mirror of
https://github.com/github/codeql.git
synced 2026-05-30 19:11:23 +02:00
Compare commits
2 Commits
dependabot
...
codeql-cli
| Author | SHA1 | Date | |
|---|---|---|---|
|
868ccfbb04 | ||
|
|
4fe2f6d2b4 |
@@ -27,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
|
||||
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
||||
bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
|
||||
bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
|
||||
bazel_dep(name = "gazelle", version = "0.50.0")
|
||||
bazel_dep(name = "gazelle", version = "0.47.0")
|
||||
bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
|
||||
bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
|
||||
bazel_dep(name = "rules_rust", version = "0.69.0")
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.4.33
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.32
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
actions/ql/lib/change-notes/released/0.4.33.md
Normal file
3
actions/ql/lib/change-notes/released/0.4.33.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.4.33
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.32
|
||||
lastReleaseVersion: 0.4.33
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.33-dev
|
||||
version: 0.4.33
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.6.25
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.24
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -26,23 +26,10 @@ string permissionsForJob(Job job) {
|
||||
"{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
|
||||
}
|
||||
|
||||
predicate jobHasPermissions(Job job) {
|
||||
exists(job.getPermissions())
|
||||
or
|
||||
exists(job.getEnclosingWorkflow().getPermissions())
|
||||
or
|
||||
// The workflow is reusable and cannot be triggered in any other way; check callers
|
||||
exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
|
||||
not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
|
||||
forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
|
||||
jobHasPermissions(caller)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
from Job job, string permissions
|
||||
where
|
||||
not jobHasPermissions(job) and
|
||||
not exists(job.getPermissions()) and
|
||||
not exists(job.getEnclosingWorkflow().getPermissions()) and
|
||||
// exists a trigger event that is not a workflow_call
|
||||
exists(Event e |
|
||||
e = job.getATriggerEvent() and
|
||||
|
||||
@@ -20,6 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
|
||||
where
|
||||
ArtifactPoisoningFlow::flowPath(source, sink) and
|
||||
event = getRelevantEventInPrivilegedContext(sink.getNode())
|
||||
select source.getNode(), source, sink,
|
||||
"Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
|
||||
event, event.getName()
|
||||
select sink.getNode(), source, sink,
|
||||
"Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
|
||||
sink.getNode().toString(), event, event.getName()
|
||||
|
||||
@@ -20,5 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
|
||||
where
|
||||
ArtifactPoisoningFlow::flowPath(source, sink) and
|
||||
inNonPrivilegedContext(sink.getNode().asExpr())
|
||||
select source.getNode(), source, sink,
|
||||
"Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user."
|
||||
select sink.getNode(), source, sink,
|
||||
"Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
|
||||
sink.getNode().toString()
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also clarify the wording to make it clear that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Also change the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
|
||||
3
actions/ql/src/change-notes/released/0.6.25.md
Normal file
3
actions/ql/src/change-notes/released/0.6.25.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.6.25
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.24
|
||||
lastReleaseVersion: 0.6.25
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.25-dev
|
||||
version: 0.6.25
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/deploy-pages
|
||||
@@ -1,11 +0,0 @@
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
pages: write
|
||||
|
||||
jobs:
|
||||
call-workflow:
|
||||
uses: ./.github/workflows/perms11.yml
|
||||
@@ -55,21 +55,21 @@ nodes
|
||||
| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
|
||||
subpaths
|
||||
#select
|
||||
| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
|
||||
| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | npm install | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
|
||||
| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
|
||||
| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
|
||||
|
||||
@@ -7,12 +7,10 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
|
||||
ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
|
||||
ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
|
||||
ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
|
||||
@@ -30,7 +28,6 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
|
||||
ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
|
||||
|
||||
@@ -1,3 +1,23 @@
|
||||
## 9.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
|
||||
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
|
||||
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
|
||||
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
|
||||
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
|
||||
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
|
||||
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
|
||||
|
||||
## 8.0.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
|
||||
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
|
||||
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
|
||||
19
cpp/ql/lib/change-notes/released/9.0.0.md
Normal file
19
cpp/ql/lib/change-notes/released/9.0.0.md
Normal file
@@ -0,0 +1,19 @@
|
||||
## 9.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
|
||||
|
||||
### New Features
|
||||
|
||||
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
|
||||
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
|
||||
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
|
||||
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
|
||||
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
|
||||
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
|
||||
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 8.0.3
|
||||
lastReleaseVersion: 9.0.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 8.0.4-dev
|
||||
version: 9.0.0
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -42,10 +42,3 @@ class MesonPrivateTestFile extends ConfigurationTestFile {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A file created by a GNU autoconf configure script to test the system configuration.
|
||||
*/
|
||||
class AutoconfConfigureTestFile extends ConfigurationTestFile {
|
||||
AutoconfConfigureTestFile() { this.getBaseName().regexpMatch("conftest[0-9]*\\.c(pp)?") }
|
||||
}
|
||||
|
||||
@@ -1,3 +1,17 @@
|
||||
## 1.6.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
|
||||
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
|
||||
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
|
||||
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
|
||||
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
|
||||
|
||||
## 1.5.15
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision high
|
||||
* @precision medium
|
||||
* @id cpp/integer-multiplication-cast-to-long
|
||||
* @tags reliability
|
||||
* security
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @precision medium
|
||||
* @id cpp/wrong-type-format-argument
|
||||
* @tags reliability
|
||||
* correctness
|
||||
|
||||
@@ -14,9 +14,6 @@ function may behave unpredictably.</p>
|
||||
<p>This may indicate a misspelled function name, or that the required header containing
|
||||
the function declaration has not been included.</p>
|
||||
|
||||
<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
|
||||
no results on those databases.</p>
|
||||
|
||||
</overview>
|
||||
<recommendation>
|
||||
<p>Provide an explicit declaration of the function before invoking it.</p>
|
||||
@@ -29,4 +26,4 @@ no results on those databases.</p>
|
||||
<references>
|
||||
<li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL31-C.+Declare+identifiers+before+using+them">DCL31-C. Declare identifiers before using them</a></li>
|
||||
</references>
|
||||
</qhelp>
|
||||
</qhelp>
|
||||
@@ -5,7 +5,7 @@
|
||||
* may lead to unpredictable behavior.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @precision medium
|
||||
* @id cpp/implicit-function-declaration
|
||||
* @tags correctness
|
||||
* maintainability
|
||||
@@ -17,11 +17,6 @@ import TooFewArguments
|
||||
import TooManyArguments
|
||||
import semmle.code.cpp.commons.Exclusions
|
||||
|
||||
/*
|
||||
* This query is not compatible with build mode: none databases, and produces
|
||||
* no results on those databases.
|
||||
*/
|
||||
|
||||
predicate locInfo(Locatable e, File file, int line, int col) {
|
||||
e.getFile() = file and
|
||||
e.getLocation().getStartLine() = line and
|
||||
@@ -44,7 +39,6 @@ predicate isCompiledAsC(File f) {
|
||||
from FunctionDeclarationEntry fdeIm, FunctionCall fc
|
||||
where
|
||||
isCompiledAsC(fdeIm.getFile()) and
|
||||
not any(Compilation c).buildModeNone() and
|
||||
not isFromMacroDefinition(fc) and
|
||||
fdeIm.isImplicit() and
|
||||
sameLocation(fdeIm, fc) and
|
||||
|
||||
@@ -79,7 +79,9 @@ private predicate hasZeroParamDecl(Function f) {
|
||||
|
||||
// True if this file (or header) was compiled as a C file
|
||||
private predicate isCompiledAsC(File f) {
|
||||
exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
|
||||
f.compiledAsC()
|
||||
or
|
||||
exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
|
||||
}
|
||||
|
||||
predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {
|
||||
|
||||
@@ -28,7 +28,9 @@ private predicate hasZeroParamDecl(Function f) {
|
||||
|
||||
/* Holds if this file (or header) was compiled as a C file. */
|
||||
private predicate isCompiledAsC(File f) {
|
||||
exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
|
||||
f.compiledAsC()
|
||||
or
|
||||
exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
|
||||
}
|
||||
|
||||
/** Holds if `fc` is a call to `f` with too few arguments. */
|
||||
|
||||
@@ -19,7 +19,9 @@ private predicate hasZeroParamDecl(Function f) {
|
||||
|
||||
// True if this file (or header) was compiled as a C file
|
||||
private predicate isCompiledAsC(File f) {
|
||||
exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
|
||||
f.compiledAsC()
|
||||
or
|
||||
exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
|
||||
}
|
||||
|
||||
predicate tooManyArguments(FunctionCall fc, Function f) {
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @precision high
|
||||
* @precision medium
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-190
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query no longer produces results on `build mode: none` databases. These results were found to be very noisy and fundamentally imprecise in this mode.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
|
||||
13
cpp/ql/src/change-notes/released/1.6.0.md
Normal file
13
cpp/ql/src/change-notes/released/1.6.0.md
Normal file
@@ -0,0 +1,13 @@
|
||||
## 1.6.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
|
||||
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
|
||||
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
|
||||
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
|
||||
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.5.15
|
||||
lastReleaseVersion: 1.6.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.5.16-dev
|
||||
version: 1.6.0
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
| conftest.c.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |
|
||||
| conftest_abc.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |
|
||||
@@ -1 +0,0 @@
|
||||
Likely Bugs/Likely Typos/ExprHasNoEffect.ql
|
||||
@@ -1,6 +0,0 @@
|
||||
#include "conftest.h"
|
||||
|
||||
int main2() {
|
||||
strlen(""); // GOOD: conftest files are ignored
|
||||
return 0;
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
#include "conftest.h"
|
||||
|
||||
int main3() {
|
||||
strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers.
|
||||
return 0;
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
#include "conftest.h"
|
||||
|
||||
int main4() {
|
||||
strlen(""); // GOOD: conftest files are ignored
|
||||
return 0;
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
typedef long long size_t;
|
||||
|
||||
size_t strlen(const char *s);
|
||||
@@ -1,6 +0,0 @@
|
||||
#include "conftest.h"
|
||||
|
||||
int main5() {
|
||||
strlen(""); // GOOD: conftest files are ignored
|
||||
return 0;
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
#include "conftest.h"
|
||||
|
||||
int main1() {
|
||||
strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers.
|
||||
return 0;
|
||||
}
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.63
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.63
|
||||
lastReleaseVersion: 1.7.64
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.64-dev
|
||||
version: 1.7.64
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.63
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.64
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.63
|
||||
lastReleaseVersion: 1.7.64
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.64-dev
|
||||
version: 1.7.64
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 5.4.12
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
|
||||
* The `cs/log-forging` query no longer treats arguments to extension methods with
|
||||
source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
|
||||
through extension method bodies, reducing false positives when extension methods
|
||||
sanitize input internally.
|
||||
|
||||
## 5.4.11
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -77,7 +77,7 @@ predicate missedAllOpportunity(ForeachStmtGenericEnumerable fes) {
|
||||
// The then case of the if assigns false to something and breaks out of the loop.
|
||||
exists(Assignment a, BoolLiteral bl |
|
||||
a = is.getThen().getAChild*() and
|
||||
bl = a.getRightOperand() and
|
||||
bl = a.getRValue() and
|
||||
bl.toString() = "false"
|
||||
) and
|
||||
is.getThen().getAChild*() instanceof BreakStmt
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* The predicates `get[L|R]Value` in the class `Assignment` have been deprecated. Use `get[Left|Right]Operand` instead.
|
||||
@@ -1,6 +1,8 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 5.4.12
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
|
||||
* The `cs/log-forging` query no longer treats arguments to extension methods with
|
||||
source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
|
||||
through extension method bodies, reducing false positives when extension methods
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 5.4.11
|
||||
lastReleaseVersion: 5.4.12
|
||||
|
||||
@@ -96,7 +96,7 @@ private class MethodUse extends Use, QualifiableExpr {
|
||||
private class AccessUse extends Access, Use {
|
||||
AccessUse() {
|
||||
not this.getTarget().(Parameter).getCallable() instanceof Accessor and
|
||||
not this = any(LocalVariableDeclAndInitExpr d).getLeftOperand() and
|
||||
not this = any(LocalVariableDeclAndInitExpr d).getLValue() and
|
||||
not this.isImplicit() and
|
||||
not this instanceof MethodAccess and // handled by `MethodUse`
|
||||
not this instanceof TypeAccess and // handled by `TypeMentionUse`
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 5.4.12-dev
|
||||
version: 5.4.12
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -235,7 +235,7 @@ private class RefArg extends AssignableAccess {
|
||||
module AssignableInternal {
|
||||
private predicate tupleAssignmentDefinition(AssignExpr ae, Expr leaf) {
|
||||
exists(TupleExpr te |
|
||||
ae.getLeftOperand() = te and
|
||||
ae.getLValue() = te and
|
||||
te.getAnArgument+() = leaf and
|
||||
// `leaf` is either an assignable access or a local variable declaration
|
||||
not leaf instanceof TupleExpr
|
||||
@@ -249,8 +249,8 @@ module AssignableInternal {
|
||||
*/
|
||||
private predicate tupleAssignmentPair(AssignExpr ae, Expr left, Expr right) {
|
||||
tupleAssignmentDefinition(ae, _) and
|
||||
left = ae.getLeftOperand() and
|
||||
right = ae.getRightOperand()
|
||||
left = ae.getLValue() and
|
||||
right = ae.getRValue()
|
||||
or
|
||||
exists(TupleExpr l, TupleExpr r, int i | tupleAssignmentPair(ae, l, r) |
|
||||
left = l.getArgument(i) and
|
||||
@@ -291,7 +291,7 @@ module AssignableInternal {
|
||||
cached
|
||||
newtype TAssignableDefinition =
|
||||
TAssignmentDefinition(Assignment a) {
|
||||
not a.getLeftOperand() instanceof TupleExpr and
|
||||
not a.getLValue() instanceof TupleExpr and
|
||||
not a instanceof AssignCallOperation and
|
||||
not a instanceof AssignCoalesceExpr
|
||||
} or
|
||||
@@ -358,7 +358,7 @@ module AssignableInternal {
|
||||
// Not defined by dispatch in order to avoid too conservative negative recursion error
|
||||
cached
|
||||
AssignableAccess getTargetAccess(AssignableDefinition def) {
|
||||
def = TAssignmentDefinition(any(Assignment a | a.getLeftOperand() = result))
|
||||
def = TAssignmentDefinition(any(Assignment a | a.getLValue() = result))
|
||||
or
|
||||
def = TTupleAssignmentDefinition(_, result)
|
||||
or
|
||||
@@ -381,8 +381,8 @@ module AssignableInternal {
|
||||
tupleAssignmentPair(ae, ac, result)
|
||||
)
|
||||
or
|
||||
exists(Assignment ass | ac = ass.getLeftOperand() |
|
||||
result = ass.getRightOperand() and
|
||||
exists(Assignment ass | ac = ass.getLValue() |
|
||||
result = ass.getRValue() and
|
||||
not ass instanceof AssignOperation
|
||||
)
|
||||
or
|
||||
@@ -527,7 +527,7 @@ module AssignableDefinitions {
|
||||
Assignment getAssignment() { result = a }
|
||||
|
||||
override Expr getSource() {
|
||||
result = a.getRightOperand() and
|
||||
result = a.getRValue() and
|
||||
not a instanceof AddOrRemoveEventExpr
|
||||
}
|
||||
|
||||
|
||||
@@ -232,9 +232,14 @@ private module Identity {
|
||||
*/
|
||||
pragma[nomagic]
|
||||
private predicate convTypeArguments(Type fromTypeArgument, Type toTypeArgument, int i) {
|
||||
fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
|
||||
toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
|
||||
convIdentity(fromTypeArgument, toTypeArgument)
|
||||
exists(int j |
|
||||
fromTypeArgument = getTypeArgumentRanked(_, _, i) and
|
||||
toTypeArgument = getTypeArgumentRanked(_, _, j) and
|
||||
i <= j and
|
||||
j <= i
|
||||
|
|
||||
convIdentity(fromTypeArgument, toTypeArgument)
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
@@ -924,16 +929,19 @@ private module Variance {
|
||||
private predicate convTypeArguments(
|
||||
TypeArgument fromTypeArgument, TypeArgument toTypeArgument, int i, TVariance v
|
||||
) {
|
||||
fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
|
||||
toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
|
||||
(
|
||||
exists(int j |
|
||||
fromTypeArgument = getTypeArgumentRanked(_, _, i, _) and
|
||||
toTypeArgument = getTypeArgumentRanked(_, _, j, _) and
|
||||
i <= j and
|
||||
j <= i
|
||||
|
|
||||
convIdentity(fromTypeArgument, toTypeArgument) and
|
||||
v = TNone()
|
||||
or
|
||||
convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, i) and
|
||||
convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, j) and
|
||||
v = TOut()
|
||||
or
|
||||
convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, i) and
|
||||
convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, j) and
|
||||
v = TIn()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -343,10 +343,10 @@ final class AssignmentNode extends ControlFlowElementNode {
|
||||
result.(TypeMentionNode).getTarget() = controlFlowElement
|
||||
or
|
||||
childIndex = 0 and
|
||||
result.(ElementNode).getElement() = assignment.getLeftOperand()
|
||||
result.(ElementNode).getElement() = assignment.getLValue()
|
||||
or
|
||||
childIndex = 1 and
|
||||
result.(ElementNode).getElement() = assignment.getRightOperand()
|
||||
result.(ElementNode).getElement() = assignment.getRValue()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -535,8 +535,8 @@ class Setter extends Accessor, @setter {
|
||||
exists(AssignExpr assign |
|
||||
this.getStatementBody().getNumberOfStmts() = 1 and
|
||||
assign.getParent() = this.getStatementBody().getAChild() and
|
||||
assign.getLeftOperand() = result.getAnAccess() and
|
||||
assign.getRightOperand() = accessToValue()
|
||||
assign.getLValue() = result.getAnAccess() and
|
||||
assign.getRValue() = accessToValue()
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -136,7 +136,7 @@ private module GuardsInput implements
|
||||
IdExpr() { this instanceof AssignExpr or this instanceof CastExpr }
|
||||
|
||||
Expr getEqualChildExpr() {
|
||||
result = this.(AssignExpr).getRightOperand()
|
||||
result = this.(AssignExpr).getRValue()
|
||||
or
|
||||
result = this.(CastExpr).getExpr()
|
||||
}
|
||||
@@ -836,7 +836,7 @@ module Internal {
|
||||
|
||||
/** Holds if expression `e2` is a `null` value whenever `e1` is. */
|
||||
predicate nullValueImpliedUnary(Expr e1, Expr e2) {
|
||||
e1 = e2.(AssignExpr).getRightOperand()
|
||||
e1 = e2.(AssignExpr).getRValue()
|
||||
or
|
||||
e1 = e2.(Cast).getExpr()
|
||||
or
|
||||
@@ -923,7 +923,7 @@ module Internal {
|
||||
/** Holds if expression `e2` is a non-`null` value whenever `e1` is. */
|
||||
predicate nonNullValueImpliedUnary(Expr e1, Expr e2) {
|
||||
e1 = e2.(CastExpr).getExpr() or
|
||||
e1 = e2.(AssignExpr).getRightOperand() or
|
||||
e1 = e2.(AssignExpr).getRValue() or
|
||||
e1 = e2.(NullCoalescingOperation).getAnOperand()
|
||||
}
|
||||
|
||||
|
||||
@@ -521,7 +521,7 @@ module Expressions {
|
||||
// ```
|
||||
// need special treatment, because the accesses `[0]`, `[1]`, and `[2]`
|
||||
// have no qualifier.
|
||||
this = any(MemberInitializer mi).getLeftOperand()
|
||||
this = any(MemberInitializer mi).getLValue()
|
||||
) and
|
||||
not exists(AssignableDefinitions::OutRefDefinition def | def.getTargetAccess() = this)
|
||||
}
|
||||
|
||||
@@ -31,7 +31,7 @@ private Expr maybeNullExpr(Expr reason) {
|
||||
or
|
||||
result instanceof AsExpr and reason = result
|
||||
or
|
||||
result.(AssignExpr).getRightOperand() = maybeNullExpr(reason)
|
||||
result.(AssignExpr).getRValue() = maybeNullExpr(reason)
|
||||
or
|
||||
result.(CastExpr).getExpr() = maybeNullExpr(reason)
|
||||
or
|
||||
|
||||
@@ -29,8 +29,4 @@ module CsharpDataFlow implements InputSig<Location> {
|
||||
predicate neverSkipInPathGraph(Node n) {
|
||||
exists(n.(AssignableDefinitionNode).getDefinition().getTargetAccess())
|
||||
}
|
||||
|
||||
DataFlowType getSourceContextParameterNodeType(Node p) {
|
||||
exists(p) and result.isSourceContextParameterType()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -528,7 +528,7 @@ module LocalFlow {
|
||||
e2 =
|
||||
any(AssignExpr ae |
|
||||
ae.getParent() = any(ControlFlowElement cfe | not cfe instanceof ExprStmt) and
|
||||
e1 = ae.getRightOperand()
|
||||
e1 = ae.getRValue()
|
||||
)
|
||||
or
|
||||
e1 = e2.(ObjectCreation).getInitializer()
|
||||
@@ -554,7 +554,7 @@ module LocalFlow {
|
||||
e2 = we
|
||||
)
|
||||
or
|
||||
exists(AssignExpr ae | ae.getLeftOperand().(TupleExpr) = e2 and ae.getRightOperand() = e1)
|
||||
exists(AssignExpr ae | ae.getLValue().(TupleExpr) = e2 and ae.getRValue() = e1)
|
||||
or
|
||||
exists(ControlFlowElement cfe | cfe = e2.(TupleExpr).(PatternExpr).getPatternMatch() |
|
||||
cfe.(IsExpr).getExpr() = e1
|
||||
@@ -795,7 +795,7 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
|
||||
q = we and
|
||||
mi = we.getInitializer().getAMemberInitializer() and
|
||||
f = mi.getInitializedMember() and
|
||||
src = mi.getRightOperand() and
|
||||
src = mi.getRValue() and
|
||||
postUpdate = false
|
||||
)
|
||||
or
|
||||
@@ -804,7 +804,7 @@ private predicate fieldOrPropertyStore(ContentSet c, Expr src, Expr q, boolean p
|
||||
mi = q.(ObjectInitializer).getAMemberInitializer() and
|
||||
q.getParent() instanceof ObjectCreation and
|
||||
f = mi.getInitializedMember() and
|
||||
src = mi.getRightOperand() and
|
||||
src = mi.getRValue() and
|
||||
postUpdate = false
|
||||
)
|
||||
or
|
||||
@@ -879,8 +879,8 @@ private predicate arrayStore(Expr src, Expr a, boolean postUpdate) {
|
||||
// Member initializer, `new C { Array = { [i] = src } }`
|
||||
exists(MemberInitializer mi |
|
||||
mi = a.(ObjectInitializer).getAMemberInitializer() and
|
||||
mi.getLeftOperand() instanceof ArrayAccess and
|
||||
mi.getRightOperand() = src and
|
||||
mi.getLValue() instanceof ArrayAccess and
|
||||
mi.getRValue() = src and
|
||||
postUpdate = false
|
||||
)
|
||||
}
|
||||
@@ -1179,8 +1179,7 @@ private module Cached {
|
||||
cached
|
||||
newtype TDataFlowType =
|
||||
TGvnDataFlowType(Gvn::GvnType t) or
|
||||
TDelegateDataFlowType(Callable lambda) { lambdaCreationExpr(_, lambda) } or
|
||||
TSourceContextParameterType()
|
||||
TDelegateDataFlowType(Callable lambda) { lambdaCreationExpr(_, lambda) }
|
||||
}
|
||||
|
||||
import Cached
|
||||
@@ -2395,8 +2394,6 @@ class DataFlowType extends TDataFlowType {
|
||||
|
||||
Callable asDelegate() { this = TDelegateDataFlowType(result) }
|
||||
|
||||
predicate isSourceContextParameterType() { this = TSourceContextParameterType() }
|
||||
|
||||
/**
|
||||
* Gets an expression that creates a delegate of this type.
|
||||
*
|
||||
@@ -2415,9 +2412,6 @@ class DataFlowType extends TDataFlowType {
|
||||
result = this.asGvnType().toString()
|
||||
or
|
||||
result = this.asDelegate().toString()
|
||||
or
|
||||
this.isSourceContextParameterType() and
|
||||
result = "<source context parameter type>"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2475,11 +2469,6 @@ private predicate compatibleTypesDelegateLeft(DataFlowType dt1, DataFlowType dt2
|
||||
)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
private predicate compatibleTypesSourceContextParameterTypeLeft(DataFlowType dt1, DataFlowType dt2) {
|
||||
dt1.isSourceContextParameterType() and not exists(dt2.asDelegate())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `t1` and `t2` are compatible, that is, whether data can flow from
|
||||
* a node of type `t1` to a node of type `t2`.
|
||||
@@ -2510,10 +2499,6 @@ predicate compatibleTypes(DataFlowType dt1, DataFlowType dt2) {
|
||||
compatibleTypesDelegateLeft(dt2, dt1)
|
||||
or
|
||||
dt1.asDelegate() = dt2.asDelegate()
|
||||
or
|
||||
compatibleTypesSourceContextParameterTypeLeft(dt1, dt2)
|
||||
or
|
||||
compatibleTypesSourceContextParameterTypeLeft(dt2, dt1)
|
||||
}
|
||||
|
||||
pragma[nomagic]
|
||||
@@ -2526,8 +2511,6 @@ predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) {
|
||||
uselessTypebound(t2)
|
||||
or
|
||||
compatibleTypesDelegateLeft(t1, t2)
|
||||
or
|
||||
compatibleTypesSourceContextParameterTypeLeft(t1, t2)
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -2599,7 +2582,7 @@ module PostUpdateNodes {
|
||||
call.getExpr() = init.(CollectionInitializer).getAnElementInitializer()
|
||||
or
|
||||
// E.g. `new Dictionary<int, string>() { [0] = "a", [1] = "b" }`
|
||||
call.getExpr() = init.(ObjectInitializer).getAMemberInitializer().getLeftOperand()
|
||||
call.getExpr() = init.(ObjectInitializer).getAMemberInitializer().getLValue()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -2812,7 +2795,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
|
||||
preservesValue = true
|
||||
or
|
||||
exists(AddEventExpr aee |
|
||||
nodeFrom.asExpr() = aee.getRightOperand() and
|
||||
nodeFrom.asExpr() = aee.getRValue() and
|
||||
nodeTo.asExpr().(EventRead).getTarget() = aee.getTarget() and
|
||||
preservesValue = false
|
||||
)
|
||||
|
||||
@@ -337,7 +337,7 @@ private module CallGraph {
|
||||
pred = succ.(DelegateCreation).getArgument()
|
||||
or
|
||||
exists(AddEventExpr ae | succ.(EventAccess).getTarget() = ae.getTarget() |
|
||||
pred = ae.getRightOperand()
|
||||
pred = ae.getRValue()
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -21,7 +21,7 @@ private module Impl {
|
||||
/** Holds if SSA definition `def` equals `e + delta`. */
|
||||
predicate ssaUpdateStep(ExplicitDefinition def, ExprNode e, int delta) {
|
||||
exists(ControlFlow::Node cfn | cfn = def.getControlFlowNode() |
|
||||
e = cfn.(ExprNode::Assignment).getRightOperand() and
|
||||
e = cfn.(ExprNode::Assignment).getRValue() and
|
||||
delta = 0 and
|
||||
not cfn instanceof ExprNode::AssignOperation
|
||||
or
|
||||
@@ -39,7 +39,7 @@ private module Impl {
|
||||
|
||||
/** Holds if `e1 + delta` equals `e2`. */
|
||||
predicate valueFlowStep(ExprNode e2, ExprNode e1, int delta) {
|
||||
e2.(ExprNode::AssignExpr).getRightOperand() = e1 and delta = 0
|
||||
e2.(ExprNode::AssignExpr).getRValue() = e1 and delta = 0
|
||||
or
|
||||
e2.(ExprNode::UnaryPlusExpr).getOperand() = e1 and delta = 0
|
||||
or
|
||||
@@ -207,13 +207,13 @@ module ExprNode {
|
||||
override CS::Assignment e;
|
||||
|
||||
/** Gets the left operand of this assignment. */
|
||||
ExprNode getLeftOperand() {
|
||||
result = unique(ExprNode res | hasChild(e, e.getLeftOperand(), this, res) | res)
|
||||
ExprNode getLValue() {
|
||||
result = unique(ExprNode res | hasChild(e, e.getLValue(), this, res) | res)
|
||||
}
|
||||
|
||||
/** Gets the right operand of this assignment. */
|
||||
ExprNode getRightOperand() {
|
||||
result = unique(ExprNode res | hasChild(e, e.getRightOperand(), this, res) | res)
|
||||
ExprNode getRValue() {
|
||||
result = unique(ExprNode res | hasChild(e, e.getRValue(), this, res) | res)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -225,10 +225,6 @@ module ExprNode {
|
||||
/** A compound assignment operation. */
|
||||
class AssignOperation extends Assignment, BinaryOperation {
|
||||
override CS::AssignOperation e;
|
||||
|
||||
override ExprNode getLeftOperand() { result = Assignment.super.getLeftOperand() }
|
||||
|
||||
override ExprNode getRightOperand() { result = Assignment.super.getRightOperand() }
|
||||
}
|
||||
|
||||
/** A unary operation. */
|
||||
|
||||
@@ -168,7 +168,7 @@ private module Impl {
|
||||
/** Returned an expression that is assigned to `f`. */
|
||||
ExprNode getAssignedValueToField(Field f) {
|
||||
result.getExpr() in [
|
||||
f.getAnAssignedValue(), any(AssignOperation a | a.getLeftOperand() = f.getAnAccess())
|
||||
f.getAnAssignedValue(), any(AssignOperation a | a.getLValue() = f.getAnAccess())
|
||||
]
|
||||
}
|
||||
|
||||
@@ -231,7 +231,7 @@ private module Impl {
|
||||
/** Returns a sub expression of `e` for expression types where the sign depends on the child. */
|
||||
ExprNode getASubExprWithSameSign(ExprNode e) {
|
||||
exists(Expr e_, Expr child | hasChild(e_, child, e, result) |
|
||||
child = e_.(AssignExpr).getRightOperand() or
|
||||
child = e_.(AssignExpr).getRValue() or
|
||||
child = e_.(UnaryPlusExpr).getOperand() or
|
||||
child = e_.(PostIncrExpr).getOperand() or
|
||||
child = e_.(PostDecrExpr).getOperand() or
|
||||
|
||||
@@ -55,5 +55,5 @@ ExprNode ssaRead(Definition v, int delta) {
|
||||
or
|
||||
v.(ExplicitDefinition).getControlFlowNode().(ExprNode::Assignment) = result and delta = 0
|
||||
or
|
||||
result.(ExprNode::AssignExpr).getRightOperand() = ssaRead(v, delta)
|
||||
result.(ExprNode::AssignExpr).getRValue() = ssaRead(v, delta)
|
||||
}
|
||||
|
||||
@@ -1348,7 +1348,7 @@ private module Internal {
|
||||
any(DynamicMemberAccess dma | this = TDispatchDynamicEventAccess(_, dma, _)).getQualifier()
|
||||
}
|
||||
|
||||
override Expr getArgument(int i) { i = 0 and result = this.getCall().getRightOperand() }
|
||||
override Expr getArgument(int i) { i = 0 and result = this.getCall().getRValue() }
|
||||
}
|
||||
|
||||
/** A call to a constructor using dynamic types. */
|
||||
|
||||
@@ -112,7 +112,7 @@ class BaseAccess extends Access, @base_access_expr {
|
||||
class MemberAccess extends Access, QualifiableExpr, @member_access_expr {
|
||||
override predicate hasImplicitThisQualifier() {
|
||||
QualifiableExpr.super.hasImplicitThisQualifier() and
|
||||
not exists(MemberInitializer mi | mi.getLeftOperand() = this)
|
||||
not exists(MemberInitializer mi | mi.getLValue() = this)
|
||||
}
|
||||
|
||||
override Member getQualifiedDeclaration() { result = this.getTarget() }
|
||||
|
||||
@@ -20,22 +20,14 @@ class Assignment extends BinaryOperation, @assign_expr {
|
||||
expr_parent(_, 1, this)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getLeftOperand` instead.
|
||||
*
|
||||
* Gets the left operand of this assignment.
|
||||
*/
|
||||
deprecated Expr getLValue() { result = this.getLeftOperand() }
|
||||
/** Gets the left operand of this assignment. */
|
||||
Expr getLValue() { result = this.getLeftOperand() }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getRightOperand` instead.
|
||||
*
|
||||
* Gets the right operand of this assignment.
|
||||
*/
|
||||
deprecated Expr getRValue() { result = this.getRightOperand() }
|
||||
/** Gets the right operand of this assignment. */
|
||||
Expr getRValue() { result = this.getRightOperand() }
|
||||
|
||||
/** Gets the variable being assigned to, if any. */
|
||||
Variable getTargetVariable() { result.getAnAccess() = this.getLeftOperand() }
|
||||
Variable getTargetVariable() { result.getAnAccess() = this.getLValue() }
|
||||
|
||||
override string getOperator() { none() }
|
||||
}
|
||||
@@ -48,12 +40,7 @@ class LocalVariableDeclAndInitExpr extends LocalVariableDeclExpr, Assignment {
|
||||
|
||||
override LocalVariable getTargetVariable() { result = this.getVariable() }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getLeftOperand` instead.
|
||||
*/
|
||||
deprecated override LocalVariableAccess getLValue() { result = this.getLeftOperand() }
|
||||
|
||||
override LocalVariableAccess getLeftOperand() { result = Assignment.super.getLeftOperand() }
|
||||
override LocalVariableAccess getLValue() { result = Assignment.super.getLValue() }
|
||||
|
||||
override string toString() { result = LocalVariableDeclExpr.super.toString() + " = ..." }
|
||||
|
||||
@@ -236,12 +223,9 @@ deprecated class AssignUnsighedRightShiftExpr = AssignUnsignedRightShiftExpr;
|
||||
*/
|
||||
class AddOrRemoveEventExpr extends AssignOperation, @assign_event_expr {
|
||||
/** Gets the event targeted by this event assignment. */
|
||||
Event getTarget() { result = this.getLeftOperand().getTarget() }
|
||||
Event getTarget() { result = this.getLValue().getTarget() }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getLeftOperand` instead.
|
||||
*/
|
||||
deprecated override EventAccess getLValue() { result = this.getLeftOperand() }
|
||||
override EventAccess getLValue() { result = this.getChild(0) }
|
||||
|
||||
override EventAccess getLeftOperand() { result = this.getChild(0) }
|
||||
}
|
||||
|
||||
@@ -773,7 +773,7 @@ class EventCall extends AccessorCall, EventAccessExpr {
|
||||
override EventAccessor getTarget() {
|
||||
exists(Event e, AddOrRemoveEventExpr aoree |
|
||||
e = this.getEvent() and
|
||||
aoree.getLeftOperand() = this
|
||||
aoree.getLValue() = this
|
||||
|
|
||||
aoree instanceof AddEventExpr and result = e.getAddEventAccessor()
|
||||
or
|
||||
@@ -784,8 +784,8 @@ class EventCall extends AccessorCall, EventAccessExpr {
|
||||
override Expr getArgument(int i) {
|
||||
i = 0 and
|
||||
exists(AddOrRemoveEventExpr aoree |
|
||||
aoree.getLeftOperand() = this and
|
||||
result = aoree.getRightOperand()
|
||||
aoree.getLValue() = this and
|
||||
result = aoree.getRValue()
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -95,7 +95,7 @@ class MemberInitializer extends AssignExpr {
|
||||
MemberInitializer() { this.getParent() instanceof ObjectInitializer }
|
||||
|
||||
/** Gets the initialized member. */
|
||||
Member getInitializedMember() { result.getAnAccess() = this.getLeftOperand() }
|
||||
Member getInitializedMember() { result.getAnAccess() = this.getLValue() }
|
||||
|
||||
override string getAPrimaryQlClass() { result = "MemberInitializer" }
|
||||
}
|
||||
|
||||
@@ -1099,7 +1099,7 @@ class QualifiableExpr extends Expr, @qualifiable_expr {
|
||||
}
|
||||
|
||||
private Expr getAnAssignOrForeachChild() {
|
||||
result = any(AssignExpr e).getLeftOperand()
|
||||
result = any(AssignExpr e).getLValue()
|
||||
or
|
||||
result = any(ForeachStmt fs).getVariableDeclTuple()
|
||||
or
|
||||
|
||||
@@ -41,6 +41,6 @@ class ReturnedByMockObject extends ObjectCreation {
|
||||
* Gets a value used to initialize a member of this object creation.
|
||||
*/
|
||||
Expr getAMemberInitializationValue() {
|
||||
result = this.getInitializer().(ObjectInitializer).getAMemberInitializer().getRightOperand()
|
||||
result = this.getInitializer().(ObjectInitializer).getAMemberInitializer().getRValue()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -17,14 +17,14 @@ abstract class SqlExpr extends Expr {
|
||||
class CommandTextAssignmentSqlExpr extends SqlExpr, AssignExpr {
|
||||
CommandTextAssignmentSqlExpr() {
|
||||
exists(Property p, SystemDataIDbCommandInterface i, Property text |
|
||||
p = this.getLeftOperand().(PropertyAccess).getTarget() and
|
||||
p = this.getLValue().(PropertyAccess).getTarget() and
|
||||
text = i.getCommandTextProperty()
|
||||
|
|
||||
p.overridesOrImplementsOrEquals(text)
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getSql() { result = this.getRightOperand() }
|
||||
override Expr getSql() { result = this.getRValue() }
|
||||
}
|
||||
|
||||
/** A construction of an unknown `IDbCommand` object. */
|
||||
|
||||
@@ -100,20 +100,20 @@ Expr getAValueForCookiePolicyProp(string prop) {
|
||||
Expr getAValueForProp(ObjectCreation create, Assignment a, string prop) {
|
||||
// values set in object init
|
||||
exists(MemberInitializer init, Expr src, PropertyAccess pa |
|
||||
a.getLeftOperand() = pa and
|
||||
a.getLValue() = pa and
|
||||
pa.getTarget().hasName(prop) and
|
||||
init = create.getInitializer().(ObjectInitializer).getAMemberInitializer() and
|
||||
init.getLeftOperand() = pa and
|
||||
DataFlow::localExprFlow(src, init.getRightOperand()) and
|
||||
init.getLValue() = pa and
|
||||
DataFlow::localExprFlow(src, init.getRValue()) and
|
||||
result = src
|
||||
)
|
||||
or
|
||||
// values set on var that create is assigned to
|
||||
exists(Expr src, PropertyAccess pa |
|
||||
a.getLeftOperand() = pa and
|
||||
a.getLValue() = pa and
|
||||
pa.getTarget().hasName(prop) and
|
||||
DataFlow::localExprFlow(create, pa.getQualifier()) and
|
||||
DataFlow::localExprFlow(src, a.getRightOperand()) and
|
||||
DataFlow::localExprFlow(src, a.getRValue()) and
|
||||
result = src
|
||||
)
|
||||
}
|
||||
@@ -138,15 +138,15 @@ private module OnAppendCookieTrackingConfig<propertyName/0 getPropertyName> impl
|
||||
exists(PropertyWrite pw, Assignment delegateAssign, Callable c |
|
||||
pw.getProperty().getName() = "OnAppendCookie" and
|
||||
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreBuilderCookiePolicyOptions and
|
||||
delegateAssign.getLeftOperand() = pw and
|
||||
delegateAssign.getLValue() = pw and
|
||||
(
|
||||
exists(LambdaExpr lambda |
|
||||
delegateAssign.getRightOperand() = lambda and
|
||||
delegateAssign.getRValue() = lambda and
|
||||
lambda = c
|
||||
)
|
||||
or
|
||||
exists(DelegateCreation delegate |
|
||||
delegateAssign.getRightOperand() = delegate and
|
||||
delegateAssign.getRValue() = delegate and
|
||||
delegate.getArgument().(CallableAccess).getTarget() = c
|
||||
)
|
||||
) and
|
||||
@@ -159,9 +159,9 @@ private module OnAppendCookieTrackingConfig<propertyName/0 getPropertyName> impl
|
||||
exists(PropertyWrite pw, Assignment a |
|
||||
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
|
||||
pw.getProperty().getName() = getPropertyName() and
|
||||
a.getLeftOperand() = pw and
|
||||
a.getLValue() = pw and
|
||||
exists(Expr val |
|
||||
DataFlow::localExprFlow(val, a.getRightOperand()) and
|
||||
DataFlow::localExprFlow(val, a.getRValue()) and
|
||||
val.getValue() = "true"
|
||||
) and
|
||||
sink.asExpr() = pw.getQualifier()
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user