more command line shenanigans

Java: Remove some redundant string concatenations, and a double space

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -41,7 +41,7 @@ jobs:
         git log -1 --format='%H'
       working-directory: base
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/csv-coverage-pr-comment.yml

@@ -22,7 +22,7 @@ jobs:
     - name: Clone self (github/codeql)
       uses: actions/checkout@v3
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
 

.github/workflows/csv-coverage-timeseries.yml

@@ -19,7 +19,7 @@ jobs:
         path: codeqlModels
         fetch-depth: 0
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/csv-coverage-update.yml

@@ -22,7 +22,7 @@ jobs:
         path: ql
         fetch-depth: 0
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/csv-coverage.yml

@@ -23,7 +23,7 @@ jobs:
         path: codeqlModels
         ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/ql-for-ql-build.yml

@@ -187,7 +187,6 @@ jobs:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
-          tools: latest
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
@@ -200,4 +199,3 @@ jobs:
         with:
           name: ${{ matrix.folder }}.sarif
           path: ${{ matrix.folder }}.sarif
-

.github/workflows/query-list.yml

@@ -23,7 +23,7 @@ jobs:
       with:
         path: codeql 
     - name: Set up Python 3.8
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: 3.8
     - name: Download CodeQL CLI

.github/workflows/swift-codegen.yml

@@ -22,7 +22,7 @@ jobs:
         run: |
           bazel run //swift/codegen
           git add swift
-          git diff --exit-code --stat HEAD
+          git diff --exit-code HEAD
       - name: Generate C++ files
         run: |
           bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/swift-generated-headers

config/identical-files.json

@@ -75,7 +75,8 @@
   "DataFlow Java/C# Flow Summaries": [
     "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll"
   ],
   "SsaReadPosition Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
@@ -527,7 +528,8 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
-    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll"
+    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll",
+    "swift/ql/lib/codeql/swift/dataflow/internal/AccessPathSyntax.qll"
   ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -168,7 +168,7 @@ private predicate callsVariadicFormatter(
 ) {
   // calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
   exists(FunctionCall fc, int format, int output |
-    variadicFormatter(fc.getTarget(), type, format, output) and
+    variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
     fc.getEnclosingFunction() = f and
     fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
     fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
@@ -176,7 +176,7 @@ private predicate callsVariadicFormatter(
   or
   // calls a variadic formatter with only `formatParamIndex` linked
   exists(FunctionCall fc, string calledType, int format, int output |
-    variadicFormatter(fc.getTarget(), calledType, format, output) and
+    variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
     fc.getEnclosingFunction() = f and
     fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
     not fc.getArgument(output) = f.getParameter(_).getAnAccess() and

cpp/ql/test/library-tests/controlflow/dereferenced/dereferenced.cpp

@@ -0,0 +1,49 @@
+
+int *global_ptr;
+const char *global_string = "hello, world";
+
+void test1(int *ptr, int &ref)
+{
+	const char *str;
+	int v, *p;
+	char c;
+
+	v = *ptr; // `ptr` dereferenced
+	v = ptr[0]; // `ptr` dereferenced
+	p = ptr;
+
+	*ptr = 0; // `ptr` dereferenced
+	ptr[0] = 0; // `ptr` dereferenced
+	ptr = 0;
+
+	(*ptr)++; // `ptr`, `*ptr` dereferenced
+	*(ptr++); // `ptr++` dereferenced
+	ptr++;
+
+	v = ref; // (`ref` implicitly dereferenced, not detected)
+	p = &ref;
+	ref = 0; // (`ref` implicitly dereferenced, not detected)
+	ref++; // (`ref` implicitly dereferenced, not detected)
+
+	*global_ptr; // `global_ptr` dereferenced
+	str = global_string;
+	c = global_string[5]; // `global_string` dereferenced
+}
+
+struct myStruct
+{
+	int x;
+	void f() {};
+	void (*g)();
+};
+
+void test1(myStruct *ms)
+{
+	void (*h)();
+
+	ms;
+	ms->x; // `ms` dereferenced
+	ms->f(); // `ms` dereferenced
+	ms->g(); // `ms` dereferenced
+	h = ms->g; // `ms` dereferenced
+}

cpp/ql/test/library-tests/controlflow/dereferenced/dereferenced.expected

@@ -0,0 +1,13 @@
+| dereferenced.cpp:11:6:11:9 | * ... | dereferenced.cpp:11:7:11:9 | ptr |
+| dereferenced.cpp:12:6:12:11 | access to array | dereferenced.cpp:12:6:12:8 | ptr |
+| dereferenced.cpp:15:2:15:5 | * ... | dereferenced.cpp:15:3:15:5 | ptr |
+| dereferenced.cpp:16:2:16:7 | access to array | dereferenced.cpp:16:2:16:4 | ptr |
+| dereferenced.cpp:19:3:19:6 | * ... | dereferenced.cpp:19:4:19:6 | ptr |
+| dereferenced.cpp:19:4:19:6 | ptr | dereferenced.cpp:19:3:19:6 | * ... |
+| dereferenced.cpp:20:2:20:9 | * ... | dereferenced.cpp:20:4:20:8 | ... ++ |
+| dereferenced.cpp:28:2:28:12 | * ... | dereferenced.cpp:28:3:28:12 | global_ptr |
+| dereferenced.cpp:30:6:30:21 | access to array | dereferenced.cpp:30:6:30:18 | global_string |
+| dereferenced.cpp:45:6:45:6 | x | dereferenced.cpp:45:2:45:3 | ms |
+| dereferenced.cpp:46:6:46:6 | call to f | dereferenced.cpp:46:2:46:3 | ms |
+| dereferenced.cpp:47:6:47:6 | g | dereferenced.cpp:47:2:47:3 | ms |
+| dereferenced.cpp:48:10:48:10 | g | dereferenced.cpp:48:6:48:7 | ms |

cpp/ql/test/library-tests/controlflow/dereferenced/dereferenced.ql

@@ -0,0 +1,6 @@
+import cpp
+import semmle.code.cpp.controlflow.Dereferenced
+
+from Expr op, Expr e
+where dereferencedByOperation(op, e) // => dereferenced(e)
+select op, e

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -218,10 +218,10 @@ postWithInFlow
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:20:11:20:11 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
+| lambdas.cpp:23:3:23:3 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:23:3:23:14 | v [post update] | PostUpdateNode should not be the target of local flow. |
-| lambdas.cpp:23:15:23:15 | (reference dereference) [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:7:28:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | lambdas.cpp:28:10:31:2 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |

cpp/ql/test/library-tests/ir/ir/operand_locations.expected

@@ -4833,6 +4833,9 @@
 | ir.cpp:1043:24:1043:24 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:31:1043:31 | Address | &:r1043_9 |
 | ir.cpp:1043:36:1043:55 | Address | &:r1043_11 |
+| ir.cpp:1043:43:1043:43 | Address | &:r1043_16 |
+| ir.cpp:1043:43:1043:43 | Arg(this) | this:r1043_16 |
+| ir.cpp:1043:43:1043:43 | SideEffect | ~m1043_20 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_22 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_24 |
 | ir.cpp:1043:43:1043:54 | Address | &:r1043_25 |
@@ -4853,11 +4856,8 @@
 | ir.cpp:1043:45:1043:49 | SideEffect | ~m1043_4 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_13 |
 | ir.cpp:1043:45:1043:49 | Unary | r1043_15 |
-| ir.cpp:1043:52:1043:52 | Address | &:r1043_16 |
-| ir.cpp:1043:52:1043:52 | Arg(this) | this:r1043_16 |
-| ir.cpp:1043:52:1043:52 | SideEffect | ~m1043_20 |
-| ir.cpp:1043:54:1043:54 | Load | ~m1043_20 |
-| ir.cpp:1043:54:1043:54 | Right | r1043_26 |
+| ir.cpp:1043:53:1043:53 | Load | ~m1043_20 |
+| ir.cpp:1043:53:1043:53 | Right | r1043_26 |
 | ir.cpp:1043:58:1043:58 | ChiPartial | partial:m1043_9 |
 | ir.cpp:1043:58:1043:58 | ChiTotal | total:m1043_3 |
 | ir.cpp:1043:58:1043:58 | StoreValue | r1043_8 |
@@ -4972,6 +4972,9 @@
 | ir.cpp:1047:34:1047:34 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:41:1047:41 | Address | &:r1047_9 |
 | ir.cpp:1047:46:1047:65 | Address | &:r1047_11 |
+| ir.cpp:1047:53:1047:53 | Address | &:r1047_16 |
+| ir.cpp:1047:53:1047:53 | Arg(this) | this:r1047_16 |
+| ir.cpp:1047:53:1047:53 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | Address | &:r1047_23 |
 | ir.cpp:1047:53:1047:64 | Load | ~m1047_20 |
 | ir.cpp:1047:53:1047:64 | StoreValue | r1047_24 |
@@ -4986,9 +4989,6 @@
 | ir.cpp:1047:55:1047:59 | SideEffect | ~m1047_4 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_13 |
 | ir.cpp:1047:55:1047:59 | Unary | r1047_15 |
-| ir.cpp:1047:62:1047:62 | Address | &:r1047_16 |
-| ir.cpp:1047:62:1047:62 | Arg(this) | this:r1047_16 |
-| ir.cpp:1047:62:1047:62 | SideEffect | ~m1047_20 |
 | ir.cpp:1047:63:1047:63 | Right | r1047_22 |
 | ir.cpp:1047:68:1047:68 | StoreValue | r1047_8 |
 | ir.cpp:1047:68:1047:68 | Unary | r1047_7 |
@@ -5097,6 +5097,9 @@
 | ir.cpp:1051:39:1051:39 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:46:1051:46 | Address | &:r1051_9 |
 | ir.cpp:1051:51:1051:70 | Address | &:r1051_11 |
+| ir.cpp:1051:58:1051:58 | Address | &:r1051_16 |
+| ir.cpp:1051:58:1051:58 | Arg(this) | this:r1051_16 |
+| ir.cpp:1051:58:1051:58 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_22 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_24 |
 | ir.cpp:1051:58:1051:69 | Address | &:r1051_26 |
@@ -5117,9 +5120,6 @@
 | ir.cpp:1051:60:1051:64 | SideEffect | ~m1051_4 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_13 |
 | ir.cpp:1051:60:1051:64 | Unary | r1051_15 |
-| ir.cpp:1051:67:1051:67 | Address | &:r1051_16 |
-| ir.cpp:1051:67:1051:67 | Arg(this) | this:r1051_16 |
-| ir.cpp:1051:67:1051:67 | SideEffect | ~m1051_20 |
 | ir.cpp:1051:73:1051:73 | ChiPartial | partial:m1051_9 |
 | ir.cpp:1051:73:1051:73 | ChiTotal | total:m1051_3 |
 | ir.cpp:1051:73:1051:73 | StoreValue | r1051_8 |
@@ -5184,6 +5184,9 @@
 | ir.cpp:1054:49:1054:49 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:56:1054:56 | Address | &:r1054_9 |
 | ir.cpp:1054:61:1054:88 | Address | &:r1054_11 |
+| ir.cpp:1054:68:1054:68 | Address | &:r1054_16 |
+| ir.cpp:1054:68:1054:68 | Arg(this) | this:r1054_16 |
+| ir.cpp:1054:68:1054:68 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | Address | &:r1054_37 |
 | ir.cpp:1054:68:1054:87 | Load | ~m1054_20 |
 | ir.cpp:1054:68:1054:87 | StoreValue | r1054_38 |
@@ -5198,9 +5201,6 @@
 | ir.cpp:1054:70:1054:74 | SideEffect | ~m1054_4 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_13 |
 | ir.cpp:1054:70:1054:74 | Unary | r1054_15 |
-| ir.cpp:1054:77:1054:77 | Address | &:r1054_16 |
-| ir.cpp:1054:77:1054:77 | Arg(this) | this:r1054_16 |
-| ir.cpp:1054:77:1054:77 | SideEffect | ~m1054_20 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_22 |
 | ir.cpp:1054:78:1054:82 | Address | &:r1054_24 |
 | ir.cpp:1054:78:1054:82 | Left | r1054_25 |

cpp/ql/test/library-tests/lambdas/captures/elements.expected

@@ -156,10 +156,10 @@
 | captures.cpp:23:12:23:16 | x |
 | captures.cpp:23:12:23:16 | y |
 | captures.cpp:23:12:23:20 | ... + ... |
+| captures.cpp:23:16:23:16 | (reference dereference) |
 | captures.cpp:23:16:23:16 | definition of y |
 | captures.cpp:23:16:23:16 | y |
 | captures.cpp:23:16:23:16 | y |
-| captures.cpp:23:18:23:18 | (reference dereference) |
 | captures.cpp:23:20:23:20 | z |
 | captures.cpp:26:3:26:24 | return ... |
 | captures.cpp:26:10:26:17 | (const lambda [] type at line 22, col. 19)... |

csharp/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -1,6 +1,6 @@
 /**
  * @name Capture sink models.
- * @description Finds public methods that act as sinks as they flow into a a known sink.
+ * @description Finds public methods that act as sinks as they flow into a known sink.
  * @kind diagnostic
  * @id cs/utils/model-generator/sink-models
  * @tags model-generator

java/kotlin-extractor/kotlin_plugin_versions.py

@@ -15,11 +15,11 @@ def is_windows():
     return False
 
 def version_tuple_to_string(version):
-    return f'{version[0]}.{version[1]}.{version[2]}'
+    return f'{version[0]}.{version[1]}.{version[2]}{version[3]}'
 
 def version_string_to_tuple(version):
-    m = re.match(r'([0-9]+)\.([0-9]+)\.([0-9]+)', version)
-    return tuple([int(m.group(i)) for i in range(1, 4)])
+    m = re.match(r'([0-9]+)\.([0-9]+)\.([0-9]+)(.*)', version)
+    return tuple([int(m.group(i)) for i in range(1, 4)] + [m.group(4)])
 
 many_versions = [ '1.4.32', '1.5.0', '1.5.10', '1.5.21', '1.5.31', '1.6.10', '1.7.0-RC', '1.6.20' ]
 

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -21,7 +21,9 @@ import org.jetbrains.kotlin.ir.types.*
 import org.jetbrains.kotlin.ir.util.*
 import org.jetbrains.kotlin.load.java.sources.JavaSourceElement
 import org.jetbrains.kotlin.load.java.structure.JavaClass
+import org.jetbrains.kotlin.load.java.structure.JavaMethod
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameter
+import org.jetbrains.kotlin.load.java.structure.JavaTypeParameterListOwner
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.types.Variance
 import org.jetbrains.kotlin.util.OperatorNameConventions
@@ -514,7 +516,7 @@ open class KotlinFileExtractor(
                 else
                     null
             } ?: vp.type
-            val javaType = ((vp.parent as? IrFunction)?.let { getJavaMethod(it) })?.valueParameters?.getOrNull(idx)?.type
+            val javaType = (vp.parent as? IrFunction)?.let { getJavaCallable(it)?.let { jCallable -> getJavaValueParameterType(jCallable, idx) } }
             val typeWithWildcards = addJavaLoweringWildcards(maybeErasedType, !hasWildcardSuppressionAnnotation(vp), javaType)
             val substitutedType = typeSubstitution?.let { it(typeWithWildcards, TypeContext.OTHER, pluginContext) } ?: typeWithWildcards
             val id = useValueParameter(vp, parent)
@@ -691,8 +693,8 @@ open class KotlinFileExtractor(
         with("function", f) {
             DeclarationStackAdjuster(f).use {
 
-                val javaMethod = getJavaMethod(f)
-                getFunctionTypeParameters(f).mapIndexed { idx, tp -> extractTypeParameter(tp, idx, javaMethod?.typeParameters?.getOrNull(idx)) }
+                val javaCallable = getJavaCallable(f)
+                getFunctionTypeParameters(f).mapIndexed { idx, tp -> extractTypeParameter(tp, idx, (javaCallable as? JavaTypeParameterListOwner)?.typeParameters?.getOrNull(idx)) }
 
                 val id =
                     idOverride
@@ -726,7 +728,7 @@ open class KotlinFileExtractor(
 
                 val paramsSignature = allParamTypes.joinToString(separator = ",", prefix = "(", postfix = ")") { it.javaResult.signature!! }
 
-                val adjustedReturnType = addJavaLoweringWildcards(getAdjustedReturnType(f), false, javaMethod?.returnType)
+                val adjustedReturnType = addJavaLoweringWildcards(getAdjustedReturnType(f), false, (javaCallable as? JavaMethod)?.returnType)
                 val substReturnType = typeSubstitution?.let { it(adjustedReturnType, TypeContext.RETURN, pluginContext) } ?: adjustedReturnType
 
                 val locId = locOverride ?: getLocation(f, classTypeArgsIncludingOuterClasses)

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -9,7 +9,6 @@ import org.jetbrains.kotlin.backend.common.ir.allOverridden
 import org.jetbrains.kotlin.backend.common.ir.isFinalClass
 import org.jetbrains.kotlin.backend.common.lower.parents
 import org.jetbrains.kotlin.backend.common.lower.parentsWithSelf
-import org.jetbrains.kotlin.backend.jvm.ir.getJvmNameFromAnnotation
 import org.jetbrains.kotlin.backend.jvm.ir.propertyIfAccessor
 import org.jetbrains.kotlin.builtins.StandardNames
 import org.jetbrains.kotlin.descriptors.*
@@ -84,7 +83,25 @@ open class KotlinUsesExtractor(
         makeDescription(StandardNames.FqNames.map, "<get-values>") to "values",
         makeDescription(FqName("java.util.Map"), "<get-values>") to "values",
         makeDescription(StandardNames.FqNames.map, "<get-entries>") to "entrySet",
-        makeDescription(FqName("java.util.Map"), "<get-entries>") to "entrySet"
+        makeDescription(FqName("java.util.Map"), "<get-entries>") to "entrySet",
+        makeDescription(StandardNames.FqNames.mutableList, "removeAt") to "remove",
+        makeDescription(FqName("java.util.List"), "removeAt") to "remove",
+        makeDescription(StandardNames.FqNames._enum.toSafe(), "<get-ordinal>") to "ordinal",
+        makeDescription(FqName("java.lang.Enum"), "<get-ordinal>") to "ordinal",
+        makeDescription(StandardNames.FqNames._enum.toSafe(), "<get-name>") to "name",
+        makeDescription(FqName("java.lang.Enum"), "<get-name>") to "name",
+        makeDescription(StandardNames.FqNames.number.toSafe(), "toByte") to "byteValue",
+        makeDescription(FqName("java.lang.Number"), "toByte") to "byteValue",
+        makeDescription(StandardNames.FqNames.number.toSafe(), "toShort") to "shortValue",
+        makeDescription(FqName("java.lang.Number"), "toShort") to "shortValue",
+        makeDescription(StandardNames.FqNames.number.toSafe(), "toInt") to "intValue",
+        makeDescription(FqName("java.lang.Number"), "toInt") to "intValue",
+        makeDescription(StandardNames.FqNames.number.toSafe(), "toLong") to "longValue",
+        makeDescription(FqName("java.lang.Number"), "toLong") to "longValue",
+        makeDescription(StandardNames.FqNames.number.toSafe(), "toFloat") to "floatValue",
+        makeDescription(FqName("java.lang.Number"), "toFloat") to "floatValue",
+        makeDescription(StandardNames.FqNames.number.toSafe(), "toDouble") to "doubleValue",
+        makeDescription(FqName("java.lang.Number"), "toDouble") to "doubleValue",
     )
 
     private val specialFunctionShortNames = specialFunctions.keys.map { it.functionName }.toSet()
@@ -92,7 +109,7 @@ open class KotlinUsesExtractor(
     fun getSpecialJvmName(f: IrFunction): String? {
         if (specialFunctionShortNames.contains(f.name) && f is IrSimpleFunction) {
             f.allOverridden(true).forEach { overriddenFunc ->
-                overriddenFunc.parentAsClass.fqNameWhenAvailable?.let { parentFqName ->
+                overriddenFunc.parentClassOrNull?.fqNameWhenAvailable?.let { parentFqName ->
                     specialFunctions[MethodKey(parentFqName, f.name)]?.let {
                         return it
                     }
@@ -996,7 +1013,7 @@ open class KotlinUsesExtractor(
             getFunctionTypeParameters(f),
             classTypeArgsIncludingOuterClasses,
             overridesCollectionsMethodWithAlteredParameterTypes(f),
-            getJavaMethod(f),
+            getJavaCallable(f),
             !hasWildcardSuppressionAnnotation(f)
         )
 
@@ -1028,7 +1045,7 @@ open class KotlinUsesExtractor(
         // parameter erasure to match the way this class will appear to an external consumer of the .class file.
         overridesCollectionsMethod: Boolean,
         // The Java signature of this callable, if known.
-        javaSignature: JavaMethod?,
+        javaSignature: JavaMember?,
         // If true, Java wildcards implied by Kotlin type parameter variance should be added by default to this function's value parameters' types.
         // (Return-type wildcard addition is always off by default)
         addParameterWildcardsByDefault: Boolean,
@@ -1056,7 +1073,7 @@ open class KotlinUsesExtractor(
             // If this has happened, erase the type again to get the correct Java signature.
             val maybeAmendedForCollections = if (overridesCollectionsMethod) eraseCollectionsMethodParameterType(it.value.type, name, it.index) else it.value.type
             // Add any wildcard types that the Kotlin compiler would add in the Java lowering of this function:
-            val withAddedWildcards = addJavaLoweringWildcards(maybeAmendedForCollections, addParameterWildcardsByDefault, javaSignature?.let { sig -> sig.valueParameters[it.index].type })
+            val withAddedWildcards = addJavaLoweringWildcards(maybeAmendedForCollections, addParameterWildcardsByDefault, javaSignature?.let { sig -> getJavaValueParameterType(sig, it.index) })
             // Now substitute any class type parameters in:
             val maybeSubbed = withAddedWildcards.substituteTypeAndArguments(substitutionMap, TypeContext.OTHER, pluginContext)
             // Finally, mimic the Java extractor's behaviour by naming functions with type parameters for their erased types;
@@ -1103,7 +1120,13 @@ open class KotlinUsesExtractor(
     }
 
     @OptIn(ObsoleteDescriptorBasedAPI::class)
-    fun getJavaMethod(f: IrFunction) = (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMethod
+    fun getJavaCallable(f: IrFunction) = (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
+
+    fun getJavaValueParameterType(m: JavaMember, idx: Int) = when(m) {
+        is JavaMethod -> m.valueParameters[idx].type
+        is JavaConstructor -> m.valueParameters[idx].type
+        else -> null
+    }
 
     fun hasWildcardSuppressionAnnotation(d: IrDeclaration) =
         d.hasAnnotation(jvmWildcardSuppressionAnnotaton) ||

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -304,6 +304,33 @@ class ContentSet instanceof Content {
   }
 }
 
+/**
+ * Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
+ *
+ * The expression `e` is expected to be a syntactic part of the guard `g`.
+ * For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
+ * the argument `x`.
+ */
+signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
+
+/**
+ * Provides a set of barrier nodes for a guard that validates an expression.
+ *
+ * This is expected to be used in `isBarrier`/`isSanitizer` definitions
+ * in data flow and taint tracking.
+ */
+module BarrierGuard<guardChecksSig/3 guardChecks> {
+  /** Gets a node that is safely guarded by the given guard check. */
+  Node getABarrierNode() {
+    exists(Guard g, SsaVariable v, boolean branch, RValue use |
+      guardChecks(g, v.getAUse(), branch) and
+      use = v.getAUse() and
+      g.controls(use.getBasicBlock(), branch) and
+      result.asExpr() = use
+    )
+  }
+}
+
 /**
  * A guard that validates some expression.
  *

java/ql/src/Likely Bugs/Cloning/MissingCallToSuperClone.ql

@@ -20,5 +20,5 @@ where
   c.fromSource() and
   exists(sc.getBody()) and
   not exists(CloneMethod ssc | sc.callsSuper(ssc))
-select sc, "This clone method does not call super.clone(), but is " + "overridden and called $@.",
-  c, "in a subclass"
+select sc, "This clone method does not call super.clone(), but is overridden and called $@.", c,
+  "in a subclass"

java/ql/src/Likely Bugs/Likely Typos/ConstructorTypo.ql

@@ -17,4 +17,4 @@ from Method m
 where
   m.hasName(m.getDeclaringType().getName()) and
   m.fromSource()
-select m, "This method has the same name as its declaring class." + " Should it be a constructor?"
+select m, "This method has the same name as its declaring class. Should it be a constructor?"

java/ql/src/Likely Bugs/Serialization/NonSerializableField.ql

@@ -96,5 +96,4 @@ where
   not exceptions(c, f) and
   reason = nonSerialReason(f.getType())
 select f,
-  "This field is in a serializable class, " + " but is not serializable itself because " + reason +
-    "."
+  "This field is in a serializable class, but is not serializable itself because " + reason + "."

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -19,15 +19,13 @@ import semmle.code.java.security.PathCreation
 import DataFlow::PathGraph
 import TaintedPathCommon
 
-class ContainsDotDotSanitizer extends DataFlow::BarrierGuard {
-  ContainsDotDotSanitizer() {
-    this.(MethodAccess).getMethod().hasName("contains") and
-    this.(MethodAccess).getAnArgument().(StringLiteral).getValue() = ".."
-  }
-
-  override predicate checks(Expr e, boolean branch) {
-    e = this.(MethodAccess).getQualifier() and branch = false
-  }
+predicate containsDotDotSanitizer(Guard g, Expr e, boolean branch) {
+  exists(MethodAccess contains | g = contains |
+    contains.getMethod().hasName("contains") and
+    contains.getAnArgument().(StringLiteral).getValue() = ".." and
+    e = contains.getQualifier() and
+    branch = false
+  )
 }
 
 class TaintedPathConfig extends TaintTracking::Configuration {
@@ -41,10 +39,8 @@ class TaintedPathConfig extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) {
     exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
-  }
-
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof ContainsDotDotSanitizer
+    or
+    node = DataFlow::BarrierGuard<containsDotDotSanitizer/3>::getABarrierNode()
   }
 }
 

java/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -1,6 +1,6 @@
 /**
  * @name Capture sink models.
- * @description Finds public methods that act as sinks as they flow into a a known sink.
+ * @description Finds public methods that act as sinks as they flow into a known sink.
  * @kind diagnostic
  * @id java/utils/model-generator/sink-models
  * @tags model-generator

java/ql/test/kotlin/library-tests/enum/enumUser.kt

@@ -0,0 +1 @@
+fun usesEnum(e: Enum<*>) = e.ordinal.toString() + e.name

java/ql/test/kotlin/library-tests/enum/test.expected

@@ -0,0 +1,27 @@
+| addAll |
+| addRange |
+| allOf |
+| asIterator |
+| clone |
+| compareTo |
+| complement |
+| complementOf |
+| copyOf |
+| describeConstable |
+| equals |
+| finalize |
+| getDeclaringClass |
+| hasMoreElements |
+| hashCode |
+| name |
+| nextElement |
+| noneOf |
+| of |
+| ordinal |
+| range |
+| resolveConstantDesc |
+| toString |
+| typeCheck |
+| usesEnum |
+| valueOf |
+| writeReplace |

java/ql/test/kotlin/library-tests/enum/test.ql

@@ -0,0 +1,5 @@
+import java
+
+from Method m
+where m.getDeclaringType().getName().matches("Enum%")
+select m.getName()

java/ql/test/kotlin/library-tests/exprs/PrintAst.expected

@@ -2057,44 +2057,44 @@ exprs.kt:
 #   39|         27: [LocalVariableDeclStmt] var ...;
 #   39|           1: [LocalVariableDeclExpr] by6
 #   39|             0: [ValueEQExpr] ... (value equals) ...
-#   39|               0: [MethodAccess] toInt(...)
+#   39|               0: [MethodAccess] intValue(...)
 #   39|                 -1: [VarAccess] byx
-#   39|               1: [MethodAccess] toInt(...)
+#   39|               1: [MethodAccess] intValue(...)
 #   39|                 -1: [VarAccess] byy
 #   40|         28: [LocalVariableDeclStmt] var ...;
 #   40|           1: [LocalVariableDeclExpr] by7
 #   40|             0: [ValueNEExpr] ... (value not-equals) ...
-#   40|               0: [MethodAccess] toInt(...)
+#   40|               0: [MethodAccess] intValue(...)
 #   40|                 -1: [VarAccess] byx
-#   40|               1: [MethodAccess] toInt(...)
+#   40|               1: [MethodAccess] intValue(...)
 #   40|                 -1: [VarAccess] byy
 #   41|         29: [LocalVariableDeclStmt] var ...;
 #   41|           1: [LocalVariableDeclExpr] by8
 #   41|             0: [LTExpr] ... < ...
-#   41|               0: [MethodAccess] toInt(...)
+#   41|               0: [MethodAccess] intValue(...)
 #   41|                 -1: [VarAccess] byx
-#   41|               1: [MethodAccess] toInt(...)
+#   41|               1: [MethodAccess] intValue(...)
 #   41|                 -1: [VarAccess] byy
 #   42|         30: [LocalVariableDeclStmt] var ...;
 #   42|           1: [LocalVariableDeclExpr] by9
 #   42|             0: [LEExpr] ... <= ...
-#   42|               0: [MethodAccess] toInt(...)
+#   42|               0: [MethodAccess] intValue(...)
 #   42|                 -1: [VarAccess] byx
-#   42|               1: [MethodAccess] toInt(...)
+#   42|               1: [MethodAccess] intValue(...)
 #   42|                 -1: [VarAccess] byy
 #   43|         31: [LocalVariableDeclStmt] var ...;
 #   43|           1: [LocalVariableDeclExpr] by10
 #   43|             0: [GTExpr] ... > ...
-#   43|               0: [MethodAccess] toInt(...)
+#   43|               0: [MethodAccess] intValue(...)
 #   43|                 -1: [VarAccess] byx
-#   43|               1: [MethodAccess] toInt(...)
+#   43|               1: [MethodAccess] intValue(...)
 #   43|                 -1: [VarAccess] byy
 #   44|         32: [LocalVariableDeclStmt] var ...;
 #   44|           1: [LocalVariableDeclExpr] by11
 #   44|             0: [GEExpr] ... >= ...
-#   44|               0: [MethodAccess] toInt(...)
+#   44|               0: [MethodAccess] intValue(...)
 #   44|                 -1: [VarAccess] byx
-#   44|               1: [MethodAccess] toInt(...)
+#   44|               1: [MethodAccess] intValue(...)
 #   44|                 -1: [VarAccess] byy
 #   45|         33: [LocalVariableDeclStmt] var ...;
 #   45|           1: [LocalVariableDeclExpr] by12
@@ -2132,44 +2132,44 @@ exprs.kt:
 #   53|         40: [LocalVariableDeclStmt] var ...;
 #   53|           1: [LocalVariableDeclExpr] s6
 #   53|             0: [ValueEQExpr] ... (value equals) ...
-#   53|               0: [MethodAccess] toInt(...)
+#   53|               0: [MethodAccess] intValue(...)
 #   53|                 -1: [VarAccess] sx
-#   53|               1: [MethodAccess] toInt(...)
+#   53|               1: [MethodAccess] intValue(...)
 #   53|                 -1: [VarAccess] sy
 #   54|         41: [LocalVariableDeclStmt] var ...;
 #   54|           1: [LocalVariableDeclExpr] s7
 #   54|             0: [ValueNEExpr] ... (value not-equals) ...
-#   54|               0: [MethodAccess] toInt(...)
+#   54|               0: [MethodAccess] intValue(...)
 #   54|                 -1: [VarAccess] sx
-#   54|               1: [MethodAccess] toInt(...)
+#   54|               1: [MethodAccess] intValue(...)
 #   54|                 -1: [VarAccess] sy
 #   55|         42: [LocalVariableDeclStmt] var ...;
 #   55|           1: [LocalVariableDeclExpr] s8
 #   55|             0: [LTExpr] ... < ...
-#   55|               0: [MethodAccess] toInt(...)
+#   55|               0: [MethodAccess] intValue(...)
 #   55|                 -1: [VarAccess] sx
-#   55|               1: [MethodAccess] toInt(...)
+#   55|               1: [MethodAccess] intValue(...)
 #   55|                 -1: [VarAccess] sy
 #   56|         43: [LocalVariableDeclStmt] var ...;
 #   56|           1: [LocalVariableDeclExpr] s9
 #   56|             0: [LEExpr] ... <= ...
-#   56|               0: [MethodAccess] toInt(...)
+#   56|               0: [MethodAccess] intValue(...)
 #   56|                 -1: [VarAccess] sx
-#   56|               1: [MethodAccess] toInt(...)
+#   56|               1: [MethodAccess] intValue(...)
 #   56|                 -1: [VarAccess] sy
 #   57|         44: [LocalVariableDeclStmt] var ...;
 #   57|           1: [LocalVariableDeclExpr] s10
 #   57|             0: [GTExpr] ... > ...
-#   57|               0: [MethodAccess] toInt(...)
+#   57|               0: [MethodAccess] intValue(...)
 #   57|                 -1: [VarAccess] sx
-#   57|               1: [MethodAccess] toInt(...)
+#   57|               1: [MethodAccess] intValue(...)
 #   57|                 -1: [VarAccess] sy
 #   58|         45: [LocalVariableDeclStmt] var ...;
 #   58|           1: [LocalVariableDeclExpr] s11
 #   58|             0: [GEExpr] ... >= ...
-#   58|               0: [MethodAccess] toInt(...)
+#   58|               0: [MethodAccess] intValue(...)
 #   58|                 -1: [VarAccess] sx
-#   58|               1: [MethodAccess] toInt(...)
+#   58|               1: [MethodAccess] intValue(...)
 #   58|                 -1: [VarAccess] sy
 #   59|         46: [LocalVariableDeclStmt] var ...;
 #   59|           1: [LocalVariableDeclExpr] s12

java/ql/test/kotlin/library-tests/exprs/binop.expected

@@ -14,24 +14,24 @@
 | exprs.kt:36:15:36:23 | ... - ... | exprs.kt:36:15:36:17 | byx | exprs.kt:36:21:36:23 | byy |
 | exprs.kt:37:15:37:23 | ... / ... | exprs.kt:37:15:37:17 | byx | exprs.kt:37:21:37:23 | byy |
 | exprs.kt:38:15:38:23 | ... % ... | exprs.kt:38:15:38:17 | byx | exprs.kt:38:21:38:23 | byy |
-| exprs.kt:39:15:39:24 | ... (value equals) ... | exprs.kt:39:15:39:17 | toInt(...) | exprs.kt:39:22:39:24 | toInt(...) |
-| exprs.kt:40:15:40:24 | ... (value not-equals) ... | exprs.kt:40:15:40:17 | toInt(...) | exprs.kt:40:22:40:24 | toInt(...) |
-| exprs.kt:41:15:41:23 | ... < ... | exprs.kt:41:15:41:17 | toInt(...) | exprs.kt:41:21:41:23 | toInt(...) |
-| exprs.kt:42:15:42:24 | ... <= ... | exprs.kt:42:15:42:17 | toInt(...) | exprs.kt:42:22:42:24 | toInt(...) |
-| exprs.kt:43:16:43:24 | ... > ... | exprs.kt:43:16:43:18 | toInt(...) | exprs.kt:43:22:43:24 | toInt(...) |
-| exprs.kt:44:16:44:25 | ... >= ... | exprs.kt:44:16:44:18 | toInt(...) | exprs.kt:44:23:44:25 | toInt(...) |
+| exprs.kt:39:15:39:24 | ... (value equals) ... | exprs.kt:39:15:39:17 | intValue(...) | exprs.kt:39:22:39:24 | intValue(...) |
+| exprs.kt:40:15:40:24 | ... (value not-equals) ... | exprs.kt:40:15:40:17 | intValue(...) | exprs.kt:40:22:40:24 | intValue(...) |
+| exprs.kt:41:15:41:23 | ... < ... | exprs.kt:41:15:41:17 | intValue(...) | exprs.kt:41:21:41:23 | intValue(...) |
+| exprs.kt:42:15:42:24 | ... <= ... | exprs.kt:42:15:42:17 | intValue(...) | exprs.kt:42:22:42:24 | intValue(...) |
+| exprs.kt:43:16:43:24 | ... > ... | exprs.kt:43:16:43:18 | intValue(...) | exprs.kt:43:22:43:24 | intValue(...) |
+| exprs.kt:44:16:44:25 | ... >= ... | exprs.kt:44:16:44:18 | intValue(...) | exprs.kt:44:23:44:25 | intValue(...) |
 | exprs.kt:45:16:45:26 | ... == ... | exprs.kt:45:16:45:18 | byx | exprs.kt:45:24:45:26 | byy |
 | exprs.kt:46:16:46:26 | ... != ... | exprs.kt:46:16:46:18 | byx | exprs.kt:46:24:46:26 | byy |
 | exprs.kt:49:14:49:20 | ... + ... | exprs.kt:49:14:49:15 | sx | exprs.kt:49:19:49:20 | sy |
 | exprs.kt:50:14:50:20 | ... - ... | exprs.kt:50:14:50:15 | sx | exprs.kt:50:19:50:20 | sy |
 | exprs.kt:51:14:51:20 | ... / ... | exprs.kt:51:14:51:15 | sx | exprs.kt:51:19:51:20 | sy |
 | exprs.kt:52:14:52:20 | ... % ... | exprs.kt:52:14:52:15 | sx | exprs.kt:52:19:52:20 | sy |
-| exprs.kt:53:14:53:21 | ... (value equals) ... | exprs.kt:53:14:53:15 | toInt(...) | exprs.kt:53:20:53:21 | toInt(...) |
-| exprs.kt:54:14:54:21 | ... (value not-equals) ... | exprs.kt:54:14:54:15 | toInt(...) | exprs.kt:54:20:54:21 | toInt(...) |
-| exprs.kt:55:14:55:20 | ... < ... | exprs.kt:55:14:55:15 | toInt(...) | exprs.kt:55:19:55:20 | toInt(...) |
-| exprs.kt:56:14:56:21 | ... <= ... | exprs.kt:56:14:56:15 | toInt(...) | exprs.kt:56:20:56:21 | toInt(...) |
-| exprs.kt:57:15:57:21 | ... > ... | exprs.kt:57:15:57:16 | toInt(...) | exprs.kt:57:20:57:21 | toInt(...) |
-| exprs.kt:58:15:58:22 | ... >= ... | exprs.kt:58:15:58:16 | toInt(...) | exprs.kt:58:21:58:22 | toInt(...) |
+| exprs.kt:53:14:53:21 | ... (value equals) ... | exprs.kt:53:14:53:15 | intValue(...) | exprs.kt:53:20:53:21 | intValue(...) |
+| exprs.kt:54:14:54:21 | ... (value not-equals) ... | exprs.kt:54:14:54:15 | intValue(...) | exprs.kt:54:20:54:21 | intValue(...) |
+| exprs.kt:55:14:55:20 | ... < ... | exprs.kt:55:14:55:15 | intValue(...) | exprs.kt:55:19:55:20 | intValue(...) |
+| exprs.kt:56:14:56:21 | ... <= ... | exprs.kt:56:14:56:15 | intValue(...) | exprs.kt:56:20:56:21 | intValue(...) |
+| exprs.kt:57:15:57:21 | ... > ... | exprs.kt:57:15:57:16 | intValue(...) | exprs.kt:57:20:57:21 | intValue(...) |
+| exprs.kt:58:15:58:22 | ... >= ... | exprs.kt:58:15:58:16 | intValue(...) | exprs.kt:58:21:58:22 | intValue(...) |
 | exprs.kt:59:15:59:23 | ... == ... | exprs.kt:59:15:59:16 | sx | exprs.kt:59:22:59:23 | sy |
 | exprs.kt:60:15:60:23 | ... != ... | exprs.kt:60:15:60:16 | sx | exprs.kt:60:22:60:23 | sy |
 | exprs.kt:63:14:63:20 | ... + ... | exprs.kt:63:14:63:15 | lx | exprs.kt:63:19:63:20 | ly |

java/ql/test/kotlin/library-tests/exprs/exprs.expected

@@ -1014,40 +1014,40 @@
 | exprs.kt:38:21:38:23 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
 | exprs.kt:39:5:39:24 | by6 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:39:15:39:17 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:39:15:39:17 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:39:15:39:17 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:39:15:39:24 | ... (value equals) ... | exprs.kt:4:1:136:1 | topLevelMethod | ValueEQExpr |
 | exprs.kt:39:22:39:24 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:39:22:39:24 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:39:22:39:24 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:40:5:40:24 | by7 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:40:15:40:17 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:40:15:40:17 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:40:15:40:17 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:40:15:40:24 | ... (value not-equals) ... | exprs.kt:4:1:136:1 | topLevelMethod | ValueNEExpr |
 | exprs.kt:40:22:40:24 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:40:22:40:24 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:40:22:40:24 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:41:5:41:23 | by8 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:41:15:41:17 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:41:15:41:17 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:41:15:41:17 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:41:15:41:23 | ... < ... | exprs.kt:4:1:136:1 | topLevelMethod | LTExpr |
 | exprs.kt:41:21:41:23 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:41:21:41:23 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:41:21:41:23 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:42:5:42:24 | by9 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:42:15:42:17 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:42:15:42:17 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:42:15:42:17 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:42:15:42:24 | ... <= ... | exprs.kt:4:1:136:1 | topLevelMethod | LEExpr |
 | exprs.kt:42:22:42:24 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:42:22:42:24 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:42:22:42:24 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:43:5:43:24 | by10 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:43:16:43:18 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:43:16:43:18 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:43:16:43:18 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:43:16:43:24 | ... > ... | exprs.kt:4:1:136:1 | topLevelMethod | GTExpr |
 | exprs.kt:43:22:43:24 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:43:22:43:24 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:43:22:43:24 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:44:5:44:25 | by11 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:44:16:44:18 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:44:16:44:18 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:44:16:44:18 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:44:16:44:25 | ... >= ... | exprs.kt:4:1:136:1 | topLevelMethod | GEExpr |
 | exprs.kt:44:23:44:25 | byy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:44:23:44:25 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
+| exprs.kt:44:23:44:25 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:45:5:45:26 | by12 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:45:16:45:18 | byx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
 | exprs.kt:45:16:45:26 | ... == ... | exprs.kt:4:1:136:1 | topLevelMethod | EQExpr |
@@ -1075,41 +1075,41 @@
 | exprs.kt:52:14:52:20 | ... % ... | exprs.kt:4:1:136:1 | topLevelMethod | RemExpr |
 | exprs.kt:52:19:52:20 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
 | exprs.kt:53:5:53:21 | s6 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
+| exprs.kt:53:14:53:15 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:53:14:53:15 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:53:14:53:15 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:53:14:53:21 | ... (value equals) ... | exprs.kt:4:1:136:1 | topLevelMethod | ValueEQExpr |
+| exprs.kt:53:20:53:21 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:53:20:53:21 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:53:20:53:21 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:54:5:54:21 | s7 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
+| exprs.kt:54:14:54:15 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:54:14:54:15 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:54:14:54:15 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:54:14:54:21 | ... (value not-equals) ... | exprs.kt:4:1:136:1 | topLevelMethod | ValueNEExpr |
+| exprs.kt:54:20:54:21 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:54:20:54:21 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:54:20:54:21 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:55:5:55:20 | s8 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
+| exprs.kt:55:14:55:15 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:55:14:55:15 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:55:14:55:15 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:55:14:55:20 | ... < ... | exprs.kt:4:1:136:1 | topLevelMethod | LTExpr |
+| exprs.kt:55:19:55:20 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:55:19:55:20 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:55:19:55:20 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:56:5:56:21 | s9 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
+| exprs.kt:56:14:56:15 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:56:14:56:15 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:56:14:56:15 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:56:14:56:21 | ... <= ... | exprs.kt:4:1:136:1 | topLevelMethod | LEExpr |
+| exprs.kt:56:20:56:21 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:56:20:56:21 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:56:20:56:21 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:57:5:57:21 | s10 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
+| exprs.kt:57:15:57:16 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:57:15:57:16 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:57:15:57:16 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:57:15:57:21 | ... > ... | exprs.kt:4:1:136:1 | topLevelMethod | GTExpr |
+| exprs.kt:57:20:57:21 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:57:20:57:21 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:57:20:57:21 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:58:5:58:22 | s11 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
+| exprs.kt:58:15:58:16 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:58:15:58:16 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:58:15:58:16 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:58:15:58:22 | ... >= ... | exprs.kt:4:1:136:1 | topLevelMethod | GEExpr |
+| exprs.kt:58:21:58:22 | intValue(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:58:21:58:22 | sy | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
-| exprs.kt:58:21:58:22 | toInt(...) | exprs.kt:4:1:136:1 | topLevelMethod | MethodAccess |
 | exprs.kt:59:5:59:23 | s12 | exprs.kt:4:1:136:1 | topLevelMethod | LocalVariableDeclExpr |
 | exprs.kt:59:15:59:16 | sx | exprs.kt:4:1:136:1 | topLevelMethod | VarAccess |
 | exprs.kt:59:15:59:23 | ... == ... | exprs.kt:4:1:136:1 | topLevelMethod | EQExpr |

java/ql/test/kotlin/library-tests/java-kotlin-collection-type-generic-methods/test.expected

@@ -33,7 +33,7 @@ methodWithDuplicate
 | AbstractList | indexOf | Object |
 | AbstractList | lastIndexOf | Object |
 | AbstractList | listIterator | int |
-| AbstractList | removeAt | int |
+| AbstractList | remove | int |
 | AbstractList | removeRange | int |
 | AbstractList | set | E |
 | AbstractList | set | int |
@@ -48,7 +48,7 @@ methodWithDuplicate
 | AbstractList<E> | indexOf | Object |
 | AbstractList<E> | lastIndexOf | Object |
 | AbstractList<E> | listIterator | int |
-| AbstractList<E> | removeAt | int |
+| AbstractList<E> | remove | int |
 | AbstractList<E> | removeRange | int |
 | AbstractList<E> | set | E |
 | AbstractList<E> | set | int |
@@ -90,7 +90,7 @@ methodWithDuplicate
 | AbstractMutableCollection | add | E |
 | AbstractMutableList | add | E |
 | AbstractMutableList | add | int |
-| AbstractMutableList | removeAt | int |
+| AbstractMutableList | remove | int |
 | AbstractMutableList | set | E |
 | AbstractMutableList | set | int |
 | AbstractMutableMap | put | K |
@@ -383,8 +383,8 @@ methodWithDuplicate
 | MutableList | addAll | int |
 | MutableList | listIterator | int |
 | MutableList | remove | Object |
+| MutableList | remove | int |
 | MutableList | removeAll | Collection<?> |
-| MutableList | removeAt | int |
 | MutableList | replaceAll | UnaryOperator<E> |
 | MutableList | retainAll | Collection<?> |
 | MutableList | set | E |

java/ql/test/kotlin/library-tests/java-lang-number-conversions/Test.java

@@ -0,0 +1,27 @@
+public class Test {
+
+  byte b;
+  short s;
+  int i;
+  long l;
+  float f;
+  double d;  
+
+  public void test(Number n, Byte b2) {
+
+    b = n.byteValue();
+    s = n.shortValue();
+    i = n.intValue();
+    l = n.longValue();
+    f = n.floatValue();
+    d = n.doubleValue();
+    b = b2.byteValue();
+    s = b2.shortValue();
+    i = b2.intValue();
+    l = b2.longValue();
+    f = b2.floatValue();
+    d = b2.doubleValue();
+
+  }
+
+}

java/ql/test/kotlin/library-tests/java-lang-number-conversions/test.expected

@@ -0,0 +1,50 @@
+| java.lang.Byte | byteValue |
+| java.lang.Byte | compare |
+| java.lang.Byte | compareTo |
+| java.lang.Byte | compareUnsigned |
+| java.lang.Byte | decode |
+| java.lang.Byte | describeConstable |
+| java.lang.Byte | doubleValue |
+| java.lang.Byte | equals |
+| java.lang.Byte | floatValue |
+| java.lang.Byte | hashCode |
+| java.lang.Byte | intValue |
+| java.lang.Byte | longValue |
+| java.lang.Byte | parseByte |
+| java.lang.Byte | shortValue |
+| java.lang.Byte | toString |
+| java.lang.Byte | toUnsignedInt |
+| java.lang.Byte | toUnsignedLong |
+| java.lang.Byte | valueOf |
+| java.lang.Number | byteValue |
+| java.lang.Number | doubleValue |
+| java.lang.Number | floatValue |
+| java.lang.Number | intValue |
+| java.lang.Number | longValue |
+| java.lang.Number | shortValue |
+| kotlin.Byte | byteValue |
+| kotlin.Byte | compareTo |
+| kotlin.Byte | dec |
+| kotlin.Byte | describeConstable |
+| kotlin.Byte | div |
+| kotlin.Byte | doubleValue |
+| kotlin.Byte | floatValue |
+| kotlin.Byte | inc |
+| kotlin.Byte | intValue |
+| kotlin.Byte | longValue |
+| kotlin.Byte | minus |
+| kotlin.Byte | plus |
+| kotlin.Byte | rangeTo |
+| kotlin.Byte | rem |
+| kotlin.Byte | shortValue |
+| kotlin.Byte | times |
+| kotlin.Byte | toChar |
+| kotlin.Byte | unaryMinus |
+| kotlin.Byte | unaryPlus |
+| kotlin.Number | byteValue |
+| kotlin.Number | doubleValue |
+| kotlin.Number | floatValue |
+| kotlin.Number | intValue |
+| kotlin.Number | longValue |
+| kotlin.Number | shortValue |
+| kotlin.Number | toChar |

java/ql/test/kotlin/library-tests/java-lang-number-conversions/test.kt

@@ -0,0 +1 @@
+fun f(n: Number, b: Byte) = n.toByte() + n.toShort() + n.toInt() + n.toLong() + n.toFloat() + n.toDouble() + b.toByte() + b.toShort() + b.toInt() + b.toLong() + b.toFloat() + b.toDouble()

java/ql/test/kotlin/library-tests/java-lang-number-conversions/test.ql

@@ -0,0 +1,5 @@
+import java
+
+from Method m
+where m.getDeclaringType().getName() = ["Number", "Byte"]
+select m.getDeclaringType().getQualifiedName(), m.toString()

java/ql/test/kotlin/library-tests/java-list-kotlin-user/MyList.java

@@ -0,0 +1,11 @@
+import java.util.AbstractList;
+
+public class MyList<T> extends AbstractList<T> {
+
+  public T get(int idx) { return null; } 
+
+  public T remove(int idx) { return null; }
+
+  public int size() { return 0; }
+
+}

java/ql/test/kotlin/library-tests/java-list-kotlin-user/test.expected

@@ -0,0 +1,3 @@
+| get |
+| remove |
+| size |

java/ql/test/kotlin/library-tests/java-list-kotlin-user/test.kt

@@ -0,0 +1,2 @@
+
+fun f(l: MyList<String>) = l.get(0)

java/ql/test/kotlin/library-tests/java-list-kotlin-user/test.ql

@@ -0,0 +1,5 @@
+import java
+
+from Method m
+where m.getDeclaringType().getName().matches("MyList%")
+select m.toString()

java/ql/test/query-tests/NonSerializableField/NonSerializableField.expected

@@ -1,18 +1,18 @@
-| NonSerializableFieldTest.java:25:8:25:19 | problematic1 | This field is in a serializable class,  but is not serializable itself because NS is not serializable. |
-| NonSerializableFieldTest.java:26:14:26:25 | problematic2 | This field is in a serializable class,  but is not serializable itself because NS is not serializable. |
-| NonSerializableFieldTest.java:27:16:27:27 | problematic3 | This field is in a serializable class,  but is not serializable itself because ? is not serializable. |
-| NonSerializableFieldTest.java:27:16:27:27 | problematic3 | This field is in a serializable class,  but is not serializable itself because NS is not serializable. |
-| NonSerializableFieldTest.java:28:16:28:27 | problematic4 | This field is in a serializable class,  but is not serializable itself because ? is not serializable. |
-| NonSerializableFieldTest.java:28:16:28:27 | problematic4 | This field is in a serializable class,  but is not serializable itself because NS is not serializable. |
-| NonSerializableFieldTest.java:29:30:29:41 | problematic5 | This field is in a serializable class,  but is not serializable itself because Map<?,NS> is not serializable. |
-| NonSerializableFieldTest.java:30:9:30:20 | problematic6 | This field is in a serializable class,  but is not serializable itself because Map<> is not serializable. |
-| NonSerializableFieldTest.java:31:24:31:35 | problematic7 | This field is in a serializable class,  but is not serializable itself because ? extends NS is not serializable. |
-| NonSerializableFieldTest.java:32:22:32:33 | problematic8 | This field is in a serializable class,  but is not serializable itself because ? super NS is not serializable. |
-| NonSerializableFieldTest.java:33:7:33:18 | problematic9 | This field is in a serializable class,  but is not serializable itself because T is not serializable. |
-| NonSerializableFieldTest.java:34:13:34:25 | problematic10 | This field is in a serializable class,  but is not serializable itself because T is not serializable. |
-| NonSerializableFieldTest.java:35:13:35:25 | problematic11 | This field is in a serializable class,  but is not serializable itself because ? is not serializable. |
-| NonSerializableFieldTest.java:36:15:36:27 | problematic12 | This field is in a serializable class,  but is not serializable itself because ? is not serializable. |
-| NonSerializableFieldTest.java:37:34:37:46 | problematic13 | This field is in a serializable class,  but is not serializable itself because Map<?,Double> is not serializable. |
-| NonSerializableFieldTest.java:38:21:38:33 | problematic14 | This field is in a serializable class,  but is not serializable itself because ? is not serializable. |
-| NonSerializableFieldTest.java:79:10:79:20 | problematic | This field is in a serializable class,  but is not serializable itself because NS is not serializable. |
-| NonSerializableFieldTest.java:109:26:109:45 | nonSerializableField | This field is in a serializable class,  but is not serializable itself because NonSerializableClass is not serializable. |
+| NonSerializableFieldTest.java:25:8:25:19 | problematic1 | This field is in a serializable class, but is not serializable itself because NS is not serializable. |
+| NonSerializableFieldTest.java:26:14:26:25 | problematic2 | This field is in a serializable class, but is not serializable itself because NS is not serializable. |
+| NonSerializableFieldTest.java:27:16:27:27 | problematic3 | This field is in a serializable class, but is not serializable itself because ? is not serializable. |
+| NonSerializableFieldTest.java:27:16:27:27 | problematic3 | This field is in a serializable class, but is not serializable itself because NS is not serializable. |
+| NonSerializableFieldTest.java:28:16:28:27 | problematic4 | This field is in a serializable class, but is not serializable itself because ? is not serializable. |
+| NonSerializableFieldTest.java:28:16:28:27 | problematic4 | This field is in a serializable class, but is not serializable itself because NS is not serializable. |
+| NonSerializableFieldTest.java:29:30:29:41 | problematic5 | This field is in a serializable class, but is not serializable itself because Map<?,NS> is not serializable. |
+| NonSerializableFieldTest.java:30:9:30:20 | problematic6 | This field is in a serializable class, but is not serializable itself because Map<> is not serializable. |
+| NonSerializableFieldTest.java:31:24:31:35 | problematic7 | This field is in a serializable class, but is not serializable itself because ? extends NS is not serializable. |
+| NonSerializableFieldTest.java:32:22:32:33 | problematic8 | This field is in a serializable class, but is not serializable itself because ? super NS is not serializable. |
+| NonSerializableFieldTest.java:33:7:33:18 | problematic9 | This field is in a serializable class, but is not serializable itself because T is not serializable. |
+| NonSerializableFieldTest.java:34:13:34:25 | problematic10 | This field is in a serializable class, but is not serializable itself because T is not serializable. |
+| NonSerializableFieldTest.java:35:13:35:25 | problematic11 | This field is in a serializable class, but is not serializable itself because ? is not serializable. |
+| NonSerializableFieldTest.java:36:15:36:27 | problematic12 | This field is in a serializable class, but is not serializable itself because ? is not serializable. |
+| NonSerializableFieldTest.java:37:34:37:46 | problematic13 | This field is in a serializable class, but is not serializable itself because Map<?,Double> is not serializable. |
+| NonSerializableFieldTest.java:38:21:38:33 | problematic14 | This field is in a serializable class, but is not serializable itself because ? is not serializable. |
+| NonSerializableFieldTest.java:79:10:79:20 | problematic | This field is in a serializable class, but is not serializable itself because NS is not serializable. |
+| NonSerializableFieldTest.java:109:26:109:45 | nonSerializableField | This field is in a serializable class, but is not serializable itself because NonSerializableClass is not serializable. |

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll

@@ -16,8 +16,102 @@ private import FunctionBodyFeatures as FunctionBodyFeatures
 private string getTokenFeature(DataFlow::Node endpoint, string featureName) {
   // Performance optimization: Restrict feature extraction to endpoints we've explicitly asked to featurize.
   endpoint = any(FeaturizationConfig cfg).getAnEndpointToFeaturize() and
-  exists(EndpointFeature f | f.getName() = featureName and result = f.getValue(endpoint)) and
-  featureName = getASupportedFeatureName()
+  (
+    // Features for endpoints that are contained within a function.
+    exists(Function function |
+      function = FunctionBodyFeatures::getRepresentativeFunctionForEndpoint(endpoint)
+    |
+      // The name of the function that encloses the endpoint.
+      featureName = "enclosingFunctionName" and result = FunctionNames::getNameToFeaturize(function)
+      or
+      // A feature containing natural language tokens from the function that encloses the endpoint in
+      // the order that they appear in the source code.
+      featureName = "enclosingFunctionBody" and
+      result = FunctionBodyFeatures::getBodyTokensFeature(function)
+    )
+    or
+    result =
+      strictconcat(DataFlow::CallNode call, string component |
+        component = getACallBasedTokenFeatureComponent(endpoint, call, featureName)
+      |
+        component, " "
+      )
+    or
+    // The access path of the function being called, both with and without structural info, if the
+    // function being called originates from an external API. For example, the endpoint here:
+    //
+    // ```js
+    // const mongoose = require('mongoose'),
+    //   User = mongoose.model('User', null);
+    // User.findOne(ENDPOINT);
+    // ```
+    //
+    // would have a callee access path with structural info of
+    // `mongoose member model instanceorreturn member findOne instanceorreturn`, and a callee access
+    // path without structural info of `mongoose model findOne`.
+    //
+    // These features indicate that the callee comes from (reading the access path backwards) an
+    // instance of the `findOne` member of an instance of the `model` member of the `mongoose`
+    // external library.
+    exists(AccessPaths::Boolean includeStructuralInfo |
+      featureName =
+        "calleeAccessPath" +
+          any(string x | if includeStructuralInfo = true then x = "WithStructuralInfo" else x = "") and
+      result =
+        concat(API::Node node, string accessPath |
+          node.getInducingNode().(DataFlow::CallNode).getAnArgument() = endpoint and
+          AccessPaths::accessPaths(node, includeStructuralInfo, accessPath, _)
+        |
+          accessPath, " "
+        )
+    )
+  )
+}
+
+/**
+ * Gets a value of the function-call-related token-based feature named `featureName` associated
+ * with the function call `call` and the endpoint `endpoint`.
+ *
+ * This may in general report multiple strings, each containing a space-separated list of tokens.
+ *
+ * **Technical details:** This predicate can have multiple values per endpoint and feature name. As
+ * a result, the results from this predicate must be concatenated together.  However concatenating
+ * other features like the function body tokens is expensive, so for performance reasons we separate
+ * out this predicate from those other features.
+ */
+private string getACallBasedTokenFeatureComponent(
+  DataFlow::Node endpoint, DataFlow::CallNode call, string featureName
+) {
+  // Performance optimization: Restrict feature extraction to endpoints we've explicitly asked to featurize.
+  endpoint = any(FeaturizationConfig cfg).getAnEndpointToFeaturize() and
+  // Features for endpoints that are an argument to a function call.
+  endpoint = call.getAnArgument() and
+  (
+    // The name of the function being called, e.g. in a call `Artist.findOne(...)`, this is `findOne`.
+    featureName = "calleeName" and result = call.getCalleeName()
+    or
+    // The name of the receiver of the call, e.g. in a call `Artist.findOne(...)`, this is `Artist`.
+    featureName = "receiverName" and result = call.getReceiver().asExpr().(VarRef).getName()
+    or
+    // The argument index of the endpoint, e.g. in `f(a, endpoint, b)`, this is 1.
+    featureName = "argumentIndex" and
+    result = any(int argIndex | call.getArgument(argIndex) = endpoint).toString()
+    or
+    // The name of the API that the function being called originates from, if the function being
+    // called originates from an external API. For example, the endpoint here:
+    //
+    // ```js
+    // const mongoose = require('mongoose'),
+    //   User = mongoose.model('User', null);
+    // User.findOne(ENDPOINT);
+    // ```
+    //
+    // would have a callee API name of `mongoose`.
+    featureName = "calleeApiName" and
+    exists(API::Node apiNode |
+      AccessPaths::accessPaths(apiNode, false, _, result) and call = apiNode.getInducingNode()
+    )
+  )
 }
 
 /**
@@ -69,8 +163,7 @@ private module AccessPaths {
     API::Node node, Boolean includeStructuralInfo, string accessPath, string apiName
   ) {
     //node = API::moduleImport(result)
-    node = API::moduleImport(apiName) and
-    accessPath = apiName
+    node = API::moduleImport(apiName) and accessPath = apiName
     or
     exists(API::Node previousNode, string previousAccessPath |
       previousNode.getDepth() < node.getDepth() and
@@ -192,27 +285,11 @@ private module FunctionNames {
 
 /** Get a name of a supported generic token-based feature. */
 string getASupportedFeatureName() {
-  // allowlist of vetted features that are permitted in production
   result =
-    any(EndpointFeature f |
-      f instanceof EnclosingFunctionName or
-      f instanceof CalleeName or
-      f instanceof ReceiverName or
-      f instanceof ArgumentIndex or
-      f instanceof CalleeApiName or
-      f instanceof CalleeAccessPath or
-      f instanceof CalleeAccessPathWithStructuralInfo or
-      f instanceof EnclosingFunctionBody or
-      f instanceof ContextFunctionInterfaces or
-      f instanceof ContextSurroundingFunctionParameters or
-      f instanceof FileImports or
-      f instanceof CalleeImports or
-      f instanceof CalleeFlexibleAccessPath or
-      f instanceof InputAccessPathFromCallee or
-      f instanceof InputArgumentIndex or
-      f instanceof AssignedToPropName or
-      f instanceof StringConcatenatedWith
-    ).getName()
+    [
+      "enclosingFunctionName", "calleeName", "receiverName", "argumentIndex", "calleeApiName",
+      "calleeAccessPath", "calleeAccessPathWithStructuralInfo", "enclosingFunctionBody"
+    ]
 }
 
 /**
@@ -226,700 +303,3 @@ predicate tokenFeatures(DataFlow::Node endpoint, string featureName, string feat
   endpoint = any(FeaturizationConfig cfg).getAnEndpointToFeaturize() and
   featureValue = getTokenFeature(endpoint, featureName)
 }
-
-/**
- * See EndpointFeature
- */
-private newtype TEndpointFeature =
-  TEnclosingFunctionName() or
-  TCalleeName() or
-  TReceiverName() or
-  TArgumentIndex() or
-  TCalleeApiName() or
-  TCalleeAccessPath() or
-  TCalleeAccessPathWithStructuralInfo() or
-  TEnclosingFunctionBody() or
-  TFileImports() or
-  TCalleeImports() or
-  TCalleeFlexibleAccessPath() or
-  TInputAccessPathFromCallee() or
-  TInputArgumentIndex() or
-  TContextFunctionInterfaces() or
-  TContextSurroundingFunctionParameters() or
-  TAssignedToPropName() or
-  TStringConcatenatedWith()
-
-/**
- * An implementation of an endpoint feature: produces feature names and values for used in ML.
- */
-abstract class EndpointFeature extends TEndpointFeature {
-  /**
-   * Gets the name of the feature. Used by the ML model.
-   * Changes to the name of a feature requires training the model again.
-   */
-  abstract string getName();
-
-  /**
-   * Gets the value of the feature. Used by the ML model.
-   * Changes to the value of a feature requires training the model again.
-   */
-  abstract string getValue(DataFlow::Node endpoint);
-
-  string toString() { result = this.getName() }
-}
-
-/**
- * The feature for the name of the function that encloses the endpoint.
- */
-class EnclosingFunctionName extends EndpointFeature, TEnclosingFunctionName {
-  override string getName() { result = "enclosingFunctionName" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      FunctionNames::getNameToFeaturize(FunctionBodyFeatures::getRepresentativeFunctionForEndpoint(endpoint))
-  }
-}
-
-/**
- * The feature for the name of the function being called, e.g. in a call `Artist.findOne(...)`, this is `findOne`.
- */
-class CalleeName extends EndpointFeature, TCalleeName {
-  override string getName() { result = "calleeName" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      strictconcat(DataFlow::CallNode call, string component |
-        endpoint = call.getAnArgument() and component = call.getCalleeName()
-      |
-        component, " "
-      )
-  }
-}
-
-/**
- * The feature for the name of the receiver of the call, e.g. in a call `Artist.findOne(...)`, this is `Artist`.
- */
-class ReceiverName extends EndpointFeature, TReceiverName {
-  override string getName() { result = "receiverName" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      strictconcat(DataFlow::CallNode call, string component |
-        endpoint = call.getAnArgument() and
-        component = call.getReceiver().asExpr().(VarRef).getName()
-      |
-        component, " "
-      )
-  }
-}
-
-/**
- * The feature for the argument index of the endpoint, e.g. in `f(a, endpoint, b)`, this is 1.
- */
-class ArgumentIndex extends EndpointFeature, TArgumentIndex {
-  override string getName() { result = "argumentIndex" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      strictconcat(DataFlow::CallNode call, string component |
-        endpoint = call.getAnArgument() and
-        component = any(int argIndex | call.getArgument(argIndex) = endpoint).toString()
-      |
-        component, " "
-      )
-  }
-}
-
-/**
- * The feature for the name of the API that the function being called originates from, if the function being
- * called originates from an external API. For example, the endpoint here:
- *
- * ```js
- * const mongoose = require('mongoose'),
- *   User = mongoose.model('User', null);
- * User.findOne(ENDPOINT);
- * ```
- */
-class CalleeApiName extends EndpointFeature, TCalleeApiName {
-  override string getName() { result = "calleeApiName" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      strictconcat(API::Node apiNode, string component |
-        endpoint = apiNode.getInducingNode().(DataFlow::CallNode).getAnArgument() and
-        AccessPaths::accessPaths(apiNode, false, _, component)
-      |
-        component, " "
-      )
-  }
-}
-
-/**
- * The access path of the function being called, both without structural info, if the
- * function being called originates from an external API. For example, the endpoint here:
- *
- * ```js
- * const mongoose = require('mongoose'),
- *   User = mongoose.model('User', null);
- * User.findOne(ENDPOINT);
- * ```
- *
- * would have a callee access path without structural info of `mongoose model findOne`.
- */
-class CalleeAccessPath extends EndpointFeature, TCalleeAccessPath {
-  override string getName() { result = "calleeAccessPath" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      concat(API::Node node, string accessPath |
-        node.getInducingNode().(DataFlow::CallNode).getAnArgument() = endpoint and
-        AccessPaths::accessPaths(node, false, accessPath, _)
-      |
-        accessPath, " "
-      )
-  }
-}
-
-/**
- * The access path of the function being called, both with structural info, if the
- * function being called originates from an external API. For example, the endpoint here:
- *
- * ```js
- * const mongoose = require('mongoose'),
- *   User = mongoose.model('User', null);
- * User.findOne(ENDPOINT);
- * ```
- *
- * would have a callee access path with structural info of
- * `mongoose member model instanceorreturn member findOne instanceorreturn`
- *
- * These features indicate that the callee comes from (reading the access path backwards) an
- * instance of the `findOne` member of an instance of the `model` member of the `mongoose`
- * external library.
- */
-class CalleeAccessPathWithStructuralInfo extends EndpointFeature,
-  TCalleeAccessPathWithStructuralInfo {
-  override string getName() { result = "calleeAccessPathWithStructuralInfo" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      concat(API::Node node, string accessPath |
-        node.getInducingNode().(DataFlow::CallNode).getAnArgument() = endpoint and
-        AccessPaths::accessPaths(node, true, accessPath, _)
-      |
-        accessPath, " "
-      )
-  }
-}
-
-/**
- * The feature for the natural language tokens from the function that encloses the endpoint in
- *    the order that they appear in the source code.
- */
-class EnclosingFunctionBody extends EndpointFeature, TEnclosingFunctionBody {
-  override string getName() { result = "enclosingFunctionBody" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    endpoint = any(FeaturizationConfig cfg).getAnEndpointToFeaturize() and
-    result =
-      FunctionBodyFeatures::getBodyTokensFeature(FunctionBodyFeatures::getRepresentativeFunctionForEndpoint(endpoint))
-  }
-}
-
-/**
- * The feature for the imports defined in the file containing an endpoint.
- *
- * ### Example
- *
- * ```javascript
- * import { findOne } from 'mongoose';
- * import * as _ from 'lodash';
- * const pg = require('pg');
- *
- * // ...
- * ```
- *
- * In this file, all endpoints will have the value `lodash mongoose pg` for the feature `fileImports`.
- */
-class FileImports extends EndpointFeature, TFileImports {
-  override string getName() { result = "fileImports" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result = SyntacticUtilities::getImportPathsForFile(endpoint.getFile())
-  }
-}
-
-/**
- * The feature for the function parameters of the functions that enclose an endpoint.
- *
- * ### Example
- * ```javascript
- * function f(a, b) {
- *   // ...
- *   const g = (c, d) => x.foo(endpoint);
- * //                          ^^^^^^^^
- * }
- * ```
- * In the above example, the feature for the marked endpoint has value '(a, b)\n(c, d)'.
- */
-class ContextSurroundingFunctionParameters extends EndpointFeature,
-  TContextSurroundingFunctionParameters {
-  override string getName() { result = "contextSurroundingFunctionParameters" }
-
-  Function getRelevantFunction(DataFlow::Node endpoint) {
-    result = endpoint.asExpr().getEnclosingFunction*()
-  }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result =
-      concat(string functionParameterLine, Function f |
-        f = getRelevantFunction(endpoint) and
-        functionParameterLine = SyntacticUtilities::getFunctionParametersFeatureComponent(f)
-      |
-        functionParameterLine, "\n"
-        order by
-          f.getLocation().getStartLine(), f.getLocation().getStartColumn()
-      )
-  }
-}
-
-/**
- * The feature that gives the name an endpoint is assigned to (if any).
- *
- * ### Example
- * ```javascript
- * const div = document.createElement('div');
- * div.innerHTML = endpoint; // feature value is 'innerHTML'
- * ```
- */
-class AssignedToPropName extends EndpointFeature, TAssignedToPropName {
-  override string getName() { result = "assignedToPropName" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    exists(DataFlow::PropWrite w | w.getRhs().asExpr().getUnderlyingValue().flow() = endpoint |
-      result = w.getPropertyName()
-    )
-  }
-}
-
-/**
- * The feature that shows the text an endpoint is being concatenated with.class
- *
- * ### Example
- *
- * ```javascript
- * const x = 'foo' + endpoint + 'bar'; // feature value is `'foo' -endpoint- 'bar'`
- */
-class StringConcatenatedWith extends EndpointFeature, TStringConcatenatedWith {
-  override string getName() { result = "stringConcatenatedWith" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    exists(StringOps::ConcatenationRoot root |
-      root.getALeaf() = endpoint and
-      result =
-        concat(StringOps::ConcatenationLeaf p |
-            p.getRoot() = root and
-            (
-              p.getStartLine() < endpoint.getStartLine()
-              or
-              p.getStartLine() = endpoint.getStartLine() and
-              p.getStartColumn() < endpoint.getStartColumn()
-            )
-          |
-            SyntacticUtilities::renderStringConcatOperand(p), " + "
-            order by
-              p.getStartLine(), p.getStartColumn()
-          ) + " -endpoint- " +
-          concat(StringOps::ConcatenationLeaf p |
-            p.getRoot() = root and
-            (
-              p.getStartLine() > endpoint.getStartLine()
-              or
-              p.getStartLine() = endpoint.getStartLine() and
-              p.getStartColumn() > endpoint.getStartColumn()
-            )
-          |
-            SyntacticUtilities::renderStringConcatOperand(p), " + "
-            order by
-              p.getStartLine(), p.getStartColumn()
-          )
-    )
-  }
-}
-
-/**
- * The feature for the imports used in the callee of an invocation.
- *
- * ### Example
- *
- * ```javascript
- * import * as _ from 'lodash';
- *
- * // ...
- * _.deepClone(someObject);
- * //          ^^^^^^^^^^ will have the value `lodash` for the feature `calleeImports`.
- * ```
- */
-class CalleeImports extends EndpointFeature, TCalleeImports {
-  override string getName() { result = "calleeImports" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    not result = SyntacticUtilities::getUnknownSymbol() and
-    exists(DataFlow::InvokeNode invk |
-      (
-        invk.getAnArgument() = endpoint or
-        SyntacticUtilities::getANestedInitializerValue(invk.getAnArgument()
-              .asExpr()
-              .getUnderlyingValue()).flow() = endpoint
-      ) and
-      result =
-        concat(string importPath |
-          importPath = SyntacticUtilities::getCalleeImportPath(invk.getCalleeNode())
-        |
-          importPath, " " order by importPath
-        )
-    )
-  }
-}
-
-/**
- * The feature for the interfaces of all named functions in the same file as the endpoint.
- *
- * ### Example
- * ```javascript
- * // Will return: "f(a, b, c)\ng(x, y, z)\nh(u, v)" for this file.
- * function f(a, b, c) { ... }
- *
- * function g(x, y, z) {
- *   function h(u, v) { ... }
- *   ...
- * }
- * ```
- *
- * The feature value for the marked endpoint will be `f(a, b, c)\ng(x, y, z)\nh(u, v)`.
- */
-class ContextFunctionInterfaces extends EndpointFeature, TContextFunctionInterfaces {
-  override string getName() { result = "contextFunctionInterfaces" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    result = SyntacticUtilities::getFunctionInterfacesForFile(endpoint.getFile())
-  }
-}
-
-/**
- * Syntactic utilities for feature value computation.
- */
-private module SyntacticUtilities {
-  bindingset[start, end]
-  string renderStringConcatOperands(DataFlow::Node root, int start, int end) {
-    result =
-      concat(int i, string operand |
-        i = [start .. end] and
-        operand = renderStringConcatOperand(StringConcatenation::getOperand(root, i))
-      |
-        operand, " + " order by i
-      )
-  }
-
-  string renderStringConcatOperand(DataFlow::Node operand) {
-    if exists(unique(string v | operand.mayHaveStringValue(v)))
-    then result = "'" + any(string v | operand.mayHaveStringValue(v)) + "'"
-    else result = getSimpleAccessPath(operand)
-  }
-
-  /** Gets all the imports defined in the file containing the endpoint. */
-  string getImportPathsForFile(File file) {
-    result =
-      concat(string importPath |
-        importPath = SyntacticUtilities::getImportPathForFile(file)
-      |
-        importPath, " " order by importPath
-      )
-  }
-
-  /** Gets an import located in `file`. */
-  string getImportPathForFile(File file) {
-    result = any(Import imp | imp.getFile() = file).getImportedPath().getValue()
-  }
-
-  /**
-   * Gets the feature component for the parameters of a function.
-   *
-   * ```javascript
-   * function f(a, b, c) { // will return "(a, b, c)" for this function
-   *  return a + b + c;
-   * }
-   *
-   * async function g(a) { // will return "(a)" for this function
-   *   return 2*a
-   * };
-   *
-   * const h = (b) => 3*b; // will return "(b)" for this function
-   * ```
-   */
-  string getFunctionParametersFeatureComponent(Function f) {
-    result =
-      "(" +
-        concat(string parameter, int i |
-          parameter = getParameterNameOrUnknown(f.getParameter(i))
-        |
-          parameter, ", " order by i
-        ) + ")"
-  }
-
-  /**
-   * Gets the function interfaces of all named functions in a file, concatenated together.
-   *
-   * ```javascript
-   * // Will return: "f(a, b, c)\ng(x, y, z)\nh(u, v)" for this file.
-   * function f(a, b, c) { ... }
-   *
-   * function g(x, y, z) {
-   *   function h(u, v) { ... }
-   *   ...
-   * }
-   */
-  string getFunctionInterfacesForFile(File file) {
-    result =
-      concat(Function func, string line |
-        func.getFile() = file and
-        exists(func.getName()) and
-        line = func.getName() + getFunctionParametersFeatureComponent(func)
-      |
-        line, "\n" order by line
-      )
-  }
-
-  /**
-   * Gets a property initializer value in an object literal or one of its nested object literals.
-   */
-  Expr getANestedInitializerValue(ObjectExpr o) {
-    exists(Expr init | init = o.getAProperty().getInit().getUnderlyingValue() |
-      result = [init, getANestedInitializerValue(init)]
-    )
-  }
-
-  /**
-   * Computes a simple access path for how a callee can refer to a value that appears in an argument to a call.
-   *
-   * Supports:
-   * - direct arguments
-   * - properties of (nested) objects that are arguments
-   *
-   * Unknown cases and property names results in `?`.
-   */
-  string getSimpleParameterAccessPath(DataFlow::Node node) {
-    if exists(DataFlow::CallNode call | node = call.getArgument(_))
-    then exists(DataFlow::CallNode call, int i | node = call.getArgument(i) | result = i + "")
-    else result = getSimplePropertyAccessPath(node)
-  }
-
-  /**
-   * Computes a simple access path for how a user can refer to a value that appears in an (nested) object.
-   *
-   * Supports:
-   * - properties of (nested) objects
-   *
-   * Unknown cases and property names results in `?`.
-   */
-  string getSimplePropertyAccessPath(DataFlow::Node node) {
-    if exists(ObjectExpr o | o.getAProperty().getInit().getUnderlyingValue() = node.asExpr())
-    then
-      exists(DataFlow::PropWrite w |
-        w.getRhs() = node and
-        result = getSimpleParameterAccessPath(w.getBase()) + "." + getPropertyNameOrUnknown(w)
-      )
-    else result = getUnknownSymbol()
-  }
-
-  /**
-   * Gets the imported package path that this node depends on, if any.
-   *
-   * Otherwise, returns '?'.
-   *
-   * XXX Be careful with using this in your features, as it might teach the model
-   * a fixed list of "dangerous" libraries that could lead to bad generalization.
-   */
-  string getCalleeImportPath(DataFlow::Node node) {
-    exists(DataFlow::Node src | src = node.getALocalSource() |
-      if src instanceof DataFlow::ModuleImportNode
-      then result = src.(DataFlow::ModuleImportNode).getPath()
-      else
-        if src instanceof DataFlow::PropRead
-        then result = getCalleeImportPath(src.(DataFlow::PropRead).getBase())
-        else
-          if src instanceof DataFlow::InvokeNode
-          then result = getCalleeImportPath(src.(DataFlow::InvokeNode).getCalleeNode())
-          else
-            if src.asExpr() instanceof AwaitExpr
-            then result = getCalleeImportPath(src.asExpr().(AwaitExpr).getOperand().flow())
-            else result = getUnknownSymbol()
-    )
-  }
-
-  /**
-   * Computes a simple access path for a node.
-   *
-   * Supports:
-   * - variable reads (including `this` and `super`)
-   * - imports
-   * - await
-   * - property reads
-   * - invocations
-   *
-   * Unknown cases and property names results in `?`.
-   */
-  string getSimpleAccessPath(DataFlow::Node node) {
-    exists(Expr e | e = node.asExpr().getUnderlyingValue() |
-      if e instanceof SuperAccess
-      then result = "super"
-      else
-        if e instanceof ThisAccess
-        then result = "this"
-        else
-          if e instanceof VarAccess
-          then result = e.(VarAccess).getName()
-          else
-            if e instanceof Import
-            then result = "import(" + getSimpleImportPath(e) + ")"
-            else
-              if e instanceof AwaitExpr
-              then result = "(await " + getSimpleAccessPath(e.(AwaitExpr).getOperand().flow()) + ")"
-              else
-                if node instanceof DataFlow::PropRead
-                then
-                  result =
-                    getSimpleAccessPath(node.(DataFlow::PropRead).getBase()) + "." +
-                      getPropertyNameOrUnknown(node)
-                else
-                  if node instanceof DataFlow::InvokeNode
-                  then
-                    result = getSimpleAccessPath(node.(DataFlow::InvokeNode).getCalleeNode()) + "()"
-                  else result = getUnknownSymbol()
-    )
-  }
-
-  string getUnknownSymbol() { result = "?" }
-
-  /**
-   * Gets the imported path.
-   *
-   * XXX To avoid teaching the ML model about npm packages, only relative paths are supported
-   *
-   * Unknown paths result in `?`.
-   */
-  string getSimpleImportPath(Import i) {
-    if exists(i.getImportedPath().getValue())
-    then
-      exists(string p | p = i.getImportedPath().getValue() |
-        if p.matches(".%") then result = "\"p\"" else result = "!" // hide absolute imports from the ML training
-      )
-    else result = getUnknownSymbol()
-  }
-
-  /**
-   * Gets the property name of a property reference or `?` if it is unknown.
-   */
-  string getPropertyNameOrUnknown(DataFlow::PropRef ref) {
-    if exists(ref.getPropertyName())
-    then result = ref.getPropertyName()
-    else result = getUnknownSymbol()
-  }
-
-  /**
-   * Gets the parameter name if it exists, or `?` if it is unknown.
-   */
-  string getParameterNameOrUnknown(Parameter p) {
-    if exists(p.getName()) then result = p.getName() else result = getUnknownSymbol()
-  }
-}
-
-/**
- * The feature for the access path of the callee node of a call that has an argument that "contains" the endpoint.
- *
- * "Containment" is syntactic, and currently means that the endpoint is an argument to the call, or that the endpoint is a (nested) property value of an argument.
- *
- * This feature is intended as a superior version of the many `Callee*` features.
- *
- * Examples:
- * ```
- * foo(endpoint); // -> foo
- * foo.bar(endpoint); // -> foo.bar
- * foo.bar({ baz: endpoint }); // -> foo.bar
- * this.foo.bar(endpoint); // -> this.foo.bar
- * foo[complex()].bar(endpoint); // -> foo.?.bar
- * ```
- */
-class CalleeFlexibleAccessPath extends EndpointFeature, TCalleeFlexibleAccessPath {
-  override string getName() { result = "CalleeFlexibleAccessPath" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    exists(DataFlow::InvokeNode invk |
-      result = SyntacticUtilities::getSimpleAccessPath(invk.getCalleeNode()) and
-      // ignore the unknown path
-      not result = SyntacticUtilities::getUnknownSymbol() and
-      (
-        invk.getAnArgument() = endpoint or
-        SyntacticUtilities::getANestedInitializerValue(invk.getAnArgument()
-              .asExpr()
-              .getUnderlyingValue()).flow() = endpoint
-      )
-    )
-  }
-}
-
-/**
- * The feature for how a callee can refer to a the endpoint that is "contained" in some argument to a call
- *
- * "Containment" is syntactic, and currently means that the endpoint is an argument to the call, or that the endpoint is a (nested) property value of an argument.
- *
- * This feature, together with `InputArgumentIndex` is intended as a far superior version of the `ArgumentIndexFeature`.
- *
- * Examples:
- * ```
- * foo({ bar: endpoint }); // -> bar
- * foo(x, { bar: { baz: endpoint } }); // -> bar.baz
- * ```
- */
-class InputAccessPathFromCallee extends EndpointFeature, TInputAccessPathFromCallee {
-  override string getName() { result = "InputAccessPathFromCallee" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    exists(DataFlow::InvokeNode invk |
-      result = SyntacticUtilities::getSimpleParameterAccessPath(endpoint) and
-      SyntacticUtilities::getANestedInitializerValue(invk.getAnArgument()
-            .asExpr()
-            .getUnderlyingValue()).flow() = endpoint
-    )
-  }
-}
-
-/**
- * The feature for how the index of an argument that "contains" and endpoint.
- *
- * "Containment" is syntactic, and currently means that the endpoint is an argument to the call, or that the endpoint is a (nested) property value of an argument.
- *
- * This feature is intended as a superior version of the `ArgumentIndexFeature`.
- *
- * Examples:
- * ```
- * foo(endpoint); // -> 0
- * foo({ bar: endpoint }); // -> 0
- * foo(x, { bar: { baz: endpoint } }); // -> 1
- * ```
- */
-class InputArgumentIndex extends EndpointFeature, TInputArgumentIndex {
-  override string getName() { result = "InputArgumentIndex" }
-
-  override string getValue(DataFlow::Node endpoint) {
-    exists(DataFlow::InvokeNode invk, DataFlow::Node arg, int i | arg = invk.getArgument(i) |
-      result = i + "" and
-      (
-        invk.getArgument(i) = endpoint
-        or
-        SyntacticUtilities::getANestedInitializerValue(arg.asExpr().getUnderlyingValue()).flow() =
-          endpoint
-      )
-    )
-  }
-}

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/debug/CompareFeatures.ql

@@ -1,23 +0,0 @@
-import experimental.adaptivethreatmodeling.TaintedPathATM
-import experimental.adaptivethreatmodeling.EndpointFeatures
-import experimental.adaptivethreatmodeling.EndpointScoring
-
-string getValueOrNone(EndpointFeature feature, DataFlow::Node endpoint) {
-  if exists(feature.getValue(endpoint)) then feature.getValue(endpoint) = result else isNone(result)
-}
-
-predicate isNone(string value) { value = "" }
-
-// query for comparing feature values
-from
-  DataFlow::Node endpoint, EndpointFeature feature1, EndpointFeature feature2, string featureValue1,
-  string featureValue2
-where
-  feature1 instanceof Input_ArgumentIndex and
-  feature2 instanceof ArgumentIndex and
-  featureValue1 = getValueOrNone(feature1, endpoint) and
-  featureValue2 = getValueOrNone(feature2, endpoint) and
-  featureValue1 != featureValue2 and
-  isNone([featureValue1, featureValue2])
-select endpoint, endpoint.getFile().getBaseName() as file, endpoint.getStartLine() as line,
-  featureValue1, featureValue2

javascript/ql/experimental/adaptivethreatmodeling/src/codeql-pack.lock.yml

@@ -1,6 +1,6 @@
 ---
 dependencies:
-  dsp-testing/javascript-experimental-atm-model:
-    version: 0.0.12_Tue-Jun-14-03-05-53-2022.red-cartoon-ymtlr8js.a59fcdfa6281cd8a88be64c8902fa51fd473b9857f7556a7691a84bb90f85eb8
+  codeql/javascript-experimental-atm-model:
+    version: 0.2.0
 compiled: false
 lockVersion: 1.0.0

javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml

@@ -4,8 +4,8 @@ version: 0.3.1
 suites: codeql-suites
 defaultSuiteFile: codeql-suites/javascript-atm-code-scanning.qls
 groups:
-  - javascript
-  - experimental
+    - javascript
+    - experimental
 dependencies:
-  codeql/javascript-experimental-atm-lib: "*"
-  dsp-testing/javascript-experimental-atm-model: 0.0.12_Tue-Jun-14-03-05-53-2022.red-cartoon-ymtlr8js.a59fcdfa6281cd8a88be64c8902fa51fd473b9857f7556a7691a84bb90f85eb8
+    codeql/javascript-experimental-atm-lib: "*"
+    codeql/javascript-experimental-atm-model: "0.2.0"

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/EmptyFeature.ql

@@ -1,9 +0,0 @@
-import javascript
-import experimental.adaptivethreatmodeling.EndpointFeatures
-import experimental.adaptivethreatmodeling.FeaturizationConfig
-import TestUtil
-
-// every feature must produce a value for at least one endpoint, otherwise the feature is completely broken, or a relevant test example is missing
-from EndpointFeature feature
-where forall(Endpoint endpoint | not exists(feature.getValue(endpoint)))
-select feature.getName()

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.expected

@@ -1,202 +0,0 @@
-| test.html:2:61:2:68 | endpoint | CalleeFlexibleAccessPath | $event.target.files.item |
-| test.html:2:61:2:68 | endpoint | InputArgumentIndex | 0 |
-| test.html:2:61:2:68 | endpoint | argumentIndex | 0 |
-| test.html:2:61:2:68 | endpoint | calleeAccessPath |  |
-| test.html:2:61:2:68 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.html:2:61:2:68 | endpoint | calleeName | item |
-| test.html:2:61:2:68 | endpoint | contextFunctionInterfaces |  |
-| test.html:2:61:2:68 | endpoint | contextSurroundingFunctionParameters |  |
-| test.html:2:61:2:68 | endpoint | fileImports |  |
-| test.js:6:7:6:14 | endpoint | CalleeFlexibleAccessPath | f |
-| test.js:6:7:6:14 | endpoint | InputArgumentIndex | 0 |
-| test.js:6:7:6:14 | endpoint | argumentIndex | 0 |
-| test.js:6:7:6:14 | endpoint | calleeAccessPath | lib3 |
-| test.js:6:7:6:14 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn |
-| test.js:6:7:6:14 | endpoint | calleeApiName | lib3 |
-| test.js:6:7:6:14 | endpoint | calleeImports | ? lib3 |
-| test.js:6:7:6:14 | endpoint | calleeName | f |
-| test.js:6:7:6:14 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:6:7:6:14 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:6:7:6:14 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:6:7:6:14 | endpoint | enclosingFunctionName |  |
-| test.js:6:7:6:14 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:7:11:7:18 | endpoint | CalleeFlexibleAccessPath | f |
-| test.js:7:11:7:18 | endpoint | InputAccessPathFromCallee | 0.p |
-| test.js:7:11:7:18 | endpoint | InputArgumentIndex | 0 |
-| test.js:7:11:7:18 | endpoint | calleeAccessPath |  |
-| test.js:7:11:7:18 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:7:11:7:18 | endpoint | calleeImports | ? lib3 |
-| test.js:7:11:7:18 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:7:11:7:18 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:7:11:7:18 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:7:11:7:18 | endpoint | enclosingFunctionName |  |
-| test.js:7:11:7:18 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:8:15:8:22 | endpoint | CalleeFlexibleAccessPath | f |
-| test.js:8:15:8:22 | endpoint | InputAccessPathFromCallee | 0.p.q |
-| test.js:8:15:8:22 | endpoint | InputArgumentIndex | 0 |
-| test.js:8:15:8:22 | endpoint | calleeAccessPath |  |
-| test.js:8:15:8:22 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:8:15:8:22 | endpoint | calleeImports | ? lib3 |
-| test.js:8:15:8:22 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:8:15:8:22 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:8:15:8:22 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:8:15:8:22 | endpoint | enclosingFunctionName |  |
-| test.js:8:15:8:22 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:9:9:9:16 | endpoint | CalleeFlexibleAccessPath | o.m |
-| test.js:9:9:9:16 | endpoint | InputArgumentIndex | 0 |
-| test.js:9:9:9:16 | endpoint | argumentIndex | 0 |
-| test.js:9:9:9:16 | endpoint | calleeAccessPath | lib2 m |
-| test.js:9:9:9:16 | endpoint | calleeAccessPathWithStructuralInfo | lib2 member m instanceorreturn |
-| test.js:9:9:9:16 | endpoint | calleeApiName | lib2 |
-| test.js:9:9:9:16 | endpoint | calleeImports | ? lib2 |
-| test.js:9:9:9:16 | endpoint | calleeName | m |
-| test.js:9:9:9:16 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:9:9:9:16 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:9:9:9:16 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:9:9:9:16 | endpoint | enclosingFunctionName |  |
-| test.js:9:9:9:16 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:9:9:9:16 | endpoint | receiverName | o |
-| test.js:10:13:10:20 | endpoint | CalleeFlexibleAccessPath | o.m |
-| test.js:10:13:10:20 | endpoint | InputAccessPathFromCallee | 0.p |
-| test.js:10:13:10:20 | endpoint | InputArgumentIndex | 0 |
-| test.js:10:13:10:20 | endpoint | calleeAccessPath |  |
-| test.js:10:13:10:20 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:10:13:10:20 | endpoint | calleeImports | ? lib2 |
-| test.js:10:13:10:20 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:10:13:10:20 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:10:13:10:20 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:10:13:10:20 | endpoint | enclosingFunctionName |  |
-| test.js:10:13:10:20 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:11:17:11:24 | endpoint | CalleeFlexibleAccessPath | o.m |
-| test.js:11:17:11:24 | endpoint | InputAccessPathFromCallee | 0.p.q |
-| test.js:11:17:11:24 | endpoint | InputArgumentIndex | 0 |
-| test.js:11:17:11:24 | endpoint | calleeAccessPath |  |
-| test.js:11:17:11:24 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:11:17:11:24 | endpoint | calleeImports | ? lib2 |
-| test.js:11:17:11:24 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:11:17:11:24 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:11:17:11:24 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:11:17:11:24 | endpoint | enclosingFunctionName |  |
-| test.js:11:17:11:24 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:12:11:12:18 | endpoint | CalleeFlexibleAccessPath | F |
-| test.js:12:11:12:18 | endpoint | InputArgumentIndex | 0 |
-| test.js:12:11:12:18 | endpoint | calleeAccessPath |  |
-| test.js:12:11:12:18 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:12:11:12:18 | endpoint | calleeImports | lib1 |
-| test.js:12:11:12:18 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:12:11:12:18 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:12:11:12:18 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:12:11:12:18 | endpoint | enclosingFunctionName |  |
-| test.js:12:11:12:18 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:13:17:13:24 | endpoint | CalleeFlexibleAccessPath | o.m().m().m |
-| test.js:13:17:13:24 | endpoint | InputArgumentIndex | 0 |
-| test.js:13:17:13:24 | endpoint | argumentIndex | 0 |
-| test.js:13:17:13:24 | endpoint | calleeAccessPath | lib2 m m m |
-| test.js:13:17:13:24 | endpoint | calleeAccessPathWithStructuralInfo | lib2 member m instanceorreturn member m instanceorreturn member m instanceorreturn |
-| test.js:13:17:13:24 | endpoint | calleeApiName | lib2 |
-| test.js:13:17:13:24 | endpoint | calleeImports | ? lib2 |
-| test.js:13:17:13:24 | endpoint | calleeName | m |
-| test.js:13:17:13:24 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:13:17:13:24 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:13:17:13:24 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:13:17:13:24 | endpoint | enclosingFunctionName |  |
-| test.js:13:17:13:24 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:14:9:14:16 | endpoint | CalleeFlexibleAccessPath | f() |
-| test.js:14:9:14:16 | endpoint | InputArgumentIndex | 0 |
-| test.js:14:9:14:16 | endpoint | argumentIndex | 0 |
-| test.js:14:9:14:16 | endpoint | calleeAccessPath | lib3 |
-| test.js:14:9:14:16 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn instanceorreturn |
-| test.js:14:9:14:16 | endpoint | calleeApiName | lib3 |
-| test.js:14:9:14:16 | endpoint | calleeImports | ? lib3 |
-| test.js:14:9:14:16 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:14:9:14:16 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:14:9:14:16 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:14:9:14:16 | endpoint | enclosingFunctionName |  |
-| test.js:14:9:14:16 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:15:12:15:19 | endpoint | CalleeFlexibleAccessPath | o.?.m |
-| test.js:15:12:15:19 | endpoint | InputArgumentIndex | 0 |
-| test.js:15:12:15:19 | endpoint | argumentIndex | 0 |
-| test.js:15:12:15:19 | endpoint | calleeAccessPath | lib2 m |
-| test.js:15:12:15:19 | endpoint | calleeAccessPathWithStructuralInfo | lib2 member member m instanceorreturn |
-| test.js:15:12:15:19 | endpoint | calleeApiName | lib2 |
-| test.js:15:12:15:19 | endpoint | calleeImports | ? lib2 |
-| test.js:15:12:15:19 | endpoint | calleeName | m |
-| test.js:15:12:15:19 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:15:12:15:19 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:15:12:15:19 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:15:12:15:19 | endpoint | enclosingFunctionName |  |
-| test.js:15:12:15:19 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:16:16:16:23 | endpoint | CalleeFlexibleAccessPath | o.m.?.p.m |
-| test.js:16:16:16:23 | endpoint | InputArgumentIndex | 0 |
-| test.js:16:16:16:23 | endpoint | argumentIndex | 0 |
-| test.js:16:16:16:23 | endpoint | calleeAccessPath | lib2 m p m |
-| test.js:16:16:16:23 | endpoint | calleeAccessPathWithStructuralInfo | lib2 member m member member p member m instanceorreturn |
-| test.js:16:16:16:23 | endpoint | calleeApiName | lib2 |
-| test.js:16:16:16:23 | endpoint | calleeImports | ? lib2 |
-| test.js:16:16:16:23 | endpoint | calleeName | m |
-| test.js:16:16:16:23 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:16:16:16:23 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:16:16:16:23 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:16:16:16:23 | endpoint | enclosingFunctionName |  |
-| test.js:16:16:16:23 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:17:15:17:22 | endpoint | CalleeFlexibleAccessPath | (await p) |
-| test.js:17:15:17:22 | endpoint | InputArgumentIndex | 0 |
-| test.js:17:15:17:22 | endpoint | argumentIndex | 0 |
-| test.js:17:15:17:22 | endpoint | calleeAccessPath | lib1 p |
-| test.js:17:15:17:22 | endpoint | calleeAccessPathWithStructuralInfo | lib1 member p instanceorreturn |
-| test.js:17:15:17:22 | endpoint | calleeApiName | lib1 |
-| test.js:17:15:17:22 | endpoint | calleeImports | lib1 |
-| test.js:17:15:17:22 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:17:15:17:22 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:17:15:17:22 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:17:15:17:22 | endpoint | enclosingFunctionName |  |
-| test.js:17:15:17:22 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:18:27:18:34 | endpoint | CalleeFlexibleAccessPath | import(!).bar.baz |
-| test.js:18:27:18:34 | endpoint | InputArgumentIndex | 0 |
-| test.js:18:27:18:34 | endpoint | argumentIndex | 0 |
-| test.js:18:27:18:34 | endpoint | calleeAccessPath | foo bar baz |
-| test.js:18:27:18:34 | endpoint | calleeAccessPathWithStructuralInfo | foo member bar member baz instanceorreturn |
-| test.js:18:27:18:34 | endpoint | calleeApiName | foo |
-| test.js:18:27:18:34 | endpoint | calleeImports | foo |
-| test.js:18:27:18:34 | endpoint | calleeName | baz |
-| test.js:18:27:18:34 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:18:27:18:34 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:18:27:18:34 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:18:27:18:34 | endpoint | enclosingFunctionName |  |
-| test.js:18:27:18:34 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:20:13:20:20 | endpoint | CalleeFlexibleAccessPath | bar |
-| test.js:20:13:20:20 | endpoint | InputArgumentIndex | 0 |
-| test.js:20:13:20:20 | endpoint | argumentIndex | 0 |
-| test.js:20:13:20:20 | endpoint | calleeAccessPath | lib1 bar |
-| test.js:20:13:20:20 | endpoint | calleeAccessPathWithStructuralInfo | lib1 member bar instanceorreturn |
-| test.js:20:13:20:20 | endpoint | calleeApiName | lib1 |
-| test.js:20:13:20:20 | endpoint | calleeImports | lib1 |
-| test.js:20:13:20:20 | endpoint | calleeName | bar |
-| test.js:20:13:20:20 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:20:13:20:20 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:20:13:20:20 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:20:13:20:20 | endpoint | enclosingFunctionName |  |
-| test.js:20:13:20:20 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:22:21:22:28 | endpoint | InputArgumentIndex | 0 |
-| test.js:22:21:22:28 | endpoint | argumentIndex | 0 |
-| test.js:22:21:22:28 | endpoint | calleeAccessPath | lib3 |
-| test.js:22:21:22:28 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn |
-| test.js:22:21:22:28 | endpoint | calleeApiName | lib3 |
-| test.js:22:21:22:28 | endpoint | calleeImports | ? lib2 lib3 |
-| test.js:22:21:22:28 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:22:21:22:28 | endpoint | contextSurroundingFunctionParameters | () |
-| test.js:22:21:22:28 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
-| test.js:22:21:22:28 | endpoint | enclosingFunctionName |  |
-| test.js:22:21:22:28 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:33:50:33:57 | endpoint | calleeAccessPath |  |
-| test.js:33:50:33:57 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:33:50:33:57 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:33:50:33:57 | endpoint | contextSurroundingFunctionParameters |  |
-| test.js:33:50:33:57 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:33:50:33:57 | endpoint | stringConcatenatedWith | f() + '<a target="_blank" href="' -endpoint- '"></a>' |
-| test.js:35:18:35:25 | endpoint | calleeAccessPath |  |
-| test.js:35:18:35:25 | endpoint | calleeAccessPathWithStructuralInfo |  |
-| test.js:35:18:35:25 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
-| test.js:35:18:35:25 | endpoint | contextSurroundingFunctionParameters |  |
-| test.js:35:18:35:25 | endpoint | fileImports | foo lib1 lib2 lib3 |
-| test.js:35:18:35:25 | endpoint | stringConcatenatedWith | 'foo' -endpoint- 'bar' |

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.ql

@@ -1,7 +0,0 @@
-import javascript
-import experimental.adaptivethreatmodeling.EndpointFeatures
-import TestUtil
-
-// detailed output for the nearby tests
-from Endpoint endpoint, EndpointFeature feature
-select endpoint, feature.getName(), feature.getValue(endpoint)

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/NonFeaturizedEndpoint.ql

@@ -1,8 +0,0 @@
-import javascript
-import experimental.adaptivethreatmodeling.EndpointFeatures
-import TestUtil
-
-// every endpoint should have at least one feature value, otherwise the test source is likely malformed
-from Endpoint endpoint
-where not exists(EndpointFeature f | exists(f.getValue(endpoint)))
-select endpoint

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/NonFunctionalFeature.ql

@@ -1,8 +0,0 @@
-import javascript
-import experimental.adaptivethreatmodeling.EndpointFeatures
-import TestUtil
-
-// every feature must produce a single value for each endpoint that it computes a value for, per the contract of the `scoreEndpoints` HOP
-from Endpoint endpoint, EndpointFeature feature, int arity
-where arity = count(feature.getValue(endpoint)) and arity > 1
-select endpoint, feature.getName(), arity

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/TestUtil.qll

@@ -1,6 +0,0 @@
-import javascript
-import extraction.NoFeaturizationRestrictionsConfig
-
-class Endpoint extends DataFlow::Node {
-  Endpoint() { this.asExpr().(VarAccess).getName() = "endpoint" }
-}

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/test.html

@@ -1,3 +0,0 @@
-<div class="form-group">
-    <input (change)="restoreBackup($event.target.files.item(endpoint))" />
-</div>

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/test.js

@@ -1,35 +0,0 @@
-import { bar, F, p } from 'lib1';
-import * as o from 'lib2';
-const f = require('lib3');
-
-(async function () {
-    f(endpoint, 12);
-    f({p: endpoint});
-    f({p: {q: endpoint}});
-    o.m(endpoint);
-    o.m({p: endpoint});
-    o.m({p: {q: endpoint}});
-    new F(endpoint);
-    o.m().m().m(endpoint);
-    f()(endpoint);
-    o[x].m(endpoint);
-    o.m[x].p.m(endpoint);
-    (await p)(endpoint);
-    import("foo").bar.baz(endpoint);
-    function foo() {
-        bar(endpoint);
-    }
-    (f() ? f : o.m)(endpoint);
-});
-
-function f({ endpoint }) {}
-
-const g = async () => undefined;
-
-const o = { m: () => undefined }
-
-const url = f();
-
-const x = f() + "<a target=\"_blank\" href=\"" + endpoint + "\"></a>";
-
-const y = "foo"+ endpoint + "bar";

javascript/ql/lib/semmle/javascript/internal/ConceptsImports.qll

@@ -4,3 +4,4 @@
  */
 
 import semmle.javascript.dataflow.DataFlow::DataFlow as DataFlow
+import semmle.javascript.security.CryptoAlgorithms as CryptoAlgorithms

javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll

@@ -11,3 +11,79 @@
  */
 
 private import ConceptsImports
+
+/**
+ * Provides models for cryptographic concepts.
+ *
+ * Note: The `CryptographicAlgorithm` class currently doesn't take weak keys into
+ * consideration for the `isWeak` member predicate. So RSA is always considered
+ * secure, although using a low number of bits will actually make it insecure. We plan
+ * to improve our libraries in the future to more precisely capture this aspect.
+ */
+module Cryptography {
+  class CryptographicAlgorithm = CryptoAlgorithms::CryptographicAlgorithm;
+
+  class EncryptionAlgorithm = CryptoAlgorithms::EncryptionAlgorithm;
+
+  class HashingAlgorithm = CryptoAlgorithms::HashingAlgorithm;
+
+  class PasswordHashingAlgorithm = CryptoAlgorithms::PasswordHashingAlgorithm;
+
+  /**
+   * A data-flow node that is an application of a cryptographic algorithm. For example,
+   * encryption, decryption, signature-validation.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `CryptographicOperation::Range` instead.
+   */
+  class CryptographicOperation extends DataFlow::Node instanceof CryptographicOperation::Range {
+    /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
+    CryptographicAlgorithm getAlgorithm() { result = super.getAlgorithm() }
+
+    /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+    DataFlow::Node getAnInput() { result = super.getAnInput() }
+
+    /**
+     * Gets the block mode used to perform this cryptographic operation.
+     * This may have no result - for example if the `CryptographicAlgorithm` used
+     * is a stream cipher rather than a block cipher.
+     */
+    BlockMode getBlockMode() { result = super.getBlockMode() }
+  }
+
+  /** Provides classes for modeling new applications of a cryptographic algorithms. */
+  module CryptographicOperation {
+    /**
+     * A data-flow node that is an application of a cryptographic algorithm. For example,
+     * encryption, decryption, signature-validation.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `CryptographicOperation` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
+      abstract CryptographicAlgorithm getAlgorithm();
+
+      /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+      abstract DataFlow::Node getAnInput();
+
+      /**
+       * Gets the block mode used to perform this cryptographic operation.
+       * This may have no result - for example if the `CryptographicAlgorithm` used
+       * is a stream cipher rather than a block cipher.
+       */
+      abstract BlockMode getBlockMode();
+    }
+  }
+
+  /**
+   * A cryptographic block cipher mode of operation. This can be used to encrypt
+   * data of arbitrary length using a block encryption algorithm.
+   */
+  class BlockMode extends string {
+    BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
+
+    /** Holds if this block mode is considered to be insecure. */
+    predicate isWeak() { this = "ECB" }
+  }
+}

javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll

@@ -81,6 +81,9 @@ class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm
   override string getName() { result = name }
 
   override predicate isWeak() { isWeak = true }
+
+  /** Holds if this algorithm is a stream cipher. */
+  predicate isStreamCipher() { isStreamCipher(name) }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll

@@ -67,6 +67,6 @@ predicate isStrongPasswordHashingAlgorithm(string name) {
 predicate isWeakPasswordHashingAlgorithm(string name) { name = "EVPKDF" }
 
 /**
- * Holds if `name` corresponds to a weak block cipher mode of operation.
+ * Holds if `name` corresponds to a stream cipher.
  */
-predicate isWeakBlockMode(string name) { name = "ECB" }
+predicate isStreamCipher(string name) { name = ["CHACHA", "RC4", "ARC4", "ARCFOUR", "RABBIT"] }

javascript/ql/src/meta/alerts/LibraryInputs.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Library inputs
+ * @description An input coming from the client of a library
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/library-inputs
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import semmle.javascript.PackageExports
+
+select getALibraryInputParameter(), "Library input"

python/ql/lib/semmle/python/Concepts.qll

@@ -1211,38 +1211,5 @@ module Cryptography {
     }
   }
 
-  import semmle.python.concepts.CryptoAlgorithms
-
-  /**
-   * A data-flow node that is an application of a cryptographic algorithm. For example,
-   * encryption, decryption, signature-validation.
-   *
-   * Extend this class to refine existing API models. If you want to model new APIs,
-   * extend `CryptographicOperation::Range` instead.
-   */
-  class CryptographicOperation extends DataFlow::Node instanceof CryptographicOperation::Range {
-    /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
-    CryptographicAlgorithm getAlgorithm() { result = super.getAlgorithm() }
-
-    /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
-    DataFlow::Node getAnInput() { result = super.getAnInput() }
-  }
-
-  /** Provides classes for modeling new applications of a cryptographic algorithms. */
-  module CryptographicOperation {
-    /**
-     * A data-flow node that is an application of a cryptographic algorithm. For example,
-     * encryption, decryption, signature-validation.
-     *
-     * Extend this class to model new APIs. If you want to refine existing API models,
-     * extend `CryptographicOperation` instead.
-     */
-    abstract class Range extends DataFlow::Node {
-      /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
-      abstract CryptographicAlgorithm getAlgorithm();
-
-      /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
-      abstract DataFlow::Node getAnInput();
-    }
-  }
+  import semmle.python.internal.ConceptsShared::Cryptography
 }

python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll

@@ -81,6 +81,9 @@ class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm
   override string getName() { result = name }
 
   override predicate isWeak() { isWeak = true }
+
+  /** Holds if this algorithm is a stream cipher. */
+  predicate isStreamCipher() { isStreamCipher(name) }
 }
 
 /**

python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll

@@ -67,6 +67,6 @@ predicate isStrongPasswordHashingAlgorithm(string name) {
 predicate isWeakPasswordHashingAlgorithm(string name) { name = "EVPKDF" }
 
 /**
- * Holds if `name` corresponds to a weak block cipher mode of operation.
+ * Holds if `name` corresponds to a stream cipher.
  */
-predicate isWeakBlockMode(string name) { name = "ECB" }
+predicate isStreamCipher(string name) { name = ["CHACHA", "RC4", "ARC4", "ARCFOUR", "RABBIT"] }

python/ql/lib/semmle/python/frameworks/Aiohttp.qll

@@ -662,7 +662,7 @@ private module AiohttpClientModel {
     private API::Node instance() { result = classRef().getReturn() }
 
     /** A method call on a ClientSession that sends off a request */
-    private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
+    private class OutgoingRequestCall extends HTTP::Client::Request::Range, API::CallNode {
       string methodName;
 
       OutgoingRequestCall() {
@@ -685,8 +685,14 @@ private module AiohttpClientModel {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
-        none()
+        exists(API::Node param | param = this.getKeywordParameter(["ssl", "verify_ssl"]) |
+          disablingNode = param.getARhs() and
+          argumentOrigin = param.getAValueReachingRhs() and
+          // aiohttp.client treats `None` as the default and all other "falsey" values as `False`.
+          argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
+          not argumentOrigin.asExpr() instanceof None
+        )
+        // TODO: Handling of SSLContext passed as ssl/ssl_context arguments
       }
     }
   }

python/ql/lib/semmle/python/frameworks/Cryptodome.qll

@@ -108,20 +108,20 @@ private module CryptodomeModel {
     DataFlow::CallCfgNode {
     string methodName;
     string cipherName;
+    API::CallNode newCall;
 
     CryptodomeGenericCipherOperation() {
       methodName in [
           "encrypt", "decrypt", "verify", "update", "hexverify", "encrypt_and_digest",
           "decrypt_and_verify"
         ] and
-      this =
+      newCall =
         API::moduleImport(["Crypto", "Cryptodome"])
             .getMember("Cipher")
             .getMember(cipherName)
             .getMember("new")
-            .getReturn()
-            .getMember(methodName)
-            .getACall()
+            .getACall() and
+      this = newCall.getReturn().getMember(methodName).getACall()
     }
 
     override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(cipherName) }
@@ -155,6 +155,20 @@ private module CryptodomeModel {
           this.getArgByName("mac_tag")
         ]
     }
+
+    override Cryptography::BlockMode getBlockMode() {
+      // `modeName` is of the form "MODE_<BlockMode>"
+      exists(string modeName |
+        newCall.getArg(1) =
+          API::moduleImport(["Crypto", "Cryptodome"])
+              .getMember("Cipher")
+              .getMember(cipherName)
+              .getMember(modeName)
+              .getAUse()
+      |
+        result = modeName.splitAt("_", 1)
+      )
+    }
   }
 
   /**
@@ -192,6 +206,8 @@ private module CryptodomeModel {
         result in [this.getArg(1), this.getArgByName("signature")]
       )
     }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -215,5 +231,7 @@ private module CryptodomeModel {
     override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
 
     override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 }

python/ql/lib/semmle/python/frameworks/Cryptography.qll

@@ -170,8 +170,19 @@ private module CryptographyModel {
             .getMember(algorithmName)
     }
 
+    /** Gets a reference to a `cryptography.hazmat.primitives.ciphers.modes` Class */
+    API::Node modeClassRef(string modeName) {
+      result =
+        API::moduleImport("cryptography")
+            .getMember("hazmat")
+            .getMember("primitives")
+            .getMember("ciphers")
+            .getMember("modes")
+            .getMember(modeName)
+    }
+
     /** Gets a reference to a Cipher instance using algorithm with `algorithmName`. */
-    API::Node cipherInstance(string algorithmName) {
+    API::Node cipherInstance(string algorithmName, string modeName) {
       exists(API::CallNode call | result = call.getReturn() |
         call =
           API::moduleImport("cryptography")
@@ -182,7 +193,12 @@ private module CryptographyModel {
               .getACall() and
         algorithmClassRef(algorithmName).getReturn().getAUse() in [
             call.getArg(0), call.getArgByName("algorithm")
-          ]
+          ] and
+        exists(DataFlow::Node modeArg | modeArg in [call.getArg(1), call.getArgByName("mode")] |
+          if modeArg = modeClassRef(_).getReturn().getAUse()
+          then modeArg = modeClassRef(modeName).getReturn().getAUse()
+          else modeName = "<None or unknown>"
+        )
       )
     }
 
@@ -192,10 +208,11 @@ private module CryptographyModel {
     class CryptographyGenericCipherOperation extends Cryptography::CryptographicOperation::Range,
       DataFlow::MethodCallNode {
       string algorithmName;
+      string modeName;
 
       CryptographyGenericCipherOperation() {
         this =
-          cipherInstance(algorithmName)
+          cipherInstance(algorithmName, modeName)
               .getMember(["decryptor", "encryptor"])
               .getReturn()
               .getMember(["update", "update_into"])
@@ -207,6 +224,8 @@ private module CryptographyModel {
       }
 
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+
+      override Cryptography::BlockMode getBlockMode() { result = modeName }
     }
   }
 
@@ -257,6 +276,8 @@ private module CryptographyModel {
       }
 
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+
+      override Cryptography::BlockMode getBlockMode() { none() }
     }
   }
 }

python/ql/lib/semmle/python/frameworks/Httpx.qll

@@ -18,7 +18,12 @@ private import semmle.python.ApiGraphs
  * - https://www.python-httpx.org/
  */
 private module HttpxModel {
-  private class RequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
+  /**
+   * An outgoing HTTP request, from the `httpx` library.
+   *
+   * See https://www.python-httpx.org/api/
+   */
+  private class RequestCall extends HTTP::Client::Request::Range, API::CallNode {
     string methodName;
 
     RequestCall() {
@@ -39,15 +44,18 @@ private module HttpxModel {
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      // TODO: Look into disabling certificate validation
-      none()
+      disablingNode = this.getKeywordParameter("verify").getARhs() and
+      argumentOrigin = this.getKeywordParameter("verify").getAValueReachingRhs() and
+      // unlike `requests`, httpx treats `None` as turning off verify (and not as the default)
+      argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false
+      // TODO: Handling of insecure SSLContext passed to verify argument
     }
   }
 
   /**
    * Provides models for the `httpx.[Async]Client` class
    *
-   * See https://www.python-httpx.org/async/
+   * See https://www.python-httpx.org/api/#client
    */
   module Client {
     /** Get a reference to the `httpx.Client` or `httpx.AsyncClient` class. */
@@ -55,16 +63,13 @@ private module HttpxModel {
       result = API::moduleImport("httpx").getMember(["Client", "AsyncClient"])
     }
 
-    /** Get a reference to an `httpx.Client` or `httpx.AsyncClient` instance. */
-    private API::Node instance() { result = classRef().getReturn() }
-
     /** A method call on a Client that sends off a request */
     private class OutgoingRequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
       string methodName;
 
       OutgoingRequestCall() {
         methodName in [HTTP::httpVerbLower(), "request", "stream"] and
-        this = instance().getMember(methodName).getACall()
+        this = classRef().getReturn().getMember(methodName).getACall()
       }
 
       override DataFlow::Node getAUrlPart() {
@@ -80,8 +85,16 @@ private module HttpxModel {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
-        none()
+        exists(API::CallNode constructor |
+          constructor = classRef().getACall() and
+          this = constructor.getReturn().getMember(methodName).getACall()
+        |
+          disablingNode = constructor.getKeywordParameter("verify").getARhs() and
+          argumentOrigin = constructor.getKeywordParameter("verify").getAValueReachingRhs() and
+          // unlike `requests`, httpx treats `None` as turning off verify (and not as the default)
+          argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false
+          // TODO: Handling of insecure SSLContext passed to verify argument
+        )
       }
     }
   }

python/ql/lib/semmle/python/frameworks/Requests.qll

@@ -20,9 +20,14 @@ private import semmle.python.frameworks.Stdlib
  *
  * See
  * - https://pypi.org/project/requests/
- * - https://docs.python-requests.org/en/latest/
+ * - https://requests.readthedocs.io/en/latest/
  */
 private module Requests {
+  /**
+   * An outgoing HTTP request, from the `requests` library.
+   *
+   * See https://requests.readthedocs.io/en/latest/api/#requests.request
+   */
   private class OutgoingRequestCall extends HTTP::Client::Request::Range, API::CallNode {
     string methodName;
 
@@ -58,6 +63,7 @@ private module Requests {
     ) {
       disablingNode = this.getKeywordParameter("verify").getARhs() and
       argumentOrigin = this.getKeywordParameter("verify").getAValueReachingRhs() and
+      // requests treats `None` as the default and all other "falsey" values as `False`.
       argumentOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
       not argumentOrigin.asExpr() instanceof None
     }
@@ -81,7 +87,7 @@ private module Requests {
   /**
    * Provides models for the `requests.models.Response` class
    *
-   * See https://docs.python-requests.org/en/latest/api/#requests.Response.
+   * See https://requests.readthedocs.io/en/latest/api/#requests.Response.
    */
   module Response {
     /** Gets a reference to the `requests.models.Response` class. */

python/ql/lib/semmle/python/frameworks/Rsa.qll

@@ -41,6 +41,8 @@ private module Rsa {
     override DataFlow::Node getAnInput() {
       result in [this.getArg(0), this.getArgByName("message")]
     }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -54,6 +56,8 @@ private module Rsa {
     override Cryptography::CryptographicAlgorithm getAlgorithm() { result.getName() = "RSA" }
 
     override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("crypto")] }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -79,6 +83,8 @@ private module Rsa {
     override DataFlow::Node getAnInput() {
       result in [this.getArg(0), this.getArgByName("message")]
     }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -100,6 +106,8 @@ private module Rsa {
       or
       result in [this.getArg(1), this.getArgByName("signature")]
     }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -122,6 +130,8 @@ private module Rsa {
     override DataFlow::Node getAnInput() {
       result in [this.getArg(0), this.getArgByName("message")]
     }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -137,5 +147,7 @@ private module Rsa {
     override DataFlow::Node getAnInput() {
       result in [this.getArg(0), this.getArgByName("hash_value")]
     }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 }

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2671,6 +2671,8 @@ private module StdlibPrivate {
     override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
 
     override DataFlow::Node getAnInput() { result = this.getParameter(1, "data").getARhs() }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**
@@ -2686,6 +2688,8 @@ private module StdlibPrivate {
     override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
 
     override DataFlow::Node getAnInput() { result = this.getArg(0) }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /** Helper predicate for the `HashLibGenericHashOperation` charpred, to prevent a bad join order. */
@@ -2709,6 +2713,8 @@ private module StdlibPrivate {
     HashlibGenericHashOperation() { hashClass = hashlibMember(hashName) }
 
     override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
+
+    override Cryptography::BlockMode getBlockMode() { none() }
   }
 
   /**

python/ql/lib/semmle/python/frameworks/Stdlib/Urllib.qll

@@ -42,7 +42,8 @@ private module Urllib {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
+        // cannot enable/disable certificate validation on this object, only when used
+        // with `urlopen`, which is modeled below
         none()
       }
     }
@@ -63,7 +64,8 @@ private module Urllib {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
+        // will validate certificate by default, see https://github.com/python/cpython/blob/243ed5439c32e8517aa745bc2ca9774d99c99d0f/Lib/http/client.py#L1420-L1421
+        // TODO: Handling of insecure SSLContext passed to context argument
         none()
       }
     }

python/ql/lib/semmle/python/frameworks/Stdlib/Urllib2.qll

@@ -30,7 +30,8 @@ private module Urllib2 {
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      // TODO: Look into disabling certificate validation
+      // cannot enable/disable certificate validation on this object, only when used
+      // with `urlopen`, which is modeled below
       none()
     }
   }
@@ -49,7 +50,8 @@ private module Urllib2 {
     override predicate disablesCertificateValidation(
       DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
     ) {
-      // TODO: Look into disabling certificate validation
+      // will validate certificate by default
+      // TODO: Handling of insecure SSLContext passed to context argument
       none()
     }
   }

python/ql/lib/semmle/python/frameworks/Urllib3.qll

@@ -42,9 +42,6 @@ private module Urllib3 {
             .getASubclass+()
     }
 
-    /** Gets a reference to an instance of a `urllib3.request.RequestMethods` subclass. */
-    private API::Node instance() { result = classRef().getReturn() }
-
     /**
      * A call to a method making an outgoing request.
      *
@@ -52,10 +49,11 @@ private module Urllib3 {
      * - https://urllib3.readthedocs.io/en/stable/reference/urllib3.request.html#urllib3.request.RequestMethods
      * - https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html#urllib3.HTTPConnectionPool.urlopen
      */
-    private class RequestCall extends HTTP::Client::Request::Range, DataFlow::CallCfgNode {
+    private class RequestCall extends HTTP::Client::Request::Range, API::CallNode {
       RequestCall() {
         this =
-          instance()
+          classRef()
+              .getReturn()
               .getMember(["request", "request_encode_url", "request_encode_body", "urlopen"])
               .getACall()
       }
@@ -67,8 +65,22 @@ private module Urllib3 {
       override predicate disablesCertificateValidation(
         DataFlow::Node disablingNode, DataFlow::Node argumentOrigin
       ) {
-        // TODO: Look into disabling certificate validation
-        none()
+        exists(API::CallNode constructor |
+          constructor = classRef().getACall() and
+          this = constructor.getReturn().getAMember().getACall()
+        |
+          // cert_reqs
+          // see https://urllib3.readthedocs.io/en/stable/user-guide.html?highlight=cert_reqs#certificate-verification
+          disablingNode = constructor.getKeywordParameter("cert_reqs").getARhs() and
+          argumentOrigin = constructor.getKeywordParameter("cert_reqs").getAValueReachingRhs() and
+          argumentOrigin.asExpr().(StrConst).getText() = "CERT_NONE"
+          or
+          // assert_hostname
+          // see https://urllib3.readthedocs.io/en/stable/reference/urllib3.connectionpool.html?highlight=assert_hostname#urllib3.HTTPSConnectionPool
+          disablingNode = constructor.getKeywordParameter("assert_hostname").getARhs() and
+          argumentOrigin = constructor.getKeywordParameter("assert_hostname").getAValueReachingRhs() and
+          argumentOrigin.asExpr().(BooleanLiteral).booleanValue() = false
+        )
       }
     }
   }

python/ql/lib/semmle/python/internal/ConceptsImports.qll

@@ -4,3 +4,4 @@
  */
 
 import semmle.python.dataflow.new.DataFlow
+import semmle.python.concepts.CryptoAlgorithms as CryptoAlgorithms

python/ql/lib/semmle/python/internal/ConceptsShared.qll

@@ -11,3 +11,79 @@
  */
 
 private import ConceptsImports
+
+/**
+ * Provides models for cryptographic concepts.
+ *
+ * Note: The `CryptographicAlgorithm` class currently doesn't take weak keys into
+ * consideration for the `isWeak` member predicate. So RSA is always considered
+ * secure, although using a low number of bits will actually make it insecure. We plan
+ * to improve our libraries in the future to more precisely capture this aspect.
+ */
+module Cryptography {
+  class CryptographicAlgorithm = CryptoAlgorithms::CryptographicAlgorithm;
+
+  class EncryptionAlgorithm = CryptoAlgorithms::EncryptionAlgorithm;
+
+  class HashingAlgorithm = CryptoAlgorithms::HashingAlgorithm;
+
+  class PasswordHashingAlgorithm = CryptoAlgorithms::PasswordHashingAlgorithm;
+
+  /**
+   * A data-flow node that is an application of a cryptographic algorithm. For example,
+   * encryption, decryption, signature-validation.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `CryptographicOperation::Range` instead.
+   */
+  class CryptographicOperation extends DataFlow::Node instanceof CryptographicOperation::Range {
+    /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
+    CryptographicAlgorithm getAlgorithm() { result = super.getAlgorithm() }
+
+    /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+    DataFlow::Node getAnInput() { result = super.getAnInput() }
+
+    /**
+     * Gets the block mode used to perform this cryptographic operation.
+     * This may have no result - for example if the `CryptographicAlgorithm` used
+     * is a stream cipher rather than a block cipher.
+     */
+    BlockMode getBlockMode() { result = super.getBlockMode() }
+  }
+
+  /** Provides classes for modeling new applications of a cryptographic algorithms. */
+  module CryptographicOperation {
+    /**
+     * A data-flow node that is an application of a cryptographic algorithm. For example,
+     * encryption, decryption, signature-validation.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `CryptographicOperation` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
+      abstract CryptographicAlgorithm getAlgorithm();
+
+      /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+      abstract DataFlow::Node getAnInput();
+
+      /**
+       * Gets the block mode used to perform this cryptographic operation.
+       * This may have no result - for example if the `CryptographicAlgorithm` used
+       * is a stream cipher rather than a block cipher.
+       */
+      abstract BlockMode getBlockMode();
+    }
+  }
+
+  /**
+   * A cryptographic block cipher mode of operation. This can be used to encrypt
+   * data of arbitrary length using a block encryption algorithm.
+   */
+  class BlockMode extends string {
+    BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
+
+    /** Holds if this block mode is considered to be insecure. */
+    predicate isWeak() { this = "ECB" }
+  }
+}

python/ql/src/Security/CWE-295/RequestWithoutValidation.ql

@@ -15,12 +15,14 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
-from API::CallNode call, DataFlow::Node falseyOrigin, string verb
+from
+  HTTP::Client::Request request, DataFlow::Node disablingNode, DataFlow::Node origin, string ending
 where
-  verb = HTTP::httpVerbLower() and
-  call = API::moduleImport("requests").getMember(verb).getACall() and
-  falseyOrigin = call.getKeywordParameter("verify").getAValueReachingRhs() and
-  // requests treats `None` as the default and all other "falsey" values as `False`.
-  falseyOrigin.asExpr().(ImmutableLiteral).booleanValue() = false and
-  not falseyOrigin.asExpr() instanceof None
-select call, "Call to requests." + verb + " with verify=$@", falseyOrigin, "False"
+  request.disablesCertificateValidation(disablingNode, origin) and
+  // Showing the origin is only useful when it's a different node than the one disabling
+  // certificate validation, for example in `requests.get(..., verify=arg)`, `arg` would
+  // be the `disablingNode`, and the `origin` would be the place were `arg` got its
+  // value from.
+  if disablingNode = origin then ending = "." else ending = " by the value from $@."
+select request, "This request may run without certificate validation because it is $@" + ending,
+  disablingNode, "disabled here", origin, "here"

python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql

@@ -13,13 +13,18 @@
 import python
 import semmle.python.Concepts
 
-from Cryptography::CryptographicOperation operation, Cryptography::CryptographicAlgorithm algorithm
+from
+  Cryptography::CryptographicOperation operation, Cryptography::CryptographicAlgorithm algorithm,
+  string msgPrefix
 where
   algorithm = operation.getAlgorithm() and
-  algorithm.isWeak() and
   // `Cryptography::HashingAlgorithm` and `Cryptography::PasswordHashingAlgorithm` are
   // handled by `py/weak-sensitive-data-hashing`
-  algorithm instanceof Cryptography::EncryptionAlgorithm
-select operation,
-  "The cryptographic algorithm " + algorithm.getName() +
-    " is broken or weak, and should not be used."
+  algorithm instanceof Cryptography::EncryptionAlgorithm and
+  (
+    algorithm.isWeak() and
+    msgPrefix = "The cryptographic algorithm " + operation.getAlgorithm().getName()
+  )
+  or
+  operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
+select operation, msgPrefix + " is broken or weak, and should not be used."

python/ql/src/Security/CWE-732/WeakFilePermissions.ql

@@ -12,6 +12,7 @@
  */
 
 import python
+import semmle.python.ApiGraphs
 
 bindingset[p]
 int world_permission(int p) { result = p % 8 }
@@ -33,20 +34,20 @@ string permissive_permission(int p) {
   world_permission(p) = 0 and result = "group " + access(group_permission(p))
 }
 
-predicate chmod_call(CallNode call, FunctionValue chmod, NumericValue num) {
-  Value::named("os.chmod") = chmod and
-  chmod.getACall() = call and
-  call.getArg(1).pointsTo(num)
+predicate chmod_call(API::CallNode call, string name, int mode) {
+  call = API::moduleImport("os").getMember("chmod").getACall() and
+  mode = call.getParameter(1, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  name = "chmod"
 }
 
-predicate open_call(CallNode call, FunctionValue open, NumericValue num) {
-  Value::named("os.open") = open and
-  open.getACall() = call and
-  call.getArg(2).pointsTo(num)
+predicate open_call(API::CallNode call, string name, int mode) {
+  call = API::moduleImport("os").getMember("open").getACall() and
+  mode = call.getParameter(2, "mode").getAValueReachingRhs().asExpr().(IntegerLiteral).getValue() and
+  name = "open"
 }
 
-from CallNode call, FunctionValue func, NumericValue num, string permission
+from API::CallNode call, string name, int mode, string permission
 where
-  (chmod_call(call, func, num) or open_call(call, func, num)) and
-  permission = permissive_permission(num.getIntValue())
-select call, "Overly permissive mask in " + func.getName() + " sets file to " + permission + "."
+  (chmod_call(call, name, mode) or open_call(call, name, mode)) and
+  permission = permissive_permission(mode)
+select call, "Overly permissive mask in " + name + " sets file to " + permission + "."

python/ql/src/change-notes/2022-05-16-broken-crypto-block-mode.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query "Use of a broken or weak cryptographic algorithm" (`py/weak-cryptographic-algorithm`) now report if a cryptographic operation is potentially insecure due to use of a weak block mode.

python/ql/src/change-notes/2022-06-08-request-without-certificate-validation-modeling.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Improved library modeling for the query "Request without certificate validation" (`py/request-without-cert-validation`), so it now also covers `httpx`, `aiohttp.client`, and `urllib3`.

python/ql/src/experimental/Security/CWE-079/ReflectedXSS.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Reflected server-side cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 2.9
+ * @sub-severity high
+ * @id py/reflective-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+// determine precision above
+import python
+import experimental.semmle.python.security.dataflow.ReflectedXSS
+import DataFlow::PathGraph
+
+from ReflectedXssConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+  source.getNode(), "a user-provided value"

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -602,3 +602,77 @@ class JwtDecoding extends DataFlow::Node instanceof JwtDecoding::Range {
 
 /** DEPRECATED: Alias for JwtDecoding */
 deprecated class JWTDecoding = JwtDecoding;
+
+/** Provides classes for modeling Email APIs. */
+module EmailSender {
+  /**
+   * A data-flow node that sends an email.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `EmailSender` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets a data flow node holding the plaintext version of the email body.
+     */
+    abstract DataFlow::Node getPlainTextBody();
+
+    /**
+     * Gets a data flow node holding the html version of the email body.
+     */
+    abstract DataFlow::Node getHtmlBody();
+
+    /**
+     * Gets a data flow node holding the recipients of the email.
+     */
+    abstract DataFlow::Node getTo();
+
+    /**
+     * Gets a data flow node holding the senders of the email.
+     */
+    abstract DataFlow::Node getFrom();
+
+    /**
+     * Gets a data flow node holding the subject of the email.
+     */
+    abstract DataFlow::Node getSubject();
+  }
+}
+
+/**
+ * A data-flow node that sends an email.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `EmailSender::Range` instead.
+ */
+class EmailSender extends DataFlow::Node instanceof EmailSender::Range {
+  /**
+   * Gets a data flow node holding the plaintext version of the email body.
+   */
+  DataFlow::Node getPlainTextBody() { result = super.getPlainTextBody() }
+
+  /**
+   * Gets a data flow node holding the html version of the email body.
+   */
+  DataFlow::Node getHtmlBody() { result = super.getHtmlBody() }
+
+  /**
+   * Gets a data flow node holding the recipients of the email.
+   */
+  DataFlow::Node getTo() { result = super.getTo() }
+
+  /**
+   * Gets a data flow node holding the senders of the email.
+   */
+  DataFlow::Node getFrom() { result = super.getFrom() }
+
+  /**
+   * Gets a data flow node holding the subject of the email.
+   */
+  DataFlow::Node getSubject() { result = super.getSubject() }
+
+  /**
+   * Gets a data flow node that refers to the HTML body or plaintext body of the email.
+   */
+  DataFlow::Node getABody() { result in [super.getPlainTextBody(), super.getHtmlBody()] }
+}

python/ql/src/experimental/semmle/python/Frameworks.qll

@@ -15,3 +15,6 @@ private import experimental.semmle.python.libraries.Python_JWT
 private import experimental.semmle.python.libraries.Authlib
 private import experimental.semmle.python.libraries.PythonJose
 private import experimental.semmle.python.frameworks.CopyFile
+private import experimental.semmle.python.frameworks.Sendgrid
+private import experimental.semmle.python.libraries.FlaskMail
+private import experimental.semmle.python.libraries.SmtpLib

python/ql/src/experimental/semmle/python/frameworks/Django.qll

@@ -8,8 +8,8 @@ private import semmle.python.frameworks.Django
 private import semmle.python.dataflow.new.DataFlow
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
-import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+import semmle.python.dataflow.new.RemoteFlowSources
 
 private module ExperimentalPrivateDjango {
   private module DjangoMod {
@@ -189,5 +189,90 @@ private module ExperimentalPrivateDjango {
         }
       }
     }
+
+    module Email {
+      /** https://docs.djangoproject.com/en/3.2/topics/email/ */
+      private API::Node djangoMail() {
+        result = API::moduleImport("django").getMember("core").getMember("mail")
+      }
+
+      /**
+       * Gets a call to `django.core.mail.send_mail()`.
+       *
+       * Given the following example:
+       *
+       * ```py
+       * send_mail("Subject", "plain-text body", "from@example.com", ["to@example.com"], html_message=django.http.request.GET.get("html"))
+       * ```
+       *
+       * * `this` would be `send_mail("Subject", "plain-text body", "from@example.com", ["to@example.com"], html_message=django.http.request.GET.get("html"))`.
+       * * `getPlainTextBody()`'s result would be `"plain-text body"`.
+       * * `getHtmlBody()`'s result would be `django.http.request.GET.get("html")`.
+       * * `getTo()`'s result would be `["to@example.com"]`.
+       * * `getFrom()`'s result would be `"from@example.com"`.
+       * * `getSubject()`'s result would be `"Subject"`.
+       */
+      private class DjangoSendMail extends DataFlow::CallCfgNode, EmailSender::Range {
+        DjangoSendMail() { this = djangoMail().getMember("send_mail").getACall() }
+
+        override DataFlow::Node getPlainTextBody() {
+          result in [this.getArg(1), this.getArgByName("message")]
+        }
+
+        override DataFlow::Node getHtmlBody() {
+          result in [this.getArg(8), this.getArgByName("html_message")]
+        }
+
+        override DataFlow::Node getTo() {
+          result in [this.getArg(3), this.getArgByName("recipient_list")]
+        }
+
+        override DataFlow::Node getFrom() {
+          result in [this.getArg(2), this.getArgByName("from_email")]
+        }
+
+        override DataFlow::Node getSubject() {
+          result in [this.getArg(0), this.getArgByName("subject")]
+        }
+      }
+
+      /**
+       * Gets a call to `django.core.mail.mail_admins()` or `django.core.mail.mail_managers()`.
+       *
+       * Given the following example:
+       *
+       * ```py
+       * mail_admins("Subject", "plain-text body", html_message=django.http.request.GET.get("html"))
+       * ```
+       *
+       * * `this` would be `mail_admins("Subject", "plain-text body", html_message=django.http.request.GET.get("html"))`.
+       * * `getPlainTextBody()`'s result would be `"plain-text body"`.
+       * * `getHtmlBody()`'s result would be `django.http.request.GET.get("html")`.
+       * * `getTo()`'s result would be `none`.
+       * * `getFrom()`'s result would be `none`.
+       * * `getSubject()`'s result would be `"Subject"`.
+       */
+      private class DjangoMailInternal extends DataFlow::CallCfgNode, EmailSender::Range {
+        DjangoMailInternal() {
+          this = djangoMail().getMember(["mail_admins", "mail_managers"]).getACall()
+        }
+
+        override DataFlow::Node getPlainTextBody() {
+          result in [this.getArg(1), this.getArgByName("message")]
+        }
+
+        override DataFlow::Node getHtmlBody() {
+          result in [this.getArg(4), this.getArgByName("html_message")]
+        }
+
+        override DataFlow::Node getTo() { none() }
+
+        override DataFlow::Node getFrom() { none() }
+
+        override DataFlow::Node getSubject() {
+          result in [this.getArg(0), this.getArgByName("subject")]
+        }
+      }
+    }
   }
 }

python/ql/src/experimental/semmle/python/frameworks/Sendgrid.qll

@@ -0,0 +1,187 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `sendgrid` PyPI package.
+ * See https://github.com/sendgrid/sendgrid-python.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+private module Sendgrid {
+  /** Gets a reference to the `sendgrid` module. */
+  private API::Node sendgrid() { result = API::moduleImport("sendgrid") }
+
+  /** Gets a reference to `sendgrid.helpers.mail` */
+  private API::Node sendgridMailHelper() {
+    result = sendgrid().getMember("helpers").getMember("mail")
+  }
+
+  /** Gets a reference to `sendgrid.helpers.mail.Mail` */
+  private API::Node sendgridMailInstance() { result = sendgridMailHelper().getMember("Mail") }
+
+  /** Gets a reference to a `SendGridAPIClient` instance. */
+  private API::Node sendgridApiClient() {
+    result = sendgrid().getMember("SendGridAPIClient").getReturn()
+  }
+
+  /** Gets a reference to a `SendGridAPIClient` instance call with `send` or `post`. */
+  private DataFlow::CallCfgNode sendgridApiSendCall() {
+    result = sendgridApiClient().getMember("send").getACall()
+    or
+    result =
+      sendgridApiClient()
+          .getMember("client")
+          .getMember("mail")
+          .getMember("send")
+          .getMember("post")
+          .getACall()
+  }
+
+  /**
+   * Gets a reference to `sg.send()` and `sg.client.mail.send.post()`.
+   *
+   * Given the following example:
+   *
+   * ```py
+   *  from_email = Email("from@example.com")
+   *  to_email = To("to@example.com")
+   *  subject = "Sending with SendGrid is Fun"
+   *  content = Content("text/html", request.args["html_content"])
+   *
+   *  mail = Mail(from_email, to_email, subject, content)
+   *
+   *  sg = SendGridAPIClient(api_key='SENDGRID_API_KEY')
+   *  response = sg.client.mail.send.post(request_body=mail.get())
+   *  ```
+   *
+   * * `this` would be `sg.client.mail.send.post(request_body=mail.get())`.
+   * * `getPlainTextBody()`'s result would be `none()`.
+   * * `getHtmlBody()`'s result would be `request.args["html_content"]`.
+   * * `getTo()`'s result would be `"to@example.com"`.
+   * * `getFrom()`'s result would be `"from@example.com"`.
+   * * `getSubject()`'s result would be `"Sending with SendGrid is Fun"`.
+   */
+  private class SendGridMail extends DataFlow::CallCfgNode, EmailSender::Range {
+    SendGridMail() { this = sendgridApiSendCall() }
+
+    private DataFlow::CallCfgNode getMailCall() {
+      exists(DataFlow::Node n |
+        n in [this.getArg(0), this.getArgByName("request_body")] and
+        result = [n, n.(DataFlow::MethodCallNode).getObject()].getALocalSource()
+      )
+    }
+
+    private DataFlow::Node sendgridContent(DataFlow::CallCfgNode contentCall, string mime) {
+      mime in ["text/plain", "text/html", "text/x-amp-html"] and
+      exists(StrConst mimeNode |
+        mimeNode.getText() = mime and
+        DataFlow::exprNode(mimeNode).(DataFlow::LocalSourceNode).flowsTo(contentCall.getArg(0)) and
+        result = contentCall.getArg(1)
+      )
+    }
+
+    private DataFlow::Node sendgridWrite(string attributeName) {
+      attributeName in ["plain_text_content", "html_content", "from_email", "subject"] and
+      exists(DataFlow::AttrWrite attrWrite |
+        attrWrite.getObject().getALocalSource() = this.getMailCall() and
+        attrWrite.getAttributeName() = attributeName and
+        result = attrWrite.getValue()
+      )
+    }
+
+    override DataFlow::Node getPlainTextBody() {
+      result in [
+          this.getMailCall().getArg(3), this.getMailCall().getArgByName("plain_text_content")
+        ]
+      or
+      result in [
+          this.sendgridContent([
+              this.getMailCall().getArg(3), this.getMailCall().getArgByName("plain_text_content")
+            ].getALocalSource(), "text/plain"),
+          this.sendgridContent(sendgridMailInstance().getMember("add_content").getACall(),
+            "text/plain")
+        ]
+      or
+      result = this.sendgridWrite("plain_text_content")
+    }
+
+    override DataFlow::Node getHtmlBody() {
+      result in [this.getMailCall().getArg(4), this.getMailCall().getArgByName("html_content")]
+      or
+      result = this.getMailCall().getAMethodCall("set_html").getArg(0)
+      or
+      result =
+        this.sendgridContent([
+            this.getMailCall().getArg(4), this.getMailCall().getArgByName("html_content")
+          ].getALocalSource(), ["text/html", "text/x-amp-html"])
+      or
+      result = this.sendgridWrite("html_content")
+      or
+      exists(KeyValuePair content, Dict generalDict, KeyValuePair typePair, KeyValuePair valuePair |
+        content.getKey().(StrConst).getText() = "content" and
+        content.getValue().(List).getAnElt() = generalDict and
+        // declare KeyValuePairs keys and values
+        typePair.getKey().(StrConst).getText() = "type" and
+        typePair.getValue().(StrConst).getText() = ["text/html", "text/x-amp-html"] and
+        valuePair.getKey().(StrConst).getText() = "value" and
+        result.asExpr() = valuePair.getValue() and
+        // correlate generalDict with previously set KeyValuePairs
+        generalDict.getAnItem() in [typePair, valuePair] and
+        [this.getArg(0), this.getArgByName("request_body")].getALocalSource().asExpr() =
+          any(Dict d | d.getAnItem() = content)
+      )
+      or
+      exists(KeyValuePair footer, Dict generalDict, KeyValuePair enablePair, KeyValuePair htmlPair |
+        footer.getKey().(StrConst).getText() = ["footer", "subscription_tracking"] and
+        footer.getValue() = generalDict and
+        // check footer is enabled
+        enablePair.getKey().(StrConst).getText() = "enable" and
+        exists(enablePair.getValue().(True)) and
+        // get html content
+        htmlPair.getKey().(StrConst).getText() = "html" and
+        result.asExpr() = htmlPair.getValue() and
+        // correlate generalDict with previously set KeyValuePairs
+        generalDict.getAnItem() in [enablePair, htmlPair] and
+        exists(KeyValuePair k |
+          k.getKey() =
+            [this.getArg(0), this.getArgByName("request_body")]
+                .getALocalSource()
+                .asExpr()
+                .(Dict)
+                .getAKey() and
+          k.getValue() = any(Dict d | d.getAKey() = footer.getKey())
+        )
+      )
+    }
+
+    override DataFlow::Node getTo() {
+      result in [this.getMailCall().getArg(1), this.getMailCall().getArgByName("to_emails")]
+      or
+      result = this.getMailCall().getAMethodCall("To").getArg(0)
+      or
+      result =
+        this.getMailCall()
+            .getAMethodCall(["to", "add_to", "cc", "add_cc", "bcc", "add_bcc"])
+            .getArg(0)
+    }
+
+    override DataFlow::Node getFrom() {
+      result in [this.getMailCall().getArg(0), this.getMailCall().getArgByName("from_email")]
+      or
+      result = this.getMailCall().getAMethodCall("Email").getArg(0)
+      or
+      result = this.getMailCall().getAMethodCall(["from_email", "set_from"]).getArg(0)
+      or
+      result = this.sendgridWrite("from_email")
+    }
+
+    override DataFlow::Node getSubject() {
+      result in [this.getMailCall().getArg(2), this.getMailCall().getArgByName("subject")]
+      or
+      result = this.getMailCall().getAMethodCall(["subject", "set_subject"]).getArg(0)
+      or
+      result = this.sendgridWrite("subject")
+    }
+  }
+}

python/ql/src/experimental/semmle/python/libraries/FlaskMail.qll

@@ -0,0 +1,81 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `flask` PyPI package.
+ * See https://flask.palletsprojects.com/en/1.1.x/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/** https://pythonhosted.org/Flask-Mail/#module-flask_mail */
+private module FlaskMail {
+  /** Gets a reference to `flask_mail`, `flask_sendmail` and `flask.ext.sendmail`. */
+  private API::Node flaskMail() {
+    result = API::moduleImport(["flask_mail", "flask_sendmail", "flask.ext.sendmail"])
+  }
+
+  /** Gets a reference to `flask_mail.Mail()`, `flask_sendmail.Mail()` and `flask.ext.sendmail.Mail()`. */
+  private API::Node flaskMailInstance() { result = flaskMail().getMember("Mail").getReturn() }
+
+  /**
+   * Gets a call to `mail.send()`.
+   *
+   * Given the following example:
+   *
+   * ```py
+   * msg = Message(subject="Subject",
+   *                sender="from@example.com",
+   *                recipients=["to@example.com"],
+   *                body="plain-text body",
+   *                html=request.args["html"])
+   * mail.send(msg)
+   *  ```
+   *
+   * * `this` would be `mail.send(msg)`.
+   * * `getPlainTextBody()`'s result would be `"plain-text body"`.
+   * * `getHtmlBody()`'s result would be `request.args["html"]`.
+   * * `getTo()`'s result would be `["to@example.com"]`.
+   * * `getFrom()`'s result would be `"from@example.com"`.
+   * * `getSubject()`'s result would be `"Subject"`.
+   */
+  private class FlaskMail extends DataFlow::CallCfgNode, EmailSender::Range {
+    FlaskMail() {
+      this =
+        [flaskMailInstance(), flaskMailInstance().getMember("connect").getReturn()]
+            .getMember(["send", "send_message"])
+            .getACall()
+    }
+
+    private DataFlow::CallCfgNode getMessage() { result = this.getArg(0).getALocalSource() }
+
+    bindingset[argumentPosition]
+    private DataFlow::Node getFlaskMailArgument(int argumentPosition, string argumentName) {
+      argumentPosition in [[0 .. 3], 5] and
+      argumentName in ["body", "html", "recipients", "sender", "subject"] and
+      result in [
+          this.getMessage().getArg(argumentPosition), this.getMessage().getArgByName(argumentName)
+        ]
+      or
+      exists(DataFlow::AttrWrite write |
+        write.getObject().getALocalSource() = this.getMessage() and
+        write.getAttributeName() = argumentName and
+        result = write.getValue()
+      )
+    }
+
+    override DataFlow::Node getPlainTextBody() { result = this.getFlaskMailArgument(2, "body") }
+
+    override DataFlow::Node getHtmlBody() { result = this.getFlaskMailArgument(3, "html") }
+
+    override DataFlow::Node getTo() {
+      result = this.getFlaskMailArgument(1, "recipients")
+      or
+      result = this.getMessage().getAMethodCall("add_recipient").getACall().getArg(0)
+    }
+
+    override DataFlow::Node getFrom() { result = this.getFlaskMailArgument(5, "sender") }
+
+    override DataFlow::Node getSubject() { result = this.getFlaskMailArgument(0, "subject") }
+  }
+}

python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll

@@ -0,0 +1,177 @@
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.TaintTracking2
+
+module SmtpLib {
+  /** Gets a reference to `smtplib.SMTP_SSL` */
+  private API::Node smtpConnectionInstance() {
+    result = API::moduleImport("smtplib").getMember("SMTP_SSL")
+  }
+
+  /** Gets a reference to `email.mime.multipart.MIMEMultipart` */
+  private API::Node smtpMimeMultipartInstance() {
+    result =
+      API::moduleImport("email").getMember("mime").getMember("multipart").getMember("MIMEMultipart")
+  }
+
+  /** Gets a reference to `email.mime.text.MIMEText` */
+  private API::Node smtpMimeTextInstance() {
+    result = API::moduleImport("email").getMember("mime").getMember("text").getMember("MIMEText")
+  }
+
+  private DataFlow::CallCfgNode mimeText(string mimetype) {
+    result = smtpMimeTextInstance().getACall() and
+    [result.getArg(1), result.getArgByName("_subtype")].asExpr().(StrConst).getText() = mimetype
+  }
+
+  /**
+   * Gets flow from `MIMEText()` to `MIMEMultipart(_subparts=(part1, part2))`'s `_subparts`
+   * argument. Used because of the impossibility to get local source nodes from `_subparts`'
+   * `(List|Tuple)` elements.
+   */
+  private class SMTPMessageConfig extends TaintTracking2::Configuration {
+    SMTPMessageConfig() { this = "SMTPMessageConfig" }
+
+    override predicate isSource(DataFlow::Node source) { source = mimeText(_) }
+
+    override predicate isSink(DataFlow::Node sink) {
+      sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
+    }
+  }
+
+  /**
+   * Using the `MimeText` call retrieves the content argument whose type argument equals `mimetype`.
+   * This call flows into `MIMEMultipart`'s `_subparts` argument or the `.attach()` method call
+   * and both local source nodes correlate to `smtp`'s `sendmail` call 3rd argument's local source.
+   *
+   * Given the following example with `getSmtpMessage(any(SmtpLibSendMail s), "html")`:
+   *
+   * ```py
+   * part1 = MIMEText(text, "plain")
+   * part2 = MIMEText(html, "html")
+   * message = MIMEMultipart(_subparts=(part1, part2))
+   * server.sendmail(sender_email, receiver_email, message.as_string())
+   * ```
+   *
+   * * `source` would be `MIMEText(text, "html")`.
+   * * `sink` would be `MIMEMultipart(_subparts=(part1, part2))`.
+   * * Then `message` local source node is correlated to `sink`.
+   * * Then the flow from `source` to `_subparts` is checked.
+   *
+   * Given the following example with `getSmtpMessage(any(SmtpLibSendMail s), "html")`:
+   *
+   * ```py
+   * part1 = MIMEText(text, "plain")
+   * part2 = MIMEText(html, "html")
+   * message = MIMEMultipart("alternative")
+   * message.attach(part1)
+   * message.attach(part2)
+   * server.sendmail(sender_email, receiver_email, message.as_string())
+   * ```
+   *
+   * * `source` would be `MIMEText(text, "html")`.
+   * * `sink` would be `message.attach(part2)`.
+   * * Then `sink`'s object (`message`) local source is correlated to `server.sendmail`
+   * 3rd argument local source (`MIMEMultipart("alternative")`).
+   * * Then the flow from `source` to `sink` 1st argument is checked.
+   */
+  bindingset[mimetype]
+  private DataFlow::Node getSmtpMessage(DataFlow::CallCfgNode sendCall, string mimetype) {
+    exists(DataFlow::Node source, DataFlow::Node sink |
+      source = mimeText(mimetype) and
+      (
+        // via _subparts
+        sink = smtpMimeMultipartInstance().getACall() and
+        sink =
+          [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
+              .getALocalSource() and
+        any(SMTPMessageConfig a)
+            .hasFlow(source, sink.(DataFlow::CallCfgNode).getArgByName("_subparts"))
+        or
+        // via .attach()
+        sink = smtpMimeMultipartInstance().getReturn().getMember("attach").getACall() and
+        sink.(DataFlow::MethodCallNode).getObject().getALocalSource() =
+          [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
+              .getALocalSource() and
+        source.(DataFlow::CallCfgNode).flowsTo(sink.(DataFlow::CallCfgNode).getArg(0))
+      ) and
+      result = source.(DataFlow::CallCfgNode).getArg(0)
+    )
+  }
+
+  /**
+   * Gets a message subscript write by correlating subscript's object local source with
+   * `smtp`'s `sendmail` call 3rd argument's local source.
+   *
+   * Given the following example with `getSMTPSubscriptByIndex(any(SmtpLibSendMail s), "Subject")`:
+   *
+   * ```py
+   * message = MIMEMultipart("alternative")
+   * message["Subject"] = "multipart test"
+   * server.sendmail(sender_email, receiver_email, message.as_string())
+   * ```
+   *
+   * * `def` would be `message["Subject"]` (`DefinitionNode`)
+   * * `sub` would be `message["Subject"]` (`Subscript`)
+   * * `result` would be `"multipart test"`
+   */
+  private DataFlow::Node getSMTPSubscriptByIndex(DataFlow::CallCfgNode sendCall, string index) {
+    exists(DefinitionNode def, Subscript sub |
+      sub = def.getNode() and
+      DataFlow::exprNode(sub.getObject()).getALocalSource() =
+        [sendCall.getArg(2), sendCall.getArg(2).(DataFlow::MethodCallNode).getObject()]
+            .getALocalSource() and
+      sub.getIndex().(StrConst).getText() = index and
+      result.asCfgNode() = def.getValue()
+    )
+  }
+
+  /**
+   * Gets a reference to `smtplib.SMTP_SSL().sendmail()`.
+   *
+   * Given the following example:
+   *
+   * ```py
+   * part1 = MIMEText(text, "plain")
+   * part2 = MIMEText(html, "html")
+   *
+   * message = MIMEMultipart(_subparts=(part1, part2))
+   * message["Subject"] = "multipart test"
+   * message["From"] = sender_email
+   * message["To"] = receiver_email
+   *
+   * server.login(sender_email, "SERVER_PASSWORD")
+   * server.sendmail(sender_email, receiver_email, message.as_string())
+   * ```
+   *
+   * * `this` would be `server.sendmail(sender_email, receiver_email, message.as_string())`.
+   * * `getPlainTextBody()`'s result would be `text`.
+   * * `getHtmlBody()`'s result would be `html`.
+   * * `getTo()`'s result would be `receiver_email`.
+   * * `getFrom()`'s result would be `sender_email`.
+   * * `getSubject()`'s result would be `"multipart test"`.
+   */
+  private class SmtpLibSendMail extends DataFlow::CallCfgNode, EmailSender::Range {
+    SmtpLibSendMail() {
+      this = smtpConnectionInstance().getReturn().getMember("sendmail").getACall()
+    }
+
+    override DataFlow::Node getPlainTextBody() { result = getSmtpMessage(this, "plain") }
+
+    override DataFlow::Node getHtmlBody() { result = getSmtpMessage(this, "html") }
+
+    override DataFlow::Node getTo() {
+      result in [this.getArg(1), getSMTPSubscriptByIndex(this, "To")]
+    }
+
+    override DataFlow::Node getFrom() {
+      result in [this.getArg(0), getSMTPSubscriptByIndex(this, "From")]
+    }
+
+    override DataFlow::Node getSubject() {
+      result in [this.getArg(2), getSMTPSubscriptByIndex(this, "Subject")]
+    }
+  }
+}

python/ql/src/experimental/semmle/python/security/dataflow/ReflectedXSS.qll

@@ -0,0 +1,46 @@
+/**
+ * Provides a taint-tracking configuration for detecting reflected server-side
+ * cross-site scripting vulnerabilities.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.BarrierGuards
+import experimental.semmle.python.Concepts
+import semmle.python.Concepts
+import semmle.python.ApiGraphs
+
+/**
+ * A taint-tracking configuration for detecting reflected server-side cross-site
+ * scripting vulnerabilities.
+ */
+class ReflectedXssConfiguration extends TaintTracking::Configuration {
+  ReflectedXssConfiguration() { this = "ReflectedXssConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(EmailSender email).getHtmlBody() }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StringConstCompare
+  }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer = any(HtmlEscaping esc).getOutput()
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::CallCfgNode htmlContentCall |
+      htmlContentCall =
+        API::moduleImport("sendgrid")
+            .getMember("helpers")
+            .getMember("mail")
+            .getMember("HtmlContent")
+            .getACall() and
+      nodeTo = htmlContentCall and
+      nodeFrom = htmlContentCall.getArg(0)
+    )
+  }
+}

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -487,7 +487,8 @@ class CryptographicOperationTest extends InlineExpectationsTest {
 
   override string getARelevantTag() {
     result in [
-        "CryptographicOperation", "CryptographicOperationInput", "CryptographicOperationAlgorithm"
+        "CryptographicOperation", "CryptographicOperationInput", "CryptographicOperationAlgorithm",
+        "CryptographicOperationBlockMode"
       ]
   }
 
@@ -507,6 +508,10 @@ class CryptographicOperationTest extends InlineExpectationsTest {
         element = cryptoOperation.toString() and
         value = cryptoOperation.getAlgorithm().getName() and
         tag = "CryptographicOperationAlgorithm"
+        or
+        element = cryptoOperation.toString() and
+        value = cryptoOperation.getBlockMode() and
+        tag = "CryptographicOperationBlockMode"
       )
     )
   }

python/ql/test/experimental/query-tests/Security/CWE-079/ReflectedXSS.expected

@@ -0,0 +1,96 @@
+edges
+| flask_mail.py:13:22:13:28 | ControlFlowNode for request | flask_mail.py:13:22:13:33 | ControlFlowNode for Attribute |
+| flask_mail.py:13:22:13:28 | ControlFlowNode for request | flask_mail.py:18:14:18:25 | ControlFlowNode for Attribute |
+| flask_mail.py:13:22:13:33 | ControlFlowNode for Attribute | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript |
+| flask_mail.py:18:14:18:20 | ControlFlowNode for request | flask_mail.py:18:14:18:25 | ControlFlowNode for Attribute |
+| flask_mail.py:18:14:18:25 | ControlFlowNode for Attribute | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript |
+| flask_mail.py:31:24:31:30 | ControlFlowNode for request | flask_mail.py:31:24:31:35 | ControlFlowNode for Attribute |
+| flask_mail.py:31:24:31:35 | ControlFlowNode for Attribute | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript |
+| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:33 | ControlFlowNode for Attribute |
+| sendgrid_mail.py:14:22:14:33 | ControlFlowNode for Attribute | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript |
+| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:34:26:45 | ControlFlowNode for Attribute |
+| sendgrid_mail.py:26:34:26:45 | ControlFlowNode for Attribute | sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript |
+| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() |
+| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:52 | ControlFlowNode for Attribute |
+| sendgrid_mail.py:37:41:37:52 | ControlFlowNode for Attribute | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:62 | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:61 | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:61 | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:62 | ControlFlowNode for Attribute | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:78 | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:78 | ControlFlowNode for Subscript | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:61 | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:61 | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:61 | ControlFlowNode for Attribute | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:76 | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:76 | ControlFlowNode for Subscript | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:61 | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:61 | ControlFlowNode for Attribute | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:78 | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:78 | ControlFlowNode for Subscript | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() |
+| smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | smtplib_bad_subparts.py:17:12:17:23 | ControlFlowNode for Attribute |
+| smtplib_bad_subparts.py:17:12:17:23 | ControlFlowNode for Attribute | smtplib_bad_subparts.py:17:12:17:33 | ControlFlowNode for Subscript |
+| smtplib_bad_subparts.py:17:12:17:33 | ControlFlowNode for Subscript | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html |
+| smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | smtplib_bad_via_attach.py:20:12:20:23 | ControlFlowNode for Attribute |
+| smtplib_bad_via_attach.py:20:12:20:23 | ControlFlowNode for Attribute | smtplib_bad_via_attach.py:20:12:20:31 | ControlFlowNode for Subscript |
+| smtplib_bad_via_attach.py:20:12:20:31 | ControlFlowNode for Subscript | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html |
+nodes
+| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_mail.py:13:22:13:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_mail.py:13:22:13:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_mail.py:18:14:18:20 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_mail.py:18:14:18:25 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_mail.py:31:24:31:30 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_mail.py:31:24:31:35 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_mail.py:14:22:14:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | semmle.label | ControlFlowNode for HtmlContent() |
+| sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_mail.py:26:34:26:45 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| sendgrid_mail.py:26:34:26:61 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_mail.py:37:41:37:52 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:62 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:78 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:61 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:76 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:61 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:78 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| smtplib_bad_subparts.py:17:12:17:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| smtplib_bad_subparts.py:17:12:17:33 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | semmle.label | ControlFlowNode for html |
+| smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| smtplib_bad_via_attach.py:20:12:20:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| smtplib_bad_via_attach.py:20:12:20:31 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | semmle.label | ControlFlowNode for html |
+subpaths
+#select
+| django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:14:48:14:82 | ControlFlowNode for Attribute() | a user-provided value |
+| django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:23:30:23:64 | ControlFlowNode for Attribute() | a user-provided value |
+| django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | django_mail.py:25:32:25:66 | ControlFlowNode for Attribute() | a user-provided value |
+| flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | flask_mail.py:13:22:13:28 | ControlFlowNode for request | flask_mail.py:13:22:13:41 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:13:22:13:28 | ControlFlowNode for request | a user-provided value |
+| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:13:22:13:28 | ControlFlowNode for request | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:13:22:13:28 | ControlFlowNode for request | a user-provided value |
+| flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | flask_mail.py:18:14:18:20 | ControlFlowNode for request | flask_mail.py:18:14:18:33 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:18:14:18:20 | ControlFlowNode for request | a user-provided value |
+| flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | flask_mail.py:31:24:31:30 | ControlFlowNode for request | flask_mail.py:31:24:31:43 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | flask_mail.py:31:24:31:30 | ControlFlowNode for request | a user-provided value |
+| sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | sendgrid_mail.py:14:22:14:49 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:14:22:14:28 | ControlFlowNode for request | a user-provided value |
+| sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | sendgrid_mail.py:26:22:26:62 | ControlFlowNode for HtmlContent() | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:26:34:26:40 | ControlFlowNode for request | a user-provided value |
+| sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | sendgrid_mail.py:37:41:37:68 | ControlFlowNode for Subscript | Cross-site scripting vulnerability due to $@. | sendgrid_mail.py:37:41:37:47 | ControlFlowNode for request | a user-provided value |
+| sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:16:26:16:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | a user-provided value |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | a user-provided value |
+| sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:27:25:27:77 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | a user-provided value |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:16:51:16:57 | ControlFlowNode for request | a user-provided value |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:27:50:27:56 | ControlFlowNode for request | a user-provided value |
+| sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | sendgrid_via_mail_send_post_request_body_bad.py:41:25:41:79 | ControlFlowNode for Attribute() | Cross-site scripting vulnerability due to $@. | sendgrid_via_mail_send_post_request_body_bad.py:41:50:41:56 | ControlFlowNode for request | a user-provided value |
+| smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | smtplib_bad_subparts.py:24:22:24:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_subparts.py:17:12:17:18 | ControlFlowNode for request | a user-provided value |
+| smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | smtplib_bad_via_attach.py:27:22:27:25 | ControlFlowNode for html | Cross-site scripting vulnerability due to $@. | smtplib_bad_via_attach.py:20:12:20:18 | ControlFlowNode for request | a user-provided value |

python/ql/test/experimental/query-tests/Security/CWE-079/ReflectedXSS.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-079/ReflectedXSS.ql

python/ql/test/experimental/query-tests/Security/CWE-079/django_mail.py

@@ -0,0 +1,25 @@
+import django.http
+from django.core.mail import send_mail, mail_admins, mail_managers
+
+
+def django_response(request):
+    """
+      The Django.core.mail#send_mail function source code can be found in the link below:
+      https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L38
+
+      send_mass_mail does not provide html_message as an argument to it's function. See the link below for more info: 
+      https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64
+      """
+    send_mail("Subject", "plain-text body", "from@example.com",
+              ["to@example.com"], html_message=django.http.request.GET.get("html"))
+
+
+def django_response(request):
+    """
+    The Django.core.mail#mail_admins and Django.core.mail#mail_managers functions source code can be found in the link below:
+    https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L90-L121
+    """
+    mail_admins("Subject", "plain-text body",
+                html_message=django.http.request.GET.get("html"))
+    mail_managers("Subject", "plain-text body",
+                  html_message=django.http.request.GET.get("html"))

python/ql/test/experimental/query-tests/Security/CWE-079/flask_mail.py

@@ -0,0 +1,32 @@
+from flask import request, Flask
+from flask_mail import Mail, Message
+
+app = Flask(__name__)
+mail = Mail(app)
+
+@app.route("/send")
+def send():
+  msg = Message(subject="Subject",
+                sender="from@example.com",
+                recipients=["to@example.com"],
+                body="plain-text body",
+                html=request.args["html"])
+
+  # The message can contain a body and/or HTML:
+  msg.body = "plain-text body"
+  # The email's HTML can be set via msg.html or as an initialize argument when creating a Message object.
+  msg.html = request.args["html"]
+
+  mail.send(msg)
+
+@app.route("/connect")
+def connect():
+  """
+  Minimal example to test mail.connect() usage
+  """
+  with mail.connect() as conn:
+    msg = Message(subject="Subject",
+                  sender="from@example.com",
+                  recipients=["to@example.com"],
+                  html=request.args["html"])
+    conn.send(msg)

python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py

@@ -0,0 +1,57 @@
+from flask import request, Flask
+from sendgrid import SendGridAPIClient
+from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType, HtmlContent
+
+app = Flask(__name__)
+
+
+@app.route("/send")
+def send():
+    message = Mail(
+        from_email='from_email@example.com',
+        to_emails='to@example.com',
+        subject='Sending with Twilio SendGrid is Fun',
+        html_content=request.args["html_content"])
+
+    sg = SendGridAPIClient('SENDGRID_API_KEY')
+    sg.send(message)
+
+
+@app.route("/send-HtmlContent")
+def send():
+    message = Mail(
+        from_email='from_email@example.com',
+        to_emails='to@example.com',
+        subject='Sending with Twilio SendGrid is Fun',
+        html_content=HtmlContent(request.args["html_content"]))
+
+    sg = SendGridAPIClient('SENDGRID_API_KEY')
+    sg.send(message)
+
+
+@app.route("/send_post")
+def send_post():
+    from_email = Email("test@example.com")
+    to_email = To("test@example.com")
+    subject = "Sending with SendGrid is Fun"
+    html_content = Content("text/html", request.args["html_content"])
+    plain_content = Content("text/plain", request.args["plain_content"])
+
+    mail = Mail(from_email, to_email, subject, plain_content, html_content)
+
+    sg = SendGridAPIClient(api_key='SENDGRID_API_KEY')
+    response = sg.client.mail.send.post(request_body=mail.get())
+
+
+@app.route("/send_post2")
+def send_post2():
+    from_email = Email("test@example.com")
+    to_email = To("test@example.com")
+    subject = "Sending with SendGrid is Fun"
+    html_content = Content(MimeType.html, request.args["html_content"])
+    plain_content = Content(MimeType.text, request.args["plain_content"])
+
+    mail = Mail(from_email, to_email, subject, plain_content, html_content)
+
+    sg = SendGridAPIClient(api_key='SENDGRID_API_KEY')
+    response = sg.client.mail.send.post(request_body=mail.get())

python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py

@@ -0,0 +1,48 @@
+import sendgrid
+import os
+from flask import request, Flask
+
+app = Flask(__name__)
+
+
+@app.route("/sendgrid")
+def send():
+    sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))
+
+    data = {
+        "content": [
+            {
+                "type": "text/html",
+                "value": "<html>{}</html>".format(request.args["html_content"])
+            }
+        ],
+        "from": {
+            "email": "sam.smith@example.com",
+            "name": "Sam Smith"
+        },
+        "headers": {},
+        "mail_settings": {
+            "footer": {
+                "enable": True,
+                "html": "<html>{}</html>".format(request.args["html_footer"]),
+                "text": "Thanks,/n The SendGrid Team"
+            },
+        },
+        "reply_to": {
+            "email": "sam.smith@example.com",
+            "name": "Sam Smith"
+        },
+        "send_at": 1409348513,
+        "subject": "Hello, World!",
+        "template_id": "[YOUR TEMPLATE ID GOES HERE]",
+        "tracking_settings": {
+            "subscription_tracking": {
+                "enable": True,
+                "html": "<html>{}</html>".format(request.args["html_tracking"]),
+                "substitution_tag": "<%click here%>",
+                "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>."
+            }
+        }
+    }
+
+    response = sg.client.mail.send.post(request_body=data)

python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_subparts.py

@@ -0,0 +1,42 @@
+# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter.
+from flask import Flask, request
+import json
+import smtplib
+import ssl
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+app = Flask(__name__)
+
+
+@app.route("/")
+def email_person():
+    sender_email = "sender@gmail.com"
+    receiver_email = "receiver@example.com"
+
+    name = request.args['search']
+    # Create the plain-text and HTML version of your message
+    text = "hello there"
+    html = f"hello {name}"
+
+    # Turn these into plain/html MIMEText objects
+    part1 = MIMEText(text, "plain")
+    part2 = MIMEText(html, "html")
+
+    message = MIMEMultipart(_subparts=(part1, part2))
+    message["Subject"] = "multipart test"
+    message["From"] = sender_email
+    message["To"] = receiver_email
+
+    # Create secure connection with server and send email
+    context = ssl.create_default_context()
+    server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context)
+
+    server.login(sender_email, "SERVER_PASSWORD")
+    server.sendmail(
+        sender_email, receiver_email, message.as_string()
+    )
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-079/smtplib_bad_via_attach.py

@@ -0,0 +1,45 @@
+# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart message.
+from flask import Flask, request
+import json
+import smtplib, ssl
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+app = Flask(__name__)
+
+@app.route("/")
+def email_person():
+    sender_email = "sender@gmail.com"
+    receiver_email = "receiver@example.com"
+
+    message = MIMEMultipart("alternative")
+    message["Subject"] = "multipart test"
+    message["From"] = sender_email
+    message["To"] = receiver_email
+
+    name = request.args['name']
+    # Create the plain-text and HTML version of your message
+    text = "hello there"
+    html = f"hello {name}"  
+
+    # Turn these into plain/html MIMEText objects
+    part1 = MIMEText(text, "plain")
+    part2 = MIMEText(html, "html")
+
+    # Add HTML/plain-text parts to MIMEMultipart message
+    # The email client will try to render the last part first
+    message.attach(part1)
+    message.attach(part2)
+
+    # Create secure connection with server and send email
+    context = ssl.create_default_context()
+    server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context)
+
+    server.login(sender_email, "SERVER_PASSWORD")
+    server.sendmail(
+        sender_email, receiver_email, message.as_string()
+    )
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/library-tests/frameworks/aiohttp/client_request.py

@@ -1,5 +1,6 @@
 import aiohttp
 import asyncio
+import ssl
 
 s = aiohttp.ClientSession()
 resp = s.request("method", "url") # $ clientRequestUrlPart="url"
@@ -13,4 +14,22 @@ with aiohttp.ClientSession() as session:
 s = aiohttp.ClientSession()
 resp = s.post("url") # $ clientRequestUrlPart="url"
 resp = s.patch("url") # $ clientRequestUrlPart="url"
-resp = s.options("url") # $ clientRequestUrlPart="url"
+resp = s.options("url") # $ clientRequestUrlPart="url"
+
+# disabling of SSL validation
+# see https://docs.aiohttp.org/en/stable/client_reference.html#aiohttp.ClientSession.request
+s.get("url", ssl=False) # $ clientRequestUrlPart="url" clientRequestCertValidationDisabled
+s.get("url", ssl=0) # $ clientRequestUrlPart="url" clientRequestCertValidationDisabled
+# None is treated as default and so does _not_ disable the check
+s.get("url", ssl=None) # $ clientRequestUrlPart="url"
+
+# deprecated since 3.0, but still supported
+s.get("url", verify_ssl=False) # $ clientRequestUrlPart="url" clientRequestCertValidationDisabled
+
+# A manually constructed SSLContext does not have safe defaults, so is effectively the
+# same as turning off SSL validation
+context = ssl.SSLContext()
+assert context.check_hostname == False
+assert context.verify_mode == ssl.VerifyMode.CERT_NONE
+
+s.get("url", ssl=context) # $ clientRequestUrlPart="url" MISSING: clientRequestCertValidationDisabled

python/ql/test/library-tests/frameworks/crypto/test_aes.py

@@ -21,14 +21,14 @@ padding = b"\0"*padding_len
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
 # using separate .encrypt calls on individual lines does not work
 whole_plantext = secret_message + padding
-encrypted = cipher.encrypt(whole_plantext) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=whole_plantext
+encrypted = cipher.encrypt(whole_plantext) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=whole_plantext CryptographicOperationBlockMode=CBC
 
 print("encrypted={}".format(encrypted))
 
 print()
 
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
-decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted
+decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted CryptographicOperationBlockMode=CBC
 
 decrypted = decrypted[:-padding_len]
 

python/ql/test/library-tests/frameworks/cryptodome/test_aes.py

@@ -21,14 +21,14 @@ padding = b"\0"*padding_len
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
 # using separate .encrypt calls on individual lines does not work
 whole_plantext = secret_message + padding
-encrypted = cipher.encrypt(whole_plantext) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=whole_plantext
+encrypted = cipher.encrypt(whole_plantext) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=whole_plantext CryptographicOperationBlockMode=CBC
 
 print("encrypted={}".format(encrypted))
 
 print()
 
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
-decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted
+decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted CryptographicOperationBlockMode=CBC
 
 decrypted = decrypted[:-padding_len]