Compare commits

...

832 Commits

Author SHA1 Message Date
Calum Grant
649e313cb5 Add severity scores 2021-04-20 20:51:29 +01:00
Taus
76700d17d6 Merge pull request #5684 from RasmusWL/flask-more-taint-tests
Python: Add taint tests for .get() in flask
2021-04-20 14:08:08 +02:00
Jonas Jensen
d4fdd50e2c Merge pull request #5723 from MathiasVP/cleanup-smart-ptr-model
C++: Simplify smart pointer model
2021-04-20 13:25:02 +02:00
Tom Hvitved
1f9239089f Merge pull request #5695 from hvitved/csharp/dispose-not-called-on-exc-perf
C#: Improve performance of `DisposeNotCalledOnException.ql`
2021-04-20 11:52:18 +02:00
Tom Hvitved
b2a7a3ed30 Merge pull request #5674 from hvitved/csharp/ssa/call-graph-perf
C#: Improve performance of `SsaImpl::CallGraph::SimpleDelegateAnalysis`
2021-04-20 11:51:52 +02:00
Geoffrey White
2b7e599dc4 Merge pull request #5703 from MathiasVP/improve-access-of-memory-location-after-end-of-buffer-using-strncat
C++: Improve cpp/access-memory-location-after-end-buffer-strncat
2021-04-20 10:44:24 +01:00
Mathias Vorreiter Pedersen
61d4d17225 C++: Simplify smart pointer model and accept test changes. 2021-04-20 09:57:58 +02:00
yo-h
cb524b6c19 Merge pull request #5611 from github/yo-h/java16
Java: adjust test `options` for JDK 16 upgrade
2021-04-19 15:12:23 -04:00
Anders Schack-Mulligen
5458c02cc2 Merge pull request #5456 from aschackmull/java/adopt-flow-summary
Java: Use shared flow summary library for CSV models.
2021-04-19 16:21:10 +02:00
Anders Schack-Mulligen
33db0c13cd Merge pull request #5689 from github/aeisenberg/rework-staleness
Actions: Change staleness calculation
2021-04-19 15:57:41 +02:00
Anders Schack-Mulligen
80eb0a2df6 Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-19 15:45:58 +02:00
CodeQL CI
437bba1e3c Merge pull request #5716 from erik-krogh/vscodeRegress
Approved by esbena
2021-04-19 06:30:02 -07:00
Anders Schack-Mulligen
7d84cfacef Java: Add MapKeyContent and MapValueContent. 2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen
39862740e0 Java: Convert support for fluent interfaces. 2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen
579c955892 Java: Adjust some tests. 2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen
175c71221a Java: Adjust some test output with more edges/nodes. 2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen
60965b0d8c Java: Adjust some csv models. 2021-04-19 14:02:19 +02:00
Anders Schack-Mulligen
a27dac029f Java: Use shared flow summary library for csv models. 2021-04-19 14:02:19 +02:00
Chris Smowton
36abf8733e Merge pull request #5714 from aschackmull/java/add-misc-qltests
Java: Add a few qltests
2021-04-19 13:00:10 +01:00
Erik Krogh Kristensen
9e6f28e335 fix bad join order in Xss.qll 2021-04-19 13:17:49 +02:00
Anders Schack-Mulligen
29aec0d770 Java: Adjust expected output. 2021-04-19 13:16:46 +02:00
Anders Schack-Mulligen
c5193cf03f Apply suggestions from code review 2021-04-19 13:14:56 +02:00
Anders Schack-Mulligen
06514159be Java: Add XXE tests. 2021-04-19 10:58:21 +02:00
Anders Schack-Mulligen
daad62c4e0 Java: Add TaintedPath test. 2021-04-19 10:07:03 +02:00
Jonas Jensen
1ab75eb6f4 Merge pull request #5708 from github/fix-id-in-JsonpInjection-1
Java: Fix id in experimental JsonpInjection.ql query
2021-04-19 08:23:34 +02:00
yoff
118840dad4 Merge pull request #5690 from tausbn/python-disallow-post-update-nodes-as-local-source-nodes
Python: Disallow `PostUpdateNode` as `LocalSourceNode`
2021-04-19 06:56:11 +02:00
Mathias Vorreiter Pedersen
e36b42a03f Java: Fix invalid id in experimental query
The invalid id broke CI here: https://github.com/github/codeql/pull/5703 (see https://github.slack.com/archives/CPSEA0G22/p1618602834224600)
2021-04-17 09:47:15 +02:00
Mathias Vorreiter Pedersen
95742aec69 C++: Accept test changes for the other experimental query in the directory. This is only a change in line numbers. 2021-04-16 21:29:17 +02:00
Mathias Vorreiter Pedersen
64f8316a6d C++: Tidy up the ql file and accept test changes. 2021-04-16 21:22:13 +02:00
Mathias Vorreiter Pedersen
1e327289b2 C++: Add false negative test. 2021-04-16 18:38:51 +02:00
Mathias Vorreiter Pedersen
50abb6e3a1 C++: Cleanup test.c 2021-04-16 17:32:44 +02:00
Shati Patel
5c2bf68a05 Merge pull request #5692 from tamasvajk/feature/doc-cs9
Update supported C#/.NET versions
2021-04-16 16:22:06 +01:00
Tom Hvitved
40b74167e0 C#: Improve performance of DisposeNotCalledOnException.ql 2021-04-16 14:34:16 +02:00
Rasmus Wriedt Larsen
3c8ea167c4 Merge pull request #5668 from tausbn/python-use-api-graphs-in-fabric
Python: Use API graphs in Fabric model
2021-04-16 14:27:55 +02:00
Rasmus Wriedt Larsen
6ed1016bb8 Merge pull request #5669 from tausbn/python-use-api-graphs-for-invoke
Python: Use API graphs for Invoke
2021-04-16 14:27:19 +02:00
Taus
92b4eb7f02 Python: Cleanup and more explanation
Goes into some detail about the intended semantics of local source nodes
and `flowsTo`.
2021-04-16 11:54:20 +00:00
Geoffrey White
e1028a2765 Merge pull request #5667 from MathiasVP/use-range-analysis-in-overflow
C++: Use range analysis in Overflow.qll
2021-04-16 12:00:28 +01:00
Taus
5c79ad2412 Python: Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-04-16 11:38:29 +02:00
Taus
af0c32c01d Python: Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-04-16 11:35:12 +02:00
Anders Schack-Mulligen
605f28f741 Merge pull request #5686 from smowton/haby0/JsonHijacking
Java: JSONP Injection w/cleanups
2021-04-16 11:09:17 +02:00
Tamas Vajk
b0975bb3ea Update supported C#/.NET versions 2021-04-16 09:15:43 +02:00
Taus
451d36dc97 Python: Allow _some_ PostUpdateNodes
Specifically, allow the ones arising from calls, but not reads or
writes. This should fix the tests.
2021-04-15 21:26:12 +00:00
Taus
c9c8259ed0 Python: Disallow PostUpdateNode as LocalSourceNode
Previously, in cases like

```python
def foo(x):
    x.bar()
    x.baz()
    x.quux()
```

we would have flow from the first `x` to each use _and_ flow from the
post-update node for each method call to each subsequent use, and all
of these would be `LocalSourceNode`s. For large functions with the above
pattern, this would lead to a quadratic blowup in `hasLocalSource`.

With this commit, only the first of these will count as a
`LocalSourceNode`, and the blowup disappears.
2021-04-15 17:56:14 +00:00
Andrew Eisenberg
5d827b6fc8 Actions: Change staleness calculation
Calculate staleness on issues that have the
`Stale` label. Leave all other issues untouched.
2021-04-15 10:14:13 -07:00
Chris Smowton
c37994089c Revert changes to unrelated query 2021-04-15 16:24:29 +01:00
Chris Smowton
254de76078 Remove unnecessary stubs 2021-04-15 16:20:27 +01:00
haby0
dedf765542 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-15 22:59:22 +08:00
Rasmus Wriedt Larsen
b359205d17 Python: Add taint tests for .get() in flask 2021-04-15 14:53:44 +02:00
CodeQL CI
578ce1e512 Merge pull request #5683 from asgerf/js/typescript-template-literal-type-crash
Approved by erik-krogh
2021-04-15 05:11:11 -07:00
Mathias Vorreiter Pedersen
7fbc62358e C++: Accept test changes after making the exprMightOverFlow predicates more sound. 2021-04-15 13:57:44 +02:00
haby0
0e183ab4a4 Finish comment 2021-04-15 19:49:06 +08:00
Chris Smowton
fa36ba901a Merge pull request #5471 from artem-smotrakov/el-injection
Java: Query for detecting Jakarta Expression Language injections
2021-04-15 12:39:34 +01:00
haby0
d269a7e717 CWE-598 reduction 2021-04-15 19:33:15 +08:00
haby0
216f204438 delete FilterClass 2021-04-15 19:28:25 +08:00
haby0
583d0889e2 delete tomcat-embed-core stub, update the ServletGetMethod class 2021-04-15 17:40:51 +08:00
haby0
5d05e4d224 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-15 17:28:53 +08:00
Tom Hvitved
0f24db8759 C#: Improve performance of SsaImpl::CallGraph::SimpleDelegateAnalysis 2021-04-15 11:25:27 +02:00
Asger Feldthaus
f8570bb293 JS: Update TRAP 2021-04-15 10:16:46 +01:00
Asger Feldthaus
cb736c8c82 JS: Change note 2021-04-15 09:37:57 +01:00
Tom Hvitved
972cc47f67 Merge pull request #5673 from hvitved/csharp/customizations
C#: Add `Customizations.qll`
2021-04-15 10:24:29 +02:00
Asger Feldthaus
b4a2a9db25 JS: Fix extraction of non-substitution template literal types 2021-04-15 09:23:45 +01:00
haby0
b3bdf89fc2 rm VerificationMethodFlowConfig, use springframework-5.2.3 stub 2021-04-15 10:25:40 +08:00
CodeQL CI
4be183c7f6 Merge pull request #5675 from erik-krogh/libXss
Approved by esbena
2021-04-14 14:34:23 -07:00
Robert Marsh
fe57876fd8 Merge pull request #5643 from dbartol/smart-pointers/side-effect-refactor
C++: Refactor some side effect generation code
2021-04-14 09:59:41 -07:00
Artem Smotrakov
97186b3d30 Added comments for tests 2021-04-14 19:30:58 +03:00
Andrew Eisenberg
56ba0f080a Merge pull request #5659 from github/aeisenberg/mark-as-stale
Actions: Add workflow for marking stale questions
2021-04-14 08:37:55 -07:00
Andrew Eisenberg
392adf2a25 Workflows: Remove dry-run flag for labeller 2021-04-14 08:25:34 -07:00
Dave Bartolomeo
b29f35f564 Fix formatting 2021-04-14 11:15:16 -04:00
Geoffrey White
64fed4cb10 Merge pull request #5677 from MathiasVP/fix-duplicate-ids-in-experimental
C++: Fix duplicate names in experimental queries
2021-04-14 15:58:49 +01:00
Jonas Jensen
b4f01c9afa Merge pull request #5578 from MathiasVP/ast-flow-smart-pointers
C++: AST dataflow through smart pointers
2021-04-14 16:39:05 +02:00
Mathias Vorreiter Pedersen
53a320a810 C++: Fix duplicate names. 2021-04-14 16:33:18 +02:00
Mathias Vorreiter Pedersen
bb447d7174 C++: Make sure missingGuardAgainstOverflow (and underflow) holds when range analysis fails to deduce a bound. 2021-04-14 16:30:43 +02:00
yoff
447f339857 Merge pull request #5641 from tausbn/python-use-localsourcenode-in-typetrackers
Python: Use API graphs in PEP249 support
2021-04-14 15:39:49 +02:00
Mathias Vorreiter Pedersen
92508beb82 Merge pull request #5600 from ihsinme/ihsinme-patch-258
CPP: Add query for CWE-691 Insufficient Control Flow Management When Using Bit Operations
2021-04-14 14:55:30 +02:00
Anders Schack-Mulligen
f43d427875 Merge pull request #5645 from Marcono1234/marcono1234/primary-ql-class
Java: Override getAPrimaryQlClass() for more classes
2021-04-14 14:51:29 +02:00
Mathias Vorreiter Pedersen
bc7cc2f7ce C++: Remove rule that wasn't needed. 2021-04-14 14:50:27 +02:00
Mathias Vorreiter Pedersen
da36508714 Revert "C++: As response to the review comments this commit adds a reference-to-pointer state to AddressFlow. A call to an unwrapper function now adds a pointer -> reference-to-pointer transition, and a ReferenceDereference adds a reference-to-pointer -> pointer transition."
This reverts commit 5aeaab7c6d.
2021-04-14 14:41:22 +02:00
Chris Smowton
591ac38c31 Merge pull request #5591 from Marcono1234/marcono1234/member-nested-type
Java: Add MemberType
2021-04-14 12:29:54 +01:00
Taus
54c79bff74 Merge pull request #5666 from RasmusWL/django-refactor
Python: Refactoring and exposing of Django views/fields/forms
2021-04-14 13:07:20 +02:00
Mathias Vorreiter Pedersen
2e40d01397 Update cpp/ql/src/semmle/code/cpp/security/Overflow.qll
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2021-04-14 13:01:31 +02:00
Rasmus Wriedt Larsen
44d2bf42d7 Merge pull request #5671 from tausbn/python-use-api-graphs-in-werkzeug
Python: Use API graphs in Werkzeug
2021-04-14 12:57:58 +02:00
Erik Krogh Kristensen
fd23e0bdda use more API nodes in XmlParsers, and recognize more results from parsing XML 2021-04-14 11:48:31 +02:00
Anders Schack-Mulligen
3b6cd0f681 Merge pull request #5661 from smowton/smowton/cleanup/call-is-exprparent
Make Call a subclass of ExprParent.
2021-04-14 10:49:33 +02:00
Rasmus Wriedt Larsen
9de8085571 Merge pull request #5665 from tausbn/python-use-api-graphs-in-tornado
Python: Tornado cleanup using API graphs
2021-04-14 10:22:21 +02:00
Rasmus Wriedt Larsen
2d0c9b6bf2 Merge pull request #5670 from tausbn/python-use-api-graphs-in-dill
Python: Use API graphs in Dill model
2021-04-14 10:08:02 +02:00
Rasmus Wriedt Larsen
55723618a9 Python: Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-04-14 10:05:50 +02:00
Chris Smowton
2965a1f204 Use Thread$State as an inner-class example
Map<>$Entry currently has odd generic notation that may be about to change.
2021-04-14 08:43:05 +01:00
Chris Smowton
5158e7964e Add change note 2021-04-14 08:25:12 +01:00
Tom Hvitved
36fe72246b C#: Add change note 2021-04-14 09:22:16 +02:00
Tom Hvitved
4810308b16 C#: Add Customizations.qll 2021-04-14 09:16:31 +02:00
haby0
77208bcc91 Fix the error that there is no VerificationMethodToIfFlowConfig 2021-04-14 13:14:43 +08:00
haby0
e2ed0d02b0 Delete existsFilterVerificationMethod and existsServletVerificationMethod, add from get handler to filter 2021-04-14 12:34:52 +08:00
haby0
37dae67a0d Fix RequestResponseFlowConfig.isSink error 2021-04-14 09:55:24 +08:00
Robert Marsh
419d25cbcf Merge pull request #5325 from ihsinme/ihsinme-patch-245
CPP: Add query for CWE-783 Operator Precedence Logic Error When Use Bool Type
2021-04-13 13:24:39 -07:00
Taus
981c5deb57 Merge pull request #5639 from tausbn/python-api-graphs-missing-builtins
Python: Add missing builtins to `API::builtin`
2021-04-13 21:27:52 +02:00
Marcono1234
d853f0c400 Java: Add MemberType 2021-04-13 18:55:20 +02:00
Taus
a6bb9ebb9f Python: Re-introduce abstract toString
This seems like the easier solution in the short run.
2021-04-13 16:08:41 +00:00
Taus
079c7e089d Python: Autoformat 2021-04-13 16:05:45 +00:00
Taus
273e8ce4ef Python: Add change note 2021-04-13 16:04:07 +00:00
haby0
00235ed3b3 Update java/ql/src/semmle/code/java/frameworks/Servlets.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-13 23:58:52 +08:00
haby0
25b012db48 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-13 23:58:28 +08:00
Taus
5f7d3d0d36 Python: Use API graphs in Werkzeug 2021-04-13 15:57:21 +00:00
haby0
7be45e7c5e Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-13 23:56:17 +08:00
haby0
6e73d13670 Update java/ql/src/semmle/code/java/frameworks/Servlets.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-13 23:48:45 +08:00
Taus
2890fe6d61 Python: Use API graphs in Dill model
If only all rewrites were this smooth...
2021-04-13 15:26:54 +00:00
Taus
7ed09904b4 Python: Use API graphs for Invoke
A few stragglers remain, as they are modelling the use of decorators.

They will be dealt with at a later date.
2021-04-13 15:21:19 +00:00
Mathias Vorreiter Pedersen
aa52585120 C++: Add change-note. 2021-04-13 17:17:05 +02:00
Marcono1234
89a5acf6e8 Java: Revert overriding XMLFile.getAPrimaryQlClass()
Library file has to be kept in sync with the other languages, however except
cpp none of them have the getAPrimaryQlClass() predicate declared in a
superclass. Therefore for simplicity revert the change for Java.
2021-04-13 17:09:15 +02:00
Taus
7f131c1f35 Python: Get rid of _attr predicates 2021-04-13 14:55:44 +00:00
Taus
1008411594 Python: Use API graphs in Fabric model 2021-04-13 14:49:44 +00:00
Mathias Vorreiter Pedersen
d1457995dd C++: Use range analysis in Overflow.qll 2021-04-13 16:39:28 +02:00
Taus
a404faa302 Python: Use American English in change note
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2021-04-13 15:05:44 +02:00
Taus
7825a2cdfc Python: Add change note 2021-04-13 12:48:45 +00:00
Taus
1a4845f417 Python: Restrict types a bit
The `CallCfgNode` restrictions are familiar and useful.

Restricting `InstanceSource` to extend `LocalSourceNode` is novel, but I
think it makes sense. It will act as a good reminder to anyone extending
`InstanceSource` that the node in question is a `LocalSourceNode`, which
will be enforced by the return type of the internal type tracker anyway.
2021-04-13 12:28:38 +00:00
Taus
f93b68d4dc Python: Get rid of _attr methods 2021-04-13 12:25:38 +00:00
Taus
98d936d8b3 Python: Tornado cleanup using API graphs
I wasn't able to roll out API graphs as widely in Tornado as I had
hoped, since we're lacking the "def" part. This means most of the
`InstanceSource` machinery will have to stay.
2021-04-13 12:25:38 +00:00
CodeQL CI
f341d5010d Merge pull request #5662 from asgerf/js/simpler-json-api
Approved by erik-krogh
2021-04-13 04:37:56 -07:00
Tom Hvitved
9b0ef2fe21 Merge pull request #5654 from hvitved/csharp/autobuilder/pwsh
C#: First try `pwsh` and then `powershell` when calling `dotnet-install.ps1`
2021-04-13 13:15:01 +02:00
Chris Smowton
58d198261e Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly
Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections
2021-04-13 12:08:53 +01:00
CodeQL CI
646639bc73 Merge pull request #5460 from erik-krogh/forgery-2
Approved by asgerf
2021-04-13 03:57:04 -07:00
Chris Smowton
f22b11881e Minimise stubs
By removing all business logic from the stubs, we better test that our analysis treats them as opaque and does not rely on their internal structure
2021-04-13 10:36:28 +01:00
Chris Smowton
45e1a61d7b Mark test as bad-but-missed
This test ought ideally to be caught, but isn't by the current version of the query.
2021-04-13 10:36:27 +01:00
Asger Feldthaus
e77117f902 JS: Autoformat 2021-04-13 10:29:14 +01:00
Asger Feldthaus
929d9da4b4 JS: Migrate to new JSON API 2021-04-13 10:29:13 +01:00
Asger Feldthaus
7c13163413 JS: Lift JSON accessors to JSONValue 2021-04-13 10:29:13 +01:00
Tom Hvitved
15c103e42d C#: Remove code duplication in BuildScripts.cs 2021-04-13 10:57:15 +02:00
Chris Smowton
dee974ff2d Make Call a subclass of ExprParent. All of its subclasses are in any case (via Expr or Stmt) 2021-04-13 09:13:47 +01:00
Marcono1234
c37dbb2e68 Java: Override getAPrimaryQlClass() for more classes 2021-04-13 08:46:01 +01:00
Mathias Vorreiter Pedersen
3cfd30ef6f Merge pull request #5629 from hvitved/cpp/remove-unique
C++: Remove `unique` wrapper from `DataFlow::Node::getEnclosingCallable`
2021-04-13 09:42:34 +02:00
haby0
be39883166 Change the class name and comment,Use .(CompileTimeConstantExpr).getStringValue() 2021-04-13 14:10:10 +08:00
Dave Bartolomeo
afd2f58f9f C++: Fix PR feedback 2021-04-12 18:21:05 -04:00
Dave Bartolomeo
697b2dcde8 C++: Add missing store step for single-field struct use
We have special code to handle field flow for single-field structs, but that special case was too specific. Some `Store`s to single-field structs have no `Chi` instruction, which is the case that we handled already. However, it is possible for the `Store` to have a `Chi` instruction (e.g. for `{AllAliased}`), but still have a use of the result of the `Store` directly. We now add a `PostUpdateNode` for the result of the `Store` itself in those cases, just like we already did if the `Store` had no `Chi`.
2021-04-12 18:11:41 -04:00
Robert Marsh
0102d68f38 Merge pull request #5658 from MathiasVP/fix-partial-def-diff-test
C++: Fix performance in test
2021-04-12 13:08:30 -07:00
Andrew Eisenberg
e0fcb15739 Actions: Add workflow for marking stale questions
This PR adds a workflow for marking and closing issues as stale. Issues must be labeled as _question_. PRs are never marked as stale.
2021-04-12 13:05:53 -07:00
Artem Smotrakov
b96b665262 Renaming in java/ql/src/experimental/Security/CWE/CWE-094 2021-04-12 21:40:49 +03:00
Mathias Vorreiter Pedersen
037e6369ce C++: Ensure all values are bound in both disjunctions. 2021-04-12 18:27:21 +02:00
luchua-bc
d7f26dfc18 Update stub classes and qldoc 2021-04-12 16:19:23 +00:00
Taus
fda750ef26 Merge pull request #5642 from tausbn/python-use-api-graphs-in-stdlib
Python: Use API graphs in `Stdlib.qll`
2021-04-12 18:05:38 +02:00
Chris Smowton
423ff32d04 Merge pull request #5384 from luchua-bc/java/insecure-spring-actuator-config
Java: CWE-016 Query to detect insecure configuration of Spring Boot Actuator
2021-04-12 17:04:47 +01:00
Taus
6d4ddc0329 Merge pull request #5614 from tausbn/python-allow-absolute-imports-from-source-directory
Python: Allow absolute imports from source directory
2021-04-12 18:02:00 +02:00
CodeQL CI
bc56d16c18 Merge pull request #5485 from RasmusWL/django-queryset-chains
Approved by tausbn
2021-04-12 08:49:31 -07:00
Tom Hvitved
dfc91b8331 C#: Simplify dotnet-install.ps1 invocation
Using the pattern from https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-install-script.
2021-04-12 17:33:33 +02:00
Chris Smowton
bb23866cec Add missing doc comments 2021-04-12 16:33:01 +01:00
Tom Hvitved
d35a501121 Merge pull request #5583 from lcartey/cs/restrict-jump-to-def
C#: Exclude jump-to-def information for elements with too many locations
2021-04-12 16:52:20 +02:00
ihsinme
a43698802f Update InsufficientControlFlowManagementWhenUsingBitOperations.ql 2021-04-12 17:36:50 +03:00
CodeQL CI
310a2c8bb3 Merge pull request #5655 from erik-krogh/cert
Approved by esbena
2021-04-12 07:31:04 -07:00
Chris Smowton
2656a52880 Merge pull request #5538 from luchua-bc/java/credentials-in-properties
Java: CWE-555 Query to detect plaintext credentials in Java properties files
2021-04-12 15:22:21 +01:00
Chris Smowton
abeefcaced Merge pull request #4947 from porcupineyhairs/DexLoading
Java : add query to detect insecure loading of Dex File
2021-04-12 15:22:12 +01:00
Mathias Vorreiter Pedersen
5aeaab7c6d C++: As response to the review comments this commit adds a reference-to-pointer state to AddressFlow. A call to an unwrapper function now adds a pointer -> reference-to-pointer transition, and a ReferenceDereference adds a reference-to-pointer -> pointer transition. 2021-04-12 16:01:01 +02:00
Chris Smowton
11bf982728 Remove superfluous linebreaks in qhelp file 2021-04-12 14:36:42 +01:00
Erik Krogh Kristensen
32737a17fb add change note 2021-04-12 15:09:13 +02:00
Erik Krogh Kristensen
172d6139e2 support all ClientRequests in js/disabling-certificate-validation 2021-04-12 15:06:10 +02:00
luchua-bc
c281e54d22 Remove unused files and update qldoc 2021-04-12 13:05:01 +00:00
Tom Hvitved
57016ddbde C++: Remove unique wrapper from DataFlow::Node::getEnclosingCallable() 2021-04-12 14:41:52 +02:00
Tom Hvitved
7d2a60e910 Merge pull request #5640 from hvitved/dataflow/path-step-perf
Data flow: Prevent bad join-order in `pathStep`
2021-04-12 14:40:46 +02:00
Tom Hvitved
5446532e1d C#: Update auto-builder tests 2021-04-12 14:01:55 +02:00
Anders Schack-Mulligen
acd4cf2878 Merge pull request #5636 from aschackmull/java/shared-flow-summaries
Java: Adopt shared flow summaries
2021-04-12 13:35:31 +02:00
CodeQL CI
e8d835b422 Merge pull request #5638 from erik-krogh/smartInliner
Approved by esbena
2021-04-12 04:17:25 -07:00
Tom Hvitved
c7686b1838 C#: First try pwsh and then powershell when calling dotnet-install.ps1 2021-04-12 13:01:14 +02:00
Tom Hvitved
cf5f838b13 Data flow: Remove recommendation to use unique in Node::getEnclosingCallable() 2021-04-12 12:04:23 +02:00
Anders Schack-Mulligen
e003b04061 Merge pull request #5637 from Marcono1234/marcono1234/toString-method
Java: Add ToStringMethod
2021-04-12 11:43:55 +02:00
Max Schaefer
cd57e61f65 Rename MkHasUnderlyingType to MkTypeUse. 2021-04-12 11:30:15 +02:00
Erik Krogh Kristensen
91d28fb8b0 cleanup in API-graphs 2021-04-12 11:30:15 +02:00
CodeQL CI
63f087a8e9 Merge pull request #5653 from erik-krogh/givenCommand
Approved by asgerf
2021-04-12 02:01:32 -07:00
Rasmus Wriedt Larsen
364d48948f Merge pull request #3810 from dilanbhalla/syntaxpython
Python: Function/Class Naming Convention (Syntax)
2021-04-12 10:42:17 +02:00
Erik Krogh Kristensen
17c4bbbc4e allow parameters that end with "Command" in js/shell-command-constructed-from-input 2021-04-12 09:57:40 +02:00
haby0
1b948ac2e2 Combine two Configurations into one 2021-04-12 15:44:39 +08:00
yo-h
4f2060f96b Merge commit '2d618d6b928d8b76ac8033b3b63d9bde71caa325' into yo-h/java16 2021-04-11 23:55:33 -04:00
Taus
10be2735ec Python: Get rid of _attr predicates
Also changes all `CfgNode`s representing calls to `CallCfgNode`s.
2021-04-10 12:12:18 +00:00
haby0
d90527bead JsonpInjectionExpr updated to JsonpBuilderExpr 2021-04-10 10:33:21 +08:00
Marcono1234
9349e6922d Java: Add ToStringMethod 2021-04-10 04:00:44 +02:00
haby0
eeae91e620 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 09:48:55 +08:00
haby0
046aeaa38c Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 09:37:29 +08:00
haby0
8b756d7f1b Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 09:27:03 +08:00
haby0
650446f761 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 09:26:32 +08:00
haby0
a5ebe8c600 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 09:26:08 +08:00
porcupineyhairs
8687c5c145 Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:18:35 +05:30
haby0
8a7d28a2ed Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:29:49 +08:00
haby0
4c21980d4f Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:29:30 +08:00
haby0
9635a36044 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:29:06 +08:00
haby0
760231c004 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:28:17 +08:00
haby0
c77c7b0a98 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:27:16 +08:00
haby0
837f20108d Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:25:43 +08:00
haby0
157e4670fd Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:25:11 +08:00
haby0
79c1374925 Update java/ql/src/semmle/code/java/frameworks/Servlets.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:24:49 +08:00
haby0
1510048f7a Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:23:13 +08:00
haby0
d8165145c7 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:22:44 +08:00
haby0
ebd38eaf3b Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:22:08 +08:00
haby0
b8c11503f0 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-10 04:21:49 +08:00
Dave Bartolomeo
0a86642056 C++: Refactor some side effect generation code
This change was necessary for my upcoming changes to introduce side effect instructions for indirections of smart pointers. The code to decide which parameters have which side effects appeared in both the IPA constructor for `TTranslatedSideEffect` and in `TranslatedCall`. These two versions didn't quite agree, especially once the `SideEffectFunction` model provides its own side effects instead of the defaults.
The relevant code has now been factored out into `SideEffects.qll`. This queries the model if one exists, and provides default side effects if no model exists. This fixes at least one existing issue, where we were emitting a buffer read side effect for `*this` instead of an indirect read side effect. This accounts for all of the IR diffs in the tests.
2021-04-09 16:14:03 -04:00
luchua-bc
4e3791dc0d Remove LoadCredentialsConfiguration and update qldoc 2021-04-09 19:36:35 +00:00
Taus
720fbaf301 Python: Fix test error.
Somehow, having to type "Node" all day long made me turn "json" into
"node"...

Also removes some bits that weren't needed after all.
2021-04-09 19:04:49 +00:00
Mathias Vorreiter Pedersen
1510fe370d C++: Add cases for const pointer wrapper references to AddressFlow and FlowVar. 2021-04-09 20:58:05 +02:00
Mathias Vorreiter Pedersen
2329b31601 C++: Replace the new SmartPointerPartialDefinition with additional steps in AddressFlow.qll 2021-04-09 20:49:45 +02:00
Mathias Vorreiter Pedersen
a460e3ad3d Merge branch 'main' into ast-flow-smart-pointers 2021-04-09 19:41:10 +02:00
Taus
cc4827600b Python: Use API graphs in Stdlib.qll
Eliminates _almost_ all of the bespoke type trackers found here. The
ones that remain do not fit easily inside the framework of API graphs
(at least, not yet), and I did not see any easy ways to clean them up.
They have, however, been rewritten to use `LocalSourceNode` internally,
which was the primary goal of this exercise.

I'm sure we could also clean up many of the inner modules given the more
lean presentation we have now, but this can wait for a different PR.
2021-04-09 17:11:47 +00:00
luchua-bc
04b0682bbf Use isAdditionalTaintStep and make the query more readable 2021-04-09 16:14:51 +00:00
Tom Hvitved
fd8f745468 Java: Adopt shared flow summary library and refactor data-flow nodes. 2021-04-09 16:57:03 +02:00
Shati Patel
2d618d6b92 Merge pull request #5625 from shati-patel/docs/cli-manual
Docs: Link to CodeQL CLI manual from the sidebar
2021-04-09 15:30:24 +01:00
Tom Hvitved
f130616369 Data flow: Make getLocalCc private again 2021-04-09 16:22:58 +02:00
Taus
d2b874f217 Python: Use API graphs in PEP249 support
Because the replacement extension point now extends `API::Node`, I
modified the `toString` method of the latter to have an empty body.
The alternative would be to require everyone to provide a `toString`
predicate for their extensions, but seeing as these will usually be
pointing to already existing API graph nodes, this seems silly.

(This may be the reason why the equivalent method in the JS libs has
such an implementation.)
2021-04-09 14:19:00 +00:00
Jonas Jensen
e1d0bbb021 Merge pull request #5607 from MathiasVP/smart-pointer-ast-read-store-steps
C++: read and store steps for smart pointers in AST dataflow
2021-04-09 16:11:48 +02:00
CodeQL CI
6fd4a8afff Merge pull request #5567 from asgerf/js/sql-models
Approved by esbena
2021-04-09 07:11:10 -07:00
CodeQL CI
be2fe6e171 Merge pull request #5630 from erik-krogh/urlStep
Approved by esbena
2021-04-09 07:05:43 -07:00
CodeQL CI
8d2768b2ce Merge pull request #5634 from erik-krogh/fileSource
Approved by asgerf
2021-04-09 07:04:42 -07:00
Anders Schack-Mulligen
701e815368 Merge pull request #5628 from hvitved/java/remove-unique
Java: Remove `unique` wrapper from `DataFlow::Node::getEnclosingCallable()`
2021-04-09 15:21:26 +02:00
Mathias Vorreiter Pedersen
cd310eb9d5 C++: Remove unused import. 2021-04-09 15:08:48 +02:00
Tamás Vajk
992a4df12f Merge pull request #5619 from tamasvajk/feature/fix-default-argument-value-extraction
C# Improve default argument value extraction
2021-04-09 14:58:35 +02:00
Mathias Vorreiter Pedersen
996cda9b97 C++: Fix incorrect test annotation. 2021-04-09 14:46:46 +02:00
Tom Hvitved
6874b8d4b3 Data flow: Prevent bad join-order in pathStep 2021-04-09 14:24:47 +02:00
Mathias Vorreiter Pedersen
80d5b17900 C++: Remove the dataflow rule for smart_ptr -> *smart_ptr. 2021-04-09 14:20:51 +02:00
Mathias Vorreiter Pedersen
cae0060a89 C++: Replace the new rules in DataFlowUtil with a dataflow model for pointer wrapper classes. 2021-04-09 14:06:58 +02:00
Taus
affdedd840 Python: Add missing builtins to API::builtin
We were missing out on `None`, `True`, and `False` as these do not
appear as actual attributes of the `builtins` module in Python 3
(because they are elevated to the status of keywords there)

The simple solution, then, is to just always include them directly.
2021-04-09 12:02:07 +00:00
Tamas Vajk
46197e6e69 Address review comments 2021-04-09 13:39:37 +02:00
Erik Krogh Kristensen
595bdedb22 rename predicate to getStem, and update regexp 2021-04-09 13:07:54 +02:00
Mathias Vorreiter Pedersen
0a6aef71a2 C++: Respond to review comments. 2021-04-09 12:29:13 +02:00
CodeQL CI
652e8b4872 Merge pull request #5586 from asgerf/js/tsconfig-file-inclusion-handling
Approved by esbena
2021-04-09 02:50:51 -07:00
Tom Hvitved
c9c4c067b6 Merge pull request #5633 from hvitved/csharp/get-a-source-type-perf
C#: Improve performance of `Dispatch::SimpleTypeDataFlow::getASourceType()`
2021-04-09 11:42:34 +02:00
Tamás Vajk
a335bb0115 Merge pull request #5609 from tamasvajk/feature/dapper
C#: Dapper support
2021-04-09 10:52:17 +02:00
CodeQL CI
ad267404c9 Merge pull request #5137 from asgerf/js/redux-less
Approved by erik-krogh
2021-04-09 01:24:19 -07:00
Tamas Vajk
d7f0b9a7fa Add change note 2021-04-09 09:58:37 +02:00
Tamas Vajk
749db379ca Address code review findings 2021-04-09 09:55:37 +02:00
Tamas Vajk
dbb3d3dc17 Add change note 2021-04-09 09:50:55 +02:00
luchua-bc
11304b2ae1 Update qldoc and change the wrapper method implementation 2021-04-09 02:21:59 +00:00
Erik Krogh Kristensen
7f01586bf1 fix bad join order in getDocumentedParameter 2021-04-09 01:15:46 +02:00
Erik Krogh Kristensen
e5bce548de add nomagic on mayHaveStringValue 2021-04-09 00:08:51 +02:00
Erik Krogh Kristensen
956311457d fixed bad SourceNode X SourceNode join in HTTP model 2021-04-08 21:15:50 +02:00
ihsinme
9b3ccade43 Update test.c 2021-04-08 22:06:35 +03:00
ihsinme
02eb447a35 Update InsufficientControlFlowManagementWhenUsingBitOperations.expected 2021-04-08 22:04:08 +03:00
ihsinme
a6b486a448 Update InsufficientControlFlowManagementWhenUsingBitOperations.ql 2021-04-08 22:01:43 +03:00
Dilan
d73ba13b28 autoformat fix 2021-04-08 11:41:58 -07:00
Artem Smotrakov
b39a3ab12c Added setVariable() sink 2021-04-08 20:41:43 +03:00
Tamás Vajk
8adaee05b6 Merge pull request #5453 from tamasvajk/feature/use_codeql_stubs
C#: Adjust make_stubs.py to use codeql instead of odasa
2021-04-08 16:16:05 +02:00
Anders Schack-Mulligen
6109ef5e88 Merge pull request #5475 from Marcono1234/marcono1234/minus-literal
Java: Improve documentation regarding minus in front of numeric literals
2021-04-08 16:11:14 +02:00
Asger Feldthaus
7d300b53d7 JS: Autoformat 2021-04-08 15:06:48 +01:00
Anders Schack-Mulligen
d42a01cb3a qldoc fixup 2021-04-08 15:45:21 +02:00
Tamas Vajk
e5160929eb Remove ODASA reference from make_stubs.py 2021-04-08 15:04:02 +02:00
Erik Krogh Kristensen
30ba69d991 treat "files" in a package.json as main modules, if "main" is not present 2021-04-08 14:42:12 +02:00
Tom Hvitved
036e181bc1 C#: Improve performance of Dispatch::SimpleTypeDataFlow::getASourceType() 2021-04-08 14:27:28 +02:00
Tom Hvitved
716568ebd1 Merge pull request #5623 from hvitved/csharp/enclosing
C#: Compute enclosing callable as a transitive closure
2021-04-08 14:20:09 +02:00
Tom Hvitved
9820116734 Merge pull request #5603 from hvitved/csharp/dataflow/no-unique
C#: Remove `unique` wrappers from `DataFlow::Node::get(EnclosingCallable|ControlFlowNode)`
2021-04-08 14:19:34 +02:00
Asger Feldthaus
52a2260dc7 JS: Rename change note file 2021-04-08 12:52:23 +01:00
Rasmus Wriedt Larsen
c738f387b1 Merge pull request #5624 from tausbn/python-make-callcfgnode-a-localsourcenode
Python: Improve `CallCfgNode` interface
2021-04-08 13:38:24 +02:00
Taus
cf5f760ecd Merge pull request #5582 from RasmusWL/all-tuple
Python: Add support for `__all__` assigned to tuple
2021-04-08 13:03:27 +02:00
Rasmus Wriedt Larsen
83477439a1 Python: Make django views/fields/forms class modeling extensible
This also requires that we make this part of the modeling public, which I guess
is step we want to take eventually anyway!

I'm not quite sure whether the modules `Django::Views` and `Django::Forms` are
actually helpful, or whether we should just have their modules available as
`Django::View`, `Django::Form`, and `Django::Field`...
2021-04-08 12:45:37 +02:00
Rasmus Wriedt Larsen
b7483a5394 Python: Add modeledSubclassRef for Django views/fields/forms 2021-04-08 12:45:36 +02:00
Rasmus Wriedt Larsen
322bdcb703 Python: Port Django view modeling to API graphs 2021-04-08 12:45:35 +02:00
Rasmus Wriedt Larsen
8ce5c46e05 Python: Minor refactor
modName/clsName _is_ shorter, but also looks way worse :D
2021-04-08 12:45:34 +02:00
Tamas Vajk
a790eb8110 Fix for unconstrained generic types 2021-04-08 12:20:01 +02:00
Tamas Vajk
a8cbdc92b9 Add more test cases 2021-04-08 12:17:19 +02:00
Tamas Vajk
551a7ce9e5 Fix expression value of struct default argument values 2021-04-08 12:14:53 +02:00
Tamas Vajk
c069c3384e Fix tests 2021-04-08 12:07:36 +02:00
Tamas Vajk
cb9a9db356 C# Improve default argument value extraction 2021-04-08 12:07:22 +02:00
Tamas Vajk
2ac1e60406 C#: Add parameter default value tests 2021-04-08 12:04:18 +02:00
Jonas Jensen
51bab81f56 Merge pull request #5622 from MathiasVP/inline-is-before
C++: Inline Location::isBefore
2021-04-08 11:24:33 +02:00
Erik Krogh Kristensen
99dd5330c2 add taint-step for URL construction in js/request-forgery 2021-04-08 11:10:33 +02:00
CodeQL CI
a9527fd913 Merge pull request #5621 from erik-krogh/shellSink
Approved by esbena
2021-04-08 09:47:45 +01:00
Tom Hvitved
2faf52b6bd Java: Remove unique wrapper from DataFlow::Node::getEnclosingCallable()` 2021-04-08 10:07:19 +02:00
Dilan
675de07c3e autoformat ql 2021-04-07 15:04:18 -07:00
ihsinme
ed34c96357 Update InsufficientControlFlowManagementWhenUsingBitOperations.ql 2021-04-07 21:40:49 +03:00
ihsinme
eb9b41acab Apply suggestions from code review
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-04-07 21:31:12 +03:00
Artem Smotrakov
a764a79090 Always bind arguments in TaintPropagatingCall 2021-04-07 21:12:21 +03:00
Artem Smotrakov
c13ee0859a LambdaExpression should extend JakartaType 2021-04-07 21:02:21 +03:00
Shati Patel
4cf0b8e725 Merge pull request #5626 from shati-patel/docs/broken-links
Docs: Fix broken link to cached "RemoteFlowSource"
2021-04-07 19:01:33 +01:00
Artem Smotrakov
3d8e173c57 Removed a reference to Apache Commons EL 2021-04-07 20:59:07 +03:00
Artem Smotrakov
80ac2aff26 Fixed typos
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-04-07 20:55:03 +03:00
Shati Patel
f372274857 Docs: Fix broken links 2021-04-07 18:02:29 +01:00
Shati Patel
2373bf2dfb Docs: Link to CodeQL CLI manual from the sidebar 2021-04-07 17:55:05 +01:00
Tom Hvitved
1cf30d2a9e C#: Compute enclosing callable as a transitive closure 2021-04-07 17:44:41 +02:00
Jonas Jensen
ab58cb3d44 Merge pull request #5604 from MathiasVP/fix-false-positive-in-assign-where-compare-meant
C++: Fix FP in cpp/assign-where-compare-meant
2021-04-07 16:54:45 +02:00
CodeQL CI
f0491af64c Merge pull request #5529 from erik-krogh/socketInput
Approved by esbena
2021-04-07 15:03:13 +01:00
Asger F
0c724a8427 Merge pull request #5304 from asgerf/js/non-alert-data
JS: Implement new metric queries for line counting
2021-04-07 14:52:51 +01:00
Mathias Vorreiter Pedersen
03b12dbc6d C++: Inline Location::isBefore. 2021-04-07 15:45:08 +02:00
Erik Krogh Kristensen
365b4d722d backtrack string-concatenations from shell-execution sinks 2021-04-07 15:34:54 +02:00
Taus
903f364dab Python: Improve CallCfgNode interface
Call nodes are always local sources (specifically sources of the return
value of the call), and so inheriting from `LocalSourceNode` will have
no effect on results, but _should_ make it a bit more smooth to use the
API.
2021-04-07 13:31:12 +00:00
CodeQL CI
073a43ce74 Merge pull request #5606 from erik-krogh/shellInput
Approved by esbena
2021-04-07 14:30:31 +01:00
Shati Patel
461d4e45af Merge pull request #5608 from shati-patel/docs/telemetry-settings
Docs: Mention telemetry in "customizing settings"
2021-04-07 13:44:32 +01:00
Erik Krogh Kristensen
c9f54ea1ad update expected output 2021-04-07 12:37:17 +00:00
Asger Feldthaus
ee13ff71d6 JS: Add another change note 2021-04-07 12:29:06 +01:00
Asger Feldthaus
26cddc7d04 JS: Update test output 2021-04-07 12:28:45 +01:00
Taus
6c69c1aeeb Python: Minor cleanup 2021-04-07 10:47:21 +00:00
Asger Feldthaus
69973d0fa2 JS: Autoformat 2021-04-07 11:24:11 +01:00
ihsinme
ed2a8db8c9 Add files via upload 2021-04-07 13:10:01 +03:00
ihsinme
9c3b7e81c7 Add files via upload 2021-04-07 13:10:00 +03:00
Erik Krogh Kristensen
a66083d685 change "Uncontrolled path" to "Path concatenation" 2021-04-07 08:23:07 +00:00
CodeQL CI
fd4e8f8282 Merge pull request #5526 from erik-krogh/quotedShell
Approved by esbena
2021-04-07 08:39:01 +01:00
CodeQL CI
61880ba90a Merge pull request #5530 from erik-krogh/moreFS
Approved by esbena
2021-04-07 08:37:23 +01:00
Robert Marsh
e22ec50dee Merge pull request #5613 from github/hmakholm/pr/fix-redos
Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
2021-04-06 15:54:27 -07:00
Taus
a93132daae Merge branch 'python-allow-absolute-imports-from-source-directory' of https://github.com/tausbn/codeql into python-allow-absolute-imports-from-source-directory 2021-04-06 19:58:57 +00:00
Taus
43ae7462b4 Python: Only track modules that are imported
This greatly restricts the set of modules that have a new name under
this scheme.

One change to the tests was needed, which reflects the fact that the
two `main.py` files no longer have the name `main` (which makes sense,
since they're never imported under this name).
2021-04-06 21:56:12 +02:00
Taus
b44db460f6 Python: Only track modules that are imported 2021-04-06 19:55:43 +00:00
Henning Makholm
2d615ef503 Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
The sub-regex `(\s|.)*` aims to capture arbitrary string content
(in contrast to `.*` which doesn't match newlines), but it is
unsafe, since non-newline whitespace can match both alternatives.

This caused an evaluator crash in the wild.

Replace with `[\s\S]*`, which matches everything in a safe way.
2021-04-06 20:10:57 +02:00
yo-h
cc63563a88 Merge remote-tracking branch 'upstream-public/main' into yo-h/java16 2021-04-06 13:16:02 -04:00
Taus Brock-Nannestad
8e11abca40 Revert "Merge pull request #5552 from RasmusWL/revert-import-change"
This reverts commit 49d1937dc4, reversing
changes made to d4877a9038.
2021-04-06 17:39:41 +02:00
Tamas Vajk
ffcb345916 C#: Add Dapper support to SQL injection queries 2021-04-06 17:06:20 +02:00
Shati Patel
9a41c80626 Merge pull request #5574 from github/smowton/admin/update-supported-go-version
Update supported Go version to 1.16
2021-04-06 14:54:36 +01:00
Shati Patel
695b02a94c Docs: Mention telemetry in "customizing settings" 2021-04-06 14:30:17 +01:00
Erik Krogh Kristensen
2c1cc9ead6 use local variable instead of module.exports in example
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-04-06 15:17:31 +02:00
Tom Hvitved
f45916efda Merge pull request #5605 from hvitved/csharp/exclude-dependency-queries
C#: Remove mentions of `exclude-dependency-queries.yml`
2021-04-06 14:58:49 +02:00
Mathias Vorreiter Pedersen
8382e85901 C++: Add flow into the source of read step and out of the target of a store step for smart pointers in AST dataflow. 2021-04-06 14:05:55 +02:00
Mathias Vorreiter Pedersen
f07d844362 C++: Add a test containing missing read/store dataflow steps for smart pointers. 2021-04-06 13:59:27 +02:00
Tamas Vajk
98001c494f C#: Add Dapper stub and new SqlInjection test cases 2021-04-06 13:30:31 +02:00
Erik Krogh Kristensen
41b89669a9 add joined paths as a sink to js/shell-command-constructed-from-input 2021-04-06 12:14:00 +02:00
Rasmus Wriedt Larsen
bc49bc7095 Python: Add variable with underscore to __all__ tests 2021-04-06 11:54:25 +02:00
Tom Hvitved
e0e58b24ea C#: Remove mentions of exclude-dependency-queries.yml 2021-04-06 11:50:36 +02:00
Rasmus Wriedt Larsen
224d3790b5 Python: Highlight all_indirect.py is not super important
At least not in my mind
2021-04-06 11:50:04 +02:00
Rasmus Wriedt Larsen
b11703cc74 Python: all_dybamic2 => all_indirect 2021-04-06 11:49:55 +02:00
Mathias Vorreiter Pedersen
5eb1f8abbd C++: Add change-note. 2021-04-06 11:47:57 +02:00
Rasmus Wriedt Larsen
0ebb24ebeb Merge pull request #5398 from yoff/python-api-enhancements
Python: Add small api enhancements determined useful during documentation work
2021-04-06 11:44:51 +02:00
Tom Hvitved
667b26b5d9 Merge pull request #5540 from hvitved/csharp/ssa-impl-tweaks
C#: Performance tweaks in `SsaImplCommon.qll`
2021-04-06 11:43:08 +02:00
Mathias Vorreiter Pedersen
a5f4d43d61 C++: Fix false positive by adding another allow-list pattern in AssignWhereCompareMeant. 2021-04-06 11:01:38 +02:00
Mathias Vorreiter Pedersen
7045597139 C++: Add testcase with false positive from #5318. 2021-04-06 10:58:15 +02:00
Erik Krogh Kristensen
c194598d37 recognize headers/url from the HTTP request to a server WebSocket. 2021-04-06 10:11:27 +02:00
Tom Hvitved
e852540254 C#: Remove unique wrappers from DataFlow::Node::get(EnclosingCallable|ControlFlowNode) 2021-04-06 09:56:09 +02:00
Rasmus Lerchedahl Petersen
c777f1d8d7 Merge branch 'main' of github.com:github/codeql into python-api-enhancements 2021-04-06 09:31:26 +02:00
Mathias Vorreiter Pedersen
32a8b9a857 C++: Move copy constructor to its own line and accept test changes. 2021-04-06 08:56:14 +02:00
yoff
a23d8deb10 Merge pull request #5483 from RasmusWL/minor-fixup-django
Python: Better text for getSourceType in Django
2021-04-06 08:30:58 +02:00
Asger Feldthaus
32500c834d JS: Change note 2021-04-01 16:41:03 +01:00
Asger Feldthaus
acc28df785 JS: Bugfix in tsconfig file inclusion handling 2021-04-01 16:33:05 +01:00
Asger Feldthaus
564a6873f8 JS: Add baseUrl test 2021-04-01 16:33:05 +01:00
Asger Feldthaus
c4ab6fb7b4 JS: Add ImportGraph meta query 2021-04-01 16:33:05 +01:00
Asger Feldthaus
f07030ba97 JS: Update AdditionalFlowStep -> SharedFlowStep 2021-04-01 13:16:47 +01:00
Asger Feldthaus
a9566728b5 JS: Update an import of Unit type 2021-04-01 13:16:47 +01:00
Asger Feldthaus
7119eda009 JS: Add redux change note 2021-04-01 13:16:47 +01:00
Asger Feldthaus
86bc0eb853 JS: Autoformat 2021-04-01 13:16:47 +01:00
Asger Feldthaus
b43989e6a1 JS: Use API nodes to track dispatch/dispatched value sources 2021-04-01 13:16:47 +01:00
Asger Feldthaus
2850b8e952 JS: Fix RangeAnalysis after BasicBlock.dominates change 2021-04-01 13:16:47 +01:00
Asger Feldthaus
cbfa5ad303 JS: Change type of a parameter 2021-04-01 13:16:47 +01:00
Asger Feldthaus
cee1a12489 JS: Fix typo in qldoc 2021-04-01 13:16:47 +01:00
Asger Feldthaus
c926a47d50 JS: QLDoc and test for HeuristicConnectEntryPoint 2021-04-01 13:16:47 +01:00
Asger Feldthaus
cca38a64be JS: Add test for flow to a closure body under a type guard 2021-04-01 13:16:46 +01:00
Asger Feldthaus
53def60e4f JS: Add test for if-based type check 2021-04-01 13:16:46 +01:00
Asger Feldthaus
1ce7c3448f JS: Address some review comments 2021-04-01 13:16:46 +01:00
Asger Feldthaus
fd7cbd0c96 JS: Tweak BasicBlock.dominates and friends 2021-04-01 13:16:46 +01:00
Asger Feldthaus
8fa3fb0561 JS: Redux model 2021-04-01 13:16:46 +01:00
Asger Feldthaus
314839fc09 JS: Add @reduxjs/toolkit to composed functions 2021-04-01 13:16:46 +01:00
Asger Feldthaus
c1651ad30c JS: Factor out Unit type 2021-04-01 13:16:46 +01:00
Asger Feldthaus
125d1465c8 JS: Add DataFlow::functionForwardingStep 2021-04-01 13:16:46 +01:00
Asger Feldthaus
a3421e7ab2 JS: Add getALocalUse 2021-04-01 13:16:45 +01:00
CodeQL CI
20416ae034 Merge pull request #5585 from asgerf/js/more-metadata
Approved by esbena
2021-04-01 13:13:01 +01:00
Asger Feldthaus
c96ee8671e JS: Update more query metadata 2021-04-01 12:15:54 +01:00
Luke Cartey
480ce39618 C#: Exclude jump-to-def information for elements with too many locations
In databases which include multiple duplicated files, we can get an
explosion of definition locations that can cause this query to produce
too many results for the CodeQL toolchain. This commit restricts the
definitions.ql query to producing definition/uses for definitions with
fewer than 10 locations. This replicates the logic used in the C++
definitions.qll library which faces similar problems.
2021-04-01 11:23:31 +01:00
CodeQL CI
a1fab8ac52 Merge pull request #5581 from asgerf/js/dependency-info
Approved by esbena
2021-04-01 09:07:21 +01:00
Shati Patel
36bdee0e8b Merge pull request #5571 from github/docs/bug-fix
Docs: Typo fix
2021-03-31 21:59:43 +01:00
Mathias Vorreiter Pedersen
ecbce88ec7 C++: Fix comment. 2021-03-31 22:23:50 +02:00
Rasmus Wriedt Larsen
95ac2c8edd Python: Add another dynamic __all__ test 2021-03-31 17:31:55 +02:00
CodeQL CI
f08a0e5653 Merge pull request #5580 from asgerf/js/more-metadata-fix
Approved by esbena
2021-03-31 16:29:33 +01:00
Rasmus Wriedt Larsen
ab3edf37d7 Python: Handle __all__ assigned to a tuple
Examples where this is used in real code:

- 76c0b32f82/django/core/files/temp.py (L24)
- 76c0b32f82/django/contrib/gis/gdal/__init__.py (L44-L49)
2021-03-31 17:25:19 +02:00
Rasmus Wriedt Larsen
43306f4700 Python: Add tests for Module.declaredInAll 2021-03-31 17:24:17 +02:00
Asger Feldthaus
8c8e4e6a70 JS: Add test 2021-03-31 16:17:54 +01:00
Asger Feldthaus
068a9d88e7 JS: Ensure Dependency.info() exists even if version range could not be parsed 2021-03-31 16:08:08 +01:00
Asger Feldthaus
c541390c1b JS: Remove precision tag from ExternalDependencies.ql 2021-03-31 13:54:15 +01:00
Mathias Vorreiter Pedersen
9ff894bf83 C++: Add support for AST dataflow out of functions that take a smart pointer by value. 2021-03-31 13:54:32 +02:00
Mathias Vorreiter Pedersen
e9e93c0eea Merge pull request #5558 from geoffw0/replace-tostring
Replace toString use
2021-03-31 13:50:41 +02:00
Geoffrey White
85ecfe2723 Update cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-03-31 11:34:56 +01:00
Mathias Vorreiter Pedersen
8159098dc0 C++: Add test from issue #5190. 2021-03-31 11:32:01 +02:00
Calum Grant
49d1937dc4 Merge pull request #5552 from RasmusWL/revert-import-change
Python: Revert #5506 due to bad performance
2021-03-31 09:51:39 +01:00
Asger F
d4877a9038 Merge pull request #5572 from asgerf/js/remove-flow-summary-kinds
JS: Change kind of summary-extraction queries to table
2021-03-31 09:28:56 +01:00
Asger Feldthaus
57784dc746 JS: Update test output 2021-03-31 09:23:47 +01:00
Chris Smowton
4f9b6d1192 Update supported Go version to 1.16 2021-03-31 08:56:27 +01:00
Asger Feldthaus
bc5b477f79 JS: Change kind of summary-extraction queries to table 2021-03-30 21:26:58 +01:00
Dave Bartolomeo
0cc8eaf3b4 Merge pull request #5543 from MathiasVP/smart-ptr-like-class
C++: Add a class that models wrapped pointer types
2021-03-30 16:00:13 -04:00
Rasmus Wriedt Larsen
51c27de049 Merge branch 'main' into revert-import-change 2021-03-30 21:51:53 +02:00
Shati Patel
b9788eb53c Merge pull request #5568 from shati-patel/docs-binding-sets
Docs: Mention that binding sets are available for classes
2021-03-30 18:08:23 +01:00
Sarita Iyer
649286995a Merge pull request #5562 from saritai/saritai/cli-remove-1.23-references
Remove Enterprise 1.23 special instructions and replace references
2021-03-30 13:07:42 -04:00
Shati Patel
fb004bacc3 Describe predicates first 2021-03-30 17:31:20 +01:00
Shati Patel
67835ee273 Address review comments 2021-03-30 17:29:43 +01:00
Shati Patel
23df459c16 remove accidental punctuation 2021-03-30 17:23:33 +01:00
Mathias Vorreiter Pedersen
fe76b0849b Merge pull request #5569 from geoffw0/memoryfree
C++: Add a test of memory freed queries with strdup.
2021-03-30 17:22:18 +02:00
Mathias Vorreiter Pedersen
92839123ae Merge pull request #5570 from geoffw0/mutextest
C++: Add mutex test cases.
2021-03-30 17:16:19 +02:00
Geoffrey White
a8284d5b97 C++: Add mutex test case. 2021-03-30 15:39:21 +01:00
Sarah Edwards
e0a73ce797 Merge pull request #5560 from skedwards88/patch-1
download LGTM database from a project slug
2021-03-30 06:58:28 -07:00
Geoffrey White
244966e216 C++: Add a test with strdup. 2021-03-30 14:49:05 +01:00
Shati Patel
62de15cd22 Docs: Mention that binding sets are available for classes 2021-03-30 14:46:59 +01:00
Asger Feldthaus
f8bbda0cdc JS: Change note 2021-03-30 13:54:01 +01:00
Asger Feldthaus
9db235ac36 JS: Improve @google-cloud/spanner model 2021-03-30 13:54:00 +01:00
Asger Feldthaus
35f294f096 JS: Improve sequelize model 2021-03-30 13:54:00 +01:00
Mathias Vorreiter Pedersen
4b51e22bb4 Merge pull request #5565 from geoffw0/avrule79
C++: Test strdup with AV rule 79
2021-03-30 14:34:46 +02:00
Geoffrey White
ec952248a9 C++: Test strdup with AV Rule 79. 2021-03-30 12:58:04 +01:00
Geoffrey White
f27203cc43 C++: Test spacing. 2021-03-30 12:57:43 +01:00
luchua-bc
1349bf7b0b Create a .qll file to reuse the code and add check of Spring properties 2021-03-30 11:25:29 +00:00
Asger Feldthaus
93500bd95a JS: Improve mssql model 2021-03-30 11:34:01 +01:00
Asger Feldthaus
95937c9ac7 JS: Improve sqlite3 model 2021-03-30 11:34:01 +01:00
Asger Feldthaus
0b21b273ed JS: Improve pg model 2021-03-30 11:33:59 +01:00
Asger Feldthaus
937a620f4d JS: Improve mysql2 model 2021-03-30 11:33:42 +01:00
CodeQL CI
e8d7925084 Merge pull request #5555 from asgerf/js/misc-steps
Approved by esbena
2021-03-30 11:30:12 +01:00
CodeQL CI
25e26b9ac0 Merge pull request #5554 from asgerf/js/non-recursive-propref
Approved by esbena
2021-03-30 11:29:32 +01:00
CodeQL CI
6cceb73807 Merge pull request #5553 from asgerf/js/pg-promise
Approved by esbena
2021-03-30 11:28:24 +01:00
Geoffrey White
d2b991bcb5 Merge pull request #5541 from MathiasVP/definitions-for-unique_ptr
C++: Add shared_ptr and unique_ptr implementations
2021-03-30 09:47:56 +01:00
Mathias Vorreiter Pedersen
09ba25fe9b C++: Accept test changes. I'm actually not sure why we lose these results (and lose the field conflation, yay) It might be due to #3364. 2021-03-30 10:24:01 +02:00
Mathias Vorreiter Pedersen
8c95a9ae39 Merge branch 'main' into definitions-for-unique_ptr 2021-03-30 10:20:36 +02:00
Laura Coursen
2dadc752d6 Merge pull request #5563 from lecoursen/stronger-rec-to-use-lgtm.com-branch
Make stronger recommendations around the use of the lgtm.com branch
2021-03-29 14:29:24 -05:00
Laura Coursen
d57ec5d1ac Merge branch 'stronger-rec-to-use-lgtm.com-branch' of https://github.com/lecoursen/codeql into stronger-rec-to-use-lgtm.com-branch 2021-03-29 14:05:46 -05:00
Laura Coursen
e3b052199a Suggest lgtm.com branch first 2021-03-29 14:04:59 -05:00
Laura Coursen
eb01ffbdae Use correct terminology
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2021-03-29 14:03:30 -05:00
Ethan Palm
2f98212eca Merge pull request #5561 from ethanpalm/fix-broken-links
Fix broken links
2021-03-29 14:28:49 -04:00
Laura Coursen
8f1c7c57a8 Add 💅 2021-03-29 12:53:16 -05:00
Ethan P
909dc84bb6 Update broken link 2021-03-29 13:46:45 -04:00
Laura Coursen
a18cd74756 Fix typo 2021-03-29 12:42:09 -05:00
Laura Coursen
21576387f3 Add 💅 2021-03-29 12:41:48 -05:00
Laura Coursen
50523e0ac0 Clarify use cases for lgtm.com branch 2021-03-29 12:40:31 -05:00
Ethan P
d126c0a1d3 Fix broken links 2021-03-29 13:38:04 -04:00
Sarita Iyer
3db5dd4661 removed 1.23 instructions and replaced references
Removed special instructions for LGTM 1.23, and replaced leftover references to 1.23 with 1.27.
2021-03-29 13:37:55 -04:00
Sarah Edwards
108bcef104 download LGTM database from a project slug 2021-03-29 10:37:00 -07:00
Henry Mercer
0f710b1981 Merge pull request #5545 from github/henrymercer/ql-pack-version-doc-update
CodeQL CLI Docs: Mention that QL packs use SemVer versioning
2021-03-29 18:18:45 +01:00
Calum Grant
c26d05b1d5 Merge pull request #5532 from RasmusWL/python-cleanup
Python: Delete filter queries, code duplication library, and precision tag from metric queries
2021-03-29 17:16:43 +01:00
Mathias Vorreiter Pedersen
5a4efab742 C++: Add tests for shared_ptr. 2021-03-29 18:04:20 +02:00
Rasmus Wriedt Larsen
96a66fa4ee Python: Apply suggestions from code review 2021-03-29 17:02:56 +02:00
Asger Feldthaus
67ad6d9a0f JS: Update test output 2021-03-29 15:30:29 +01:00
Asger Feldthaus
faf07dac91 JS: Autoformat 2021-03-29 14:52:37 +01:00
Asger Feldthaus
3e26236648 JS: Add recursion guard test 2021-03-29 14:32:13 +01:00
Asger Feldthaus
2770a53d38 JS: More babel.transform steps 2021-03-29 13:00:23 +01:00
Asger Feldthaus
c103939c2d JS: Fix handling of createRequire 2021-03-29 12:47:23 +01:00
Asger Feldthaus
49ca88957c JS: Use types 2021-03-29 12:25:15 +01:00
Asger Feldthaus
603843e698 JS: Add task tests 2021-03-29 12:05:47 +01:00
CodeQL CI
3613ceb07f Merge pull request #5535 from tausbn/python-prevent-bad-TCs
Approved by yoff
2021-03-29 12:03:08 +01:00
Asger F
f1d0b50670 Update javascript/ql/src/semmle/javascript/frameworks/SQL.qll
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-03-29 11:54:45 +01:00
Asger Feldthaus
f453fe26c6 JS: Autoformat 2021-03-29 11:28:46 +01:00
Asger Feldthaus
b381f4826c JS: Add change note 2021-03-29 11:25:28 +01:00
Asger Feldthaus
149af57eac JS: Add model of pg-promise 2021-03-29 11:25:28 +01:00
Asger Feldthaus
88fee2748e JS: Add change note 2021-03-29 11:21:03 +01:00
haby0
0775d35591 update VerificationMethodFlowConfig, add if test 2021-03-29 12:02:37 +08:00
ihsinme
3f215d0954 Update OperatorPrecedenceLogicErrorWhenUseBoolType.ql 2021-03-28 23:43:22 +03:00
ihsinme
093c63ea3b Update OperatorPrecedenceLogicErrorWhenUseBoolType.expected 2021-03-28 23:42:36 +03:00
luchua-bc
5ce3f9d6ff Update qldoc and enhance the query 2021-03-28 16:10:35 +00:00
Rasmus Wriedt Larsen
92e0e195a4 Revert "Merge pull request #5506 from tausbn/python-allow-absolute-imports-from-source-directory"
This reverts commit 8d15680af4, reversing
changes made to 63831cc62b.

This PR caused performance problems, so reverting now to clear up immediate
problems.
2021-03-27 18:08:20 +01:00
luchua-bc
a53cbc1631 Update qldoc and make the query more readable 2021-03-27 00:11:01 +00:00
Geoffrey White
c6e7b8d4fd C++: Repair test. 2021-03-26 19:12:09 +00:00
Geoffrey White
4100d68a71 C++: Test failures. 2021-03-26 18:21:05 +00:00
Geoffrey White
725122decc C++: Replace toString logic. 2021-03-26 17:29:05 +00:00
luchua-bc
a72b1340eb Add a comment on how to run the query 2021-03-26 16:51:43 +00:00
Taus Brock-Nannestad
f17bbd9982 Python: Fix another bad TC.
This one is a bit awkward, since the previous version was supposed to
improve indexing. Unfortunately this is vastly outweighed by the slow
convergence of the TC. Right now we pay the cost of inverting the
`hasFlowSource` relation, but this is still cheaper.
2021-03-26 16:38:13 +01:00
Henry Mercer
c83daa66e7 CodeQL CLI Docs: Mention that QL packs use SemVer versioning 2021-03-26 15:30:23 +00:00
Mathias Vorreiter Pedersen
b466f0515d C++: Respond to more review comments. (1) Use getClassAndName to ensure a good join order, and (2) unify the two abstract predicates on PointerWrapper. 2021-03-26 16:16:23 +01:00
Mathias Vorreiter Pedersen
0ce08617ba C++: Respond to review comments. 2021-03-26 13:42:18 +01:00
Tom Hvitved
e345064a53 C#: Performance tweaks in SsaImplCommon.qll 2021-03-26 13:24:34 +01:00
Jonas Jensen
7f16c52217 Merge pull request #3364 from github/rdmarsh/cpp/use-taint-configuration-dtt
C++: use TaintTracking::Configuration in DefaultTaintTracking
2021-03-26 12:39:25 +01:00
Tom Hvitved
1dbfe2369d Merge pull request #5542 from hvitved/csharp/update-suites
C#: Remove deleted queries from suites
2021-03-26 12:13:09 +01:00
CodeQL CI
f584ff9acf Merge pull request #5533 from asgerf/js/fix-query-metadata
Approved by esbena
2021-03-26 11:09:54 +00:00
Mathias Vorreiter Pedersen
8dc7b6403a C++: Add shared_ptr and unique_ptr implementations. Also add some very basic tests. 2021-03-26 12:03:59 +01:00
Mathias Vorreiter Pedersen
d20a0c9e82 C++: Add a class that models wrapped pointer types. 2021-03-26 11:50:06 +01:00
Asger Feldthaus
cc2a531684 JS: Cache PropRef.getBase 2021-03-26 10:48:25 +00:00
Tom Hvitved
9d1ef21d85 C#: Remove deleted queries from suites 2021-03-26 11:17:27 +01:00
Mathias Vorreiter Pedersen
c7c65736a9 C++: Accept test changes. These happened because of the incorrect usage of multiple configurations in 6c1ec6d96b. 2021-03-26 10:57:58 +01:00
Jonas Jensen
86755c6a98 Merge pull request #5515 from criemen/fix-query-metadata
C++: Fix query metadata warnings.
2021-03-26 10:19:46 +01:00
Anders Schack-Mulligen
506c95d098 Merge pull request #5372 from smowton/smowton/feature/commons-lang-models-to-csv
Java: Convert existing Commons Lang models to CSV
2021-03-26 10:18:23 +01:00
Tom Hvitved
d4ce42ac4f Merge pull request #5416 from hvitved/csharp/rework-summaries
C#: Rework flow summary implementation
2021-03-26 09:47:15 +01:00
Tom Hvitved
e93b72d563 Merge pull request #5459 from hvitved/csharp/update-nuget
C#: Update more nuget packages
2021-03-26 09:28:09 +01:00
Mathias Vorreiter Pedersen
983b64a05f Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-26 09:11:12 +01:00
Tom Hvitved
57fd2e3578 C#: Rename parameter in fieldOf() 2021-03-26 08:49:06 +01:00
luchua-bc
d33b04cd96 Query to detect plaintext credentials in Java properties files 2021-03-26 02:33:40 +00:00
Porcuiney Hairs
2ca95166d9 Java : add query to detect insecure loading of Dex File 2021-03-26 01:59:11 +05:30
yoff
208d5157fa Merge pull request #5500 from RasmusWL/django-forms
Python: Model RemoteFlowSources on Django forms/fields
2021-03-25 20:43:19 +01:00
Taus Brock-Nannestad
c2f112cb92 Python: Filter _before_ the cartesian product
It's always a sad thing to see a good plan go wrong:

86860032 ~0%      {4} r26 = JOIN r19 WITH DataFlowPublic::TupleElementContent#class#ff CARTESIAN PRODUCT OUTPUT Lhs.0 'nodeFrom', Lhs.1 'nodeTo', Rhs.0, Rhs.1
129256   ~3%      {4} r27 = SELECT r26 ON In.3 <= 7
129256   ~0%      {3} r28 = SCAN r27 OUTPUT In.0 'nodeFrom', In.2 'c', In.1 'nodeTo'

Happily, now it looks like this:

129256  ~0%      {3} r20 = JOIN r19 WITH DataFlowPrivate::small_tuple#f CARTESIAN PRODUCT OUTPUT Lhs.0 'nodeFrom', Rhs.0, Lhs.1 'nodeTo'
2021-03-25 19:06:05 +01:00
Erik Krogh Kristensen
5e59f6d558 Update javascript/ql/src/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentCustomizations.qll
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2021-03-25 19:03:37 +01:00
Taus Brock-Nannestad
8734df334b Python: Slight cleanup 2021-03-25 18:35:16 +01:00
Taus Brock-Nannestad
229250dc54 Python: Limit size of TupleElementContent
A more principled approach is possible here, but in the short term
this will prevent an explosion.

For reference, openstack/cinder has roughly 19000 `ForTarget`s and
tuples of size up to 5300, and we were calculating the cartesian
product of these.
2021-03-25 18:28:49 +01:00
yoff
716e0f1404 Merge pull request #5517 from tausbn/python-prevent-potentially-bad-join-order
Python: Prevent potentially bad join order
2021-03-25 18:14:47 +01:00
Tom Hvitved
f100c8a9c0 C++: Make Windows autobuilder tests pass again 2021-03-25 17:43:48 +01:00
Tom Hvitved
ed78acb1d4 C#: Update more nuget packages 2021-03-25 17:32:12 +01:00
Taus Brock-Nannestad
dbef36cbbb Python: Prevent bad TC and add a bit of caching
Using `simpleLocalFlowStep+` with the first argument specialised to
`CfgNode` was causing the compiler to turn this into a very slowly
converging manual TC computation.

Instead, we use `simpleLocalFlowStep*` (which is fast) and then join
that with a single step from any `CfgNode`. This should amount to the
same thing.

I also noticed that the charpred for `LocalSourceNode` was getting
recomputed a lot, so this is now cached. (The recomputation was
especially bad since it relied on `simpleLocalFlowStep+`, but anyway
it's a good idea not to recompute this.)
2021-03-25 17:28:37 +01:00
Chris Smowton
eaa2d4d831 Stop using wildcard Argument
All instances are replaced with a specific Argument or range.
2021-03-25 15:42:35 +00:00
Chris Smowton
2f34588770 Constructor models: use Argument[-1] for the result, not ReturnValue 2021-03-25 15:23:08 +00:00
Asger Feldthaus
a456458a38 JS: Add change note for code duplication library removal 2021-03-25 15:21:48 +00:00
Asger Feldthaus
446ad5ec9e JS: Remove code duplication library 2021-03-25 15:20:59 +00:00
Asger Feldthaus
c812bd948a JS: Add @problem.severity to an example query 2021-03-25 15:14:48 +00:00
Asger Feldthaus
7aae51c876 JS: Add change note for filter query removal 2021-03-25 15:13:51 +00:00
Anders Schack-Mulligen
28fb0edfbe Merge pull request #4920 from luchua-bc/java/hash-without-salt
Java: Query to detect hash without salt
2021-03-25 16:13:26 +01:00
Asger Feldthaus
6cab85712f JS: Delete filter queries 2021-03-25 15:12:35 +00:00
Asger Feldthaus
1c27ca610a JS: Remove precision atags from metric queries 2021-03-25 15:12:09 +00:00
Chris Smowton
a5220bf616 Convert StrBuilder models to CSV 2021-03-25 15:11:52 +00:00
Chris Smowton
25a0e09130 Convert StringUtils models to CSV 2021-03-25 15:11:52 +00:00
Chris Smowton
1beac06236 Translate ArrayUtils models to CSV 2021-03-25 15:11:51 +00:00
Chris Smowton
7fb5bd0cab Add tests for and slightly expand models of Commons Lang's ArrayUtils class 2021-03-25 15:11:51 +00:00
Rasmus Wriedt Larsen
9abe02f419 Python: Fix query metadata for old queries that have been ported
I'm not sure even I want to keep these around much longer. They seem to be
causing more problem than they are doing good.
2021-03-25 16:01:56 +01:00
Jonas Jensen
bc9682c22d Merge pull request #5528 from MathiasVP/fix-join-order-in-avrule-79
C++: Fix join order in AV rule 79
2021-03-25 15:45:41 +01:00
Rasmus Wriedt Larsen
ed2cb739c5 Merge pull request #5486 from yoff/python-document-api-import-node
Python, doc: Note ephemeral nature of import nodes
2021-03-25 15:45:10 +01:00
Anders Schack-Mulligen
344c2d3c3d Update java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql 2021-03-25 15:42:57 +01:00
Tom Hvitved
90868a4788 Merge pull request #5524 from hvitved/csharp/cleanup
C#: Remove legacy queries and `@precision` tags from metric queries
2021-03-25 15:36:12 +01:00
Rasmus Wriedt Larsen
203b0e3d88 Python: Add change note 2021-03-25 15:34:09 +01:00
Tom Hvitved
cdd613358b C#: Sync SSA files 2021-03-25 15:33:06 +01:00
Tom Hvitved
7e20829f36 Merge remote-tracking branch 'upstream/main' into csharp/rework-summaries 2021-03-25 15:32:32 +01:00
Tom Hvitved
6a3859fc83 C#: Remove unnecessary pre call in FlowSummaryImpl.qll 2021-03-25 15:31:43 +01:00
Rasmus Wriedt Larsen
bd4934380a Python: Remove code duplication library 2021-03-25 15:27:55 +01:00
Tom Hvitved
33c990f6b0 Merge pull request #5440 from hvitved/csharp/cil/ssa
C#: Add CIL SSA library
2021-03-25 15:22:40 +01:00
Erik Krogh Kristensen
3d49b8cb91 consider quoted string concatenations as sanitizers for js/shell-command-injection-from-environment 2021-03-25 15:17:02 +01:00
yo-h
0fe4baec34 Merge pull request #5525 from aschackmull/java/cleanup
Java: Delete filter queries, code duplication library, and precision tag from metric queries.
2021-03-25 10:09:41 -04:00
Rasmus Wriedt Larsen
09fbf480db Python: Remove precision tag from metric queries 2021-03-25 15:06:47 +01:00
Rasmus Wriedt Larsen
e3b2e0a1de Python: Delete filter queries 2021-03-25 15:06:46 +01:00
Erik Krogh Kristensen
3b82452d76 detect fs modules that pass through a reduce call 2021-03-25 14:47:43 +01:00
Anders Schack-Mulligen
75afa011ff Java: Add metadata to several more experimental queries. 2021-03-25 13:09:26 +01:00
CodeQL CI
e90035a5a5 Merge pull request #5439 from erik-krogh/topPack
Approved by esbena
2021-03-25 11:49:03 +00:00
Mathias Vorreiter Pedersen
24360d3a4c C++: Fix join order in AV rule 79 by joining with GVN after the recursive call. 2021-03-25 12:00:49 +01:00
Erik Krogh Kristensen
77ba7b473d Merge branch 'main' into topPack 2021-03-25 11:52:58 +01:00
CodeQL CI
0511e72520 Merge pull request #5458 from erik-krogh/shellTrue
Approved by asgerf
2021-03-25 10:49:24 +00:00
luchua-bc
57bd3f3c14 Optimize the taint flow source 2021-03-25 10:44:26 +00:00
Tom Hvitved
6bfc49c069 C#: Address review comments 2021-03-25 11:43:25 +01:00
yoff
32b264bdee Apply suggestions from code review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2021-03-25 10:48:59 +01:00
Anders Schack-Mulligen
d53c334488 Merge branch 'java/fix-experimental-query-metadata' into java/cleanup 2021-03-25 10:36:36 +01:00
Anders Schack-Mulligen
28ff3f412d Java: Add severity and precision metadata to experimental queries. 2021-03-25 10:29:47 +01:00
Cornelius Riemenschneider
867471b122 C++: Delete old queries. 2021-03-25 10:23:17 +01:00
CodeQL CI
9d52db3ca7 Merge pull request #5507 from erik-krogh/joins
Approved by asgerf
2021-03-25 09:18:26 +00:00
Anders Schack-Mulligen
5b905cfe18 Java: Add change note for code duplication library removal. 2021-03-25 10:12:58 +01:00
Anders Schack-Mulligen
1564aee57a Java: Add change note for filter query removal. 2021-03-25 10:11:30 +01:00
Anders Schack-Mulligen
c82b5eb040 Java: Remove code duplication library. 2021-03-25 10:06:10 +01:00
Asger Feldthaus
dbc6cf63c2 JS: Fix bad join order in PropertyProjection 2021-03-25 09:00:10 +00:00
Asger Feldthaus
bd3f6d1234 JS: Add o[o.length] = y taint step 2021-03-25 09:00:10 +00:00
Asger Feldthaus
51f489211b JS: Support react-native-base64 2021-03-25 09:00:10 +00:00
Asger Feldthaus
5d9778c64d JS: Step through babel.transform 2021-03-25 09:00:10 +00:00
Asger Feldthaus
3e67ebacb0 JS: Support lodash-es 2021-03-25 09:00:10 +00:00
Erik Krogh Kristensen
3b6b40489f Merge branch 'main' into topPack 2021-03-25 09:58:15 +01:00
Anders Schack-Mulligen
4b7440d4d5 Java: Remove precision tag from metric queries. 2021-03-25 09:52:05 +01:00
Tom Hvitved
419fbe77ab C#: Remove @precision tags from metric queries 2021-03-25 09:50:24 +01:00
Tom Hvitved
b83da2255c C#: Add change note 2021-03-25 09:50:24 +01:00
Tom Hvitved
b94c189946 C#: Remove VulnerablePackage.ql query 2021-03-25 09:50:24 +01:00
Tom Hvitved
7e33b571c9 C#: Add change note 2021-03-25 09:50:24 +01:00
Tom Hvitved
eeb8c74666 C#: Remove filter and external queries
These are legacy queries that are no longer used.
2021-03-25 09:50:01 +01:00
Anders Schack-Mulligen
70824b3f0b Java: Delete filter queries. 2021-03-25 09:47:31 +01:00
Esben Sparre Andreasen
801eb538db Merge pull request #5514 from github/aibaars/fix-javascript-metadata
Javascript: remove bad QLDoc tag
2021-03-25 08:56:08 +01:00
luchua-bc
fe0e7f5eac Change method check to taint flow 2021-03-25 01:45:13 +00:00
luchua-bc
08c3bf26d5 Update the query to accommodate more cases 2021-03-24 23:32:27 +00:00
Taus Brock-Nannestad
0ae8b69102 Python: Prevent joining on scope in PointsToContext::appliesTo
One of those cases where I _wish_ `pragma[inline]` also meant "don't
join on the stuff inside this predicate -- it's inlined for a reason".

Unsurprisingly, joining on the scope first works poorly.
2021-03-24 23:12:48 +01:00
Taus Brock-Nannestad
28d6cad3d0 Python: Prevent joining on name as the first thing
Many instances of `lookup` are restricted by the presence of
`attributeRequired`, but this does not work well if we join on
`name`. A few instances of `only_bind_into` prevents this.
2021-03-24 23:11:09 +01:00
yo-h
72ae902e0d Merge pull request #5371 from aschackmull/java/framework-coverage
Java: Add query for CSV framework coverage.
2021-03-24 17:36:13 -04:00
Erik Krogh Kristensen
c146b27c1a Merge branch 'main' into shellTrue 2021-03-24 20:09:23 +01:00
CodeQL CI
8ff9c98d26 Merge pull request #5449 from erik-krogh/asExec
Approved by esbena
2021-03-24 19:04:30 +00:00
Aditya Sharad
32dc894d54 Merge pull request #5516 from github/adityasharad/actions/remove-docs-review-workflow
Actions: Remove docs-review workflow
2021-03-24 11:48:03 -07:00
Aditya Sharad
a0465d20cb Actions: Remove docs-review workflow
Being replaced by internal automation that polls the repo for open labelled PRs, since this workflow currently cannot tag the docs team in a comment.
2021-03-24 11:26:00 -07:00
Taus Brock-Nannestad
ed8ffab356 Python: Prevent potentially bad join order
This has no effect on the current compilation (indeed,
`ssa_filter_definition_bool` is not currently inlined), but will
prevent this from ever occurring, should the heuristics for inlining
ever change...
2021-03-24 19:20:19 +01:00
Cornelius Riemenschneider
47530d7526 C++: Fix query metadata warnings. 2021-03-24 18:01:21 +01:00
Arthur Baars
b25dc03dac Javascript: remove bad QLDoc tag 2021-03-24 16:47:27 +01:00
Asger Feldthaus
e13a9c9716 JS: Avoid recursion through SourceNode::Range, again 2021-03-24 15:26:50 +00:00
Anders Schack-Mulligen
d3485cac34 Merge pull request #5512 from aschackmull/java/csv-argument-ranges
Java: Support argument and parameter ranges in CSV models.
2021-03-24 15:03:22 +01:00
yoff
8d15680af4 Merge pull request #5506 from tausbn/python-allow-absolute-imports-from-source-directory
Python: Allow absolute imports in directories with scripts
2021-03-24 14:42:14 +01:00
Anders Schack-Mulligen
4955f95f64 Apply suggestions from code review
Clarify documentation.

Co-authored-by: Chris Smowton <smowton@github.com>
2021-03-24 14:32:18 +01:00
Anders Schack-Mulligen
63831cc62b Merge pull request #5099 from porcupineyhairs/javaLogInjection
Java : Add Log Injection Vulnerability
2021-03-24 14:30:34 +01:00
yoff
b023d73016 Merge pull request #5504 from RasmusWL/type-tracking-first-predicate-private
Python: Ensure first type-tracking predicate is private
2021-03-24 14:23:27 +01:00
Rasmus Wriedt Larsen
1473778bb8 Merge pull request #5493 from yoff/python-add-experimental-structure
Python: Add stub structure to `experimental` for external contributions
2021-03-24 14:11:13 +01:00
Rasmus Wriedt Larsen
70974ea197 Python: Fix grammar in QLDoc
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-03-24 14:06:06 +01:00
Taus Brock-Nannestad
47686a6e4c Python: Disregard all files matching .py% 2021-03-24 14:03:00 +01:00
Taus Brock-Nannestad
8d30ee5c3c Python: Include unmarked Python file in snapshot
Sadly, it seems we're not interpreting this as Python code, even if we
explicitly ask to have it included.
2021-03-24 14:01:13 +01:00
Anders Schack-Mulligen
a1ccbcdaf1 Merge pull request #5260 from artem-smotrakov/spring-http-invoker
Java: Query for detecting unsafe deserialization with Spring exporters
2021-03-24 13:57:17 +01:00
Asger Feldthaus
de879c0707 JS: Make PropRef.getBase non-recursive 2021-03-24 12:57:16 +00:00
Asger Feldthaus
2f2d72f282 JS: Improve react-router support 2021-03-24 12:53:26 +00:00
Asger Feldthaus
88932a495c JS: Handle redux-form HOCs 2021-03-24 12:53:26 +00:00
Rasmus Wriedt Larsen
59200386a7 Python: Fix mistake in refactor 2021-03-24 13:51:29 +01:00
Tom Hvitved
f2fb26df37 C#: Document input/output stack restrictions 2021-03-24 13:48:32 +01:00
CodeQL CI
e3ab94fc6b Merge pull request #5498 from asgerf/js/flow-through-accessors
Approved by erik-krogh, max-schaefer
2021-03-24 12:46:05 +00:00
Anders Schack-Mulligen
41168e2b36 Java: Support argument and parameter ranges. 2021-03-24 13:32:30 +01:00
Anders Schack-Mulligen
234f62fd05 Java: Merge packages that likely belong to the same framework. 2021-03-24 13:17:04 +01:00
Taus Brock-Nannestad
6d86239929 Python: Test all cases
Note that the test in `no_py_extension` isn't complete, since we're
not extracting the `main` file there.
2021-03-24 13:15:59 +01:00
Erik Krogh Kristensen
9610ed163a remove SourceNode type to preserve behavior 2021-03-24 11:59:56 +01:00
CodeQL CI
12a6410a0a Merge pull request #5478 from asgerf/js/shared-flow-step
Approved by erik-krogh
2021-03-24 10:58:30 +00:00
Tom Hvitved
c5c80204d5 C#: Rework flow summary implementation 2021-03-24 11:27:01 +01:00
Tom Hvitved
c96b8301ed C#: Add change note 2021-03-24 09:58:44 +01:00
haby0
3df23eecb6 Merge remote-tracking branch 'upstream/main' into JsonHijacking 2021-03-24 15:52:01 +08:00
Anders Schack-Mulligen
02a5c0875e Merge pull request #5502 from smowton/smowton/fix/less-fluent-method-inferred-edges
Java: partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge.
2021-03-24 08:41:51 +01:00
Rasmus Lerchedahl Petersen
a9af135d7e Python: Remove getALocalTaintSource
and `taintFlowsTo` for now..
2021-03-24 01:22:21 +01:00
yoff
ac0430883a Update docs/codeql/codeql-language-guides/using-api-graphs-in-python.rst
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-03-24 01:08:12 +01:00
yoff
61cff8faed Update python/ql/src/experimental/semmle/python/Concepts.qll
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-03-24 01:06:03 +01:00
Erik Krogh Kristensen
b8bfdcc719 improve performance in ServiceDefinitions by inlining, and refactoring away a SourceNode 2021-03-23 19:13:40 +01:00
Erik Krogh Kristensen
93bcc3724a use pragma to improve 2 join-orders in TaintTracking 2021-03-23 19:12:33 +01:00
Taus Brock-Nannestad
17d1768259 Python: Allow absolute imports in directories with scripts
Fixes the import logic to account for absolute imports.

We do this by classifying which files and folders may serve as the
entry point for execution, based on a few simple heuristics. If the
file `module.py` is in the same folder as a file `main.py` that may be
executed directly, then we allow `module` to be a valid name for
`module.py` so that `import module` will work as expected.
2021-03-23 18:32:17 +01:00
Taus Brock-Nannestad
4289e358bf Python: Add module import test case
This one will require some explanation...

First, the file structure. This commit adds a test consisting
representing a few different kinds of imports.

- Absolute imports, from `module.py` to `main.py` when the latter is
  executed directly.
- A package (contained in the `package` folder)
- A namespace package (contained in the `namespace_package` folder)

All of these are inside a folder called `code` for reasons I will
detail later.

The file `main.py` is identified as a script, by the presence of the
`!#` comment in its first line.

The files themselves are executable, and `python3 main.py` will print
out all modules in the order they are imported.

The test itself is very simple. It simply lists all modules and their
corresponding names. As is plainly visible, without modification we
only pick up `package` and its component modules as having names. This
is the bit that needs to be fixed.

Convincing the test runner to extract this test in a way that mimics
reality is, unfortunately, a bit complicated. By default, the test
runner itself includes any Python files in the test directory as
modules in the invocation of the extractor, and so we must hide
everything in the `code` subdirectory.

Secondly, a `--path` argument (set to the test directory) is
automatically added, and this would also interfere with extraction,
and hence we must prevent this. Luckily, if we supply our own `--path`
argument -- even if it doesn't make any sense -- then the other
argument is left out.

Finally, we must actually tell the extractor to extract the files (or
it would just happily pass the test with zero files extracted), so the
`-R .` argument ensures that we recurse over the files in the test
directory after all.
2021-03-23 18:21:58 +01:00
Tom Hvitved
6d6150d051 C#: Change some data-flow toString()s 2021-03-23 16:42:58 +01:00
Rasmus Wriedt Larsen
deefbefffc Python: Minor refactor to use CallCfgNode 2021-03-23 16:42:41 +01:00
Rasmus Wriedt Larsen
1f5e52e822 Python: Cleanup "first" type-tracking predicate to be private
Since it's exposed nicely in the version that doesn't have a
`DataFlow::TypeTracker` parameter, these should be private.

Also found one instance where I had accidentially used DataFlow::Node instead of
LocalSourceNode
2021-03-23 16:40:56 +01:00
Asger Feldthaus
98cee7d339 JS: Update Collection step test and its output 2021-03-23 14:53:15 +00:00
Asger Feldthaus
c067d519d9 JS: Inline some public predicates in GlobalAccessPaths 2021-03-23 14:53:15 +00:00
Asger Feldthaus
61e89d4841 JS: Cache StepSummary and PropertyName 2021-03-23 14:53:14 +00:00
Asger Feldthaus
0056c39bdd JS: Deprecate AdditionalFlowStep 2021-03-23 14:53:14 +00:00
Asger Feldthaus
9e6aac8ef4 JS: Deprecate CollectionFlowStep 2021-03-23 14:53:14 +00:00
Asger Feldthaus
f8f3770a58 JS: BadRandomness can just use type-tracking now 2021-03-23 14:53:14 +00:00
Asger Feldthaus
52c2e37aca JS: Update CollectionStep usage in HTTP 2021-03-23 14:53:14 +00:00
Asger Feldthaus
2759d53f42 JS: SetKeys 2021-03-23 14:53:14 +00:00
Asger Feldthaus
c5ddd40dc3 JS: MapAndSetValues 2021-03-23 14:53:14 +00:00
Asger Feldthaus
9abaad65c6 JS: MapSet 2021-03-23 14:53:14 +00:00
Asger Feldthaus
530be38b84 JS: MapGet 2021-03-23 14:53:14 +00:00
Asger Feldthaus
4a45731c85 JS: SetMapForEach 2021-03-23 14:53:14 +00:00
Asger Feldthaus
c9c99464cf JS: ForOfStep (unify with Arrays version) 2021-03-23 14:53:13 +00:00
Asger Feldthaus
1a5eede39f JS: SetConstructor 2021-03-23 14:53:13 +00:00
Asger Feldthaus
5c9a239776 JS: SetAdd 2021-03-23 14:53:13 +00:00
Asger Feldthaus
98398a9efd JS: add two-prop version of loadStoreStep and infer pseudo properties
Initial step towards migrating CollectionFlowStep to PreCallGraphStep
2021-03-23 14:53:13 +00:00
Asger Feldthaus
67ec5d325c JS: Stop caching AdditionalFlowStep 2021-03-23 14:53:13 +00:00
Asger Feldthaus
adaf3234ec JS: IteratorExceptionStep 2021-03-23 14:53:13 +00:00
Asger Feldthaus
7021be05c5 JS: FlowStepThroughImport 2021-03-23 14:53:13 +00:00
Asger Feldthaus
52279d4bea JS: Rename some test predicates to reflect reality 2021-03-23 14:53:13 +00:00
Asger Feldthaus
fae907df65 JS: Update some uses in tests 2021-03-23 14:53:13 +00:00
Asger Feldthaus
bda074835e JS: Replace uses in ExternalApiUsedWithUntrustedData 2021-03-23 14:53:12 +00:00
Asger Feldthaus
2012e97842 JS: NextJSStaticReactComponentPropsStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
64c7d4e597 JS: NextJSStaticPropsStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
0035defd72 JS: ExceptionStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
5051f10586 JS: ImmutableConstructionStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
3e54136086 JS: Rename EventEmitterFlowStep to reflect reality 2021-03-23 14:53:12 +00:00
Asger Feldthaus
5fe3c1a0a9 JS: EventEmitterTaintStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
3a2f87f0a7 JS: AdditionalTypeTrackingStep -> SharedTypeTrackingStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
b8049f19e2 JS: SharedFlowStepFromPreCallGraph 2021-03-23 14:53:12 +00:00
Asger Feldthaus
8f750d4ad3 JS: UrlSearchParamsTaintStep 2021-03-23 14:53:12 +00:00
Asger Feldthaus
f84a05526d JS: ArraySliceStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
633152940c JS: ArrayConcatStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
17d1e6d614 JS: ArraySpliceStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
5d6c6b4b9b JS: ArrayCreationStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
5bfd2ad07f JS: ArrayPopStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
36a8134490 JS: ArrayIndexingAccess 2021-03-23 14:53:11 +00:00
Asger Feldthaus
b7ae62c3a3 JS: ArrayAppendStep 2021-03-23 14:53:11 +00:00
Asger Feldthaus
1c815f12da JS: ArrayCopySpread 2021-03-23 14:53:11 +00:00
Asger Feldthaus
151420fd0f JS: ArrayFrom 2021-03-23 14:53:11 +00:00
Asger Feldthaus
e42f8439de JS: Replace uses of AdditionalFlowStep with SharedFlowStep 2021-03-23 14:53:10 +00:00
Asger Feldthaus
24539dc0ee JS: Remove unneeded default case in loadStoreStep 2021-03-23 14:53:10 +00:00
CodeQL CI
a43bb1fb6d Merge pull request #5499 from asgerf/js/non-recursive-sourcenode
Approved by erik-krogh
2021-03-23 14:52:10 +00:00
Asger Feldthaus
23d2f11840 JS: Handle inheritance 2021-03-23 14:39:37 +00:00
Chris Smowton
fa90655dd0 Partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge.
Previously we would also take a taint edge targeting a result and a value-preserving edge propagating another argument to the result to imply a taint edge targeting that argument.
2021-03-23 14:35:03 +00:00
Asger Feldthaus
3d94ccf5dd JS: Support accessor-calls in object literals via local flow 2021-03-23 14:16:06 +00:00
Mathias Vorreiter Pedersen
ce638096de Merge pull request #5492 from geoffw0/samateissue
C++: Test taint regression
2021-03-23 14:01:03 +01:00
Rasmus Wriedt Larsen
f2bc413318 Python: remove single commented out line of code 2021-03-23 14:00:38 +01:00
Tom Hvitved
3c26779f40 Merge pull request #5415 from tamasvajk/feature/async-flow
C#: add store step for return statements inside async methods
2021-03-23 13:59:19 +01:00
Rasmus Wriedt Larsen
a4924856a2 Python: Model known form/field subclasses in Django
I used some ad-hoc QL queries to help me find all these extra instances, but not
quite ready to share that code yet :P
2021-03-23 13:57:39 +01:00
Rasmus Wriedt Larsen
8d0f6086af Python: Model django forms/fields
I'm not feeling 100% confident about `SelfRefMixin`, but since I needed it for
both DjangoViewClass and DjangoFormClass, I wanted to avoid copy-pasting this
code around. However, I'm not so opitimistic about it that I want to add it to a
sharable utility qll file :D
2021-03-23 13:57:38 +01:00
Anders Schack-Mulligen
27408fefe2 Merge pull request #5008 from torque59/cwe-346
Java: Queries to detect remote source flow origins to CORS header.
2021-03-23 13:54:00 +01:00
Anders Schack-Mulligen
9a56601dd3 Merge pull request #5164 from luchua-bc/java/insecure-ldap-endpoint
Java: CWE-297 Query to detect insecure LDAP endpoint configuration
2021-03-23 13:53:51 +01:00
Asger Feldthaus
b5be9d07aa JS: Add change note 2021-03-23 12:51:14 +00:00
Geoffrey White
b38a9d51e6 C++: Effect of 'Don't override getParameterSizeIndex in the model for Accept'... 2021-03-23 12:26:59 +00:00
Geoffrey White
13eb9e0833 C++: Fix the test. 2021-03-23 12:26:58 +00:00
Geoffrey White
30e1b88b7f C++: Extend test. 2021-03-23 12:26:58 +00:00
Asger Feldthaus
6c8b4a82c1 JS: Autoformat 2021-03-23 11:55:37 +00:00
Geoffrey White
da08c6e63e Merge pull request #5496 from MathiasVP/accept-model-getParameterSizeIndex-should-be-none
C++: Don't override getParameterSizeIndex in Accept
2021-03-23 11:42:50 +00:00
Asger Feldthaus
98143b071d JS: Autoformat 2021-03-23 11:26:29 +00:00
Anders Schack-Mulligen
1e6b5391d6 Merge pull request #4994 from haby0/main
Java: CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
2021-03-23 12:05:53 +01:00
Taus
b46a3616d8 Merge pull request #5490 from RasmusWL/private-imports
Python: Make import private for better auto-complete
2021-03-23 12:00:35 +01:00
Mathias Vorreiter Pedersen
585606a933 C++: Respond to review comments. 2021-03-23 11:14:29 +01:00
Mathias Vorreiter Pedersen
0b4650a4c9 C++: Accept test changes. 2021-03-23 10:27:19 +01:00
Tom Hvitved
20aa05b090 C#: Add CIL SSA library 2021-03-23 10:07:36 +01:00
Mathias Vorreiter Pedersen
7d0cfc69f1 C++: Don't override getParameterSizeIndex in the model for Accept. This fixes IR construction of calls to accept. 2021-03-23 09:53:09 +01:00
Mathias Vorreiter Pedersen
0ff7cc845c C++: Add reduced testcase that broke IR construction in #5492. 2021-03-23 09:53:04 +01:00
yoff
921b560e89 Merge pull request #5489 from tausbn/python-make-getacall-return-a-callcfgnode
Python: Make `API::Node::getACall` return a `CallCfgNode`
2021-03-23 09:31:38 +01:00
Rasmus Lerchedahl Petersen
198a4ca79b Python: Add files to experimental 2021-03-22 21:42:06 +01:00
Marcono1234
993999f64f Java: Add test for negative numeric literals 2021-03-22 17:43:34 +01:00
Asger Feldthaus
6b19e69d30 JS: Fix some join orders 2021-03-22 16:17:19 +00:00
Rasmus Wriedt Larsen
1890e63d4c Python: Make import private for better auto-complete
With the non-private imports, auto-completing on `API::` gave ALL results
available from `import python`, as well as the ones specified in the `API`
module.

The non-private import in Attributes.qll did the same for `DataFlow::`.
2021-03-22 16:45:44 +01:00
Taus Brock-Nannestad
4a6589d0ae Python: Make API::Node::getACall return a CallCfgNode
This should eliminate the need for explicit casting to
`CallCfgNode` (which does not appear in our code as far as I can see,
but was observed in an external contribution).
2021-03-22 16:37:24 +01:00
Asger Feldthaus
42e6c7eb2e JS: Remove field from InvokeNode 2021-03-22 15:19:31 +00:00
Asger Feldthaus
c03e9d6c75 JS: Address review comments 2021-03-22 15:19:31 +00:00
Asger Feldthaus
5bfdca895b JS: Remove recursive def of SourceNode::Range 2021-03-22 15:07:38 +00:00
Asger Feldthaus
230b9cf5d3 JS: Avoid recursion in SourceNode::Range 2021-03-22 15:07:38 +00:00
Rasmus Lerchedahl Petersen
c1e3ccfb6c Python, doc: Note ephemeral nature of import nodes 2021-03-22 15:07:51 +01:00
Rasmus Wriedt Larsen
c8a6e837b5 Python: Model QuerySet chains in django 2021-03-22 14:38:54 +01:00
Tamas Vajk
7a0bfd1a69 Skip through any stub preamble 2021-03-22 12:29:13 +01:00
Asger Feldthaus
54a91c73b0 JS: Tweak summarizedHigherOrderCall 2021-03-22 10:56:03 +00:00
Mathias Vorreiter Pedersen
d09458a486 C++: Add another taint tracking copy to identical-files.json 2021-03-22 11:35:59 +01:00
Mathias Vorreiter Pedersen
7ec86b5e7f C++: AdjustedConfiguration should not extend the same dataflow configuration as FromGlobalVarTaintTrackingCfg as this causes multiple configurations to be in scope for dataflow. 2021-03-22 11:35:29 +01:00
haby0
fe046ec71e Merge remote-tracking branch 'upstream/main' into main 2021-03-22 17:25:37 +08:00
Rasmus Wriedt Larsen
3a83ecf067 Python: Add test for taint in django forms/fields 2021-03-22 10:03:32 +01:00
Rasmus Wriedt Larsen
f800bf243f Python: Better text for getSourceType in Django 2021-03-22 01:39:19 +01:00
Rasmus Wriedt Larsen
701b935564 Python: Add example of QuerySet chain (django) 2021-03-22 00:57:43 +01:00
Marcono1234
1534b387bb Java: Improve documentation regarding minus in front of numeric literals 2021-03-22 00:54:14 +01:00
Artem Smotrakov
6c24699403 Cover both javax.el and jakarta.el packages 2021-03-21 21:19:39 +03:00
Artem Smotrakov
adb1ed380a Added tests for Jakarta expression injection 2021-03-21 21:19:39 +03:00
Artem Smotrakov
73e940de74 Added query for Jakarta EL injections
- Added JakartaExpressionInjection.ql
- Added a qhelp file with examples
2021-03-21 21:19:39 +03:00
yo-h
0200aedc2e Java 16: adjust test options 2021-03-21 12:55:25 -04:00
ihsinme
26bac9f425 Apply suggestions from code review
Co-authored-by: Robert Marsh <rdmarsh2@gmail.com>
2021-03-21 15:25:29 +03:00
Asger Feldthaus
a54e810804 JS: Include accessor-calls in CallGraph.ql 2021-03-20 13:59:38 +00:00
Asger Feldthaus
f4a476ea4e JS: Change type ValueNode -> Node 2021-03-20 09:05:04 +00:00
Dilan
1385b22642 pr fixes, typo in qhelp file and helper method for queries 2021-03-19 16:43:29 -07:00
Asger Feldthaus
405c1f3fc7 JS: Update test suite 2021-03-19 16:45:31 +00:00
Asger Feldthaus
fa2ae1420a JS: Rename Diagnostics folder to Summary 2021-03-19 16:43:23 +00:00
Asger Feldthaus
347cbe422d JS: Remove the other summary queries 2021-03-19 16:42:43 +00:00
Asger Feldthaus
0c0556bb38 JS: Update LinesOfCode.ql to match the style from C++ 2021-03-19 16:42:05 +00:00
Asger Feldthaus
6ca425f033 JS: Implement new metric queries for line counting 2021-03-19 16:34:29 +00:00
Asger Feldthaus
ea8c8df653 JS: Fix bad join orders in summarizedHigherOrderCall 2021-03-19 15:30:49 +00:00
Mathias Vorreiter Pedersen
6c1ec6d96b C++: Accept test changes. 2021-03-19 16:09:05 +01:00
Erik Krogh Kristensen
8949b9eb0a add shell interpreted arrays as sinks for js/shell-command-constructed-from-input 2021-03-19 15:59:06 +01:00
Asger Feldthaus
01fd00de56 JS: Fix join order in argumentPassing 2021-03-19 11:49:06 +00:00
Asger F
2f3d516413 JS: Track flow into ES accessors 2021-03-19 11:11:25 +00:00
Asger F
4f46908224 JS: Add test with ES getters/setters 2021-03-19 11:07:15 +00:00
Tamas Vajk
79d6731ed8 C#: Adjust make_stubs.py to use codeql instead of odasa 2021-03-19 11:01:28 +01:00
Erik Krogh Kristensen
36b0ab1de5 Apply suggestions from code review
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-03-19 10:29:38 +01:00
Erik Krogh Kristensen
a28a36ab29 add change-note 2021-03-19 10:10:56 +01:00
Erik Krogh Kristensen
e90fb1a225 reuse classes modelling standard library functions 2021-03-19 10:09:33 +01:00
Erik Krogh Kristensen
d489d63b8e recognize object transformations in module.exports when looking for library inputs 2021-03-18 20:54:33 +01:00
Erik Krogh Kristensen
28ad667578 add model for async-execute 2021-03-18 19:40:46 +01:00
Erik Krogh Kristensen
af5a61782c also look for main modules in a lib folder 2021-03-18 14:51:11 +01:00
Erik Krogh Kristensen
0e98ea0c10 remove spurious import of PackageExports 2021-03-18 14:09:08 +01:00
Erik Krogh Kristensen
67a5831ac0 update expected output 2021-03-18 13:59:44 +01:00
Erik Krogh Kristensen
c0bb169342 recognize a src/index.js file as a main module for a package 2021-03-18 13:41:36 +01:00
Erik Krogh Kristensen
add0c88530 loosen the requirement that the package.json file must be the top-most package.json 2021-03-18 13:39:12 +01:00
Erik Krogh Kristensen
d998d06b94 add link to source in alert-message for js/shell-command-constructed-from-input 2021-03-18 13:37:18 +01:00
Porcuiney Hairs
a88c3682ff remove sanitiserGuards 2021-03-18 16:12:00 +05:30
Porcuiney Hairs
84c9137152 Include suggestions from review 2021-03-18 16:12:00 +05:30
porcupineyhairs
f27d2bdf6d Update java/ql/src/experimental/semmle/code/java/Logging.qll
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-03-18 16:12:00 +05:30
Porcuiney Hairs
d0c82d3756 Add flogger and android logging support 2021-03-18 16:12:00 +05:30
Porcuiney Hairs
17d7ba8049 Add Log Injection Vulnerability 2021-03-18 16:12:00 +05:30
Rasmus Lerchedahl Petersen
b3ff3f7ee7 PythonÆ adjust test expectations
I suspect it has to do with ParameterNode being a LocalSourceNode,
but I really have no idea...
2021-03-17 15:11:17 +01:00
Rasmus Lerchedahl Petersen
8f467003d2 Python: More review suggestions 2021-03-17 15:11:17 +01:00
yoff
63b732ce1f Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-03-17 15:11:17 +01:00
Rasmus Lerchedahl Petersen
4d856d4461 Python: Add small api enhancements
determined useful during documentation work.
2021-03-17 15:11:17 +01:00
Mathias Vorreiter Pedersen
3914a93504 C++: Remove commonTaintStep from DefaultTaintTracking. 2021-03-17 11:56:59 +01:00
haby0
c516d69b98 Merge remote-tracking branch 'upstream/main' into main 2021-03-17 16:42:48 +08:00
Tamas Vajk
0b1705f302 C#: Adjust Callable::canReturn to handle Task-like async return types 2021-03-17 09:25:57 +01:00
haby0
15206fd2ce JsonpInjection.ql autoformatted 2021-03-17 15:52:05 +08:00
haby0
98204a15a6 Fix the problem 2021-03-17 15:28:04 +08:00
Mathias Vorreiter Pedersen
43fbcc1c8a C++: Convert all the dataflow configurations to taint configurations. 2021-03-16 22:36:17 +01:00
Mathias Vorreiter Pedersen
dd6b27df24 C++: Fix test annotation. 2021-03-16 22:35:47 +01:00
Tamas Vajk
cd820917bc Remove duplicate yield return entries from global dataflow test 2021-03-16 21:28:58 +01:00
Tamas Vajk
2541e9cb6a C#: Handle async data flow in expression bodied callables 2021-03-16 16:32:47 +01:00
Tamas Vajk
048c72a0f2 C#: Remove YieldReturnKind 2021-03-16 16:20:04 +01:00
Tamas Vajk
aa2abf76ba Make ReturnNodes disjoint (normal, yield, async) 2021-03-16 16:17:27 +01:00
Tamas Vajk
732ef92830 C#: add store step for return statements inside async methods 2021-03-16 15:18:00 +01:00
Tamas Vajk
c684b74b3d C#: Add async dataflow tests 2021-03-16 14:46:16 +01:00
Mathias Vorreiter Pedersen
0ffb80e3b1 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-15 09:42:32 +01:00
luchua-bc
1a2e341b7c Refactor the business logic of the query into a separate predicate 2021-03-12 12:19:37 +00:00
luchua-bc
c8b1bc3a89 Enhance the query 2021-03-11 21:41:34 +00:00
Mathias Vorreiter Pedersen
5667901a2a C++: Accept test changes after merge from main (which changed the path explanations). 2021-03-11 21:16:57 +01:00
luchua-bc
0a35feef76 Exclude CSRF cookies to reduce FPs 2021-03-11 17:28:07 +00:00
luchua-bc
57953c523c Update qldoc 2021-03-11 17:16:36 +00:00
Mathias Vorreiter Pedersen
a2d75c4fed Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-11 18:06:37 +01:00
luchua-bc
eeac7e322a Query to detect insecure configuration of Spring Boot Actuator 2021-03-11 13:46:32 +00:00
Artem Smotrakov
4b7c57c077 Added a comment for getBeanIdentifier()
Co-authored-by: Chris Smowton <smowton@github.com>
2021-03-11 11:52:07 +01:00
Artem Smotrakov
0a5d58ed8a Cover more configurations in UnsafeSpringExporterInConfigurationClass.ql 2021-03-10 21:15:19 +03:00
luchua-bc
a0a1ddee86 Update class name 2021-03-10 17:07:31 +00:00
Mathias Vorreiter Pedersen
bc36e0db43 C++: Accept more test changes. 2021-03-10 16:51:13 +01:00
Mathias Vorreiter Pedersen
cc592b124b Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-10 15:59:48 +01:00
Mathias Vorreiter Pedersen
0b6589c8be C++: Accept test changes. 2021-03-10 15:47:06 +01:00
luchua-bc
f0ddfc9283 Minor qldoc changes 2021-03-10 12:18:55 +00:00
luchua-bc
72f28513eb Move test check to the sink 2021-03-10 12:12:27 +00:00
Anders Schack-Mulligen
4941d9b7bf Java: Add query for CSV framework coverage. 2021-03-10 12:03:44 +01:00
Artem Smotrakov
df60268023 Split qhelp files 2021-03-10 10:49:47 +03:00
luchua-bc
48975fa7d2 Replace sanitizers 2021-03-10 00:17:26 +00:00
Mathias Vorreiter Pedersen
19d08d7b40 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-09 12:35:44 +01:00
Artem Smotrakov
a78f2115f2 Split SpringExporterUnsafeDeserialization.ql 2021-03-09 00:06:38 +03:00
Mathias Vorreiter Pedersen
bb53780ba9 C++: Add flow through unary instructions and pointer/indirection conflation for parameters. These rules are copy/pasted from DefaultTaintTracking. The conflation rules will hopefully be removed as part of #5089. 2021-03-08 09:42:47 +01:00
luchua-bc
0ef3eee4ed Revamp the source and the sink of the query 2021-03-06 22:41:54 +00:00
Artem Smotrakov
891b975899 Use correct file names in SpringExporterUnsafeDeserialization.qhelp 2021-03-06 22:07:43 +01:00
Artem Smotrakov
bda223771b Added another example for SpringExporterUnsafeDeserialization.ql 2021-03-06 22:05:00 +01:00
Artem Smotrakov
82cb4a8d68 Renamed SpringHttpInvokerUnsafeDeserialization.ql 2021-03-06 21:48:35 +01:00
Artem Smotrakov
dcabce679a Cover beans from XML configs in SpringHttpInvokerUnsafeDeserialization.ql 2021-03-06 21:40:35 +01:00
luchua-bc
31eaa80f5b Revamp the source 2021-03-06 00:56:15 +00:00
haby0
ecdadd1826 move the query to experimental folder 2021-03-05 14:38:04 +08:00
luchua-bc
a93aabab40 Add the toString() method 2021-03-05 03:05:49 +00:00
luchua-bc
919c6b4b0a Optimize flow steps 2021-03-05 02:50:54 +00:00
Francis Alexander
abdebc29f9 Move to experimental and review feedback 2021-03-05 07:26:29 +05:30
Mathias Vorreiter Pedersen
23876cb581 C++: Only allow taint to a FieldAddressInstruction if it's a union type. 2021-03-04 16:29:44 +01:00
ihsinme
10cc574289 Add files via upload 2021-03-04 16:15:26 +03:00
ihsinme
01c13c4703 Add files via upload 2021-03-04 16:14:11 +03:00
haby0
c5577cb09a Fix the problem 2021-03-04 19:54:49 +08:00
luchua-bc
1784c202a7 Clean up the query 2021-03-03 17:03:37 +00:00
luchua-bc
502cf38fcc Use concise API 2021-03-03 14:07:43 +00:00
luchua-bc
1b1c3f953b Remove localflow from the source 2021-03-03 13:54:26 +00:00
luchua-bc
b366ffa69e Revamp source of the query 2021-03-03 13:38:18 +00:00
Artem Smotrakov
617ba65ef5 Improved docs for SpringHttpInvokerUnsafeDeserialization.ql 2021-03-02 21:36:14 +01:00
Mathias Vorreiter Pedersen
eb4f1e1ba0 C++: Restore some of the lost test results by doing operand -> instruction taint steps in IR TaintTracking. 2021-03-02 15:45:40 +01:00
Mathias Vorreiter Pedersen
23d3109071 C++: Use taintedWithPath in more tests. This is the predicate that's currently hooked up to the new IR taint tracking library. 2021-03-02 13:40:39 +01:00
Mathias Vorreiter Pedersen
6ba35f4aac C++: Fix function renaming and accept test change. 2021-03-02 11:31:24 +01:00
Mathias Vorreiter Pedersen
9f02c144a8 C++: Remove files that were incorrectly added when resolving merge conflicts. 2021-03-02 11:14:49 +01:00
Mathias Vorreiter Pedersen
ffc6af73b7 C++: Accept test changes. 2021-03-02 11:00:43 +01:00
Mathias Vorreiter Pedersen
748f5344ff Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2021-03-02 10:43:37 +01:00
luchua-bc
95d1994196 Query to check sensitive cookies without the HttpOnly flag set 2021-03-01 22:06:52 +00:00
Artem Smotrakov
15a43ffe36 Simplified returnsRemoteInvocationSerializingExporter() 2021-02-27 13:41:20 +01:00
haby0
f795d5e0d3 update JSONP Injection ql 2021-02-27 16:25:17 +08:00
haby0
0521ef87da Merge remote-tracking branch 'upstream/main' into JsonHijacking 2021-02-25 16:31:14 +08:00
Artem Smotrakov
e02b51f42b Improved SpringHttpInvokerUnsafeDeserialization.qhelp 2021-02-24 22:35:20 +01:00
Artem Smotrakov
aac0c27dcd Added tests for SpringHttpInvokerUnsafeDeserialization.ql 2021-02-24 22:35:20 +01:00
Artem Smotrakov
95284ad71d Added SpringHttpInvokerUnsafeDeserialization.qhelp and example 2021-02-24 22:35:20 +01:00
Artem Smotrakov
476309af6d Added SpringHttpInvokerUnsafeDeserialization.ql 2021-02-24 22:35:20 +01:00
haby0
6fe8bafc7d *)update 2021-02-24 20:59:51 +08:00
haby0
872a000a33 *)update to JSONP injection 2021-02-24 20:36:12 +08:00
Francis Alexander
45bdb22db8 Switch from sanitizer to tainttracking, formatting and qldoc changes 2021-02-21 16:45:48 +05:30
haby0
8119fd2ad1 *)add JsonHijacking ql query 2021-02-18 18:11:10 +08:00
Francis Alexander
2baf2aa5c1 Apply suggestions from code review - improved sanitizer checks.
Co-authored-by: Alvaro Muñoz <pwntester@github.com>
2021-02-17 18:58:32 +05:30
Francis Alexander
40f4e71b86 Merge branch 'main' into cwe-346 2021-02-17 18:55:31 +05:30
Francis Alexander
58971f9f4e Switch qualified name to available CollectionType 2021-02-17 16:01:27 +05:30
Francis Alexander
520ba47293 Sanitizer improvements from code review 2021-02-17 08:35:50 +05:30
luchua-bc
e698ee77f7 Update qldoc and test method 2021-02-16 14:11:39 +00:00
haby0
2c96e6cf96 Merge remote-tracking branch 'upstream/main' into main 2021-02-16 17:54:01 +08:00
luchua-bc
5ce3af0591 Enhance the query and update qldoc 2021-02-15 21:38:54 +00:00
haby0
92c00cb741 Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-02-16 00:09:21 +08:00
haby0
f1e44bce4a Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-02-16 00:07:44 +08:00
luchua-bc
a03e6faf37 Optimize the query and update qldoc 2021-02-15 14:10:17 +00:00
Francis Alexander
409d95c522 Sanitizer checks to decrease FP 2021-02-15 14:01:14 +05:30
luchua-bc
23f620d255 Query to detect insecure LDAP endpoint configuration 2021-02-15 05:31:29 +00:00
luchua-bc
6a6727fc80 Reduce the scope of the query to reduce FPs 2021-02-14 15:01:06 +00:00
haby0
6901cd4899 Merge branch 'main' of https://github.com/haby0/codeql into main 2021-02-12 11:18:33 +08:00
haby0
22e741c7a3 *)add XQExpression.executeCommand(0) sink 2021-02-12 11:17:42 +08:00
haby0
dbb3d458f5 *)add XQExpression.executeCommand(0) sink 2021-02-12 10:47:41 +08:00
haby0
a6a0fa28c4 *)add XQExpression.executeQuery(0) sink 2021-02-11 16:05:48 +08:00
haby0
97690b4eb7 Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-02-08 19:15:28 +08:00
luchua-bc
ff1ed3a012 Revamp the query to use three configurations to detect password hash without salt 2021-01-29 03:39:02 +00:00
haby0
81c56b9bed Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-27 19:47:12 +08:00
haby0
31deca016f Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-27 19:46:45 +08:00
haby0
ca2e6587fe Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-27 19:46:15 +08:00
haby0
b5ae417851 *)update CWE-652 qhelp references 2021-01-27 10:19:04 +08:00
haby0
b76854a384 *)add CWE-652 test case 2021-01-27 10:14:33 +08:00
Francis Alexander
19872e9aed More Feedback integration 2021-01-26 17:24:17 +05:30
Francis Alexander
985d3d469a PR feedback integration 2021-01-25 23:26:36 +05:30
haby0
42f55e1ebe Merge pull request #1 from smowton/smowton/admin/rewrite-xquery
Rewrite XQuery injection to use an additional taint step instead of multiple configurations
2021-01-25 19:49:20 +08:00
Chris Smowton
d34233b44f Rewrite XQuery injection to use an additional taint step instead of multiple configurations.
Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.
2021-01-25 11:18:45 +00:00
haby0
16308fe557 Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-25 19:16:18 +08:00
haby0
14a23eed4f Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll
Co-authored-by: Chris Smowton <smowton@github.com>
2021-01-25 19:15:59 +08:00
Francis Alexander
75b79039a1 Example fixes 2021-01-24 20:46:37 +05:30
Francis Alexander
81e372d078 Formatting changes 2021-01-24 20:44:21 +05:30
Francis Alexander
a64fc2b24e Java: Queries to detect remote source flow to CORS header 2021-01-24 18:58:39 +05:30
haby0
0b326aae20 *)update XQueryInjectionLib.qll 2021-01-23 18:27:38 +08:00
haby0
44d99f8cd4 *)update XQueryInjection.ql 2021-01-23 18:26:58 +08:00
haby0
ec4c155043 *)update XQueryInjection.qhelp 2021-01-23 18:26:15 +08:00
haby0
a56dd60baa *)add CWE-652 XQueryInjection detection 2021-01-21 19:18:10 +08:00
luchua-bc
b9809b071e Update the query to work with wrapper classes 2021-01-18 19:22:34 +00:00
luchua-bc
048167d39a Revamp the query to reduce FPs introduced by wrapper calls 2021-01-18 04:23:30 +00:00
luchua-bc
3af8773dd6 Add more cases 2021-01-15 16:20:31 +00:00
luchua-bc
86c04e6971 Detect the scenario of passwords concatenated with a salt to reduce FPs 2021-01-11 16:59:57 +00:00
luchua-bc
39103af718 Remove additional taint step 2021-01-08 13:02:57 +00:00
luchua-bc
b56fe2b25f Remove specific method name in additional taint step 2021-01-07 16:31:21 +00:00
luchua-bc
19ff00bad4 Enhance the additional step flow and update qldoc 2021-01-07 13:15:30 +00:00
luchua-bc
ce2db21f15 Query to detect hash without salt 2021-01-06 17:30:04 +00:00
Robert Marsh
77729918c1 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Update for submodule pointer
2020-11-18 13:09:02 -08:00
Robert Marsh
5aed82a210 C++: Autoformat more 2020-11-17 13:44:20 -08:00
Robert Marsh
04641a3f2d Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2020-11-17 12:55:12 -08:00
Robert Marsh
c2e44fa180 C++: autoformat 2020-11-17 09:28:39 -08:00
Robert Marsh
db8766ca69 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 2020-11-16 17:46:20 -08:00
Robert Marsh
525aeb6551 C++: autoformat 2020-11-13 16:14:07 -08:00
Robert Marsh
29eacbd28b Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Update for submodule bump
2020-11-13 12:22:41 -08:00
Robert Marsh
bd00988c37 C++: accept test output for DefaultTaintTracking 2020-11-12 14:38:53 -08:00
Robert Marsh
68040b717e C++: autoformat 2020-11-12 14:32:19 -08:00
Robert Marsh
275d75295c Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Fix test conflict
2020-11-12 13:28:10 -08:00
Robert Marsh
049bff09e6 Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
Make this branch a valid taget for a submodule bump
2020-11-10 14:25:05 -08:00
Robert Marsh
2a6ba40a93 C++: Accept more test changes 2020-11-10 13:59:35 -08:00
Robert Marsh
04ad94d1cc C++: model taint from pointers to aliased buffers 2020-11-09 13:52:08 -08:00
Robert Marsh
afbeca0d54 C++: Accept test outputs 2020-11-09 13:24:31 -08:00
Robert Marsh
95ed5465de C++: improve handling of function arguments in DTT 2020-11-09 13:02:06 -08:00
Robert Marsh
fbe857d1fa C++: require that other operands be predictable
This brings back a constraint that was lost when switching
DefaultTaintTracking to use a TaintTracking::Configuration
2020-11-09 13:00:55 -08:00
Robert Marsh
7d79be71d1 C++: taint tracking conf in DefaultTaintTracking
Switch from using additional flow steps with a DataFlow::Configuration
in DefaultTaintTracking to using a TaintTracking::Configuration. This
makes future improvements to TaintTracking::Configuration reflected in
DefaultTaintTracking without further effort. It also removes the
predictability constraint in DefaultTaintTracking, which increases the
number of results, with both new true positives and new false positives.
Those may need to be addressed on a per-query basis.

There are some additional regressions from losing pointer/object
conflation for arguments. Those can be worked around by adding that
conflation to TaintTracking::Configuration until precise indirect
parameter flow is ready.
2020-11-09 13:00:55 -08:00
dilanbhalla
26b030f8cc fixed pr suggestions 2020-07-07 10:52:26 -07:00
dilanbhalla
dc73fcc4e8 moved to experimental 2020-07-01 09:54:58 -07:00
dilanbhalla
dc58f6fa87 function/class synatax 2020-06-25 11:39:09 -07:00
1241 changed files with 26995 additions and 15855 deletions

30
.github/workflows/close-stale.yml vendored Normal file
View File

@@ -0,0 +1,30 @@
name: Mark stale issues
on:
workflow_dispatch:
schedule:
- cron: "30 1 * * *"
jobs:
stale:
if: github.repository == 'github/codeql'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
days-before-stale: 14
days-before-close: 7
only-labels: awaiting-response
# do not mark PRs as stale
days-before-pr-stale: -1
days-before-pr-close: -1
# Uncomment for dry-run
# debug-only: true
# operations-per-run: 1000

View File

@@ -1,29 +0,0 @@
# When a PR is labelled with 'ready-for-docs-review',
# this workflow comments on the PR to notify the GitHub CodeQL docs team.
name: Request docs review
on:
# Runs in the context of the base repo.
# This gives the workflow write access to comment on PRs.
# The workflow should not check out or build the given ref,
# or use untrusted data from the event payload in a command line.
pull_request_target:
types: [labeled]
jobs:
request-docs-review:
name: Request docs review
# Run only on labelled PRs to the main repository.
# Do not run on PRs to forks.
if:
github.event.label.name == 'ready-for-docs-review'
&& github.event.pull_request.draft == false
&& github.event.pull_request.base.repo.full_name == 'github/codeql'
runs-on: ubuntu-latest
steps:
- name: Comment to request docs review
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
gh pr comment "$PR_NUMBER" --repo "github/codeql" \
--body "Hello @github/docs-content-codeql - this PR is ready for docs review."

View File

@@ -36,6 +36,7 @@
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -55,6 +56,10 @@
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
],
"DataFlow Java/C# Flow Summaries": [
"java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
],
"SsaReadPosition Java/C#": [
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -376,7 +381,6 @@
],
"DuplicationProblems.inc.qhelp": [
"cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
"csharp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
"javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
"python/ql/src/Metrics/DuplicationProblems.inc.qhelp"
],
@@ -429,7 +433,8 @@
"SSA C#": [
"csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
"csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll"
"csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll",
"csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll"
],
"CryptoAlgorithms Python/JS": [
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",

View File

@@ -5,6 +5,7 @@ using System;
using System.Linq;
using Microsoft.Build.Construction;
using System.Xml;
using System.IO;
namespace Semmle.Autobuild.Cpp.Tests
{
@@ -43,6 +44,8 @@ namespace Semmle.Autobuild.Cpp.Tests
public IDictionary<string, int> RunProcess = new Dictionary<string, int>();
public IDictionary<string, string> RunProcessOut = new Dictionary<string, string>();
public IDictionary<string, string> RunProcessWorkingDirectory = new Dictionary<string, string>();
public HashSet<string> CreateDirectories { get; } = new HashSet<string>();
public HashSet<(string, string)> DownloadFiles { get; } = new HashSet<(string, string)>();
int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory, IDictionary<string, string>? env, out IList<string> stdOut)
{
@@ -135,6 +138,14 @@ namespace Semmle.Autobuild.Cpp.Tests
string IBuildActions.GetFullPath(string path) => path;
string? IBuildActions.GetFileName(string? path) => Path.GetFileName(path?.Replace('\\', '/'));
public string? GetDirectoryName(string? path)
{
var dir = Path.GetDirectoryName(path?.Replace('\\', '/'));
return dir is null ? path : path?.Substring(0, dir.Length);
}
void IBuildActions.WriteAllText(string filename, string contents)
{
}
@@ -153,6 +164,18 @@ namespace Semmle.Autobuild.Cpp.Tests
s = s.Replace($"%{kvp.Key}%", kvp.Value);
return s;
}
public void CreateDirectory(string path)
{
if (!CreateDirectories.Contains(path))
throw new ArgumentException($"Missing CreateDirectory, {path}");
}
public void DownloadFile(string address, string fileName)
{
if (!DownloadFiles.Contains((address, fileName)))
throw new ArgumentException($"Missing DownloadFile, {address}, {fileName}");
}
}
/// <summary>
@@ -213,6 +236,7 @@ namespace Semmle.Autobuild.Cpp.Tests
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_SOURCE_ARCHIVE_DIR"] = "";
Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_ROOT"] = $@"C:\codeql\{codeqlUpperLanguage.ToLowerInvariant()}";
Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
@@ -273,7 +297,8 @@ namespace Semmle.Autobuild.Cpp.Tests
[Fact]
public void TestCppAutobuilderSuccess()
{
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test.sln"] = 1;
Actions.RunProcess[@"cmd.exe /C nuget restore C:\Project\test.sln -DisableParallelProcessing"] = 1;
Actions.RunProcess[@"cmd.exe /C C:\Project\.nuget\nuget.exe restore C:\Project\test.sln -DisableParallelProcessing"] = 0;
Actions.RunProcess[@"cmd.exe /C CALL ^""C:\Program Files ^(x86^)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat^"" && set Platform=&& type NUL && C:\odasa\tools\odasa index --auto msbuild C:\Project\test.sln /p:UseSharedCompilation=false /t:rebuild /p:Platform=""x86"" /p:Configuration=""Release"" /p:MvcBuildViews=true"] = 0;
Actions.RunProcessOut[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = "";
Actions.RunProcess[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe -prerelease -legacy -property installationPath"] = 1;
@@ -286,11 +311,13 @@ namespace Semmle.Autobuild.Cpp.Tests
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = true;
Actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.slx";
Actions.EnumerateDirectories[@"C:\Project"] = "";
Actions.CreateDirectories.Add(@"C:\Project\.nuget");
Actions.DownloadFiles.Add(("https://dist.nuget.org/win-x86-commandline/latest/nuget.exe", @"C:\Project\.nuget\nuget.exe"));
var autobuilder = CreateAutoBuilder(true);
var solution = new TestSolution(@"C:\Project\test.sln");
autobuilder.ProjectsOrSolutionsToBuild.Add(solution);
TestAutobuilderScript(autobuilder, 0, 2);
TestAutobuilderScript(autobuilder, 0, 3);
}
}
}

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

View File

@@ -0,0 +1,2 @@
lgtm
* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/offset-use-before-range-check
* @problem.severity warning
* @problem.security-severity 8.1
* @precision medium
* @tags reliability
* security

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/descriptor-may-not-be-closed
* @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/descriptor-never-closed
* @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/file-may-not-be-closed
* @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/file-never-closed
* @problem.severity warning
* @problem.security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/inconsistent-nullness-testing
* @problem.severity warning
* @problem.security-severity 7.5
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/memory-may-not-be-freed
* @problem.severity warning
* @problem.security-severity 7.5
* @tags efficiency
* security
* external/cwe/cwe-401

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/memory-never-freed
* @problem.severity warning
* @problem.security-severity 7.5
* @tags efficiency
* security
* external/cwe/cwe-401

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/missing-null-test
* @problem.severity recommendation
* @problem.security-severity 7.5
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -3,6 +3,7 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem
* @problem.severity warning
* @problem.security-severity 7.5
* @precision high
* @id cpp/new-free-mismatch
* @tags reliability

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/overflow-calculated
* @problem.severity warning
* @problem.security-severity 9.8
* @tags reliability
* security
* external/cwe/cwe-131

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/overflow-destination
* @problem.severity warning
* @problem.security-severity 8.8
* @precision low
* @tags reliability
* security

View File

@@ -4,6 +4,7 @@
* may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.8
* @precision medium
* @id cpp/static-buffer-overflow
* @tags reliability

View File

@@ -4,6 +4,7 @@
* an instance of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.1
* @precision medium
* @id cpp/allocation-too-small
* @tags reliability

View File

@@ -4,6 +4,7 @@
* multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.1
* @precision medium
* @id cpp/suspicious-allocation-size
* @tags reliability

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/use-after-free
* @problem.severity warning
* @problem.security-severity 8.8
* @tags reliability
* security
* external/cwe/cwe-416

View File

@@ -6,6 +6,7 @@
* to a larger type.
* @kind problem
* @problem.severity error
* @problem.security-severity 8.1
* @precision very-high
* @id cpp/bad-addition-overflow-check
* @tags reliability

View File

@@ -4,6 +4,7 @@
* be a sign that the result can overflow the type converted from.
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.1
* @precision high
* @id cpp/integer-multiplication-cast-to-long
* @tags reliability

View File

@@ -6,6 +6,7 @@
* use the width of the base type, leading to misaligned reads.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 8.8
* @precision high
* @tags correctness
* reliability

View File

@@ -6,6 +6,7 @@
* from an untrusted source, this can be used for exploits.
* @kind problem
* @problem.severity recommendation
* @problem.security-severity 9.8
* @precision high
* @id cpp/non-constant-format
* @tags maintainability

View File

@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
override predicate isWhitelisted() {
this.getConversion().(ParenthesisExpr).isParenthesised()
or
// whitelist this assignment if all comparison operations in the expression that this
// Allow this assignment if all comparison operations in the expression that this
// assignment is part of, are not parenthesized. In that case it seems like programmer
// is fine with unparenthesized comparison operands to binary logical operators, and
// the parenthesis around this assignment was used to call it out as an assignment.
@@ -62,6 +62,21 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
not op.isParenthesised()
)
or
// Match a pattern like:
// ```
// if((a = b) && use_value(a)) { ... }
// ```
// where the assignment is meant to update the value of `a` before it's used in some other boolean
// subexpression that is guarenteed to be evaluate _after_ the assignment.
this.isParenthesised() and
exists(LogicalAndExpr parent, Variable var, VariableAccess access |
var = this.getLValue().(VariableAccess).getTarget() and
access = var.getAnAccess() and
not access.isUsedAsLValue() and
parent.getRightOperand() = access.getParent*() and
parent.getLeftOperand() = this.getParent*()
)
}
}

View File

@@ -3,6 +3,7 @@
* @description Using alloca in a loop can lead to a stack overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity 7.5
* @precision high
* @id cpp/alloca-in-loop
* @tags reliability

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/improper-null-termination
* @problem.severity warning
* @problem.security-severity 7.8
* @tags security
* external/cwe/cwe-170
* external/cwe/cwe-665

View File

@@ -4,6 +4,7 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.8
* @precision medium
* @id cpp/bad-strncpy-size
* @tags reliability

View File

@@ -4,6 +4,7 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.8
* @precision medium
* @id cpp/unsafe-strncat
* @tags reliability

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/uninitialized-local
* @problem.severity warning
* @problem.security-severity 7.8
* @precision medium
* @tags security
* external/cwe/cwe-665

View File

@@ -4,6 +4,7 @@
* may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @problem.security-severity 9.8
* @precision medium
* @id cpp/unsafe-strcat
* @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind treemap
* @treemap.warnOn highValues
* @metricType externalDependency
* @precision medium
* @id cpp/external-dependencies
* @tags modularity
*/

View File

@@ -7,7 +7,6 @@
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision very-high
* @id cpp/lines-of-code-in-files
* @tags maintainability
* complexity

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision high
* @id cpp/lines-of-commented-out-code-in-files
* @tags documentation
*/

View File

@@ -7,7 +7,6 @@
* @treemap.warnOn lowValues
* @metricType file
* @metricAggregate avg sum max
* @precision very-high
* @id cpp/lines-of-comments-in-files
* @tags maintainability
* documentation

View File

@@ -8,7 +8,6 @@
* @treemap.warnOn highValues
* @metricType file
* @metricAggregate avg sum max
* @precision high
* @id cpp/duplicated-lines-in-files
* @tags testability
* modularity

View File

@@ -5,7 +5,6 @@
* @treemap.warnOn lowValues
* @metricType file
* @metricAggregate avg sum max
* @precision medium
* @id cpp/tests-in-files
* @tags maintainability
*/

View File

@@ -5,6 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @problem.security-severity 8.6
* @tags security external/cwe/cwe-20
*/

View File

@@ -5,6 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @problem.security-severity 8.6
* @tags security external/cwe/cwe-20
*/

View File

@@ -4,6 +4,7 @@
* attacker to access unexpected resources.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 8.8
* @precision medium
* @id cpp/path-injection
* @tags security

View File

@@ -5,6 +5,7 @@
* to command injection.
* @kind problem
* @problem.severity error
* @problem.security-severity 9.8
* @precision low
* @id cpp/command-line-injection
* @tags security

View File

@@ -4,6 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @problem.security-severity 6.1
* @precision high
* @id cpp/cgi-xss
* @tags security

View File

@@ -5,6 +5,7 @@
* to SQL Injection.
* @kind path-problem
* @problem.severity error
* @problem.security-severity 9.8
* @precision high
* @id cpp/sql-injection
* @tags security

View File

@@ -5,6 +5,7 @@
* commands.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 8.2
* @precision medium
* @id cpp/uncontrolled-process-operation
* @tags security

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/overflow-buffer
* @problem.severity recommendation
* @problem.security-severity 8.8
* @tags security
* external/cwe/cwe-119
* external/cwe/cwe-121

View File

@@ -5,6 +5,7 @@
* overflow.
* @kind problem
* @problem.severity error
* @problem.security-severity 9.1
* @precision high
* @id cpp/badly-bounded-write
* @tags reliability

View File

@@ -4,6 +4,7 @@
* of data written may overflow.
* @kind problem
* @problem.severity error
* @problem.security-severity 9.1
* @precision medium
* @id cpp/overrunning-write
* @tags reliability

View File

@@ -5,6 +5,7 @@
* take extreme values.
* @kind problem
* @problem.severity error
* @problem.security-severity 9.1
* @precision medium
* @id cpp/overrunning-write-with-float
* @tags reliability

View File

@@ -4,6 +4,7 @@
* of data written may overflow.
* @kind path-problem
* @problem.severity error
* @problem.security-severity 9.1
* @precision medium
* @id cpp/unbounded-write
* @tags reliability

View File

@@ -5,6 +5,7 @@
* a specific value to terminate the argument list.
* @kind problem
* @problem.severity warning
* @problem.security-severity 9.8
* @precision medium
* @id cpp/unterminated-variadic-call
* @tags reliability

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/unclear-array-index-validation
* @problem.severity warning
* @problem.security-severity 9.8
* @tags security
* external/cwe/cwe-129
*/

View File

@@ -5,6 +5,7 @@
* terminator can cause a buffer overrun.
* @kind problem
* @problem.severity error
* @problem.security-severity 9.8
* @precision high
* @id cpp/no-space-for-terminator
* @tags reliability

View File

@@ -5,6 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 9.8
* @precision high
* @id cpp/tainted-format-string
* @tags reliability

View File

@@ -5,6 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 9.8
* @precision high
* @id cpp/tainted-format-string-through-global
* @tags reliability

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning
* @problem.security-severity 5.5
* @tags security
* external/cwe/cwe-170
*/

View File

@@ -4,6 +4,7 @@
* not validated can cause overflows.
* @kind problem
* @problem.severity warning
* @problem.security-severity 8.1
* @precision low
* @id cpp/tainted-arithmetic
* @tags security

View File

@@ -4,6 +4,7 @@
* validated can cause overflows.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 8.1
* @precision medium
* @id cpp/uncontrolled-arithmetic
* @tags security

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/arithmetic-with-extreme-values
* @problem.severity warning
* @problem.security-severity 8.1
* @precision low
* @tags security
* reliability

View File

@@ -5,6 +5,7 @@
* @id cpp/comparison-with-wider-type
* @kind problem
* @problem.severity warning
* @problem.security-severity 7.8
* @precision high
* @tags reliability
* security

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/integer-overflow-tainted
* @problem.severity warning
* @problem.security-severity 8.1
* @precision low
* @tags security
* external/cwe/cwe-190

View File

@@ -4,6 +4,7 @@
* user can result in integer overflow.
* @kind path-problem
* @problem.severity error
* @problem.security-severity 8.1
* @precision medium
* @id cpp/uncontrolled-allocation-size
* @tags reliability

View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning
* @problem.security-severity 8.2
* @precision medium
* @tags security
* correctness

View File

@@ -5,6 +5,7 @@
* vulnerable to spoofing attacks.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 7.7
* @precision medium
* @id cpp/user-controlled-bypass
* @tags security

View File

@@ -4,6 +4,7 @@
* to an attacker.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 7.5
* @precision medium
* @id cpp/cleartext-storage-buffer
* @tags security

View File

@@ -4,6 +4,7 @@
* to an attacker.
* @kind problem
* @problem.severity warning
* @problem.security-severity 6.5
* @precision medium
* @id cpp/cleartext-storage-file
* @tags security

View File

@@ -4,6 +4,7 @@
* database can expose it to an attacker.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 6.5
* @precision medium
* @id cpp/cleartext-storage-database
* @tags security

View File

@@ -4,6 +4,7 @@
* an attacker to compromise security.
* @kind problem
* @problem.severity error
* @problem.security-severity 7.5
* @precision medium
* @id cpp/weak-cryptographic-algorithm
* @tags security

View File

@@ -4,6 +4,7 @@
* attackers to retrieve portions of memory.
* @kind problem
* @problem.severity error
* @problem.security-severity 7.5
* @precision very-high
* @id cpp/openssl-heartbleed
* @tags security

View File

@@ -5,6 +5,7 @@
* the two operations.
* @kind problem
* @problem.severity warning
* @problem.security-severity 7.0
* @precision medium
* @id cpp/toctou-race-condition
* @tags security

View File

@@ -4,6 +4,7 @@
* @id cpp/unsafe-create-process-call
* @kind problem
* @problem.severity error
* @problem.security-severity 7.8
* @precision medium
* @msrc.severity important
* @tags security
@@ -93,7 +94,7 @@ class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Confi
bindingset[s]
predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted
s.regexpMatch("\"([^\"])*\"[\\s\\S]*") // The first element (path) is quoted
or
s.regexpMatch("[^\\s]+") // There are no spaces in the string
}

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/incorrect-string-type-conversion
* @problem.severity error
* @problem.security-severity 9.8
* @precision high
* @tags security
* external/cwe/cwe-704

View File

@@ -3,6 +3,7 @@
* @description Creating a file that is world-writable can allow an attacker to write to the file.
* @kind problem
* @problem.severity warning
* @problem.security-severity 7.8
* @precision medium
* @id cpp/world-writable-file-creation
* @tags security

View File

@@ -7,6 +7,7 @@
* @id cpp/unsafe-dacl-security-descriptor
* @kind problem
* @problem.severity error
* @problem.security-severity 7.8
* @precision high
* @tags security
* external/cwe/cwe-732

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition
* @problem.severity warning
* @problem.security-severity 7.5
* @tags security
* external/cwe/cwe-835
*/

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/redundant-null-check-param
* @problem.severity recommendation
* @problem.security-severity 7.5
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/late-check-of-function-argument
* @problem.severity warning
* @problem.security-severity 8.6
* @precision medium
* @tags correctness
* security

View File

@@ -3,6 +3,7 @@
* @description Use of one of the scanf functions without a specified length.
* @kind problem
* @problem.severity warning
* @problem.security-severity 9.8
* @id cpp/memory-unsafe-function-scan
* @tags reliability
* security

View File

@@ -3,6 +3,7 @@
* @description Using a multiplication result that may overflow in the size of an allocation may lead to buffer overflows when the allocated memory is used.
* @kind path-problem
* @problem.severity warning
* @problem.security-severity 8.1
* @precision low
* @tags security
* correctness

View File

@@ -6,6 +6,7 @@
* from these methods is not checked.
* @kind problem
* @problem.severity recommendation
* @problem.security-severity 9.8
* @id cpp/drop-linux-privileges-outoforder
* @tags security
* external/cwe/cwe-273

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/memory-leak-on-failed-call-to-realloc
* @problem.severity warning
* @problem.security-severity 7.5
* @precision medium
* @tags correctness
* security

View File

@@ -72,9 +72,9 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
}
/**
* Holds if `(std::nothrow)` exists in call `operator new`.
* Holds if `(std::nothrow)` or `(std::noexcept)` exists in call `operator new`.
*/
predicate isExistsNothrow() { this.getAChild().toString() = "nothrow" }
predicate isExistsNothrow() { getTarget().isNoExcept() or getTarget().isNoThrow() }
}
from WrongCheckErrorOperatorNew op

View File

@@ -0,0 +1,4 @@
if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
...
if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
...

View File

@@ -0,0 +1,28 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
</overview>
<recommendation>
<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
</recommendation>
<example>
<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
</example>
<references>
<li>
CWE Common Weakness Enumeration:
<a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
</li>
</references>
</qhelp>

View File

@@ -0,0 +1,78 @@
/**
* @name Errors When Using Bit Operations
* @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an
* operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing.
* @kind problem
* @id cpp/errors-when-using-bit-operations
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-691
*/
import cpp
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/**
* Dangerous uses of bit operations.
* For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
* In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
*/
class DangerousBitOperations extends BinaryBitwiseOperation {
FunctionCall bfc;
/**
* The assignment indicates the conscious use of the bit operator.
* Use in comparison, conversion, or return value indicates conscious use of the bit operator.
* The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
*/
DangerousBitOperations() {
bfc = this.getRightOperand() and
not this.getParent*() instanceof Assignment and
not this.getParent*() instanceof Initializer and
not this.getParent*() instanceof ReturnStmt and
not this.getParent*() instanceof EqualityOperation and
not this.getParent*() instanceof UnaryLogicalOperation and
not this.getParent*() instanceof BinaryLogicalOperation and
not this.getAChild*() instanceof BitwiseXorExpr and
not this.getAChild*() instanceof LShiftExpr and
not this.getAChild*() instanceof RShiftExpr
}
/** Holds when part of a bit expression is used in a logical operation. */
predicate useInLogicalOperations() {
exists(BinaryLogicalOperation blop, Expr exp |
blop.getAChild*() = exp and
exp.(FunctionCall).getTarget() = bfc.getTarget() and
not exp.getParent() instanceof ComparisonOperation and
not exp.getParent() instanceof BinaryBitwiseOperation
)
}
/** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
predicate useInOtherCalls() {
bfc.hasQualifier() or
bfc.getTarget() instanceof Operator or
exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
bfc.getTarget() instanceof BuiltInFunction
}
/** Holds when the bit expression contains both arguments and a function call. */
predicate dangerousArgumentChecking() {
not this.getLeftOperand() instanceof Call and
globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument())
}
/** Holds when function calls are present in the bit expression. */
predicate functionCallsInBitsExpression() {
this.getLeftOperand().getAChild*() instanceof FunctionCall
}
}
from DangerousBitOperations dbo
where
not dbo.useInOtherCalls() and
dbo.useInLogicalOperations() and
(not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
select dbo, "This bitwise operation appears in a context where a Boolean operation is expected."

View File

@@ -0,0 +1,11 @@
if(len=funcReadData()==0) return 1; // BAD: variable `len` will not equal the value returned by function `funcReadData()`
...
if((len=funcReadData())==0) return 1; // GOOD: variable `len` equal the value returned by function `funcReadData()`
...
bool a=true;
a++;// BAD: variable `a` does not change its meaning
bool b;
b=-a;// BAD: variable `b` equal `true`
...
a=false;// GOOD: variable `a` equal `false`
b=!a;// GOOD: variable `b` equal `false`

View File

@@ -0,0 +1,28 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Finding places of confusing use of boolean type. For example, a unary minus does not work before a boolean type and an increment always gives true.</p>
</overview>
<recommendation>
<p>we recommend making the code simpler.</p>
</recommendation>
<example>
<p>The following example demonstrates erroneous and fixed methods for using a boolean data type.</p>
<sample src="OperatorPrecedenceLogicErrorWhenUseBoolType.c" />
</example>
<references>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP00-C.+Use+parentheses+for+precedence+of+operation">EXP00-C. Use parentheses for precedence of operation</a>.
</li>
</references>
</qhelp>

View File

@@ -0,0 +1,54 @@
/**
* @name Operator Precedence Logic Error When Use Bool Type
* @description --Finding places of confusing use of boolean type.
* --For example, a unary minus does not work before a boolean type and an increment always gives true.
* @kind problem
* @id cpp/operator-precedence-logic-error-when-use-bool-type
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-783
* external/cwe/cwe-480
*/
import cpp
import semmle.code.cpp.valuenumbering.HashCons
/** Holds if `exp` increments a boolean value. */
predicate incrementBoolType(IncrementOperation exp) {
exp.getOperand().getType() instanceof BoolType
}
/** Holds if `exp` applies the unary minus operator to a boolean type. */
predicate revertSignBoolType(UnaryMinusExpr exp) {
exp.getAnOperand().getType() instanceof BoolType and
exp.getFullyConverted().getType() instanceof BoolType
}
/** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
predicate assignBoolType(Expr exp) {
exists(ComparisonOperation co |
exp.(AssignExpr).getRValue() = co and
exp.isCondition() and
not co.isParenthesised() and
not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
not exists(Expr exbl |
hashCons(exbl.(AssignExpr).getLValue()) = hashCons(exp.(AssignExpr).getLValue()) and
not exbl.isCondition() and
exbl.(AssignExpr).getRValue().getType() instanceof BoolType and
exbl.(AssignExpr).getLValue().getType() = exp.(AssignExpr).getLValue().getType()
) and
co.getLeftOperand() instanceof FunctionCall and
not co.getRightOperand().getType() instanceof BoolType and
not co.getRightOperand().getValue() = "0" and
not co.getRightOperand().getValue() = "1"
)
}
from Expr exp
where
incrementBoolType(exp) or
revertSignBoolType(exp) or
assignBoolType(exp)
select exp, "this expression needs attention"

View File

@@ -3,7 +3,7 @@
* @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
* If terminal zero is present, then the specified expression is meaningless.
* @kind problem
* @id cpp/access-memory-location-after-end-buffer
* @id cpp/access-memory-location-after-end-buffer-strlen
* @problem.severity warning
* @precision medium
* @tags correctness

View File

@@ -2,7 +2,7 @@
* @name Access Of Memory Location After The End Of A Buffer Using Strncat
* @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
* @kind problem
* @id cpp/access-memory-location-after-end-buffer
* @id cpp/access-memory-location-after-end-buffer-strncat
* @problem.severity warning
* @precision medium
* @tags correctness
@@ -11,54 +11,32 @@
*/
import cpp
import semmle.code.cpp.models.implementations.Strcat
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/**
* A call to `strncat` of the form `strncat(buff, str, someExpr - strlen(buf))`, for some expression `someExpr` equal to `sizeof(buff)`.
* Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
* destination arguments, respectively.
*/
class WrongCallStrncat extends FunctionCall {
Expr leftsomeExpr;
WrongCallStrncat() {
this.getTarget().hasGlobalOrStdName("strncat") and
// the expression of the first argument in `strncat` and `strnlen` is identical
globalValueNumber(this.getArgument(0)) =
globalValueNumber(this.getArgument(2).(SubExpr).getRightOperand().(StrlenCall).getStringExpr()) and
// using a string constant often speaks of manually calculating the length of the required buffer.
(
not this.getArgument(1) instanceof StringLiteral and
not this.getArgument(1) instanceof CharLiteral
) and
// for use in predicates
leftsomeExpr = this.getArgument(2).(SubExpr).getLeftOperand()
}
/**
* Holds if the left side of the expression `someExpr` equal to `sizeof(buf)`.
*/
predicate isExpressionEqualSizeof() {
// the left side of the expression `someExpr` is `sizeof(buf)`.
globalValueNumber(this.getArgument(0)) =
globalValueNumber(leftsomeExpr.(SizeofExprOperator).getExprOperand())
or
// value of the left side of the expression `someExpr` equal `sizeof(buf)` value, and `buf` is array.
leftsomeExpr.getValue().toInt() = this.getArgument(0).getType().getSize()
}
/**
* Holds if the left side of the expression `someExpr` equal to variable containing the length of the memory allocated for the buffer.
*/
predicate isVariableEqualValueSizegBuffer() {
// the left side of expression `someExpr` is the variable that was used in the function of allocating memory for the buffer`.
exists(AllocationExpr alc |
leftsomeExpr.(VariableAccess).getTarget() =
alc.(FunctionCall).getArgument(0).(VariableAccess).getTarget()
)
}
predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
exists(StrcatFunction strcat |
strcat = call.getTarget() and
sizeArg = call.getArgument(strcat.getParamSize()) and
destArg = call.getArgument(strcat.getParamDest())
)
}
from WrongCallStrncat sc
from FunctionCall call, Expr sizeArg, Expr destArg, SubExpr sub, int n
where
sc.isExpressionEqualSizeof() or
sc.isVariableEqualValueSizegBuffer()
select sc, "if the used buffer is full, writing out of the buffer is possible"
interestringCallWithArgs(call, sizeArg, destArg) and
// The destination buffer is an array of size n
destArg.getUnspecifiedType().(ArrayType).getSize() = n and
// The size argument is equivalent to a subtraction
globalValueNumber(sizeArg).getAnExpr() = sub and
// ... where the left side of the subtraction is the constant n
globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
// ... and the right side of the subtraction is a call to `strlen` where the argument is the
// destination buffer.
globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
globalValueNumber(destArg).getAnExpr()
select call, "Possible out-of-bounds write due to incorrect size argument."

View File

@@ -1,12 +0,0 @@
/**
* @name Defect filter
* @description Only include results in large files (200) lines of code, and change the message.
* @tags filter
*/
import cpp
import external.DefectFilter
from DefectResult res
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
select res, "Large files: " + res.getMessage()

View File

@@ -1,18 +0,0 @@
/**
* @name Defect from external data
* @description Insert description here...
* @kind problem
* @problem.severity warning
* @tags external-data
*/
import cpp
import external.ExternalArtifact
from ExternalData d, File u
where
d.getQueryPath() = "external-data.ql" and
u.getShortName() = d.getField(0)
select u,
d.getField(5) + ", " + d.getFieldAsDate(1) + ", " + d.getField(2) + ", " + d.getFieldAsFloat(3) +
", " + d.getFieldAsInt(4) + ": " + d.getNumFields()

View File

@@ -1,12 +0,0 @@
/**
* @name Metric filter
* @description Only include results in large files (200) lines of code.
* @tags filter
*/
import cpp
import external.MetricFilter
from MetricResult res
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
select res, res.getValue()

View File

@@ -1,16 +0,0 @@
/**
* @name Filter: exclude results from files that are autogenerated
* @description Use this filter to return results only if they are
* located in files that are maintained manually.
* @kind problem
* @id cpp/autogenerated-filter
* @tags filter
*/
import cpp
import semmle.code.cpp.AutogeneratedFile
import external.DefectFilter
from DefectResult res
where not res.getFile() instanceof AutogeneratedFile
select res, res.getMessage()

View File

@@ -1,16 +0,0 @@
/**
* @name Metric filter: exclude results from files that are autogenerated
* @description Use this filter to return results only if they are
* located in files that are maintained manually.
* @kind treemap
* @id cpp/autogenerated-for-metric-filter
* @tags filter
*/
import cpp
import semmle.code.cpp.AutogeneratedFile
import external.MetricFilter
from MetricResult res
where not res.getFile() instanceof AutogeneratedFile
select res, res.getValue()

View File

@@ -1,16 +0,0 @@
/**
* @name Filter: exclude results from files for which we do not have
* source code
* @description Use this filter to return results only if they are
* located in files for which we have source code.
* @kind problem
* @id cpp/from-source-filter
* @tags filter
*/
import cpp
import external.DefectFilter
from DefectResult res
where res.getFile().fromSource()
select res, res.getMessage()

View File

@@ -1,36 +0,0 @@
/**
* @name Filter: exclude results on lines covered by a macro expansion
* @description Use this filter to return results only when there is no
* macro expansion whose location spans all the lines of
* the result's location.
* @kind problem
* @id cpp/macros-filter
* @tags filter
*/
import cpp
import external.DefectFilter
predicate macroLocation(File f, int startLine, int endLine) {
exists(MacroInvocation mi, Location l |
l = mi.getLocation() and
l.getFile() = f and
l.getStartLine() = startLine and
l.getEndLine() = endLine
)
}
predicate macroCovering(DefectResult r) {
exists(File f, int macroStart, int macroEnd, int defectStart, int defectEnd |
f = r.getFile() and
defectStart = r.getStartLine() and
defectEnd = r.getEndLine() and
macroLocation(f, macroStart, macroEnd) and
macroStart <= defectStart and
macroEnd >= defectEnd
)
}
from DefectResult res
where not macroCovering(res)
select res, res.getMessage()

View File

@@ -91,16 +91,17 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
// `e` is a call to a release function and `released` is the released argument
releaseExpr(e, released, kind)
or
exists(Function f, int arg |
exists(int arg, VariableAccess access, Function f |
// `e` is a call to a function that releases one of it's parameters,
// and `released` is the corresponding argument
(
e.(FunctionCall).getTarget() = f or
e.(FunctionCall).getTarget().(MemberFunction).getAnOverridingFunction+() = f
) and
access = f.getParameter(arg).getAnAccess() and
e.(FunctionCall).getArgument(arg) = released and
exprReleases(_,
exprOrDereference(globalValueNumber(f.getParameter(arg).getAnAccess()).getAnExpr()), kind)
pragma[only_bind_into](exprOrDereference(globalValueNumber(access).getAnExpr())), kind)
)
or
exists(Function f, ThisExpr innerThis |
@@ -112,7 +113,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
) and
e.(FunctionCall).getQualifier() = exprOrDereference(released) and
innerThis.getEnclosingFunction() = f and
exprReleases(_, globalValueNumber(innerThis).getAnExpr(), kind)
exprReleases(_, pragma[only_bind_into](globalValueNumber(innerThis).getAnExpr()), kind)
)
}

View File

@@ -72,6 +72,7 @@ class Location extends @location {
}
/** Holds if `this` comes on a line strictly before `l`. */
pragma[inline]
predicate isBefore(Location l) {
this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine()
}

Some files were not shown because too many files have changed in this diff Show More