Compare commits

..

28 Commits

Author SHA1 Message Date
Max Schaefer
35ce1ff582 Do not flag strings that have dots escaped in IncompleteHostnameRegExp. 2023-10-17 16:05:23 +01:00
Max Schaefer
6685ed328a Track which characters are escaped before flowing into a regular expression. 2023-10-17 16:04:47 +01:00
Rasmus Wriedt Larsen
28bedda5ea Merge pull request #14513 from RasmusWL/yield-modeling
Python: Improve `yield` modeling
2023-10-17 14:15:01 +02:00
Stephan Brandauer
9d719aa44e Merge pull request #13444 from github/java/update-mad-decls-after-triage-2023-06-13T14-50-57
Java: Update MaD Declarations after Triage
2023-10-17 13:54:10 +02:00
Mathias Vorreiter Pedersen
68f2501bf0 Merge pull request #14496 from geoffw0/memberinittest
Swift: Add data flow tests for member initialization.
2023-10-17 12:35:07 +01:00
Geoffrey White
5ffb773568 Swift: Explore instantiated / not instantiated classes. 2023-10-17 11:30:03 +01:00
Mathias Vorreiter Pedersen
0ad338f04a Merge pull request #14521 from geoffw0/defaultstep
Swift: Add CollectionContent to defaultImplicitTaintRead
2023-10-17 11:07:10 +01:00
Tony Torralba
96d6e8e3f2 Update change note 2023-10-17 11:57:53 +02:00
Tony Torralba
3cd06b0026 More review suggestions 2023-10-17 11:54:32 +02:00
Tony Torralba
62a9ffd277 Apply suggestions from code review 2023-10-17 11:51:55 +02:00
Rasmus Wriedt Larsen
80506f1028 Python: Accept .expected changes 2023-10-17 10:11:39 +02:00
Rasmus Wriedt Larsen
62a992473f Python: Update QLDoc 2023-10-17 10:09:19 +02:00
Rasmus Wriedt Larsen
2bf4c32433 Python: Add syntactic support for yield in contextlib.contextmanager 2023-10-17 09:51:20 +02:00
Rasmus Wriedt Larsen
2399793c8a Python: Expand contextmanager test even more 2023-10-17 09:41:30 +02:00
Erik Krogh Kristensen
24e779b826 Merge pull request #14520 from github/dependabot/cargo/ql/regex-1.10.2
Bump regex from 1.10.0 to 1.10.2 in /ql
2023-10-16 22:27:50 +02:00
dependabot[bot]
cf0173acad Bump regex from 1.10.0 to 1.10.2 in /ql
Bumps [regex](https://github.com/rust-lang/regex) from 1.10.0 to 1.10.2.
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/regex/compare/1.10.0...1.10.2)

---
updated-dependencies:
- dependency-name: regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 17:49:47 +00:00
Michael B. Gale
d15c60ba76 Merge pull request #14516 from github/mbg/go/fix-dependabot-yml-again 2023-10-16 18:48:26 +01:00
Geoffrey White
c6ff42986d Swift: Change note. 2023-10-16 18:43:03 +01:00
Geoffrey White
990c40c8c8 Swift: Barrier for duplicate results in constant queries, resulting from sources like [1, 2, 3]. 2023-10-16 18:28:51 +01:00
Geoffrey White
6108f787dd Swift: Effect on query tests. 2023-10-16 18:28:51 +01:00
Geoffrey White
0509c0fdf3 Swift: Effect on dataflow tests. 2023-10-16 18:28:50 +01:00
Geoffrey White
89867d6214 Swift: Default content read step. 2023-10-16 18:28:50 +01:00
Michael B. Gale
8c818a8657 group => groups 2023-10-16 14:53:03 +01:00
Rasmus Wriedt Larsen
883bd9f3b3 Python: Add test for type-tracking with yield 2023-10-16 12:09:07 +02:00
Geoffrey White
cea87a53e0 Swift: Fix LocalTaint.expected. 2023-10-13 18:19:26 +01:00
Geoffrey White
33f83a2089 Swift: Add some failing data flow test cases. 2023-10-13 12:24:43 +01:00
Taus
e5b17af9b5 Java: Fix bad tool output 2023-06-14 12:16:44 +02:00
Taus
b860b21ced Update MaD Declarations after Triage 2023-06-13 16:50:58 +02:00
178 changed files with 829 additions and 638 deletions

View File

@@ -25,7 +25,7 @@ updates:
allow:
- dependency-name: "golang.org/x/mod"
- dependency-name: "golang.org/x/tools"
group:
groups:
extractor-dependencies:
patterns:
- "golang.org/x/*"

View File

@@ -1,10 +1,3 @@
## 0.10.1
### Minor Analysis Improvements
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
## 0.10.0
### Minor Analysis Improvements

View File

@@ -1,6 +1,5 @@
## 0.10.1
### Minor Analysis Improvements
---
category: minorAnalysis
---
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.10.1
lastReleaseVersion: 0.10.0

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.10.1
version: 0.10.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

View File

@@ -1,11 +1,3 @@
## 0.8.1
### New Queries
* The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
## 0.8.0
### Query Metadata Changes

View File

@@ -1,7 +1,6 @@
## 0.8.1
### New Queries
---
category: newQuery
---
* The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.8.1
version: 0.8.1-dev
groups:
- cpp
- queries

View File

@@ -1,7 +1,3 @@
## 1.7.1
No user-facing changes.
## 1.7.0
No user-facing changes.

View File

@@ -1,3 +0,0 @@
## 1.7.1
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.1
lastReleaseVersion: 1.7.0

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.1
version: 1.7.1-dev
groups:
- csharp
- solorigate

View File

@@ -1,7 +1,3 @@
## 1.7.1
No user-facing changes.
## 1.7.0
No user-facing changes.

View File

@@ -1,3 +0,0 @@
## 1.7.1
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.1
lastReleaseVersion: 1.7.0

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.1
version: 1.7.1-dev
groups:
- csharp
- solorigate

View File

@@ -1,9 +1,3 @@
## 0.8.1
### Minor Analysis Improvements
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
## 0.8.0
No user-facing changes.

View File

@@ -1,5 +1,4 @@
## 0.8.1
### Minor Analysis Improvements
---
category: minorAnalysis
---
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.8.1
version: 0.8.1-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

View File

@@ -1,9 +1,3 @@
## 0.8.1
### Minor Analysis Improvements
* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
## 0.8.0
### New Queries

View File

@@ -1,5 +1,4 @@
## 0.8.1
### Minor Analysis Improvements
* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
---
category: minorAnalysis
---
* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.8.1
version: 0.8.1-dev
groups:
- csharp
- queries

View File

@@ -1,11 +1,3 @@
## 0.7.1
### Minor Analysis Improvements
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
## 0.7.0
### Minor Analysis Improvements

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default

View File

@@ -1,7 +1,4 @@
## 0.7.1
### Minor Analysis Improvements
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
---
category: minorAnalysis
---
* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.0

View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.7.1
version: 0.7.1-dev
groups: go
dbscheme: go.dbscheme
extractor: go

View File

@@ -1,9 +1,3 @@
## 0.7.1
### Minor Analysis Improvements
* The query "Incorrect conversion between integer types" (`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like `uint32`) and converting it to the signed integer type of the same size (like `int32`), which may lead to more results. It also treats `int` and `uint` more carefully, which may lead to more results or fewer incorrect results.
## 0.7.0
No user-facing changes.

View File

@@ -1,5 +1,4 @@
## 0.7.1
### Minor Analysis Improvements
---
category: minorAnalysis
---
* The query "Incorrect conversion between integer types" (`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like `uint32`) and converting it to the signed integer type of the same size (like `int32`), which may lead to more results. It also treats `int` and `uint` more carefully, which may lead to more results or fewer incorrect results.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.0

View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 0.7.1
version: 0.7.1-dev
groups:
- go
- queries

View File

@@ -1,7 +1,3 @@
## 0.0.6
No user-facing changes.
## 0.0.5
No user-facing changes.

View File

@@ -1,3 +0,0 @@
## 0.0.6
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.6
lastReleaseVersion: 0.0.5

View File

@@ -1,5 +1,5 @@
name: codeql/java-automodel-queries
version: 0.0.6
version: 0.0.6-dev
groups:
- java
- automodel

View File

@@ -1,41 +1,3 @@
## 0.8.1
### New Features
* Added predicate `MemberRefExpr::getReceiverExpr`
### Minor Analysis Improvements
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
* Added `environment` source models for the following methods:
* `java.lang.System#getenv`
* `java.lang.System#getProperties`
* `java.lang.System#getProperty`
* `java.util.Properties#get`
* `java.util.Properties#getProperty`
* Added `file` source models for the following methods:
* the `java.io.FileInputStream` constructor
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
* `hudson.FilePath#openInputStream`
* `hudson.FilePath#read`
* `hudson.FilePath#readFromOffset`
* `hudson.FilePath#readToString`
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
There are no changes to results unless you add source models using the `database` source kind.
* Added `database` source models for the following method:
* `java.sql.ResultSet#getString`
## 0.8.0
### New Features

View File

@@ -0,0 +1,22 @@
---
category: minorAnalysis
---
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
* Added `environment` source models for the following methods:
* `java.lang.System#getenv`
* `java.lang.System#getProperties`
* `java.lang.System#getProperty`
* `java.util.Properties#get`
* `java.util.Properties#getProperty`
* Added `file` source models for the following methods:
* the `java.io.FileInputStream` constructor
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
* `hudson.FilePath#openInputStream`
* `hudson.FilePath#read`
* `hudson.FilePath#readFromOffset`
* `hudson.FilePath#readToString`
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
There are no changes to results unless you add source models using the `database` source kind.
* Added `database` source models for the following method:
* `java.sql.ResultSet#getString`

View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Added predicate `MemberRefExpr::getReceiverExpr`

View File

@@ -0,0 +1,12 @@
---
category: minorAnalysis
---
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.

View File

@@ -0,0 +1,8 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.alibaba.fastjson2
* javax.management
* org.apache.http.client.utils

View File

@@ -1,37 +0,0 @@
## 0.8.1
### New Features
* Added predicate `MemberRefExpr::getReceiverExpr`
### Minor Analysis Improvements
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
* Added `environment` source models for the following methods:
* `java.lang.System#getenv`
* `java.lang.System#getProperties`
* `java.lang.System#getProperty`
* `java.util.Properties#get`
* `java.util.Properties#getProperty`
* Added `file` source models for the following methods:
* the `java.io.FileInputStream` constructor
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
* `hudson.FilePath#openInputStream`
* `hudson.FilePath#read`
* `hudson.FilePath#readFromOffset`
* `hudson.FilePath#readToString`
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
There are no changes to results unless you add source models using the `database` source kind.
* Added `database` source models for the following method:
* `java.sql.ResultSet#getString`

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.alibaba.fastjson2", "JSON", False, "parseArray", "(String,Class)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]

View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["javax.management", "ObjectName", True, "ObjectName", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]

View File

@@ -10,6 +10,7 @@ extensions:
- ["org.apache.http.client.utils", "URIBuilder", True, "setHost", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["org.apache.http.client.utils", "URIBuilder", True, "setPath", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[org.apache.http.client.utils.URIBuilder.path]", "taint", "ai-manual"]
- ["org.apache.http.client.utils", "URIBuilder", True, "setPathSegments", "(List)", "", "Argument[0]", "Argument[this].SyntheticField[org.apache.http.client.utils.URIBuilder.path]", "taint", "ai-manual"]
- ["org.apache.http.client.utils", "URIBuilder", True, "setPort", "(int)", "", "Argument[this]", "ReturnValue", "value", "ai-manual"]
- ["org.apache.http.client.utils", "URLEncodedUtils", True, "parse", "(URI,String)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
- ["org.apache.http.client.utils", "URIUtils", True, "createURI", "(String,String,int,String,String,String)", "", "Argument[1]", "ReturnValue", "taint", "hq-manual"]
- ["org.apache.http.client.utils", "URIUtils", True, "extractHost", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "hq-manual"]

View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.8.1
version: 0.8.1-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

View File

@@ -1,9 +1,3 @@
## 0.8.1
### Minor Analysis Improvements
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
## 0.8.0
No user-facing changes.

View File

@@ -1,5 +1,4 @@
## 0.8.1
### Minor Analysis Improvements
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
---
category: minorAnalysis
---
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 0.8.1
version: 0.8.1-dev
groups:
- java
- queries

View File

@@ -1,21 +1,3 @@
## 0.8.1
### Minor Analysis Improvements
* The contents of `.jsp` files are now extracted, and any `<script>` tags inside these files will be parsed as JavaScript.
* [Import attributes](https://github.com/tc39/proposal-import-attributes) are now supported in JavaScript code.
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
The QL library includes new predicates named `getImportAttributes()` that should be used in favor of the now deprecated `getImportAssertion()`;
in addition, the `getImportAttributes()` method of the `DynamicImportExpr` has been renamed to `getImportOptions()`.
* Deleted the deprecated `getAnImmediateUse`, `getAUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
* Deleted the deprecated `mayReferToParameter` predicate from `DataFlow::Node`.
* Deleted the deprecated `getStaticMethod` and `getAStaticMethod` predicates from `DataFlow::ClassNode`.
* Deleted the deprecated `isLibaryFile` predicate from `ClassifyFiles.qll`, use `isLibraryFile` instead.
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
* Deleted the deprecated `semmle.javascript.security.performance` folder, use `semmle.javascript.security.regexp` instead.
* Tagged template literals have been added to `DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
and the arguments to a tagged template literal are part of the API-graph in `ApiGraphs.qll`.
## 0.8.0
No user-facing changes.

View File

@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* Tagged template literals have been added to `DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
and the arguments to a tagged template literal are part of the API-graph in `ApiGraphs.qll`.

View File

@@ -0,0 +1,9 @@
---
category: minorAnalysis
---
* Deleted the deprecated `getAnImmediateUse`, `getAUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
* Deleted the deprecated `mayReferToParameter` predicate from `DataFlow::Node`.
* Deleted the deprecated `getStaticMethod` and `getAStaticMethod` predicates from `DataFlow::ClassNode`.
* Deleted the deprecated `isLibaryFile` predicate from `ClassifyFiles.qll`, use `isLibraryFile` instead.
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
* Deleted the deprecated `semmle.javascript.security.performance` folder, use `semmle.javascript.security.regexp` instead.

View File

@@ -0,0 +1,7 @@
---
category: minorAnalysis
---
* [Import attributes](https://github.com/tc39/proposal-import-attributes) are now supported in JavaScript code.
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
The QL library includes new predicates named `getImportAttributes()` that should be used in favor of the now deprecated `getImportAssertion()`;
in addition, the `getImportAttributes()` method of the `DynamicImportExpr` has been renamed to `getImportOptions()`.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The contents of `.jsp` files are now extracted, and any `<script>` tags inside these files will be parsed as JavaScript.

View File

@@ -1,17 +0,0 @@
## 0.8.1
### Minor Analysis Improvements
* The contents of `.jsp` files are now extracted, and any `<script>` tags inside these files will be parsed as JavaScript.
* [Import attributes](https://github.com/tc39/proposal-import-attributes) are now supported in JavaScript code.
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
The QL library includes new predicates named `getImportAttributes()` that should be used in favor of the now deprecated `getImportAssertion()`;
in addition, the `getImportAttributes()` method of the `DynamicImportExpr` has been renamed to `getImportOptions()`.
* Deleted the deprecated `getAnImmediateUse`, `getAUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
* Deleted the deprecated `mayReferToParameter` predicate from `DataFlow::Node`.
* Deleted the deprecated `getStaticMethod` and `getAStaticMethod` predicates from `DataFlow::ClassNode`.
* Deleted the deprecated `isLibaryFile` predicate from `ClassifyFiles.qll`, use `isLibraryFile` instead.
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
* Deleted the deprecated `semmle.javascript.security.performance` folder, use `semmle.javascript.security.regexp` instead.
* Tagged template literals have been added to `DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
and the arguments to a tagged template literal are part of the API-graph in `ApiGraphs.qll`.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.8.1
version: 0.8.1-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

View File

@@ -1047,29 +1047,185 @@ deprecated module RegExpPatterns {
deprecated predicate commonTLD = commonTld/0;
}
/**
* Holds if `metachar` is a meta-character that is used to escape special characters
* into a form described by regular expression `regex`.
*/
predicate escapingScheme(string metachar, string regex) {
metachar = "&" and regex = "&.+;"
or
metachar = "%" and regex = "%.+"
or
metachar = "\\" and regex = "\\\\.+"
}
/**
* Gets a predecessor of `nd` that is not an SSA phi node.
*/
DataFlow::Node getASimplePredecessor(DataFlow::Node nd) {
result = nd.getAPredecessor() and
not exists(SsaDefinition ssa |
ssa = nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition()
|
ssa instanceof SsaPhiNode or
ssa instanceof SsaVariableCapture
)
}
/**
* A call to `String.prototype.replace` that replaces all instances of a pattern.
*/
class Replacement extends StringReplaceCall {
Replacement() { this.isGlobal() }
/**
* Gets the input of this replacement.
*/
DataFlow::Node getInput() { result = this.getReceiver() }
/**
* Gets the output of this replacement.
*/
DataFlow::SourceNode getOutput() { result = this }
/**
* Holds if this replacement escapes `char` using `metachar`.
*
* For example, during HTML entity escaping `<` is escaped (to `&lt;`)
* using `&`.
*/
predicate escapes(string char, string metachar) {
exists(string regexp, string repl |
escapingScheme(metachar, regexp) and
this.replaces(char, repl) and
repl.regexpMatch(regexp)
)
}
/**
* Holds if this replacement unescapes `char` using `metachar`.
*
* For example, during HTML entity unescaping `<` is unescaped (from
* `&lt;`) using `<`.
*/
predicate unescapes(string metachar, string char) {
exists(string regexp, string orig |
escapingScheme(metachar, regexp) and
this.replaces(orig, char) and
orig.regexpMatch(regexp)
)
}
/**
* Gets the previous replacement in this chain of replacements.
*/
Replacement getPreviousReplacement() {
result.getOutput() = getASimplePredecessor*(this.getInput())
}
/**
* Gets an earlier replacement in this chain of replacements that
* performs an escaping.
*/
Replacement getAnEarlierEscaping(string metachar) {
exists(Replacement pred | pred = this.getPreviousReplacement() |
if pred.escapes(_, metachar)
then result = pred
else (
not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
)
)
}
/**
* Gets an earlier replacement in this chain of replacements that
* performs a unescaping.
*/
Replacement getALaterUnescaping(string metachar) {
exists(Replacement succ | this = succ.getPreviousReplacement() |
if succ.unescapes(metachar, _)
then result = succ
else (
not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
)
)
}
}
/**
* Holds if data flows from `pred` to `succ` through a replacement step that
* backslash-escapes `escaped`.
*/
private predicate replacementStep(DataFlow::Node pred, DataFlow::Node succ, string escaped) {
exists(Replacement repl |
repl.getInput() = pred and
repl.getOutput() = succ and
repl.escapes(escaped, "\\")
)
}
/**
* Holds if data flows from `pred` to `succ` through a replacement step that
* either backslash-escapes `escaped` or (if `escaped` is empty) does not
* backslash-escape any character.
*/
private predicate regExpTaintStep(DataFlow::Node pred, DataFlow::Node succ, string escaped) {
TaintTracking::sharedTaintStep(pred, succ) and
(
replacementStep(pred, succ, escaped)
or
not replacementStep(pred, succ, _) and
escaped = ""
)
}
/**
* Gets the string that results from appending `newEscape` to `escaped`
* if `escaped` does not already contain `newEscape`.
*
* The parameter `newEscape` must be at most one character long.
*/
bindingset[escaped, newEscape]
private string addEscape(string escaped, string newEscape) {
newEscape = "" and result = escaped
or
escaped.charAt(_) = newEscape and result = escaped
or
newEscape.length() = 1 and
result = escaped + newEscape
}
/**
* Gets a node whose value may flow (inter-procedurally) to `re`, where it is interpreted
* as a part of a regular expression.
*
* The parameter `escaped` is the set of characters that are escaped along the way.
*/
private DataFlow::Node regExpSource(DataFlow::Node re, DataFlow::TypeBackTracker t) {
private DataFlow::Node regExpSource(DataFlow::Node re, string escaped, DataFlow::TypeBackTracker t) {
t.start() and
re = result and
escaped = "" and
isInterpretedAsRegExp(result)
or
exists(DataFlow::TypeBackTracker t2, DataFlow::Node succ | succ = regExpSource(re, t2) |
t2 = t.smallstep(result, succ)
exists(DataFlow::TypeBackTracker t2, DataFlow::Node succ, string escaped2 | succ = regExpSource(re, escaped2, t2) |
t2 = t.smallstep(result, succ) and
escaped = escaped2
or
TaintTracking::sharedTaintStep(result, succ) and
t = t2
exists(string newEscape | regExpTaintStep(result, succ, newEscape) |
t = t2 and
escaped = addEscape(escaped2, newEscape)
)
)
}
/**
* Gets a node whose value may flow (inter-procedurally) to `re`, where it is interpreted
* as a part of a regular expression.
*
* The parameter `escaped` is the set of characters that are escaped along the way.
*/
private DataFlow::Node regExpSource(DataFlow::Node re) {
result = regExpSource(re, DataFlow::TypeBackTracker::end())
private DataFlow::Node regExpSource(DataFlow::Node re, string escaped) {
result = regExpSource(re, escaped, DataFlow::TypeBackTracker::end())
}
/**
@@ -1099,6 +1255,12 @@ abstract class RegExpPatternSource extends DataFlow::Node {
* Gets the root term of the regular expression parsed from this pattern.
*/
abstract RegExpTerm getRegExpTerm();
/**
* Holds if `char` may be backslash-escaped before it is interpreted as
* a part of a regular expression.
*/
abstract predicate escapes(string char);
}
/**
@@ -1117,6 +1279,8 @@ private class RegExpLiteralPatternSource extends RegExpPatternSource, DataFlow::
override DataFlow::SourceNode getARegExpObject() { result = this }
override RegExpTerm getRegExpTerm() { result = astNode.getRoot() }
override predicate escapes(string char) { none() }
}
/**
@@ -1125,8 +1289,9 @@ private class RegExpLiteralPatternSource extends RegExpPatternSource, DataFlow::
*/
private class StringRegExpPatternSource extends RegExpPatternSource {
DataFlow::Node parse;
string escaped;
StringRegExpPatternSource() { this = regExpSource(parse) }
StringRegExpPatternSource() { this = regExpSource(parse, escaped) }
override DataFlow::Node getAParse() { result = parse }
@@ -1141,6 +1306,8 @@ private class StringRegExpPatternSource extends RegExpPatternSource {
override string getPattern() { result = this.getStringValue() }
override RegExpTerm getRegExpTerm() { result = this.asExpr().(StringLiteral).asRegExp() }
override predicate escapes(string char) { escaped.charAt(_) = char }
}
/**
@@ -1149,8 +1316,9 @@ private class StringRegExpPatternSource extends RegExpPatternSource {
*/
private class StringConcatRegExpPatternSource extends RegExpPatternSource {
DataFlow::Node parse;
string escaped;
StringConcatRegExpPatternSource() { this = regExpSource(parse) }
StringConcatRegExpPatternSource() { this = regExpSource(parse, escaped) }
override DataFlow::Node getAParse() { result = parse }
@@ -1165,6 +1333,8 @@ private class StringConcatRegExpPatternSource extends RegExpPatternSource {
override string getPattern() { result = this.getStringValue() }
override RegExpTerm getRegExpTerm() { result = this.asExpr().(AddExpr).asRegExp() }
override predicate escapes(string char) { escaped.charAt(_) = char }
}
module RegExp {

View File

@@ -12,7 +12,19 @@ private import codeql.regex.HostnameRegexp as Shared
module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
class DataFlowNode = JS::DataFlow::Node;
class RegExpPatternSource = RegExp::RegExpPatternSource;
class RegExpPatternSource extends JS::DataFlow::Node instanceof RegExp::RegExpPatternSource {
RegExpPatternSource() {
not super.escapes(_)
}
RegExp::RegExpTerm getRegExpTerm() {
result = super.getRegExpTerm()
}
JS::DataFlow::Node getAParse() {
result = super.getAParse()
}
}
}
import Shared::Make<TreeImpl, Impl>

View File

@@ -1,9 +1,3 @@
## 0.8.1
### Minor Analysis Improvements
* Added the `AmdModuleDefinition::Range` class, making it possible to define custom aliases for the AMD `define` function.
## 0.8.0
No user-facing changes.

View File

@@ -16,111 +16,6 @@
import javascript
/**
* Gets a predecessor of `nd` that is not an SSA phi node.
*/
DataFlow::Node getASimplePredecessor(DataFlow::Node nd) {
result = nd.getAPredecessor() and
not exists(SsaDefinition ssa |
ssa = nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition()
|
ssa instanceof SsaPhiNode or
ssa instanceof SsaVariableCapture
)
}
/**
* Holds if `metachar` is a meta-character that is used to escape special characters
* into a form described by regular expression `regex`.
*/
predicate escapingScheme(string metachar, string regex) {
metachar = "&" and regex = "&.+;"
or
metachar = "%" and regex = "%.+"
or
metachar = "\\" and regex = "\\\\.+"
}
/**
* A call to `String.prototype.replace` that replaces all instances of a pattern.
*/
class Replacement extends StringReplaceCall {
Replacement() { this.isGlobal() }
/**
* Gets the input of this replacement.
*/
DataFlow::Node getInput() { result = this.getReceiver() }
/**
* Gets the output of this replacement.
*/
DataFlow::SourceNode getOutput() { result = this }
/**
* Holds if this replacement escapes `char` using `metachar`.
*
* For example, during HTML entity escaping `<` is escaped (to `&lt;`)
* using `&`.
*/
predicate escapes(string char, string metachar) {
exists(string regexp, string repl |
escapingScheme(metachar, regexp) and
this.replaces(char, repl) and
repl.regexpMatch(regexp)
)
}
/**
* Holds if this replacement unescapes `char` using `metachar`.
*
* For example, during HTML entity unescaping `<` is unescaped (from
* `&lt;`) using `<`.
*/
predicate unescapes(string metachar, string char) {
exists(string regexp, string orig |
escapingScheme(metachar, regexp) and
this.replaces(orig, char) and
orig.regexpMatch(regexp)
)
}
/**
* Gets the previous replacement in this chain of replacements.
*/
Replacement getPreviousReplacement() {
result.getOutput() = getASimplePredecessor*(this.getInput())
}
/**
* Gets an earlier replacement in this chain of replacements that
* performs an escaping.
*/
Replacement getAnEarlierEscaping(string metachar) {
exists(Replacement pred | pred = this.getPreviousReplacement() |
if pred.escapes(_, metachar)
then result = pred
else (
not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
)
)
}
/**
* Gets an earlier replacement in this chain of replacements that
* performs a unescaping.
*/
Replacement getALaterUnescaping(string metachar) {
exists(Replacement succ | this = succ.getPreviousReplacement() |
if succ.unescapes(metachar, _)
then result = succ
else (
not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
)
)
}
}
from Replacement primary, Replacement supplementary, string message, string metachar
where
primary.escapes(metachar, _) and

View File

@@ -1,5 +1,4 @@
## 0.8.1
### Minor Analysis Improvements
---
category: minorAnalysis
---
* Added the `AmdModuleDefinition::Range` class, making it possible to define custom aliases for the AMD `define` function.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.8.1
version: 0.8.1-dev
groups:
- javascript
- queries

View File

@@ -57,4 +57,9 @@
/^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional
/^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional
/^(foo.example\.com|whatever)$/; // kinda OK - one disjunction doesn't even look like a hostname
function makeHostnameRegExp(hostname) {
return new RegExp(`^https://${hostname.replace(/[\.\\]/g, '\\$&')}$`);
}
makeHostnameRegExp('test.example.com'); // OK
});

View File

@@ -1,7 +1,3 @@
## 0.7.1
No user-facing changes.
## 0.7.0
No user-facing changes.

View File

@@ -1,3 +0,0 @@
## 0.7.1
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.1
lastReleaseVersion: 0.7.0

View File

@@ -1,4 +1,4 @@
name: codeql/suite-helpers
version: 0.7.1
version: 0.7.1-dev
groups: shared
warnOnImplicitThis: true

View File

@@ -1,16 +1,3 @@
## 0.11.1
### Minor Analysis Improvements
* Added better support for API graphs when encountering `from ... import *`. For example in the code `from foo import *; Bar()`, we will now find a result for `API::moduleImport("foo").getMember("Bar").getACall()`
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
* Deleted the deprecated `fullyQualifiedToAPIGraphPath` class from `SubclassFinder.qll`, use `fullyQualifiedToApiGraphPath` instead.
* Deleted the deprecated `Paths.qll` file.
* Deleted the deprecated `semmle.python.security.performance` folder, use `semmle.python.security.regexp` instead.
* Deleted the deprecated `semmle.python.security.strings` and `semmle.python.web` folders.
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.
## 0.11.0
### Minor Analysis Improvements

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.

View File

@@ -1,12 +1,9 @@
## 0.11.1
### Minor Analysis Improvements
* Added better support for API graphs when encountering `from ... import *`. For example in the code `from foo import *; Bar()`, we will now find a result for `API::moduleImport("foo").getMember("Bar").getACall()`
---
category: minorAnalysis
---
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
* Deleted the deprecated `fullyQualifiedToAPIGraphPath` class from `SubclassFinder.qll`, use `fullyQualifiedToApiGraphPath` instead.
* Deleted the deprecated `Paths.qll` file.
* Deleted the deprecated `semmle.python.security.performance` folder, use `semmle.python.security.regexp` instead.
* Deleted the deprecated `semmle.python.security.strings` and `semmle.python.web` folders.
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added better support for API graphs when encountering `from ... import *`. For example in the code `from foo import *; Bar()`, we will now find a result for `API::moduleImport("foo").getMember("Bar").getACall()`

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for functions decorated with `contextlib.contextmanager`.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.11.1
lastReleaseVersion: 0.11.0

View File

@@ -1,5 +1,5 @@
name: codeql/python-all
version: 0.11.1
version: 0.11.1-dev
groups: python
dbscheme: semmlecode.python.dbscheme
extractor: python

View File

@@ -240,6 +240,19 @@ predicate hasPropertyDecorator(Function func) {
)
}
/**
* Holds if the function `func` has a `contextlib.contextmanager`.
*/
predicate hasContextmanagerDecorator(Function func) {
exists(ControlFlowNode contextmanager |
contextmanager.(NameNode).getId() = "contextmanager" and contextmanager.(NameNode).isGlobal()
or
contextmanager.(AttrNode).getObject("contextmanager").(NameNode).getId() = "contextlib"
|
func.getADecorator() = contextmanager.getNode()
)
}
// =============================================================================
// Callables
// =============================================================================
@@ -1604,6 +1617,24 @@ class ExtractedReturnNode extends ReturnNode, CfgNode {
override ReturnKind getKind() { any() }
}
/**
* A data flow node that represents the value yielded by a callable with a
* `contextlib.contextmanager` decorator. We treat this as a normal return, which makes
* things just work when used in a `with` statement -- technically calling the function
* directly will give you a `contextlib._GeneratorContextManager` instance, so it's a
* slight workaround solution.
*
* See https://docs.python.org/3/library/contextlib.html#contextlib.contextmanager
*/
class YieldNodeInContextManagerFunction extends ReturnNode, CfgNode {
YieldNodeInContextManagerFunction() {
hasContextmanagerDecorator(node.getScope()) and
node = any(Yield yield).getValue().getAFlowNode()
}
override ReturnKind getKind() { any() }
}
/** A data-flow node that represents the output of a call. */
abstract class OutNode extends Node {
/** Gets the underlying call, where this node is a corresponding output of kind `kind`. */

View File

@@ -1,7 +1,3 @@
## 0.9.1
No user-facing changes.
## 0.9.0
### New Queries

View File

@@ -1,3 +0,0 @@
## 0.9.1
No user-facing changes.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.9.1
lastReleaseVersion: 0.9.0

View File

@@ -1,5 +1,5 @@
name: codeql/python-queries
version: 0.9.1
version: 0.9.1-dev
groups:
- python
- queries

View File

@@ -195,3 +195,42 @@ class MyClass(object):
def with_global_modifier(self):
global some_value
print(some_value) # $ tracked
# ------------------------------------------------------------------------------
# yield
# ------------------------------------------------------------------------------
def yielding_function():
x = tracked # $ tracked
yield x # $ tracked
def test_yield():
for x in yielding_function(): # $ MISSING: tracked
print(x) # $ MISSING: tracked
gen = yielding_function()
y = next(gen) # $ MISSING: tracked
print(y) # $ MISSING: tracked
# see https://docs.python.org/3.11/library/contextlib.html#contextlib.contextmanager
from contextlib import contextmanager
import contextlib
@contextmanager
def managed_resource():
x = tracked # $ tracked
yield x # $ tracked
def test_context_manager():
with managed_resource() as x: # $ tracked
print(x) # $ tracked
@contextlib.contextmanager
def managed_resource2():
x = tracked # $ tracked
yield x # $ tracked
def test_context_manager2():
with managed_resource2() as x: # $ tracked
print(x) # $ tracked

View File

@@ -32,6 +32,12 @@ edges
| TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:141:34:141:36 | GSSA Variable tar |
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
| TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | TarSlipImprov.py:151:55:151:56 | SSA variable tf |
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() |
| TarSlipImprov.py:151:55:151:56 | SSA variable tf | TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf |
| TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() |
| TarSlipImprov.py:157:9:157:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
| TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | TarSlipImprov.py:157:9:157:14 | SSA variable tar_cm |
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() |
@@ -122,6 +128,12 @@ nodes
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | semmle.label | GSSA Variable tar |
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
| TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| TarSlipImprov.py:151:55:151:56 | SSA variable tf | semmle.label | SSA variable tf |
| TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | semmle.label | ControlFlowNode for tf |
| TarSlipImprov.py:157:9:157:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
| TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | semmle.label | ControlFlowNode for py2_tarxz() |
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
@@ -199,6 +211,7 @@ subpaths
| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar |
| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar |
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry |
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc |
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc |
| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry |
| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry |

BIN
ql/Cargo.lock generated

Binary file not shown.

View File

@@ -9,4 +9,4 @@ edition = "2018"
lazy_static = "1.4.0"
chrono = "0.4.31"
rayon = "1.8.0"
regex = "1.10.0"
regex = "1.10.2"

View File

@@ -16,5 +16,5 @@ clap = { version = "4.2", features = ["derive"] }
tracing = "0.1"
tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
rayon = "1.8.0"
regex = "1.10.0"
regex = "1.10.2"
codeql-extractor = { path = "../../shared/tree-sitter-extractor" }

View File

@@ -1,14 +1,3 @@
## 0.8.1
### Minor Analysis Improvements
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `isWeak` predicate from the `CryptographicOperation` class.
* Deleted the deprecated `getStringOrSymbol` and `isStringOrSymbol` predicates from the `ConstantValue` class.
* Deleted the deprecated `getAPI` from the `IOOrFileMethodCall` class.
* Deleted the deprecated `codeql.ruby.security.performance` folder, use `codeql.ruby.security.regexp` instead.
* GraphQL enums are no longer considered remote flow sources.
## 0.8.0
### Major Analysis Improvements

View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* GraphQL enums are no longer considered remote flow sources.

View File

@@ -1,10 +1,8 @@
## 0.8.1
### Minor Analysis Improvements
---
category: minorAnalysis
---
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
* Deleted the deprecated `isWeak` predicate from the `CryptographicOperation` class.
* Deleted the deprecated `getStringOrSymbol` and `isStringOrSymbol` predicates from the `ConstantValue` class.
* Deleted the deprecated `getAPI` from the `IOOrFileMethodCall` class.
* Deleted the deprecated `codeql.ruby.security.performance` folder, use `codeql.ruby.security.regexp` instead.
* GraphQL enums are no longer considered remote flow sources.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

View File

@@ -1,5 +1,5 @@
name: codeql/ruby-all
version: 0.8.1
version: 0.8.1-dev
groups: ruby
extractor: ruby
dbscheme: ruby.dbscheme

View File

@@ -1,10 +1,3 @@
## 0.8.1
### New Queries
* Added a new experimental query, `rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
## 0.8.0
### Minor Analysis Improvements

View File

@@ -1,6 +1,5 @@
## 0.8.1
### New Queries
---
category: newQuery
---
* Added a new experimental query, `rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.

View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.1
lastReleaseVersion: 0.8.0

Some files were not shown because too many files have changed in this diff Show More