extends ParserConfig { } } -/** DEPRECATED: Alias for SaxParserFactoryConfig */ -deprecated class SAXParserFactoryConfig = SaxParserFactoryConfig; - /** * A safely configured `SAXParserFactory`. */ @@ -496,9 +472,6 @@ class SafeSaxParserFactory extends VarAccess { } } -/** DEPRECATED: Alias for SafeSaxParserFactory */ -deprecated class SafeSAXParserFactory = SafeSaxParserFactory; - private module SafeSaxParserFactoryToNewSaxParserFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxParserFactory } @@ -540,9 +513,6 @@ class SafeSaxParser extends MethodAccess { } } -/** DEPRECATED: Alias for SafeSaxParser */ -deprecated class SafeSAXParser = SafeSaxParser; - /* SAXReader: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxreader */ /** * The class `org.dom4j.io.SAXReader`. @@ -551,9 +521,6 @@ class SaxReader extends RefType { SaxReader() { this.hasQualifiedName("org.dom4j.io", "SAXReader") } } -/** DEPRECATED: Alias for SaxReader */ -deprecated class SAXReader = SaxReader; - /** A call to `SAXReader.read`. */ class SaxReaderRead extends XmlParserCall { SaxReaderRead() { @@ -569,9 +536,6 @@ class SaxReaderRead extends XmlParserCall { override predicate isSafe() { SafeSaxReaderFlow::flowToExpr(this.getQualifier()) } } -/** DEPRECATED: Alias for SaxReaderRead */ -deprecated class SAXReaderRead = SaxReaderRead; - /** A `ParserConfig` specific to `SaxReader`. */ class SaxReaderConfig extends ParserConfig { SaxReaderConfig() { @@ -583,9 +547,6 @@ class SaxReaderConfig extends ParserConfig { } } -/** DEPRECATED: Alias for SaxReaderConfig */ -deprecated class SAXReaderConfig = SaxReaderConfig; - private module SafeSaxReaderFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxReader } @@ -626,9 +587,6 @@ class SafeSaxReader extends VarAccess { } } -/** DEPRECATED: Alias for SafeSaxReader */ -deprecated class SafeSAXReader = SafeSaxReader; - /* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlreader */ /** The class `org.xml.sax.XMLReader`. */ class XmlReader extends RefType { @@ -640,9 +598,6 @@ class InputSource extends Class { InputSource() { this.hasQualifiedName("org.xml.sax", "InputSource") } } -/** DEPRECATED: Alias for XmlReader */ -deprecated class XMLReader = XmlReader; - /** A call to `XMLReader.read`. */ class XmlReaderParse extends XmlParserCall { XmlReaderParse() { @@ -661,9 +616,6 @@ class XmlReaderParse extends XmlParserCall { } } -/** DEPRECATED: Alias for XmlReaderParse */ -deprecated class XMLReaderParse = XmlReaderParse; - /** A `ParserConfig` specific to the `XmlReader`. */ class XmlReaderConfig extends ParserConfig { XmlReaderConfig() { @@ -675,9 +627,6 @@ class XmlReaderConfig extends ParserConfig { } } -/** DEPRECATED: Alias for XmlReaderConfig */ -deprecated class XMLReaderConfig = XmlReaderConfig; - private module ExplicitlySafeXmlReaderFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ExplicitlySafeXmlReader } @@ -697,9 +646,6 @@ class SafeXmlReaderFlowSink extends Expr { } } -/** DEPRECATED: Alias for SafeXmlReaderFlowSink */ -deprecated class SafeXMLReaderFlowSink = SafeXmlReaderFlowSink; - /** An `XmlReader` that is explicitly configured to be safe. */ class ExplicitlySafeXmlReader extends VarAccess { ExplicitlySafeXmlReader() { @@ -739,9 +685,6 @@ class ExplicitlySafeXmlReader extends VarAccess { } } -/** DEPRECATED: Alias for ExplicitlySafeXmlReader */ -deprecated class ExplicitlySafeXMLReader = ExplicitlySafeXmlReader; - private module CreatedSafeXmlReaderFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXmlReader } @@ -778,9 +721,6 @@ class CreatedSafeXmlReader extends Call { } } -/** DEPRECATED: Alias for CreatedSafeXmlReader */ -deprecated class CreatedSafeXMLReader = CreatedSafeXmlReader; - /* * SAXSource in * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller @@ -791,9 +731,6 @@ class SaxSource extends RefType { SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") } } -/** DEPRECATED: Alias for SaxSource */ -deprecated class SAXSource = SaxSource; - /** A call to the constructor of `SAXSource` with `XmlReader` and `InputSource`. */ class ConstructedSaxSource extends ClassInstanceExpr { ConstructedSaxSource() { @@ -814,9 +751,6 @@ class ConstructedSaxSource extends ClassInstanceExpr { } } -/** DEPRECATED: Alias for ConstructedSaxSource */ -deprecated class ConstructedSAXSource = ConstructedSaxSource; - /** A call to the `SAXSource.setXMLReader` method. */ class SaxSourceSetReader extends MethodAccess { SaxSourceSetReader() { @@ -828,9 +762,6 @@ class SaxSourceSetReader extends MethodAccess { } } -/** DEPRECATED: Alias for SaxSourceSetReader */ -deprecated class SAXSourceSetReader = SaxSourceSetReader; - /** A `SaxSource` that is safe to use. */ class SafeSaxSource extends Expr { SafeSaxSource() { @@ -847,9 +778,6 @@ class SafeSaxSource extends Expr { } } -/** DEPRECATED: Alias for SafeSaxSource */ -deprecated class SafeSAXSource = SafeSaxSource; - /* Transformer: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory */ /** An access to a method use for configuring a transformer or schema. */ abstract class TransformerConfig extends MethodAccess { @@ -1063,9 +991,6 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall { override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) } } -/** DEPRECATED: Alias for SaxTransformerFactoryNewXmlFilter */ -deprecated class SAXTransformerFactoryNewXMLFilter = SaxTransformerFactoryNewXmlFilter; - /* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */ /** The class `javax.xml.validation.SchemaFactory`. */ class SchemaFactory extends RefType { @@ -1197,9 +1122,6 @@ class SimpleXmlPersisterCall extends XmlParserCall { override predicate isSafe() { none() } } -/** DEPRECATED: Alias for SimpleXmlPersisterCall */ -deprecated class SimpleXMLPersisterCall = SimpleXmlPersisterCall; - /** A call to `provide` in `Provider`. */ class SimpleXmlProviderCall extends XmlParserCall { SimpleXmlProviderCall() { @@ -1218,9 +1140,6 @@ class SimpleXmlProviderCall extends XmlParserCall { override predicate isSafe() { none() } } -/** DEPRECATED: Alias for SimpleXmlProviderCall */ -deprecated class SimpleXMLProviderCall = SimpleXmlProviderCall; - /** A call to `read` in `NodeBuilder`. */ class SimpleXmlNodeBuilderCall extends XmlParserCall { SimpleXmlNodeBuilderCall() { @@ -1236,9 +1155,6 @@ class SimpleXmlNodeBuilderCall extends XmlParserCall { override predicate isSafe() { none() } } -/** DEPRECATED: Alias for SimpleXmlNodeBuilderCall */ -deprecated class SimpleXMLNodeBuilderCall = SimpleXmlNodeBuilderCall; - /** A call to the `format` method of the `Formatter`. */ class SimpleXmlFormatterCall extends XmlParserCall { SimpleXmlFormatterCall() { @@ -1254,9 +1170,6 @@ class SimpleXmlFormatterCall extends XmlParserCall { override predicate isSafe() { none() } } -/** DEPRECATED: Alias for SimpleXmlFormatterCall */ -deprecated class SimpleXMLFormatterCall = SimpleXmlFormatterCall; - /** A configuration for secure processing. */ Expr configSecureProcessing() { result.(ConstantStringExpr).getStringValue() = diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll index 4fad191a3e4..074153ffd8f 100644 --- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.PathSanitizer private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.security.PathCreation /** * A method that returns the name of an archive entry. @@ -40,5 +41,28 @@ module ZipSlipFlow = TaintTracking::Global; * A sink that represents a file creation, such as a file write, copy or move operation. */ private class FileCreationSink extends DataFlow::Node { - FileCreationSink() { sinkNode(this, "path-injection") } + FileCreationSink() { + sinkNode(this, "path-injection") and + not isPathCreation(this) + } +} + +/** + * Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation. + * This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't + * previously part of this query. + */ +private predicate isPathCreation(DataFlow::Node sink) { + exists(PathCreation pc | + pc.getAnInput() = sink.asExpr() + or + pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc + | + // exclude actual read/write operations included in `PathCreation` + not pc.(Call) + .getCallee() + .getDeclaringType() + .hasQualifiedName("java.io", + ["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"]) + ) } diff --git a/java/ql/lib/semmle/code/xml/WebXML.qll b/java/ql/lib/semmle/code/xml/WebXML.qll index c15793b58a4..c356081c95f 100644 --- a/java/ql/lib/semmle/code/xml/WebXML.qll +++ b/java/ql/lib/semmle/code/xml/WebXML.qll @@ -5,9 +5,6 @@ import java */ predicate isWebXmlIncluded() { exists(WebXmlFile webXml) } -/** DEPRECATED: Alias for isWebXmlIncluded */ -deprecated predicate isWebXMLIncluded = isWebXmlIncluded/0; - /** * A deployment descriptor file, typically called `web.xml`. */ @@ -31,9 +28,6 @@ class WebXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for WebXmlFile */ -deprecated class WebXMLFile = WebXmlFile; - /** * An XML element in a `WebXMLFile`. */ @@ -46,9 +40,6 @@ class WebXmlElement extends XmlElement { string getValue() { result = this.allCharactersString().trim() } } -/** DEPRECATED: Alias for WebXmlElement */ -deprecated class WebXMLElement = WebXmlElement; - /** * A `` element in a `web.xml` file. */ diff --git a/java/ql/src/Metrics/Summaries/LinesOfCode.ql b/java/ql/src/Metrics/Summaries/LinesOfCode.ql index c1b43c2a3d9..62c19d1b932 100644 --- a/java/ql/src/Metrics/Summaries/LinesOfCode.ql +++ b/java/ql/src/Metrics/Summaries/LinesOfCode.ql @@ -1,8 +1,8 @@ /** * @id java/summary/lines-of-code * @name Total lines of Java code in the database - * @description The total number of lines of code across all files. This is a useful metric of the size of a database. - * For all files that were seen during the build, this query counts the lines of code, excluding whitespace + * @description The total number of lines of code across all Java files. This is a useful metric of the size of a database. + * For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace * or comments. * @kind metric * @tags summary @@ -11,4 +11,4 @@ import java -select sum(CompilationUnit f | f.fromSource() | f.getNumberOfLinesOfCode()) +select sum(CompilationUnit f | f.fromSource() and f.isJavaSourceFile() | f.getNumberOfLinesOfCode()) diff --git a/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql b/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql new file mode 100644 index 00000000000..0093bc0a98f --- /dev/null +++ b/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql @@ -0,0 +1,18 @@ +/** + * @id java/summary/lines-of-code-kotlin + * @name Total lines of Kotlin code in the database + * @description The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database. + * For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace + * or comments. + * @kind metric + * @tags summary + * lines-of-code + */ + +import java + +select sum(CompilationUnit f | + f.fromSource() and f.isKotlinSourceFile() + | + f.getNumberOfLinesOfCode() + ) diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql index 2d73514d97b..96e8e66c7cd 100644 --- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql @@ -14,6 +14,7 @@ */ import java +import semmle.code.java.security.PathCreation import semmle.code.java.security.TaintedPathQuery import TaintedPathFlow::PathGraph diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql index c017b8a3aa9..8e56121883f 100644 --- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql +++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql @@ -14,6 +14,7 @@ */ import java +import semmle.code.java.security.PathCreation import semmle.code.java.security.TaintedPathQuery import TaintedPathLocalFlow::PathGraph diff --git a/java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql b/java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql index 9f24744fa0c..2889de0b5cf 100644 --- a/java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql +++ b/java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql @@ -128,4 +128,4 @@ where not exists(Property p | p.getBackingField() = f) select c, c.getName() + " exposes the internal representation stored in field " + f.getName() + - ". The value may be modified $@.", why.getLocation(), whyText + ". The value may be modified $@.", why, whyText diff --git a/java/ql/src/change-notes/2023-06-05-lines-of-code.md b/java/ql/src/change-notes/2023-06-05-lines-of-code.md new file mode 100644 index 00000000000..a96c891e506 --- /dev/null +++ b/java/ql/src/change-notes/2023-06-05-lines-of-code.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The `java/summary/lines-of-code` query now only counts lines of Java code. The new `java/summary/lines-of-code-kotlin` counts lines of Kotlin code. diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql index 8e113837bca..ba3411e4da2 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql @@ -16,7 +16,6 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.PathCreation import JFinalController import semmle.code.java.security.PathSanitizer import InjectFilePathFlow::PathGraph @@ -52,7 +51,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { - sink.asExpr() = any(PathCreation p).getAnInput() and + sinkNode(sink, "path-injection") and not sink instanceof NormalizedPathNode } diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll index 85d3f36dfdf..377c7f74bd4 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll @@ -56,9 +56,6 @@ predicate myBatisMapperXmlElementFromMethod(Method method, MyBatisMapperXmlEleme ) } -/** DEPRECATED: Alias for myBatisMapperXmlElementFromMethod */ -deprecated predicate myBatisMapperXMLElementFromMethod = myBatisMapperXmlElementFromMethod/2; - /** Holds if the specified `method` has Ibatis Sql operation annotation `isoa`. */ predicate myBatisSqlOperationAnnotationFromMethod(Method method, IbatisSqlOperationAnnotation isoa) { exists(MyBatisSqlOperationAnnotationMethod msoam | diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll index bd177b30213..05055bdfa84 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll @@ -55,10 +55,14 @@ class WebResourceResponseSink extends DataFlow::Node { } /** - * A value step from the URL argument of `WebView::loadUrl` to the URL parameter of + * A taint step from the URL argument of `WebView::loadUrl` to the URL/WebResourceRequest parameter of * `WebViewClient::shouldInterceptRequest`. + * + * TODO: This ought to be a value step when it is targeting the URL parameter, + * and it ought to check the parameter type in both cases to ensure that we only + * hit the overloads we intend to. */ -private class FetchUrlStep extends AdditionalValueStep { +private class FetchUrlStep extends AdditionalTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists( // webview.loadUrl(url) -> webview.setWebViewClient(new WebViewClient() { shouldInterceptRequest(view, url) }); diff --git a/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll b/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll index 874d8448640..8d829612d95 100644 --- a/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll +++ b/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll @@ -10,9 +10,6 @@ class StrutsXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for StrutsXmlFile */ -deprecated class StrutsXMLFile = StrutsXmlFile; - /** * An XML element in a `StrutsXMLFile`. */ @@ -25,9 +22,6 @@ class StrutsXmlElement extends XmlElement { string getValue() { result = this.allCharactersString().trim() } } -/** DEPRECATED: Alias for StrutsXmlElement */ -deprecated class StrutsXMLElement = StrutsXmlElement; - /** * A `` element in a `StrutsXMLFile`. */ diff --git a/java/ql/src/semmle/code/xml/MyBatisMapperXML.qll b/java/ql/src/semmle/code/xml/MyBatisMapperXML.qll index c7de1b8b945..529a627e96f 100644 --- a/java/ql/src/semmle/code/xml/MyBatisMapperXML.qll +++ b/java/ql/src/semmle/code/xml/MyBatisMapperXML.qll @@ -14,9 +14,6 @@ class MyBatisMapperXmlFile extends XmlFile { } } -/** DEPRECATED: Alias for MyBatisMapperXmlFile */ -deprecated class MyBatisMapperXMLFile = MyBatisMapperXmlFile; - /** * An XML element in a `MyBatisMapperXMLFile`. */ @@ -36,9 +33,6 @@ class MyBatisMapperXmlElement extends XmlElement { } } -/** DEPRECATED: Alias for MyBatisMapperXmlElement */ -deprecated class MyBatisMapperXMLElement = MyBatisMapperXmlElement; - /** * An MyBatis Mapper sql operation element. */ diff --git a/java/ql/test/TestUtilities/InlineFlowTest.qll b/java/ql/test/TestUtilities/InlineFlowTest.qll index 1731b73f24e..5e37770a279 100644 --- a/java/ql/test/TestUtilities/InlineFlowTest.qll +++ b/java/ql/test/TestUtilities/InlineFlowTest.qll @@ -7,7 +7,7 @@ * import TestUtilities.InlineFlowTest * ``` * - * To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files. + * To declare expectations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files. * Example of the corresponding test file, e.g. Test.java * ```java * public class Test { diff --git a/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.expected b/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.expected index f3d88d25805..93b2b060685 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.expected @@ -2075,28 +2075,28 @@ edges | Log4jJndiInjectionTest.java:1085:39:1085:46 | source(...) : String | Log4jJndiInjectionTest.java:1085:25:1085:46 | (...)... | | Log4jJndiInjectionTest.java:1088:47:1088:54 | source(...) : String | Log4jJndiInjectionTest.java:1088:38:1088:54 | (...)... | | Log4jJndiInjectionTest.java:1089:53:1089:60 | source(...) : String | Log4jJndiInjectionTest.java:1089:44:1089:60 | (...)... | -| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [] : String | Log4jJndiInjectionTest.java:1092:34:1092:36 | map | -| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [] : String | +| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [] : String | Log4jJndiInjectionTest.java:1092:34:1092:36 | map | +| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [] : String | | Log4jJndiInjectionTest.java:1091:37:1091:44 | source(...) : String | Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | -| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg | -| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | +| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg | +| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | | Log4jJndiInjectionTest.java:1095:80:1095:87 | source(...) : String | Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | -| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg | -| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | +| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg | +| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | | Log4jJndiInjectionTest.java:1100:44:1100:51 | source(...) : String | Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | -| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg | -| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | +| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg | +| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | | Log4jJndiInjectionTest.java:1105:43:1105:50 | source(...) : String | Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | -| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [] : String | Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [] : String | -| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [] : String | +| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [] : String | Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [] : String | +| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [] : String | | Log4jJndiInjectionTest.java:1111:42:1111:49 | source(...) : String | Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | -| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg | -| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [] : String | Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | +| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg | +| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [] : String | Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | | Log4jJndiInjectionTest.java:1116:61:1116:68 | source(...) : String | Log4jJndiInjectionTest.java:1116:52:1116:68 | (...)... | | Log4jJndiInjectionTest.java:1117:81:1117:88 | source(...) : String | Log4jJndiInjectionTest.java:1117:72:1117:88 | (...)... | -| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [] : String | Log4jJndiInjectionTest.java:1120:43:1120:45 | map | -| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [] : String | Log4jJndiInjectionTest.java:1121:63:1121:65 | map | -| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [] : String | +| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [] : String | Log4jJndiInjectionTest.java:1120:43:1120:45 | map | +| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [] : String | Log4jJndiInjectionTest.java:1121:63:1121:65 | map | +| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [] : String | | Log4jJndiInjectionTest.java:1119:42:1119:49 | source(...) : String | Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | nodes | Log4jJndiInjectionTest.java:24:16:24:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | @@ -4168,33 +4168,33 @@ nodes | Log4jJndiInjectionTest.java:1088:47:1088:54 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1089:44:1089:60 | (...)... | semmle.label | (...)... | | Log4jJndiInjectionTest.java:1089:53:1089:60 | source(...) : String | semmle.label | source(...) : String | -| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [] : String | semmle.label | map [post update] : Map [] : String | +| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [] : String | semmle.label | map [post update] : HashMap [] : String | | Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | semmle.label | (...)... : String | | Log4jJndiInjectionTest.java:1091:37:1091:44 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1092:34:1092:36 | map | semmle.label | map | -| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | semmle.label | with(...) : MapMessage | +| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | semmle.label | with(...) : StringMapMessage | | Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | semmle.label | (...)... : String | | Log4jJndiInjectionTest.java:1095:80:1095:87 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg | semmle.label | mmsg | -| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage | +| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage | | Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | semmle.label | (...)... : String | | Log4jJndiInjectionTest.java:1100:44:1100:51 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg | semmle.label | mmsg | -| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage | +| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage | | Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | semmle.label | (...)... : String | | Log4jJndiInjectionTest.java:1105:43:1105:50 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg | semmle.label | mmsg | -| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [] : String | semmle.label | map [post update] : Map [] : String | +| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [] : String | semmle.label | map [post update] : HashMap [] : String | | Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | semmle.label | (...)... : String | | Log4jJndiInjectionTest.java:1111:42:1111:49 | source(...) : String | semmle.label | source(...) : String | -| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage | -| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [] : String | semmle.label | map : Map [] : String | +| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage | +| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [] : String | semmle.label | map : HashMap [] : String | | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg | semmle.label | mmsg | | Log4jJndiInjectionTest.java:1116:52:1116:68 | (...)... | semmle.label | (...)... | | Log4jJndiInjectionTest.java:1116:61:1116:68 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1117:72:1117:88 | (...)... | semmle.label | (...)... | | Log4jJndiInjectionTest.java:1117:81:1117:88 | source(...) : String | semmle.label | source(...) : String | -| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [] : String | semmle.label | map [post update] : Map [] : String | +| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [] : String | semmle.label | map [post update] : HashMap [] : String | | Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | semmle.label | (...)... : String | | Log4jJndiInjectionTest.java:1119:42:1119:49 | source(...) : String | semmle.label | source(...) : String | | Log4jJndiInjectionTest.java:1120:43:1120:45 | map | semmle.label | map | diff --git a/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected index 5720de5c4b9..cd2b49f28c1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected @@ -2,7 +2,12 @@ edges | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | +| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file | | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath | +| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String | +| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:217:19:217:22 | file : File | +| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File | +| FilePathInjection.java:217:19:217:22 | file : File | FilePathInjection.java:177:50:177:58 | file : File | nodes | FilePathInjection.java:21:21:21:34 | getPara(...) : String | semmle.label | getPara(...) : String | | FilePathInjection.java:26:47:26:59 | finalFilePath | semmle.label | finalFilePath | @@ -10,11 +15,17 @@ nodes | FilePathInjection.java:72:47:72:59 | finalFilePath | semmle.label | finalFilePath | | FilePathInjection.java:87:21:87:34 | getPara(...) : String | semmle.label | getPara(...) : String | | FilePathInjection.java:95:47:95:59 | finalFilePath | semmle.label | finalFilePath | +| FilePathInjection.java:177:50:177:58 | file : File | semmle.label | file : File | +| FilePathInjection.java:182:30:182:33 | file | semmle.label | file | | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| FilePathInjection.java:209:15:209:32 | new File(...) : File | semmle.label | new File(...) : File | | FilePathInjection.java:209:24:209:31 | filePath | semmle.label | filePath | +| FilePathInjection.java:209:24:209:31 | filePath : String | semmle.label | filePath : String | +| FilePathInjection.java:217:19:217:22 | file : File | semmle.label | file : File | subpaths #select | FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value | | FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value | | FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value | +| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value | | FilePathInjection.java:209:24:209:31 | filePath | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value | diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected index 37741e5f605..07ce59763ad 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected @@ -1,152 +1,152 @@ edges -| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | -| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | InsecureWebResourceResponse.java:59:34:59:43 | url : Object | -| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | InsecureWebResourceResponse.java:80:34:80:43 | url : Object | -| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | InsecureWebResourceResponse.java:106:34:106:43 | url : Object | -| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | InsecureWebResourceResponse.java:131:36:131:45 | url : Object | -| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | InsecureWebResourceResponse.java:156:35:156:44 | url : Object | -| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | InsecureWebResourceResponse.java:181:34:181:43 | url : Object | -| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | InsecureWebResourceResponse.java:188:34:188:43 | url : Object | -| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | InsecureWebResourceResponse.java:217:35:217:44 | url : Object | -| InsecureWebResourceResponse.java:59:34:59:43 | url : Object | InsecureWebResourceResponse.java:75:20:75:22 | url : Object | -| InsecureWebResourceResponse.java:63:77:63:86 | url : Object | InsecureWebResourceResponse.java:65:41:65:43 | url : Object | +| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | +| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | InsecureWebResourceResponse.java:59:34:59:43 | url : String | +| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | InsecureWebResourceResponse.java:80:34:80:43 | url : String | +| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | InsecureWebResourceResponse.java:106:34:106:43 | url : String | +| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | InsecureWebResourceResponse.java:131:36:131:45 | url : String | +| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | InsecureWebResourceResponse.java:156:35:156:44 | url : String | +| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | InsecureWebResourceResponse.java:181:34:181:43 | url : String | +| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | InsecureWebResourceResponse.java:188:34:188:43 | url : String | +| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | InsecureWebResourceResponse.java:217:35:217:44 | url : String | +| InsecureWebResourceResponse.java:59:34:59:43 | url : String | InsecureWebResourceResponse.java:75:20:75:22 | url : String | +| InsecureWebResourceResponse.java:63:77:63:86 | url : String | InsecureWebResourceResponse.java:65:41:65:43 | url : String | | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | -| InsecureWebResourceResponse.java:65:41:65:43 | url : Object | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | +| InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | -| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:80:34:80:43 | url : Object | InsecureWebResourceResponse.java:101:20:101:22 | url : Object | -| InsecureWebResourceResponse.java:84:77:84:86 | url : Object | InsecureWebResourceResponse.java:86:41:86:43 | url : Object | +| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:80:34:80:43 | url : String | InsecureWebResourceResponse.java:101:20:101:22 | url : String | +| InsecureWebResourceResponse.java:84:77:84:86 | url : String | InsecureWebResourceResponse.java:86:41:86:43 | url : String | | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | -| InsecureWebResourceResponse.java:86:41:86:43 | url : Object | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | +| InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | -| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:106:34:106:43 | url : Object | InsecureWebResourceResponse.java:127:20:127:22 | url : Object | -| InsecureWebResourceResponse.java:110:77:110:86 | url : Object | InsecureWebResourceResponse.java:112:41:112:43 | url : Object | +| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:106:34:106:43 | url : String | InsecureWebResourceResponse.java:127:20:127:22 | url : String | +| InsecureWebResourceResponse.java:110:77:110:86 | url : String | InsecureWebResourceResponse.java:112:41:112:43 | url : String | | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | -| InsecureWebResourceResponse.java:112:41:112:43 | url : Object | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | +| InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | InsecureWebResourceResponse.java:115:75:115:78 | path : String | | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | | InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | -| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:131:36:131:45 | url : Object | InsecureWebResourceResponse.java:152:20:152:22 | url : Object | -| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:156:35:156:44 | url : Object | InsecureWebResourceResponse.java:177:20:177:22 | url : Object | -| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:181:34:181:43 | url : Object | InsecureWebResourceResponse.java:184:20:184:22 | url : Object | -| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:188:34:188:43 | url : Object | InsecureWebResourceResponse.java:209:20:209:22 | url : Object | -| InsecureWebResourceResponse.java:192:77:192:102 | request : Object | InsecureWebResourceResponse.java:194:31:194:37 | request : Object | -| InsecureWebResourceResponse.java:194:31:194:37 | request : Object | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | +| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:131:36:131:45 | url : String | InsecureWebResourceResponse.java:152:20:152:22 | url : String | +| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:156:35:156:44 | url : String | InsecureWebResourceResponse.java:177:20:177:22 | url : String | +| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:181:34:181:43 | url : String | InsecureWebResourceResponse.java:184:20:184:22 | url : String | +| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:188:34:188:43 | url : String | InsecureWebResourceResponse.java:209:20:209:22 | url : String | +| InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | -| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:217:35:217:44 | url : Object | InsecureWebResourceResponse.java:226:20:226:22 | url : Object | -| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object | -| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object | -| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object | -| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object | -| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object | -| InsecureWebResourceResponse.java:232:69:232:78 | url : Object | InsecureWebResourceResponse.java:234:33:234:35 | url : Object | +| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:217:35:217:44 | url : String | InsecureWebResourceResponse.java:226:20:226:22 | url : String | +| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | +| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | +| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | +| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | +| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String | +| InsecureWebResourceResponse.java:232:69:232:78 | url : String | InsecureWebResourceResponse.java:234:33:234:35 | url : String | | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | -| InsecureWebResourceResponse.java:234:33:234:35 | url : Object | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | +| InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | -| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | -| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | -| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | InsecureWebViewActivity.java:42:28:42:37 | url : Object | -| InsecureWebViewActivity.java:42:28:42:37 | url : Object | InsecureWebViewActivity.java:43:25:43:27 | url : Object | -| InsecureWebViewActivity.java:43:25:43:27 | url : Object | InsecureWebViewActivity.java:53:77:53:86 | url : Object | -| InsecureWebViewActivity.java:53:77:53:86 | url : Object | InsecureWebViewActivity.java:55:41:55:43 | url : Object | +| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | +| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | +| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | InsecureWebViewActivity.java:42:28:42:37 | url : String | +| InsecureWebViewActivity.java:42:28:42:37 | url : String | InsecureWebViewActivity.java:43:25:43:27 | url : String | +| InsecureWebViewActivity.java:43:25:43:27 | url : String | InsecureWebViewActivity.java:53:77:53:86 | url : String | +| InsecureWebViewActivity.java:53:77:53:86 | url : String | InsecureWebViewActivity.java:55:41:55:43 | url : String | | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | -| InsecureWebViewActivity.java:55:41:55:43 | url : Object | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | +| InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | InsecureWebViewActivity.java:58:71:58:81 | inputStream | | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | nodes | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | -| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | -| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebResourceResponse.java:59:34:59:43 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:63:77:63:86 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | +| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebResourceResponse.java:59:34:59:43 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:63:77:63:86 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | semmle.label | parse(...) : Uri | -| InsecureWebResourceResponse.java:65:41:65:43 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:65:41:65:43 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | semmle.label | uri : Uri | | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | semmle.label | getPath(...) : String | | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | semmle.label | inputStream | -| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:80:34:80:43 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:84:77:84:86 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:75:20:75:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:80:34:80:43 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:84:77:84:86 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | semmle.label | parse(...) : Uri | -| InsecureWebResourceResponse.java:86:41:86:43 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:86:41:86:43 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | semmle.label | new File(...) : File | | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | semmle.label | uri : Uri | | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String | | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | semmle.label | cacheFile : File | | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | semmle.label | inputStream | -| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:106:34:106:43 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:110:77:110:86 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:101:20:101:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:106:34:106:43 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:110:77:110:86 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | semmle.label | parse(...) : Uri | -| InsecureWebResourceResponse.java:112:41:112:43 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:112:41:112:43 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | semmle.label | uri : Uri | | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | semmle.label | getPath(...) : String | | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | semmle.label | substring(...) : String | @@ -154,16 +154,16 @@ nodes | InsecureWebResourceResponse.java:115:75:115:78 | path : String | semmle.label | path : String | | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | semmle.label | substring(...) : String | | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | semmle.label | inputStream | -| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:131:36:131:45 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:156:35:156:44 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:181:34:181:43 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:188:34:188:43 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:192:77:192:102 | request : Object | semmle.label | request : Object | -| InsecureWebResourceResponse.java:194:31:194:37 | request : Object | semmle.label | request : Object | +| InsecureWebResourceResponse.java:127:20:127:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:131:36:131:45 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:152:20:152:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:156:35:156:44 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:177:20:177:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:181:34:181:43 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:184:20:184:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:188:34:188:43 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | semmle.label | request : WebResourceRequest | +| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | semmle.label | request : WebResourceRequest | | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | semmle.label | getUrl(...) : Uri | | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | semmle.label | new File(...) : File | | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | semmle.label | uri : Uri | @@ -171,24 +171,24 @@ nodes | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | semmle.label | cacheFile : File | | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | semmle.label | inputStream | -| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:217:35:217:44 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | semmle.label | url : Object | -| InsecureWebResourceResponse.java:232:69:232:78 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:209:20:209:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:217:35:217:44 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:226:20:226:22 | url : String | semmle.label | url : String | +| InsecureWebResourceResponse.java:232:69:232:78 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | semmle.label | parse(...) : Uri | -| InsecureWebResourceResponse.java:234:33:234:35 | url : Object | semmle.label | url : Object | +| InsecureWebResourceResponse.java:234:33:234:35 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | semmle.label | uri : Uri | | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | semmle.label | getPath(...) : String | | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | semmle.label | inputStream | | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | -| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | -| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | semmle.label | inputUrl : Object | -| InsecureWebViewActivity.java:42:28:42:37 | url : Object | semmle.label | url : Object | -| InsecureWebViewActivity.java:43:25:43:27 | url : Object | semmle.label | url : Object | -| InsecureWebViewActivity.java:53:77:53:86 | url : Object | semmle.label | url : Object | +| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | +| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | semmle.label | inputUrl : String | +| InsecureWebViewActivity.java:42:28:42:37 | url : String | semmle.label | url : String | +| InsecureWebViewActivity.java:43:25:43:27 | url : String | semmle.label | url : String | +| InsecureWebViewActivity.java:53:77:53:86 | url : String | semmle.label | url : String | | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | semmle.label | parse(...) : Uri | -| InsecureWebViewActivity.java:55:41:55:43 | url : Object | semmle.label | url : Object | +| InsecureWebViewActivity.java:55:41:55:43 | url : String | semmle.label | url : String | | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | semmle.label | uri : Uri | | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | semmle.label | getPath(...) : String | diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected b/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected index 43a64e4226a..9c5b6ce8b69 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected @@ -1,47 +1,47 @@ edges | FileService.java:20:31:20:43 | intent : Intent | FileService.java:21:28:21:33 | intent : Intent | -| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : Object | -| FileService.java:21:28:21:64 | getStringExtra(...) : Object | FileService.java:25:42:25:50 | localPath : Object | +| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String | +| FileService.java:21:28:21:64 | getStringExtra(...) : String | FileService.java:25:42:25:50 | localPath : String | | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] | -| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | -| FileService.java:25:42:25:50 | localPath : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | -| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object | -| FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:35:17:35:25 | sourceUri : Object | -| FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | -| FileService.java:35:17:35:25 | sourceUri : Object | FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | -| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : Object | -| FileService.java:44:33:44:52 | (...)... : Object | FileService.java:45:53:45:59 | ...[...] | +| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | +| FileService.java:25:42:25:50 | localPath : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | +| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | +| FileService.java:32:13:32:28 | sourceUri : String | FileService.java:35:17:35:25 | sourceUri : String | +| FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | +| FileService.java:35:17:35:25 | sourceUri : String | FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | +| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : String[] | +| FileService.java:44:33:44:52 | (...)... : String[] | FileService.java:45:53:45:59 | ...[...] | | LeakFileActivity2.java:15:13:15:18 | intent : Intent | LeakFileActivity2.java:16:26:16:31 | intent : Intent | | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent | | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | -| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Object | -| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | -| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | LeakFileActivity.java:21:58:21:82 | getPath(...) | +| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | +| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | +| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) | nodes | FileService.java:20:31:20:43 | intent : Intent | semmle.label | intent : Intent | | FileService.java:21:28:21:33 | intent : Intent | semmle.label | intent : Intent | -| FileService.java:21:28:21:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | +| FileService.java:21:28:21:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | semmle.label | makeParamsToExecute(...) : Object[] | -| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | semmle.label | makeParamsToExecute(...) : Object[] [[]] : Object | -| FileService.java:25:42:25:50 | localPath : Object | semmle.label | localPath : Object | -| FileService.java:32:13:32:28 | sourceUri : Object | semmle.label | sourceUri : Object | -| FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | semmle.label | new Object[] : Object[] [[]] : Object | -| FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | semmle.label | {...} : Object[] [[]] : Object | -| FileService.java:35:17:35:25 | sourceUri : Object | semmle.label | sourceUri : Object | +| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | semmle.label | makeParamsToExecute(...) : Object[] [[]] : String | +| FileService.java:25:42:25:50 | localPath : String | semmle.label | localPath : String | +| FileService.java:32:13:32:28 | sourceUri : String | semmle.label | sourceUri : String | +| FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | semmle.label | new Object[] : Object[] [[]] : String | +| FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | semmle.label | {...} : Object[] [[]] : String | +| FileService.java:35:17:35:25 | sourceUri : String | semmle.label | sourceUri : String | | FileService.java:40:41:40:55 | params : Object[] | semmle.label | params : Object[] | -| FileService.java:44:33:44:52 | (...)... : Object | semmle.label | (...)... : Object | +| FileService.java:44:33:44:52 | (...)... : String[] | semmle.label | (...)... : String[] | | FileService.java:45:53:45:59 | ...[...] | semmle.label | ...[...] | | LeakFileActivity2.java:15:13:15:18 | intent : Intent | semmle.label | intent : Intent | | LeakFileActivity2.java:16:26:16:31 | intent : Intent | semmle.label | intent : Intent | | LeakFileActivity.java:14:35:14:38 | data : Intent | semmle.label | data : Intent | | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | semmle.label | contentIntent : Intent | | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | semmle.label | contentIntent : Intent | -| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | semmle.label | getData(...) : Object | -| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | semmle.label | streamsToUpload : Object | +| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | semmle.label | getData(...) : Uri | +| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | semmle.label | streamsToUpload : Uri | | LeakFileActivity.java:21:58:21:82 | getPath(...) | semmle.label | getPath(...) | subpaths -| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | +| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | #select | FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input | | FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:16:26:16:31 | intent | this user input | diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected index b6f894c3e5f..606cf994976 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected @@ -6,17 +6,17 @@ edges | UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue | | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | | UnsafeReflection.java:46:132:46:168 | body : Map | UnsafeReflection.java:49:37:49:40 | body : Map | -| UnsafeReflection.java:49:23:49:59 | (...)... : Object | UnsafeReflection.java:53:67:53:73 | rawData : Object | +| UnsafeReflection.java:49:23:49:59 | (...)... : List | UnsafeReflection.java:53:67:53:73 | rawData : List | | UnsafeReflection.java:49:37:49:40 | body : Map | UnsafeReflection.java:49:37:49:59 | get(...) : Object | -| UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : Object | +| UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : List | | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | -| UnsafeReflection.java:53:67:53:73 | rawData : Object | UnsafeReflection.java:104:102:104:118 | data : Object | +| UnsafeReflection.java:53:67:53:73 | rawData : List | UnsafeReflection.java:104:102:104:118 | data : List | | UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | UnsafeReflection.java:68:76:68:89 | parameterValue | | UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | UnsafeReflection.java:83:76:83:89 | parameterValue | | UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | UnsafeReflection.java:98:76:98:89 | parameterValue | | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:21:119:26 | method | | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:35:119:38 | bean | -| UnsafeReflection.java:104:102:104:118 | data : Object | UnsafeReflection.java:119:41:119:44 | data | +| UnsafeReflection.java:104:102:104:118 | data : List | UnsafeReflection.java:119:41:119:44 | data | nodes | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | @@ -29,11 +29,11 @@ nodes | UnsafeReflection.java:39:58:39:71 | parameterValue | semmle.label | parameterValue | | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String | | UnsafeReflection.java:46:132:46:168 | body : Map | semmle.label | body : Map | -| UnsafeReflection.java:49:23:49:59 | (...)... : Object | semmle.label | (...)... : Object | +| UnsafeReflection.java:49:23:49:59 | (...)... : List | semmle.label | (...)... : List | | UnsafeReflection.java:49:37:49:40 | body : Map | semmle.label | body : Map | | UnsafeReflection.java:49:37:49:59 | get(...) : Object | semmle.label | get(...) : Object | | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String | -| UnsafeReflection.java:53:67:53:73 | rawData : Object | semmle.label | rawData : Object | +| UnsafeReflection.java:53:67:53:73 | rawData : List | semmle.label | rawData : List | | UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | | UnsafeReflection.java:68:76:68:89 | parameterValue | semmle.label | parameterValue | | UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | @@ -41,7 +41,7 @@ nodes | UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | semmle.label | getParameter(...) : String | | UnsafeReflection.java:98:76:98:89 | parameterValue | semmle.label | parameterValue | | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String | -| UnsafeReflection.java:104:102:104:118 | data : Object | semmle.label | data : Object | +| UnsafeReflection.java:104:102:104:118 | data : List | semmle.label | data : List | | UnsafeReflection.java:119:21:119:26 | method | semmle.label | method | | UnsafeReflection.java:119:35:119:38 | bean | semmle.label | bean | | UnsafeReflection.java:119:41:119:44 | data | semmle.label | data | diff --git a/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected b/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected index 11a8bc6c248..57874f96e18 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected @@ -3,13 +3,14 @@ edges | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | UnsafeLoadSpringResource.java:35:31:35:33 | clr | | UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | +| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:17:20:17:25 | params : Map | -| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | -| UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | +| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | +| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:33:20:33:25 | params : Map | -| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | -| UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | UnsafeResourceGet2.java:37:20:37:22 | url | +| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | +| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:37:20:37:22 | url | | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:41:20:41:22 | url | | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath | | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:150:20:150:22 | url | @@ -35,15 +36,17 @@ nodes | UnsafeLoadSpringResource.java:35:31:35:33 | clr | semmle.label | clr | | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | semmle.label | fileName : String | | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | semmle.label | fileName | +| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | semmle.label | fileName : String | +| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | semmle.label | fileName | | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String | | UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path | | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map | | UnsafeResourceGet2.java:17:20:17:25 | params : Map | semmle.label | params : Map | -| UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | semmle.label | get(...) : Object | +| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | semmle.label | get(...) : String | | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | semmle.label | loadUrl | | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map | | UnsafeResourceGet2.java:33:20:33:25 | params : Map | semmle.label | params : Map | -| UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | semmle.label | get(...) : Object | +| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | semmle.label | get(...) : String | | UnsafeResourceGet2.java:37:20:37:22 | url | semmle.label | url | | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | semmle.label | getParameter(...) : String | | UnsafeResourceGet.java:41:20:41:22 | url | semmle.label | url | @@ -83,6 +86,7 @@ subpaths #select | UnsafeLoadSpringResource.java:35:31:35:33 | clr | UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:35:31:35:33 | clr | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:27:32:27:77 | fileName | user-provided value | | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:68:32:68:77 | fileName | user-provided value | +| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:108:32:108:77 | fileName | user-provided value | | UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value | | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) | user-provided value | | UnsafeResourceGet2.java:37:20:37:22 | url | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:37:20:37:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) | user-provided value | diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected index 0c641999e27..28471144374 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected @@ -1,11 +1,11 @@ edges | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map | -| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password | -| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object | +| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password | +| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password : String | | SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | -| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | -| SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object | -| SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password | +| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | +| SensitiveGetQuery2.java:15:29:15:36 | password : String | SensitiveGetQuery2.java:18:40:18:54 | password : String | +| SensitiveGetQuery2.java:18:40:18:54 | password : String | SensitiveGetQuery2.java:19:61:19:68 | password | | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password | | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | | SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken | @@ -16,12 +16,12 @@ edges | SensitiveGetQuery.java:17:40:17:54 | password : String | SensitiveGetQuery.java:18:61:18:68 | password | nodes | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map | -| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object | +| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | semmle.label | (...)... : String | | SensitiveGetQuery2.java:14:30:14:32 | map : Map | semmle.label | map : Map | | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | semmle.label | get(...) : Object | | SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password | -| SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object | -| SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object | +| SensitiveGetQuery2.java:15:29:15:36 | password : String | semmle.label | password : String | +| SensitiveGetQuery2.java:18:40:18:54 | password : String | semmle.label | password : String | | SensitiveGetQuery2.java:19:61:19:68 | password | semmle.label | password | | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | semmle.label | getRequestParameter(...) : String | | SensitiveGetQuery3.java:13:57:13:64 | password | semmle.label | password | diff --git a/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected b/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected index 73657a38158..5f0e5b028f9 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected @@ -1,25 +1,25 @@ edges -| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | -| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | -| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | -| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | -| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | -| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | -| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | -| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | -| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | +| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | +| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | +| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | +| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | +| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | +| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | +| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | +| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | +| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | nodes | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | -| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | +| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | semmle.label | parseDouble(...) | | NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | -| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | +| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | semmle.label | parseInt(...) | | NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | -| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | +| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | semmle.label | parseInt(...) | | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | -| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object | +| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | semmle.label | new Double(...) | | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | semmle.label | valueOf(...) | subpaths diff --git a/java/ql/test/ext/TestModels/Test.java b/java/ql/test/ext/TestModels/Test.java index 83efd12e967..6bbc7a07879 100644 --- a/java/ql/test/ext/TestModels/Test.java +++ b/java/ql/test/ext/TestModels/Test.java @@ -82,7 +82,7 @@ public class Test { Connection con = DriverManager.getConnection(""); PreparedStatement ps1 = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); ps1.setString(1, (String)source()); - sink(ps1); // $hasValueFlow + sink(ps1); // safe // java.util.concurrent.atomic AtomicReference ar = new AtomicReference(source()); diff --git a/java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt b/java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt new file mode 100644 index 00000000000..07beffd2be2 --- /dev/null +++ b/java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt @@ -0,0 +1,11 @@ +import java.io.Closeable + +class UseFlowTest { + fun taint(t: T) = t + fun sink(s: Closeable) { } + + fun test(input: Closeable) { + taint(input).use { it -> sink(it) } // $ hasValueFlow + sink(taint(input).use { it }) // $ hasValueFlow + } +} diff --git a/java/ql/test/kotlin/library-tests/dataflow/summaries/with.kt b/java/ql/test/kotlin/library-tests/dataflow/summaries/with.kt new file mode 100644 index 00000000000..d495f95c854 --- /dev/null +++ b/java/ql/test/kotlin/library-tests/dataflow/summaries/with.kt @@ -0,0 +1,9 @@ +class WithFlowTest { + fun taint(t: T) = t + fun sink(s: String) { } + + fun test(input: String) { + with(taint(input)) { sink(this) } // $ hasValueFlow + sink(with(taint(input)) { this }) // $ hasValueFlow + } +} diff --git a/java/ql/test/library-tests/dispatch/CallableViaSummary.java b/java/ql/test/library-tests/dispatch/CallableViaSummary.java new file mode 100644 index 00000000000..da7c7d86efd --- /dev/null +++ b/java/ql/test/library-tests/dispatch/CallableViaSummary.java @@ -0,0 +1,31 @@ +import java.util.*; + +public class CallableViaSummary { + public interface Element { + public void handle(String message); + } + + public void main(String[] args) { + List elements = new ArrayList<>(); + + List elements2 = new ArrayList<>(); + + elements.add(new Element() { + @Override + public void handle(String message) { + System.out.println(message); + } + }); + + elements.add(message -> System.out.println(message)); + + // This dispatches to the two added elements because + // the summary of ArrayList causes flow via type tracking. + elements.get(0).handle("Hello, world!"); + + // This does not dispatch to anything, showing that the + // open-world assumption does not apply + // (and hence that type tracking is necessary above). + elements2.get(0).handle("Hello, world!"); + } +} \ No newline at end of file diff --git a/java/ql/test/library-tests/dispatch/viaSummary.expected b/java/ql/test/library-tests/dispatch/viaSummary.expected new file mode 100644 index 00000000000..7c311587d9a --- /dev/null +++ b/java/ql/test/library-tests/dispatch/viaSummary.expected @@ -0,0 +1,2 @@ +| CallableViaSummary.java:24:9:24:47 | handle(...) | CallableViaSummary.java:15:25:15:30 | handle | +| CallableViaSummary.java:24:9:24:47 | handle(...) | CallableViaSummary.java:20:22:20:59 | handle | diff --git a/java/ql/test/library-tests/dispatch/viaSummary.ql b/java/ql/test/library-tests/dispatch/viaSummary.ql new file mode 100644 index 00000000000..a7a88d0749d --- /dev/null +++ b/java/ql/test/library-tests/dispatch/viaSummary.ql @@ -0,0 +1,9 @@ +import java +import semmle.code.java.dispatch.VirtualDispatch + +from MethodAccess ma, Method m +where + m = viableImpl(ma) and + m.fromSource() and + ma.getFile().toString() = "CallableViaSummary" +select ma, m diff --git a/java/ql/test/library-tests/frameworks/apache-collections/Test.java b/java/ql/test/library-tests/frameworks/apache-collections/Test.java index 188849457ac..09906405d75 100644 --- a/java/ql/test/library-tests/frameworks/apache-collections/Test.java +++ b/java/ql/test/library-tests/frameworks/apache-collections/Test.java @@ -721,14 +721,14 @@ public class Test { { // "org.apache.commons.collections4;MapUtils;true;getMap;;;MapValue of Argument[0];ReturnValue;value;manual" Map out = null; - Map in = newTreeMapWithMapValue((String)source()); + Map in = newTreeMapWithMapValue((Map)source()); out = MapUtils.getMap(in, null, null); sink(out); // $ hasValueFlow } { // "org.apache.commons.collections4;MapUtils;true;getMap;;;MapValue of Argument[0];ReturnValue;value;manual" Map out = null; - Map in = newTreeMapWithMapValue((String)source()); + Map in = newTreeMapWithMapValue((Map)source()); out = MapUtils.getMap(in, null); sink(out); // $ hasValueFlow } @@ -7257,4 +7257,4 @@ public class Test { } } -} \ No newline at end of file +} diff --git a/java/ql/test/library-tests/frameworks/gson/Test.java b/java/ql/test/library-tests/frameworks/gson/Test.java index eb3e1e526f0..b1dc845f091 100644 --- a/java/ql/test/library-tests/frameworks/gson/Test.java +++ b/java/ql/test/library-tests/frameworks/gson/Test.java @@ -25,7 +25,7 @@ public class Test { K getMapKeyDefault(Map.Entry container) { return container.getKey(); } JsonElement getMapValueDefault(JsonObject container) { return container.get(null); } V getMapValueDefault(Map.Entry container) { return container.getValue(); } - JsonArray newWithElementDefault(String element) { JsonArray a = new JsonArray(); a.add(element); return a; } + JsonArray newWithElementDefault(JsonElement element) { JsonArray a = new JsonArray(); a.add(element); return a; } JsonObject newWithMapKeyDefault(String key) { JsonObject o = new JsonObject(); o.add(key, (JsonElement) null); return o; } JsonObject newWithMapValueDefault(JsonElement element) { JsonObject o = new JsonObject(); o.add(null, element); return o; } Object source() { return null; } @@ -232,51 +232,58 @@ public class Test { sink(out); // $ hasTaintFlow } { - // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual" + // "com.google.gson;JsonArray;true;add;(Boolean);;Argument[0];Argument[this].Element;taint;manual" JsonArray out = null; Boolean in = (Boolean)source(); out.add(in); - sink(getElement(out)); // $ hasValueFlow + sink(getElement(out)); // $ hasTaintFlow } { - // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual" + // "com.google.gson;JsonArray;true;add;(Character);;Argument[0];Argument[this].Element;taint;manual" JsonArray out = null; Character in = (Character)source(); out.add(in); - sink(getElement(out)); // $ hasValueFlow + sink(getElement(out)); // $ hasTaintFlow } { - // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual" + // "com.google.gson;JsonArray;true;add;(JsonElement);;Argument[0];Argument[this].Element;value;manual" JsonArray out = null; JsonElement in = (JsonElement)source(); out.add(in); sink(getElement(out)); // $ hasValueFlow } { - // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual" + // "com.google.gson;JsonArray;true;add;(Number);;Argument[0];Argument[this].Element;taint;manual" JsonArray out = null; Number in = (Number)source(); out.add(in); - sink(getElement(out)); // $ hasValueFlow + sink(getElement(out)); // $ hasTaintFlow } { - // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual" + // "com.google.gson;JsonArray;true;add;(String);;Argument[0];Argument[this].Element;taint;manual" JsonArray out = null; String in = (String)source(); out.add(in); + sink(getElement(out)); // $ hasTaintFlow + } + { + // "com.google.gson;JsonArray;true;addAll;(JsonArray);;Argument[0].Element;Argument[this].Element;value;manual" + JsonArray out = null; + JsonArray in = newWithElementDefault((JsonElement) source()); + out.addAll(in); sink(getElement(out)); // $ hasValueFlow } { // "com.google.gson;JsonArray;true;asList;;;Argument[this].Element;ReturnValue.Element;value;manual" List out = null; - JsonArray in = (JsonArray)newWithElementDefault((String) source()); + JsonArray in = newWithElementDefault((JsonElement) source()); out = in.asList(); sink(getElement(out)); // $ hasValueFlow } { // "com.google.gson;JsonArray;true;get;;;Argument[this].Element;ReturnValue;value;manual" JsonElement out = null; - JsonArray in = (JsonArray)newWithElementDefault((String) source()); + JsonArray in = newWithElementDefault((JsonElement) source()); out = in.get(0); sink(out); // $ hasValueFlow } @@ -400,51 +407,51 @@ public class Test { sink(getMapKeyDefault(out)); // $ hasValueFlow } { - // "com.google.gson;JsonObject;true;addProperty;(String,String);;Argument[1];Argument[this].MapValue;value;manual" + // "com.google.gson;JsonObject;true;addProperty;(String,String);;Argument[1];Argument[this].MapValue;taint;manual" JsonObject out = null; String in = (String)source(); out.addProperty((String)null, in); - sink(getMapValueDefault(out)); // $ hasValueFlow + sink(getMapValueDefault(out)); // $ hasTaintFlow } { // "com.google.gson;JsonObject;true;asMap;;;Argument[this].MapKey;ReturnValue.MapKey;value;manual" Map out = null; - JsonObject in = (JsonObject)newWithMapKeyDefault((String) source()); + JsonObject in = newWithMapKeyDefault((String) source()); out = in.asMap(); sink(getMapKey(out)); // $ hasValueFlow } { // "com.google.gson;JsonObject;true;asMap;;;Argument[this].MapValue;ReturnValue.MapValue;value;manual" Map out = null; - JsonObject in = (JsonObject)newWithMapValueDefault((JsonElement) source()); + JsonObject in = newWithMapValueDefault((JsonElement) source()); out = in.asMap(); sink(getMapValue(out)); // $ hasValueFlow } { // "com.google.gson;JsonObject;true;entrySet;;;Argument[this].MapKey;ReturnValue.Element.MapKey;value;manual" Set> out = null; - JsonObject in = (JsonObject)newWithMapKeyDefault((String) source()); + JsonObject in = newWithMapKeyDefault((String) source()); out = in.entrySet(); sink(getMapKeyDefault(getElement(out))); // $ hasValueFlow } { - // "com.google.gson;JsonObject;true;entrySet;;;Argument[this].MapKey;ReturnValue.Element.MapValue;value;manual" + // "com.google.gson;JsonObject;true;entrySet;;;Argument[this].MapValue;ReturnValue.Element.MapValue;value;manual" Set> out = null; - JsonObject in = (JsonObject) newWithMapKeyDefault((String) source()); + JsonObject in = newWithMapValueDefault((JsonElement) source()); out = in.entrySet(); sink(getMapValueDefault(getElement(out))); // $ hasValueFlow } { // "com.google.gson;JsonObject;true;get;;;Argument[this].MapValue;ReturnValue;value;manual" JsonElement out = null; - JsonObject in = (JsonObject)newWithMapValueDefault((JsonElement) source()); + JsonObject in = newWithMapValueDefault((JsonElement) source()); out = in.get(null); sink(out); // $ hasValueFlow } { // "com.google.gson;JsonObject;true;keySet;;;Argument[this].MapKey;ReturnValue.Element;value;manual" Set out = null; - JsonObject in = (JsonObject)newWithMapKeyDefault((String) source()); + JsonObject in = newWithMapKeyDefault((String) source()); out = in.keySet(); sink(getElement(out)); // $ hasValueFlow } diff --git a/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.expected b/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.expected index 0056c25bb53..3162056ab42 100644 --- a/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.expected +++ b/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.expected @@ -1,7 +1,7 @@ -| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:5:5:5:19 | User.java:5:5:5:19 | after this call to getStrings | -| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:13:12:13:26 | User.java:13:12:13:26 | after this call to getStrings | -| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:38:12:38:26 | User.java:38:12:38:26 | after this call to getStrings | -| ExposesRep.java:13:30:13:41 | getStringMap | getStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:9:5:9:21 | User.java:9:5:9:21 | after this call to getStringMap | -| ExposesRep.java:17:15:17:24 | setStrings | setStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:22:5:22:6 | User.java:22:5:22:6 | through the variable ss | -| ExposesRep.java:21:15:21:26 | setStringMap | setStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:27:5:27:5 | User.java:27:5:27:5 | through the variable m | -| ExposesRep.java:29:14:29:21 | getArray | getArray exposes the internal representation stored in field array. The value may be modified $@. | User.java:31:5:31:18 | User.java:31:5:31:18 | after this call to getArray | +| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:5:5:5:19 | getStrings(...) | after this call to getStrings | +| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:13:12:13:26 | getStrings(...) | after this call to getStrings | +| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:38:12:38:26 | getStrings(...) | after this call to getStrings | +| ExposesRep.java:13:30:13:41 | getStringMap | getStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:9:5:9:21 | getStringMap(...) | after this call to getStringMap | +| ExposesRep.java:17:15:17:24 | setStrings | setStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:22:5:22:6 | ss | through the variable ss | +| ExposesRep.java:21:15:21:26 | setStringMap | setStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:27:5:27:5 | m | through the variable m | +| ExposesRep.java:29:14:29:21 | getArray | getArray exposes the internal representation stored in field array. The value may be modified $@. | User.java:31:5:31:18 | getArray(...) | after this call to getArray | diff --git a/java/ql/test/query-tests/Metrics/GeneratedVsManualCoverage/TopJdkApisTest/TopJdkApisTest.expected b/java/ql/test/query-tests/Metrics/GeneratedVsManualCoverage/TopJdkApisTest/TopJdkApisTest.expected index b362ef171f5..4fee1c07e06 100644 --- a/java/ql/test/query-tests/Metrics/GeneratedVsManualCoverage/TopJdkApisTest/TopJdkApisTest.expected +++ b/java/ql/test/query-tests/Metrics/GeneratedVsManualCoverage/TopJdkApisTest/TopJdkApisTest.expected @@ -8,7 +8,7 @@ | java.nio | 0 | 0 | 2 | 3 | 5 | 0.4 | 0.0 | 0.4 | 0.0 | NaN | 0.6 | | java.nio.charset | 0 | 0 | 0 | 1 | 1 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 | | java.nio.file | 0 | 0 | 7 | 1 | 8 | 0.875 | 0.0 | 0.875 | 0.0 | NaN | 0.125 | -| java.sql | 0 | 0 | 2 | 14 | 16 | 0.125 | 0.0 | 0.125 | 0.0 | NaN | 0.875 | +| java.sql | 0 | 0 | 1 | 15 | 16 | 0.0625 | 0.0 | 0.0625 | 0.0 | NaN | 0.9375 | | java.text | 0 | 0 | 0 | 5 | 5 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 | | java.time | 0 | 0 | 0 | 17 | 17 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 | | java.time.chrono | 0 | 0 | 0 | 1 | 1 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 | diff --git a/java/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected b/java/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected index 6cb849601d5..5f0ed7d05df 100644 --- a/java/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected +++ b/java/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected @@ -1,2 +1,3 @@ +| java.io.File#File(String) | 1 | | java.io.FileWriter#FileWriter(File) | 1 | | java.net.URL#openStream() | 1 | diff --git a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected index 4616bd7c808..fd2c8fb4d5c 100644 --- a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected +++ b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected @@ -7,8 +7,8 @@ edges | Test.java:7:44:7:69 | ... + ... : String | Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | | Test.java:10:29:10:74 | {...} : String[] [[]] : String | Test.java:10:29:10:74 | new String[] | | Test.java:10:61:10:73 | ... + ... : String | Test.java:10:29:10:74 | {...} : String[] [[]] : String | -| Test.java:16:5:16:7 | cmd [post update] : List [] : String | Test.java:18:29:18:31 | cmd | -| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : List [] : String | +| Test.java:16:5:16:7 | cmd [post update] : ArrayList [] : String | Test.java:18:29:18:31 | cmd | +| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : ArrayList [] : String | | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | Test.java:24:29:24:32 | cmd1 | | Test.java:22:15:22:27 | ... + ... : String | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | | Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... : String | @@ -26,7 +26,7 @@ nodes | Test.java:10:29:10:74 | new String[] | semmle.label | new String[] | | Test.java:10:29:10:74 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String | | Test.java:10:61:10:73 | ... + ... : String | semmle.label | ... + ... : String | -| Test.java:16:5:16:7 | cmd [post update] : List [] : String | semmle.label | cmd [post update] : List [] : String | +| Test.java:16:5:16:7 | cmd [post update] : ArrayList [] : String | semmle.label | cmd [post update] : ArrayList [] : String | | Test.java:16:13:16:25 | ... + ... : String | semmle.label | ... + ... : String | | Test.java:18:29:18:31 | cmd | semmle.label | cmd | | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | semmle.label | cmd1 [post update] : String[] [[]] : String | diff --git a/javascript/extractor/lib/typescript/package.json b/javascript/extractor/lib/typescript/package.json index 0c8de4f1bbc..3190b683d34 100644 --- a/javascript/extractor/lib/typescript/package.json +++ b/javascript/extractor/lib/typescript/package.json @@ -2,7 +2,7 @@ "name": "typescript-parser-wrapper", "private": true, "dependencies": { - "typescript": "5.0.2" + "typescript": "5.1.3" }, "scripts": { "build": "tsc --project tsconfig.json", diff --git a/javascript/extractor/lib/typescript/src/main.ts b/javascript/extractor/lib/typescript/src/main.ts index 2e9f26b6953..2594f4e35f5 100644 --- a/javascript/extractor/lib/typescript/src/main.ts +++ b/javascript/extractor/lib/typescript/src/main.ts @@ -579,7 +579,6 @@ function handleOpenProjectCommand(command: OpenProjectCommand) { // inverse mapping, nor a way to enumerate all known module names. So we discover all // modules on the type roots (usually "node_modules/@types" but this is configurable). let typeRoots = ts.getEffectiveTypeRoots(config.options, { - directoryExists: (path) => ts.sys.directoryExists(path), getCurrentDirectory: () => basePath, }); diff --git a/javascript/extractor/lib/typescript/yarn.lock b/javascript/extractor/lib/typescript/yarn.lock index 88d32ae6b3a..355c257cf69 100644 --- a/javascript/extractor/lib/typescript/yarn.lock +++ b/javascript/extractor/lib/typescript/yarn.lock @@ -7,7 +7,7 @@ resolved "https://registry.yarnpkg.com/@types/node/-/node-18.15.3.tgz#f0b991c32cfc6a4e7f3399d6cb4b8cf9a0315014" integrity sha512-p6ua9zBxz5otCmbpb5D3U4B5Nanw6Pk3PPyX05xnxbB/fRv71N7CPmORg7uAD5P70T0xmx1pzAx/FUfa5X+3cw== -typescript@5.0.2: - version "5.0.2" - resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.0.2.tgz#891e1a90c5189d8506af64b9ef929fca99ba1ee5" - integrity sha512-wVORMBGO/FAs/++blGNeAVdbNKtIh1rbBL2EyQ1+J9lClJ93KiiKe8PmFIVdXhHcyv44SL9oglmfeSsndo0jRw== +typescript@5.1.3: + version "5.1.3" + resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.1.3.tgz#8d84219244a6b40b6fb2b33cc1c062f715b9e826" + integrity sha512-XH627E9vkeqhlZFQuL+UsyAXEnibT0kWR2FWONlr4sTjvxyJYnyefgrkyECLzM5NenmKzRAy2rR/OlYLA1HkZw== diff --git a/javascript/extractor/src/com/semmle/js/extractor/Main.java b/javascript/extractor/src/com/semmle/js/extractor/Main.java index 4f8bb2c1ced..2a188676924 100644 --- a/javascript/extractor/src/com/semmle/js/extractor/Main.java +++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java @@ -41,7 +41,7 @@ public class Main { * A version identifier that should be updated every time the extractor changes in such a way that * it may produce different tuples for the same file under the same {@link ExtractorConfig}. */ - public static final String EXTRACTOR_VERSION = "2023-03-16"; + public static final String EXTRACTOR_VERSION = "2023-04-19"; public static final Pattern NEWLINE = Pattern.compile("\n"); diff --git a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java index e34d552b777..7b68106bb3f 100644 --- a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java +++ b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java @@ -1552,8 +1552,13 @@ public class TypeScriptASTConverter { } private Node convertJsxAttribute(JsonObject node, SourceLocation loc) throws ParseError { + JsonObject nameNode = node.get("name").getAsJsonObject(); + if (nameNode.get("name") != null) { + // it's a namespaced attribute + nameNode = nameNode.get("name").getAsJsonObject(); + } return new JSXAttribute( - loc, convertJSXName(convertChild(node, "name")), convertChild(node, "initializer")); + loc, convertJSXName(((Expression)convertNode(nameNode, null))), convertChild(node, "initializer")); // 2 } private Node convertJsxClosingElement(JsonObject node, SourceLocation loc) throws ParseError { diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll index 5532c8d4726..6836e14e72c 100644 --- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll +++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll @@ -166,6 +166,3 @@ abstract class AtmConfig extends JS::TaintTracking::Configuration { ) } } - -/** DEPRECATED: Alias for AtmConfig */ -deprecated class ATMConfig = AtmConfig; diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll index 62531a9d423..0fc660796c4 100644 --- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll +++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll @@ -41,9 +41,6 @@ AstNode getAnAstNodeToFeaturize(Function f) { not result = f.getIdentifier() } -/** DEPRECATED: Alias for getAnAstNodeToFeaturize */ -deprecated ASTNode getAnASTNodeToFeaturize(Function f) { result = getAnAstNodeToFeaturize(f) } - /** * Gets a function that contains the endpoint. * @@ -130,9 +127,6 @@ AstNode getAnAstNodeWithAFeature(Function f) { result = getAnAstNodeToFeaturize(f) } -/** DEPRECATED: Alias for getAnAstNodeWithAFeature */ -deprecated ASTNode getAnASTNodeWithAFeature(Function f) { result = getAnAstNodeWithAFeature(f) } - /** Returns the number of source-code characters in a function. */ int getNumCharsInFunction(Function f) { result = diff --git a/javascript/ql/lib/Expressions/DOMProperties.qll b/javascript/ql/lib/Expressions/DOMProperties.qll index 17f53f8a366..fdb7e6024c2 100644 --- a/javascript/ql/lib/Expressions/DOMProperties.qll +++ b/javascript/ql/lib/Expressions/DOMProperties.qll @@ -4,9 +4,6 @@ import semmle.javascript.Externs -/** DEPRECATED: Alias for isDomRootType */ -deprecated predicate isDOMRootType = isDomRootType/1; - /** Holds if `p` is declared as a property of a DOM class or interface. */ pragma[nomagic] predicate isDomProperty(string p) { @@ -14,6 +11,3 @@ predicate isDomProperty(string p) { isDomRootType(emd.getDeclaringType().getASupertype*()) ) } - -/** DEPRECATED: Alias for isDomProperty */ -deprecated predicate isDOMProperty = isDomProperty/1; diff --git a/javascript/ql/lib/change-notes/2023-04-19-typescript-5-1.md b/javascript/ql/lib/change-notes/2023-04-19-typescript-5-1.md new file mode 100644 index 00000000000..7260bd3d389 --- /dev/null +++ b/javascript/ql/lib/change-notes/2023-04-19-typescript-5-1.md @@ -0,0 +1,4 @@ +--- +category: majorAnalysis +--- +* Added support for TypeScript 5.1. \ No newline at end of file diff --git a/javascript/ql/lib/change-notes/2023-06-02-delete-deps.md b/javascript/ql/lib/change-notes/2023-06-02-delete-deps.md new file mode 100644 index 00000000000..9edbce9771e --- /dev/null +++ b/javascript/ql/lib/change-notes/2023-06-02-delete-deps.md @@ -0,0 +1,10 @@ +--- +category: minorAnalysis +--- +* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead. +* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`. +* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`. +* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead. +* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead. +* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead. +* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`. \ No newline at end of file diff --git a/javascript/ql/lib/semmle/javascript/AST.qll b/javascript/ql/lib/semmle/javascript/AST.qll index 895922f952f..e4a1cf944c4 100644 --- a/javascript/ql/lib/semmle/javascript/AST.qll +++ b/javascript/ql/lib/semmle/javascript/AST.qll @@ -184,9 +184,6 @@ class AstNode extends @ast_node, NodeInStmtContainer { } } -/** DEPRECATED: Alias for AstNode */ -deprecated class ASTNode = AstNode; - /** * Holds if the given file is a `.d.ts` file. */ @@ -339,9 +336,6 @@ class EventHandlerCode extends @event_handler, CodeInAttribute { } */ class JavaScriptUrl extends @javascript_url, CodeInAttribute { } -/** DEPRECATED: Alias for JavaScriptUrl */ -deprecated class JavaScriptURL = JavaScriptUrl; - /** * A toplevel syntactic entity containing Closure-style externs definitions. * diff --git a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll index c543607e73f..080a1bc1209 100644 --- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll +++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll @@ -636,9 +636,6 @@ module API { /** Gets an API-node for this entry point. */ API::Node getANode() { result = root().getASuccessor(Label::entryPoint(this)) } - - /** DEPRECATED. Use `getANode()` instead. */ - deprecated API::Node getNode() { result = this.getANode() } } /** diff --git a/javascript/ql/lib/semmle/javascript/DefUse.qll b/javascript/ql/lib/semmle/javascript/DefUse.qll index 8ad710fdc57..a9d021f939e 100644 --- a/javascript/ql/lib/semmle/javascript/DefUse.qll +++ b/javascript/ql/lib/semmle/javascript/DefUse.qll @@ -243,71 +243,3 @@ class VarUse extends ControlFlowNode, @varref instanceof RValue { */ SsaVariable getSsaVariable() { result.getAUse() = this } } - -/** - * Holds if the definition of `v` in `def` reaches `use` along some control flow path - * without crossing another definition of `v`. - * DEPRECATED: Use the `SSA.qll` library instead. - */ -deprecated predicate definitionReaches(Variable v, VarDef def, VarUse use) { - v = use.getVariable() and - exists(BasicBlock bb, int i, int next | next = nextDefAfter(bb, v, i, def) | - exists(int j | j in [i + 1 .. next - 1] | bb.useAt(j, v, use)) - or - exists(BasicBlock succ | succ = bb.getASuccessor() | - succ.isLiveAtEntry(v, use) and - next = bb.length() - ) - ) -} - -/** - * Holds if the definition of local variable `v` in `def` reaches `use` along some control flow path - * without crossing another definition of `v`. - * DEPRECATED: Use the `SSA.qll` library instead. - */ -deprecated predicate localDefinitionReaches(LocalVariable v, VarDef def, VarUse use) { - exists(SsaExplicitDefinition ssa | - ssa.defines(def, v) and - ssa = getAPseudoDefinitionInput*(use.getSsaVariable().getDefinition()) - ) -} - -/** - * Holds if `nd` is a pseudo-definition and the result is one of its inputs. - * DEPRECATED: Use the `SSA.qll` library instead. - */ -deprecated private SsaDefinition getAPseudoDefinitionInput(SsaDefinition nd) { - result = nd.(SsaPseudoDefinition).getAnInput() -} - -/** - * Holds if `d` is a definition of `v` at index `i` in `bb`, and the result is the next index - * in `bb` after `i` at which the same variable is defined, or `bb.length()` if there is none. - */ -deprecated private int nextDefAfter(BasicBlock bb, Variable v, int i, VarDef d) { - bb.defAt(i, v, d) and - result = - min(int jj | - (bb.defAt(jj, v, _) or jj = bb.length()) and - jj > i - ) -} - -/** - * Holds if the `later` definition of `v` could overwrite its `earlier` definition. - * - * This is the case if there is a path from `earlier` to `later` that does not cross - * another definition of `v`. - * DEPRECATED: Use the `SSA.qll` library instead. - */ -deprecated predicate localDefinitionOverwrites(LocalVariable v, VarDef earlier, VarDef later) { - exists(BasicBlock bb, int next | next = nextDefAfter(bb, v, _, earlier) | - bb.defAt(next, v, later) - or - exists(BasicBlock succ | succ = bb.getASuccessor() | - succ.localMayBeOverwritten(v, later) and - next = bb.length() - ) - ) -} diff --git a/javascript/ql/lib/semmle/javascript/E4X.qll b/javascript/ql/lib/semmle/javascript/E4X.qll index 47f1b8e4189..cd112d60664 100644 --- a/javascript/ql/lib/semmle/javascript/E4X.qll +++ b/javascript/ql/lib/semmle/javascript/E4X.qll @@ -16,9 +16,6 @@ module E4X { */ class XmlAnyName extends Expr, @e4x_xml_anyname { } - /** DEPRECATED: Alias for XmlAnyName */ - deprecated class XMLAnyName = XmlAnyName; - /** * An E4X qualified identifier. * @@ -57,9 +54,6 @@ module E4X { } } - /** DEPRECATED: Alias for XmlQualifiedIdentifier */ - deprecated class XMLQualifiedIdentifier = XmlQualifiedIdentifier; - /** * An E4X attribute selector. * @@ -89,9 +83,6 @@ module E4X { } } - /** DEPRECATED: Alias for XmlAttributeSelector */ - deprecated class XMLAttributeSelector = XmlAttributeSelector; - /** * An E4X filter expression. * @@ -117,9 +108,6 @@ module E4X { } } - /** DEPRECATED: Alias for XmlFilterExpression */ - deprecated class XMLFilterExpression = XmlFilterExpression; - /** * An E4X "dot-dot" expression. * @@ -144,7 +132,4 @@ module E4X { result = this.getBase().getFirstControlFlowNode() } } - - /** DEPRECATED: Alias for XmlDotDotExpression */ - deprecated class XMLDotDotExpression = XmlDotDotExpression; } diff --git a/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll index e9828e5bf25..35ba8cfe601 100644 --- a/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll +++ b/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll @@ -234,7 +234,8 @@ module AccessPath { or baseName = fromRhs(write.getBase(), root) or - baseName = fromRhs(GetLaterAccess::getLaterBaseAccess(write), root) + baseName = fromRhs(GetLaterAccess::getLaterBaseAccess(write), root) and + not baseName.matches("%.%") ) or exists(GlobalVariable var | diff --git a/javascript/ql/lib/semmle/javascript/JSON.qll b/javascript/ql/lib/semmle/javascript/JSON.qll index c0d78c078da..1e56fc00657 100644 --- a/javascript/ql/lib/semmle/javascript/JSON.qll +++ b/javascript/ql/lib/semmle/javascript/JSON.qll @@ -61,9 +61,6 @@ class JsonValue extends @json_value, Locatable { override string getAPrimaryQlClass() { result = "JsonValue" } } -/** DEPRECATED: Alias for JsonValue */ -deprecated class JSONValue = JsonValue; - /** * A JSON-encoded primitive value. * @@ -85,9 +82,6 @@ abstract class JsonPrimitiveValue extends JsonValue { string getRawValue() { json_literals(_, result, this) } } -/** DEPRECATED: Alias for JsonPrimitiveValue */ -deprecated class JSONPrimitiveValue = JsonPrimitiveValue; - /** * A JSON-encoded null value. * @@ -101,9 +95,6 @@ class JsonNull extends @json_null, JsonPrimitiveValue { override string getAPrimaryQlClass() { result = "JsonNull" } } -/** DEPRECATED: Alias for JsonNull */ -deprecated class JSONNull = JsonNull; - /** * A JSON-encoded Boolean value. * @@ -118,9 +109,6 @@ class JsonBoolean extends @json_boolean, JsonPrimitiveValue { override string getAPrimaryQlClass() { result = "JsonBoolean" } } -/** DEPRECATED: Alias for JsonBoolean */ -deprecated class JSONBoolean = JsonBoolean; - /** * A JSON-encoded number. * @@ -135,9 +123,6 @@ class JsonNumber extends @json_number, JsonPrimitiveValue { override string getAPrimaryQlClass() { result = "JsonNumber" } } -/** DEPRECATED: Alias for JsonNumber */ -deprecated class JSONNumber = JsonNumber; - /** * A JSON-encoded string value. * @@ -151,9 +136,6 @@ class JsonString extends @json_string, JsonPrimitiveValue { override string getAPrimaryQlClass() { result = "JsonString" } } -/** DEPRECATED: Alias for JsonString */ -deprecated class JSONString = JsonString; - /** * A JSON-encoded array. * @@ -170,9 +152,6 @@ class JsonArray extends @json_array, JsonValue { string getElementStringValue(int i) { result = this.getElementValue(i).getStringValue() } } -/** DEPRECATED: Alias for JsonArray */ -deprecated class JSONArray = JsonArray; - /** * A JSON-encoded object. * @@ -189,9 +168,6 @@ class JsonObject extends @json_object, JsonValue { string getPropStringValue(string name) { result = this.getPropValue(name).getStringValue() } } -/** DEPRECATED: Alias for JsonObject */ -deprecated class JSONObject = JsonObject; - /** * An error reported by the JSON parser. */ @@ -200,6 +176,3 @@ class JsonParseError extends @json_parse_error, Error { override string getMessage() { json_errors(this, result) } } - -/** DEPRECATED: Alias for JsonParseError */ -deprecated class JSONParseError = JsonParseError; diff --git a/javascript/ql/lib/semmle/javascript/JSX.qll b/javascript/ql/lib/semmle/javascript/JSX.qll index fa8f79fb2bb..6fd7c775d4e 100644 --- a/javascript/ql/lib/semmle/javascript/JSX.qll +++ b/javascript/ql/lib/semmle/javascript/JSX.qll @@ -30,9 +30,6 @@ class JsxNode extends Expr, @jsx_element { override string getAPrimaryQlClass() { result = "JsxNode" } } -/** DEPRECATED: Alias for JsxNode */ -deprecated class JSXNode = JsxNode; - /** * A JSX element. * @@ -81,9 +78,6 @@ class JsxElement extends JsxNode { deprecated predicate isHTMLElement() { this.isHtmlElement() } } -/** DEPRECATED: Alias for JsxElement */ -deprecated class JSXElement = JsxElement; - /** * A JSX fragment. * @@ -105,9 +99,6 @@ class JsxFragment extends JsxNode { override string getAPrimaryQlClass() { result = "JsxFragment" } } -/** DEPRECATED: Alias for JsxFragment */ -deprecated class JSXFragment = JsxFragment; - /** * An attribute of a JSX element, including spread attributes. * @@ -154,9 +145,6 @@ class JsxAttribute extends AstNode, @jsx_attribute { override string getAPrimaryQlClass() { result = "JsxAttribute" } } -/** DEPRECATED: Alias for JsxAttribute */ -deprecated class JSXAttribute = JsxAttribute; - /** * A spread attribute of a JSX element. * @@ -175,9 +163,6 @@ class JsxSpreadAttribute extends JsxAttribute { } } -/** DEPRECATED: Alias for JsxSpreadAttribute */ -deprecated class JSXSpreadAttribute = JsxSpreadAttribute; - /** * A namespace-qualified name such as `n:a`. * @@ -201,9 +186,6 @@ class JsxQualifiedName extends Expr, @jsx_qualified_name { override string getAPrimaryQlClass() { result = "JsxQualifiedName" } } -/** DEPRECATED: Alias for JsxQualifiedName */ -deprecated class JSXQualifiedName = JsxQualifiedName; - /** * A name of an JSX element or attribute (which is * always an identifier, a dot expression, or a qualified @@ -244,9 +226,6 @@ class JsxName extends Expr { } } -/** DEPRECATED: Alias for JsxName */ -deprecated class JSXName = JsxName; - /** * An interpolating expression that interpolates nothing. * @@ -260,9 +239,6 @@ class JsxEmptyExpr extends Expr, @jsx_empty_expr { override string getAPrimaryQlClass() { result = "JsxEmptyExpr" } } -/** DEPRECATED: Alias for JsxEmptyExpr */ -deprecated class JSXEmptyExpr = JsxEmptyExpr; - /** * A legacy `@jsx` pragma. * @@ -284,6 +260,3 @@ class JsxPragma extends JSDocTag { /** DEPRECATED: Alias for getDomName */ deprecated string getDOMName() { result = this.getDomName() } } - -/** DEPRECATED: Alias for JsxPragma */ -deprecated class JSXPragma = JsxPragma; diff --git a/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll b/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll index 0ca2ec2ac2e..d128dd9a653 100644 --- a/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll +++ b/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll @@ -77,6 +77,3 @@ class PrettyJsonTaintStep extends TaintTracking::SharedTaintStep { ) } } - -/** DEPRECATED: Alias for PrettyJsonTaintStep */ -deprecated class PrettyJSONTaintStep = PrettyJsonTaintStep; diff --git a/javascript/ql/lib/semmle/javascript/NPM.qll b/javascript/ql/lib/semmle/javascript/NPM.qll index e1059d94930..0bf92c5d29a 100644 --- a/javascript/ql/lib/semmle/javascript/NPM.qll +++ b/javascript/ql/lib/semmle/javascript/NPM.qll @@ -262,9 +262,6 @@ class PackageJson extends JsonObject { Module getTypingsModule() { result.getFile() = this.getTypingsFile() } } -/** DEPRECATED: Alias for PackageJson */ -deprecated class PackageJSON = PackageJson; - /** * A representation of bug tracker information for an NPM package. */ @@ -370,9 +367,6 @@ class NpmPackage extends @folder { /** Gets the `package.json` object of this package. */ PackageJson getPackageJson() { result = pkg } - /** DEPRECATED: Alias for getPackageJson */ - deprecated PackageJSON getPackageJSON() { result = this.getPackageJson() } - /** Gets the name of this package. */ string getPackageName() { result = this.getPackageJson().getPackageName() } @@ -411,9 +405,6 @@ class NpmPackage extends @folder { predicate declaresDependency(string p, string v) { pkg.declaresDependency(p, v) } } -/** DEPRECATED: Alias for NpmPackage */ -deprecated class NPMPackage = NpmPackage; - /** * Gets the parent folder of `c`, provided that they belong to the same NPM * package; that is, `c` must not be a `node_modules` folder. diff --git a/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll b/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll index 468d31c2c02..7231143ed55 100644 --- a/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll +++ b/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll @@ -198,7 +198,7 @@ class MainModulePath extends PathExpr, @json_string { } /** DEPRECATED: Alias for getPackageJson */ - deprecated PackageJSON getPackageJSON() { result = this.getPackageJson() } + deprecated PackageJson getPackageJSON() { result = this.getPackageJson() } override string getValue() { result = this.(JsonString).getValue() } @@ -259,7 +259,7 @@ private class FilesPath extends PathExpr, @json_string { PackageJson getPackageJson() { result = pkg } /** DEPRECATED: Alias for getPackageJson */ - deprecated PackageJSON getPackageJSON() { result = this.getPackageJson() } + deprecated PackageJson getPackageJSON() { result = this.getPackageJson() } override string getValue() { result = this.(JsonString).getValue() } diff --git a/javascript/ql/lib/semmle/javascript/PrintAst.qll b/javascript/ql/lib/semmle/javascript/PrintAst.qll index 5c4960e041c..0defda1dc6b 100644 --- a/javascript/ql/lib/semmle/javascript/PrintAst.qll +++ b/javascript/ql/lib/semmle/javascript/PrintAst.qll @@ -391,9 +391,6 @@ private module PrintJavaScript { } } - /** DEPRECATED: Alias for JsxNodeNode */ - deprecated class JSXNodeNode = JsxNodeNode; - /** * An aggregate node representing all the attributes in a `JSXNode`. */ @@ -409,17 +406,11 @@ private module PrintJavaScript { */ JsxElement getJsxElement() { result = n } - /** DEPRECATED: Alias for getJsxElement */ - deprecated JSXElement getJSXElement() { result = this.getJsxElement() } - override PrintAstNode getChild(int childIndex) { result.(ElementNode).getElement() = n.getAttribute(childIndex) } } - /** DEPRECATED: Alias for JsxAttributesNode */ - deprecated class JSXAttributesNode = JsxAttributesNode; - /** * An aggregate node representing all the body elements in a `JSXNode`. */ @@ -435,17 +426,11 @@ private module PrintJavaScript { */ JsxNode getJsxNode() { result = n } - /** DEPRECATED: Alias for getJsxNode */ - deprecated JSXNode getJSXNode() { result = this.getJsxNode() } - override PrintAstNode getChild(int childIndex) { result.(ElementNode).getElement() = n.getBodyElement(childIndex) } } - /** DEPRECATED: Alias for JsxBodyElementsNode */ - deprecated class JSXBodyElementsNode = JsxBodyElementsNode; - /** * A node representing any `ASTNode` that has type-parameters. * @@ -582,9 +567,6 @@ private module PrintJson { } } - /** DEPRECATED: Alias for JsonNode */ - deprecated class JSONNode = JsonNode; - /** Provied predicates for pretty printing JSON. */ private module PrettyPrinting { /** @@ -655,9 +637,6 @@ module PrintYaml { } } - /** DEPRECATED: Alias for YamlNodeNode */ - deprecated class YAMLNodeNode = YamlNodeNode; - /** * A print node representing a `YAMLMapping`. * @@ -671,9 +650,6 @@ module PrintYaml { } } - /** DEPRECATED: Alias for YamlMappingNode */ - deprecated class YAMLMappingNode = YamlMappingNode; - /** * A print node representing the `i`th mapping in `mapping`. */ @@ -703,14 +679,8 @@ module PrintYaml { childIndex = 1 and result.(YamlNodeNode).getValue() = mapping.getValueNode(i) } } - - /** DEPRECATED: Alias for YamlMappingMapNode */ - deprecated class YAMLMappingMapNode = YamlMappingMapNode; } -/** DEPRECATED: Alias for PrintYaml */ -deprecated module PrintYAML = PrintYaml; - /** * Classes for printing HTML AST. */ @@ -741,9 +711,6 @@ module PrintHtml { } } - /** DEPRECATED: Alias for HtmlElementNode */ - deprecated class HTMLElementNode = HtmlElementNode; - /** * A print node representing an HTML node in a .html file. */ @@ -757,9 +724,6 @@ module PrintHtml { } } - /** DEPRECATED: Alias for HtmlScriptElementNode */ - deprecated class HTMLScriptElementNode = HtmlScriptElementNode; - /** * A print node representing the code inside a `