Compare commits

...

486 Commits

Author SHA1 Message Date
Esben Sparre Andreasen
bd63f99015 change query id 2021-11-17 15:54:07 +01:00
Taus
b2e4276bc8 Merge pull request #6886 from aschackmull/java-python/perffix-transitive-step-x3
Java/Python: Fix some potential performance problems due to transitive deltas.
2021-10-15 11:06:35 +02:00
Tom Hvitved
86b1305e35 Merge pull request #6883 from hvitved/csharp/inline-expectations
C#: Adopt inline test expectations framework
2021-10-15 09:33:22 +02:00
Anders Schack-Mulligen
4de1deefc4 Merge pull request #6889 from tausbn/java-fix-import-order
Java: Fix import order in `SignAnalysisSpecific`
2021-10-15 09:17:50 +02:00
Anders Schack-Mulligen
0b82289950 Merge pull request #6828 from zbazztian/adjust-jsp-locations
Adjust locations of results in JSP files
2021-10-15 08:28:11 +02:00
Taus
a9c5fd2cc0 Java: Fix import order in SignAnalysisSpecific 2021-10-14 15:51:56 +00:00
Anders Schack-Mulligen
eb0a88d39c Merge pull request #6885 from aschackmull/java/perffix-transitve-step
Java: Fix performance problem due to transitive step.
2021-10-14 16:51:51 +02:00
Anders Schack-Mulligen
f6a517c998 Merge pull request #6882 from MathiasVP/fix-unnecessary-exists
C++/Python: Remove unnecessary `exists`
2021-10-14 16:44:05 +02:00
Anders Schack-Mulligen
310eec07c1 Java/Python: Fix some potential performance problems due to transitive deltas. 2021-10-14 16:10:00 +02:00
Anders Schack-Mulligen
cb5f2559ea Java: Fix performance problem due to transitive step. 2021-10-14 15:54:54 +02:00
Tom Hvitved
083214f85a C#: Use inline test expectations for FieldFlow.ql 2021-10-14 15:22:21 +02:00
Tom Hvitved
ed6a182cd1 C#: Adopt inline test expectations framework 2021-10-14 15:22:21 +02:00
Anders Schack-Mulligen
8b6baa250c Merge pull request #6878 from aschackmull/remove-singleton-setliteral
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
2021-10-14 14:53:05 +02:00
Rasmus Wriedt Larsen
7cd5e681dd Merge pull request #6693 from yoff/python/promote-regex-injection
Python: Promote `py/regex-injection`
2021-10-14 14:49:05 +02:00
Mathias Vorreiter Pedersen
47a85bbb1d Merge pull request #6869 from MathiasVP/fix-prefix/suffix-equality
Java/JS/Python: Replace '.prefix'/'.suffix' with '.matches'
2021-10-14 13:47:03 +01:00
Rasmus Wriedt Larsen
a5ab0b9100 Merge pull request #6871 from tausbn/python-fix-uses-of-implicit-this
Python: Fix uses of "implicit `this`"
2021-10-14 14:38:13 +02:00
Anders Schack-Mulligen
10d6803b05 Merge pull request #6880 from hvitved/csharp/explicit-this
C#: Add explicit `this` qualifiers
2021-10-14 13:31:04 +02:00
Mathias Vorreiter Pedersen
8049d3f738 Python: Remove unnecessary 'exists'. 2021-10-14 12:02:57 +01:00
Mathias Vorreiter Pedersen
69ed7c543f C++: Remove unnecessary 'exists'. 2021-10-14 11:59:59 +01:00
Tom Hvitved
f5420333e2 Sync shared files 2021-10-14 11:49:02 +02:00
Anders Schack-Mulligen
57cb300759 C++/C#/Java/JavaScript/Python: Remove singleton set literals. 2021-10-14 11:34:22 +02:00
Erik Krogh Kristensen
a358a192c4 add explicit this to all calls to class predicates 2021-10-14 10:11:55 +02:00
Mathias Vorreiter Pedersen
a2371370ff Merge pull request #6865 from MathiasVP/fix-if-none
C++/C#/JS/Python: Replace 'if p() then q() else none()' with a conjunction
2021-10-13 19:47:55 +01:00
Mathias Vorreiter Pedersen
4991301f36 JS: Fix incorrect fix. 2021-10-13 19:45:02 +01:00
CodeQL CI
2b0415e238 Merge pull request #6741 from yoff/python/model-os-path-file-accesses
Approved by RasmusWL
2021-10-13 11:11:41 -07:00
Andrew Eisenberg
878203f1d0 Merge pull request #6862 from github/aeisenberg/tutorial
Move tutorial directly into each qlpack
2021-10-13 09:29:37 -07:00
Andrew Eisenberg
0d1632a5d2 Move tutorial directly into each qlpack
Previously, the tutorial was injected during build time. This is much
simpler.
2021-10-13 08:37:04 -07:00
Anders Schack-Mulligen
169cc75c88 Merge pull request #6840 from aschackmull/java/misc-perf
Java: Fix some performance issues.
2021-10-13 15:53:49 +02:00
Taus
a6115687aa Python: More implicit this 2021-10-13 13:43:37 +00:00
Taus
a9c8163ab3 Python: Fix uses of implicit this
Quoting the style guide:

"14. _Always_ qualify _calls_ to predicates of the same class with
`this`."
2021-10-13 13:43:36 +00:00
Philip Ginsbach
a204b7f3e7 Merge pull request #6866 from github/ginsbach/MoreInstanceofExtensions
more instanceof extensions
2021-10-13 14:21:50 +01:00
Jonas Jensen
c215838531 Merge pull request #6867 from nickrolfe/mergeback
Merge rc/3.3 into main
2021-10-13 15:19:18 +02:00
Mathias Vorreiter Pedersen
6ece3c2b46 Merge pull request #6870 from jbj/cp-fixes
C++: Fix potential Cartesian products
2021-10-13 14:15:33 +01:00
Jonas Jensen
e80c1ad91f C++: Fix resource-not-released-in-destructor CP
By moving a disjunct outside the scope of an `exists(Function f`
variable it doens't use, the code becomes clearer and can be optimized
better.

The CP in the QL code did not lead to a CP at evaluation time since the
optimizer was smart enough to compensate for it:

    376161  ~37597630%     {0} r1 = SCAN functions OUTPUT {}
    1       ~0%            {0} r2 = STREAM DEDUP r1

Before this change, the largest tuple count in `leakedInSameMethod` on
bitcoin/bitcoin was 2M. Now it's 400k.
2021-10-13 14:24:26 +02:00
Mathias Vorreiter Pedersen
a80860cdc6 Python: Replace '.prefix'/'.suffix' with '.matches'. 2021-10-13 13:23:12 +01:00
Mathias Vorreiter Pedersen
f3bb0a676e JS: Replace '.prefix'/'.suffix' with '.matches'. 2021-10-13 13:23:07 +01:00
Mathias Vorreiter Pedersen
d85d009a54 Java: Replace '.prefix'/'.suffix' with '.matches'. 2021-10-13 13:19:06 +01:00
Jonas Jensen
955344e175 C++: Inline a predicate that contains CPs
The `overflows` predicate had quite severe Cartesian products. We didn't
see them in practice because magic saved us, but we can't rely on magic
in the future, so it seems better to inline this predicate.

Tuple counts and speed look good both before and after.
2021-10-13 14:11:47 +02:00
Philip Ginsbach
c9c0c7f24f fix formatting 2021-10-13 13:10:37 +01:00
Mathias Vorreiter Pedersen
bdc54bcda7 Python: Replace 'if p() then q() else none()' with a conjunction. 2021-10-13 12:13:55 +01:00
Mathias Vorreiter Pedersen
887849857d JS: Replace 'if p() then q() else none()' with a conjunction. 2021-10-13 12:13:55 +01:00
Mathias Vorreiter Pedersen
7690625114 C#: Replace 'if p() then q() else none()' with a conjunction. 2021-10-13 12:11:50 +01:00
Mathias Vorreiter Pedersen
ba981c525b C++: Replace 'if p() then q() else none()' with a conjunction. 2021-10-13 12:11:42 +01:00
Philip Ginsbach
6b9ddf1f65 Guard non-extending subtype of G::Guard 2021-10-13 11:44:22 +01:00
Philip Ginsbach
e3e741251f ParameterNode non-extending subtype of ParameterNodeImpl 2021-10-13 11:42:41 +01:00
Philip Ginsbach
aa656f7542 ArgumentNode non-extending subtype of ArgumentNodeImpl 2021-10-13 11:41:40 +01:00
Philip Ginsbach
4a0aac8505 SuppressionScope non-extending subtype of SuppressionComment 2021-10-13 11:40:32 +01:00
Philip Ginsbach
d0ecabad19 DataFlowCall non-extending subtype of Call 2021-10-13 11:39:25 +01:00
Anders Schack-Mulligen
d4fd8780e9 Merge pull request #6863 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-10-13 08:58:18 +02:00
Anders Schack-Mulligen
306388a6bc Update java/ql/src/Likely Bugs/Comparison/StringComparison.ql 2021-10-13 08:57:31 +02:00
github-actions[bot]
2f27a0c9f9 Add changed framework coverage reports 2021-10-13 00:09:35 +00:00
Andrew Eisenberg
8285878504 Merge pull request #6861 from github/aeisenberg/qlpack-defaultSuite
QlPacks: Add the defaultSuite to query packs that are missing it
2021-10-12 14:27:09 -07:00
Andrew Eisenberg
bbb2637bcc QlPacks: Add the defaultSuite to query packs that are missing it
Also, change some examples pack names from `codeql-lang-examples` to
`codeql/lang-examples`. This doesn't affect behaviour since internally,
the legacy name is converted to the modern name.
2021-10-12 11:54:50 -07:00
Rasmus Lerchedahl Petersen
83490e9a03 Python: update change note 2021-10-12 19:27:27 +02:00
Aditya Sharad
a517a05ca8 Merge pull request #6830 from github/henrymercer/report-extraction-errors-as-warnings
C++: Improve SARIF severity level reporting of extractor diagnostics
2021-10-12 09:59:27 -07:00
Anders Schack-Mulligen
0e5f89a03c Merge pull request #6463 from smowton/smowton/admin/gson-unsafe-deserialization
Java: add Gson support to unsafe-deserialization query
2021-10-12 16:15:27 +02:00
Mathias Vorreiter Pedersen
6853f491f4 Merge pull request #6794 from geoffw0/impropnullfp
C++: Improvements to cpp/improper-null-termination
2021-10-12 14:47:02 +01:00
Tom Hvitved
10739b11ee Merge pull request #6841 from hvitved/dataflow/incorrect-summary-chaining
Data flow: Add tests for missing summary flow
2021-10-12 15:44:21 +02:00
Rasmus Lerchedahl Petersen
6c108e43d9 Python: address review 2021-10-12 15:16:48 +02:00
Rasmus Lerchedahl Petersen
cf92e1eee7 Python: move getStringArgIndex 2021-10-12 15:11:00 +02:00
Chris Smowton
83c6406167 Update javadoc 2021-10-12 13:51:02 +01:00
Tom Hvitved
cc305ed766 Data flow: Sync 2021-10-12 14:37:33 +02:00
Tom Hvitved
296e268339 Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-10-12 14:28:32 +02:00
Chris Smowton
3c96e62be7 Remove duplicate declaration 2021-10-12 12:35:05 +01:00
Chris Smowton
8816aa1431 Improve Android stub fidelity to the point that all relevant tests work
Note these still aren't entirely mechanically generated stubs matching the real Android 9.
2021-10-12 12:35:05 +01:00
Chris Smowton
205b6fe6d7 Fix bad merge on Uri.java 2021-10-12 12:35:05 +01:00
Chris Smowton
5da392ebfe Introduce TaintInheritingContent 2021-10-12 12:35:05 +01:00
Chris Smowton
1afc03b9b5 Remove redundant import 2021-10-12 12:35:05 +01:00
Chris Smowton
9e0b112f05 Remove now-unnecessary models and tests 2021-10-12 12:35:05 +01:00
Chris Smowton
490168fb05 Fix comments 2021-10-12 12:35:05 +01:00
Chris Smowton
1dffbcd0bd Fix tests disrupted by re-modelling and stubbing Android 9:
* Account for changed dataflow graph shape using external flow
* Account for BaseBundle only existing as of Android 5
* Properly implement Parcelable, which we previously got away with due to a partial stub
* Restore an Android 11 function that had been added to the Android 9 Context class (I won't get into enforcing the difference in this PR)
2021-10-12 12:35:05 +01:00
Chris Smowton
81c0e66b1d Add change note and update qhelp 2021-10-12 12:35:05 +01:00
Chris Smowton
fc0b18cf61 Add tests for Android flow steps 2021-10-12 12:35:05 +01:00
Chris Smowton
cd2c9e9ca3 Add Gson support to unsafe deserialization query 2021-10-12 12:35:04 +01:00
Anders Schack-Mulligen
6b4ca31783 Merge pull request #6849 from Marcono1234/marcono1234/improvements
Java: Serialization query improvements
2021-10-12 13:30:45 +02:00
Shati Patel
1c3239972c Merge pull request #6854 from shati-patel/packaging-beta-note
Docs: Update beta note for packaging
2021-10-12 10:33:59 +01:00
Taus
75c4d6a8a0 Merge pull request #6650 from yoff/python-dataflow/init-time
Python: Import time dataflow
2021-10-12 11:31:03 +02:00
Rasmus Lerchedahl Petersen
61008fd3d0 Merge branch 'main' of github.com:github/codeql into python/promote-regex-injection 2021-10-12 11:28:12 +02:00
Rasmus Lerchedahl Petersen
b093aaaf27 Python: switch to type tracking
for tracking compiled regexes
2021-10-12 11:23:27 +02:00
yoff
43f7eede0b Merge pull request #6182 from haby0/python/LogInjection
Python: CWE-117 Log injection
2021-10-12 10:54:45 +02:00
yoff
c007c9460c Merge pull request #6843 from RasmusWL/dataflow-bool-expr
Python: Add data-flow for `x or y` and `x and y`
2021-10-12 10:40:54 +02:00
Rasmus Lerchedahl Petersen
f34d1ee997 Python: Update test expectation following rename 2021-10-12 10:36:18 +02:00
Tom Hvitved
97bbb12e06 Merge pull request #6838 from hvitved/csharp/enumerate-files-dir-not-found
C#: Make `GetCSharpArgsLogs` robust against log directory not existing
2021-10-12 10:00:27 +02:00
haby0
d52f95d24d Auto Formatting 2021-10-12 09:36:44 +08:00
Mathias Vorreiter Pedersen
df8c399efb Merge pull request #6710 from ihsinme/ihsinme-patch-70
CPP: Add query for CWE-1041 Use of Redundant Code
2021-10-11 17:17:01 +01:00
ihsinme
4334acb6f2 Update FindWrapperFunctions.qhelp 2021-10-11 18:40:03 +03:00
yoff
0629ce00de Merge pull request #6214 from haby0/python/ClientSuppliedIpUsedInSecurityCheck
[Python] CWE-348:  Client supplied ip used in security check
2021-10-11 16:38:04 +02:00
Geoffrey White
ac6acfb660 C++: Use data flow. 2021-10-11 15:36:00 +01:00
Owen Mansel-Chan
058a04f756 Merge pull request #6795 from owen-mc/inline-expectation-test-trivial-change
Change class name in InlineExpectationTest to avoid clash
2021-10-11 15:35:17 +01:00
shati-patel
c7fbddce54 Docs: Update beta note for packaging 2021-10-11 15:02:25 +01:00
Marcono1234
ba0dbd5871 Java: Improve IncorrectSerializableMethods.ql; address review comments 2021-10-11 14:29:10 +02:00
Rasmus Lerchedahl Petersen
19f6cc00c8 Python: rewrite import time test 2021-10-11 14:28:25 +02:00
yoff
5aee715931 Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-10-11 13:00:21 +02:00
Tom Hvitved
68ea3e7b49 Data flow: Add debugging predicates for rendering data flow graphs for summarized callables 2021-10-11 11:29:08 +02:00
Tom Hvitved
d5955f1ae1 Java: Add test for missing summary flow 2021-10-11 11:29:08 +02:00
Tom Hvitved
30bf2aade4 C#: Add test for missing summary flow 2021-10-11 11:29:08 +02:00
Tom Hvitved
61973c399e C#: Make GetCSharpArgsLogs robust against log directory not existing 2021-10-11 11:28:49 +02:00
Tom Hvitved
c75e2d306d Merge pull request #6852 from hvitved/csharp/interpret-element0-bad-magic
C#: Avoid bad magic in `interpretElement0`
2021-10-11 11:27:35 +02:00
haby0
c2d0fcfbe6 Update python/ql/test/experimental/query-tests/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-10-11 16:46:02 +08:00
haby0
29ddc76e2f Update python/ql/test/experimental/query-tests/Security/CWE-117/LogInjection.expected
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-10-11 16:43:30 +08:00
Rasmus Wriedt Larsen
8444388ec7 Python: Update .expected 2021-10-11 09:48:56 +02:00
Rasmus Wriedt Larsen
1552c108b0 Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-10-11 09:34:15 +02:00
Tom Hvitved
b05d76a131 C#: Avoid bad magic in interpretElement0 2021-10-11 09:30:52 +02:00
Tony Torralba
0919746f1a Merge pull request #6844 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-10-11 09:25:46 +02:00
github-actions[bot]
ea0a0522a7 Add changed framework coverage reports 2021-10-11 00:08:32 +00:00
Marcono1234
a7670fbcab Java: Enhance IncorrectSerializableMethods.ql 2021-10-11 02:05:53 +02:00
Marcono1234
12936ff5fe Java: Fix IncorrectSerializableMethods.ql using wrong readObject signature 2021-10-11 02:05:53 +02:00
Marcono1234
b009886664 Java: Add TypeObjectInputStream 2021-10-11 02:05:50 +02:00
Marcono1234
a74d423d82 Java: Improve AnnotationPresentCheck.ql 2021-10-11 01:03:46 +02:00
Rasmus Lerchedahl Petersen
64b1aeaecd Python: Shorten toString for module vars 2021-10-10 15:59:31 +02:00
Rasmus Lerchedahl Petersen
0aa632d149 Python: Move writing of module vars
into runtime jump steps.
2021-10-10 15:49:33 +02:00
yoff
9c9c5c09ff Merge pull request #6837 from RasmusWL/more-unsafe-deserialization-sinks
Python: More unsafe deserialization sinks
2021-10-10 14:33:53 +02:00
yoff
f6122c8a6c Merge pull request #6734 from erik-krogh/regBehind
JS/PY: do not filter away regular expressions with lookbehinds
2021-10-10 13:54:26 +02:00
Henry Mercer
5b26d41d27 C++: Improve SARIF severity level reporting of extractor diagnostics 2021-10-08 17:53:55 +01:00
Rasmus Wriedt Larsen
a50b193c40 Python: Model data-flow for x or y and x and y 2021-10-08 18:32:30 +02:00
Rasmus Wriedt Larsen
15476c2513 Python: Add data-flow tests for BoolExp
> 6.11. Boolean operations

> The expression x and y first evaluates x; if x is false, its value is
> returned; otherwise, y is evaluated and the resulting value is
> returned.

> The expression x or y first evaluates x; if x is true, its value is
> returned; otherwise, y is evaluated and the resulting value is
> returned.
2021-10-08 18:29:06 +02:00
Geoffrey White
79f13cae55 Merge pull request #6839 from geoffw0/toctoufp
CPP: Add test cases for cpp/toctou-race-condition
2021-10-08 16:15:00 +01:00
Rasmus Lerchedahl Petersen
705970cedd Python: Update tests to use correct tag 2021-10-08 16:57:36 +02:00
Cornelius Riemenschneider
84883d115d Merge pull request #6813 from adityasharad/docs/database-create-bazel
CLI docs: Add example for creating a database using a Bazel build command
2021-10-08 16:56:10 +02:00
Rasmus Lerchedahl Petersen
8ba01abcd6 Merge branch 'python-dataflow/init-time' of github.com:yoff/codeql into python-dataflow/init-time 2021-10-08 16:53:08 +02:00
Anders Schack-Mulligen
2185a654de Java: Fix some performance issues. 2021-10-08 15:53:14 +02:00
Anders Schack-Mulligen
5d0e72755d Merge pull request #6770 from aschackmull/java/stream-model
Java: Add models for java.util.stream.
2021-10-08 15:48:50 +02:00
Geoffrey White
1c56573194 C++: Add tests. 2021-10-08 14:30:27 +01:00
Geoffrey White
dd95131630 C++: Test spacing. 2021-10-08 14:28:42 +01:00
Rasmus Lerchedahl Petersen
4807f50c00 Merge branch 'main' of github.com:github/codeql into python-dataflow/init-time 2021-10-08 14:55:01 +02:00
ihsinme
8c42545d1c Update FindWrapperFunctions.qhelp 2021-10-08 13:10:36 +03:00
Rasmus Wriedt Larsen
fd0c386a4c Python: Add change-note 2021-10-08 12:06:18 +02:00
Rasmus Wriedt Larsen
5e6f042f6e Python: Model pickle.Unpickler 2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
75b06d8a25 Python: Model dill.load 2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
4820be3b10 Python: Model keyword arguments to dill.loads 2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
9180257afe Python: Refactor Dill.qll
So it matches the layout of all our other qll modules modeling a PyPI
package.
2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
f9333fc551 Python: Expand dill tests 2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
42980a1ab4 Python: Model shelve.open 2021-10-08 11:55:54 +02:00
Anders Schack-Mulligen
446c738f20 Merge pull request #6790 from aschackmull/dataflow/force-precision
Dataflow: Force high precision of certain Contents.
2021-10-08 11:44:26 +02:00
ihsinme
d79596354e Update cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-10-08 11:50:45 +03:00
Tom Hvitved
951df380a9 Merge pull request #6829 from hvitved/csharp/gvn-to-string-concat-range
C#: Speedup GVN string `concat`s by pulling ranges into separate predicates
2021-10-08 10:02:31 +02:00
Anders Schack-Mulligen
06e59f3b17 Merge pull request #6832 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-10-08 09:53:49 +02:00
Anders Schack-Mulligen
1bec58dee5 Dataflow: Fix more qldoc: s/accesspath/access path/. 2021-10-08 09:41:26 +02:00
github-actions[bot]
062250741a Add changed framework coverage reports 2021-10-08 00:08:55 +00:00
Rasmus Wriedt Larsen
a81d359669 Python: Model marshal.load 2021-10-07 21:27:51 +02:00
Rasmus Wriedt Larsen
1b61296ea5 Python: Model pickle.load 2021-10-07 21:25:48 +02:00
Rasmus Wriedt Larsen
27c368a444 Python: Model keyword arguments to pickle.loads 2021-10-07 21:24:12 +02:00
Rasmus Wriedt Larsen
3592b09d56 Python: Expand stdlib decoding tests
The part about claiming there is decoding of the input to `shelve.open`
is sort of an odd one, since it's not the filename, but the contents of
the file that is decoded.

However, trying to only handle this problem through path injection is
not enough -- if a user is able to upload and access files through
`shelve.open` in a path injection safe manner, that still leads to code
execution.

So right now the best way we have of modeling this is to treat the
filename argument as being deserialized...
2021-10-07 21:11:51 +02:00
Rasmus Wriedt Larsen
a31bf75169 Python: Refactor pickle.loads() modeling 2021-10-07 20:28:30 +02:00
Robert Marsh
2539e3247a Merge pull request #6814 from MathiasVP/fix-qldoc-in-copy-instruction
C++/C#: Fix QLDoc of `CopyInstruction`
2021-10-07 11:18:38 -07:00
Aditya Sharad
2ed572095c CLI docs: Address comments on Bazel example 2021-10-07 10:51:11 -07:00
yoff
933412eb8d Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-10-07 17:45:07 +02:00
Chris Smowton
9a80ab31c4 Merge pull request #6567 from luchua-bc/java/sensitive_android_file_leak
Java: CWE-200 - Query to detect exposure of sensitive information from android file intent
2021-10-07 15:19:39 +01:00
Chris Smowton
39640efc9b Remove no-longer-needed TaintPreservingCallables and update test expectations 2021-10-07 14:33:39 +01:00
Anders Schack-Mulligen
2b88a2aa0c Dataflow: Fix qldoc: s/accesspath/access path/. 2021-10-07 14:46:24 +02:00
Anders Schack-Mulligen
f885751107 Java: Add change note. 2021-10-07 14:42:19 +02:00
Tom Hvitved
764a987b09 C#: Speedup GVN string concats by pulling ranges into separate predicates 2021-10-07 13:51:05 +02:00
haby0
538bf7c321 Update python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-10-07 19:44:25 +08:00
Anders Schack-Mulligen
fc69acee46 Java: Add test. 2021-10-07 13:28:02 +02:00
Chris Smowton
b7448d55ed Introduce TaintInheritingContent instead of using parts of DataFlowPrivate 2021-10-07 11:20:19 +01:00
Henry Mercer
4b069d41f6 Merge pull request #6818 from github/henrymercer/js/add-classify-files-to-library-pack
JS: Move `ClassifyFiles.qll` to library pack
2021-10-07 11:18:20 +01:00
CodeQL CI
a0dd3d9e75 Merge pull request #6815 from asgerf/js/adjust-security-severity-scores
Approved by erik-krogh, esbena
2021-10-07 02:36:19 -07:00
Sebastian Bauersfeld
f651bc3668 Adjust locations of results in JSP files. This is necessary due to known limitations in VSCode which cause locations with zero character indices to be mapped to invalid ranges. This is hopefully a temporary workaround until this problem has been properly addressed. 2021-10-07 12:45:21 +07:00
Dave Bartolomeo
d8d9073bc2 Merge pull request #6826 from github/aeisenberg/add-library 2021-10-06 20:18:39 -04:00
Andrew Eisenberg
e2b1f6ac50 Packaging: Add library flag to upgrades packs
This flag was missing. It should be there. Otherwise, this
pack cannot be built.
2021-10-06 14:29:55 -07:00
Dave Bartolomeo
0452512de2 Merge pull request #6820 from github/aeisenberg/gitignore
Ignore .codeql folder
2021-10-06 12:59:45 -04:00
Chris Smowton
f88c8a64a1 Copyedit 2021-10-06 17:37:21 +01:00
Chris Smowton
b33daa3d3a Update Intent model tests, and fix models where required 2021-10-06 17:09:47 +01:00
Chris Smowton
4be2347a30 Adapt to use the new shared Intent models 2021-10-06 16:15:18 +01:00
Henry Mercer
83cbc86f50 JS: Move ClassifyFiles.qll to library pack
This allows us to use this library in packs that depend on the
`codeql/javascript-all` library pack.
2021-10-06 16:08:06 +01:00
Andrew Eisenberg
c9c45808b4 Merge pull request #6819 from github/aeisenberg/javascript/fix-compile-errors
Fixes compile errors by moving files
2021-10-06 07:59:50 -07:00
Chris Smowton
91d8b3da23 Sort Intent models 2021-10-06 12:30:40 +01:00
Chris Smowton
f24e310ace Update test expectation details 2021-10-06 12:25:23 +01:00
Chris Smowton
ffdfc0549a Update comment 2021-10-06 12:17:49 +01:00
luchua-bc
987bfa6ca7 Update condition check and qldoc 2021-10-06 12:17:49 +01:00
luchua-bc
8c2fddb297 Update the condition check and use DataFlow in the ql file 2021-10-06 12:17:49 +01:00
Chris Smowton
b0e652a3af Remove AsyncTask models 2021-10-06 12:17:49 +01:00
Chris Smowton
9e0cf5a2fd Update test expectations to include subpaths 2021-10-06 12:17:49 +01:00
Chris Smowton
3607d50994 Update remote flow source locations 2021-10-06 12:17:46 +01:00
luchua-bc
02bfa1ca57 Optimize the query 2021-10-06 12:16:04 +01:00
luchua-bc
0621e65827 Query to detect exposure of sensitive information from android file intent 2021-10-06 12:16:04 +01:00
Anders Schack-Mulligen
d0b307ecfb Merge pull request #6103 from atorralba/atorralba/promote-insecure-javamail
Java: Promote Insecure JavaMail SSL Configuration from experimental
2021-10-06 09:24:11 +02:00
Anders Schack-Mulligen
9505846088 Merge pull request #6821 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-10-06 09:06:14 +02:00
github-actions[bot]
33ee947f8d Add changed framework coverage reports 2021-10-06 00:08:24 +00:00
Andrew Eisenberg
57ef989a89 Fixes compile errors by moving files
The two files moved in this commit are referenced from the
javascript/lib qlpack, but they are located in the
javascript/src qlpack. This causes compile errors when running
compile-ish commands for javascript queries. Moving the
files fixes it.
2021-10-05 14:00:02 -07:00
Andrew Eisenberg
0590e2a5fb Ignore .codeql folder 2021-10-05 13:42:36 -07:00
Chris Smowton
5b13232a9d Merge pull request #6739 from joefarebrother/android-intent-extra
Java: Model Android Bundle and Intent extras methods
2021-10-05 15:39:42 +01:00
Anders Schack-Mulligen
9133adac30 Java: Adjust csv validation. 2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
04892df45a Java: Include stream method overrides. 2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
af7d633f2f Java: Add Stream::mapMulti* and Stream::toList. 2021-10-05 13:13:28 +02:00
Anders Schack-Mulligen
ef80263106 Java: Add models for java.util.stream. 2021-10-05 13:13:27 +02:00
Anders Schack-Mulligen
5d63a76e25 Merge pull request #6797 from Marcono1234/marcono1234/remove-overwritten-NestedType-isStatic-qldoc
Java: Remove overwritten `NestedType.isStatic()` QLDoc
2021-10-05 13:05:53 +02:00
Joe Farebrother
b956238efa Fill in gen/get methods for tests 2021-10-05 12:01:25 +01:00
haby0
a17b0d4e5c Modify Sanitizer 2021-10-05 17:12:04 +08:00
Mathias Vorreiter Pedersen
b089e6d84e C++/C#: Fix QLDoc of 'CopyInstruction'. 2021-10-05 09:14:20 +01:00
Asger Feldthaus
3a20ca96c4 JS: Update CWE tags and severity score of code injection query
The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due
some differences in CWE tags, such as the inclusion of CWE-079.

We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
2021-10-05 10:12:19 +02:00
Asger Feldthaus
c4e8af983a JS: Update score and add CWE-730 to LoopBoundInjection
This is a denial-of-service query, but was missing the CWE-730 tag
("denial of service") and consequently had a lower score than the
other DoS queries.
2021-10-05 10:10:01 +02:00
Asger Feldthaus
682a71176d JS: Make TaintedFormatString have same severity as LogInjection
The CWE number for this query is associated with buffer overflows
from printf/scanf-style functions in C++, which has likely determined
its derived security score.

But in JavaScript, a tainted format string is unlikely to lead to
anything worse than log injection so we're manually update its score
to reflect this.
2021-10-05 10:10:01 +02:00
Asger Feldthaus
83ca4ef6d9 JS: Lower security-severity of queries with speculative threat model
In the CVSS calculator we model this by setting 'Attack Complexity' to
High and 'User Interaction' to Low (as opposed to None).

CVSS vector:
  CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
2021-10-05 10:10:01 +02:00
Tony Torralba
a86cbd884e Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-10-05 09:40:22 +02:00
Tony Torralba
3323f7ab1a Fix qhelp 2021-10-05 09:18:50 +02:00
Tony Torralba
9f54b1065a Apply suggestions from code review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2021-10-05 09:18:49 +02:00
Tony Torralba
9c1021134a Add some links to qhelp 2021-10-05 09:18:49 +02:00
Tony Torralba
2d1278ece5 Consider setStartTLSRequired for Apache SimpleEmail 2021-10-05 09:18:48 +02:00
Tony Torralba
baffb0ed89 Consider Jakarta Mail 2021-10-05 09:18:47 +02:00
Tony Torralba
a2e9c2f4ab Apply suggestions from code review
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-10-05 09:18:47 +02:00
Tony Torralba
c13bf2a2a1 Add change note 2021-10-05 09:18:46 +02:00
Tony Torralba
73653f77aa Use InlineExpectationsTest 2021-10-05 09:18:45 +02:00
Tony Torralba
8c6d58e6d8 Refactored into libraries 2021-10-05 09:18:44 +02:00
Tony Torralba
0e149f0523 Move from experimental 2021-10-05 09:18:44 +02:00
CodeQL CI
40d98ad678 Merge pull request #6789 from asgerf/js/restrict-package-exports
Approved by erik-krogh
2021-10-05 06:20:23 +01:00
Aditya Sharad
9913221010 CLI docs: Add example for creating a database using a Bazel build command
We have internal material on this subject, so it makes sense to have a reference example.
Bazel builds could be in any compiled language, so follow the pattern
of the generic build script example.
Include the build flags that we recommend to customers,
which turn off Bazel's caching and distributed behaviour
so that CodeQL can observe the entire build.
2021-10-04 11:08:43 -07:00
yoff
f230a37004 Merge pull request #6804 from tausbn/python-fix-bad-magic-in-conditionblock-controls
Python: Fix bad magic in `controls/2`
2021-10-04 19:16:06 +02:00
Geoffrey White
11b8d4191f C++: Repair .expected following merge. 2021-10-04 16:53:33 +01:00
Geoffrey White
2c64fa50d2 Merge branch 'main' into impropnullfp 2021-10-04 16:51:21 +01:00
Mathias Vorreiter Pedersen
7f7f90681f Merge pull request #6808 from MathiasVP/add-cwes-to-incorrect-allocation-handling
C++: Add more CWEs to 'cpp/incorrect-allocation-error-handling'.
2021-10-04 17:02:08 +02:00
Marcono1234
0bce8234d8 Java: Remove overwritten NestedType.isStatic() QLDoc
Did not mention nested non-member interfaces and record classes.
The documentation of the overridden `isStatic()` predicate already mentions
that this predicate holds for explicitly and implicitly static elements, so
overwriting it is not necessary and only adds more maintenance work.
2021-10-04 16:30:57 +02:00
Anders Schack-Mulligen
745ece6e6d Merge pull request #6613 from Marcono1234/marcono1234/literals-test-split
Java: Split literals tests
2021-10-04 16:20:08 +02:00
Mathias Vorreiter Pedersen
eac0222f2c C++: Add more CWEs to 'cpp/incorrect-allocation-error-handling'. 2021-10-04 15:15:40 +01:00
Tom Hvitved
70e41b180e Merge pull request #6800 from hvitved/csharp/constant-cond-tuple-discard
C#: Filter discards in tuples in `ConstantCondition.ql`
2021-10-04 14:38:45 +02:00
Tom Hvitved
9762ce706b Merge pull request #6799 from hvitved/csharp/dead-store-using-discard
C#: Filter using `var _ = ... results` from `DeadStoreOfLocal.ql`
2021-10-04 14:38:15 +02:00
Chris Smowton
041aff6bfd Merge pull request #6802 from atorralba/atorralba/fix-flowtestcasegenerator-folder
Java: Fix flow test case generator's folder name
2021-10-04 13:36:01 +01:00
Nick Rolfe
2a44cd8c98 Merge pull request #6803 from nickrolfe/cpp_upgrade_script
C++: add upgrade script for dbscheme comment changes
2021-10-04 13:31:13 +01:00
Taus
54aec7bb96 Python: Fix bad magic in controls/2
The changes to `ModificationOfParameterWithDefault.ql` and the use of
`ConditionBlock::controls` therein caused the `BasicBlock` argument to
get magicked in, resulting in the following antijoin for the `forall`:

```
[2021-10-04 12:07:46] (108s) Tuple counts for GuardedControlFlow::ConditionBlock::controls_dispred#fbf#antijoin_rhs/5@d84e94 after 1m44s:
201222345 ~7%     {5} r1 = JOIN GuardedControlFlow::ConditionBlock::controls_dispred#fbf#shared#2 WITH Flow::BasicBlock::getASuccessor_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.0 'arg1', Rhs.1 'arg4', Lhs.1 'arg0', Lhs.2 'arg2', Lhs.3 'arg3'
200599933 ~4%     {5} r2 = JOIN r1 WITH Flow::BasicBlock::dominates#ff ON FIRST 2 OUTPUT Lhs.2 'arg0', Lhs.0 'arg1', Lhs.3 'arg2', Lhs.4 'arg3', Lhs.1 'arg4'

0         ~0%     {4} r3 = JOIN GuardedControlFlow::ConditionBlock::controls_dispred#fbf#shared#1 WITH GuardedControlFlow::ConditionBlock#class#f ON FIRST 1 OUTPUT Lhs.0 'arg3', Lhs.2 'arg1', Lhs.1 'arg0', false

0         ~0%     {4} r4 = JOIN GuardedControlFlow::ConditionBlock::controls_dispred#fbf#shared WITH GuardedControlFlow::ConditionBlock#class#f ON FIRST 1 OUTPUT Lhs.0 'arg3', Lhs.2 'arg1', Lhs.1 'arg0', true

0         ~0%     {4} r5 = r3 UNION r4
0         ~0%     {5} r6 = JOIN r5 WITH Flow::BasicBlock::getASuccessor_dispred#ff ON FIRST 2 OUTPUT Lhs.2 'arg0', Lhs.1 'arg1', Lhs.3 'arg2', Lhs.0 'arg3', Rhs.0

200599933 ~4%     {5} r7 = r2 UNION r6
                return r7
```
(cancelled)

I observed that quick-eval'ing the `controls` predicate exhibit no such
bad join order (and terminated quickly) which lead me to conclude that
this was a case of bad magic.

Adding the `pragma[nomagic]` resulted in a return to the previous
performance.
2021-10-04 12:16:53 +00:00
Tony Torralba
064aba810b Remove hyphens from the flow testcase generator folder name
So that it can be imported from the autogenerated query `gen.ql`
2021-10-04 13:31:07 +02:00
Nick Rolfe
5aec84b672 C++: add upgrade script for dbscheme comment changes 2021-10-04 12:30:42 +01:00
Asger Feldthaus
cbd577694c JS: Autoformat 2021-10-04 13:30:15 +02:00
Tom Hvitved
a315640082 C#: Address review comments 2021-10-04 13:15:26 +02:00
Tom Hvitved
f06632a8e7 C#: Filter discards in tuples in ConstantCondition.ql 2021-10-04 13:04:18 +02:00
Rasmus Lerchedahl Petersen
aa91c26792 Python: Add missing taint steps 2021-10-04 12:12:07 +02:00
yoff
4521a9fdf0 Update python/ql/lib/semmle/python/frameworks/Stdlib.qll
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-10-04 11:36:53 +02:00
Anders Schack-Mulligen
65a4f36cf8 Merge pull request #6767 from aschackmull/dataflow/callback-postupdate
Dataflow: Support side-effects for callbacks in summaries.
2021-10-04 11:13:18 +02:00
Tom Hvitved
70b9b002cb C#: Add change note 2021-10-04 10:48:07 +02:00
Tom Hvitved
682a2aae3a C#: Filter using var _ = ... results from DeadStoreOfLocal.ql 2021-10-04 10:45:44 +02:00
Jonas Jensen
ce27acd099 Merge pull request #6793 from MathiasVP/add-return-value-deref-to-model-util
C++: Handle return value dereferences in `ModelUtil.qll`
2021-10-04 09:22:52 +02:00
Marcono1234
fb1385b3e8 Java: Fix formatting of SpuriousJavadocParam.java 2021-10-03 00:13:36 +02:00
Owen Mansel-Chan
938d003e5e Fix example to use space after $ for consistency 2021-10-02 08:11:49 +01:00
Owen Mansel-Chan
25792b2a45 Change class name to avoid clash with Go and Javascript libraries 2021-10-02 08:04:17 +01:00
Mathias Vorreiter Pedersen
cc8b581c06 C++: Accept test changes. 2021-10-01 22:23:17 +02:00
Mathias Vorreiter Pedersen
cca77ed65c Merge branch 'main' into add-return-value-deref-to-model-util 2021-10-01 22:02:06 +02:00
Geoffrey White
b9a1a451a9 C++: Autoformat. 2021-10-01 19:21:30 +01:00
Tamás Vajk
62aa7b75bd Merge pull request #6792 from tamasvajk/fix/csv-workflow
Let 'ql/lib' folders trigger the CSV workflow
2021-10-01 19:44:48 +02:00
Mathias Vorreiter Pedersen
0679142607 C++: Accept test changes. 2021-10-01 18:27:55 +02:00
Mathias Vorreiter Pedersen
3463c28e24 C++: Add return value dereference to 'callOutput'. This will need to be modified once we get return value side effects in the IR. 2021-10-01 18:27:46 +02:00
Marcono1234
e3fed55945 Java: Add tests for text blocks 2021-10-01 18:16:11 +02:00
Joe Farebrother
085701c7db Remove models.csv 2021-10-01 17:11:12 +01:00
Geoffrey White
51188aa93f C++: Give the two queries medium precision (for now). 2021-10-01 17:04:22 +01:00
Joe Farebrother
5e4498a53a Add more models; fix tests 2021-10-01 16:53:53 +01:00
Geoffrey White
a62772c274 C++: Add change note. 2021-10-01 16:35:12 +01:00
Marcono1234
924b7320bc Java: Add test for NullLiteral 2021-10-01 17:27:54 +02:00
Marcono1234
bb6e6f4808 Java: Split literals tests
This allows changing individual tests in the future without having to adjust
the expected output of all other tests.
2021-10-01 17:27:50 +02:00
Geoffrey White
ada30800c9 C++: Exclude results where identity-like functions obscure operations on a variable. 2021-10-01 16:16:06 +01:00
Anders Schack-Mulligen
99ba80d492 C#: Adjust test output. 2021-10-01 16:57:30 +02:00
Tamas Vajk
ebe0988d9a Let 'ql/lib' folders trigger the CSV workflow 2021-10-01 16:30:56 +02:00
Geoffrey White
11d7a0b712 C++: Exclude results where the address of the variable is taken. 2021-10-01 14:39:02 +01:00
Geoffrey White
d41e517757 C++: Simplify mayAddNullTerminator. 2021-10-01 14:15:05 +01:00
Geoffrey White
ec2e4f432a C++: Add more test cases, inspired by FPs on LGTM with the query. 2021-10-01 14:03:41 +01:00
Geoffrey White
74957dcb2e C++: Test spacing. 2021-10-01 13:59:34 +01:00
Anders Schack-Mulligen
6359c44622 Java: Autoformat. 2021-10-01 14:05:47 +02:00
yoff
1ce9426adf Merge pull request #6761 from RasmusWL/cryptodome-sha3
Python/JS: Recognize SHA-3 hash functions
2021-10-01 13:33:36 +02:00
Anders Schack-Mulligen
98f68cb053 Dataflow: Sync. 2021-10-01 13:11:43 +02:00
Anders Schack-Mulligen
490df2027b Dataflow: Add language-specific predicate forceHighPrecision(). 2021-10-01 13:11:14 +02:00
Anders Schack-Mulligen
d4f1a9602f Dataflow: Force high precision of certain Contents. 2021-10-01 13:03:50 +02:00
Anders Schack-Mulligen
eb26b4a04b Merge pull request #6755 from alexet/alexet/cache-params-string
Java: Fix more performance issues with future versions of codeql.
2021-10-01 12:54:53 +02:00
Asger Feldthaus
c8e7df7900 JS: Add test case 2021-10-01 12:02:40 +02:00
Asger Feldthaus
600e5bad0d JS: Exclude methods declared private/protected 2021-10-01 11:46:32 +02:00
Asger Feldthaus
af1b04de9c JS: Restrict what property names that are considered public exports 2021-10-01 11:42:03 +02:00
Mathias Vorreiter Pedersen
a3cf721b9e Merge pull request #6713 from geoffw0/cwe139
C++: New query for 'Cleartext transmission of sensitive information'
2021-10-01 11:10:36 +02:00
Geoffrey White
679b0f9b73 C++: Autoformat. 2021-10-01 09:40:16 +01:00
Rasmus Lerchedahl Petersen
175a06fe73 Python: Fix compile error due to predicate rename 2021-10-01 10:33:42 +02:00
Anders Schack-Mulligen
799e099d1d Merge pull request #6784 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-10-01 10:05:34 +02:00
github-actions[bot]
3d61c81456 Add changed framework coverage reports 2021-10-01 00:09:22 +00:00
Chris Smowton
f48c418d6d Merge pull request #5907 from x-f1v3/java/hardcoded-shiro-key
Java: CWE-798: Query to detect hard-coded SHIRO key
2021-09-30 17:58:12 +01:00
Chris Smowton
ec4cb7c90f Fix typo 2021-09-30 16:22:12 +01:00
Chris Smowton
cb4ce36d3c Update change note; drop unnecessary import 2021-09-30 15:00:13 +01:00
Chris Smowton
b0983cb726 Specifically include Base64 encode/decode as a likely intermediate step for hardcoded credentials 2021-09-30 14:57:49 +01:00
Chris Smowton
b57a58c253 Amend change note 2021-09-30 14:27:05 +01:00
f1v3
24c9bb2fb7 autoformat 2021-09-30 14:26:19 +01:00
f1v3
168fc4170d Apply suggestions from code review 2021-09-30 14:26:14 +01:00
f1v3
f3bde56de9 detects a hard-coded cipher key for shiro 2021-09-30 14:22:48 +01:00
Chris Smowton
60a023d064 Merge pull request #5852 from luchua-bc/java/hardcoded-azure-credential
Java: CWE-798 Query to detect hard-coded Azure credentials
2021-09-30 14:11:29 +01:00
Rasmus Lerchedahl Petersen
35d9005eae Python: typo again.. 2021-09-30 14:39:44 +02:00
Rasmus Lerchedahl Petersen
f3fc56a167 Python: typos 2021-09-30 14:39:05 +02:00
Rasmus Lerchedahl Petersen
d19d37bf9b Python: more suggestions from review 2021-09-30 14:36:26 +02:00
yoff
c1c63d0c28 Merge pull request #6738 from RasmusWL/qldoc-getArgByName
Python: Add QLDoc to `Function.getArgByName`
2021-09-30 14:11:18 +02:00
yoff
46e62cd963 Apply suggestions from code review
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-09-30 14:00:18 +02:00
Rasmus Lerchedahl Petersen
02e91b3902 Python: Model functions that will raise
on non-existing files.
2021-09-30 13:36:24 +02:00
Jonas Jensen
45cf6344cd Merge pull request #6184 from github/rdmarsh2/improve-exec-tainted
C++: Refactor ExecTainted.ql to only report results after string concatenation
2021-09-29 19:21:13 +02:00
CodeQL CI
e9b4e571e1 Merge pull request #6775 from RasmusWL/fix-hasLocationInfo-url
Approved by aschackmull, erik-krogh, hvitved, jbj, tausbn
2021-09-29 16:51:08 +01:00
alexet
447eb23356 Java: Fix for tc magic issue with subtyping. 2021-09-29 16:01:08 +01:00
Joe Farebrother
3ae5f13c3d Generate tests and stubs 2021-09-29 15:44:21 +01:00
Tamás Vajk
089bb33113 Merge pull request #6773 from tamasvajk/fix/global-stmt-library
C#: Handle invalid code gracefully: global statements in library
2021-09-29 16:18:05 +02:00
Rasmus Wriedt Larsen
ba990f72f2 Another hasLocationInfo URL reference fix 2021-09-29 14:00:28 +02:00
Rasmus Wriedt Larsen
987b573709 Fix hasLocationInfo URL reference
Follow up to https://github.com/github/codeql/pull/5830
2021-09-29 13:47:58 +02:00
alexet
dea8dde566 Java: Improve performance of confusing overloading query. 2021-09-29 12:17:30 +01:00
Tamas Vajk
e17071723f C#: Handle invalid code gracefully: global statements in library 2021-09-29 10:23:33 +02:00
Mathias Vorreiter Pedersen
8dcf7926de Merge pull request #6760 from andersfugmann/relax_memberMayBeVarSize
Increase precision to high for cpp/static-buffer-overflow
2021-09-29 10:09:11 +02:00
Benjamin Muskalla
d09c3bf863 Merge pull request #6748 from bmuskalla/fixHiddenTypesTestGenerator
Java: Avoid stubbing methods with private parameter types
2021-09-29 09:27:13 +02:00
Anders Schack-Mulligen
1a92fa5d92 Merge pull request #6772 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-09-29 09:25:19 +02:00
github-actions[bot]
8d2ad4ed17 Add changed framework coverage reports 2021-09-29 00:08:05 +00:00
Geoffrey White
89098f54be C++: Correct comment. 2021-09-28 20:03:42 +01:00
Benjamin Muskalla
5f659f6e48 Merge branch 'main' into fixHiddenTypesTestGenerator 2021-09-28 17:42:39 +02:00
Geoffrey White
10323ac819 Update cpp/ql/src/Security/CWE/CWE-311/CleartextStorage.inc.qhelp
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-09-28 15:13:29 +01:00
Shati Patel
ee46717c76 Merge pull request #6771 from shati-patel/mergeback-3.2-main
Merge 3.2 into main
2021-09-28 14:52:17 +01:00
Jonas Jensen
914e621d1b Merge pull request #6678 from andersfugmann/refactor_use_of_isGuardPhi
C++: Refactor code to use predicate isGuardPhi/4
2021-09-28 15:45:05 +02:00
Shati Patel
976190e84d Merge pull request #6764 from shati-patel/slides-links
Docs: Fix a few links in the training slides
2021-09-28 14:35:46 +01:00
Mathias Vorreiter Pedersen
06eb93da3f Merge pull request #6769 from github/docfix-dead-links-in-readme
Fix dead links in README.md
2021-09-28 15:21:19 +02:00
Mathias Vorreiter Pedersen
7197f41e75 Fix dead links in README.md 2021-09-28 15:12:36 +02:00
Edoardo Pirovano
5488872044 Merge pull request #6505 from edoardopirovano/trailing-comma
QL Language Spec: Trailing comma in set literal
2021-09-28 13:45:09 +01:00
Chris Smowton
413ac4e8f4 Merge pull request #6684 from owen-mc/java/model/apache-collections-subpackages
Java: model remaining subpackages of Apache Commons Collections
2021-09-28 12:28:48 +01:00
Anders Schack-Mulligen
e95dc82087 Autoformat. 2021-09-28 13:00:50 +02:00
Tony Torralba
cec6cd0830 Merge pull request #6724 from atorralba/atorralba/android-contentprovider-sources
Java: Add sources for content providers in Android
2021-09-28 12:13:54 +02:00
Chris Smowton
39a12a8464 Remove models that are no longer required 2021-09-28 10:48:43 +01:00
Anders Schack-Mulligen
b11cb88a9f Dataflow: Sync to C#. 2021-09-28 11:45:33 +02:00
Anders Schack-Mulligen
9a9bbe3123 Dataflow: Support side-effects for callbacks in summaries. 2021-09-28 11:42:38 +02:00
Tony Torralba
46eb27cd01 Don't restrict inputs to be ParameterNodes
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-09-28 11:21:56 +02:00
Anders Fugmann
ba98c0c1cb Merge remote-tracking branch 'upstream/main' into relax_memberMayBeVarSize 2021-09-28 11:15:11 +02:00
Anders Schack-Mulligen
fc8b439263 Merge pull request #6740 from aschackmull/java/callback-dispatch
Java: Add callback dispatch to more anonymous classes.
2021-09-28 10:49:27 +02:00
Anders Peter Fugmann
a358ea8667 C++: Apply documentation change suggestion
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-09-28 10:38:02 +02:00
Anders Schack-Mulligen
c294b75f6c Merge pull request #6766 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-09-28 10:35:43 +02:00
Shati Patel
d5e17f9ebf Merge pull request #6765 from shati-patel/docs-config-fixes
Docs: Fix inconsistencies in sphinx config files
2021-09-28 09:18:02 +01:00
Anders Peter Fugmann
c7ea7ca5cd C++: Apply documentation change suggestion
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-09-28 09:40:25 +02:00
Anders Peter Fugmann
49c656d904 C++: Apply documentation change suggestion
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-09-28 09:40:07 +02:00
Anders Fugmann
79549c2285 Merge remote-tracking branch 'upstream/main' into refactor_use_of_isGuardPhi 2021-09-28 09:38:16 +02:00
Owen Mansel-Chan
787f36f056 Add a change note 2021-09-28 07:32:28 +01:00
Robert Marsh
d47c4732e2 C++: Update change note date 2021-09-27 17:36:14 -07:00
github-actions[bot]
b7b229d59b Add changed framework coverage reports 2021-09-28 00:08:59 +00:00
Robert Marsh
dfb27d170c C++ fix test compilation errors 2021-09-27 13:58:54 -07:00
shati-patel
64fcbe05c3 Docs: Fix inconsistencies in sphinx config files 2021-09-27 18:54:23 +01:00
shati-patel
31c34870ef Fix warning about "Anonymous hyperlink mismatch" 2021-09-27 18:27:57 +01:00
shati-patel
3c17ac424d Docs: Fix some broken/redirected links 2021-09-27 18:27:30 +01:00
Felicity Chapman
bb6c079e5a Merge pull request #6762 from github/felicitymay-patch-1
Update links to match those on the staging site
2021-09-27 16:49:58 +01:00
Felicity Chapman
a3c1975a84 Update links to match those on the staging site 2021-09-27 16:35:22 +01:00
Owen Mansel-Chan
bdd78d2bc7 Fix stub 2021-09-27 16:24:41 +01:00
Owen Mansel-Chan
29db42c3cd Generate stubs 2021-09-27 16:24:40 +01:00
Owen Mansel-Chan
e6df8164cf Fix up old tests for new helper functions 2021-09-27 16:24:39 +01:00
Owen Mansel-Chan
cf03bd8bd1 Merge new and old tests
# Conflicts:
#	java/ql/test/library-tests/frameworks/apache-collections/TestNew.java
2021-09-27 16:24:38 +01:00
Owen Mansel-Chan
342c14887b Fix existing models for MapUtils 2021-09-27 16:24:37 +01:00
Owen Mansel-Chan
e1101e582e Minor improvement to existing tests 2021-09-27 16:24:37 +01:00
Owen Mansel-Chan
768203bd36 Remove redundant casts 2021-09-27 16:24:36 +01:00
Owen Mansel-Chan
c51fb00082 Add tests for non-public abstract classes 2021-09-27 16:24:35 +01:00
Owen Mansel-Chan
0a92b04c8b Fix up automatically generated tests 2021-09-27 16:24:34 +01:00
Owen Mansel-Chan
15161d8867 Make concrete subclasses of abstract classes 2021-09-27 16:24:33 +01:00
Owen Mansel-Chan
53ee465726 Fix errors in generated tests that stop compilation 2021-09-27 16:24:32 +01:00
Owen Mansel-Chan
a20acfee25 Add automatically generated tests
Also update test.ql to use the new InlineFlowTest.
2021-09-27 16:24:31 +01:00
Owen Mansel-Chan
f69787afd0 Miscellaneous model fixes 2021-09-27 16:24:30 +01:00
Owen Mansel-Chan
9b12980688 Do not model some protected methods 2021-09-27 16:24:29 +01:00
Owen Mansel-Chan
cb0f82c36e Do not modelled protected static inner classes 2021-09-27 16:24:29 +01:00
Owen Mansel-Chan
3b678bfbc5 Address review comments 2021-09-27 16:24:28 +01:00
Owen Mansel-Chan
e1750adc38 Address problems highlighted by generating tests 2021-09-27 16:24:27 +01:00
Owen Mansel-Chan
fd0fb9483e Model the remaining subpackages in Apache Commons Collections 2021-09-27 16:24:26 +01:00
Owen Mansel-Chan
3d1d491e6b Model java.lang.Object.clone() better for access paths.
Model value flow for Element, MapKey and MapValue. This assumes
that clone() is a shallow copy.
2021-09-27 16:24:25 +01:00
Edoardo Pirovano
18020707b8 QL Language Spec: Trailing comma in set literal 2021-09-27 15:57:39 +01:00
Anders Schack-Mulligen
cfa0d46b73 Merge pull request #6097 from atorralba/atorralba/promote-xslt-injection
Java: Promote XSLT Injection from experimental
2021-09-27 13:14:57 +02:00
Anders Schack-Mulligen
e027d514f1 Merge pull request #6037 from atorralba/atorralba/promote-spel-injection
Java: Promote SpEL Injection query from experimental
2021-09-27 13:13:35 +02:00
Tony Torralba
d5f675c2dc Fix unbound field
Add tests for non-exported providers
2021-09-27 12:58:28 +02:00
Rasmus Wriedt Larsen
ded3088529 Python/JS: Recognize SHA-3 hash functions
Official names are SHA3-224, SHA3-256, SHA3-384, SHA3-512 as per
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
2021-09-27 12:08:40 +02:00
Tony Torralba
78c12dc505 Move to lib 2021-09-27 12:04:14 +02:00
Tony Torralba
ad08ccb50b Apply suggestion from code review 2021-09-27 12:00:21 +02:00
mc
95751fcc21 Update XsltInjection.qhelp
Made a few minor tweaks during editorial review
2021-09-27 12:00:21 +02:00
Tony Torralba
13417dbf14 Remove DataFlow references from XsltInjection.qll 2021-09-27 12:00:20 +02:00
Tony Torralba
ff21662b23 Refactor XsltInjection.qll 2021-09-27 12:00:18 +02:00
Tony Torralba
6967b06dee Decouple XsltInjection.qll to reuse the taint tracking configuration 2021-09-27 11:59:51 +02:00
Tony Torralba
fc58ada92e Add change note 2021-09-27 11:58:20 +02:00
Tony Torralba
108118afa3 Use InlineExpectationsTest 2021-09-27 11:58:18 +02:00
Tony Torralba
d8bb5273e7 Refactor to use CSV sink models 2021-09-27 11:57:58 +02:00
Tony Torralba
c792567904 Move from experimental 2021-09-27 11:57:53 +02:00
Tony Torralba
6d9a88d1c8 Move to lib 2021-09-27 11:43:46 +02:00
mc
3520fed752 Update SpelInjection.qhelp 2021-09-27 11:40:51 +02:00
Tony Torralba
d10dbbdd9d Apply suggestions from code review
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-09-27 11:40:51 +02:00
Tony Torralba
6bf1e87bbe Remove CSV sinks; make imports private 2021-09-27 11:40:47 +02:00
Tony Torralba
91f46624b6 Refactor SpelInjection.qll 2021-09-27 11:40:26 +02:00
Tony Torralba
94f32d2985 Decouple SpelInjection.qll to reuse the taint tracking configuration 2021-09-27 11:39:30 +02:00
Tony Torralba
569426b04e Consider subtypes of Expression and ExpressionParser
Add parseRaw as additional taint step
2021-09-27 11:38:12 +02:00
Tony Torralba
b0852f6c16 Add change note 2021-09-27 11:37:46 +02:00
Tony Torralba
b985ddb868 Use InlineExpectationsTest 2021-09-27 11:37:41 +02:00
Tony Torralba
079769ed2e Refactored SpelInjection.qll to use CSV sink models 2021-09-27 11:36:56 +02:00
Tony Torralba
fc6af0476f Moved from experimental 2021-09-27 11:36:48 +02:00
Anders Fugmann
03bd7d7f96 C++: Update test results from OverflowStatic 2021-09-27 11:23:08 +02:00
Anders Schack-Mulligen
92ffd8c465 Merge pull request #6749 from aschackmull/java/istextblock
Java: Add StringLiteral.isTextBlock().
2021-09-27 10:54:31 +02:00
Jonas Jensen
b0836a620c Merge pull request #6757 from geoffw0/impropnulltest2
C++: Small improvement to cpp/improper-null-termination
2021-09-27 10:52:49 +02:00
James Fletcher
c977cfe40a Merge pull request #6754 from github/update-link
Update one more link in the QL training content
2021-09-27 08:33:42 +01:00
Anders Fugmann
e0921ac983 C++: Increase precision of cpp/static-buffer-overflow to high 2021-09-27 09:06:36 +02:00
Geoffrey White
7e7dfe2cc4 C++: Understand format arguments. 2021-09-24 19:25:43 +01:00
Geoffrey White
91a8b9fdd9 C++: Add suggested test (and a good variant). 2021-09-24 18:34:28 +01:00
james
1adc5c2a5b update links correctly 2021-09-24 17:00:59 +01:00
Geoffrey White
6901d9d9c2 C++: Add and use getRemoteSocket predicates. 2021-09-24 15:16:48 +01:00
Geoffrey White
9f59bc8f7b C++: Naive translation to use RemoteFlow*Function. 2021-09-24 15:12:14 +01:00
james
e664711f47 make links to slide decks relative 2021-09-24 14:56:48 +01:00
james
23e4ad1abb update one more link 2021-09-24 14:46:14 +01:00
alexet
49f8f46354 Java: Cache params string computation. 2021-09-24 14:12:26 +01:00
Anders Schack-Mulligen
854f2a046a Java: Add StringLiteral.isTextBlock(). 2021-09-24 13:11:18 +02:00
Benjamin Muskalla
70e1724463 Exclude methods with non-public parameter types 2021-09-24 12:41:12 +02:00
Anders Fugmann
cbdabe35de C++: Update test results to reflect changes 2021-09-24 12:29:28 +02:00
Anders Fugmann
032ac50034 C++: Do not warn on static buffer overflow using loop counters, if the loop counter has been widened 2021-09-24 08:31:36 +02:00
Anders Fugmann
3e5f7d0db5 C++: using buildin offsetof for an array member indexed after end is legal 2021-09-24 08:31:35 +02:00
Anders Fugmann
b08eabec68 C++: Relax predicate memberMayBeVarSize to mark all members of size 0 or 1 as variable sized 2021-09-24 08:31:35 +02:00
Anders Fugmann
a4a9e2aa96 C++: Weaken wording on overflow static alert text 2021-09-24 08:31:35 +02:00
haby0
9b969e15fc Modify according to @yoff suggestion 2021-09-24 12:56:10 +08:00
Rasmus Lerchedahl Petersen
f2fbeed490 Python: Model os.path-functions 2021-09-23 15:30:00 +02:00
Rasmus Lerchedahl Petersen
81adb7dd2a Python: Add tests for os.path-functions 2021-09-23 15:28:05 +02:00
Anders Schack-Mulligen
4841c3037d Java: Add callback dispatch to more anonymous classes. 2021-09-23 14:34:56 +02:00
Joe Farebrother
0919042692 Model Bundle and Intent extra methods 2021-09-23 12:03:45 +01:00
ihsinme
13741ba137 Update FindWrapperFunctions.ql 2021-09-23 12:55:03 +03:00
ihsinme
18de9f0aa3 Update FindWrapperFunctions.expected 2021-09-23 12:53:16 +03:00
Rasmus Wriedt Larsen
d4564d5dd1 Python: Add QLDoc to Function.getArgByName 2021-09-23 10:01:04 +02:00
Robert Marsh
49f8fd2164 C++: whitespace fix 2021-09-22 16:54:03 -07:00
Robert Marsh
0c5d642489 C++: Rename SystemFunction and restore QLDoc 2021-09-22 14:22:57 -07:00
Robert Marsh
6f03c3e252 C++: Accept command injection test changes
Making the DefaultTaintTracking configurations inactive removed many
unneeded nodes and edges from the PathGraph predicates.
2021-09-22 14:19:23 -07:00
Robert Marsh
8faeab18b9 C++: move ResolveCall.qll out of internal directory 2021-09-22 11:54:47 -07:00
Robert Marsh
21ed5c430d Merge branch 'main' into rdmarsh2/improve-exec-tainted
Manual fix for conflict in Models.qll
2021-09-22 11:51:18 -07:00
Erik Krogh Kristensen
805d1d170c do not filter away regular expressions with lookbehinds 2021-09-22 17:14:29 +02:00
haby0
6c07a3e260 Apply @yoff's suggestion 2021-09-22 18:50:58 +08:00
Robert Marsh
d6fd83dd6c C++: move resolveCall to its own file for perf
This avoids a performance issue in DataFlowImpl::localFlowStep when the
DataFlow::Configuration subclasses in DefaultTaintTracking are active
in the same query as other Configuration
subclasses.
ResolveCall.qll is kept internal for the moment.
2021-09-21 16:32:09 -07:00
ihsinme
88a257fcdc Apply suggestions from code review
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-09-21 20:32:08 +03:00
Tony Torralba
99881db8bd Add stubs 2021-09-21 12:10:05 +02:00
Tony Torralba
0c1f3ed0b3 Add tests for ContentProvider sources 2021-09-21 12:09:47 +02:00
Tony Torralba
a811ab3aff Add ContentProvider sources 2021-09-21 12:09:28 +02:00
Robert Marsh
a9add04ee3 C++: remove unneed import 2021-09-17 12:17:06 -07:00
Robert Marsh
d3d708bc68 C++: QLDoc for CommandExecution model 2021-09-17 12:16:20 -07:00
Geoffrey White
e7c82d7370 C++: Accept subpaths in tests. 2021-09-17 16:14:24 +01:00
Geoffrey White
24668b2281 Merge branch 'main' into cwe139 2021-09-17 16:04:51 +01:00
Geoffrey White
51243454c8 C++: Change note. 2021-09-17 15:10:55 +01:00
Geoffrey White
90bc138049 CPP: Fix QLDoc comments. 2021-09-17 14:12:04 +01:00
haby0
99167539fb Modify sinks 2021-09-17 17:29:40 +08:00
Geoffrey White
a3de94e868 C++: Assign precision and severity; medium for now, since there are FPs in SAMATE Juliet. 2021-09-17 10:05:06 +01:00
Felicity Chapman
7383988988 Merge pull request #6701 from github/docs-4908-training-note-links
Update links in training notes to use CodeQL microsite
2021-09-17 09:00:36 +01:00
james
e906ded0d1 remove java class 2021-09-17 08:48:26 +01:00
ihsinme
b6bcf9fa44 Add files via upload 2021-09-16 19:18:19 +03:00
ihsinme
b393c6a285 Add files via upload 2021-09-16 19:16:54 +03:00
james
c36292bfd0 a few more links 2021-09-16 17:03:29 +01:00
Rasmus Lerchedahl Petersen
64685f31dc Python: Add missing qldoc
Also do some general cleanup
How was this allowed comitted in the first place?
2021-09-16 16:51:43 +02:00
haby0
0277601705 Eliminate false positives caused by . 2021-09-16 20:59:34 +08:00
Rasmus Lerchedahl Petersen
72bf390ec5 Merge branch 'main' of github.com:github/codeql into python/promote-regex-injection 2021-09-16 14:50:17 +02:00
Robert Marsh
c85cc1455b C++: accept changes to new ExecTainted test 2021-09-15 11:27:13 -07:00
Robert Marsh
a3e1f54e33 C++: Refactor models to prevent IR reevaluation 2021-09-15 10:55:56 -07:00
Robert Marsh
509a3493b6 C++: support new subpaths predicate in ExecTainted 2021-09-15 10:55:56 -07:00
Robert Marsh
09ef8f639e C++: Improve performance by restricting isSource 2021-09-15 10:55:55 -07:00
Robert Marsh
83cc098412 C++: accept test output 2021-09-15 10:55:55 -07:00
Robert Marsh
3cd08bc724 C++: autoformat Printf.qll 2021-09-15 10:55:55 -07:00
Robert Marsh
fe1f9878ba C++: add GVN import to fix reevaluation 2021-09-15 10:55:54 -07:00
Robert Marsh
e874fbbea2 C++: Add path stitching in ExecTainted.ql 2021-09-15 10:55:54 -07:00
Robert Marsh
5dc6e13ab5 C++: use TaintTracking2 in ExecTainted.ql 2021-09-15 10:55:53 -07:00
Robert Marsh
4d2036fa26 C++: change note for cpp/command-line-injection 2021-09-15 10:55:53 -07:00
Robert Marsh
c30e7ec41a C++: raise precision of cpp/command-line-injection 2021-09-15 10:55:53 -07:00
Robert Marsh
181eb803e1 C++: Add QLDoc for getOutputArgument 2021-09-15 10:55:52 -07:00
Robert Marsh
37c92178a5 C++: exclude int/string conversion in ExecTainted 2021-09-15 10:55:52 -07:00
Robert Marsh
5e265f45e1 C++: ExecTainted tests for int/string conversions 2021-09-15 10:55:51 -07:00
Robert Marsh
9926892c8a C++: remove debugging predicates 2021-09-15 10:55:51 -07:00
Robert Marsh
9c478c502e C++: add some more tests for ExecTainted 2021-09-15 10:55:50 -07:00
Robert Marsh
562c8b97ad C++: add comment explaining concatenation logic 2021-09-15 10:55:50 -07:00
Robert Marsh
6f408f949c C++: Refactor ExecTainted.ql to need concatenation
This makes ExecTainted report results only when the tainted value does
not become the start of the string which is eventually run as a shell
command. The theory is that those cases are likely to be deliberate, and
part of the expected threat model of the program (e.g. $CC in make).
This lines up better with the results I considered fixable true
positives in LGTM testing
2021-09-15 10:55:49 -07:00
Robert Marsh
8f4df8603a C++: more tests for command injection 2021-09-15 10:55:49 -07:00
Felicity Chapman
05d83e487d Update all links to CodeQL microsite 2021-09-15 17:08:55 +01:00
haby0
c60eded2de Fix conflicting 2021-09-15 11:07:43 +08:00
haby0
9e63aa9d84 Update query 2021-09-14 21:12:49 +08:00
Rasmus Lerchedahl Petersen
c2d2037726 Python: Add change note and set precision 2021-09-14 13:45:51 +02:00
Rasmus Lerchedahl Petersen
1c7982b319 Python: Move query tests over 2021-09-14 13:29:21 +02:00
Rasmus Lerchedahl Petersen
36e27f2aa4 Python: Remove promoted code:
- queries (`py/regex-injection`)
- concepts (RegexExecution, RegexEscape)
- library models (Stdlib::Re)
2021-09-14 13:14:16 +02:00
Rasmus Lerchedahl Petersen
abbd1d1dc5 Python: Fix errors introduced during port
testing on a database helps..
2021-09-14 13:08:21 +02:00
Rasmus Lerchedahl Petersen
6c82daef3d Python: Move Regexinjection out of experimental
and fix up structure
2021-09-14 11:54:59 +02:00
Rasmus Lerchedahl Petersen
3d5192d6d3 Python: Fix typos 2021-09-14 11:54:11 +02:00
Rasmus Lerchedahl Petersen
a30f697537 Python: Add getName to RegexExecution concept 2021-09-14 11:53:40 +02:00
Anders Fugmann
3f5ab60fb4 C++: Add DEPRECATED to documentation block 2021-09-14 09:55:19 +02:00
Rasmus Lerchedahl Petersen
8f152a5bfb Python: Port regex concepts and adapt PolyRedos 2021-09-13 16:50:00 +02:00
Geoffrey White
67c6b35845 C++: We get many more real world results using taint tracking. 2021-09-13 15:03:28 +01:00
Geoffrey White
0e8064dbf9 C++: Add a test demonstrating taint. 2021-09-13 15:00:31 +01:00
Anders Fugmann
8e9ac18026 C++: Deprecate RangeSSA::isGuardPhi/3 2021-09-13 15:35:05 +02:00
Geoffrey White
ee7ccd7936 C++: Upgrade to path problem. 2021-09-13 13:52:12 +01:00
Geoffrey White
f58177f292 C++: Full dataflow version. 2021-09-13 10:53:09 +01:00
Felicity Chapman
1d76578202 Merge pull request #6659 from github/docs-311-update-version
Update version numbers for LGTM Enterprise 1.28
2021-09-13 10:26:52 +01:00
Geoffrey White
e696eaaa2f C++: Fix false positives involving STDIN_FILENO. 2021-09-13 09:50:19 +01:00
Geoffrey White
3ba9e80635 C++: Support various functions / variants. 2021-09-13 09:50:03 +01:00
Geoffrey White
1707d67adb C++: Support 'send' as well. 2021-09-13 09:49:40 +01:00
Geoffrey White
29ad3bf7f8 C++: Test dataflow and other slightly more complex cases. 2021-09-13 09:49:25 +01:00
Anders Fugmann
2c93bce9ad C++: Refactor code to use predicate isGuardPhi/4 2021-09-10 10:53:48 +02:00
Felicity Chapman
3b3350e648 Correct the Qllexer path for slides 2021-09-10 08:04:07 +01:00
Felicity Chapman
32b3e416b3 Update version numbers for LGTM E 1.28 2021-09-10 06:54:36 +01:00
Rasmus Lerchedahl Petersen
6c5596d17e Python: rewrite test 2021-09-09 13:45:44 +02:00
Rasmus Lerchedahl Petersen
e27b3162e5 Python: rewrite simpleLocalFlowStep
to take into account the split between
import time and runtime.
2021-09-09 12:43:08 +02:00
Rasmus Lerchedahl Petersen
a9c409403c Python: more tests and comments 2021-09-08 14:44:36 +02:00
Rasmus Lerchedahl Petersen
9b198c6d0a Python: Add some module initialization tests 2021-09-08 10:37:28 +02:00
Geoffrey White
cd5a5347fc C++: Add basic test. 2021-09-06 18:11:34 +01:00
Geoffrey White
246302453f C++: Add CleartextTransmission query. 2021-09-06 18:11:19 +01:00
haby0
e8d0827916 Add tornado source 2021-07-05 10:42:15 +08:00
haby0
b866f1b21e Add CWE-348 ClientSuppliedIpUsedInSecurityCheck 2021-07-02 19:30:33 +08:00
luchua-bc
7af1984348 Update the change note 2021-05-17 11:35:35 +00:00
luchua-bc
1a072f3bb9 Move APIs from predicates flagged auto-generated to the other section 2021-05-14 20:38:23 +00:00
luchua-bc
9ef58e378c Remove the sample Java file in the src folder 2021-05-14 11:01:25 +00:00
luchua-bc
4d014717b6 Add a change note and reset the qhelp file 2021-05-12 15:50:40 +00:00
luchua-bc
fc7d340a89 Query to detect hard-coded Azure credentials 2021-05-07 13:16:41 +00:00
1185 changed files with 51295 additions and 13570 deletions

View File

@@ -6,6 +6,8 @@ on:
- '.github/workflows/csv-coverage-pr-comment.yml'
- '*/ql/src/**/*.ql'
- '*/ql/src/**/*.qll'
- '*/ql/lib/**/*.ql'
- '*/ql/lib/**/*.qll'
- 'misc/scripts/library-coverage/*.py'
# input data files
- '*/documentation/library-coverage/cwe-sink.csv'

3
.gitignore vendored
View File

@@ -24,3 +24,6 @@
/codeql/
csharp/extractor/Semmle.Extraction.CSharp.Driver/Properties/launchSettings.json
# Avoid committing cached package components
.codeql

View File

@@ -4,8 +4,8 @@ This open source repository contains the standard CodeQL libraries and queries t
## How do I learn CodeQL and run queries?
There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension to try out your queries on any open source project that's currently being analyzed.
## Contributing

View File

@@ -367,6 +367,7 @@
],
"Inline Test Expectations": [
"cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
"csharp/ql/test/TestUtilities/InlineExpectationsTest.qll",
"java/ql/test/TestUtilities/InlineExpectationsTest.qll",
"python/ql/test/TestUtilities/InlineExpectationsTest.qll"
],
@@ -461,5 +462,12 @@
"ReDoS Polynomial Python/JS": [
"javascript/ql/lib/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
"python/ql/lib/semmle/python/security/performance/SuperlinearBackTracking.qll"
],
"CodeQL Tutorial": [
"cpp/ql/lib/tutorial.qll",
"csharp/ql/lib/tutorial.qll",
"java/ql/lib/tutorial.qll",
"javascript/ql/lib/tutorial.qll",
"python/ql/lib/tutorial.qll"
]
}

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query (`cpp/cleartext-transmission`) has been added. This is similar to the `cpp/cleartext-storage-file`, `cpp/cleartext-storage-buffer` and `cpp/cleartext-storage-database` queries but looks for cases where sensitive information is most likely transmitted over a network.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The "Uncontrolled data used in OS command" (`cpp/command-line-injection`) query has been enhanced to reduce false positive results and its `@precision` increased to `high`

View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Increase precision to high for the "Static buffer overflow" query
(`cpp/static-buffer-overflow`). This means the query is run and displayed by default on Code Scanning and LGTM.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* Several improvements made to the `NullTermination.qll` library and the 'Potential improper null termination' (cpp/improper-null-termination). These changes reduce the number of false positive results for this query and related query 'User-controlled data may not be null terminated' (cpp/user-controlled-null-termination-tainted).

View File

@@ -0,0 +1,3 @@
codescanning
* Problems with extraction that in most cases won't break the analysis in a significant way are now reported as warnings rather than errors.
* The failed extractor invocations query now has severity `error`.

View File

@@ -275,9 +275,8 @@ class Declaration extends Locatable, @declaration {
* `getTemplateArgumentKind(0)`.
*/
final Locatable getTemplateArgumentKind(int index) {
if exists(getTemplateArgumentValue(index))
then result = getTemplateArgumentType(index)
else none()
exists(getTemplateArgumentValue(index)) and
result = getTemplateArgumentType(index)
}
/** Gets the number of template arguments for this declaration. */

View File

@@ -38,7 +38,7 @@ class Container extends Locatable, @container {
* DEPRECATED: Use `getLocation` instead.
* Gets a URL representing the location of this container.
*
* For more information see [Providing URLs](https://help.semmle.com/QL/learn-ql/ql/locations.html#providing-urls).
* For more information see [Providing URLs](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls).
*/
deprecated string getURL() { none() } // overridden by subclasses

View File

@@ -61,7 +61,7 @@ class Location extends @location {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -1650,7 +1650,6 @@ class RoutineType extends Type, @routinetype {
i = 0 and result = "" and not exists(this.getAParameterType())
or
(
exists(this.getParameterType(i)) and
if i < max(int j | exists(this.getParameterType(j)))
then
// Not the last one

View File

@@ -24,7 +24,7 @@ class XMLLocatable extends @xmllocatable, TXMLLocatable {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -108,7 +108,7 @@ class XMLParent extends @xmlparent {
}
/** Gets the text value contained in this XML parent. */
string getTextValue() { result = allCharactersString() }
string getTextValue() { result = this.allCharactersString() }
/** Gets a printable representation of this XML parent. */
string toString() { result = this.getName() }
@@ -119,7 +119,7 @@ class XMLFile extends XMLParent, File {
XMLFile() { xmlEncoding(this, _) }
/** Gets a printable representation of this XML file. */
override string toString() { result = getName() }
override string toString() { result = this.getName() }
/** Gets the name of this XML file. */
override string getName() { result = File.super.getAbsolutePath() }
@@ -129,14 +129,14 @@ class XMLFile extends XMLParent, File {
*
* Gets the path of this XML file.
*/
deprecated string getPath() { result = getAbsolutePath() }
deprecated string getPath() { result = this.getAbsolutePath() }
/**
* DEPRECATED: Use `getParentContainer().getAbsolutePath()` instead.
*
* Gets the path of the folder that contains this XML file.
*/
deprecated string getFolder() { result = getParentContainer().getAbsolutePath() }
deprecated string getFolder() { result = this.getParentContainer().getAbsolutePath() }
/** Gets the encoding of this XML file. */
string getEncoding() { xmlEncoding(this, result) }
@@ -200,7 +200,7 @@ class XMLDTD extends XMLLocatable, @xmldtd {
*/
class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
/** Holds if this XML element has the given `name`. */
predicate hasName(string name) { name = getName() }
predicate hasName(string name) { name = this.getName() }
/** Gets the name of this XML element. */
override string getName() { xmlElements(this, result, _, _, _) }
@@ -239,7 +239,7 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable {
string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }
/** Gets a printable representation of this XML element. */
override string toString() { result = getName() }
override string toString() { result = this.getName() }
}
/**

View File

@@ -10,44 +10,11 @@ import semmle.code.cpp.dataflow.DataFlow
* char data[1]; // v
* };
* ```
* This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.
* In addition, if the size of the structure is taken, there must be at least one instance
* where a `c` pointer is allocated with additional space.
* For example, holds for `c` if it occurs as
* ```
* malloc(sizeof(c) + 100 * sizeof(char))
* ```
* but not if it only ever occurs as
* ```
* malloc(sizeof(c))
* ```
* This requires that `v` is an array of size 0 or 1.
*/
predicate memberMayBeVarSize(Class c, MemberVariable v) {
exists(int i |
// `v` is the last field in `c`
i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
v = c.getCanonicalMember(i) and
// v is an array of size at most 1
v.getUnspecifiedType().(ArrayType).getArraySize() <= 1 and
not c instanceof Union
) and
// If the size is taken, then arithmetic is performed on the result at least once
(
// `sizeof(c)` is not taken
not exists(SizeofOperator so |
so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
)
or
// or `sizeof(c)` is taken
exists(SizeofOperator so |
so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
|
// and arithmetic is performed on the result
so.getParent*() instanceof AddExpr
)
)
c = v.getDeclaringType() and
v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
}
/**
@@ -60,10 +27,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
why = bufferVar and
not memberMayBeVarSize(_, bufferVar) and
not exists(Union bufferType |
bufferType.getAMemberVariable() = why and
bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1
) and
not result = 0 // zero sized arrays are likely to have special usage, for example
or
// behaving a bit like a 'union' overlapping other fields.
@@ -85,13 +48,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
)
or
exists(Union bufferType |
bufferType.getAMemberVariable() = why and
why = bufferVar and
bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1 and
result = bufferType.getSize()
)
)
or
// buffer is a fixed size dynamic allocation

View File

@@ -1,6 +1,7 @@
import cpp
private import semmle.code.cpp.models.interfaces.ArrayFunction
private import semmle.code.cpp.models.implementations.Strcat
import semmle.code.cpp.dataflow.DataFlow
private predicate mayAddNullTerminatorHelper(Expr e, VariableAccess va, Expr e0) {
exists(StackVariable v0, Expr val |
@@ -45,22 +46,28 @@ predicate mayAddNullTerminator(Expr e, VariableAccess va) {
ae.getRValue().getAChild*() = va
)
or
// Function call: library function, varargs function, function
// containing assembler code, or function where the relevant
// parameter is potentially added a null terminator.
// Function calls...
exists(Call c, Function f, int i |
e = c and
f = c.getTarget() and
not functionArgumentMustBeNullTerminated(f, i) and
c.getAnArgumentSubExpr(i) = va
|
not f.hasEntryPoint() and not functionArgumentMustBeNullTerminated(f, i)
// library function
not f.hasEntryPoint()
or
// function where the relevant parameter is potentially added a null terminator
mayAddNullTerminator(_, f.getParameter(i).getAnAccess())
or
// varargs function
f.isVarargs() and i >= f.getNumberOfParameters()
or
// function containing assembler code
exists(AsmStmt s | s.getEnclosingFunction() = f)
or
// function where the relevant parameter is returned (leaking it to be potentially null terminated elsewhere)
DataFlow::localFlow(DataFlow::parameterNode(f.getParameter(i)),
DataFlow::exprNode(any(ReturnStmt rs).getExpr()))
)
or
// Call without target (e.g., function pointer call)
@@ -93,6 +100,15 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
fc.getArgument(i) = va
)
or
// String argument to a formatting function (such as `printf`)
exists(int n, FormatLiteral fl |
fc.(FormattingFunctionCall).getConversionArgument(n) = va and
fl = fc.(FormattingFunctionCall).getFormat() and
fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
not fl.hasPrecision(n) // exclude: `%.*s`
)
or
// Call to a wrapper function that requires null termination
// (not itself adding a null terminator)
exists(Function wrapper, int i, Parameter p, VariableAccess use |

View File

@@ -253,6 +253,21 @@ class FormattingFunctionCall extends Expr {
// format arguments must be known
exists(getTarget().(FormattingFunction).getFirstFormatArgumentIndex())
}
/**
* Gets the argument, if any, to which the output is written. If `isStream` is
* `true`, the output argument is a stream (that is, this call behaves like
* `fprintf`). If `isStream` is `false`, the output argument is a buffer (that
* is, this call behaves like `sprintf`)
*/
Expr getOutputArgument(boolean isStream) {
result =
this.(Call)
.getArgument(this.(Call)
.getTarget()
.(FormattingFunction)
.getOutputParameterIndex(isStream))
}
}
/**

View File

@@ -194,7 +194,7 @@ class BasicBlock extends ControlFlowNodeBase {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*
* Yields no result if this basic block spans multiple source files.
*/

View File

@@ -344,14 +344,13 @@ private int convertIntToType(int val, IntegralType t) {
then if val = 0 then result = 0 else result = 1
else
if t.isUnsigned()
then if val >= 0 and val.bitShiftRight(t.getSize() * 8) = 0 then result = val else none()
then val >= 0 and val.bitShiftRight(t.getSize() * 8) = 0 and result = val
else
if val >= 0 and val.bitShiftRight(t.getSize() * 8 - 1) = 0
then result = val
else
if (-(val + 1)).bitShiftRight(t.getSize() * 8 - 1) = 0
then result = val
else none()
else (
(-(val + 1)).bitShiftRight(t.getSize() * 8 - 1) = 0 and result = val
)
}
/**

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -937,7 +937,7 @@ class CallContextSpecificCall extends CallContextCall, TSpecificCall {
}
override predicate relevantFor(DataFlowCallable callable) {
recordDataFlowCallSite(getCall(), callable)
recordDataFlowCallSite(this.getCall(), callable)
}
override predicate matchesCall(DataFlowCall call) { call = this.getCall() }
@@ -1236,6 +1236,13 @@ class TypedContent extends MkTypedContent {
/** Gets a textual representation of this content. */
string toString() { result = c.toString() }
/**
* Holds if access paths with this `TypedContent` at their head always should
* be tracked at high precision. This disables adaptive access path precision
* for such access paths.
*/
predicate forceHighPrecision() { forceHighPrecision(c) }
}
/**
@@ -1250,7 +1257,7 @@ abstract class AccessPathFront extends TAccessPathFront {
TypedContent getHead() { this = TFrontHead(result) }
predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
predicate isClearedAt(Node n) { clearsContentCached(n, this.getHead().getContent()) }
}
class AccessPathFrontNil extends AccessPathFront, TFrontNil {

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -219,15 +219,13 @@ class DataFlowExpr = Expr;
class DataFlowType = Type;
/** A function call relevant for data flow. */
class DataFlowCall extends Expr {
DataFlowCall() { this instanceof Call }
class DataFlowCall extends Expr instanceof Call {
/**
* Gets the nth argument for this call.
*
* The range of `n` is from `0` to `getNumberOfArguments() - 1`.
*/
Expr getArgument(int n) { result = this.(Call).getArgument(n) }
Expr getArgument(int n) { result = super.getArgument(n) }
/** Gets the data flow node corresponding to this call. */
ExprNode getNode() { result.getExpr() = this }
@@ -240,6 +238,12 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub impl
int accessPathLimit() { result = 5 }
/**
* Holds if access paths with `c` at their head always should be tracked at high
* precision. This disables adaptive access path precision for such access paths.
*/
predicate forceHighPrecision(Content c) { none() }
/** The unit type. */
private newtype TUnit = TMkUnit()

View File

@@ -101,7 +101,7 @@ class Node extends TNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -75,24 +75,26 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isSanitizer(DataFlow::Node node) { none() }
final override predicate isBarrier(DataFlow::Node node) {
isSanitizer(node) or
this.isSanitizer(node) or
defaultTaintSanitizer(node)
}
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
predicate isSanitizerOut(DataFlow::Node node) { none() }
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
this.isSanitizerGuard(guard)
}
/**
* Holds if the additional taint propagation step from `node1` to `node2`
@@ -101,7 +103,7 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalTaintStep(node1, node2) or
this.isAdditionalTaintStep(node1, node2) or
defaultAdditionalTaintStep(node1, node2)
}

View File

@@ -75,24 +75,26 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isSanitizer(DataFlow::Node node) { none() }
final override predicate isBarrier(DataFlow::Node node) {
isSanitizer(node) or
this.isSanitizer(node) or
defaultTaintSanitizer(node)
}
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
predicate isSanitizerOut(DataFlow::Node node) { none() }
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
this.isSanitizerGuard(guard)
}
/**
* Holds if the additional taint propagation step from `node1` to `node2`
@@ -101,7 +103,7 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalTaintStep(node1, node2) or
this.isAdditionalTaintStep(node1, node2) or
defaultAdditionalTaintStep(node1, node2)
}

View File

@@ -4,7 +4,7 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.dataflow.DataFlow3
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
private import semmle.code.cpp.ir.dataflow.ResolveCall
private import semmle.code.cpp.controlflow.IRGuards
private import semmle.code.cpp.models.interfaces.Taint
private import semmle.code.cpp.models.interfaces.DataFlow
@@ -355,20 +355,6 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
*/
GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
/**
* Resolve potential target function(s) for `call`.
*
* If `call` is a call through a function pointer (`ExprCall`) or
* targets a virtual method, simple data flow analysis is performed
* in order to identify target(s).
*/
Function resolveCall(Call call) {
exists(CallInstruction callInstruction |
callInstruction.getAST() = call and
result = Dispatch::viableCallable(callInstruction)
)
}
/**
* Provides definitions for augmenting source/sink pairs with data-flow paths
* between them. From a `@kind path-problem` query, import this module in the
@@ -479,7 +465,7 @@ module TaintedWithPath {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -0,0 +1,23 @@
/**
* Provides a predicate for non-contextual virtual dispatch and function
* pointer resolution.
*/
import cpp
private import semmle.code.cpp.ir.ValueNumbering
private import internal.DataFlowDispatch
private import semmle.code.cpp.ir.IR
/**
* Resolve potential target function(s) for `call`.
*
* If `call` is a call through a function pointer (`ExprCall`) or its target is
* a virtual member function, simple data flow analysis is performed in order
* to identify the possible target(s).
*/
Function resolveCall(Call call) {
exists(CallInstruction callInstruction |
callInstruction.getAST() = call and
result = viableCallable(callInstruction)
)
}

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -2139,7 +2139,8 @@ private predicate expensiveLen2unfolding(TypedContent tc, Configuration config)
) and
accessPathApproxCostLimits(apLimit, tupleLimit) and
apLimit < tails and
tupleLimit < (tails - 1) * nodes
tupleLimit < (tails - 1) * nodes and
not tc.forceHighPrecision()
)
}
@@ -2973,12 +2974,15 @@ private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
* expected to be expensive. Holds with `unfold = true` otherwise.
*/
private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
if apa.getHead().forceHighPrecision()
then unfold = true
else
exists(int aps, int nodes, int apLimit, int tupleLimit |
aps = countPotentialAps(apa, config) and
nodes = countNodesUsingAccessPath(apa, config) and
accessPathCostLimits(apLimit, tupleLimit) and
if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
)
}
/**
@@ -3248,7 +3252,7 @@ class PathNode extends TPathNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -4033,7 +4037,7 @@ private module FlowExploration {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -937,7 +937,7 @@ class CallContextSpecificCall extends CallContextCall, TSpecificCall {
}
override predicate relevantFor(DataFlowCallable callable) {
recordDataFlowCallSite(getCall(), callable)
recordDataFlowCallSite(this.getCall(), callable)
}
override predicate matchesCall(DataFlowCall call) { call = this.getCall() }
@@ -1236,6 +1236,13 @@ class TypedContent extends MkTypedContent {
/** Gets a textual representation of this content. */
string toString() { result = c.toString() }
/**
* Holds if access paths with this `TypedContent` at their head always should
* be tracked at high precision. This disables adaptive access path precision
* for such access paths.
*/
predicate forceHighPrecision() { forceHighPrecision(c) }
}
/**
@@ -1250,7 +1257,7 @@ abstract class AccessPathFront extends TAccessPathFront {
TypedContent getHead() { this = TFrontHead(result) }
predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
predicate isClearedAt(Node n) { clearsContentCached(n, this.getHead().getContent()) }
}
class AccessPathFrontNil extends AccessPathFront, TFrontNil {

View File

@@ -466,6 +466,12 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) { none() } // stub impl
int accessPathLimit() { result = 5 }
/**
* Holds if access paths with `c` at their head always should be tracked at high
* precision. This disables adaptive access path precision for such access paths.
*/
predicate forceHighPrecision(Content c) { none() }
/** The unit type. */
private newtype TUnit = TMkUnit()

View File

@@ -120,7 +120,7 @@ class Node extends TIRDataFlowNode {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -38,5 +38,8 @@ Instruction callOutput(CallInstruction call, FunctionOutput output) {
effect.getPrimaryInstruction() = call and
output.isParameterDerefOrQualifierObject(effect.getIndex())
)
// TODO: return value dereference
or
// TODO: modify this when we get return value dereferences
result = call and
output.isReturnValueDeref()
}

View File

@@ -75,24 +75,26 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isSanitizer(DataFlow::Node node) { none() }
final override predicate isBarrier(DataFlow::Node node) {
isSanitizer(node) or
this.isSanitizer(node) or
defaultTaintSanitizer(node)
}
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
predicate isSanitizerOut(DataFlow::Node node) { none() }
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
this.isSanitizerGuard(guard)
}
/**
* Holds if the additional taint propagation step from `node1` to `node2`
@@ -101,7 +103,7 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalTaintStep(node1, node2) or
this.isAdditionalTaintStep(node1, node2) or
defaultAdditionalTaintStep(node1, node2)
}

View File

@@ -75,24 +75,26 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isSanitizer(DataFlow::Node node) { none() }
final override predicate isBarrier(DataFlow::Node node) {
isSanitizer(node) or
this.isSanitizer(node) or
defaultTaintSanitizer(node)
}
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
predicate isSanitizerOut(DataFlow::Node node) { none() }
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
this.isSanitizerGuard(guard)
}
/**
* Holds if the additional taint propagation step from `node1` to `node2`
@@ -101,7 +103,7 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalTaintStep(node1, node2) or
this.isAdditionalTaintStep(node1, node2) or
defaultAdditionalTaintStep(node1, node2)
}

View File

@@ -75,24 +75,26 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isSanitizer(DataFlow::Node node) { none() }
final override predicate isBarrier(DataFlow::Node node) {
isSanitizer(node) or
this.isSanitizer(node) or
defaultTaintSanitizer(node)
}
/** Holds if taint propagation into `node` is prohibited. */
predicate isSanitizerIn(DataFlow::Node node) { none() }
final override predicate isBarrierIn(DataFlow::Node node) { isSanitizerIn(node) }
final override predicate isBarrierIn(DataFlow::Node node) { this.isSanitizerIn(node) }
/** Holds if taint propagation out of `node` is prohibited. */
predicate isSanitizerOut(DataFlow::Node node) { none() }
final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }
final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
this.isSanitizerGuard(guard)
}
/**
* Holds if the additional taint propagation step from `node1` to `node2`
@@ -101,7 +103,7 @@ abstract class Configuration extends DataFlow::Configuration {
predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
final override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalTaintStep(node1, node2) or
this.isAdditionalTaintStep(node1, node2) or
defaultAdditionalTaintStep(node1, node2)
}

View File

@@ -24,7 +24,7 @@ class IRBlockBase extends TIRBlock {
final string toString() { result = getFirstInstruction(this).toString() }
/** Gets the source location of the first non-`Phi` instruction in this block. */
final Language::Location getLocation() { result = getFirstInstruction().getLocation() }
final Language::Location getLocation() { result = this.getFirstInstruction().getLocation() }
/**
* INTERNAL: Do not use.
@@ -39,7 +39,7 @@ class IRBlockBase extends TIRBlock {
) and
this =
rank[result + 1](IRBlock funcBlock, int sortOverride, int sortKey1, int sortKey2 |
funcBlock.getEnclosingFunction() = getEnclosingFunction() and
funcBlock.getEnclosingFunction() = this.getEnclosingFunction() and
funcBlock.getFirstInstruction().hasSortKeys(sortKey1, sortKey2) and
// Ensure that the block containing `EnterFunction` always comes first.
if funcBlock.getFirstInstruction() instanceof EnterFunctionInstruction
@@ -59,15 +59,15 @@ class IRBlockBase extends TIRBlock {
* Get the `Phi` instructions that appear at the start of this block.
*/
final PhiInstruction getAPhiInstruction() {
Construction::getPhiInstructionBlockStart(result) = getFirstInstruction()
Construction::getPhiInstructionBlockStart(result) = this.getFirstInstruction()
}
/**
* Gets an instruction in this block. This includes `Phi` instructions.
*/
final Instruction getAnInstruction() {
result = getInstruction(_) or
result = getAPhiInstruction()
result = this.getInstruction(_) or
result = this.getAPhiInstruction()
}
/**
@@ -78,7 +78,9 @@ class IRBlockBase extends TIRBlock {
/**
* Gets the last instruction in this block.
*/
final Instruction getLastInstruction() { result = getInstruction(getInstructionCount() - 1) }
final Instruction getLastInstruction() {
result = this.getInstruction(this.getInstructionCount() - 1)
}
/**
* Gets the number of non-`Phi` instructions in this block.
@@ -149,7 +151,7 @@ class IRBlock extends IRBlockBase {
* Block `A` dominates block `B` if any control flow path from the entry block of the function to
* block `B` must pass through block `A`. A block always dominates itself.
*/
final predicate dominates(IRBlock block) { strictlyDominates(block) or this = block }
final predicate dominates(IRBlock block) { this.strictlyDominates(block) or this = block }
/**
* Gets a block on the dominance frontier of this block.
@@ -159,8 +161,8 @@ class IRBlock extends IRBlockBase {
*/
pragma[noinline]
final IRBlock dominanceFrontier() {
dominates(result.getAPredecessor()) and
not strictlyDominates(result)
this.dominates(result.getAPredecessor()) and
not this.strictlyDominates(result)
}
/**
@@ -189,7 +191,7 @@ class IRBlock extends IRBlockBase {
* Block `A` post-dominates block `B` if any control flow path from `B` to the exit block of the
* function must pass through block `A`. A block always post-dominates itself.
*/
final predicate postDominates(IRBlock block) { strictlyPostDominates(block) or this = block }
final predicate postDominates(IRBlock block) { this.strictlyPostDominates(block) or this = block }
/**
* Gets a block on the post-dominance frontier of this block.
@@ -199,16 +201,16 @@ class IRBlock extends IRBlockBase {
*/
pragma[noinline]
final IRBlock postPominanceFrontier() {
postDominates(result.getASuccessor()) and
not strictlyPostDominates(result)
this.postDominates(result.getASuccessor()) and
not this.strictlyPostDominates(result)
}
/**
* Holds if this block is reachable from the entry block of its function.
*/
final predicate isReachableFromFunctionEntry() {
this = getEnclosingIRFunction().getEntryBlock() or
getAPredecessor().isReachableFromFunctionEntry()
this = this.getEnclosingIRFunction().getEntryBlock() or
this.getAPredecessor().isReachableFromFunctionEntry()
}
}

View File

@@ -46,12 +46,12 @@ class Operand extends TStageOperand {
/**
* Gets the location of the source code for this operand.
*/
final Language::Location getLocation() { result = getUse().getLocation() }
final Language::Location getLocation() { result = this.getUse().getLocation() }
/**
* Gets the function that contains this operand.
*/
final IRFunction getEnclosingIRFunction() { result = getUse().getEnclosingIRFunction() }
final IRFunction getEnclosingIRFunction() { result = this.getUse().getEnclosingIRFunction() }
/**
* Gets the `Instruction` that consumes this operand.
@@ -74,7 +74,7 @@ class Operand extends TStageOperand {
*/
final Instruction getDef() {
result = this.getAnyDef() and
getDefinitionOverlap() instanceof MustExactlyOverlap
this.getDefinitionOverlap() instanceof MustExactlyOverlap
}
/**
@@ -82,7 +82,7 @@ class Operand extends TStageOperand {
*
* Gets the `Instruction` that consumes this operand.
*/
deprecated final Instruction getUseInstruction() { result = getUse() }
deprecated final Instruction getUseInstruction() { result = this.getUse() }
/**
* DEPRECATED: use `getAnyDef` or `getDef`. The exact replacement for this
@@ -91,7 +91,7 @@ class Operand extends TStageOperand {
*
* Gets the `Instruction` whose result is the value of the operand.
*/
deprecated final Instruction getDefinitionInstruction() { result = getAnyDef() }
deprecated final Instruction getDefinitionInstruction() { result = this.getAnyDef() }
/**
* Gets the overlap relationship between the operand's definition and its use.
@@ -101,7 +101,9 @@ class Operand extends TStageOperand {
/**
* Holds if the result of the definition instruction does not exactly overlap this use.
*/
final predicate isDefinitionInexact() { not getDefinitionOverlap() instanceof MustExactlyOverlap }
final predicate isDefinitionInexact() {
not this.getDefinitionOverlap() instanceof MustExactlyOverlap
}
/**
* Gets a prefix to use when dumping the operand in an operand list.
@@ -121,7 +123,7 @@ class Operand extends TStageOperand {
* For example: `this:r3_5`
*/
final string getDumpString() {
result = getDumpLabel() + getInexactSpecifier() + getDefinitionId()
result = this.getDumpLabel() + this.getInexactSpecifier() + this.getDefinitionId()
}
/**
@@ -129,9 +131,9 @@ class Operand extends TStageOperand {
* definition is not modeled in SSA.
*/
private string getDefinitionId() {
result = getAnyDef().getResultId()
result = this.getAnyDef().getResultId()
or
not exists(getAnyDef()) and result = "m?"
not exists(this.getAnyDef()) and result = "m?"
}
/**
@@ -140,7 +142,7 @@ class Operand extends TStageOperand {
* the empty string.
*/
private string getInexactSpecifier() {
if isDefinitionInexact() then result = "~" else result = ""
if this.isDefinitionInexact() then result = "~" else result = ""
}
/**
@@ -155,7 +157,7 @@ class Operand extends TStageOperand {
* the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() }
Language::LanguageType getLanguageType() { result = this.getAnyDef().getResultLanguageType() }
/**
* Gets the language-neutral type of the value consumed by this operand. This is usually the same
@@ -164,7 +166,7 @@ class Operand extends TStageOperand {
* from the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
final IRType getIRType() { result = getLanguageType().getIRType() }
final IRType getIRType() { result = this.getLanguageType().getIRType() }
/**
* Gets the type of the value consumed by this operand. This is usually the same as the
@@ -173,7 +175,7 @@ class Operand extends TStageOperand {
* the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
final Language::Type getType() { getLanguageType().hasType(result, _) }
final Language::Type getType() { this.getLanguageType().hasType(result, _) }
/**
* Holds if the value consumed by this operand is a glvalue. If this
@@ -182,13 +184,13 @@ class Operand extends TStageOperand {
* not hold, the value of the operand represents a value whose type is
* given by `getType()`.
*/
final predicate isGLValue() { getLanguageType().hasType(_, true) }
final predicate isGLValue() { this.getLanguageType().hasType(_, true) }
/**
* Gets the size of the value consumed by this operand, in bytes. If the operand does not have
* a known constant size, this predicate does not hold.
*/
final int getSize() { result = getLanguageType().getByteSize() }
final int getSize() { result = this.getLanguageType().getByteSize() }
}
/**
@@ -205,7 +207,7 @@ class MemoryOperand extends Operand {
/**
* Gets the kind of memory access performed by the operand.
*/
MemoryAccessKind getMemoryAccess() { result = getUse().getOpcode().getReadMemoryAccess() }
MemoryAccessKind getMemoryAccess() { result = this.getUse().getOpcode().getReadMemoryAccess() }
/**
* Holds if the memory access performed by this operand will not always read from every bit in the
@@ -215,7 +217,7 @@ class MemoryOperand extends Operand {
* conservative estimate of the memory that might actually be accessed at runtime (for example,
* the global side effects of a function call).
*/
predicate hasMayReadMemoryAccess() { getUse().getOpcode().hasMayReadMemoryAccess() }
predicate hasMayReadMemoryAccess() { this.getUse().getOpcode().hasMayReadMemoryAccess() }
/**
* Returns the operand that holds the memory address from which the current operand loads its
@@ -223,8 +225,8 @@ class MemoryOperand extends Operand {
* is `r1`.
*/
final AddressOperand getAddressOperand() {
getMemoryAccess().usesAddressOperand() and
result.getUse() = getUse()
this.getMemoryAccess().usesAddressOperand() and
result.getUse() = this.getUse()
}
}
@@ -294,7 +296,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
result = unique(Instruction defInstr | hasDefinition(defInstr, _))
}
final override Overlap getDefinitionOverlap() { hasDefinition(_, result) }
final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
pragma[noinline]
private predicate hasDefinition(Instruction defInstr, Overlap overlap) {
@@ -449,13 +451,17 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
final override Overlap getDefinitionOverlap() { result = overlap }
final override int getDumpSortOrder() { result = 11 + getPredecessorBlock().getDisplayIndex() }
final override string getDumpLabel() {
result = "from " + getPredecessorBlock().getDisplayIndex().toString() + ":"
final override int getDumpSortOrder() {
result = 11 + this.getPredecessorBlock().getDisplayIndex()
}
final override string getDumpId() { result = getPredecessorBlock().getDisplayIndex().toString() }
final override string getDumpLabel() {
result = "from " + this.getPredecessorBlock().getDisplayIndex().toString() + ":"
}
final override string getDumpId() {
result = this.getPredecessorBlock().getDisplayIndex().toString()
}
/**
* Gets the predecessor block from which this value comes.

View File

@@ -24,7 +24,7 @@ class IRBlockBase extends TIRBlock {
final string toString() { result = getFirstInstruction(this).toString() }
/** Gets the source location of the first non-`Phi` instruction in this block. */
final Language::Location getLocation() { result = getFirstInstruction().getLocation() }
final Language::Location getLocation() { result = this.getFirstInstruction().getLocation() }
/**
* INTERNAL: Do not use.
@@ -39,7 +39,7 @@ class IRBlockBase extends TIRBlock {
) and
this =
rank[result + 1](IRBlock funcBlock, int sortOverride, int sortKey1, int sortKey2 |
funcBlock.getEnclosingFunction() = getEnclosingFunction() and
funcBlock.getEnclosingFunction() = this.getEnclosingFunction() and
funcBlock.getFirstInstruction().hasSortKeys(sortKey1, sortKey2) and
// Ensure that the block containing `EnterFunction` always comes first.
if funcBlock.getFirstInstruction() instanceof EnterFunctionInstruction
@@ -59,15 +59,15 @@ class IRBlockBase extends TIRBlock {
* Get the `Phi` instructions that appear at the start of this block.
*/
final PhiInstruction getAPhiInstruction() {
Construction::getPhiInstructionBlockStart(result) = getFirstInstruction()
Construction::getPhiInstructionBlockStart(result) = this.getFirstInstruction()
}
/**
* Gets an instruction in this block. This includes `Phi` instructions.
*/
final Instruction getAnInstruction() {
result = getInstruction(_) or
result = getAPhiInstruction()
result = this.getInstruction(_) or
result = this.getAPhiInstruction()
}
/**
@@ -78,7 +78,9 @@ class IRBlockBase extends TIRBlock {
/**
* Gets the last instruction in this block.
*/
final Instruction getLastInstruction() { result = getInstruction(getInstructionCount() - 1) }
final Instruction getLastInstruction() {
result = this.getInstruction(this.getInstructionCount() - 1)
}
/**
* Gets the number of non-`Phi` instructions in this block.
@@ -149,7 +151,7 @@ class IRBlock extends IRBlockBase {
* Block `A` dominates block `B` if any control flow path from the entry block of the function to
* block `B` must pass through block `A`. A block always dominates itself.
*/
final predicate dominates(IRBlock block) { strictlyDominates(block) or this = block }
final predicate dominates(IRBlock block) { this.strictlyDominates(block) or this = block }
/**
* Gets a block on the dominance frontier of this block.
@@ -159,8 +161,8 @@ class IRBlock extends IRBlockBase {
*/
pragma[noinline]
final IRBlock dominanceFrontier() {
dominates(result.getAPredecessor()) and
not strictlyDominates(result)
this.dominates(result.getAPredecessor()) and
not this.strictlyDominates(result)
}
/**
@@ -189,7 +191,7 @@ class IRBlock extends IRBlockBase {
* Block `A` post-dominates block `B` if any control flow path from `B` to the exit block of the
* function must pass through block `A`. A block always post-dominates itself.
*/
final predicate postDominates(IRBlock block) { strictlyPostDominates(block) or this = block }
final predicate postDominates(IRBlock block) { this.strictlyPostDominates(block) or this = block }
/**
* Gets a block on the post-dominance frontier of this block.
@@ -199,16 +201,16 @@ class IRBlock extends IRBlockBase {
*/
pragma[noinline]
final IRBlock postPominanceFrontier() {
postDominates(result.getASuccessor()) and
not strictlyPostDominates(result)
this.postDominates(result.getASuccessor()) and
not this.strictlyPostDominates(result)
}
/**
* Holds if this block is reachable from the entry block of its function.
*/
final predicate isReachableFromFunctionEntry() {
this = getEnclosingIRFunction().getEntryBlock() or
getAPredecessor().isReachableFromFunctionEntry()
this = this.getEnclosingIRFunction().getEntryBlock() or
this.getAPredecessor().isReachableFromFunctionEntry()
}
}

View File

@@ -46,12 +46,12 @@ class Operand extends TStageOperand {
/**
* Gets the location of the source code for this operand.
*/
final Language::Location getLocation() { result = getUse().getLocation() }
final Language::Location getLocation() { result = this.getUse().getLocation() }
/**
* Gets the function that contains this operand.
*/
final IRFunction getEnclosingIRFunction() { result = getUse().getEnclosingIRFunction() }
final IRFunction getEnclosingIRFunction() { result = this.getUse().getEnclosingIRFunction() }
/**
* Gets the `Instruction` that consumes this operand.
@@ -74,7 +74,7 @@ class Operand extends TStageOperand {
*/
final Instruction getDef() {
result = this.getAnyDef() and
getDefinitionOverlap() instanceof MustExactlyOverlap
this.getDefinitionOverlap() instanceof MustExactlyOverlap
}
/**
@@ -82,7 +82,7 @@ class Operand extends TStageOperand {
*
* Gets the `Instruction` that consumes this operand.
*/
deprecated final Instruction getUseInstruction() { result = getUse() }
deprecated final Instruction getUseInstruction() { result = this.getUse() }
/**
* DEPRECATED: use `getAnyDef` or `getDef`. The exact replacement for this
@@ -91,7 +91,7 @@ class Operand extends TStageOperand {
*
* Gets the `Instruction` whose result is the value of the operand.
*/
deprecated final Instruction getDefinitionInstruction() { result = getAnyDef() }
deprecated final Instruction getDefinitionInstruction() { result = this.getAnyDef() }
/**
* Gets the overlap relationship between the operand's definition and its use.
@@ -101,7 +101,9 @@ class Operand extends TStageOperand {
/**
* Holds if the result of the definition instruction does not exactly overlap this use.
*/
final predicate isDefinitionInexact() { not getDefinitionOverlap() instanceof MustExactlyOverlap }
final predicate isDefinitionInexact() {
not this.getDefinitionOverlap() instanceof MustExactlyOverlap
}
/**
* Gets a prefix to use when dumping the operand in an operand list.
@@ -121,7 +123,7 @@ class Operand extends TStageOperand {
* For example: `this:r3_5`
*/
final string getDumpString() {
result = getDumpLabel() + getInexactSpecifier() + getDefinitionId()
result = this.getDumpLabel() + this.getInexactSpecifier() + this.getDefinitionId()
}
/**
@@ -129,9 +131,9 @@ class Operand extends TStageOperand {
* definition is not modeled in SSA.
*/
private string getDefinitionId() {
result = getAnyDef().getResultId()
result = this.getAnyDef().getResultId()
or
not exists(getAnyDef()) and result = "m?"
not exists(this.getAnyDef()) and result = "m?"
}
/**
@@ -140,7 +142,7 @@ class Operand extends TStageOperand {
* the empty string.
*/
private string getInexactSpecifier() {
if isDefinitionInexact() then result = "~" else result = ""
if this.isDefinitionInexact() then result = "~" else result = ""
}
/**
@@ -155,7 +157,7 @@ class Operand extends TStageOperand {
* the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() }
Language::LanguageType getLanguageType() { result = this.getAnyDef().getResultLanguageType() }
/**
* Gets the language-neutral type of the value consumed by this operand. This is usually the same
@@ -164,7 +166,7 @@ class Operand extends TStageOperand {
* from the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
final IRType getIRType() { result = getLanguageType().getIRType() }
final IRType getIRType() { result = this.getLanguageType().getIRType() }
/**
* Gets the type of the value consumed by this operand. This is usually the same as the
@@ -173,7 +175,7 @@ class Operand extends TStageOperand {
* the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
final Language::Type getType() { getLanguageType().hasType(result, _) }
final Language::Type getType() { this.getLanguageType().hasType(result, _) }
/**
* Holds if the value consumed by this operand is a glvalue. If this
@@ -182,13 +184,13 @@ class Operand extends TStageOperand {
* not hold, the value of the operand represents a value whose type is
* given by `getType()`.
*/
final predicate isGLValue() { getLanguageType().hasType(_, true) }
final predicate isGLValue() { this.getLanguageType().hasType(_, true) }
/**
* Gets the size of the value consumed by this operand, in bytes. If the operand does not have
* a known constant size, this predicate does not hold.
*/
final int getSize() { result = getLanguageType().getByteSize() }
final int getSize() { result = this.getLanguageType().getByteSize() }
}
/**
@@ -205,7 +207,7 @@ class MemoryOperand extends Operand {
/**
* Gets the kind of memory access performed by the operand.
*/
MemoryAccessKind getMemoryAccess() { result = getUse().getOpcode().getReadMemoryAccess() }
MemoryAccessKind getMemoryAccess() { result = this.getUse().getOpcode().getReadMemoryAccess() }
/**
* Holds if the memory access performed by this operand will not always read from every bit in the
@@ -215,7 +217,7 @@ class MemoryOperand extends Operand {
* conservative estimate of the memory that might actually be accessed at runtime (for example,
* the global side effects of a function call).
*/
predicate hasMayReadMemoryAccess() { getUse().getOpcode().hasMayReadMemoryAccess() }
predicate hasMayReadMemoryAccess() { this.getUse().getOpcode().hasMayReadMemoryAccess() }
/**
* Returns the operand that holds the memory address from which the current operand loads its
@@ -223,8 +225,8 @@ class MemoryOperand extends Operand {
* is `r1`.
*/
final AddressOperand getAddressOperand() {
getMemoryAccess().usesAddressOperand() and
result.getUse() = getUse()
this.getMemoryAccess().usesAddressOperand() and
result.getUse() = this.getUse()
}
}
@@ -294,7 +296,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
result = unique(Instruction defInstr | hasDefinition(defInstr, _))
}
final override Overlap getDefinitionOverlap() { hasDefinition(_, result) }
final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
pragma[noinline]
private predicate hasDefinition(Instruction defInstr, Overlap overlap) {
@@ -449,13 +451,17 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
final override Overlap getDefinitionOverlap() { result = overlap }
final override int getDumpSortOrder() { result = 11 + getPredecessorBlock().getDisplayIndex() }
final override string getDumpLabel() {
result = "from " + getPredecessorBlock().getDisplayIndex().toString() + ":"
final override int getDumpSortOrder() {
result = 11 + this.getPredecessorBlock().getDisplayIndex()
}
final override string getDumpId() { result = getPredecessorBlock().getDisplayIndex().toString() }
final override string getDumpLabel() {
result = "from " + this.getPredecessorBlock().getDisplayIndex().toString() + ":"
}
final override string getDumpId() {
result = this.getPredecessorBlock().getDisplayIndex().toString()
}
/**
* Gets the predecessor block from which this value comes.

View File

@@ -24,7 +24,7 @@ class IRBlockBase extends TIRBlock {
final string toString() { result = getFirstInstruction(this).toString() }
/** Gets the source location of the first non-`Phi` instruction in this block. */
final Language::Location getLocation() { result = getFirstInstruction().getLocation() }
final Language::Location getLocation() { result = this.getFirstInstruction().getLocation() }
/**
* INTERNAL: Do not use.
@@ -39,7 +39,7 @@ class IRBlockBase extends TIRBlock {
) and
this =
rank[result + 1](IRBlock funcBlock, int sortOverride, int sortKey1, int sortKey2 |
funcBlock.getEnclosingFunction() = getEnclosingFunction() and
funcBlock.getEnclosingFunction() = this.getEnclosingFunction() and
funcBlock.getFirstInstruction().hasSortKeys(sortKey1, sortKey2) and
// Ensure that the block containing `EnterFunction` always comes first.
if funcBlock.getFirstInstruction() instanceof EnterFunctionInstruction
@@ -59,15 +59,15 @@ class IRBlockBase extends TIRBlock {
* Get the `Phi` instructions that appear at the start of this block.
*/
final PhiInstruction getAPhiInstruction() {
Construction::getPhiInstructionBlockStart(result) = getFirstInstruction()
Construction::getPhiInstructionBlockStart(result) = this.getFirstInstruction()
}
/**
* Gets an instruction in this block. This includes `Phi` instructions.
*/
final Instruction getAnInstruction() {
result = getInstruction(_) or
result = getAPhiInstruction()
result = this.getInstruction(_) or
result = this.getAPhiInstruction()
}
/**
@@ -78,7 +78,9 @@ class IRBlockBase extends TIRBlock {
/**
* Gets the last instruction in this block.
*/
final Instruction getLastInstruction() { result = getInstruction(getInstructionCount() - 1) }
final Instruction getLastInstruction() {
result = this.getInstruction(this.getInstructionCount() - 1)
}
/**
* Gets the number of non-`Phi` instructions in this block.
@@ -149,7 +151,7 @@ class IRBlock extends IRBlockBase {
* Block `A` dominates block `B` if any control flow path from the entry block of the function to
* block `B` must pass through block `A`. A block always dominates itself.
*/
final predicate dominates(IRBlock block) { strictlyDominates(block) or this = block }
final predicate dominates(IRBlock block) { this.strictlyDominates(block) or this = block }
/**
* Gets a block on the dominance frontier of this block.
@@ -159,8 +161,8 @@ class IRBlock extends IRBlockBase {
*/
pragma[noinline]
final IRBlock dominanceFrontier() {
dominates(result.getAPredecessor()) and
not strictlyDominates(result)
this.dominates(result.getAPredecessor()) and
not this.strictlyDominates(result)
}
/**
@@ -189,7 +191,7 @@ class IRBlock extends IRBlockBase {
* Block `A` post-dominates block `B` if any control flow path from `B` to the exit block of the
* function must pass through block `A`. A block always post-dominates itself.
*/
final predicate postDominates(IRBlock block) { strictlyPostDominates(block) or this = block }
final predicate postDominates(IRBlock block) { this.strictlyPostDominates(block) or this = block }
/**
* Gets a block on the post-dominance frontier of this block.
@@ -199,16 +201,16 @@ class IRBlock extends IRBlockBase {
*/
pragma[noinline]
final IRBlock postPominanceFrontier() {
postDominates(result.getASuccessor()) and
not strictlyPostDominates(result)
this.postDominates(result.getASuccessor()) and
not this.strictlyPostDominates(result)
}
/**
* Holds if this block is reachable from the entry block of its function.
*/
final predicate isReachableFromFunctionEntry() {
this = getEnclosingIRFunction().getEntryBlock() or
getAPredecessor().isReachableFromFunctionEntry()
this = this.getEnclosingIRFunction().getEntryBlock() or
this.getAPredecessor().isReachableFromFunctionEntry()
}
}

View File

@@ -46,12 +46,12 @@ class Operand extends TStageOperand {
/**
* Gets the location of the source code for this operand.
*/
final Language::Location getLocation() { result = getUse().getLocation() }
final Language::Location getLocation() { result = this.getUse().getLocation() }
/**
* Gets the function that contains this operand.
*/
final IRFunction getEnclosingIRFunction() { result = getUse().getEnclosingIRFunction() }
final IRFunction getEnclosingIRFunction() { result = this.getUse().getEnclosingIRFunction() }
/**
* Gets the `Instruction` that consumes this operand.
@@ -74,7 +74,7 @@ class Operand extends TStageOperand {
*/
final Instruction getDef() {
result = this.getAnyDef() and
getDefinitionOverlap() instanceof MustExactlyOverlap
this.getDefinitionOverlap() instanceof MustExactlyOverlap
}
/**
@@ -82,7 +82,7 @@ class Operand extends TStageOperand {
*
* Gets the `Instruction` that consumes this operand.
*/
deprecated final Instruction getUseInstruction() { result = getUse() }
deprecated final Instruction getUseInstruction() { result = this.getUse() }
/**
* DEPRECATED: use `getAnyDef` or `getDef`. The exact replacement for this
@@ -91,7 +91,7 @@ class Operand extends TStageOperand {
*
* Gets the `Instruction` whose result is the value of the operand.
*/
deprecated final Instruction getDefinitionInstruction() { result = getAnyDef() }
deprecated final Instruction getDefinitionInstruction() { result = this.getAnyDef() }
/**
* Gets the overlap relationship between the operand's definition and its use.
@@ -101,7 +101,9 @@ class Operand extends TStageOperand {
/**
* Holds if the result of the definition instruction does not exactly overlap this use.
*/
final predicate isDefinitionInexact() { not getDefinitionOverlap() instanceof MustExactlyOverlap }
final predicate isDefinitionInexact() {
not this.getDefinitionOverlap() instanceof MustExactlyOverlap
}
/**
* Gets a prefix to use when dumping the operand in an operand list.
@@ -121,7 +123,7 @@ class Operand extends TStageOperand {
* For example: `this:r3_5`
*/
final string getDumpString() {
result = getDumpLabel() + getInexactSpecifier() + getDefinitionId()
result = this.getDumpLabel() + this.getInexactSpecifier() + this.getDefinitionId()
}
/**
@@ -129,9 +131,9 @@ class Operand extends TStageOperand {
* definition is not modeled in SSA.
*/
private string getDefinitionId() {
result = getAnyDef().getResultId()
result = this.getAnyDef().getResultId()
or
not exists(getAnyDef()) and result = "m?"
not exists(this.getAnyDef()) and result = "m?"
}
/**
@@ -140,7 +142,7 @@ class Operand extends TStageOperand {
* the empty string.
*/
private string getInexactSpecifier() {
if isDefinitionInexact() then result = "~" else result = ""
if this.isDefinitionInexact() then result = "~" else result = ""
}
/**
@@ -155,7 +157,7 @@ class Operand extends TStageOperand {
* the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
Language::LanguageType getLanguageType() { result = getAnyDef().getResultLanguageType() }
Language::LanguageType getLanguageType() { result = this.getAnyDef().getResultLanguageType() }
/**
* Gets the language-neutral type of the value consumed by this operand. This is usually the same
@@ -164,7 +166,7 @@ class Operand extends TStageOperand {
* from the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
final IRType getIRType() { result = getLanguageType().getIRType() }
final IRType getIRType() { result = this.getLanguageType().getIRType() }
/**
* Gets the type of the value consumed by this operand. This is usually the same as the
@@ -173,7 +175,7 @@ class Operand extends TStageOperand {
* the definition type, such as in the case of a partial read or a read from a pointer that
* has been cast to a different type.
*/
final Language::Type getType() { getLanguageType().hasType(result, _) }
final Language::Type getType() { this.getLanguageType().hasType(result, _) }
/**
* Holds if the value consumed by this operand is a glvalue. If this
@@ -182,13 +184,13 @@ class Operand extends TStageOperand {
* not hold, the value of the operand represents a value whose type is
* given by `getType()`.
*/
final predicate isGLValue() { getLanguageType().hasType(_, true) }
final predicate isGLValue() { this.getLanguageType().hasType(_, true) }
/**
* Gets the size of the value consumed by this operand, in bytes. If the operand does not have
* a known constant size, this predicate does not hold.
*/
final int getSize() { result = getLanguageType().getByteSize() }
final int getSize() { result = this.getLanguageType().getByteSize() }
}
/**
@@ -205,7 +207,7 @@ class MemoryOperand extends Operand {
/**
* Gets the kind of memory access performed by the operand.
*/
MemoryAccessKind getMemoryAccess() { result = getUse().getOpcode().getReadMemoryAccess() }
MemoryAccessKind getMemoryAccess() { result = this.getUse().getOpcode().getReadMemoryAccess() }
/**
* Holds if the memory access performed by this operand will not always read from every bit in the
@@ -215,7 +217,7 @@ class MemoryOperand extends Operand {
* conservative estimate of the memory that might actually be accessed at runtime (for example,
* the global side effects of a function call).
*/
predicate hasMayReadMemoryAccess() { getUse().getOpcode().hasMayReadMemoryAccess() }
predicate hasMayReadMemoryAccess() { this.getUse().getOpcode().hasMayReadMemoryAccess() }
/**
* Returns the operand that holds the memory address from which the current operand loads its
@@ -223,8 +225,8 @@ class MemoryOperand extends Operand {
* is `r1`.
*/
final AddressOperand getAddressOperand() {
getMemoryAccess().usesAddressOperand() and
result.getUse() = getUse()
this.getMemoryAccess().usesAddressOperand() and
result.getUse() = this.getUse()
}
}
@@ -294,7 +296,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
result = unique(Instruction defInstr | hasDefinition(defInstr, _))
}
final override Overlap getDefinitionOverlap() { hasDefinition(_, result) }
final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }
pragma[noinline]
private predicate hasDefinition(Instruction defInstr, Overlap overlap) {
@@ -449,13 +451,17 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
final override Overlap getDefinitionOverlap() { result = overlap }
final override int getDumpSortOrder() { result = 11 + getPredecessorBlock().getDisplayIndex() }
final override string getDumpLabel() {
result = "from " + getPredecessorBlock().getDisplayIndex().toString() + ":"
final override int getDumpSortOrder() {
result = 11 + this.getPredecessorBlock().getDisplayIndex()
}
final override string getDumpId() { result = getPredecessorBlock().getDisplayIndex().toString() }
final override string getDumpLabel() {
result = "from " + this.getPredecessorBlock().getDisplayIndex().toString() + ":"
}
final override string getDumpId() {
result = this.getPredecessorBlock().getDisplayIndex().toString()
}
/**
* Gets the predecessor block from which this value comes.

View File

@@ -18,10 +18,11 @@ Overlap getOverlap(IntValue defStart, IntValue defEnd, IntValue useStart, IntVal
else
if isLE(defStart, useStart) and isGE(defEnd, useEnd)
then result instanceof MustTotallyOverlap
else
if isLE(defEnd, useStart) or isGE(defStart, useEnd)
then none()
else result instanceof MayPartiallyOverlap
else (
not isLE(defEnd, useStart) and
not isGE(defStart, useEnd) and
result instanceof MayPartiallyOverlap
)
}
/**

View File

@@ -36,3 +36,4 @@ private import implementations.Select
private import implementations.MySql
private import implementations.SqLite3
private import implementations.PostgreSql
private import implementations.System

View File

@@ -56,7 +56,7 @@ private class MallocAllocationFunction extends AllocationFunction {
]) and
sizeArg = 1
or
hasGlobalName(["HeapAlloc"]) and // HeapAlloc(heap, flags, size)
hasGlobalName("HeapAlloc") and // HeapAlloc(heap, flags, size)
sizeArg = 2
or
hasGlobalName([

View File

@@ -85,4 +85,6 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
) and
description = "Buffer read by " + this.getName()
}
override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }
}

View File

@@ -60,4 +60,6 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
override predicate hasRemoteFlowSink(FunctionInput input, string description) {
input.isParameterDeref(1) and description = "Buffer sent by " + this.getName()
}
override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }
}

View File

@@ -0,0 +1,43 @@
import cpp
import semmle.code.cpp.models.interfaces.SideEffect
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.CommandExecution
/**
* A function for running a command using a command interpreter.
*/
private class SystemFunction extends CommandExecutionFunction, ArrayFunction, AliasFunction,
SideEffectFunction {
SystemFunction() {
hasGlobalOrStdName("system") or // system(command)
hasGlobalName("popen") or // popen(command, mode)
// Windows variants
hasGlobalName("_popen") or // _popen(command, mode)
hasGlobalName("_wpopen") or // _wpopen(command, mode)
hasGlobalName("_wsystem") // _wsystem(command)
}
override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) }
override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 or bufParam = 1 }
override predicate hasArrayInput(int bufParam) { bufParam = 0 or bufParam = 1 }
override predicate parameterNeverEscapes(int index) { index = 0 or index = 1 }
override predicate parameterEscapesOnlyViaReturn(int index) { none() }
override predicate parameterIsAlwaysReturned(int index) { none() }
override predicate hasOnlySpecificReadSideEffects() { any() }
override predicate hasOnlySpecificWriteSideEffects() {
hasGlobalOrStdName("system") or
hasGlobalName("_wsystem")
}
override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
(i = 0 or i = 1) and
buffer = true
}
}

View File

@@ -0,0 +1,23 @@
/**
* Provides classes for modeling functions that execute new programs by
* interpreting string data as shell commands. To use this QL library, create
* a QL class extending `CommandExecutionFunction` with a characteristic
* predicate that selects the function or set of functions you are modeling.
* Within that class, override the `hasCommandArgument` predicate to indicate
* which parameters are interpreted as shell commands.
*/
import cpp
import FunctionInputsAndOutputs
import semmle.code.cpp.models.Models
/**
* A function, such as `exec` or `popen` that starts a new process by
* interpreting a string as a shell command.
*/
abstract class CommandExecutionFunction extends Function {
/**
* Holds if `input` is interpreted as a shell command.
*/
abstract predicate hasCommandArgument(FunctionInput input);
}

View File

@@ -18,6 +18,12 @@ abstract class RemoteFlowSourceFunction extends Function {
* Holds if remote data described by `description` flows from `output` of a call to this function.
*/
abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
/**
* Holds if remote data from this source comes from a socket described by
* `input`. There is no result if a socket is not specified.
*/
predicate hasSocketInput(FunctionInput input) { none() }
}
/**
@@ -51,4 +57,10 @@ abstract class RemoteFlowSinkFunction extends Function {
* send over a network connection.
*/
abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
/**
* Holds if data put into this sink is transmitted through a socket described
* by `input`. There is no result if a socket is not specified.
*/
predicate hasSocketInput(FunctionInput input) { none() }
}

View File

@@ -29,8 +29,7 @@ predicate nanExcludingComparison(ComparisonOperation guard, boolean polarity) {
*/
private predicate excludesNan(RangeSsaDefinition def, VariableAccess v) {
exists(VariableAccess inCond, ComparisonOperation guard, boolean branch, StackVariable lsv |
def.isGuardPhi(inCond, guard, branch) and
inCond.getTarget() = lsv and
def.isGuardPhi(lsv, inCond, guard, branch) and
v = def.getAUse(lsv) and
guard.getAnOperand() = inCond and
nanExcludingComparison(guard, branch)

View File

@@ -94,10 +94,11 @@ class RangeSsaDefinition extends ControlFlowNodeBase {
predicate isPhiNode(StackVariable v) { exists(RangeSSA x | x.phi_node(v, this.(BasicBlock))) }
/**
* DEPRECATED: Use isGuardPhi/4 instead
* If this definition is a phi node corresponding to a guard,
* then return the variable access and the guard.
*/
predicate isGuardPhi(VariableAccess va, Expr guard, boolean branch) {
deprecated predicate isGuardPhi(VariableAccess va, Expr guard, boolean branch) {
guard_defn(va, guard, this, branch)
}
@@ -142,9 +143,8 @@ class RangeSsaDefinition extends ControlFlowNodeBase {
// below excludes definitions which can only reach guard phi
// nodes by going through the corresponding guard.
not exists(VariableAccess access |
v = access.getTarget() and
pred.contains(access) and
this.isGuardPhi(access, _, _)
this.isGuardPhi(v, access, _, _)
)
)
}

View File

@@ -433,10 +433,7 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
private predicate phiDependsOnDef(
RangeSsaDefinition phi, StackVariable v, RangeSsaDefinition srcDef, StackVariable srcVar
) {
exists(VariableAccess access, Expr guard |
access = v.getAnAccess() and
phi.isGuardPhi(access, guard, _)
|
exists(VariableAccess access, Expr guard | phi.isGuardPhi(v, access, guard, _) |
exprDependsOnDef(guard.(ComparisonOperation).getAnOperand(), srcDef, srcVar) or
exprDependsOnDef(access, srcDef, srcVar)
)
@@ -1204,8 +1201,7 @@ private float boolConversionUpperBound(Expr expr) {
*/
private float getPhiLowerBounds(StackVariable v, RangeSsaDefinition phi) {
exists(VariableAccess access, Expr guard, boolean branch, float defLB, float guardLB |
access = v.getAnAccess() and
phi.isGuardPhi(access, guard, branch) and
phi.isGuardPhi(v, access, guard, branch) and
lowerBoundFromGuard(guard, access, guardLB, branch) and
defLB = getFullyConvertedLowerBounds(access)
|
@@ -1230,8 +1226,7 @@ private float getPhiLowerBounds(StackVariable v, RangeSsaDefinition phi) {
/** See comment for `getPhiLowerBounds`, above. */
private float getPhiUpperBounds(StackVariable v, RangeSsaDefinition phi) {
exists(VariableAccess access, Expr guard, boolean branch, float defUB, float guardUB |
access = v.getAnAccess() and
phi.isGuardPhi(access, guard, branch) and
phi.isGuardPhi(v, access, guard, branch) and
upperBoundFromGuard(guard, access, guardUB, branch) and
defUB = getFullyConvertedUpperBounds(access)
|
@@ -1493,8 +1488,7 @@ private predicate isNEPhi(
exists(
ComparisonOperation cmp, boolean branch, Expr linearExpr, Expr rExpr, float p, float q, float r
|
access.getTarget() = v and
phi.isGuardPhi(access, cmp, branch) and
phi.isGuardPhi(v, access, cmp, branch) and
eqOpWithSwapAndNegate(cmp, linearExpr, rExpr, false, branch) and
v.getUnspecifiedType() instanceof IntegralOrEnumType and // Float `!=` is too imprecise
r = getValue(rExpr).toFloat() and
@@ -1503,8 +1497,7 @@ private predicate isNEPhi(
)
or
exists(Expr op, boolean branch, Expr linearExpr, float p, float q |
access.getTarget() = v and
phi.isGuardPhi(access, op, branch) and
phi.isGuardPhi(v, access, op, branch) and
eqZeroWithNegate(op, linearExpr, false, branch) and
v.getUnspecifiedType() instanceof IntegralOrEnumType and // Float `!` is too imprecise
linearAccess(linearExpr, access, p, q) and
@@ -1524,8 +1517,7 @@ private predicate isUnsupportedGuardPhi(Variable v, RangeSsaDefinition phi, Vari
or
eqZeroWithNegate(cmp, _, false, branch)
|
access.getTarget() = v and
phi.isGuardPhi(access, cmp, branch) and
phi.isGuardPhi(v, access, cmp, branch) and
not isNEPhi(v, phi, access, _)
)
}
@@ -1594,6 +1586,15 @@ private module SimpleRangeAnalysisCached {
result = min([max(getTruncatedUpperBounds(expr)), getGuardedUpperBound(expr)])
}
/** Holds if the upper bound of `expr` may have been widened. This means the the upper bound is in practice likely to be overly wide. */
cached
predicate upperBoundMayBeWidened(Expr e) {
isRecursiveExpr(e) and
// Widening is not a problem if the post-analysis in `getGuardedUpperBound` has overridden the widening.
// Note that the RHS of `<` may be multi-valued.
not getGuardedUpperBound(e) < getTruncatedUpperBounds(e)
}
/**
* Holds if `expr` has a provably empty range. For example:
*

View File

@@ -365,7 +365,7 @@ class GetsBW extends BufferWriteCall {
/**
* Gets the index of the parameter that is the maximum number of characters to be read.
*/
int getParamSize() { if exists(getArgument(1)) then result = 1 else none() }
int getParamSize() { exists(getArgument(1)) and result = 1 }
override Type getBufferType() { result = this.getTarget().getParameter(0).getUnspecifiedType() }

View File

@@ -4,42 +4,20 @@ import cpp
import semmle.code.cpp.security.FunctionWithWrappers
import semmle.code.cpp.models.interfaces.SideEffect
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.CommandExecution
/**
* A function for running a command using a command interpreter.
*/
class SystemFunction extends FunctionWithWrappers, ArrayFunction, AliasFunction, SideEffectFunction {
SystemFunction() {
hasGlobalOrStdName("system") or // system(command)
hasGlobalName("popen") or // popen(command, mode)
// Windows variants
hasGlobalName("_popen") or // _popen(command, mode)
hasGlobalName("_wpopen") or // _wpopen(command, mode)
hasGlobalName("_wsystem") // _wsystem(command)
}
override predicate interestingArg(int arg) { arg = 0 }
override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 or bufParam = 1 }
override predicate hasArrayInput(int bufParam) { bufParam = 0 or bufParam = 1 }
override predicate parameterNeverEscapes(int index) { index = 0 or index = 1 }
override predicate parameterEscapesOnlyViaReturn(int index) { none() }
override predicate parameterIsAlwaysReturned(int index) { none() }
override predicate hasOnlySpecificReadSideEffects() { any() }
override predicate hasOnlySpecificWriteSideEffects() {
hasGlobalOrStdName("system") or
hasGlobalName("_wsystem")
}
override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
(i = 0 or i = 1) and
buffer = true
class SystemFunction extends FunctionWithWrappers instanceof CommandExecutionFunction {
override predicate interestingArg(int arg) {
exists(FunctionInput input |
this.(CommandExecutionFunction).hasCommandArgument(input) and
(
input.isParameterDerefOrQualifierObject(arg) or
input.isParameterOrQualifierAddress(arg)
)
)
}
}

View File

@@ -17,7 +17,7 @@
import cpp
import PrintfLike
private import TaintTracking
private import semmle.code.cpp.ir.dataflow.ResolveCall
bindingset[index]
private string toCause(Function func, int index) {

View File

@@ -245,7 +245,7 @@ svnchurn(
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `file`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
locations_default(
/** The location of an element that is not an expression or a statement. */
@@ -262,7 +262,7 @@ locations_default(
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `file`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
locations_stmt(
/** The location of a statement. */
@@ -279,7 +279,7 @@ locations_stmt(
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `file`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
locations_expr(
/** The location of an expression. */

1207
cpp/ql/lib/tutorial.qll Normal file

File diff suppressed because it is too large Load Diff

View File

@@ -60,20 +60,18 @@ class SuppressionComment extends Comment {
/**
* The scope of an alert suppression comment.
*/
class SuppressionScope extends ElementBase {
SuppressionScope() { this instanceof SuppressionComment }
class SuppressionScope extends ElementBase instanceof SuppressionComment {
/**
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
super.covers(filepath, startline, startcolumn, endline, endcolumn)
}
}

View File

@@ -5,7 +5,7 @@
* @kind problem
* @problem.severity warning
* @security-severity 9.3
* @precision medium
* @precision high
* @id cpp/static-buffer-overflow
* @tags reliability
* security
@@ -55,6 +55,8 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
// Ensure that we don't have an upper bound on the array index that's less than the buffer size.
not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
// The upper bounds analysis must not have been widended
not upperBoundMayBeWidened(bufaccess.getArrayOffset().getFullyConverted()) and
msg =
"Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -130,11 +132,13 @@ predicate outOfBounds(BufferAccess bufaccess, string msg) {
(
access > size
or
access = size and not exists(AddressOfExpr addof | bufaccess = addof.getOperand())
access = size and
not exists(AddressOfExpr addof | bufaccess = addof.getOperand()) and
not exists(BuiltInOperationBuiltInOffsetOf offsetof | offsetof.getAChild() = bufaccess)
) and
msg =
"Potential buffer-overflow: '" + buf + "' has size " + size.toString() + " but '" + buf + "[" +
access.toString() + "]' is accessed here."
access.toString() + "]' may be accessed here."
)
}

View File

@@ -1,16 +0,0 @@
/**
* @name Extraction errors
* @description List all extraction errors for files in the source code directory.
* @kind diagnostic
* @id cpp/diagnostics/extraction-errors
*/
import cpp
import ExtractionErrors
from ExtractionError error
where
error instanceof ExtractionUnknownError or
exists(error.getFile().getRelativePath())
select error, "Extraction failed in " + error.getFile() + " with error " + error.getErrorMessage(),
error.getSeverity()

View File

@@ -1,12 +1,12 @@
/**
* Provides a common hierarchy of all types of errors that can occur during extraction.
* Provides a common hierarchy of all types of problems that can occur during extraction.
*/
import cpp
/*
* A note about how the C/C++ extractor emits diagnostics:
* When the extractor frontend encounters an error, it emits a diagnostic message,
* When the extractor frontend encounters a problem, it emits a diagnostic message,
* that includes a message, location and severity.
* However, that process is best-effort and may fail (e.g. due to lack of memory).
* Thus, if the extractor emitted at least one diagnostic of severity discretionary
@@ -15,17 +15,17 @@ import cpp
* In the common case, this means that a compilation during which one or more errors happened also gets
* the catch-all diagnostic.
* This diagnostic has the empty string as file path.
* We filter out these useless diagnostics if there is at least one error-level diagnostic
* We filter out these useless diagnostics if there is at least one warning-level diagnostic
* for the affected compilation in the database.
* Otherwise, we show it to indicate that something went wrong and that we
* don't know what exactly happened.
*/
/**
* An error that, if present, leads to a file being marked as non-successfully extracted.
* A problem with a file that, if present, leads to a file being marked as non-successfully extracted.
*/
class ReportableError extends Diagnostic {
ReportableError() {
class ReportableWarning extends Diagnostic {
ReportableWarning() {
(
this instanceof CompilerDiscretionaryError or
this instanceof CompilerError or
@@ -36,39 +36,35 @@ class ReportableError extends Diagnostic {
}
}
private newtype TExtractionError =
TReportableError(ReportableError err) or
private newtype TExtractionProblem =
TReportableWarning(ReportableWarning err) or
TCompilationFailed(Compilation c, File f) {
f = c.getAFileCompiled() and not c.normalTermination()
} or
// Show the catch-all diagnostic (see note above) only if we haven't seen any other error-level diagnostic
// for that compilation
TUnknownError(CompilerError err) {
not exists(ReportableError e | e.getCompilation() = err.getCompilation())
TUnknownProblem(CompilerError err) {
not exists(ReportableWarning e | e.getCompilation() = err.getCompilation())
}
/**
* Superclass for the extraction error hierarchy.
* Superclass for the extraction problem hierarchy.
*/
class ExtractionError extends TExtractionError {
/** Gets the string representation of the error. */
class ExtractionProblem extends TExtractionProblem {
/** Gets the string representation of the problem. */
string toString() { none() }
/** Gets the error message for this error. */
string getErrorMessage() { none() }
/** Gets the problem message for this problem. */
string getProblemMessage() { none() }
/** Gets the file this error occured in. */
/** Gets the file this problem occured in. */
File getFile() { none() }
/** Gets the location this error occured in. */
/** Gets the location this problem occured in. */
Location getLocation() { none() }
/** Gets the SARIF severity of this error. */
int getSeverity() {
// Unfortunately, we can't distinguish between errors and fatal errors in SARIF,
// so all errors have severity 2.
result = 2
}
/** Gets the SARIF severity of this problem. */
int getSeverity() { none() }
}
/**
@@ -79,7 +75,7 @@ class ExtractionError extends TExtractionError {
* - stack overflow
* - out of memory
*/
class ExtractionUnrecoverableError extends ExtractionError, TCompilationFailed {
class ExtractionUnrecoverableError extends ExtractionProblem, TCompilationFailed {
Compilation c;
File f;
@@ -89,49 +85,67 @@ class ExtractionUnrecoverableError extends ExtractionError, TCompilationFailed {
result = "Unrecoverable extraction error while compiling " + f.toString()
}
override string getErrorMessage() { result = "unrecoverable compilation failure." }
override string getProblemMessage() { result = "unrecoverable compilation failure." }
override File getFile() { result = f }
override Location getLocation() { result = f.getLocation() }
override int getSeverity() {
// These extractor errors break the analysis, so we mark them in SARIF as
// [errors](https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541338).
result = 2
}
}
/**
* A recoverable extraction error.
* A recoverable extraction warning.
* These are compiler errors from the frontend.
* Upon encountering one of these, we still continue extraction, but the
* database will be incomplete for that file.
*/
class ExtractionRecoverableError extends ExtractionError, TReportableError {
ReportableError err;
class ExtractionRecoverableWarning extends ExtractionProblem, TReportableWarning {
ReportableWarning err;
ExtractionRecoverableError() { this = TReportableError(err) }
ExtractionRecoverableWarning() { this = TReportableWarning(err) }
override string toString() { result = "Recoverable extraction error: " + err }
override string getErrorMessage() { result = err.getFullMessage() }
override string getProblemMessage() { result = err.getFullMessage() }
override File getFile() { result = err.getFile() }
override Location getLocation() { result = err.getLocation() }
override int getSeverity() {
// Recoverable extraction problems don't tend to break the analysis, so we mark them in SARIF as
// [warnings](https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541338).
result = 1
}
}
/**
* An unknown error happened during extraction.
* These are only displayed if we know that we encountered an error during extraction,
* An unknown problem happened during extraction.
* These are only displayed if we know that we encountered an problem during extraction,
* but, for some reason, failed to emit a proper diagnostic with location information
* and error message.
* and problem message.
*/
class ExtractionUnknownError extends ExtractionError, TUnknownError {
class ExtractionUnknownProblem extends ExtractionProblem, TUnknownProblem {
CompilerError err;
ExtractionUnknownError() { this = TUnknownError(err) }
ExtractionUnknownProblem() { this = TUnknownProblem(err) }
override string toString() { result = "Unknown extraction error: " + err }
override string toString() { result = "Unknown extraction problem: " + err }
override string getErrorMessage() { result = err.getFullMessage() }
override string getProblemMessage() { result = err.getFullMessage() }
override File getFile() { result = err.getFile() }
override Location getLocation() { result = err.getLocation() }
override int getSeverity() {
// Unknown extraction problems don't tend to break the analysis, so we mark them in SARIF as
// [warnings](https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541338).
result = 1
}
}

View File

@@ -0,0 +1,18 @@
/**
* @name Extraction warnings
* @description List all extraction warnings for files in the source code directory.
* @kind diagnostic
* @id cpp/diagnostics/extraction-warnings
*/
import cpp
import ExtractionProblems
from ExtractionProblem warning
where
warning instanceof ExtractionRecoverableWarning and exists(warning.getFile().getRelativePath())
or
warning instanceof ExtractionUnknownProblem
select warning,
"Extraction failed in " + warning.getFile() + " with warning " + warning.getProblemMessage(),
warning.getSeverity()

View File

@@ -13,6 +13,9 @@ string describe(Compilation c) {
else result = "extractor invocation " + concat(int i | | c.getArgument(i), " " order by i)
}
/** Gets the SARIF severity level that indicates an error. */
private int getErrorSeverity() { result = 2 }
from Compilation c
where not c.normalTermination()
select "Extraction aborted for " + describe(c)
select "Extraction aborted for " + describe(c), getErrorSeverity()

View File

@@ -1,15 +1,15 @@
/**
* @name Successfully extracted files
* @description Lists all files in the source code directory that were extracted without encountering an error in the file.
* @description Lists all files in the source code directory that were extracted without encountering a problem in the file.
* @kind diagnostic
* @id cpp/diagnostics/successfully-extracted-files
*/
import cpp
import ExtractionErrors
import ExtractionProblems
from File f
where
not exists(ExtractionError e | e.getFile() = f) and
not exists(ExtractionProblem e | e.getFile() = f) and
exists(f.getRelativePath())
select f, ""
select f, "File successfully extracted"

View File

@@ -198,7 +198,7 @@ class CommentBlock extends Comment {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -166,6 +166,7 @@ class VarAnalyzableExpr extends AnalyzableExpr, VariableAccess {
* Holds if `t` is not an instance of `IntegralType`,
* or if `me` cannot be proven to not overflow
*/
pragma[inline]
predicate overflows(MulExpr me, Type t) {
t instanceof IntegralType
implies

View File

@@ -50,10 +50,7 @@ where
// If either of the operands is constant, then don't include it.
(
if cmp.getLeftOperand().isConstant()
then
if cmp.getRightOperand().isConstant()
then none() // Both operands are constant so don't create a message.
else reason = rightReason
then not cmp.getRightOperand().isConstant() and reason = rightReason
else
if cmp.getRightOperand().isConstant()
then reason = leftReason

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/improper-null-termination
* @problem.severity warning
* @precision medium
* @security-severity 7.8
* @tags security
* external/cwe/cwe-170
@@ -53,6 +54,7 @@ class ImproperNullTerminationReachability extends StackVariableReachabilityWithR
override predicate isBarrier(ControlFlowNode node, StackVariable v) {
exprDefinition(v, node, _) or
mayAddNullTerminator(node, v.getAnAccess()) or
node.(AddressOfExpr).getOperand() = v.getAnAccess() or // address taken
isSinkActual(node, v) // only report first use
}
}

View File

@@ -18,7 +18,7 @@ class RangeFunction extends Function {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
super.getLocation().hasLocationInfo(path, sl, sc, _, _) and

View File

@@ -9,7 +9,7 @@ int main(int argc, char** argv) {
system(command1);
}
{
{
// GOOD: the user string is encoded by a library routine.
char userNameQuoted[1000] = {0};
encodeShellString(userNameQuoted, 1000, userName);

View File

@@ -3,10 +3,10 @@
* @description Using user-supplied data in an OS command, without
* neutralizing special elements, can make code vulnerable
* to command injection.
* @kind problem
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @precision low
* @precision high
* @id cpp/command-line-injection
* @tags security
* external/cwe/cwe-078
@@ -16,13 +16,204 @@
import cpp
import semmle.code.cpp.security.CommandExecution
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.ir.IR
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.dataflow.TaintTracking2
import semmle.code.cpp.security.FlowSources
import semmle.code.cpp.models.implementations.Strcat
from Expr taintedArg, Expr taintSource, string taintCause, string callChain
Expr sinkAsArgumentIndirection(DataFlow::Node sink) {
result =
sink.asOperand()
.(SideEffectOperand)
.getAddressOperand()
.getAnyDef()
.getUnconvertedResultExpression()
}
/**
* Holds if `fst` is a string that is used in a format or concatenation function resulting in `snd`,
* and is *not* placed at the start of the resulting string. This indicates that the author did not
* expect `fst` to control what program is run if the resulting string is eventually interpreted as
* a command line, for example as an argument to `system`.
*/
predicate interestingConcatenation(DataFlow::Node fst, DataFlow::Node snd) {
exists(FormattingFunctionCall call, int index, FormatLiteral literal |
sinkAsArgumentIndirection(fst) = call.getConversionArgument(index) and
snd.asDefiningArgument() = call.getOutputArgument(false) and
literal = call.getFormat() and
not literal.getConvSpecOffset(index) = 0 and
literal.getConversionChar(index) = ["s", "S"]
)
or
// strcat and friends
exists(StrcatFunction strcatFunc, CallInstruction call, ReadSideEffectInstruction rse |
call.getStaticCallTarget() = strcatFunc and
rse.getArgumentDef() = call.getArgument(strcatFunc.getParamSrc()) and
fst.asOperand() = rse.getSideEffectOperand() and
snd.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
call.getArgument(strcatFunc.getParamDest())
)
or
exists(CallInstruction call, Operator op, ReadSideEffectInstruction rse |
call.getStaticCallTarget() = op and
op.hasQualifiedName("std", "operator+") and
op.getType().(UserType).hasQualifiedName("std", "basic_string") and
call.getArgument(1) = rse.getArgumentOperand().getAnyDef() and // left operand
fst.asOperand() = rse.getSideEffectOperand() and
call = snd.asInstruction()
)
}
class TaintToConcatenationConfiguration extends TaintTracking::Configuration {
TaintToConcatenationConfiguration() { this = "TaintToConcatenationConfiguration" }
override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
override predicate isSink(DataFlow::Node sink) { interestingConcatenation(sink, _) }
override predicate isSanitizer(DataFlow::Node node) {
node.asInstruction().getResultType() instanceof IntegralType
or
node.asInstruction().getResultType() instanceof FloatingPointType
}
}
class ExecTaintConfiguration extends TaintTracking2::Configuration {
ExecTaintConfiguration() { this = "ExecTaintConfiguration" }
override predicate isSource(DataFlow::Node source) {
exists(DataFlow::Node prevSink, TaintToConcatenationConfiguration conf |
conf.hasFlow(_, prevSink) and
interestingConcatenation(prevSink, source)
)
}
override predicate isSink(DataFlow::Node sink) {
shellCommand(sinkAsArgumentIndirection(sink), _)
}
override predicate isSanitizerOut(DataFlow::Node node) {
isSink(node) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}
}
module StitchedPathGraph {
// There's a different PathNode class for each DataFlowImplN.qll, so we can't simply combine the
// PathGraph predicates directly. Instead, we use a newtype so there's a single type that
// contains both sets of PathNodes.
newtype TMergedPathNode =
TPathNode1(DataFlow::PathNode node) or
TPathNode2(DataFlow2::PathNode node)
// this wraps the toString and location predicates so we can use the merged node type in a
// selection
class MergedPathNode extends TMergedPathNode {
string toString() {
exists(DataFlow::PathNode n |
this = TPathNode1(n) and
result = n.toString()
)
or
exists(DataFlow2::PathNode n |
this = TPathNode2(n) and
result = n.toString()
)
}
DataFlow::Node getNode() {
exists(DataFlow::PathNode n |
this = TPathNode1(n) and
result = n.getNode()
)
or
exists(DataFlow2::PathNode n |
this = TPathNode2(n) and
result = n.getNode()
)
}
DataFlow::PathNode getPathNode1() { this = TPathNode1(result) }
DataFlow2::PathNode getPathNode2() { this = TPathNode2(result) }
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
exists(DataFlow::PathNode n |
this = TPathNode1(n) and
n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
)
or
exists(DataFlow2::PathNode n |
this = TPathNode2(n) and
n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
)
}
}
query predicate edges(MergedPathNode a, MergedPathNode b) {
exists(DataFlow::PathNode an, DataFlow::PathNode bn |
a = TPathNode1(an) and
b = TPathNode1(bn) and
DataFlow::PathGraph::edges(an, bn)
)
or
exists(DataFlow2::PathNode an, DataFlow2::PathNode bn |
a = TPathNode2(an) and
b = TPathNode2(bn) and
DataFlow2::PathGraph::edges(an, bn)
)
or
// This is where paths from the two configurations are connected. `interestingConcatenation`
// is the only thing in this module that's actually specific to the query - everything else is
// just using types and predicates from the DataFlow library.
interestingConcatenation(a.getNode(), b.getNode()) and
a instanceof TPathNode1 and
b instanceof TPathNode2
}
query predicate nodes(MergedPathNode mpn, string key, string val) {
// here we just need the union of the underlying `nodes` predicates
exists(DataFlow::PathNode n |
mpn = TPathNode1(n) and
DataFlow::PathGraph::nodes(n, key, val)
)
or
exists(DataFlow2::PathNode n |
mpn = TPathNode2(n) and
DataFlow2::PathGraph::nodes(n, key, val)
)
}
query predicate subpaths(
MergedPathNode arg, MergedPathNode par, MergedPathNode ret, MergedPathNode out
) {
// just forward subpaths from the underlying libraries. This might be slightly awkward when
// the concatenation is deep in a call chain.
DataFlow::PathGraph::subpaths(arg.getPathNode1(), par.getPathNode1(), ret.getPathNode1(),
out.getPathNode1())
or
DataFlow2::PathGraph::subpaths(arg.getPathNode2(), par.getPathNode2(), ret.getPathNode2(),
out.getPathNode2())
}
}
import StitchedPathGraph
from
DataFlow::PathNode sourceNode, DataFlow::PathNode concatSink, DataFlow2::PathNode concatSource,
DataFlow2::PathNode sinkNode, string taintCause, string callChain,
TaintToConcatenationConfiguration conf1, ExecTaintConfiguration conf2
where
shellCommand(taintedArg, callChain) and
tainted(taintSource, taintedArg) and
isUserInput(taintSource, taintCause)
select taintedArg,
"This argument to an OS command is derived from $@ and then passed to " + callChain, taintSource,
"user input (" + taintCause + ")"
taintCause = sourceNode.getNode().(FlowSource).getSourceType() and
conf1.hasFlowPath(sourceNode, concatSink) and
interestingConcatenation(concatSink.getNode(), concatSource.getNode()) and // this loses call context
conf2.hasFlowPath(concatSource, sinkNode) and
shellCommand(sinkAsArgumentIndirection(sinkNode.getNode()), callChain)
select sinkAsArgumentIndirection(sinkNode.getNode()), TPathNode1(sourceNode).(MergedPathNode),
TPathNode2(sinkNode).(MergedPathNode),
"This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to "
+ callChain, sourceNode, "user input (" + taintCause + ")", concatSource,
concatSource.toString()

View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning
* @precision medium
* @security-severity 10.0
* @tags security
* external/cwe/cwe-170

View File

@@ -9,7 +9,7 @@ storage.</p>
</overview>
<recommendation>
<p>Ensure that sensitive information is always encrypted before being stored, especially before writing to a file.
<p>Ensure that sensitive information is always encrypted before being stored to a file or transmitted over the network.
It may be wise to encrypt information before it is put into a buffer that may be readable in memory.</p>
<p>In general, decrypt sensitive information only at the point where it is necessary for it to be used in

View File

@@ -0,0 +1,5 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<include src="CleartextStorage.inc.qhelp" /></qhelp>

View File

@@ -0,0 +1,124 @@
/**
* @name Cleartext transmission of sensitive information
* @description Transmitting sensitive information across a network in
* cleartext can expose it to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id cpp/cleartext-transmission
* @tags security
* external/cwe/cwe-319
*/
import cpp
import semmle.code.cpp.security.SensitiveExprs
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.models.interfaces.FlowSource
import DataFlow::PathGraph
/**
* A function call that sends or receives data over a network.
*/
abstract class NetworkSendRecv extends FunctionCall {
/**
* Gets the expression for the socket or similar object used for sending or
* receiving data (if any).
*/
abstract Expr getSocketExpr();
/**
* Gets the expression for the buffer to be sent from / received into.
*/
abstract Expr getDataExpr();
}
/**
* A function call that sends data over a network.
*
* note: functions such as `write` may be writing to a network source or a file. We could attempt to determine which, and sort results into `cpp/cleartext-transmission` and perhaps `cpp/cleartext-storage-file`. In practice it usually isn't very important which query reports a result as long as its reported exactly once.
*/
class NetworkSend extends NetworkSendRecv {
RemoteFlowSinkFunction target;
NetworkSend() { target = this.getTarget() }
override Expr getSocketExpr() {
exists(FunctionInput input, int arg |
target.hasSocketInput(input) and
input.isParameter(arg) and
result = this.getArgument(arg)
)
}
override Expr getDataExpr() {
exists(FunctionInput input, int arg |
target.hasRemoteFlowSink(input, _) and
input.isParameterDeref(arg) and
result = this.getArgument(arg)
)
}
}
/**
* A function call that receives data over a network.
*/
class NetworkRecv extends NetworkSendRecv {
RemoteFlowSourceFunction target;
NetworkRecv() { target = this.getTarget() }
override Expr getSocketExpr() {
exists(FunctionInput input, int arg |
target.hasSocketInput(input) and
input.isParameter(arg) and
result = this.getArgument(arg)
)
}
override Expr getDataExpr() {
exists(FunctionOutput output, int arg |
target.hasRemoteFlowSource(output, _) and
output.isParameterDeref(arg) and
result = this.getArgument(arg)
)
}
}
/**
* Taint flow from a sensitive expression to a network operation with data
* tainted by that expression.
*/
class SensitiveSendRecvConfiguration extends TaintTracking::Configuration {
SensitiveSendRecvConfiguration() { this = "SensitiveSendRecvConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
override predicate isSink(DataFlow::Node sink) {
exists(NetworkSendRecv transmission |
sink.asExpr() = transmission.getDataExpr() and
// a zero socket descriptor is standard input, which is not interesting for this query.
not exists(Zero zero |
DataFlow::localFlow(DataFlow::exprNode(zero),
DataFlow::exprNode(transmission.getSocketExpr()))
)
)
}
}
from
SensitiveSendRecvConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
NetworkSendRecv transmission, string msg
where
config.hasFlowPath(source, sink) and
sink.getNode().asExpr() = transmission.getDataExpr() and
if transmission instanceof NetworkSend
then
msg =
"This operation transmits '" + sink.toString() +
"', which may contain unencrypted sensitive data from $@"
else
msg =
"This operation receives into '" + sink.toString() +
"', which may put unencrypted sensitive data into $@"
select transmission, source, sink, msg, source, source.getNode().asExpr().toString()

View File

@@ -121,16 +121,14 @@ predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
else
if use instanceof CrementOperation
then exprSourceType(use.(CrementOperation).getOperand(), sourceType, sourceLoc)
else
else (
// Conversions are not in the AST, so ignore them.
if use instanceof Conversion
then none()
else (
// Source expressions
sourceType = use.getUnspecifiedType() and
isPointerType(sourceType) and
sourceLoc = use.getLocation()
)
not use instanceof Conversion and
// Source expressions
sourceType = use.getUnspecifiedType() and
isPointerType(sourceType) and
sourceLoc = use.getLocation()
)
}
/**

View File

@@ -4,10 +4,13 @@
* @kind problem
* @id cpp/incorrect-allocation-error-handling
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-570
* external/cwe/cwe-252
* external/cwe/cwe-755
*/
import cpp

View File

@@ -24,7 +24,7 @@ class Top extends Element {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
pragma[noopt]
final predicate hasLocationInfo(

View File

@@ -0,0 +1,18 @@
...
int myFclose(FILE * fmy)
{
if(!fclose(fmy)) {
fmy = NULL;
return 0;
}
return -1;
}
...
fe = fopen("myFile.txt", "wt");
...
fclose(fe); // BAD
...
fe = fopen("myFile.txt", "wt");
...
myFclose(fe); // GOOD
...

View File

@@ -0,0 +1,23 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>The presence of a shell function with additional check indicates the possible risks of the call. Use this check everywhere.</p>
</overview>
<example>
<p>The following example demonstrates fallacious and fixed methods of using wrapper functions.</p>
<sample src="FindWrapperFunctions.cpp" />
</example>
<references>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/java/JNI00-J.+Define+wrappers+around+native+methods">JNI00-J. Define wrappers around native methods</a>.
</li>
</references>
</qhelp>

View File

@@ -0,0 +1,141 @@
/**
* @name Missed opportunity to call wrapper function
* @description If a wrapper function is defined for a given function, any call to the given function should be via the wrapper function.
* @kind problem
* @id cpp/call-to-function-without-wrapper
* @problem.severity warning
* @precision medium
* @tags correctness
* maintainability
* security
* external/cwe/cwe-1041
*/
import cpp
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.commons.Assertions
/**
* A function call that is used in error situations (logging, throwing an exception, abnormal termination).
*/
class CallUsedToHandleErrors extends FunctionCall {
CallUsedToHandleErrors() {
// call that is known to not return
not exists(this.(ControlFlowNode).getASuccessor())
or
// call throwing an exception
exists(ThrowExpr tex | tex = this.(ControlFlowNode).getASuccessor())
or
// call logging a message, possibly an error
exists(FormattingFunction ff | ff = this.(ControlFlowNode).getASuccessor())
or
// enabling recursive search
exists(CallUsedToHandleErrors fr | getTarget() = fr.getEnclosingFunction())
}
}
/** Holds if the conditions for a call outside the wrapper function are met. */
predicate conditionsOutsideWrapper(FunctionCall fcp) {
fcp.getNumberOfArguments() > 0 and
not exists(ConditionalStmt cdtmp | fcp.getEnclosingStmt().getParentStmt*() = cdtmp) and
not exists(Loop lptmp | fcp.getEnclosingStmt().getParentStmt*() = lptmp) and
not exists(ReturnStmt rttmp | fcp.getEnclosingStmt().getParentStmt*() = rttmp) and
not exists(FunctionCall fctmp2 | fcp = fctmp2.getAnArgument().getAChild*()) and
not exists(Assignment astmp | fcp = astmp.getRValue().getAChild*()) and
not exists(Initializer intmp | fcp = intmp.getExpr().getAChild*()) and
not exists(Assertion astmp | fcp = astmp.getAsserted().getAChild*()) and
not exists(Operation optmp | fcp = optmp.getAChild*()) and
not exists(ArrayExpr aetmp | fcp = aetmp.getAChild*()) and
not exists(ExprCall ectmp | fcp = ectmp.getAnArgument().getAChild*())
}
/** Holds if the conditions for calling `fcp` inside the `fnp` wrapper function are met. */
pragma[inline]
predicate conditionsInsideWrapper(FunctionCall fcp, Function fnp) {
not exists(FunctionCall fctmp2 |
fctmp2.getEnclosingFunction() = fnp and fcp = fctmp2.getAnArgument().getAChild*()
) and
not fcp instanceof CallUsedToHandleErrors and
not fcp.getAnArgument().isConstant() and
fcp.getEnclosingFunction() = fnp and
fnp.getNumberOfParameters() > 0 and
// the call arguments must be passed through the arguments of the wrapper function
forall(int i | i in [0 .. fcp.getNumberOfArguments() - 1] |
globalValueNumber(fcp.getArgument(i)) = globalValueNumber(fnp.getAParameter().getAnAccess())
) and
// there should be no more than one required call inside the wrapper function
not exists(FunctionCall fctmp |
fctmp.getTarget() = fcp.getTarget() and
fctmp.getFile() = fcp.getFile() and
fctmp != fcp and
fctmp.getEnclosingFunction() = fnp
) and
// inside the wrapper function there should be no calls without paths to the desired function
not exists(FunctionCall fctmp |
fctmp.getEnclosingFunction() = fnp and
fctmp.getFile() = fcp.getFile() and
fctmp != fcp and
(
fctmp = fcp.getAPredecessor+()
or
not exists(FunctionCall fctmp1 |
fctmp1 = fcp and
(
fctmp.getASuccessor+() = fctmp1 or
fctmp.getAPredecessor+() = fctmp1
)
)
)
)
}
/** Holds if the conditions for the wrapper function are met. */
pragma[inline]
predicate conditionsForWrapper(FunctionCall fcp, Function fnp) {
not exists(ExprCall ectmp | fnp = ectmp.getEnclosingFunction()) and
not exists(Loop lp | lp.getEnclosingFunction() = fnp) and
not exists(SwitchStmt sw | sw.getEnclosingFunction() = fnp) and
not fnp instanceof Operator and
// inside the wrapper function there should be checks of arguments or the result,
// perhaps by means of passing the latter as an argument to some function
(
exists(IfStmt ifs |
ifs.getEnclosingFunction() = fnp and
(
globalValueNumber(ifs.getCondition().getAChild*()) = globalValueNumber(fcp.getAnArgument()) and
ifs.getASuccessor*() = fcp
or
ifs.getCondition().getAChild() = fcp
)
)
or
exists(FunctionCall fctmp |
fctmp.getEnclosingFunction() = fnp and
globalValueNumber(fctmp.getAnArgument().getAChild*()) = globalValueNumber(fcp)
)
) and
// inside the wrapper function there must be a function call to handle the error
exists(CallUsedToHandleErrors fctmp |
fctmp.getEnclosingFunction() = fnp and
forall(int i | i in [0 .. fnp.getNumberOfParameters() - 1] |
fnp.getParameter(i).getAnAccess().getTarget() =
fcp.getAnArgument().(VariableAccess).getTarget() or
fnp.getParameter(i).getUnspecifiedType() instanceof Class or
fnp.getParameter(i).getUnspecifiedType().(ReferenceType).getBaseType() instanceof Class or
fnp.getParameter(i).getAnAccess().getTarget() =
fctmp.getAnArgument().(VariableAccess).getTarget()
)
)
}
from FunctionCall fc, Function fn
where
exists(FunctionCall fctmp |
conditionsInsideWrapper(fctmp, fn) and
conditionsForWrapper(fctmp, fn) and
conditionsOutsideWrapper(fc) and
fctmp.getTarget() = fc.getTarget() and
fc.getEnclosingFunction() != fn and
fc.getEnclosingFunction().getMetrics().getNumberOfCalls() > fn.getMetrics().getNumberOfCalls()
)
select fc, "Consider changing the call to $@", fn, fn.getName()

View File

@@ -61,7 +61,7 @@ class Copy extends @duplication_or_similarity {
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn

View File

@@ -8,7 +8,7 @@ import cpp
* column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
* in file `filepath`.
*
* For more information, see [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* For more information, see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
external predicate defectResults(
int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,

View File

@@ -8,7 +8,7 @@ import cpp
* column `startcolumn` of line `startline` to column `endcolumn` of line `endline`
* in file `filepath`.
*
* For more information, see [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
* For more information, see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
external predicate metricResults(
int id, string queryPath, string file, int startline, int startcol, int endline, int endcol,

View File

@@ -230,13 +230,13 @@ predicate leakedInSameMethod(Resource r, Expr acquire) {
)
)
)
or
exists(FunctionAccess fa, string kind |
// the address of a function that releases `r` is taken (and likely
// used to release `r` at some point).
r.acquisitionWithRequiredKind(acquire, kind) and
fa.getTarget() = r.getAReleaseExpr(kind).getEnclosingFunction()
)
)
or
exists(FunctionAccess fa, string kind |
// the address of a function that releases `r` is taken (and likely
// used to release `r` at some point).
r.acquisitionWithRequiredKind(acquire, kind) and
fa.getTarget() = r.getAReleaseExpr(kind).getEnclosingFunction()
)
}

View File

@@ -4,7 +4,7 @@
* (in that the `.expected` file should always be empty).
*
* To add this framework to a new language:
* - Add a file `InlineExpectationsTestPrivate.qll` that defines a `LineComment` class. This class
* - Add a file `InlineExpectationsTestPrivate.qll` that defines a `ExpectationComment` class. This class
* must support a `getContents` method that returns the contents of the given comment, _excluding_
* the comment indicator itself. It should also define `toString` and `getLocation` as usual.
*
@@ -60,8 +60,8 @@
*
* Example:
* ```cpp
* int i = x + 5; // $const=5
* int j = y + (7 - 3) // $const=7 const=3 const=4 // The result of the subtraction is a constant.
* int i = x + 5; // $ const=5
* int j = y + (7 - 3) // $ const=7 const=3 const=4 // The result of the subtraction is a constant.
* ```
*
* For tests that contain known missing and spurious results, it is possible to further
@@ -194,7 +194,7 @@ private int getEndOfColumnPosition(int start, string content) {
}
private predicate getAnExpectation(
LineComment comment, TColumn column, string expectation, string tags, string value
ExpectationComment comment, TColumn column, string expectation, string tags, string value
) {
exists(string content |
content = comment.getContents().regexpCapture(expectationCommentPattern(), 1) and
@@ -247,14 +247,14 @@ private newtype TFailureLocatable =
) {
test.hasActualResult(location, element, tag, value)
} or
TValidExpectation(LineComment comment, string tag, string value, string knownFailure) {
TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
exists(TColumn column, string tags |
getAnExpectation(comment, column, _, tags, value) and
tag = tags.splitAt(",") and
knownFailure = getColumnString(column)
)
} or
TInvalidExpectation(LineComment comment, string expectation) {
TInvalidExpectation(ExpectationComment comment, string expectation) {
getAnExpectation(comment, _, expectation, _, _) and
not expectation.regexpMatch(expectationPattern())
}
@@ -292,7 +292,7 @@ class ActualResult extends FailureLocatable, TActualResult {
}
abstract private class Expectation extends FailureLocatable {
LineComment comment;
ExpectationComment comment;
override string toString() { result = comment.toString() }

View File

@@ -1,16 +1,16 @@
import cpp
private newtype TLineComment = MkLineComment(CppStyleComment c)
private newtype TExpectationComment = MkExpectationComment(CppStyleComment c)
/**
* Represents a line comment in the CPP style.
* Unlike the `CppStyleComment` class, however, the string returned by `getContents` does _not_
* include the preceding comment marker (`//`).
*/
class LineComment extends TLineComment {
class ExpectationComment extends TExpectationComment {
CppStyleComment comment;
LineComment() { this = MkLineComment(comment) }
ExpectationComment() { this = MkExpectationComment(comment) }
/** Returns the contents of the given comment, _without_ the preceding comment marker (`//`). */
string getContents() { result = comment.getContents().suffix(2) }

View File

@@ -0,0 +1 @@
| test.cpp:23:3:23:8 | call to fclose | Consider changing the call to $@ | test.cpp:9:6:9:13 | myFclose | myFclose |

View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql

View File

@@ -0,0 +1,27 @@
#define NULL (0)
typedef int FILE;
FILE *fopen(const char *filename, const char *mode);
int fclose(FILE *stream);
extern FILE * fe;
extern int printf(const char *fmt, ...);
void exit(int status);
void myFclose(FILE * fmy)
{
int i;
if(fmy) {
i = fclose(fmy);
fmy = NULL;
printf("close end is code %d",i);
if(i!=0) exit(1);
}
}
int main(int argc, char *argv[])
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // BAD
fe = fopen("myFile.txt", "wt");
myFclose(fe); // GOOD
return 0;
}

Some files were not shown because too many files have changed in this diff Show More