Compare commits

...

1405 Commits

Author SHA1 Message Date
Calum Grant
bd925d2bee C#: Fix prefixing assembly IDs to type IDs. 2019-11-10 13:05:08 +00:00
Taus
aa7a997c7a Merge pull request #2248 from RasmusWL/python-sensitive-data-fewer-fp
Python: Limit what functions we treat as returning sensitive data
2019-11-04 15:09:52 +01:00
Rasmus Wriedt Larsen
ca22ec6104 Merge pull request #2042 from tausbn/python-fix-unused-import-fps
Python: Fix false positives in `py/unused-import`.
2019-11-04 14:47:30 +01:00
semmle-qlci
fa5388b5f3 Merge pull request #2209 from hvitved/csharp/deserialized-delegate
Approved by calumgrant, jf205
2019-11-04 12:32:04 +00:00
Rasmus Wriedt Larsen
b075103198 Merge pull request #2163 from tausbn/python-undefined-export-fp
Python: Modernise and fix FP in `py/undefined-export`
2019-11-04 13:10:48 +01:00
Geoffrey White
3e8b28a0a8 Merge pull request #2213 from jbj/BarrierGuard
C++: Implement DataFlow::BarrierGuard for AST+IR
2019-11-04 11:08:36 +00:00
Rasmus Wriedt Larsen
6593477d0b Python: Limit what functions we treat as returning sensitive data
Before this change, any function that has a parameter that was called
password/credentials would be treated as returning sensitive data of that
kind. `py/clear-text-logging-sensitive-data` would alert if one of these are
logged, which has a LOT of false-positives.
2019-11-04 11:32:21 +01:00
Tom Hvitved
cc7c30def8 Merge pull request #2179 from calumgrant/cs/local-disposal
C#: Fix a FP in cs/local-not-disposed
2019-11-04 11:23:50 +01:00
Taus Brock-Nannestad
d2f985038c Python: Fix missing modernisation. 2019-11-04 10:48:42 +01:00
Felicity Chapman
3eea0452b1 Merge pull request #2180 from shati-patel/docs/renaming
Docs: Update terminology
2019-11-04 09:14:18 +00:00
Max Schaefer
ef1778a8a7 Merge pull request #2212 from yh-semmle/java13-ql
Java: support JDK 13
2019-11-04 06:32:57 +00:00
yh-semmle
e232f538e9 Java 13: update test options 2019-11-02 16:09:32 -04:00
yh-semmle
e8a65101bc Java 13: add db stats for @yieldstmt 2019-11-02 16:09:32 -04:00
yh-semmle
de0869c216 Java 13: remove superfluous disjunct in JumpStmt.getAPotentialTarget() 2019-11-02 16:09:31 -04:00
yh-semmle
8fb4dbe092 Java 13: account for changes to switch expressions 2019-11-02 16:09:31 -04:00
yh-semmle
9f37237b4a Java 13: add stmt kind @yieldstmt to dbscheme 2019-11-02 16:09:31 -04:00
Jonas Jensen
426565ae68 Merge pull request #2239 from DX-MON/master
Query cpp/unused-static-variable was producing incorrect results for constexpr variables
2019-11-01 18:59:52 +01:00
Shati Patel
bd08e8baaf Docs: Rename Sphinx project to "Learning CodeQL" 2019-11-01 11:22:36 +00:00
shati-patel
d94e91b39b Apply suggestions from code review
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2019-11-01 11:03:12 +00:00
semmle-qlci
e8e2f7bb20 Merge pull request #2240 from max-schaefer/js/indirect-command-argument-data-flow
Approved by esbena
2019-11-01 11:00:22 +00:00
Dave Bartolomeo
ea23c2daac Merge pull request #2188 from jbj/printast-override
C++: Add a sample class in PrintAST.ql
2019-10-31 17:02:20 -07:00
Dave Bartolomeo
e6f632b44e Merge pull request #2228 from jbj/DefaultTaintTracking-getASTVariable
C++: Use getASTVariable in DefaultTaintTracking
2019-10-31 17:00:49 -07:00
Dave Bartolomeo
2f63ab0250 Merge pull request #2150 from rdmarsh2/rdmarsh/cpp/ir-buffer-read-call-se
C++: buffer read side effects on unmodeled funcs
2019-10-31 16:59:51 -07:00
Rachel Mant
413f49bba5 Query cpp/unused-static-variable was producing incorrect results for constexpr variables 2019-10-31 22:50:44 +00:00
Robert Marsh
9477bd5698 Merge branch 'master' of github.com:Semmle/ql into rdmarsh/cpp/ir-buffer-read-call-se 2019-10-31 11:00:01 -07:00
semmle-qlci
d03aecaa98 Merge pull request #2235 from max-schaefer/js/issue-2233
Approved by esbena
2019-10-31 14:17:58 +00:00
Max Schaefer
8aae1f443f JavaScript: Use type tracking instead of auxiliary data-flow configuration to track indirect command arguments. 2019-10-31 12:13:55 +00:00
Max Schaefer
311cbd824c JavaScript: Recognize ":" pseudo-directive. 2019-10-31 11:39:09 +00:00
Tom Hvitved
ceea96e03f C#: Update change note 2019-10-31 12:00:16 +01:00
semmle-qlci
2a3980222b Merge pull request #2201 from max-schaefer/js/avoid-duplicate-source-and-sink-nodes
Approved by asger-semmle
2019-10-31 10:47:30 +00:00
Robert Marsh
24c9b8b9b1 C++: fix unbound variables 2019-10-30 14:06:19 -07:00
Geoffrey White
ee3b49af3a Merge pull request #2219 from jbj/rangeanalysis-best-bound
C++: Restrict the output of IR Range Analysis to the best bounds
2019-10-30 17:18:59 +00:00
Jonas Jensen
1e6c983d62 C++: Use getASTVariable in DefaultTaintTracking
This library is not yet used in a query or test, so it broke silently
when `VariableAddressInstruction.getVariable` was removed.
2019-10-30 13:42:17 +01:00
semmle-qlci
a778efe71e Merge pull request #2216 from asger-semmle/xss-encodeURIComponent
Approved by max-schaefer
2019-10-30 11:49:31 +00:00
Aditya Sharad
ecd4c08cb4 Merge pull request #2225 from hvitved/csharp/autobuilder-tests
C#: Update autobuilder tests
2019-10-29 12:21:04 -07:00
Luke Cartey
d9d4aa30a9 Merge pull request #2214 from hmakholm/pr/upgrade-packs
Make each upgrade directory a QL pack
2019-10-29 16:45:02 +00:00
semmle-qlci
fde56cf290 Merge pull request #2223 from hvitved/csharp/autobuilder-curl-redirect
Approved by jbj
2019-10-29 15:38:02 +00:00
Rasmus Wriedt Larsen
87ec58aff1 Merge pull request #2221 from tausbn/python-unreachable-catch-all-assert
Python: Do not report unreachable "catch-all" cases in `elif`-chains.
2019-10-29 16:36:51 +01:00
Max Schaefer
b42026a90a JavaScript: Update expected output. 2019-10-29 15:36:24 +00:00
Max Schaefer
530fa2c11c JavaScript: Collapse edges instead of hiding nodes.
Instead of skipping over initial and final nodes, we now introduce edges from source and to sink nodes that circumvent these nodes entirely.
2019-10-29 15:30:24 +00:00
Max Schaefer
dc1d1c2f22 JavaScript: Update expected output. 2019-10-29 15:30:06 +00:00
Max Schaefer
278ea90049 JavaScript: Collapse flow labels at start/end nodes to avoid duplication. 2019-10-29 15:24:40 +00:00
Max Schaefer
316962233c JavaScript: Factor out MidPathNode into its own class. 2019-10-29 15:24:40 +00:00
Max Schaefer
7c56c9f999 JavaScript: Move suppression of hidden nodes into edges predicate.
They should really only be hidden for display purposes.
2019-10-29 15:19:26 +00:00
Max Schaefer
3373742077 JavaScript: Turn PathNode::getASuccessorInternal and PathNode::getAHiddenSuccessor into top-level predicates. 2019-10-29 15:19:26 +00:00
Max Schaefer
b6f4785645 JavaScript: Rename MkPathNode to MkMidNode. 2019-10-29 15:19:26 +00:00
Max Schaefer
d71faaa5f9 JavaScript: Introduce PathNode::wraps. 2019-10-29 15:19:26 +00:00
Max Schaefer
98e0932de5 JavaScript: Make Configuration::isLive nullary.
This makes it more obvious to the evaluator that it is a good predicate to pick as a sentinel, and in practice we mostly just have one configuration in scope anyway.
2019-10-29 15:19:26 +00:00
Tom Hvitved
edbdfdfa27 C#: Update autobuilder tests 2019-10-29 16:14:58 +01:00
Max Schaefer
6964945c74 JavaScript: Restrict edges to only contain nodes. 2019-10-29 15:03:52 +00:00
Taus Brock-Nannestad
5e62da7690 Python: Do not report unreachable "catch-all" cases in elif-chains.
This was brought up on the LGTM.com forums here:
https://discuss.lgtm.com/t/warn-when-always-failing-assert-is-reachable-rather-than-unreachable/2436

Essentially, in a complex chain of `elif` statements, like

```python
if x < 0:
    ...
elif x >= 0:
    ...
else:
    ...
```

the `else` clause is redundant, since the preceding conditions completely
exhaust the possible values for `x` (assuming `x` is an integer). Rather than
promoting the final `elif` clause to an `else` clause, it is common to instead
raise an explicit exception in the `else` clause. During execution, this
exception will never actually be raised, but its presence indicates that the
preceding conditions are intended to cover all possible cases.

I think it's a fair point. This is a clear instance where the alert, even if it
is technically correct, is not useful for the end user.

Also, I decided to make the exclusion fairly restrictive: it only applies if
the unreachable statement is an `assert False, ...` or `raise ...`, and only
if said statement is the first in the `else` block. Any other statements will
still be reported.
2019-10-29 15:30:32 +01:00
Tom Hvitved
6a77751713 C#: Add -L flag to autobuilder curl invocation
Turns out that `https://dot.net/v1/dotnet-install.sh` has moved to
`https://dotnet.microsoft.com/download/dotnet-core/scripts/v1/dotnet-install.sh`.
Instead of updating the URL in the code, I prefer to keep the old URL (which is
still referenced in the documentation), and let `curl` handle the redirect.
2019-10-29 14:15:17 +01:00
Shati Patel
e2b446db19 Docs: Update Python 2019-10-29 12:36:16 +00:00
Shati Patel
3337eaf0f9 Docs: Update JavaScript/TypeScript 2019-10-29 12:36:06 +00:00
Jonas Jensen
b6038f3caa C++: Remove best-bound logic from test
This logic, in an improved form, is now part of the library itself.
2019-10-29 11:54:32 +01:00
Jonas Jensen
311963906b C++: Only give the best delta in range analysis
This mirrors Java's 6b85fe087a.
2019-10-29 11:49:49 +01:00
Taus
6e6dab9ab8 Merge pull request #2178 from RasmusWL/python-minor-qldoc-fix
Python: Fix qldoc for TaintTracking Configuration
2019-10-29 10:40:12 +01:00
Jonas Jensen
ff62afb575 C++: Rename parameter to b to match QLDoc 2019-10-29 10:38:23 +01:00
semmle-qlci
2cddb82f10 Merge pull request #2210 from max-schaefer/js/better-destructuring-type-inference
Approved by asger-semmle, esbena
2019-10-29 08:08:51 +00:00
Jonas Jensen
0b2c2620cd Merge pull request #2184 from dave-bartolomeo/dave/AliasedUse
C++/C#: Add `AliasedUse` instruction to all functions
2019-10-29 08:37:57 +01:00
Asger F
94dd9a1c04 JS: Block XSS flow through encodeURIComponent 2019-10-28 17:12:40 +00:00
Henning Makholm
ae554cf1e9 Make each upgrade directory a QL pack 2019-10-28 17:14:31 +01:00
Taus
04e3683035 Merge pull request #2194 from RasmusWL/python-improve-getbasetype-qldoc
Python: Improve qldoc for ClassValue::getABaseType
2019-10-28 17:07:19 +01:00
Jonas Jensen
b13535ac7d C++: Implement DataFlow::BarrierGuard for AST+IR
The change note is copied from the Java change note.
2019-10-28 16:22:23 +01:00
Anders Schack-Mulligen
0ffcf9ce64 Merge pull request #2192 from JLLeitschuh/feature/JLL/http_response_splitting_netty
Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders
2019-10-28 15:01:20 +01:00
semmle-qlci
70b114b827 Merge pull request #2208 from hvitved/csharp/codeql/no-bundled-nuget
Approved by p0
2019-10-28 13:47:50 +00:00
Tom Hvitved
c3f23f542a C#: Add change note 2019-10-28 13:15:20 +01:00
Tom Hvitved
1fc786bea7 C#: Add precision tag to cs/deserialized-delegate 2019-10-28 13:11:10 +01:00
shati-patel
d94b0cab29 Update docs/language/learn-ql/java/introduce-libraries-java.rst
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2019-10-28 12:05:51 +00:00
semmle-qlci
30a907861b Merge pull request #2193 from max-schaefer/js/autobuilder-exclude-node_modules
Approved by asger-semmle
2019-10-28 11:26:51 +00:00
Tom Hvitved
8a08038ff3 C#: Use system-nuget in Autobuilder when SEMMLE_PLATFORM_TOOLS is not set 2019-10-28 10:59:26 +01:00
Geoffrey White
8839bdd688 Merge pull request #1428 from jbj/infinite-loops-visible
C++: Make cpp/comparison-with-wider-type visible
2019-10-28 09:49:38 +00:00
semmle-qlci
33374ee089 Merge pull request #2202 from asger-semmle/express-sendfile
Approved by esbena
2019-10-28 09:24:34 +00:00
Max Schaefer
b333c6a214 Merge pull request #2106 from asger-semmle/call-graph-3
JS: Call graph changes
2019-10-28 09:24:10 +00:00
Pavel Avgustinov
d501316c76 Merge pull request #2195 from hmakholm/pr/chain-to-codeql
codeqlmanifest: explicitly chain to ./codeql if we have it
2019-10-26 21:55:50 +01:00
Dave Bartolomeo
cc5a689293 C++/C#: Fix up after merge from master 2019-10-25 14:11:34 -07:00
Dave Bartolomeo
f5e320e988 Merge from master 2019-10-25 13:24:19 -07:00
Dave Bartolomeo
56cbd0c152 C++/C#: Make AliasedUse access only non-local memory
The `AliasedUse` instruction is supposed to represent future uses of aliased memory after the function returns. Since local variables from that function are no longer allocated after the function returns, the `AliasedUse` instruction should access only the set of aliased locations that does not include locals from the current stack frame.
2019-10-25 13:10:39 -07:00
Jonathan Leitschuh
934eed97df Apply suggestions from code review for netty DefaultHttpHeaders
Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2019-10-25 12:30:16 -04:00
semmle-qlci
d2f3574427 Merge pull request #2165 from erik-krogh/dosHigh
Approved by asger-semmle
2019-10-25 16:28:07 +01:00
Jonas Jensen
d63cc3d287 Merge remote-tracking branch 'upstream/master' into infinite-loops-visible
Moved the change note to 1.23.
2019-10-25 15:44:03 +02:00
Max Schaefer
d4b9beb010 JavaScript: Teach autobuilder not to extract node_modules and bower_components folders. 2019-10-25 14:25:02 +01:00
Max Schaefer
bd6109484d JavaScript: Rename node_modules to vendor in AutoBuildTests. 2019-10-25 14:25:02 +01:00
Max Schaefer
89f68f47a0 JavaScript: Improve type inference for captured variables. 2019-10-25 14:22:24 +01:00
Max Schaefer
6269dd99ab JavaScript: Improve type inference for destructuring assignments. 2019-10-25 14:22:24 +01:00
Asger F
04ee483c9e JS: update test output 2019-10-25 14:10:18 +01:00
Asger F
4e3f6c5107 JS: Add change note 2019-10-25 13:09:39 +01:00
Asger F
7ed31baeea JS: Rename to upward navigation 2019-10-25 13:07:07 +01:00
Asger F
39e2d1480e JS: Default to imprecision zero by default 2019-10-25 12:20:16 +01:00
Rasmus Wriedt Larsen
f1004b10ba Merge pull request #2147 from tausbn/python-cyclic-import-package-fp
Python: Fix cyclic import FP relating to packages.
2019-10-25 11:57:55 +02:00
Asger F
5636d42c13 JS: Update test 2019-10-25 09:57:10 +01:00
Asger F
ad645d3d50 JS: Restrict sendfile sink 2019-10-25 09:57:10 +01:00
semmle-qlci
89896c02c4 Merge pull request #2176 from Semmle/esbena-patch-1
Approved by erik-krogh
2019-10-25 09:26:12 +01:00
Jonas Jensen
22de0efc58 Merge pull request #2008 from dave-bartolomeo/dave/IRType2
C++: Implement language-neutral IR type system
2019-10-25 09:42:23 +02:00
yh-semmle
80fd5b2ada Merge pull request #2175 from aschackmull/java/continue-in-false-loop
Java: Port C++ query cpp/continue-in-false-loop to Java.
2019-10-24 20:47:59 -04:00
Dave Bartolomeo
80e29dce8b C++: Fix comment and remove unnecessary max() 2019-10-24 14:15:59 -07:00
Dave Bartolomeo
1223388ab6 C++: Fix test expectations 2019-10-24 13:54:21 -07:00
Dave Bartolomeo
956c18f976 C++/C#: Fix formatting 2019-10-24 13:54:09 -07:00
Ziemowit Łąski
01035f15cf Merge pull request #2123 from geoffw0/comparison2
CPP: Reword ComparisonPrecedence.ql query message.
2019-10-24 12:05:59 -07:00
Tom Hvitved
6d22e351f1 Merge pull request #2151 from raulgarciamsft/users/raul/oss
Users/raul/oss
2019-10-24 19:35:40 +02:00
Geoffrey White
f2656d8556 CPP: Autoformat. 2019-10-24 17:29:05 +01:00
Geoffrey White
73c677d417 Merge pull request #2189 from jbj/eivc-2019
C++: Minor tweaks to ExprInVoidContext
2019-10-24 16:50:35 +01:00
Henning Makholm
8dd0fcbf46 codeqlmanifest: explicitly chain to ./codeql if we have it 2019-10-24 17:40:43 +02:00
Jonas Jensen
8f58e7e6c9 C++: Clarify qldoc 2019-10-24 17:34:01 +02:00
Geoffrey White
e48936244d CPP: Reword the query message. 2019-10-24 16:22:51 +01:00
Rasmus Wriedt Larsen
c50d366527 Python: Improve qldoc for ClassValue::getABaseType
Hopefully it is more clear that you can get multiple results from getABaseType
because of multiple inheritance, and not because we are following the chain of
inheritance
2019-10-24 17:10:42 +02:00
Jonas Jensen
73e217a51e C++: Un-deprecate class Qualifier
It turns out this was used in the internal repo.
2019-10-24 16:47:29 +02:00
Jonathan Leitschuh
dcbd6e0a11 Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders
Closes #2185
2019-10-24 10:27:40 -04:00
Hening Makholm
c927a4c354 Merge pull request #2191 from lcartey/lgtm-selectors
Update new-style suite definitions
2019-10-24 16:15:56 +02:00
Calum Grant
ad867bb855 Merge pull request #2186 from hvitved/csharp/new-env-variables
C#: Teach extractor and autobuilder about new environment variables
2019-10-24 15:12:13 +01:00
Shati Patel
6090867542 Docs: Update Java 2019-10-24 14:59:55 +01:00
Shati Patel
fbc11e505f Docs: Update Go 2019-10-24 14:59:40 +01:00
Shati Patel
f9e76b27f5 Docs: Update C# 2019-10-24 14:59:32 +01:00
Luke Cartey
6bcfb4e5cc Update new-style suite definitions
Capture path-problem as well as problem queries.
2019-10-24 14:54:13 +01:00
Jonas Jensen
6c069ff444 C++: The update of a for-loop is ExprInVoidContext 2019-10-24 15:27:54 +02:00
Jonas Jensen
edc9e23a9d C++: Deprecate class Qualifier
It's not used anywhere outside `VoidContext.qll`, where it was defined.
The use in `VoidContext.qll` is 10 years old and was a workaround for an
extractor bug that no longer exists.
2019-10-24 15:22:44 +02:00
Anders Schack-Mulligen
fe2988ab39 Merge pull request #2152 from yh-semmle/java-alert-suppression-annotations
Java: support LGTM alert suppression using `@SuppressWarnings` annotations
2019-10-24 15:04:29 +02:00
Jonas Jensen
8e31b8167a C++: Add a sample class in PrintAST.ql
I've found myself typing out this class whenever I want to print the AST
of one function. I hope it will be useful to others too.
2019-10-24 14:46:10 +02:00
Tom Hvitved
4ac32c4b12 C#: Fix more tests 2019-10-24 13:00:14 +02:00
Asger F
7dd7463288 Merge pull request #2169 from erik-krogh/importMeta
JS: add initial support for import.meta expressions in TypeScript
2019-10-24 11:20:04 +01:00
Calum Grant
b9ba534bcb C#: Update qltest output. 2019-10-24 11:06:34 +01:00
Tom Hvitved
83ec2d6162 C#: Teach extractor and autobuilder about new environment variables 2019-10-24 11:15:33 +02:00
Erik Krogh Kristensen
ab42b5de80 fix line end at end of dbscheme 2019-10-24 10:17:06 +02:00
Erik Krogh Kristensen
a584d7c850 change update script description
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2019-10-24 10:17:06 +02:00
Erik Krogh Kristensen
834b572f45 add initial support for expressions in TypeScript 2019-10-24 10:17:00 +02:00
Jonas Jensen
4b27b2ac05 Merge pull request #2173 from zlaski-semmle/zlaski/bad-addition-qhelp-reword
Reword and reformat Qhelp for BadAdditionOverflowCheck query
2019-10-24 09:26:41 +02:00
Calum Grant
6ac163abac C#: Add change note 2019-10-23 21:59:42 +01:00
Calum Grant
df1e215d98 C#: Add ?? as a local dataflow step. 2019-10-23 21:47:03 +01:00
Dave Bartolomeo
d03a4f86e5 C++/C#: Add AliasedUse instruction to all functions
This new instruction is the dual of the existing `AliasedDefinition` instruction. Whereas that instruction defines the contents of aliased memory before the function was called, `AliasedUse` represents the potential use of all aliased memory after the function returns. This ensures that writes to aliased memory do not appear "dead", even if there are no further reads from aliased memory within the function itself.
2019-10-23 11:59:05 -07:00
Geoffrey White
0427b1eb3f C#: Fix more tests. 2019-10-23 18:20:44 +01:00
Shati Patel
2aefcbd42c Docs: Update C/C++ 2019-10-23 18:17:52 +01:00
Shati Patel
6cf8f06191 Docs: Update COBOL 2019-10-23 18:17:10 +01:00
Shati Patel
9b8516cbd6 Remove some mentions of "CodeQL" and fix typos 2019-10-23 17:40:48 +01:00
Anders Schack-Mulligen
3462624995 Java: Add test. 2019-10-23 16:24:26 +02:00
Calum Grant
48c0d9ecca C#: Add qltests for ?? dataflow. 2019-10-23 15:17:26 +01:00
Rasmus Wriedt Larsen
8767d29d21 Python: Use src for naming in TaintTrackign::Configuration
We picked `src` since this is used much more than `source` in our existing code.
2019-10-23 15:56:37 +02:00
Shati Patel
60226801aa Docs: Update terminology
A more in-depth attempt at changing terminology for GHU.
I've only updated the non-language specific topics so far.
2019-10-23 14:54:02 +01:00
semmle-qlci
fc8c1e195a Merge pull request #2177 from asger-semmle/nodejs-detector-class-expression
Approved by max-schaefer
2019-10-23 14:33:07 +01:00
Calum Grant
6b15bf62fd C#: Rewrite null-coalsecing logic 2019-10-23 13:49:22 +01:00
Calum Grant
01ad93d199 C#: Fix for false positive. 2019-10-23 12:26:01 +01:00
Asger F
45667cc127 TS: Tolerate syntax errors in class declaration 2019-10-23 11:40:34 +01:00
Calum Grant
ee7cf17b15 C#: Add test case for local disposal. 2019-10-23 11:22:52 +01:00
Taus
30483db621 Merge pull request #2146 from RasmusWL/python-improve-iter-returns-non-iterator
Python: improve py/iter-returns-non-iterator
2019-10-23 11:53:00 +02:00
Esben Sparre Andreasen
207692a7a1 add missing .ql extension to suite file name 2019-10-23 11:18:48 +02:00
Rasmus Wriedt Larsen
5c5eaacc09 Python: Remove cached annotation in py/iter-returns-non-iterator 2019-10-23 10:46:07 +02:00
Rasmus Wriedt Larsen
a98466392d Python: Improve tests and docs for py/iter-returns-non-iterator 2019-10-23 10:46:07 +02:00
shati-patel
41969a3d92 Merge pull request #2174 from jf205/go-docs/sd-3871
docs: add ql for go topic
2019-10-23 09:25:30 +01:00
james
efe84a6d93 docs: ql-for-go.rst 2019-10-23 09:16:38 +01:00
Geoffrey White
e331a24dbb C#: Fix autoformat. 2019-10-23 08:48:07 +01:00
Ziemowit Laski
ac7a1230e6 [zlaski/bad-addition-qhelp-reword] Left-justify help text so that it renders proerly in MD. 2019-10-22 14:00:02 -07:00
Ziemowit Laski
ad4cd6f2bb [zlaski/bad-addition-qhelp-reword] Initial change. 2019-10-22 13:43:35 -07:00
Dave Bartolomeo
0219dbeeed C++: Fix override warning 2019-10-22 11:50:48 -07:00
Robert Marsh
219fcb7889 Merge pull request #2160 from jf205/review-cpp-docs
docs: editorial suggestions to new C/C++ topics
2019-10-22 10:59:59 -07:00
Robert Marsh
9f0499cce9 Merge pull request #2063 from jbj/dataflow-ref-parameter
C++: Data flow through reference parameters
2019-10-22 09:40:15 -07:00
Pavel Avgustinov
325dbfe9c0 Merge pull request #2172 from hmakholm/qlpack.yml
qlpack files are now YAML rather than JSON
2019-10-22 17:19:52 +01:00
Geoffrey White
9949d8a000 C#: Fix warnings. 2019-10-22 17:10:11 +01:00
semmle-qlci
cbfa1cd058 Merge pull request #2168 from xiemaisi/js/remove-duplicate-configuration
Approved by erik-krogh
2019-10-22 17:02:26 +01:00
Geoffrey White
b218a87ecc C#: Override tags. 2019-10-22 16:57:12 +01:00
Henning Makholm
f4a6261f7c add a codeql manifest too 2019-10-22 17:36:35 +02:00
Henning Makholm
347d97c14c qlpack.json is now qlpack.yml 2019-10-22 17:36:35 +02:00
Pavel Avgustinov
72de1b25ab Merge pull request #2164 from hmakholm/suites
Add some new-style suite definitions
2019-10-22 16:35:19 +01:00
Geoffrey White
ae20e9ace1 CPP: Fix autoformat. 2019-10-22 16:28:53 +01:00
Anders Schack-Mulligen
da57dbc528 Java: Port C++ query cpp/continue-in-false-loop. 2019-10-22 17:07:57 +02:00
Taus
a19569ce3e Merge pull request #2161 from RasmusWL/python-fix-cookieset-tostring
Python: Fix toString for CookieSet classes
2019-10-22 16:48:31 +02:00
James Fletcher
25e3258b10 Merge pull request #2170 from shati-patel/link
Docs: Fix broken link
2019-10-22 15:43:03 +01:00
Geoffrey White
41984a8731 CPP: Fix more qhelp. 2019-10-22 15:38:44 +01:00
Geoffrey White
78e56d9f7f C#: Sync identical files. 2019-10-22 15:24:50 +01:00
Geoffrey White
2fa80c7da5 CPP: Fix qhelp. 2019-10-22 15:21:27 +01:00
Shati Patel
50c7816a66 Fix broken link 2019-10-22 15:12:06 +01:00
Geoffrey White
33867dd859 C#: Fixes. 2019-10-22 15:05:32 +01:00
Geoffrey White
63003894c3 CPP: Fixes. 2019-10-22 14:51:17 +01:00
Henning Makholm
fd768a1af6 Add some new-style suite definitions 2019-10-22 15:51:00 +02:00
Taus Brock-Nannestad
32de65c0c6 Python: Add discussed test case (a false negative). 2019-10-22 15:10:40 +02:00
Taus Brock-Nannestad
83bf54c524 Python: Move false positive (now a true negative) into subfolder. 2019-10-22 15:08:29 +02:00
semmle-qlci
cb3a05c6de Merge pull request #2166 from xiemaisi/js/fix-typo
Approved by esben-semmle
2019-10-22 12:38:10 +01:00
Max Schaefer
1c23615742 JavaScript: Fix typo in doc comment. 2019-10-22 10:44:25 +01:00
Geoffrey White
faf1a2acbe CPP: Fix typos. 2019-10-22 09:56:50 +01:00
Geoffrey White
47169e2ece C#: Fix autoformat. 2019-10-22 09:56:49 +01:00
Geoffrey White
3b674de12c C#: Disable precision tags for now. 2019-10-22 09:56:49 +01:00
Geoffrey White
49e7addaa4 C#: Autoformat. 2019-10-22 09:56:42 +01:00
Geoffrey White
31dd3cae84 CPP: Autoformat. 2019-10-22 09:55:48 +01:00
Raul Garcia (MSFT)
cb8dcf7db2 Publishing queries to the OSS Semmle repository 2019-10-22 09:55:39 +01:00
Rasmus Wriedt Larsen
e487fd3648 Python: Improve alert message for py/iter-returns-non-iterator
Fixes https://github.com/Semmle/ql/issues/1427
2019-10-22 10:27:55 +02:00
Rasmus Wriedt Larsen
6056b457e9 Python: Autoformat py/iter-returns-non-iterator 2019-10-22 10:25:01 +02:00
semmle-qlci
1c79ec550e Merge pull request #2092 from esben-semmle/js/brittle-system-reflection-command
Approved by mchammer01, xiemaisi
2019-10-22 08:36:44 +01:00
Erik Krogh Kristensen
1ae8e25603 change precision of js/loop-bound-injection and fix a false positive 2019-10-22 09:21:19 +02:00
semmle-qlci
eb9d90dff6 Merge pull request #2143 from esben-semmle/js/fix-all-sanitisers
Approved by xiemaisi
2019-10-22 07:16:27 +01:00
semmle-qlci
0dcb189e67 Merge pull request #2162 from xiemaisi/js/remove-deprecated-queries
Approved by esben-semmle
2019-10-22 07:15:58 +01:00
Dave Bartolomeo
63038896f4 C++: Accept test output after changes 2019-10-21 17:06:32 -07:00
Dave Bartolomeo
2cd694756b C++: Remove mistakenly-added file 2019-10-21 15:58:38 -07:00
Dave Bartolomeo
1c8e275b40 C++/C#: Autoformat all the things 2019-10-21 15:00:05 -07:00
Esben Sparre Andreasen
5a983cb535 JS: add query js/shell-command-injection-from-environment 2019-10-21 23:31:55 +02:00
Dave Bartolomeo
7241c1aae6 C++/C#: More sanity checks for IRType 2019-10-21 14:22:46 -07:00
Dave Bartolomeo
958754bed8 C++: Use max to handle mixed 32/64-bit extraction 2019-10-21 11:56:12 -07:00
Dave Bartolomeo
5776077bf6 C++: Add comment about enum signedness 2019-10-21 11:37:18 -07:00
Dave Bartolomeo
debb662b8c C++: Reformat comment 2019-10-21 10:55:59 -07:00
Dave Bartolomeo
71a6b5dffe C++/C#: Fix some duplicate IRType problems, and add a sanity test 2019-10-21 10:46:30 -07:00
Max Schaefer
b9203377c7 JavaScript: Remove a duplicate Configuration class. 2019-10-21 17:32:02 +01:00
Taus Brock-Nannestad
ab2c8f312c Python: Apply autoformat. 2019-10-21 17:40:36 +02:00
Taus Brock-Nannestad
4fe1ba0ea4 Python: Refactor py/undefined-export for more clarity. 2019-10-21 17:40:36 +02:00
Taus Brock-Nannestad
8a1d1e7b7a Python: Modernise and false positive in py/undefined-export. 2019-10-21 16:07:48 +02:00
Max Schaefer
90cefead84 Merge pull request #1988 from erik-krogh/unreacableOverloads
JS: Unreachable overloads
2019-10-21 14:57:29 +01:00
Max Schaefer
55fb86d618 JavaScript: Remove deprecated queries.
These queries have all been deprecated since 1.17 (released in July 2018). I think it's time to say goodbye.
2019-10-21 14:42:02 +01:00
Rasmus Wriedt Larsen
016c95a69c Merge pull request #2078 from taus-semmle/python-unreachable-suppressed
Python: Teach `py/unreachable-statement` about `contextlib.suppress`.
2019-10-21 15:14:39 +02:00
Taus Brock-Nannestad
b2f7b0921b Python: Add false negative test case. 2019-10-21 14:31:05 +02:00
Taus Brock-Nannestad
99b99ef2b6 Python: Teach py/unreachable-statement about contextlib.suppress. 2019-10-21 14:31:05 +02:00
Erik Krogh Kristensen
9eda120de4 implement a new query to detect unreachable overloaded methods in TypeScript 2019-10-21 13:34:42 +02:00
james
ec15add112 docs: fix headings 2019-10-21 12:03:59 +01:00
Asger F
8aa34e6a54 JS: Add XSS test case for new PostMessageEventHandler cases 2019-10-21 11:32:22 +01:00
Asger F
0ad9067b7d JS: pragma[noopt] -> pragma[noinline] 2019-10-21 11:32:22 +01:00
Asger F
96b6c83eba JS: Tests and fixes for PartialInvokeNode 2019-10-21 11:32:22 +01:00
James Fletcher
31bd2abd87 Update docs/language/learn-ql/cpp/value-numbering-hash-cons.rst
Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-10-21 11:26:27 +01:00
james
d4e9aa53f3 docs: edits to new cpp topics 2019-10-21 10:34:28 +01:00
Rasmus Wriedt Larsen
9cf0e244b1 Python: Fix toString for CookieSet classes
The old implementation would result in empty recursion.
2019-10-21 11:26:10 +02:00
James Fletcher
82ca45f0b5 Merge pull request #2131 from shati-patel/spec-links
Docs: Update links to avoid redirects within help.semmle.com
2019-10-21 10:02:34 +01:00
Calum Grant
4ee3f2c46e Merge pull request #2139 from hvitved/csharp/dataflow/callcontext-bool-pruning
C#: Data-flow pruning based on call contexts
2019-10-21 09:49:05 +01:00
Jonas Jensen
c0fdcf3089 Merge pull request #2094 from rdmarsh2/rdmarsh/docs/cpp/advanced-library-guide
C++/Docs: Add guides to advanced AST libraries
2019-10-21 10:40:53 +02:00
Jonas Jensen
defe99503d Merge pull request #2113 from raulgarciamsft/users/raulga/boost
Users/raulga/boost
2019-10-20 13:14:44 +02:00
Robert Marsh
fc7dbeb0a9 Docs: quotes around "then" block and "else" block 2019-10-18 13:00:02 -07:00
Dave Bartolomeo
f871c72660 C++: Fix PR feedback 2019-10-18 12:54:03 -07:00
Dave Bartolomeo
8ec15933f5 C++/C#: Blob -> Opaque 2019-10-18 12:51:25 -07:00
Robert Marsh
e57fef093b C++: accept syntax-zoo changes 2019-10-18 10:08:53 -07:00
Asger F
3dcb134e6b JS: Improve documentation 2019-10-18 17:00:38 +01:00
yh-semmle
afcde14403 Merge pull request #2085 from aschackmull/java/overflow-check-fp
Java: Add another overflow check pattern to UselessComparisonTest.
2019-10-18 11:01:24 -04:00
Geoffrey White
446763d331 CPP: Fix typo. 2019-10-18 14:47:21 +01:00
yh-semmle
155d14a185 Java: simplify Extents.qll 2019-10-18 09:46:00 -04:00
yh-semmle
4348241f72 Java: simplify java/alert-suppression-annotations 2019-10-18 09:45:49 -04:00
Geoffrey White
411f74db70 CPP: Delete comment. 2019-10-18 14:44:38 +01:00
semmle-qlci
0ad802bad0 Merge pull request #2145 from xiemaisi/js/es2020
Approved by esben-semmle
2019-10-18 14:06:45 +01:00
Taus
45158a7177 Merge pull request #2053 from RasmusWL/python-modernise-falcon-library
Python modernise falcon library
2019-10-18 14:47:33 +02:00
Taus Brock-Nannestad
70d9d1bd0e Python: Add false positive test case for cyclic import. 2019-10-18 14:03:23 +02:00
Anders Schack-Mulligen
582a91f1e9 Java: Add change note. 2019-10-18 11:59:09 +02:00
Anders Schack-Mulligen
27b8a46dac Java: Exclude loop conditions from overflow check heuristic. 2019-10-18 11:58:46 +02:00
Taus
37291c5642 Merge pull request #2100 from RasmusWL/python-fix-hasFlowPath
Python: Fix hasFlowPath default implementation of isSink/2
2019-10-18 11:16:58 +02:00
Geoffrey White
5a97a16945 CPP: Autoformat. 2019-10-18 09:46:04 +01:00
Jonas Jensen
dcc446660e Merge pull request #2149 from rdmarsh2/rdmarsh/cpp/ir-side-effect-primary
C++: Add getPrimaryInstruction to specific side effects
2019-10-18 10:31:01 +02:00
yh-semmle
1d415b3680 Java: enable java/alert-suppression-annotations in LGTM suite 2019-10-17 22:09:04 -04:00
yh-semmle
ee2c97f147 Java: add extra test for java/alert-suppression-annotations 2019-10-17 22:09:04 -04:00
yh-semmle
62521dca32 Java: account for multiple strings in java/alert-suppression-annotations 2019-10-17 22:09:04 -04:00
yh-semmle
f3a980deb6 Java: clarify predicate name in java/alert-suppression-annotations 2019-10-17 22:09:03 -04:00
yh-semmle
d165ce95f2 Java: tidy QLDoc in Extents.qll 2019-10-17 22:09:03 -04:00
yh-semmle
e3f828c588 Java: refine ranges in java/alert-suppression-annotations 2019-10-17 22:09:03 -04:00
yh-semmle
b2bc8382b0 Java: add alert-suppression query for @SuppressWarnings("lgtm[...]") 2019-10-17 22:09:02 -04:00
Robert Marsh
30e501e110 C++/Docs: reword "divide" to "partition"
Co-Authored-By: Jonas Jensen <jbj@knef.dk>
2019-10-17 12:22:37 -07:00
Robert Marsh
5451c394a2 C++/C#: autoformat 2019-10-17 12:20:36 -07:00
Robert Marsh
b29f88450b C++: buffer read side effects on unmodeled funcs 2019-10-17 12:10:23 -07:00
Robert Marsh
b8bbce0eb6 C#: sync IR 2019-10-17 11:00:04 -07:00
Nick Rolfe
176d7672a1 Merge pull request #2148 from Semmle/cpp-454-invalid_key-diagnostic_for
Drop unique diagnostic key on diagnostic_for tuple
2019-10-17 16:51:03 +01:00
Matthew Gretton-Dann
4e345fb921 C++: Add upgrade script 2019-10-17 15:37:34 +01:00
Matthew Gretton-Dann
bc0d73b86e C++: Remove unique diagniostic key on diagnostic_for. 2019-10-17 15:34:51 +01:00
Esben Sparre Andreasen
80a32aebc1 JS: add SystemCommandExecution::isShellInterpreted 2019-10-17 13:29:24 +02:00
Max Schaefer
a4bffe35fd JavaScript: Add support for globalThis. 2019-10-17 12:04:01 +01:00
semmle-qlci
9995c12132 Merge pull request #2144 from shati-patel/monospace-links
Approved by jf205
2019-10-17 11:55:58 +01:00
Taus Brock-Nannestad
067bdf5ec4 Python: Disregard packages when looking for cyclic imports. 2019-10-17 12:47:34 +02:00
Shati Patel
54d7bba3dd Docs: Remove unused styling 2019-10-17 11:31:35 +01:00
Jonas Jensen
9bc7ce1fac Merge pull request #2141 from geoffw0/newtest
CPP: AV Rule 114 test cases
2019-10-17 09:28:10 +02:00
Esben Sparre Andreasen
93b1e59d62 JS: fix spelling: sanitisers -> sanitizers 2019-10-17 09:05:03 +02:00
Robert Marsh
30d7238921 C++: fix missing getPrimaryInstruction 2019-10-16 17:05:37 -07:00
Robert Marsh
fffe3c2432 C++: add sanity test for side effect primaries 2019-10-16 16:53:55 -07:00
Dave Bartolomeo
6e61b1dcd0 C++: Fix up after merge from master
The one interesting piece that needed to be fixed up was the type of an `Indirect[Read|Write]SideEffect` operand/result. If the parameter type is a pointer or reference to an incomplete type, we need to set the type of the side effect memory access to `Unknown`, because we don't model incomplete types in the IR type system.

I also added minimal support for `__assume` (generated as a `NoOp`), because lack of `__assume` support got in the way of debugging the other issue above.
2019-10-16 15:55:56 -07:00
Robert Marsh
3c127fb829 C++/Docs: expand on VN/HC and add wikipedia links 2019-10-16 13:09:36 -07:00
Robert Marsh
0cc0977a09 C++/Docs: more examples and rewording for guards 2019-10-16 12:45:59 -07:00
Dave Bartolomeo
167d2289c4 Merge from master 2019-10-16 10:10:10 -07:00
Max Schaefer
dfed7502b6 Merge pull request #2142 from Semmle/jf205-patch-1
docs: update path to support docs in readme.md
2019-10-16 16:58:34 +01:00
James Fletcher
d1a8152f29 update path to support docs in readme.md 2019-10-16 16:55:28 +01:00
semmle-qlci
280a62ed30 Merge pull request #2138 from Semmle/xiemaisi-patch-1
Approved by erik-krogh
2019-10-16 15:14:29 +01:00
Pavel Avgustinov
7fa6c54731 Merge pull request #2119 from hmakholm/pr/qlpacks
Add qlpack.json files
2019-10-16 14:27:10 +01:00
Geoffrey White
6f96d1759f Merge pull request #2077 from jbj/cfg-enable-pr
C++: enable the QL-based CFG code
2019-10-16 14:06:22 +01:00
Geoffrey White
5f1fdd08a7 CPP: Post-2115. 2019-10-16 13:51:06 +01:00
Geoffrey White
096af3c3f3 CPP: Add test cases involving __builtin_complex. 2019-10-16 13:46:11 +01:00
Tom Hvitved
c57015af7d C#: Data-flow pruning based on call contexts 2019-10-16 13:51:32 +02:00
Max Schaefer
f963ebcddc JavaScript: Remove stray comma from @tags. 2019-10-16 12:42:33 +01:00
Tom Hvitved
853cbd8728 C#: Add dataflow tests exhibiting missing call-context based pruning 2019-10-16 13:39:35 +02:00
Max Schaefer
712762481c Merge pull request #2001 from esben-semmle/js/identity-escape
JS: add query js/useless-regexp-character-escape
2019-10-16 10:27:50 +01:00
Geoffrey White
33ae7ee802 Merge pull request #2130 from jbj/cfg-pos-int
C++: Implement Pos and Spec as int, not newtype
2019-10-16 09:56:14 +01:00
Jonas Jensen
bca1be0601 Merge pull request #2135 from zlaski-semmle/zlaski/memset-model
[zlaski/memset-model] Add side effect modeling to Memset.
2019-10-16 08:49:24 +02:00
Esben Sparre Andreasen
e1d7434be4 JS: add query js/useless-regexp-character-escape 2019-10-16 00:15:54 +02:00
Ziemowit Laski
fcc1938143 [zlaski/memset-model] Ctrl+Shift+F. 2019-10-15 15:03:58 -07:00
Ziemowit Laski
2ca52a4124 [zlaski/memset-model] Add side effect modeling to Memset. 2019-10-15 14:43:39 -07:00
Robert Marsh
9aea2eda9b Apply suggestions from code review
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
2019-10-15 14:11:45 -07:00
Jonas Jensen
25130f200b Merge pull request #2132 from hmakholm/pr/gitignore-codeql
.gitignore += codeql
2019-10-15 21:57:39 +02:00
Henning Makholm
12c44b1994 .gitignore += codeql
It is useful (though not necessary) to be able to place codeql in a Semmle/ql checkout.
2019-10-15 20:59:14 +02:00
Jonas Jensen
4c15ea581a C++: Autoformat CFG.qll 2019-10-15 19:32:55 +02:00
igfoo
61d21c1ec0 Merge pull request #2127 from matt-gretton-dann/cpp-451-invalid_key-for-var_decls-fun_decls
Use correct keysets for var_decls and fun_decls
2019-10-15 17:56:04 +01:00
yh-semmle
5aced3e432 Merge pull request #2128 from AlexTereshenkov/move-qll-java
Move qll file to support import from custom QL queries
2019-10-15 11:39:10 -04:00
Sam Lanning
54af67c40f Merge pull request #2126 from AlexTereshenkov/issue-template-general
Add general question issue template
2019-10-15 08:26:24 -07:00
Shati Patel
a2162ba6f3 Docs: Update some more links 2019-10-15 16:19:18 +01:00
Shati Patel
1a319b03cd Docs: Update links to language specification 2019-10-15 16:02:45 +01:00
Anders Schack-Mulligen
309961d493 Merge pull request #2118 from yh-semmle/java-non-sync-override
Java: restrict `java/non-sync-override` to immediate overrides
2019-10-15 16:40:00 +02:00
Jonas Jensen
a9984e9d8b C++: Implement Pos and Spec as int, not newtype
This change gives a slight performance improvement and makes the QL code
shorter. It introduces some magic numbers in the code, but those are
confined to the `Pos` and `Spec` classes.

We get a speed-up because the evaluator has built-in support for integer
literals in the `OUTPUT` of `JOIN` operations, whereas `newtype`s have
to be explicitly joined on. As a result, a predicate like
`CFG::straightLineSparse#ffff` drops from 262 pipeline nodes to 242.

I measured performance on https://github.com/jluttine/suitesparse, which
is one of the projects that had the biggest slowdown when enabling the
QL CFG on lgtm.com. I took two measurements before this change and two
after. The `CFG.qll` stage took 117s and 112s before, and it took 106s
and 107s after.
2019-10-15 16:22:37 +02:00
alexey
715f1ddaca Move qll file to support import from custom QL queries 2019-10-15 14:55:09 +01:00
Matthew Gretton-Dann
692c29d095 C++: Test fun_decl for INVALID_KEYs 2019-10-15 14:47:32 +01:00
Matthew Gretton-Dann
0f6d64e27e C++: Update schema stats 2019-10-15 14:42:57 +01:00
Matthew Gretton-Dann
e4174ff610 C++: Add schema upgrade script 2019-10-15 14:42:57 +01:00
Matthew Gretton-Dann
f98d20c33a C++: Update var_decls, fun_decls keysets. 2019-10-15 14:42:57 +01:00
Tom Hvitved
b142113037 Merge pull request #2087 from calumgrant/cs/localexprflow
C#: Implement localExprFlow and localExprTaint
2019-10-15 15:33:50 +02:00
Tom Hvitved
3f170142c9 Merge pull request #2086 from calumgrant/cs/indexer-detection
C#: Fix an InvalidCastException
2019-10-15 15:33:32 +02:00
alexey
a2478296db Add general question issue template 2019-10-15 12:13:45 +01:00
Rasmus Wriedt Larsen
d3f3cefa54 Python: Autoformat (4 spaces) falcon library 2019-10-15 11:23:51 +02:00
Rasmus Wriedt Larsen
7a112f37cb Python: Modernise falcon library 2019-10-15 11:22:46 +02:00
Tom Hvitved
cae7f9d805 Merge pull request #2099 from aschackmull/java/callcontext-bool-pruning
Java: Data-flow pruning based on call contexts.
2019-10-15 09:36:36 +02:00
Robert Marsh
47668f275f C++/Docs: move controls predicate to top of file 2019-10-14 11:54:55 -07:00
Jonas Jensen
527ec4a9e4 Merge pull request #2122 from geoffw0/bitsign2
CPP: BitwiseSignCheck.ql fix
2019-10-14 15:47:36 +02:00
Matthew Gretton-Dann
53720a30e9 Merge pull request #2115 from nickrolfe/builtin_complex
C++: support `__builtin_complex`
2019-10-14 14:40:43 +01:00
Max Schaefer
dca808126f Merge pull request #2032 from erik-krogh/lessSpaces
JS: remove false positive in js/missing-space-in-concatenation
2019-10-14 14:25:40 +01:00
Anders Schack-Mulligen
2be5c38615 Java: Address comments. 2019-10-14 14:59:14 +02:00
semmle-qlci
82db8c8856 Merge pull request #2108 from asger-semmle/typescript-3.6.3
Approved by esben-semmle
2019-10-14 12:33:06 +01:00
Nick Rolfe
22fa657818 C++: update stats for @builtincomplex 2019-10-14 11:31:59 +01:00
Nick Rolfe
564e4511bc C++: add upgrade script 2019-10-14 11:31:59 +01:00
Nick Rolfe
6c83c76268 C++: add a test for __builtin_complex 2019-10-14 11:31:59 +01:00
Nick Rolfe
682832fc55 C++: add an expr kind for __builtin_complex 2019-10-14 11:31:58 +01:00
Geoffrey White
62311eb37d CPP: Change note. 2019-10-14 11:03:49 +01:00
Geoffrey White
ff8e04aa99 CPP: Fix bug. 2019-10-14 11:00:43 +01:00
Geoffrey White
62625cc454 CPP: Extend the test. 2019-10-14 10:44:04 +01:00
Henning Makholm
29167bbff8 Add qlpack.json files
Eventually these files will subsume the current `queries.xml` files
at the top of query-containing and library directories. For now they're
just here to support internal testing of the tooling support for them
we're writing on.

Format and contents is a work in progress. If you're not in Semmle,
don't depend on anything here making sense (or staying stable) until
you see the version tags increase to something nonzero.
2019-10-12 17:38:01 +02:00
yh-semmle
b37d92ac95 Java: add change note for java/non-sync-override 2019-10-11 19:36:45 -04:00
zlaski-semmle
ae0c4e449f Merge pull request #1925 from geoffw0/qldoceg10
CPP: Add syntax examples to QLDoc in Access.qll, Declaration.qll
2019-10-11 12:19:18 -07:00
Geoffrey White
0398681b84 CPP: Autoformat. 2019-10-11 17:30:29 +01:00
shati-patel
26fd0df023 Merge pull request #2117 from felicitymay/codeowners
Update CODEOWNERS file
2019-10-11 15:55:39 +01:00
Felicity Chapman
850cc53278 Update CODEOWNERS file 2019-10-11 15:37:36 +01:00
shati-patel
c8595d1da1 Merge pull request #2111 from jf205/fix-heading
docs: fix heading levels in c/c++ topic
2019-10-11 10:21:08 +01:00
Anders Schack-Mulligen
bc2d31bef2 Merge pull request #2114 from yh-semmle/java-expr-parent
Java: refine type of parent column in `exprs` relation
2019-10-11 09:58:11 +02:00
yh-semmle
64db00ae6d Java: refine type of parent column in exprs relation 2019-10-10 19:57:53 -04:00
yh-semmle
35552a8c0e Java: restrict java/non-sync-override to immediate overrides 2019-10-10 19:56:42 -04:00
Raul Garcia (MSFT)
7b0e83fead Porting Boost.org TLS queries 2019-10-10 16:05:14 -07:00
semmle-qlci
75bf339a9b Merge pull request #2112 from shati-patel/quick-fix
Approved by jf205
2019-10-10 16:04:30 +01:00
Shati Patel
b6311836a0 Docs: small fixes 2019-10-10 15:50:50 +01:00
Jonas Jensen
c99845ce5d Merge pull request #2035 from geoffw0/comparison
CPP: Unclear comparison precedence template fix
2019-10-10 16:31:54 +02:00
james
09cd86c005 docs: heading levels 2019-10-10 14:38:14 +01:00
Rasmus Wriedt Larsen
bf197b9f20 Add testcase 2019-10-10 15:34:54 +02:00
Rasmus Wriedt Larsen
36bb5f54ce Python: Fix hasFlowPath default implementation of isSink/2
If hasFlowPath was used, and isSink/2 was not overridden,
hasFlowPath(src, sink) would not use isSink/1 to restrict the allowed TaintSink.
This resulted in false-positives when we had flows with unrelated TaintSinks.

FP: 1a8e7ffc2e/files/webapp/graphite/dashboard/views.py (x2d486922081db956):1

Fixes https://github.com/Semmle/ql/issues/2081
2019-10-10 15:34:54 +02:00
semmle-qlci
7ba04768cd Merge pull request #2098 from asger-semmle/ts-computed-field-name-context
Approved by esben-semmle
2019-10-10 12:06:46 +01:00
Asger F
3e83d8486f TS: Update @types/node 2019-10-10 10:56:07 +01:00
Asger F
c10e48ddea TS: Bump to TypeScript 3.6.3 2019-10-10 10:24:48 +01:00
semmle-qlci
3726b79a23 Merge pull request #2103 from asger-semmle/remove-rollup-deps
Approved by esben-semmle
2019-10-10 10:10:45 +01:00
Geoffrey White
d8f3422375 CPP: Reword and clarify. 2019-10-10 10:04:32 +01:00
Geoffrey White
393c9e9247 CPP: QLDoc example for ImplicitThisFieldAccess. 2019-10-10 10:04:32 +01:00
Geoffrey White
1c0fdef0a8 CPP: Add a simplified test case for ImplicitThisFieldAccess. 2019-10-10 10:04:32 +01:00
Geoffrey White
e45ea90428 CPP: Backticks. 2019-10-10 10:04:31 +01:00
Geoffrey White
5fe69c7658 CPP: QLDoc fix for Stmt.qll. 2019-10-10 10:04:31 +01:00
Geoffrey White
85063760af CPP: Examples Declaration.qll. 2019-10-10 10:04:31 +01:00
Geoffrey White
3e46494c3a CPP: Clarify the Declaration / DeclarationEntry relationship around definitions, as there has been confusion over this. 2019-10-10 10:04:31 +01:00
Geoffrey White
bc4363bc22 CPP: Add a test of FunctionAccess and cases for FieldAccess. 2019-10-10 10:04:31 +01:00
Geoffrey White
4543aaf5dd CPP: Examples Access.qll. 2019-10-10 10:04:31 +01:00
Geoffrey White
cdf48cf0d4 CPP: Change note. 2019-10-10 09:23:03 +01:00
Geoffrey White
b10988faec CPP: Fix the query. 2019-10-10 09:15:19 +01:00
Geoffrey White
3f167a6f15 CPP: Add a test involving templates. 2019-10-10 09:15:19 +01:00
Geoffrey White
4fc73cab63 CPP: Add a test of ComparisonPrecedence.ql. 2019-10-10 09:15:19 +01:00
Robert Marsh
62c73a5f70 C++/Docs: more work on guards.rst
Added some examples and reworded portions of guards.rst. There's still
more to do - examples for ensures and compares predicates, and possibly
rewording the description of the compares predicates
2019-10-09 16:13:53 -07:00
zlaski-semmle
8896fa5bc9 Merge pull request #1924 from geoffw0/quickfix
CPP: Tiny qldoc fixes.
2019-10-09 14:52:54 -07:00
Robert Marsh
500a81ad1e C++/Docs: remove reference to IR GVN 2019-10-09 10:45:39 -07:00
Alexander Eyers-Taylor
70caa9b82c Merge pull request #2105 from shati-patel/qldoc-spec
Terminology update
2019-10-09 17:02:35 +01:00
semmle-qlci
6e8764d592 Merge pull request #2104 from Semmle/training-typo
Approved by jf205
2019-10-09 16:03:25 +01:00
Nick Rolfe
91d3389e58 QL training: fix typos 2019-10-09 15:55:41 +01:00
shati-patel
9bb1b4f68a Terminology update
Method -> member predicate
2019-10-09 15:08:18 +01:00
Esben Sparre Andreasen
0e79d3db46 Merge pull request #2065 from erik-krogh/noReturn
JS: use of returnless function
2019-10-09 13:44:39 +02:00
Asger F
cf24fa22c8 JS: Dont use deprecated class 2019-10-09 12:16:12 +01:00
Asger F
45b108842b JS: Update CallGraph test output 2019-10-09 12:16:11 +01:00
Asger F
b392559b39 JS: Accept that types may degrade CG precision 2019-10-09 12:16:11 +01:00
Asger F
ddf0d5379d JS: Angular: replace getAnInitialUse with parameterNode 2019-10-09 12:16:11 +01:00
Asger F
07df479b94 JS: IllegalInvocation: be more convservative 2019-10-09 12:16:11 +01:00
Asger F
ad8667d6db JS: IllegalInvocation regression test 2019-10-09 12:16:11 +01:00
Asger F
d3f587c12a JS: Restrict class values flowing through globals 2019-10-09 12:16:11 +01:00
Asger F
dbfd0ae03b JS: InconsistentNew regression test 2019-10-09 12:16:11 +01:00
Asger F
bdc409ccb6 JS: Move getACallee into CallGraphs module 2019-10-09 12:16:11 +01:00
Asger F
4a0e54a69f JS: Add library doc comment 2019-10-09 12:16:11 +01:00
Asger F
8404522c08 JS: Performance tweaks 2019-10-09 12:16:11 +01:00
Asger F
34497f6d19 JS: Use getABoundFunctionValue in PostMessageEventHandler 2019-10-09 12:16:11 +01:00
Asger F
d6d89a0703 JS: Move call graph computation into CallGraphs.qll 2019-10-09 12:16:10 +01:00
Asger F
96a13ff5d6 JS: Add goog.bind and angular.bind as partial invokes 2019-10-09 12:16:10 +01:00
Asger F
3bf86ee468 JS: Rename AdditionalPartialInvoke -> PartialInvoke::Range 2019-10-09 12:16:10 +01:00
Asger F
d6ba966c4e JS: Add getBoundFunction() 2019-10-09 12:16:10 +01:00
Asger F
6534219831 JS: Move AdditionalPartialInvokeNode to Nodes.qll 2019-10-09 12:16:10 +01:00
Asger F
15f0e85853 JS: Restructure call graph computation 2019-10-09 12:16:10 +01:00
Asger F
c5f29e0a1d JS: Simplify call graph metric 2019-10-09 12:16:10 +01:00
Asger F
7355fdf900 JS: Update trap output 2019-10-09 11:59:42 +01:00
Asger F
1f2c331ad9 TS: Remove dependency on rollup 2019-10-09 11:42:13 +01:00
Esben Sparre Andreasen
ea63414e97 Merge pull request #2016 from asger-semmle/jquery
Add type tracking and type info to jQuery model
2019-10-09 10:55:57 +02:00
Anders Schack-Mulligen
312c573eb6 Java: Remove unneeded import. 2019-10-09 10:10:36 +02:00
Anders Schack-Mulligen
e123f97303 Java: Remove useless pruning. 2019-10-09 09:35:30 +02:00
Jonas Jensen
daabb2c5d0 Merge pull request #2082 from rdmarsh2/rdmarsh/cpp/ir-getASTVariable
IR: add getASTVariable to VariableInstruction
2019-10-09 08:56:01 +02:00
Robert Marsh
07e7d061cd C++/Docs: expand on gvn and hashcons design 2019-10-08 13:41:26 -07:00
Robert Marsh
aee87ebaaa C++/Docs: respond to simple PR comments 2019-10-08 10:53:54 -07:00
Robert Marsh
a90e8684e4 C++: Apply suggestions from code review
Co-Authored-By: Jonas Jensen <jbj@knef.dk>
2019-10-08 10:40:08 -07:00
Anders Schack-Mulligen
5e0ce81030 Java: Refactor to improve join-pipeline. 2019-10-08 17:15:06 +02:00
Asger F
c09e748bca JS: Migrate JQueryMethodCall to new API 2019-10-08 14:05:10 +01:00
semmle-qlci
c8e5be74d5 Merge pull request #2093 from asger-semmle/ts-unused-var-fix
Approved by erik-krogh
2019-10-08 13:51:46 +01:00
Asger F
e4e10a3222 JS: Bump extractor version string 2019-10-08 13:51:13 +01:00
Asger F
1fc01d9b5d JS: Add change note 2019-10-08 13:51:13 +01:00
Asger F
8146619913 JS: Set context of computed field names to enclosing ctor 2019-10-08 13:51:12 +01:00
Asger F
2235072841 JS: Add tests 2019-10-08 13:51:12 +01:00
Jonas Jensen
5d7a0b8dd5 Merge remote-tracking branch 'upstream/master' into dataflow-ref-parameter
I've accepted the new test output, which shows that this branch fixes
two false negatives in the test cases from #2088.
2019-10-08 13:09:20 +02:00
Asger F
ea35b8418a JS: Add change note 2019-10-08 12:05:31 +01:00
Jonas Jensen
19f642fc8d Merge commit '7434702' into dataflow-ref-parameter
This merges #1735 into this branch to resolve the semantic merge
conflicts between them.
2019-10-08 12:55:47 +02:00
Asger F
90ad55e8ce JS: Update DOM test 2019-10-08 11:50:18 +01:00
Erik Krogh Kristensen
0933235132 whitelist calls to functions that always throw an exception 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
a2993f1849 massively improve performance for detecting one-shot closures 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
0b8ea3c504 remove redundant check in returnsVoid 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
5ce356f509 two small doc fixes from docteam
Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
c6918ef38e changes to documentation and small change in returnsVoid based on code-review 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
8c7f316a57 add qldoc to benignContext predicate
Co-Authored-By: Esben Sparre Andreasen <42067045+esben-semmle@users.noreply.github.com>
2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
63b3005217 remove punctuation in query name 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
b0b2d02855 small doc update
Co-Authored-By: mc <42146119+mchammer01@users.noreply.github.com>
2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
55f2f62c7a changes based on code review 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
49bd553916 change query severity to warning 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
ea3c2fb2fa add fix suggestion to qhelp of js/use-of-returnless-function 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
64bcc10af3 remove redundancy in qhelp 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
666e11a506 apply suggestions from code review
Co-Authored-By: Esben Sparre Andreasen <42067045+esben-semmle@users.noreply.github.com>
2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
1c424310ae revert the last small change to ExprHasNoEffect.qll 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
34d0f72706 small refactor and added docstring based on code review 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
92623a3e32 cleanup and refactor of promise case based on code-review 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
0b48999718 refactored the attribute checks based on code-review 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
1bbe1ecdba the js/use-of-returnless-function query now support multiple callees 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
7025ba36c0 refactor of js/use-of-returnless-function 2019-10-08 11:54:57 +02:00
Erik Krogh Kristensen
00bf82d3c7 small changes to benignContext predicate based on code review 2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen
dedae5ba1d refactor isExplicitConditional into a library file, and use it from js/use-of-returnless-function 2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen
bda37b6d6f refactor of benignContext predicate based on code review 2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen
cdde8aea58 revert changes to js/useless-expression 2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen
be18adca3c update description in change-notes 2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen
9788b16dee add change note for js/use-of-returnless-function 2019-10-08 11:54:08 +02:00
Erik Krogh Kristensen
bed14244ae add query for detecting uses return-values from functions that does not return a value 2019-10-08 11:53:14 +02:00
Anders Schack-Mulligen
20084fb3c0 Java: Fix pruning in partialPathStep. 2019-10-08 11:28:53 +02:00
Anders Schack-Mulligen
bf14889077 Java: Refactor to improve performance. 2019-10-08 11:28:35 +02:00
Esben Sparre Andreasen
24a5301d87 Merge pull request #2056 from erik-krogh/suspiciousMethodName
JS: add query for detecting suspicious method names in TypeScript
2019-10-08 10:49:57 +02:00
Robert Marsh
d8f539d78b C++/Docs: Add guides to advanced AST libraries 2019-10-07 16:14:10 -07:00
Asger F
d0cce12db9 JS: Bump extractor version 2019-10-07 16:51:57 +01:00
Asger F
52bd19b951 JS: Run Java formatter 2019-10-07 16:51:57 +01:00
Asger F
316580334a TS: Fix extraction of default-exported class 2019-10-07 16:46:59 +01:00
Calum Grant
d6bbc51996 C#: Autoformat QL. 2019-10-07 16:10:46 +01:00
Calum Grant
d5a48a34e6 C#: Remove redundant test for indexers. Tested in library-tests\overrides. 2019-10-07 15:56:36 +01:00
semmle-qlci
ff5a98b260 Merge pull request #2074 from taus-semmle/python-unreachable-nonlocal
Approved by RasmusWL
2019-10-07 15:45:24 +01:00
semmle-qlci
e36e16af48 Merge pull request #2079 from taus-semmle/python-unused-local-nonlocal
Approved by RasmusWL
2019-10-07 15:38:21 +01:00
Anders Schack-Mulligen
3c4e877913 Java: Minor refactor. 2019-10-07 16:18:48 +02:00
Anders Schack-Mulligen
f8123679a1 Java: Qldoc updates. 2019-10-07 16:12:31 +02:00
Anders Schack-Mulligen
38aba7bfc1 Java: Fix qltest. 2019-10-07 15:51:42 +02:00
Anders Schack-Mulligen
75ebc098bb Java: Fix semantic merge conflict. 2019-10-07 15:42:26 +02:00
Asger F
8fcf0ed30c JS: Update Angular/JQLiteObject test 2019-10-07 14:31:09 +01:00
Anders Schack-Mulligen
b581e38782 Java: Autoformat and sync post rebase. 2019-10-07 15:26:39 +02:00
Cornelius Riemenschneider
9ef61bd43c Address more parts of Anders review. 2019-10-07 15:19:20 +02:00
Erik Krogh Kristensen
3a55880d51 update expected output for js/suspicious-method-name-declaration 2019-10-07 15:18:37 +02:00
Cornelius Riemenschneider
812a0bcb16 Address some parts of Anders' review. 2019-10-07 15:17:17 +02:00
Cornelius Riemenschneider
0f5dd5d7c7 Add one more test with a more complicated guard. 2019-10-07 15:14:42 +02:00
Cornelius Riemenschneider
393fb02dfa Fix undesirable join order. 2019-10-07 15:14:41 +02:00
Tom Hvitved
ee5503146e Add stub implementations for isUnreachableInCall() 2019-10-07 15:13:49 +02:00
Tom Hvitved
eabfa31767 Synchronize data flow files 2019-10-07 15:13:48 +02:00
Tom Hvitved
46933ef65e Java: Autoformat 2019-10-07 15:12:13 +02:00
Cornelius Riemenschneider
d79eaffd3a Prune unreachable paths in the Java dataflow library based on call context.
We now detect patterns like
f(bool cond){
       if(cond)
        then A
        else B
and prune branches for calls like f(true) or f(false).
This pruning is done both in the local (bigstep) flow graph
as well as in the inter-procedural dataflow graph.
2019-10-07 15:10:54 +02:00
Cornelius Riemenschneider
dba93b30e7 Add tests exhibiting false positives in the dataflow library, where call context is not used to prune branches. 2019-10-07 14:59:55 +02:00
Rasmus Wriedt Larsen
3f45d8614b Merge pull request #2047 from taus-semmle/python-modernise-and-fix-cyclic-import-fp
Python: modernise and fix cyclic import false positive.
2019-10-07 14:28:36 +02:00
semmle-qlci
fbb7747bd1 Merge pull request #2073 from hvitved/csharp/splitting-joins
Approved by calumgrant
2019-10-07 12:22:57 +01:00
Asger F
755f76a308 JS: Mention the ::Range classes 2019-10-07 08:29:42 +01:00
Asger F
34b4eb69db JS: Cache JSDocTypeExpr.resolvedName() 2019-10-07 08:29:42 +01:00
Asger F
c1e9eec267 JS: Modernize jQuery attribute defs 2019-10-07 08:29:42 +01:00
Asger F
a224186fab JS: Migrate AngularJS.JQLiteObject 2019-10-07 08:29:42 +01:00
Asger F
afdcb1e075 JS: Handle jQuery objects from Parameter.getAnInitialUse() 2019-10-07 08:29:42 +01:00
Asger F
284a24c18e JS: Update tests with deprecation warning 2019-10-07 08:29:42 +01:00
Asger F
fb181c2d14 JS: Use type info and type tracking in jQuery 2019-10-07 08:29:42 +01:00
Calum Grant
369c456353 Merge pull request #2090 from hvitved/csharp/local-function-trap
C#: Use containing type instead of containing method in local function TRAP label
2019-10-07 08:29:13 +01:00
Tom Hvitved
8ba94140b1 C#: Use containing type instead of containing method in local function TRAP label
This is in order to handle the case where the enclosing callable of a local
function is a lambda expression.
2019-10-06 21:05:34 +02:00
Tom Hvitved
28021d6715 C#: Add test for local function in lambda 2019-10-06 20:50:24 +02:00
Jonas Jensen
6c87d75190 Merge pull request #2088 from geoffw0/swap3
CPP: Add taint tests.
2019-10-04 20:44:18 +02:00
Robert Marsh
7fefe4385a Merge pull request #1963 from jbj/predictableInstruction
C++: Implement predictableInstruction without Expr
2019-10-04 10:04:52 -07:00
Geoffrey White
050d99fa87 CPP: Add test cases. 2019-10-04 17:44:27 +01:00
Calum Grant
2706238413 C#: Update queries to use localExprFlow. 2019-10-04 16:53:02 +01:00
Calum Grant
af25536648 C#: Add localExprFlow and localExprTaint, and change notes. 2019-10-04 16:46:02 +01:00
ian-semmle
ebc10cf5db Merge pull request #2084 from matt-gretton-dann/cpp-445-synthetic_destructor_call-INVALID_KEY-warnings
Update keysets for synthetic_destructor_call and *variables tuple
2019-10-04 16:38:35 +01:00
Calum Grant
ba6eb22cc9 C#: Roslyn workaround for when IPropertySymbol.IsIndexer seems to be working incorrectly. 2019-10-04 16:28:28 +01:00
Tom Hvitved
b55e2948be Merge pull request #1986 from calumgrant/cs/switch-cfg
C#: Fix CFG for switch statements where the default case is not the last
2019-10-04 16:54:04 +02:00
Erik Krogh Kristensen
14cc352bd9 small documentation change based on review 2019-10-04 15:26:32 +02:00
Geoffrey White
0e478d1c0e Merge pull request #2066 from jbj/dataflow-conditionAlwaysTrue-perf
C++: Improve join orders for QL CFG
2019-10-04 14:16:41 +01:00
Geoffrey White
e465f4cc81 Merge pull request #2064 from jbj/leapyear-extends-abstract
C++: Avoid `extends Operation` in LeapYear.qll
2019-10-04 14:15:21 +01:00
Erik Krogh Kristensen
144e831515 mention that "function" should not be used when declaring a call signature in an interface 2019-10-04 15:05:11 +02:00
Anders Schack-Mulligen
066a2f0d12 Java: Add another overflow check pattern to UselessComparisonTest. 2019-10-04 15:04:40 +02:00
Erik Krogh Kristensen
bf1fd83851 fix typo in predicate name 2019-10-04 15:04:39 +02:00
Erik Krogh Kristensen
b741a65e9b documentation changes based on review
Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-10-04 14:42:16 +02:00
Jonas Jensen
a7641a8765 C++: Clarify OutNode and ReturnNode QLDoc 2019-10-04 14:33:04 +02:00
Anders Schack-Mulligen
273ef46c22 Merge pull request #2080 from hvitved/dataflow/ap-tostring
Java/C++/C#: Tweak `AccessPathNil::toString()`
2019-10-04 14:02:10 +02:00
Erik Krogh Kristensen
c8d60c9e2a update @description of js/suspicious-method-name-declaration 2019-10-04 11:40:33 +02:00
Tom Hvitved
7f6e253425 Java: Update expected test output 2019-10-04 11:09:44 +02:00
Tom Hvitved
9b58d799cb Java/C++/C#: Tweak AccessPathNil::toString()
Move the type annotation outside the brackets, to avoid prefixes such as
`[ : T]`.
2019-10-04 11:09:44 +02:00
Erik Krogh Kristensen
712a337bdd qhelp adjustments based on code-review 2019-10-04 11:06:11 +02:00
Erik Krogh Kristensen
ced5e3ea29 qhelp adjustment from code-review
Co-Authored-By: Esben Sparre Andreasen <42067045+esben-semmle@users.noreply.github.com>
2019-10-04 11:02:15 +02:00
Robert Marsh
6e587f3f2a IR: Add VariableInstruction.getASTVariable 2019-10-03 13:12:06 -07:00
Robert Marsh
c1e3821ab0 IR: rename getVariable to getIRVariable 2019-10-03 13:10:49 -07:00
Taus Brock-Nannestad
26da6a1178 Python: Apply autoformat. 2019-10-03 17:58:52 +02:00
Taus Brock-Nannestad
5946a4a066 Python: Teach py/unused-local-variable about nonlocal. 2019-10-03 17:56:29 +02:00
Calum Grant
48dee29620 Merge pull request #2021 from hvitved/csharp/local-not-disposed
C#: Refactor `cs/local-not-disposed` using data flow library
2019-10-03 15:21:06 +01:00
Matthew Gretton-Dann
d06e3d79c6 C++: Add DB Upgrade script 2019-10-03 15:16:50 +01:00
Matthew Gretton-Dann
618d0a9603 C++: Update DB Stats 2019-10-03 15:16:50 +01:00
Matthew Gretton-Dann
a7f682a9be C++: Update *variables keysets. 2019-10-03 15:16:50 +01:00
Matthew Gretton-Dann
d62730a9f3 C++: Update synthetic_destructor_call keysets.
Reorder the [ destructor_call, expr ] tuple.
Add a [ expr, i ] tuple.
2019-10-03 15:16:50 +01:00
Matthew Gretton-Dann
06d1d6ed5d C++: Fix synthetic_destructor_call key uniqueness. 2019-10-03 15:16:50 +01:00
Jonas Jensen
dca39f0fad Merge pull request #2027 from zlaski-semmle/zlaski/memset-model
[zlaski/memset-model] QL model for `memset` and friends
2019-10-03 14:31:23 +02:00
Jonas Jensen
01a3a037bc C++: Make complex_numbers/expr.ql less brittle
This test used `getAQlClass`, which caused it to break when new classes
were added anywhere in the libraries. That's now avoided by switching to
`getCanonicalQLClass`. It turns out that `getCanonicalQLClass` didn't
support arithmetic expressions on complex numbers, so that support had
to be added.
2019-10-03 13:19:16 +02:00
AlexTereshenkov
3e6f8fb6be Add bind-socket-all-network-interfaces Python query (#2048)
Add bind-socket-all-network-interfaces Python query
2019-10-03 11:23:11 +01:00
Jonas Jensen
41d344a8b7 C++: Support if constexpr in QL CFG
This fixes the test `cpp/ql/test/library-tests/constexpr_if/cfg.ql`,
which broke when the QL CFG was enabled.

The new cases are just copy-pastes of the `IfStmt` cases (they don't
share a useful common superclass) with added checks for whether their
constant value equals 0.
2019-10-03 12:21:41 +02:00
Jonas Jensen
2eed38e2d4 C++: Accept slight CFG regression in static init
Hopefully it does not make a difference in practice whether
uninstantiated template functions are considered to have control flow
through initializers of their static variables.
2019-10-03 11:48:03 +02:00
semmle-qlci
a019c456e9 Merge pull request #1985 from shati-patel/ql-etudes
Approved by jf205
2019-10-03 09:16:22 +01:00
semmle-qlci
a8a7de963c Merge pull request #2070 from shati-patel/hb/updates
Approved by jf205
2019-10-03 09:14:58 +01:00
Jonas Jensen
8bed418022 C++: enable the QL-based CFG code 2019-10-03 10:04:24 +02:00
yh-semmle
3313af5189 Merge pull request #2036 from aschackmull/java/eq-ssa-guard
Java: Improve guards for equal ssa variables.
2019-10-02 12:00:59 -04:00
Taus Brock-Nannestad
384013e0dc Python: Add tests for reachability when using nonlocal. 2019-10-02 17:13:00 +02:00
Tom Hvitved
e5380aa6a7 Merge pull request #2038 from aschackmull/java/dataflow-fixes
Java/C++/C#: Misc. dataflow fixes.
2019-10-02 16:39:01 +02:00
Calum Grant
eb893fbc5d Merge pull request #2024 from hvitved/csharp/conversion-unbound
C#: Handle unbound types in conversion library
2019-10-02 15:36:38 +01:00
Tom Hvitved
b66479c028 C#: Add change note 2019-10-02 16:31:26 +02:00
Tom Hvitved
17085dc05c C#: Fix typo 2019-10-02 16:26:38 +02:00
Tom Hvitved
6ebefbb67d C#: Improve a few join-orders in Splitting.qll 2019-10-02 16:23:08 +02:00
Erik Krogh Kristensen
2b5e3aebb7 change tabs to spaces 2019-10-02 15:03:38 +02:00
Erik Krogh Kristensen
0c46e5c1a8 update description of js/suspicious-method-name-declaration 2019-10-02 15:01:25 +02:00
Erik Krogh Kristensen
c0b7538cf0 made the blacklist for methods named "function" work again 2019-10-02 14:56:41 +02:00
Erik Krogh Kristensen
e5290f3bb0 remove some parentheses 2019-10-02 14:51:47 +02:00
Erik Krogh Kristensen
22aac8e723 ensure that the existence of non-synthetic constructor is checked correctly 2019-10-02 14:49:33 +02:00
Anders Schack-Mulligen
f87cb4d6ac Java/C++/C#: Address review comments and fix test. 2019-10-02 14:32:17 +02:00
Shati Patel
9c54eef45a QL HB: Update aggregation section 2019-10-02 12:48:16 +01:00
Shati Patel
3dd2a6c325 QL etudes: Add further explanation + link 2019-10-02 12:21:23 +01:00
Anders Schack-Mulligen
0154e31e64 Java: Add change note. 2019-10-02 11:47:53 +02:00
Calum Grant
28c34ad41e C#: Address review comments. 2019-10-02 10:42:06 +01:00
Calum Grant
39f550b6d2 Merge pull request #2054 from hvitved/csharp/autobuilder/log-cleanup
C#: Cleanup more files after failed autobuilder attempt
2019-10-01 15:55:58 +01:00
Calum Grant
b4da63b3f2 Merge pull request #2061 from hvitved/csharp/local-function-label
C#: Prepend enclosing method in local function TRAP labels
2019-10-01 15:19:04 +01:00
Erik Krogh Kristensen
a66e33ea5e add references to TypeScript spec for "new" and "constructor" keywords 2019-10-01 15:56:45 +02:00
Jonas Jensen
3c7d79481f C++: Autoformat FlowVar.qll 2019-10-01 15:54:41 +02:00
Erik Krogh Kristensen
584b9d4e30 update expected test output 2019-10-01 15:53:37 +02:00
Erik Krogh Kristensen
2ad85d16bd refactor a list of negated conjunctions to a disjunction 2019-10-01 15:53:22 +02:00
Erik Krogh Kristensen
6c176fc967 introduce name as a variable, and adjust alert messages 2019-10-01 15:28:57 +02:00
Erik Krogh Kristensen
26a0bfac39 refactor js/suspicious-method-name-declaration to use isSynthetic predicate 2019-10-01 15:06:45 +02:00
Erik Krogh Kristensen
1e2aad5a29 fix pointer in .qlref, and update expected test results 2019-10-01 14:56:00 +02:00
Erik Krogh Kristensen
aa1368741b rename suspicious-method-name to suspicious-method-name-declaration 2019-10-01 14:37:07 +02:00
Jonas Jensen
0990ceb09a C++: Remove bbNotInLoop and its caller in FlowVar
This change is needed when enabling the QL CFG on certain snapshots such
as notaz/picodrive. It removes the `bbNotInLoop` predicate, which was
always a liability because it's inherently quadratic. The real slowdown
came in `skipLoop`, where all true-upon-entry loops were crossed with
all definitions of variables that should take their definition from the
loop body.
2019-10-01 14:33:28 +02:00
Jonas Jensen
eed24f1933 C++: Improve join orders with QL CFG
Size estimates are slightly different when we enable the QL CFG, and
this caused bad join orders in these predicates.
2019-10-01 14:33:28 +02:00
ian-semmle
e048207e2f Merge pull request #2055 from matt-gretton-dann/cpp-439-test-cases
C++: Add test cases for constant initializers
2019-10-01 12:43:46 +01:00
Shati Patel
427325b04a QL etudes: Update with Robert's suggestions 2019-10-01 11:23:41 +01:00
Jonas Jensen
34b625900a C++: Avoid extends Operation in LeapYear.qll
The `Operation` class is abstract, and extending it caused cached stages
to be recomputed all the way down to the AST. This meant that the leap
year queries evaluated their own copy of SSA and data flow.
2019-10-01 11:50:33 +02:00
Jonas Jensen
7434702958 Merge pull request #1735 from rdmarsh2/rdmarsh/cpp/ir-dataflow-def-by-ref-2
C++: side effect IR instructions for pointer arguments
2019-10-01 11:35:19 +02:00
Calum Grant
fdc29aa81d Merge pull request #2062 from hvitved/csharp/suppress-similar-file
C#: Suppress `cs/similar-file` alerts
2019-10-01 10:21:55 +01:00
Jonas Jensen
7c319efb8b C++: Data flow through reference parameters 2019-10-01 10:43:49 +02:00
Tom Hvitved
413926f675 C#: Prepend enclosing method in local function TRAP labels 2019-10-01 10:25:18 +02:00
Robert Marsh
d1e2ddcf99 C#: sync unalised_ssa IR stage and add to check 2019-09-30 12:53:00 -07:00
Robert Marsh
ee3b40bd89 C#: sync changes and accept test output 2019-09-30 12:00:55 -07:00
Robert Marsh
a45a6e48f8 C++: remove side effect operands from non-reads 2019-09-30 12:00:55 -07:00
Robert Marsh
9f20cb83c3 C++/C#: Autoformat 2019-09-30 12:00:55 -07:00
Robert Marsh
fcfc11052a C++: add QLDoc to side effect functions 2019-09-30 12:00:54 -07:00
Robert Marsh
8649978a43 C++: add indexes for specific side effects 2019-09-30 12:00:53 -07:00
Robert Marsh
24574be007 C++: add SizedBuffer side effect instructions 2019-09-30 12:00:53 -07:00
Robert Marsh
554d6390f7 C++: clean up after rebase 2019-09-30 12:00:53 -07:00
Robert Marsh
49088e7f09 C++: Fix formatting and dropped line 2019-09-30 12:00:53 -07:00
Robert Marsh
3d562243e4 C++: add side effects for outparams 2019-09-30 12:00:52 -07:00
Ziemowit Laski
a0cbd87d1f [zlaski/memset-model] Rename predicate usage as per PR/1938. 2019-09-30 10:47:59 -07:00
Ziemowit Laski
ae169e9c33 [zlaski/memset-model] Add AliasFunction as base class of MemsetFunction; override predicates parameterNeverEscapes, parameterEscapesOnlyViaReturn and parameterIsAlwaysReturned. 2019-09-30 10:44:12 -07:00
Ziemowit Laski
aaa2a60b93 [zlaski/memset-model] Remove taint tracking from Memset.qll. Add Memset.qll to Models.qll. 2019-09-30 10:44:12 -07:00
Ziemowit Laski
144aacb09d [zlaski/memset-model] New Memset.qll file. 2019-09-30 10:44:12 -07:00
Tom Hvitved
4f2ca11d2c C#: Suppress cs/similar-file alerts 2019-09-30 19:26:02 +02:00
Calum Grant
ad8ae35c82 Merge pull request #1956 from hvitved/csharp/get-an-out-node
C#: Refactor `getAnOutNode()` predicate
2019-09-30 16:58:21 +01:00
Matthew Gretton-Dann
b76f66e83b C++: Add test cases for constant initializers
Adds test cases for initialisation of constants which aren't simple
zeros.  Example: int x = int();
2019-09-30 14:57:26 +01:00
Taus
fb20cab4c8 Merge pull request #2012 from RasmusWL/python-modernise-cls-self-checks
Python: modernise cls self argument name checks
2019-09-30 15:50:32 +02:00
Jonas Jensen
f417640da4 Merge pull request #1938 from dave-bartolomeo/dave/InNOut
C++: Rename predicates in `FunctionInputsAndOutputs.qll` and add QLDoc
2019-09-30 13:30:19 +02:00
Erik Krogh Kristensen
0320f0f26b add query for detecting suspisous method names in TypeScript 2019-09-30 13:05:50 +02:00
Tom Hvitved
c18d0430de C#: Cleanup more files after failed autobuilder attempt 2019-09-30 12:08:25 +02:00
Taus
9a8b62250f Merge pull request #2043 from RasmusWL/python-modernise-django
Python: modernise django library
2019-09-30 11:57:09 +02:00
Taus
04f14f1fe7 Merge pull request #2040 from RasmusWL/python-modernise-cherrypy
Python: Modernise cherrypy library
2019-09-30 11:53:59 +02:00
Taus
fc4a583cd9 Merge pull request #2034 from RasmusWL/python-modernise-bottle
Python: modernise bottle
2019-09-30 11:52:16 +02:00
ian-semmle
610188984d Merge pull request #2031 from matt-gretton-dann/cpp-444-fix-vector_size-INVALID_KEY
Update tests for changes to reporting of vector_size attribute
2019-09-30 10:45:37 +01:00
Tom Hvitved
b7595ed60e C#: Remove duplicated class 2019-09-30 09:11:47 +02:00
Dave Bartolomeo
420713204a C++, C#: Fix typo 2019-09-29 22:44:17 -07:00
Dave Bartolomeo
043e5f716b C++, C#: Autoformat 2019-09-29 22:39:09 -07:00
Dave Bartolomeo
c1e5db0b96 C++ More PR feedback 2019-09-27 17:54:18 -07:00
Dave Bartolomeo
bcd987cdf1 Merge from master and share value numbering 2019-09-27 17:40:43 -07:00
Dave Bartolomeo
f76334c24a C++, C#: Share unaliased SSA files between languages
Most of the C# diffs are from bringing those files in sync with the latest C++ files.
2019-09-27 13:46:42 -07:00
Dave Bartolomeo
5585ccd509 C#: Fix up after merge 2019-09-27 12:33:33 -07:00
Taus
387e21e12c Merge pull request #2044 from AlexTereshenkov/add-py-query-tag
Add tags tag to a Python query
2019-09-27 17:54:54 +02:00
Calum Grant
abdf7ce223 Merge pull request #2045 from AndreiDiaconu1/ircsharp-various-fixes
C# IR: Minor sanity fixes
2019-09-27 15:51:07 +01:00
Calum Grant
09f441a27e Merge pull request #2009 from AndreiDiaconu1/ircsharp-rangeanalysis
C# IR: Add range analysis library
2019-09-27 14:27:41 +01:00
Taus Brock-Nannestad
c5c84a11d8 Python: Autoformat. 2019-09-27 15:22:12 +02:00
Taus Brock-Nannestad
aa16d20d5a Python: Fix false positive for cyclic imports guarded by if False:. 2019-09-27 15:22:12 +02:00
AndreiDiaconu1
c5cd5f489f Autoformat 2019-09-27 13:07:20 +01:00
Taus Brock-Nannestad
921371d544 Python: Modernise the cyclic import queries. 2019-09-27 13:51:56 +02:00
alexey
70eca91d28 Add tags tag to a Python query 2019-09-27 12:36:38 +01:00
AndreiDiaconu1
f5b31ae9f5 Static fields
The translation of static fields now uses `VariableAddress` instead of `FieldAddress`. This fixes the logic as well as the "field address without qualifier address" sanity check.
2019-09-27 12:21:47 +01:00
AndreiDiaconu1
21513102f7 Compiler generated constructor
Fixed a problem when the translating the compiler generated constructors that caused some sanity errors (since they have no body, when translating the constructor block fragmentation happened). Fixed this by skipping the translation of the body, if it does not exist (when translating a function).
2019-09-27 12:20:39 +01:00
Rasmus Wriedt Larsen
fc59b10ba4 Python: Autoformat (4 spaces) django library 2019-09-27 13:15:28 +02:00
Rasmus Wriedt Larsen
f4e0abd4c4 Python: Modernise django library 2019-09-27 13:14:52 +02:00
Rasmus Wriedt Larsen
bc8e4d2005 Python: Autoformat (4 spaces) cherrypy library 2019-09-27 13:06:09 +02:00
Taus Brock-Nannestad
9878e4fe26 Python: Apply four-space autoformat. 2019-09-27 13:04:17 +02:00
Taus Brock-Nannestad
4341e88fc4 Python: Clean up comments in preparation for autoformat. 2019-09-27 13:03:27 +02:00
Matthew Gretton-Dann
cc016d583d C++: Add further vector_size attribute tests 2019-09-27 11:28:31 +01:00
Matthew Gretton-Dann
c10ed5e114 C++: Update results for vector_size atrr changes 2019-09-27 11:28:31 +01:00
Taus Brock-Nannestad
25985e901b Python: Remove a few false positives from py/unused-import. 2019-09-27 11:46:59 +02:00
Rasmus Wriedt Larsen
ff28b3f1b4 Python: Modernise cherrypy library 2019-09-27 11:23:33 +02:00
Dave Bartolomeo
9b8b364c8f Merge from master 2019-09-26 22:15:02 -07:00
Dave Bartolomeo
c389432922 C++, C#: Sync IRType.qll between languages 2019-09-26 22:11:24 -07:00
Dave Bartolomeo
c8d154e9cc C#: Fix dump of IR types 2019-09-26 15:54:09 -07:00
Dave Bartolomeo
e30e163081 C#: Implement IRType
This commit implements the language-neutral IR type system for C#. It mostly follows the same pattern as C++, modified to fit the C# type system. All object references, pointers, and lvalues are represented as `IRAddress` types. All structs and generic parameters are implemented as `IRBlobType`. Function addresses get a single `IRFunctionAddressType`.

I had to fix a couple places in the original IR type system where I didn't realize I was still depending on language-specific types. As part of this, `CSharpType` and `CppType` now have a `hasUnspecifiedType()` predicate, which is equivalent to `hasType()`, except that it holds only for the unspecified version of the type. This predicate can go away once we remove the IR's references to the underlying `Type` objects.

All C# IR tests pass without modification, but only because this commit continues to print the name of `IRUnknownType` as `null`, and `IRFunctionAddressType` as `glval<null>`. These will be fixed separately in a subsequent commit in this PR.
2019-09-26 15:47:52 -07:00
Dave Bartolomeo
28aa7dcae2 C++: Fix PR feedback 2019-09-26 13:56:43 -07:00
Geoffrey White
18b28b1b57 Merge pull request #1959 from jbj/const-pmf
C++: Classify more expressions as constant
2019-09-26 17:13:27 +01:00
AndreiDiaconu1
a7a5eaa23f Address PR comments 2019-09-26 16:49:18 +01:00
Anders Schack-Mulligen
f97958296d Java/C++/C#: Sync. 2019-09-26 17:12:08 +02:00
Erik Krogh Kristensen
7fb8f8453d fix for when the concatenation root is in parentheses 2019-09-26 16:35:38 +02:00
Rasmus Wriedt Larsen
4a5aae0db8 Python: autoformat (4 spaces) NonCls.ql NonSelf.ql 2019-09-26 16:31:14 +02:00
Rasmus Wriedt Larsen
457794e030 Python: Consistenly use parameter instead of argument in docs
The Python 3 FAQ states that this is the right thing [0]

It sadly doesn't align 100% with PEP8, which calls them for "arguments" [1], but
after discussion with Taus, we decided to go with "parameter" everywhere to be
consistent.

[0] https://docs.python.org/3/faq/programming.html#faq-argument-vs-parameter
[1] https://www.python.org/dev/peps/pep-0008/#function-and-method-arguments
2019-09-26 16:31:09 +02:00
Anders Schack-Mulligen
0afea80d53 Java: Improve guards for equal ssa variables. 2019-09-26 16:29:13 +02:00
Anders Schack-Mulligen
4221639155 Java: Improve taint/value distinction for flow through with fields. 2019-09-26 16:25:15 +02:00
Calum Grant
e1594a4b0b Merge pull request #2017 from AndreiDiaconu1/ircsharp-various
C# IR: Some minor additions
2019-09-26 15:02:59 +01:00
Rasmus Wriedt Larsen
41f16aaf7a Python: Autoformat (4 spaces) bottle library 2019-09-26 15:05:51 +02:00
Rasmus Wriedt Larsen
12c49031e8 Python: Modernise bottle library 2019-09-26 15:03:47 +02:00
Max Schaefer
1e7b4c2989 Merge pull request #1953 from asger-semmle/typescript-call-signature-api
TS: Make overload index and functions signature more available
2019-09-26 12:42:04 +01:00
Rasmus Wriedt Larsen
546405a379 Python: Add more tests for cls/self argument names 2019-09-26 13:25:14 +02:00
Rasmus Wriedt Larsen
5271d6a063 Python: Add min/max #parameters to FunctionValue
So we don't loose this information on the newly migrated/modernise zope
interface
2019-09-26 13:25:14 +02:00
Rasmus Wriedt Larsen
a81bf720f5 Python: Modernise the py/not-named-self query. 2019-09-26 13:25:14 +02:00
Rasmus Wriedt Larsen
c6d9eb9254 Python: Move more tests for argument names into own file
Plus fixup of expected output from unrelated tests
2019-09-26 13:25:14 +02:00
Rasmus Wriedt Larsen
3f974fbc14 Python: Modernise the py/not-named-cls query. 2019-09-26 13:25:14 +02:00
Erik Krogh Kristensen
69365ccd03 remove false positive in missingSpaceInAppend by requring the presence of a word-like fragment 2019-09-26 12:59:05 +02:00
AndreiDiaconu1
0999780d82 Address PR comments 2019-09-26 11:51:54 +01:00
AndreiDiaconu1
3a5140c0f5 Indexers and events
Added test for indexers.
Added support for event accesses and added test.
2019-09-26 11:46:16 +01:00
AndreiDiaconu1
16d8d2efa1 Remove useless translation 2019-09-26 11:46:16 +01:00
jf205
47a094239c Merge pull request #2028 from RasmusWL/learnql-fix-formatting
Learn QL: Minor formatting fix in python/statements-expressions
2019-09-26 10:34:31 +01:00
Asger F
c2f6855a7b JS: Update tests 2019-09-26 10:17:58 +01:00
Asger F
cafa9edf69 JS: upgrade script, stats, version string 2019-09-26 10:17:58 +01:00
Asger F
b4f67f20af JS: Extract types and signatures for functions 2019-09-26 10:17:58 +01:00
Asger F
999d10e1f0 JS: Use consistent indentation 2019-09-26 10:17:58 +01:00
Asger F
405d43d539 JS: Merge CallSignatureTypes test 2019-09-26 10:17:58 +01:00
Asger F
97494290de JS: Add getOverloadIndex() 2019-09-26 10:17:58 +01:00
Asger F
8ca294ae41 JS: Merge TypeScript/CallSignatures test 2019-09-26 10:17:58 +01:00
Rasmus Wriedt Larsen
c47a4e0c44 Learn QL: Minor formatting fix in python/statements-expressions 2019-09-26 11:16:24 +02:00
Taus
3f3b0e5149 Merge pull request #2013 from RasmusWL/python-random-bag
Python: small improvements
2019-09-26 11:08:36 +02:00
jf205
af1bfb2f7e Merge pull request #2025 from RasmusWL/python-fix-example-link
Learn QL: Fix query link in Python Points-to tutorial
2019-09-26 08:26:13 +01:00
Tom Hvitved
7f18f35f31 C#: Update test 2019-09-25 21:20:45 +02:00
Rasmus Wriedt Larsen
c6c565bc37 Learn QL: Fix query link in Python Points-to tutorial 2019-09-25 18:20:48 +02:00
Tom Hvitved
3da438bb84 C#: Handle unbound types in conversion library
A constructed type, `C<T>`, where `T` is the type parameter of `C`, is represented
in the database as the corresponding unbound generict type `C<>`. Consequently, the
type conversion library, which only considers `ConstructedType`s, does not handle
all implicit conversions. For example, in

```
interface I<in T1, T2> where T1 : C
```

there should be an implicit conversion from `I<C, T2>` to `I<T1, T2>` (=`I<>`).
2019-09-25 16:24:38 +02:00
Shati Patel
886b258385 QL etudes: Update linked queries 2019-09-25 14:35:25 +01:00
Tom Hvitved
c810776413 C#: Update reference conversion test 2019-09-25 15:14:21 +02:00
Shati Patel
0b0f69fe2d QL etudes: Tidy up alternative solns 2019-09-25 12:50:05 +01:00
semmle-qlci
24240177c5 Merge pull request #2023 from ian-semmle/agglit
Approved by jbj
2019-09-25 11:35:33 +01:00
Tom Hvitved
5a198a39df C#: Autoformat 2019-09-25 11:52:19 +02:00
Ian Lynagh
142e1cb9fb C++: Implement AggregateLiteral.mayBeImpure() 2019-09-25 10:34:30 +01:00
Anders Schack-Mulligen
7c1594df13 Java: Slight precision improvement for getter/setter detection. 2019-09-25 10:14:49 +02:00
Tom Hvitved
afdb788333 C#: Refactor cs/local-not-disposed using data flow library 2019-09-25 09:33:39 +02:00
Tom Hvitved
665564f809 C#: Add more tests for cs/local-not-disposed 2019-09-25 09:33:39 +02:00
Jonas Jensen
0aafa0b0e2 C++: Accept test changes in IR sanity queries
These looks harmless.
2019-09-25 08:55:55 +02:00
Jonas Jensen
67ae00f0f0 Merge pull request #2019 from zlaski-semmle/zlaski/what-buffer-function
Rename references to `BufferFunction` with `ArrayFunction`
2019-09-25 08:33:01 +02:00
Ziemowit Laski
a6d619cfe1 [zlaski/what-buffer-function] Rename CustomModels to Models 2019-09-24 18:17:34 -07:00
Ziemowit Laski
7e14e2a950 [zlaski/what-buffer-function] Rename references to BufferFunction to ArrayFunction. 2019-09-24 18:02:14 -07:00
Dave Bartolomeo
0e432c2405 Merge pull request #1937 from matt-gretton-dann/cpp-432-namespacembrs-unique-key
C++: Update test for fix to namespace members
2019-09-24 10:11:55 -07:00
Shati Patel
3441696100 Apply suggestions from code review 2019-09-24 17:28:14 +01:00
AndreiDiaconu1
d6e4a2afef Autoformat 2019-09-24 17:26:13 +01:00
Dave Bartolomeo
f5dc8ba3ce Merge pull request #2005 from AndreiDiaconu1/ircsharp-unaliased
C# IR: Unaliased SSA
2019-09-24 09:05:48 -07:00
Rasmus Wriedt Larsen
752615fb56 Python: Fix doc for Expr::isDeletion 2019-09-24 16:56:07 +02:00
Rasmus Wriedt Larsen
f870b21d2f Python: Use Builtin::special for floats ClassValue
We could find no reason for using `Builtin::builtin` instead of
`Builtin::special`. Since all the other base types use `special`, and the old
Object API is using `special`, let's also do that :)
2019-09-24 16:55:49 +02:00
semmle-qlci
0d3edae3fc Merge pull request #2004 from xiemaisi/js/fix-xss-sanitisers
Approved by asger-semmle
2019-09-24 15:44:23 +01:00
Taus
594a50e066 Merge pull request #1955 from RasmusWL/python-modernise-explicit-return-in-init
Python: Modernise the `py/explicit-return-in-init` query.
2019-09-24 16:23:37 +02:00
AndreiDiaconu1
3f4713f0f5 Add tests and query 2019-09-24 14:53:12 +01:00
AndreiDiaconu1
1b47f80a7a C# implementation 2019-09-24 14:53:12 +01:00
AndreiDiaconu1
f25602bf1c Initial, C++ implementation 2019-09-24 14:53:12 +01:00
AndreiDiaconu1
9228cf83fa Address PR comments 2019-09-24 14:49:09 +01:00
Ian Lynagh
49276e09c5 C++: Add aggregate literals to sideEffects test 2019-09-24 11:28:57 +01:00
Dave Bartolomeo
300e580874 C++: Implement language-neutral IR type system
The C++ IR currently has a very clunky way of specifying the type of an IR entity (`Instruction`, `Operand`, `IRVariable`, etc.). There are three separate predicates: `getType()`, `isGLValue()`, and `getSize()`. All three are necessary, rather than just having a `getType()` predicate, because some IR entities have types that are not represented via an existing `Type` object in the AST. Examples include the type for an lvalue returned from a `VariableAddress` instruction, the type for an array slice being zero-initialized in a variable initializer, and several others. It is very easy for QL code to just check the `getType()` predicate, while forgetting to use `isGLValue()` to determine if that type is the actual type of the entity (the prvalue case) or the type referred to by a glvalue entity. Furthermore, the C++ type system creates potentially many different `Type` objects for the same underlying type (e.g. typedefs, using declarations, `const`/`volatile` qualifiers, etc.), making it more difficult to tell when two entities have semantically equivalent types.

In addition, other languages for which we want to enable the IR have somewhat different type systems. The various language type systems differ in their structure, although they tend to share the basic building blocks necessary for the IR.

To address all of the above problems, I've introduced a new class hierarchy, rooted at the class `IRType`, that represents a bare-bones type system that is independent of source language (at least across C/C++/C#/Java). A type's identity is based on its kind (signed integer, unsigned integer, floating-point, Boolean, blob, etc.), size and in the case of blob types, a "tag" to differentiate between different classes and structs. No distinction is made between, say `signed int` and plain `int`, or between different language integer types that have the same signedness and size (e.g. `unsigned int` vs. `wchar_t` on Linux). `IRType` is intended for use by language-agnostic IR-based analyses, including range analysis, dataflow, SSA construction, and alias analysis. The set of available `IRType`s is determined by predicate provided by the language library implementation (e.g. `hasSignedIntegerType(int byteSize)`.

In addition to `IRType`, each language now defines a type alias named `LanguageType`, representing the type of an IR entity in more language-specific terms. The only predicate requried on `LanguageType` is `getIRType()`, which returns the single `IRType` object for the language-neutral representation of that `LanguageType`. All other predicates on and subclasses of `LanguageType` are language-specific. There may be many instances of `LanguageType` that map to a given `IRType`, to allow for typedefs, etc.

Most of the changes are mechanical changes in the IR construction code, to return the correct type for each IR entity. SSA construction has also been updated to avoid dependencies on language-specific types.

I have not yet removed the original `getType()` predicates that just return `Type`. These can be removed once we move the remaining existing libraries to use `IRType`.

Test results are, by design, pretty much unchanged. Once case changed for inline asm, because the previously IR generation for it played a little fast and loose with the input/output expressions. The test case now includes both input and output variables. The generated IR for `Conditional_LValue` is now more correct, because we now have a way to represent an lvalue of an lvalue. `syntax-zoo` is still a hot mess. Most of the changed outputs are due to wobble from having multiple functions with the same name, but with a slightly different order of evaluation due to the type changes. Others are wobble from already-invalid IR. A couple non-wobbly places have improved slightly, though.

The C# part of this change is waiting for #2005 to be merged, since that has some of the necessary C# implementation.
2019-09-23 16:14:00 -07:00
Calum Grant
b85896299d Merge pull request #2000 from AndreiDiaconu1/ircsharp-fixes
C# IR: Minor fixes and changes
2019-09-23 18:14:50 +01:00
AndreiDiaconu1
a86a15d280 Fix problem with IsExpr
The translation of `IsExpr` created a sanity check to fail since it generated
a Phi node that had only one source: if a variable was declared as part of the `IsExpr`, a conditional branch was generated, and the variable was defined only in the true successor; this has been changes so that the declaration happens before the conditional branch, and the variable is uninitialized (this removed the need for the `isInitializedByElement` predicate from `TranslatedDeclarationBase`, so that has been removed) and only the assignment happens in the true successor block (so now the two inputs of the Phi node are the result of the `Uninitialized` instruction and the `Store` instruction from the true successor block).
2019-09-23 17:37:50 +01:00
Shati Patel
c156d6a555 Autoformat QL 2019-09-23 17:34:08 +01:00
AndreiDiaconu1
17e6b80a34 Added C# implementation 2019-09-23 17:31:24 +01:00
AndreiDiaconu1
1dab4e0e26 Initial commit, C++ files 2019-09-23 17:31:24 +01:00
Max Schaefer
d4fca84898 JavaScript: Improve XSS sanitizer detection.
We now use local data flow to detect more regexp-based sanitizers.
2019-09-23 17:07:06 +01:00
Matthew Gretton-Dann
6b28f33713 C++: Update test for fix to namespace members
Generation of IDs for namespace members has been fixed to generate
unique IDs for variables of the same name but in different namespaces.

Update the same_name test to validate this.
2019-09-23 16:04:59 +01:00
Jonas Jensen
22e57a6559 Merge pull request #1860 from matt-gretton-dann/add-using-aliases
Add support for using aliases
2019-09-23 16:53:51 +02:00
Jonas Jensen
898976121b Merge pull request #1987 from geoffw0/toomanyformat
CPP: WrongNumberOfFormatArguments.ql Fix
2019-09-23 16:05:11 +02:00
AndreiDiaconu1
7f76947af0 Autoformat 2019-09-23 15:03:38 +01:00
AndreiDiaconu1
ae503b2982 Remove incorrect Load
Removed an incorrect `Load` op generated by propery accesses.
2019-09-23 14:43:08 +01:00
AndreiDiaconu1
3c95205f2e Minor fixes for array related translation
More accurate type sizes using language specific predicates from `IRCSharpLanguage.qll`.
Added immediate operands for some `PointerX` (add, sub) instructions.
Some other minor consistency fixes.
2019-09-23 14:37:31 +01:00
Robert Marsh
90c91a78f8 Merge pull request #1976 from pavgust/fix/hashcons-perf
C++: HashCons: Further performance improvements
2019-09-23 06:37:03 -07:00
Rasmus Wriedt Larsen
a0ecbc555d Merge pull request #1998 from taus-semmle/python-support-aiter
Python: Add `__aiter__` as a recognised iterator method.
2019-09-23 15:32:53 +02:00
Matthew Gretton-Dann
4606587fe8 C++: Apply style guide to TypedefType.qll 2019-09-23 13:57:50 +01:00
Matthew Gretton-Dann
af3b0d9e73 C++: Update stats. 2019-09-23 13:57:50 +01:00
Matthew Gretton-Dann
c8dfa46c63 C++: Add upgrade script for using aliases. 2019-09-23 13:57:50 +01:00
Matthew Gretton-Dann
fc75a6af5a C++: Add tests for using aliases 2019-09-23 13:57:50 +01:00
Matthew Gretton-Dann
9ff38ebeee C++: Update tests for new CTypedefType. 2019-09-23 13:57:50 +01:00
Matthew Gretton-Dann
5468b8def7 C++: Add support for C++ using aliases
Previously these were identified as typedefs.
2019-09-23 13:57:50 +01:00
Geoffrey White
b3df289a80 CPP: Fix test. 2019-09-23 13:56:24 +01:00
Geoffrey White
2d8e4b3176 CPP: Additional cases resembling the ticket. 2019-09-23 13:04:14 +01:00
semmle-qlci
825a3d2917 Merge pull request #1954 from asger-semmle/type-tracking-through-captured-vars
Approved by xiemaisi
2019-09-23 12:10:30 +01:00
semmle-qlci
e2c941c577 Merge pull request #1916 from erik-krogh/taintedLength
Approved by asger-semmle, xiemaisi
2019-09-23 11:47:48 +01:00
Taus Brock-Nannestad
e1012d8d5a Python: Add __aiter__ as a recognised iterator method. 2019-09-23 12:26:16 +02:00
Geoffrey White
040bd89163 CPP: Correct expected results. 2019-09-23 11:02:36 +01:00
Rasmus Wriedt Larsen
d6a7b6f7f1 Python: Fix documentation markup for IdentityEqMethod 2019-09-23 11:22:56 +02:00
Rasmus Wriedt Larsen
d273974045 Python: Don't flag return procedure_call() in __init__ as error
This commit fixes the results for
0d8a429b7e/files/mayaTools/cgm/lib/classes/AttrFactory.py (L90)

```
def __init__(...):
    if error_case:
        return guiFactory.warning(...)
```

that was wrongly reporting _Explicit return in __init__ method._ as an error.
2019-09-23 11:22:55 +02:00
Rasmus Wriedt Larsen
6e50a0ef84 Python: Modernise the py/explicit-return-in-init query.
Add explicit test case to show that we don't doulbe report this problem.
2019-09-23 11:22:55 +02:00
Rasmus Wriedt Larsen
f0479687d8 Python: Fix documentation for Function.isInitMethod 2019-09-23 11:22:55 +02:00
Shati Patel
f88f7962e7 QL etudes: Update predicate 2019-09-23 10:19:49 +01:00
Anders Schack-Mulligen
f8f3a4b25f Java: Minor additional type pruning. 2019-09-23 11:07:10 +02:00
Shati Patel
f94b01cb40 QL etudes: Address comments + fix sphinx warning 2019-09-23 09:52:43 +01:00
semmle-qlci
7a57a3c743 Merge pull request #1996 from xiemaisi/js/fix-illegal-invocation-refl
Approved by esben-semmle
2019-09-23 09:16:33 +01:00
Max Schaefer
149ae5d7ab JavaScript: Fix IllegalInvocation.
This fixes false positives that arise when a call such as `f.apply` can either be interpreted as a reflective invocation of `f`, or a normal call to method `apply` of `f`.
2019-09-23 07:44:14 +01:00
Tom Hvitved
e4d17a9b04 C#: Refactor getAnOutNode() predicate 2019-09-22 18:55:34 +02:00
Erik Krogh Kristensen
814c5537be update name of loop bound injection in change-notes 2019-09-20 22:56:08 +02:00
Asger F
69a88c4fcd JS: Fix typo and add metadata to DomValueRefs 2019-09-20 15:43:08 +01:00
Asger F
1ce0a48996 JS: Update tests 2019-09-20 15:41:36 +01:00
Geoffrey White
9100ab9360 CPP: Autoformat. 2019-09-20 15:30:59 +01:00
Anders Schack-Mulligen
42a970b905 Java: Update qldoc. 2019-09-20 16:21:03 +02:00
Geoffrey White
accb8246d4 CPP: Change note. 2019-09-20 15:15:35 +01:00
Anders Schack-Mulligen
d9aa46d3b0 Java: Add missing field pruning. 2019-09-20 16:13:48 +02:00
Anders Schack-Mulligen
648335d46d Java: Remove two unnecessary unbinds. 2019-09-20 16:12:56 +02:00
Geoffrey White
f7607313e7 CPP: Fix FPs. 2019-09-20 15:12:55 +01:00
Geoffrey White
9a407eb43c CPP: Test format args with mismatching declarations. 2019-09-20 14:54:44 +01:00
Calum Grant
b31cd8ab32 Merge pull request #1982 from hvitved/csharp/null-maybe-dynamic
C#: Remove false positives from `cs/dereferenced-value-may-be-null`
2019-09-20 14:46:01 +01:00
Calum Grant
8408e90b5f C#: Change note & docs. 2019-09-20 14:44:07 +01:00
Shati Patel
56bc8cb035 QL etudes: Add river crossing puzzle
WIP
2019-09-20 14:23:47 +01:00
Calum Grant
fdc8abce4d C#: Fix CFG by removing unnecessary edge. 2019-09-20 14:22:31 +01:00
Calum Grant
d696235668 C#: Updated CFG for switch statements - note that the last() predicate is incorrect. 2019-09-20 14:22:31 +01:00
Calum Grant
81110dca0a C#: Add new test for switch statements. 2019-09-20 14:22:31 +01:00
Calum Grant
478095223e Merge pull request #1983 from hvitved/csharp/unit-test-windows
C#: Fix broken unit test on Windows
2019-09-20 13:52:01 +01:00
Pavel Avgustinov
1c971d3f88 HashCons: Further performance improvements
The key insight here is that `HC_FieldCons` and `HC_Array` are
functionally determined by the things that arise in another
recursive call. Lifting them to their own predicate, therefore,
reduces nonlinearity and constrains the join order in a way that
cannot be asymptotically bad -- and, indeed, makes quite a big
difference in practice.
2019-09-20 12:00:33 +01:00
Tom Hvitved
cb6e1536a3 C#: Fix broken unit test on Windows 2019-09-20 11:40:18 +02:00
semmle-qlci
6d9d859119 Merge pull request #1934 from asger-semmle/node-js-classification
Approved by esben-semmle
2019-09-20 09:50:34 +01:00
Tom Hvitved
fb68d839a9 C#: Add change note 2019-09-20 10:40:20 +02:00
Max Schaefer
4fe74c0b2a Merge pull request #1960 from Semmle/rc/1.22
Merge rc/1.22 into master
2019-09-20 09:08:40 +01:00
Tom Hvitved
aa0c78cd85 C#: Teach guards library about more null guards 2019-09-20 09:58:04 +02:00
Tom Hvitved
40fafc5fda C#: Teach comparison library about dynamic comparison operations 2019-09-20 09:51:35 +02:00
Tom Hvitved
c923cc6378 C#: Add tests for dynamic comparisons 2019-09-20 09:19:03 +02:00
Tom Hvitved
cb7db8f4c0 C#: Add more nullness tests 2019-09-20 09:18:55 +02:00
Robert Marsh
d3f2d8169e Merge pull request #1967 from jbj/tainttracking-ir-2
C++: DefaultTaintTracking flow from a to a[i]
2019-09-19 15:00:29 -07:00
Robert Marsh
9c6a0ffc48 Merge pull request #1979 from nickrolfe/wrong_type_uninstantiated
C++: ignore uninstantiated templates in WrongTypeFormatArguments.ql
2019-09-19 14:51:45 -07:00
Nick Rolfe
56f4f86921 C++: ignore uninstantiated templates in WrongTypeFormatArguments.ql 2019-09-19 21:18:47 +01:00
semmle-qlci
0387177acd Merge pull request #1851 from hvitved/csharp/early-identify-duplicate-extraction
Approved by calumgrant
2019-09-19 19:45:33 +01:00
Robert Marsh
fd88f7a3ce Merge pull request #1884 from jbj/dataflow-addressof
C++: Data flow through address-of operator (&)
2019-09-19 09:15:43 -07:00
Robert Marsh
340c8026de Merge pull request #1965 from jbj/bitfield-template
C++: Ignore templates in AmbiguouslySignedBitField.ql
2019-09-19 07:46:54 -07:00
semmle-qlci
6b783141e9 Merge pull request #1962 from shati-patel/sphinx/collapse
Approved by jf205
2019-09-19 15:33:45 +01:00
Calum Grant
3a51e02f66 Merge pull request #1923 from AndreiDiaconu1/ircsharp-pointers-typespec
C# IR: Fix loads and assign ops, add pointers, ref, in, out params
2019-09-19 15:25:54 +01:00
Shati Patel
2956cb781b Sphinx: Change to pointer 2019-09-19 15:07:18 +01:00
Jonas Jensen
29c93488bc C++: DefaultTaintTracking flow from a to a[i]
Switching `security.TaintTracking` to use `DefaultTaintTracking` causes
us to lose a result from `UnboundedWrite.ql`, while this commit restores
it:

diff --git a/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-120/CERT/STR35-C/UnboundedWrite.expected b/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-120/CERT/STR35-C/UnboundedWrite.expected
index 1eba0e52f0e..d947b33b9d9 100644
--- a/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-120/CERT/STR35-C/UnboundedWrite.expected
+++ b/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-120/CERT/STR35-C/UnboundedWrite.expected
@@ -1,2 +1,3 @@
+| main.c:54:7:54:12 | call to strcat | This 'call to strcat' with input from $@ may overflow the destination. | main.c:93:15:93:18 | argv | argv |
 | main.c:99:9:99:12 | call to gets | This 'call to gets' with input from $@ may overflow the destination. | main.c:99:9:99:12 | call to gets | call to gets |
 | main.c:213:17:213:19 | buf | This 'scanf string argument' with input from $@ may overflow the destination. | main.c:213:17:213:19 | buf | buf |
2019-09-19 14:52:40 +02:00
Jonas Jensen
34a5368101 C++: Ignore templates in AmbiguouslySignedBitField
If it's possible that the type is not fully resolved, it's better to
avoid giving an alert.

This fixes a FP in https://github.com/heremaps/flatdata.
2019-09-19 14:21:53 +02:00
Jonas Jensen
0ed0951d43 C++: Demonstrate AmbiguouslySignedBitField FP 2019-09-19 14:19:34 +02:00
semmle-qlci
6f2e485ace Merge pull request #1950 from xiemaisi/js/rate-limiter-flexible
Approved by esben-semmle
2019-09-19 12:45:45 +01:00
Tom Hvitved
61bd9f2f17 C#: Address review comments 2019-09-19 13:39:16 +02:00
Jonas Jensen
30d1c327cf C++: Implement predictableInstruction without Expr
This is one step toward implementing the taint-tracking wrapper in terms
of `Instruction` rather than `Expr`.

This leads to a few duplicate results in `TaintedAllocationSize.ql`
because the library now considers `sizeof(int)` to be just as
predictable as `4`, whereas the `security.TaintTracking` library does
not consider `sizeof` to be predictable. I think it's simpler to accept
the duplicate results since they are ultimately a quirk of the query,
not the library.

The following is the diff between (a) replacing `TaintTracking.qll` with
a link to `DefaultTaintTracking.qll` and (b) additionally applying this
commit.

diff --git a b
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -1,5 +1,8 @@
 | test.cpp:42:31:42:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:43:31:43:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:45:31:45:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:48:25:48:30 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
+| test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
--- a/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-190/CERT/INT04-C/int04.expected
+++ b/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-190/CERT/INT04-C/int04.expected
@@ -1 +1,2 @@
 | int04c.c:21:29:21:51 | ... * ... | This allocation size is derived from $@ and might overflow | int04c.c:14:30:14:35 | call to getenv | user input (getenv) |
+| int04c.c:22:33:22:38 | call to malloc | This allocation size is derived from $@ and might overflow | int04c.c:14:30:14:35 | call to getenv | user input (getenv) |
2019-09-19 13:11:27 +02:00
Taus
dcd62e5d97 Merge pull request #1961 from RasmusWL/python-split-function-tests
Python: split tests for Functions into more files
2019-09-19 13:07:46 +02:00
Shati Patel
0a710f2770 Sphinx: Make clickable section more obvious 2019-09-19 12:00:26 +01:00
Felicity Chapman
d9df5afc44 Merge pull request #1958 from jf205/slide-buttons
docs: a few slide improvements
2019-09-19 11:39:41 +01:00
Erik Krogh Kristensen
7671b6759b import DataFlow::PathGraph from the ql file instead of the qll file 2019-09-19 11:59:45 +02:00
Rasmus Wriedt Larsen
3c33e863ad Python: split tests for Functions into more files
Makes it easier to see what the testcases are relevant for what queries.
2019-09-19 11:54:28 +02:00
Erik Krogh Kristensen
bbf7e56e47 remove unused import in query 2019-09-19 11:49:20 +02:00
Shati Patel
7aefb839a7 Sphinx: Add support for collapsible sections 2019-09-19 10:44:34 +01:00
AndreiDiaconu1
c64db777ee More auto formatting 2019-09-19 10:31:25 +01:00
AndreiDiaconu1
e18b36bebf Make preds private, autoformat 2019-09-19 10:31:25 +01:00
AndreiDiaconu1
3a83dc54aa Update indexing logic 2019-09-19 10:31:25 +01:00
AndreiDiaconu1
47750513de Address PR comment and fix bug
Fixes a bug where loads for array indexes would be ignored, even though the only ignored load in an array access should be the qualifier's.
2019-09-19 10:31:25 +01:00
AndreiDiaconu1
fa74ed3419 Address PR comments 2019-09-19 10:31:25 +01:00
AndreiDiaconu1
515642eadc C# IR: pointers and pointer ops, unsafe, fixed
Added support for pointers and pointer operations and made sure all loads are correct.
Added support for the unsafe stmt.
Added basic support for the fixed stmt (for now we ignore the pinning).
2019-09-19 10:31:25 +01:00
AndreiDiaconu1
aef26cc534 C# IR: Fix Load inconsistencies, in, out, ref
Fixed a bug where assignments of the form `Object obj1 = obj2` would not generate a load instruction for `obj2` (see `raw_ir.expected`).
Added an extra `Load` for object creations that involve structs. This is because the variable that represents the struct should hold the actual struct, not a reference to it.
Refactored the piece of code that decided if a particular expr needs a load instruction and improved the code sharing between `TranslatedExpr.qll` and `TranslatedElement.qll` by creating 2 predicates that tell if a certain expr does or does not need a load.
Added support for `in`, `out` and `ref` parameters.
2019-09-19 10:31:23 +01:00
Erik Krogh Kristensen
3ef187f7f2 Add external/cwe/cwe-834 tag in change notes for js/loop-bound-injectoin
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-19 11:30:15 +02:00
AndreiDiaconu1
9ac052711b C# IR: Fix problem with AssignOperations 2019-09-19 10:30:15 +01:00
Calum Grant
23087672bf Merge pull request #1920 from AndreiDiaconu1/ircsharp-usingstmt
C# IR: using, checked, unchecked stmts
2019-09-19 10:26:59 +01:00
Calum Grant
dd3fb6ca52 Merge pull request #1929 from hvitved/csharp/cfg/finally
C#: Fix CFG for nested `finally` blocks
2019-09-19 10:13:31 +01:00
Max Schaefer
fa91ecb0d3 Merge pull request #1952 from hvitved/merge-rc
Merge rc/1.22 into master
2019-09-19 09:42:19 +01:00
Max Schaefer
4e1e7bc127 JavaScript: Apply review suggestion.
Co-Authored-By: Esben Sparre Andreasen <42067045+esben-semmle@users.noreply.github.com>
2019-09-19 09:40:28 +01:00
james
4adda1056f docs: better fix for width on notes 2019-09-19 09:27:28 +01:00
Jonas Jensen
307b92feed C++: Unknown template literals are constant 2019-09-19 10:23:26 +02:00
james
8b13e32598 docs: add icons on slides with notes 2019-09-19 08:44:36 +01:00
james
1d0a96f0a1 docs: mention icons on training homepage 2019-09-19 08:44:13 +01:00
james
86069df9ee docs: mention graphviz in readme 2019-09-19 08:44:08 +01:00
james
9242507487 docs: removed unused extension from conf.py 2019-09-19 08:44:01 +01:00
james
b07e1fa08d docs: slightly adjust width of lists in notes 2019-09-19 08:43:48 +01:00
Esben Sparre Andreasen
b631bfc8eb Merge branch 'master' into node-js-classification 2019-09-19 09:42:26 +02:00
Jonas Jensen
9b805c01cc Merge pull request #1951 from pavgust/fix/hashcons-perf
C++: Fix HashCons library performance
2019-09-19 08:10:34 +02:00
Raul Garcia
c66e5dd13a Merge pull request #1 from Semmle/master
Switching Base
2019-09-18 13:39:16 -07:00
Tom Hvitved
11f9967491 C#: Address review comments 2019-09-18 17:36:31 +02:00
AndreiDiaconu1
99c6a328c4 Autoformat 2019-09-18 16:20:06 +01:00
Asger F
71763af2d5 JS: Further restrict receiver type inference 2019-09-18 16:18:10 +01:00
Asger F
e724f92ee8 JS: Also summarize loads 2019-09-18 16:18:10 +01:00
Asger F
ffc69cb61e JS: Summarize functions in type tracking 2019-09-18 16:17:59 +01:00
Asger F
3479f02082 JS: Add test showing lack of flow out of inner function 2019-09-18 16:17:22 +01:00
Asger F
76438f98ad JS: Add DomValuesRefs metric 2019-09-18 16:17:21 +01:00
Asger F
0924de4c56 JS: Simplify call graph metric 2019-09-18 16:17:21 +01:00
Tom Hvitved
cf4db48eb1 Merge branch 'rc/1.22' into master 2019-09-18 16:53:55 +02:00
Anders Schack-Mulligen
327ade1f34 Merge pull request #1940 from hvitved/dataflow/pathnode-successor
Java/C++/C#: Simplify `PathNode` successor logic
2019-09-18 16:13:39 +02:00
Jonas Jensen
e0d1da3b67 C++: Test for template enum constant CFG 2019-09-18 15:17:24 +02:00
semmle-qlci
cd362d82a5 Merge pull request #1948 from hvitved/csharp/autoformat
Approved by calumgrant
2019-09-18 14:17:02 +01:00
semmle-qlci
57a6c0c20d Merge pull request #1918 from esben-semmle/js/improve-getAResponseDataNode
Approved by asger-semmle
2019-09-18 14:03:45 +01:00
Jonas Jensen
7d8396fa65 C++: Constant template pointer-to-member literals 2019-09-18 14:44:25 +02:00
Jonas Jensen
d644150ead C++: Test for template pointer-to-member CFG 2019-09-18 14:30:18 +02:00
Jonas Jensen
0f2731064d C++: Annotate tellDifferent with template status
This is helpful for turning real-world cases into test cases.
2019-09-18 14:23:52 +02:00
Jonas Jensen
c90fd32a78 C++: Pointer-to-member-function is constant 2019-09-18 13:55:56 +02:00
Pavel Avgustinov
eca31908ab HashCons: Make some functionality apparent.
The user knows that an expression functionally determines its
hashCons value, and that an expression functionally determines
its number of children, but this is not provable from the
definitions, and so not usable by the optimiser. By storing
the result of those known-functional calls in a variable,
rather than repeating the call, we enable better join orders.
2019-09-18 12:54:48 +01:00
Pavel Avgustinov
03502863cf Distribute a recursive call into a recursive disjunction.
As the linearity of the disjuncts is different, this enables us to
pick better join orders for each disjunct separately.
2019-09-18 12:54:48 +01:00
Jonas Jensen
55edfe4224 C++: Test for pointer-to-member-function CFG 2019-09-18 13:37:52 +02:00
Tom Hvitved
6318cc9a71 Java: Update expected test output 2019-09-18 13:36:15 +02:00
Tom Hvitved
09e4e7901a C#: Update expected test output 2019-09-18 13:36:15 +02:00
Tom Hvitved
d8074ddfa6 Sync files 2019-09-18 13:36:15 +02:00
Tom Hvitved
48aec33769 Java/C++/C#: Simplify PathNode successor logic 2019-09-18 13:36:14 +02:00
semmle-qlci
479fca9e30 Merge pull request #1946 from xiemaisi/js/top-level-await
Approved by asger-semmle
2019-09-18 12:32:09 +01:00
semmle-qlci
b4b7314757 Merge pull request #1941 from xiemaisi/js/fix-incorrect-suffix-check-performance
Approved by asger-semmle
2019-09-18 12:31:46 +01:00
Max Schaefer
3970ead7ab JavaScript: Add support for rate-limiter-flexible package. 2019-09-18 12:25:33 +01:00
Taus
bbc98513c0 Merge pull request #1942 from RasmusWL/python-modernise-consistent-tuple-size
Python: Modernise the `py/mixed-tuple-returns` query.
2019-09-18 13:19:36 +02:00
Geoffrey White
ae9f35be00 Merge pull request #1947 from jbj/autoformat-followup
C++: Autoformat five files
2019-09-18 12:15:47 +01:00
Tom Hvitved
bb83b92c6b C#: Autoformat 2019-09-18 12:02:59 +02:00
Jonas Jensen
571c96bb2f C++: Autoformat five files
These files have come out of autoformat since the big commit that
autoformatted everything.
2019-09-18 11:55:19 +02:00
Jonas Jensen
e7d8fa4251 Merge pull request #1945 from geoffw0/more-tests
CPP: Add a test of ConditionalDeclExpr.
2019-09-18 11:11:16 +02:00
Max Schaefer
9ff5c7007a JavaScript: Add support for top-level await. 2019-09-18 09:56:21 +01:00
AndreiDiaconu1
0e32639af9 Address PR comments 2019-09-18 09:53:14 +01:00
Geoffrey White
07e29bb627 CPP: Add a test of ConditionalDeclExpr. 2019-09-17 17:38:54 +01:00
AndreiDiaconu1
f589033364 PR fixes 2019-09-17 16:17:39 +01:00
AndreiDiaconu1
5e0addc776 C# IR: using, checked, unchecked stmts
Added basic support for the using stmt, checked stmt, unchecked stmt
Note that the translations do not use the compiler generated element framework and hence they are just rough approximations. For accuracy, in the future their translation should use it.
2019-09-17 16:16:32 +01:00
Rasmus Wriedt Larsen
631603fa92 Python: Modernise the py/mixed-tuple-returns query. 2019-09-17 16:07:56 +02:00
Esben Sparre Andreasen
ac6554b7da Merge branch 'master' into js/improve-getAResponseDataNode 2019-09-17 13:18:41 +02:00
Jonas Jensen
b2df18ab78 C++: Document tests better
This addresses PR comments by @rdmarsh2.
2019-09-17 13:17:25 +02:00
Jonas Jensen
ef601cf78e C++: Annotate changes in struct_init.c test 2019-09-17 13:16:36 +02:00
Jonas Jensen
655f940085 C++: Accept changes in CWE-{119,120} tests
These new results seem better than the previous ones, but the previous
ones are still there. Perhaps the `Buffer.qll` library could use some
adjustment, but this seems like an improvement in isolation.
2019-09-17 13:16:36 +02:00
Jonas Jensen
fd6d06fe6f C++: Data flow through address-of operator (&)
The data flow library conflates pointers and their objects in some
places but not others. For example, a member function call `x.f()` will
cause flow from `x` of type `T` to `this` of type `T*` inside `f`. It
might be ideal to avoid that conflation, but that's not realistic
without using the IR.

We've had good experience in the taint tracking library with conflating
pointers and objects, and it improves results for field flow, so perhaps
it's time to try it out for all data flow.
2019-09-17 13:16:34 +02:00
Asger F
f8eff06aa1 JS: Change note 2019-09-17 11:20:39 +01:00
Tom Hvitved
396a72db5f Merge pull request #1898 from AndreiDiaconu1/ircsharp-collections
C# IR: Object creation refactor and collection initializers
2019-09-17 10:48:07 +02:00
Dave Bartolomeo
21f6ab787d C++: Rename predicates in FunctionInputsAndOutputs.qll and add QLDoc 2019-09-16 12:06:06 -07:00
Tom Hvitved
1f927516d8 Merge pull request #1936 from calumgrant/cs/nameof-qualified-namespace
C# extractor: Handle nameof(A.B) where A.B is a qualified namespace
2019-09-16 19:28:48 +02:00
Geoffrey White
3df31e6ccf CPP: Tiny qldoc fixes. 2019-09-16 16:52:48 +01:00
Calum Grant
4e6216379d Merge pull request #1935 from AndreiDiaconu1/ircsharp-forinitfix
C# IR: Fix for init
2019-09-16 16:24:30 +01:00
AndreiDiaconu1
43accd37e1 Address PR comments 2019-09-16 15:42:45 +01:00
Max Schaefer
df739e0fca JavaScript: Fix performance regression in IncorrectSuffixCheck. 2019-09-16 15:25:17 +01:00
Calum Grant
8eeded5982 C#: Handle nameof(A.B) where A.B is a nested namespace. 2019-09-16 15:12:10 +01:00
AndreiDiaconu1
fcb3d99351 C# IR: Fix for init 2019-09-16 11:57:37 +01:00
semmle-qlci
e6b748a8e7 Merge pull request #1875 from esben-semmle/js/blacklist-more-hardcoded-passwords
Approved by xiemaisi
2019-09-16 10:57:35 +01:00
Tom Hvitved
4f897b2628 C#: Address review comments 2019-09-16 10:45:37 +02:00
Esben Sparre Andreasen
a5645e168a JS: exclude keys from whitelist 2019-09-16 10:13:18 +02:00
Esben Sparre Andreasen
c9d31e90fe JS: add change notes 2019-09-16 10:11:43 +02:00
Esben Sparre Andreasen
0e2d2f8662 JS: whitelist some hardcoded dummy-passwords in two queries 2019-09-16 10:11:43 +02:00
Esben Sparre Andreasen
aa3f4a7048 JS: change passwords in tests 2019-09-16 10:09:59 +02:00
jf205
526c123016 Merge pull request #1931 from shati-patel/docs/ql-lexer
Docs/QL lexer: Require whitespace character after annotation
2019-09-14 07:00:31 +01:00
Dave Bartolomeo
553238a9e8 Merge pull request #1922 from jbj/qlcfg-const-pointer-to-member
C++: Add PointerToFieldLiteral class
2019-09-13 10:44:52 -07:00
Shati Patel
9187db585c QL lexer: Require whitespace character after annotation 2019-09-13 16:13:13 +01:00
Asger F
a8e8ae868a JS: Update extractor version string 2019-09-13 15:48:31 +01:00
Asger F
173f32d2ba JS: Recognize 'require' calls in more cases 2019-09-13 15:48:31 +01:00
Asger F
3b7ecd5ccf JS: Add NumModules metric 2019-09-13 15:48:31 +01:00
semmle-qlci
82097f63ac Merge pull request #1903 from jf205/js-links
Approved by asger-semmle
2019-09-13 15:25:02 +01:00
Erik Krogh Kristensen
9dc9adda64 fix capitalization in test case
Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-09-13 14:54:18 +01:00
Erik Krogh Kristensen
3fb64abb09 fix consistency and spelling in the documentation
suggestions from the documentation team

Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-09-13 14:52:11 +01:00
Erik Krogh Kristensen
c4f27ed4cc rename TaintedLength to LoopBoundInjection 2019-09-13 11:12:01 +01:00
Erik Krogh Kristensen
673e883c21 use superscript to denote the size of the tainted object 2019-09-13 11:00:11 +01:00
semmle-qlci
d0d3882121 Merge pull request #1919 from esben-semmle/js/fixup-1
Approved by asger-semmle, xiemaisi
2019-09-13 10:40:38 +01:00
semmle-qlci
1313821a25 Merge pull request #1904 from erik-semmle/passportModel
Approved by asger-semmle, esben-semmle
2019-09-13 10:38:14 +01:00
Erik Krogh Kristensen
5b2b60f132 change DOS to DoS, and other small documentation fixes
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-13 10:26:01 +01:00
Tom Hvitved
f5cae9b6ea Merge pull request #1881 from aschackmull/java/pathgraph-nodes
Java/C++/C#: Add nodes predicate to PathGraph.
2019-09-13 10:32:47 +02:00
Dave Bartolomeo
e8cf3f876e Merge pull request #1660 from zlaski-semmle/zlaski/builtin-va-list
Add a `__builtin_va_list` type, to complement `__builtin_va_*`
2019-09-12 14:04:55 -07:00
Dave Bartolomeo
9072f6231f Merge pull request #1928 from jbj/autoformat-ssa
C++: Autoformat IR SSA files
2019-09-12 14:03:20 -07:00
zlaski-semmle
45640395a9 Merge pull request #1803 from geoffw0/qldoceg9
CPP: Add syntax examples to QLDoc in Variable.qll
2019-09-12 12:32:58 -07:00
Robert Marsh
7f6108259e Merge pull request #1927 from jbj/instructionNode
C++: Add DataFlow::instructionNode
2019-09-12 12:06:01 -07:00
Rebecca Valentine
f503e042fc Merge pull request #1877 from taus-semmle/python-modernise-non-iterator-query
Python: Modernise the `py/non-iterable-in-for-loop` query.
2019-09-12 11:14:40 -07:00
Calum Grant
b7db15646c Merge pull request #1858 from AndreiDiaconu1/ircsharp-continue
C# IR: Add support for `ContinueStmt`
2019-09-12 17:37:01 +01:00
Erik Krogh Kristensen
c2efb0afe7 two tiny qldoc changes 2019-09-12 16:58:07 +01:00
Erik Krogh Kristensen
119b1ffb80 changes based on review from max 2019-09-12 16:30:42 +01:00
Erik Krogh Kristensen
dc891dc420 added js/loop-bound-injection to javascript security suite 2019-09-12 15:50:50 +01:00
Erik Krogh Kristensen
17a71a97c5 add loop-bound-injection to change-notes 2019-09-12 15:28:14 +01:00
Erik Krogh Kristensen
3d359bc8dc Merge remote-tracking branch 'upstream/master' into taintedLength 2019-09-12 15:24:36 +01:00
Erik Krogh Kristensen
30f1bcf5bc updated query ID and expected output 2019-09-12 15:24:33 +01:00
Jonas Jensen
0c092e21b0 C++: Autoformat IR SSA files
One autoformat omission had also slipped into
`DefaultTaintTracking.qll`.
2019-09-12 15:45:08 +02:00
Jonas Jensen
10270cb36d C++: Turn a comment into QLDoc 2019-09-12 15:44:04 +02:00
AndreiDiaconu1
e55f16d990 Fix comment 2019-09-12 13:57:28 +01:00
AndreiDiaconu1
91fdfd48e5 Fixed CP problem 2019-09-12 13:09:49 +01:00
Jonas Jensen
c7e6081079 C++: Add DataFlow::instructionNode
This is for symmetry with `exprNode` etc., and it should be handy for
the same reasons. I found one caller of `asInstruction` that got simpler
by using the new predicate instead.
2019-09-12 11:44:17 +02:00
Tom Hvitved
5070270605 C#: Fix CFG for nested finally blocks 2019-09-12 11:44:04 +02:00
Tom Hvitved
b9fa837963 C#: Add new CFG test for try/finally 2019-09-12 11:44:04 +02:00
Tom Hvitved
3d32f3d173 C#: Restructure existing CFG tests for try/finally 2019-09-12 11:44:04 +02:00
AndreiDiaconu1
47120bc923 PR fixes 2019-09-12 10:34:00 +01:00
Calum Grant
e330d5a6c6 Merge pull request #1549 from hvitved/csharp/cfg/loop-unrolling
C#: Loop unrolling for `foreach` statements
2019-09-12 10:24:26 +01:00
AndreiDiaconu1
420abbf3dc C# IR: Support for ContinueStmt
Added support for continue stmt.
Minimal refactoring of the `TranslatedSpecificJump` classes.
Added a new test file, `jumps.cs` and updated the expected output.
2019-09-12 10:01:48 +01:00
Anders Schack-Mulligen
6299625b3d C#: Adjust qltest expected output. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen
61e4e61087 C++: Adjust qltest expected output. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen
2d620698d8 Java: Adjust qltest expected output. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen
95e2f162d9 Java/C++/C#: Adjust toString of empty accesspath. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen
0a4b15d40b Java/C++/C#: Add nodes predicate to PathGraph. 2019-09-12 11:00:49 +02:00
Erik Krogh Kristensen
2db0cdf4e2 two small qhelp fixes 2019-09-12 10:00:08 +01:00
semmle-qlci
10076a6b2b Merge pull request #1886 from jbj/ir-taint-shared
Approved by rdmarsh2
2019-09-12 06:48:24 +01:00
Robert Marsh
e71a39f6b6 Merge pull request #1912 from jbj/tainttracking-ir-1
C++: Stub replacement for security.TaintTracking
2019-09-11 13:44:39 -07:00
Tom Hvitved
8f3f9406e2 C#: Early identification of duplicate extraction 2019-09-11 20:47:20 +02:00
Geoffrey White
d1cc28e253 CPP: Address review comments. 2019-09-11 17:14:05 +01:00
Geoffrey White
ee07c705a4 CPP: More review suggestions. 2019-09-11 17:14:05 +01:00
Geoffrey White
8134d80c46 CPP: Review suggestions. 2019-09-11 17:14:05 +01:00
Geoffrey White
120b0c0c2c CPP: Modernize the TemplateVariables test and have the TemplateVariables actually included in the scope of the test. 2019-09-11 17:14:05 +01:00
Geoffrey White
68196df561 CPP: Examples Variable.qll. 2019-09-11 17:11:53 +01:00
semmle-qlci
72db219c13 Merge pull request #1910 from xiemaisi/js/unused-index-variable
Approved by esben-semmle, shati-semmle
2019-09-11 14:33:32 +01:00
Jonas Jensen
6912cafc54 C++: Use the RelationalOperation class 2019-09-11 15:21:49 +02:00
Jonas Jensen
0d0ab9157c C++: Address review comments 2019-09-11 15:20:36 +02:00
Taus Brock-Nannestad
1013fb7b25 Update .expected file for Python 3 tests. 2019-09-11 14:13:05 +02:00
Calum Grant
b85823bec5 Merge pull request #1857 from AndreiDiaconu1/ircsharp-forstmt
C# IR: More support for `ForStmt`s
2019-09-11 13:11:05 +01:00
Jonas Jensen
6021b4f04a C++: Remove local flow from additional taint step
This case was not supposed to be there -- that was the whole point of
having the `localAdditionalTaintStep` predicate.
2019-09-11 14:09:17 +02:00
Erik Krogh Kristensen
493a31d98d more fixes based on review 2019-09-11 12:53:59 +01:00
Jonas Jensen
ee16b239de C++: Add PointerToFieldLiteral class
Marking these expressions as constants fixes the CFG discrepancies that
can be observed on the affected test and on snapshots of MySQL.
2019-09-11 13:40:24 +02:00
Max Schaefer
500cde68c3 JavaScript: Add new query UnusedIndexVariable. 2019-09-11 11:36:50 +01:00
Esben Sparre Andreasen
9aa0e711b2 JS: update expected output 2019-09-11 12:33:41 +02:00
Erik Krogh Kristensen
bec522f0df small changes based on review feedback 2019-09-11 11:26:59 +01:00
Esben Sparre Andreasen
086c473c18 JS: sharpen js/http-to-file-access 2019-09-11 12:05:33 +02:00
Esben Sparre Andreasen
0e31cad027 JS: simplify this.getStringValue() to getStringValue() 2019-09-11 10:56:49 +02:00
Esben Sparre Andreasen
ee106ccff9 JS: simplify asExpr().getStringValue() calls 2019-09-11 10:56:57 +02:00
Esben Sparre Andreasen
aab17850d1 JS: eliminate redundant ConstantString casts 2019-09-11 10:56:49 +02:00
AndreiDiaconu1
195b99cf96 PR fixes 2019-09-11 09:54:01 +01:00
semmle-qlci
16c95d8c5e Merge pull request #1876 from esben-semmle/js/more-delimiter-stripping-whitelisting
Approved by xiemaisi
2019-09-11 09:16:57 +01:00
Esben Sparre Andreasen
f3de75ae07 JS: update a js/code-injection test 2019-09-11 09:45:54 +02:00
Esben Sparre Andreasen
e41080fb40 JS: add RemoteServerResponse as a heuristic remote flow source 2019-09-11 09:38:18 +02:00
Esben Sparre Andreasen
f7bfc472c1 JS: treat server responses as untrusted for command injections 2019-09-11 09:38:18 +02:00
Esben Sparre Andreasen
3e42b078e8 JS: minor additions to ClientRequest::getAResponseDataNode 2019-09-11 09:24:59 +02:00
Robert Marsh
6d8a4388cb Merge pull request #1883 from jbj/partial-definitions-const
C++: Don't create partial defs for calls to const functions
2019-09-10 12:46:39 -07:00
Erik Krogh Kristensen
72bbd4ded1 fix spelling mistake 2019-09-10 17:13:44 +01:00
Erik Krogh Kristensen
62d1f66fda avoid extending the abstract LoopStmt class 2019-09-10 17:08:00 +01:00
Erik Krogh Kristensen
6bb9781466 remove <br/> tags 2019-09-10 16:57:15 +01:00
semmle-qlci
05247849b0 Merge pull request #1913 from xiemaisi/csharp/update-a-qlref
Approved by hvitved
2019-09-10 16:04:19 +01:00
Jonas Jensen
bd59029e2b C++: Add pointer-to-member test to syntax-zoo
This test was inspired by problems observed in a MySQL snapshot. The
results show there are problems with both the QL CFG and the IR.
2019-09-10 16:23:23 +02:00
Erik Krogh Kristensen
97fc10e669 Add query for detecting potential DOS form a tainted .length property 2019-09-10 14:59:48 +01:00
Max Schaefer
ea81531a7b C#: Update a .qlref.
This currently relies on the fact that qltest includes `ql/csharp/ql/src/Metrics` in addition to `ql/csharp/ql/src` on its search path when run internally, which is inconsistent with the other languages. Since this is the only test that relies on it, I'd like to update it and get rid of the extra search root eventually.
2019-09-10 13:01:04 +01:00
Jonas Jensen
de4e2a259e C++: Stub replacement for security.TaintTracking
This commit adds a `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`
library that's API-compatible with the
`semmle.code.cpp.security.TaintTracking` library. The new library is
implemented on top of the IR data flow library.

The idea is to evolve this library until it can replace
`semmle.code.cpp.security.TaintTracking` without decreasing our SAMATE
score. Then we'll have the IR in production use, and we will have one
less taint-tracking library in production.
2019-09-10 13:40:45 +02:00
semmle-qlci
df1bf4a95b Merge pull request #1907 from asger-semmle/mongoose-types
Approved by xiemaisi
2019-09-10 12:05:57 +01:00
Sam Lanning
2f54437c10 Merge pull request #1889 from AlexTereshenkov/master
Add a new issue template for false positive in LGTM.com
2019-09-10 11:33:09 +01:00
AlexTereshenkov
49ee205b46 Update issue templates 2019-09-10 11:02:02 +01:00
AlexTereshenkov
77871f6d51 Update .github/ISSUE_TEMPLATE/lgtm-com---false-positive.md
Co-Authored-By: Sam Lanning <sam@lanni.ng>
2019-09-10 10:25:03 +01:00
AndreiDiaconu1
442c9f2cc8 Delete useless file 2019-09-10 09:52:35 +01:00
AndreiDiaconu1
241a40c145 C# IR: Initializers
Add support for collection initializers.
Instead of using `AssignExpr` for the translation of object initializers, `MemberInitializer` is now used.
2019-09-10 09:32:00 +01:00
AndreiDiaconu1
0528d8ef39 C# IR: Object creation refactoring
The way object creation was translated has been changed: now creations are treated as expressions.
The main motivation for this was the inability to have creation expressions as arguments to
function calls (a test case has been added to showcase this).
All code that dealt with creation expressions has been moved from `TranslatedInitialization.qll` to `TranslatedExpr.qll`.
Some light refactoring has also been done, mainly removing code that was useless after the changes mentioned above.
2019-09-10 09:20:21 +01:00
AndreiDiaconu1
d9f3c14c9c C# IR: Add support for multiple decls and updates
Added support for multiple declarations and updates in a for stmt.
Added test cases and updated the expected output.
2019-09-10 09:17:41 +01:00
Jonas Jensen
d6fba0ef46 C++: Don't create partial defs for calls to const
These partial defs don't do any harm, but they could hurt performance.
In typical C++ snapshots, between 5% and 20% of all calls are to `const`
functions.
2019-09-10 09:49:16 +02:00
Jonas Jensen
fd3615d120 C++: Show that there are too many partial defs 2019-09-10 09:44:07 +02:00
jf205
ad4715fd52 Merge pull request #1908 from shati-semmle/ql-hb/fixes
QL handbook: Add examples and fix typos
2019-09-10 08:42:14 +01:00
Jonas Jensen
7b09e4177e C++: Add localExprTaint for IR
This is for ODASA-8053.
2019-09-10 09:40:31 +02:00
Jonas Jensen
80a0027808 C++: Shared TaintTrackingImpl for IR TaintTracking 2019-09-10 09:40:27 +02:00
Jonas Jensen
770212567f C++: Fix up IR data flow QLDoc 2019-09-10 09:34:54 +02:00
Tom Hvitved
41cd13a637 C#: Update expected test output 2019-09-10 09:17:50 +02:00
Robert Marsh
2806a52ec5 Merge pull request #1888 from jbj/ir-dataflow-node-ipa
C++: Hide that IR DataFlow::Node is Instruction
2019-09-09 11:00:37 -07:00
Geoffrey White
4283a1508d Merge pull request #1870 from jbj/autoformat-all
C++: Autoformat everything
2019-09-09 16:05:32 +01:00
Shati Patel
cfa51a0e8b QL HB: Add predicate call example [SD-3864] 2019-09-09 16:01:42 +01:00
Shati Patel
f5de1dc999 QL HB: Explain use of cast [SD-3865] 2019-09-09 16:01:41 +01:00
Shati Patel
4f2c9fa3cb QL HB: Expand bindingset example [SD-3863] 2019-09-09 16:01:14 +01:00
Shati Patel
acca48bd8f QL HB: Fix typo [SD-3862] 2019-09-09 16:01:07 +01:00
Max Schaefer
bdba647bf5 Merge pull request #1893 from erik-semmle/addXLinkHref
JS: add xlink:href as xss target when using setAttribute
2019-09-09 15:56:47 +01:00
Jonas Jensen
79f456e8bd Merge pull request #1905 from ian-semmle/mangling_more
C++: Resolve all classes
2019-09-09 16:48:30 +02:00
Asger F
194a1c3530 JS: Change note 2019-09-09 15:42:43 +01:00
Calum Grant
79a750dfaf Merge pull request #1845 from AndreiDiaconu1/ircsharp-compiler-generated
C# IR: Framework for translating compiler generated elements
2019-09-09 15:42:07 +01:00
Asger F
ad5abc61cc JS: Move typed test into separate test 2019-09-09 15:35:26 +01:00
Asger F
ea446f2aa1 JS: Use type info in mongodb/mongoose model 2019-09-09 15:35:26 +01:00
Asger F
8e397ad203 JS: Use type tracking in mongodb/mongoose model 2019-09-09 15:35:23 +01:00
semmle-qlci
e899250e87 Merge pull request #1894 from asger-semmle/fp-incorrect-suffix-check
Approved by xiemaisi
2019-09-09 15:33:47 +01:00
semmle-qlci
89cba089b4 Merge pull request #1892 from asger-semmle/event-handler-sink
Approved by esben-semmle
2019-09-09 15:33:21 +01:00
Erik Krogh Kristensen
03b210a8e1 made the two Passport classes in the Express model private 2019-09-09 13:04:47 +01:00
Erik Krogh Kristensen
3ebe6608c2 updated expected values for the Express test 2019-09-09 13:02:35 +01:00
erik-semmle
d01f84f015 fix comment in passport test
Co-Authored-By: Esben Sparre Andreasen <42067045+esben-semmle@users.noreply.github.com>
2019-09-09 12:59:38 +01:00
Asger F
b6690bb644 JS: Add change note 2019-09-09 12:45:03 +01:00
Tom Hvitved
170621d1cc C#: Address review comments 2019-09-09 13:38:23 +02:00
AndreiDiaconu1
53ebe23db6 Better retrieval for the GetEnumerator call 2019-09-09 12:33:19 +01:00
Felicity Chapman
28fece0f75 Merge pull request #1906 from jf205/readme-updates
docs: update readme following recent project changes
2019-09-09 12:27:24 +01:00
semmle-qlci
2283195ebd Merge pull request #1871 from asger-semmle/type-tracking-through-imports
Approved by xiemaisi
2019-09-09 12:25:06 +01:00
Erik Krogh Kristensen
26f6b1d186 add model for passport.use in the Express model 2019-09-09 12:01:11 +01:00
james
54342a6daa docs: update readme 2019-09-09 11:57:08 +01:00
Geoffrey White
22e1715368 Merge pull request #1900 from jbj/dataflow-this-by-ref
C++: Fix flow out of `this` by reference
2019-09-09 11:15:32 +01:00
james
e8f867204d docs: fix broken links in js topics 2019-09-09 11:15:18 +01:00
Geoffrey White
26490bd97f Merge pull request #1885 from jbj/dataflow-D.cpp
C++: Add D.cpp, ported from D.java
2019-09-09 10:55:33 +01:00
Asger F
65862c922c JS: Update tests 2019-09-09 10:53:13 +01:00
Asger F
631ff27d31 JS: Use ValueNode for all ImportSpecifiers 2019-09-09 10:53:13 +01:00
Asger F
61e1d793df JS: Fixes in DeadStoreOfLocal 2019-09-09 10:51:21 +01:00
Asger F
5573279580 JS: regression test for DeadStoreOfLocal 2019-09-09 10:51:21 +01:00
Asger F
3b962dce22 JS: Add explicit type tracking test 2019-09-09 10:51:21 +01:00
Asger F
afcdc12e7b JS: Use ValueNode, not SSA node, to model NamedImportSpecifier 2019-09-09 10:51:17 +01:00
semmle-qlci
57afde0240 Merge pull request #1872 from esben-semmle/js/extraction_metrics
Approved by xiemaisi
2019-09-09 10:45:33 +01:00
Jonas Jensen
4ef5c9af62 C++: Autoformat everything
Some files that will change in #1736 have been spared.

    ./build -j4 target/jars/qlformat
    find ql/cpp/ql -name "*.ql"  -print0 | xargs -0 target/jars/qlformat --input
    find ql/cpp/ql -name "*.qll" -print0 | xargs -0 target/jars/qlformat --input
    (cd ql && git checkout 'cpp/ql/src/semmle/code/cpp/ir/implementation/**/*SSA*.qll')
    buildutils-internal/scripts/pr-checks/sync-identical-files.py --latest
2019-09-09 11:25:53 +02:00
Tom Hvitved
77d7db323d Merge pull request #1895 from calumgrant/cs/date-queries
C#: Tidy up cs/unsafe-year-construction and cs/mishandling-japanese-era
2019-09-09 11:24:49 +02:00
Jonas Jensen
1784122929 C++: Fixes from Geoffrey's review round 4 2019-09-09 11:21:55 +02:00
Jonas Jensen
969d76671e C++: Tidy up long comments that attach to items 2019-09-09 11:04:05 +02:00
Jonas Jensen
4769d00c50 C++: Fix autoformat of //-comments after +
The autoformatter would associate these comments to the following term
instead of the preceding term.
2019-09-09 11:04:05 +02:00
Jonas Jensen
3324bfb198 C++: Fix long comments without * on each line
Comments like these will make the autoformatter produce bad indentation.

For the record (not for explainability), these issues were found with

    git grep -P -A1 '^( */\*| +\*( |$))(.(?!\*/))*$' cpp/ql/src/'**/*.ql*' |grep -B10 'qll\?- [^*]*$'
2019-09-09 11:04:04 +02:00
Jonas Jensen
44aca8a0f4 C++: Prepare BufferWrite.qll for autoformat
The autoformatter cannot process these long end-of-line comments
properly when the line starts with `or`.
2019-09-09 11:04:04 +02:00
Jonas Jensen
29c83537b4 C++: Fixes from Geoffrey's review round 3 2019-09-09 11:04:04 +02:00
Jonas Jensen
c8725766bd C++: Fixes from Geoffrey's review round 2 2019-09-09 11:04:04 +02:00
Jonas Jensen
64e2277904 C++: Don't use @param in QLDoc
It superficially looks like `@param` is supported in QLDoc, but this is
mostly an accident of how its parser works. Attributes starting with `@`
are only intended to be used in the top-level QLDoc of a query, and
there can only be one of each attribute. If there are multiple `@param`
entries, the QLDoc parser will only keep the first one.

Even though `parseConvSpec` in `Scanf.qll` documented multiple
parameters, only the first one would be shown in an IDE. The
corresponding predicate in `Print.qll` documented only its first
parameter, perhaps because of an autoformatting accident earlier in
time. I've attempted to reconstruct documentation for its other
parameters based on its sibling in `Scanf.qll`.
2019-09-09 11:04:04 +02:00
Jonas Jensen
8524b95baa C++: Simplify has{Copy,Move}Signature
These functions were overly complicated, and the comments explaining the
complications did not auto-format well. A reference type cannot have
specifiers on it, so it's fine to call `getUnspecifiedType` before
checking if it's a reference type.
2019-09-09 11:04:04 +02:00
Jonas Jensen
8e98d42504 C++: Turn more "short" comments into "long"
The autoformatter is opinionated about comment styles and assumes that
"short" comments attach to the following item while "long" comments are
items themselves. I found top-level short comments with the following
two commands and then searched the output for empty lines that came
after the comment.

    git grep -A1 '^/\* .*\*/' cpp/ql/src
    git grep -A1 '^//' 'cpp/ql/src/**/*.ql*'
2019-09-09 11:04:04 +02:00
Jonas Jensen
95f53639b1 C++: Fixes to avoid confusing autoformat
These issues were found by Geoffrey in PR review.
2019-09-09 11:04:04 +02:00
Jonas Jensen
b14b65ecf0 C++: Don't use deprecated predicates in test
This made the `expected` file contain QL line numbers.
2019-09-09 11:04:04 +02:00
Jonas Jensen
ea3d066661 C++: Add D.cpp, ported from D.java
The original port of the Java field-flow tests did not include this
file. It's added here for completeness, and the results are the same as
for Java.
2019-09-09 10:45:06 +02:00
Erik Krogh Kristensen
2729566bbf add setAttributeNS('xlink', 'href',..) example in XSS test 2019-09-09 09:41:08 +01:00
Jonas Jensen
745e321e3b Merge pull request #1901 from jf205/cpp-links
docs: fix broken `Expr` links
2019-09-09 10:38:02 +02:00
Jonas Jensen
10b69358ae C++: Fix flow from this by ref. 2019-09-09 10:36:58 +02:00
Jonas Jensen
08b63d4342 C++: Test to show lack of flow from this by ref.
The `test_nonMemberSetA` also shows how the lack of flow through `&` is
a problem for non-member getters, but that's addressed on a separate
branch.
2019-09-09 10:36:11 +02:00
Jonas Jensen
ef96288303 C++: Make PartialDefinitionNode private
This class is undocumented and exposes implementation details through
its `getPartialDefinition` member. It does not need to be public.
2019-09-09 10:34:51 +02:00
Esben Sparre Andreasen
2a22471975 JS: address review comments 2019-09-09 10:31:40 +02:00
Tom Hvitved
ef4f954b58 Merge pull request #1797 from jbj/dataflow-TTwo
C++/C#/Java: data flow AccessPath up to length 2
2019-09-09 10:28:48 +02:00
james
9437c2d007 docs: fix broken Expr links 2019-09-09 09:25:19 +01:00
Esben Sparre Andreasen
ec58ccc0ec JS: fixup dbscheme in upgrade directory 2019-09-09 09:05:12 +02:00
Esben Sparre Andreasen
5d6997c1c9 JS: additional extraction metrics cleanup 2019-09-09 09:05:12 +02:00
Esben Sparre Andreasen
03d38ca54b JS: simplify cache interaction 2019-09-09 09:05:12 +02:00
Esben Sparre Andreasen
6dbe827dd3 JS: add QL classes for the extraction metrics 2019-09-09 09:05:12 +02:00
Esben Sparre Andreasen
5665cf9328 JS: record metrics during extraction 2019-09-09 09:05:12 +02:00
Esben Sparre Andreasen
7fcde4c130 JS: add extraction metrics to the dbscheme 2019-09-09 09:05:12 +02:00
Esben Sparre Andreasen
27e36cfe05 JS: apply google-java-format to extractor source code 2019-09-09 09:05:12 +02:00
Jonas Jensen
d51e5212fb Merge remote-tracking branch 'upstream/master' into dataflow-TTwo
Conflicts:
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
      cpp/ql/test/library-tests/dataflow/fields/flow.expected
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
2019-09-08 21:08:43 +02:00
Rebecca Valentine
9eebe00b33 Merge pull request #1869 from taus-semmle/python-fix-typehint-divergence
Python: Prevent divergence in type-hint analysis. (ODASA-8075)
2019-09-06 14:33:20 -07:00
Erik Krogh Kristensen
c780956f0d add setAttributeNS method in the XSS test 2019-09-06 21:56:29 +01:00
AndreiDiaconu1
320cd6b96c More PR fixes 2019-09-06 18:10:54 +01:00
AndreiDiaconu1
765414430d More PR fixes 2019-09-06 18:10:54 +01:00
AndreiDiaconu1
9ecbb4a3f3 More fixes for the PR comments 2019-09-06 18:10:54 +01:00
AndreiDiaconu1
fe3645f26d Fix some PR comments 2019-09-06 18:09:15 +01:00
AndreiDiaconu1
db213bbf80 Fixed sanity checks
The foreach was erroneously labelling the `True` and `False` edges as backedges.
Added a case for the compiler generated while in the predicate `getInstructionBackEdgeSuccessor/2`
from the file `IRConstruction.qll` so that only the edges from inside the body are labeled as back edges.
2019-09-06 18:09:15 +01:00
AndreiDiaconu1
46d7b9e3bf Lock stmt
Added support for the lock stmt
Added a test case and updated the expected output
2019-09-06 18:09:15 +01:00
AndreiDiaconu1
4dd548bfa2 Foreach stmt
Addded support for the foreach stmt (for now only the "canonical" desugaring).
Added a test and updated the expected output.
2019-09-06 18:09:15 +01:00
AndreiDiaconu1
a5ec763035 Delegate creation and call
Added support for delegate creation and call.
Added a test case and updated the expected output.
2019-09-06 18:08:03 +01:00
AndreiDiaconu1
331707f3a3 Framework for the translation of compiler elements
Added a framework for the translation of compiler generated elements, so that the process of adding a new desugaring process is almost mechanical.
The files in `internal` serve as the superclasses for all the compiler generated elements.
The file `Common.qll` captures common patterns for the compiler generated code to improve code sharing (by pattern I mean an element that appears in multiple desugarings). For example the `try...finally` pattern appears in the desugaring process of both the `lock` and the `foreach` stmts, so a class the provides a blueprint for this pattern is exposed. Several other patterns are present.
The expected output has also been updated (after a rebase) and it should be ignored.
2019-09-06 18:08:03 +01:00
AndreiDiaconu1
80b7512fe2 Initial restructure
The `raw/internal` folder has been restructured to better enhance code sharing between compiler generated elements and AST generated elements.
The translated calls classes have been refactored to better fit the C# library.
A new folder has been added, `common` that provides blueprints for the classes that deal with translations of calls, declarations, exprs and conditions.
Several `TranslatedX.qll` files have been modified so that they use those blueprint classes.
2019-09-06 18:08:03 +01:00
Ian Lynagh
4190a53574 C++: Update test output 2019-09-06 17:31:08 +01:00
Ian Lynagh
a32214d41e C++: Resolve all classes
We used to only resolve top-level classes.
2019-09-06 17:31:08 +01:00
Felicity Chapman
4952ad5cff Merge pull request #1896 from shati-semmle/vale-typo
Vale linter: fix typo
2019-09-06 16:56:22 +01:00
shati-semmle
4d98b4c3a1 Vale linter: fix typo 2019-09-06 16:47:20 +01:00
Calum Grant
3734552081 C#: Add change note for datetime queries. 2019-09-06 16:45:02 +01:00
Calum Grant
f9b99ae245 C#: Adjust date query severity and add precisions. Tidy up tags. 2019-09-06 16:44:29 +01:00
Nick Rolfe
09036a3bdf Merge pull request #1760 from ian-semmle/mangling
C++: Use mangled names to resolve classes
2019-09-06 16:38:47 +01:00
Asger F
dfd18a51ee JS: Change note 2019-09-06 16:03:16 +01:00
shati-semmle
486707c90e Merge pull request #1891 from jf205/slide-fixes
docs: improve slide layout for printing
2019-09-06 15:52:32 +01:00
Asger F
7007698de4 JS: Fix the FP 2019-09-06 15:39:40 +01:00
Asger F
ebd7875cae JS: Add regression test 2019-09-06 15:38:55 +01:00
yh-semmle
79a0a56adf Merge pull request #1890 from aschackmull/java/best-bound-rangeanalysis
Java: Restrict the output of Range Analysis to the best bounds.
2019-09-06 10:35:11 -04:00
Erik Krogh Kristensen
ccdc821c5d add xlink:href as xss target when using setAttribute 2019-09-06 14:43:47 +01:00
Asger F
f7654d6f1c JS: Add test 2019-09-06 14:42:07 +01:00
james
f78ce146f1 docs: improve slide layout for printing 2019-09-06 14:42:06 +01:00
Anders Schack-Mulligen
6b85fe087a Java: Restrict the output of Range Analysis to the best bounds. 2019-09-06 15:39:46 +02:00
AlexTereshenkov
523d055194 Add a new issue template for false positive in LGTM.com
Add a new issue template for false positive in LGTM.com
2019-09-06 14:39:06 +01:00
Calum Grant
d2336dc8cf Merge pull request #1882 from aschackmull/lang/autoformat
Java/C#/JavaScript: Autoformat
2019-09-06 14:37:40 +01:00
Asger F
fa95871f46 JS: Add event handler sink to code injection 2019-09-06 14:33:00 +01:00
Jonas Jensen
e4c9dd79ca C++: Hide that IR DataFlow::Node is Instruction
We haven't come to a conclusion on whether these two types will remain
identical forever. To make sure we're able to change it in the future,
this change makes it impossible to cast between the two types. Callers
must use the `asInstruction` member predicate to convert.
2019-09-06 15:31:41 +02:00
shati-semmle
434c20f294 Merge pull request #1887 from jf205/slide-fixes
docs: a couple of slide fixes
2019-09-06 14:28:14 +01:00
james
ecc2449c1c docs: updated slide background 2019-09-06 14:00:57 +01:00
james
f93359a472 docs: slides fix for edge and ff 2019-09-06 14:00:19 +01:00
Taus Brock-Nannestad
8882f1410a Add test cases for nested subscripts. 2019-09-06 12:01:18 +02:00
Anders Schack-Mulligen
ae351be968 C++: Sync files. 2019-09-06 09:05:29 +02:00
Anders Schack-Mulligen
ca45fb5a60 JavaScript: Autoformat. 2019-09-06 09:04:51 +02:00
Anders Schack-Mulligen
343230402a C#: Autoformat. 2019-09-06 09:04:16 +02:00
Anders Schack-Mulligen
aa07020d9d Java: Autoformat. 2019-09-06 09:03:45 +02:00
Robert Marsh
94c625f03f Merge pull request #1777 from jbj/ast-field-flow-defbyref
C++: Don't use definitionByReference for data flow
2019-09-05 10:23:28 -07:00
semmle-qlci
33329f95c2 Merge pull request #1874 from asger-semmle/express-types
Approved by esben-semmle, xiemaisi
2019-09-05 16:42:28 +01:00
semmle-qlci
48b6b67994 Merge pull request #1880 from ian-semmle/clang
Approved by jbj
2019-09-05 16:13:53 +01:00
shati-semmle
6b0bbd5a9e Merge pull request #1878 from jf205/training-homepage/sd-3764
docs: rework ql training homepage (sd-3764)
2019-09-05 16:05:14 +01:00
Ian Lynagh
1d56407c72 C++: Pull some of library-tests/dataflow/dataflow-tests into clang.cpp
g++ doesn't support this code:

    sorry, unimplemented: non-trivial designated initializers not supported
       twoIntFields sSwapped = { .m2 = source(), .m1 = 0 };

so we need to build it in clang mode.
2019-09-05 15:12:17 +01:00
james
131e88dfbe Merge remote-tracking branch 'origin/training-homepage/sd-3764' into training-homepage/sd-3764 2019-09-05 14:53:04 +01:00
james
09a0b562e5 docs: fix typo 2019-09-05 14:50:14 +01:00
jf205
ce2326cc6e Update docs/language/README.rst
Co-Authored-By: shati-semmle <42641846+shati-semmle@users.noreply.github.com>
2019-09-05 14:29:23 +01:00
jf205
1f67d71f5f Update docs/language/learn-ql/ql-training.rst
Co-Authored-By: shati-semmle <42641846+shati-semmle@users.noreply.github.com>
2019-09-05 14:29:11 +01:00
jf205
4ec828a719 Update docs/language/learn-ql/ql-training.rst
Co-Authored-By: shati-semmle <42641846+shati-semmle@users.noreply.github.com>
2019-09-05 14:24:36 +01:00
semmle-qlci
fd2e8486e4 Merge pull request #1862 from asger-semmle/prototype-pollution-angular-merge
Approved by esben-semmle
2019-09-05 12:50:58 +01:00
semmle-qlci
e6bfe2bd5d Merge pull request #1873 from asger-semmle/type-inf-consistency
Approved by xiemaisi
2019-09-05 12:46:59 +01:00
james
1a7c79bd7c docs: update layout.html 2019-09-05 12:33:55 +01:00
james
99614d98e1 docs: specify sphinx 1.7.9 in readme 2019-09-05 12:33:55 +01:00
james
16aaa95566 docs: fix a couple of links 2019-09-05 12:33:54 +01:00
james
6f9d4c8562 docs: remove VA section from writing-queries.rst 2019-09-05 12:33:49 +01:00
james
49955c56be docs: rework ql-training.rst 2019-09-05 12:33:42 +01:00
james
593818b71a docs: reorganize and add some ref bookmarks to learn-ql index 2019-09-05 12:33:33 +01:00
Taus Brock-Nannestad
2d45c23d19 Comment out diverging example for now.
Otherwise it'll keep timing out until the fix has been pushed to LGTM.com
2019-09-05 13:18:01 +02:00
Asger F
61c4d30dd6 JS: Use express module instead 2019-09-05 12:09:24 +01:00
Ian Lynagh
99dd8d0c51 C++: Add an upgrade script 2019-09-05 12:01:02 +01:00
Ian Lynagh
acc1d664f6 C++: Updates stats to include mangled_name table 2019-09-05 12:01:02 +01:00
Ian Lynagh
0c09af977c C++: Use mangled_name in ResolveClass.qll
The old code is still around to handle upgraded databases.
2019-09-05 12:01:02 +01:00
Taus Brock-Nannestad
d336140c19 Python: Modernise the py/non-iterable-in-for-loop query.
Also adds a small test case exhibiting the same false positive seen in
ODASA-8042.
2019-09-05 12:24:51 +02:00
Esben Sparre Andreasen
a9665f53b8 JS: whitelist quote stripping for js/incomplete-sanitization 2019-09-05 09:47:49 +01:00
james
65573492e7 docs: rename ql-training-rst > ql-training 2019-09-05 08:40:36 +01:00
james
c8dd5e620c docs: add ql-training page to learn-ql project 2019-09-05 08:40:33 +01:00
Jonas Jensen
79c713bd87 C++: Remark in DefinitionByReference charpred 2019-09-05 09:36:46 +02:00
Jonas Jensen
114c2fe0d4 Merge remote-tracking branch 'upstream/master' into ast-field-flow-defbyref 2019-09-05 09:33:45 +02:00
Robert Marsh
1bb57daf6f Merge pull request #1866 from jbj/dataflow-test-alias-nested
C++: Tests for aliasing of nested structs
2019-09-04 10:48:20 -07:00
Robert Marsh
a3290503ec Merge pull request #1806 from jbj/localExprFlow
C++: Add localExprFlow and localExprTaint
2019-09-04 10:38:46 -07:00
Asger F
0e4c34bd81 JS: Add deprecated predicate alias 2019-09-04 16:14:51 +01:00
Asger F
93a3f571ec JS: Add change note 2019-09-04 16:14:51 +01:00
Asger F
27567e41c5 JS: Add angular.fromJson as JSON parser 2019-09-04 16:14:51 +01:00
Asger F
5aa948cd17 JS: Add angular.merge sink to prototype pollution query 2019-09-04 16:14:51 +01:00
Felicity Chapman
ef7984d1cb Merge pull request #1842 from jf205/add-java-slides/sd-3762
docs: add rst versions of java training slides
2019-09-04 13:53:13 +01:00
jf205
64c4548aca Update docs/language/ql-training-rst/slide-snippets/local-data-flow.rst
Co-Authored-By: Luke Cartey <5377966+lukecartey@users.noreply.github.com>
2019-09-04 12:53:51 +01:00
james
f0e2a2ea71 docs: update images 2019-09-04 12:51:14 +01:00
Taus Brock-Nannestad
4440e02fa5 Add test case for divergence. 2019-09-04 13:23:06 +02:00
Jonas Jensen
cdcc716675 Merge pull request #1867 from geoffw0/erafix9
CPP: Add date to JapaneseEraDate.ql
2019-09-04 13:16:04 +02:00
Jonas Jensen
bd32931f45 Merge pull request #1868 from geoffw0/tinyfix
CPP: Tiny fixes
2019-09-04 13:15:38 +02:00
Asger F
9f8bf90424 JS: Update Express test 2019-09-04 11:43:21 +01:00
Asger F
744f0b1aa3 JS: Use type info to recognize routers 2019-09-04 11:43:21 +01:00
Asger F
c06fd451d6 JS: Handle router chaining in type tracking predicate 2019-09-04 11:43:21 +01:00
Asger F
f3aea0706a JS: Use type info in Express Request/Response 2019-09-04 11:43:21 +01:00
Geoffrey White
707f95c829 CPP: Alignment. 2019-09-04 09:59:21 +01:00
Geoffrey White
13e2109a38 CPP: Remove an unnecessary include. 2019-09-04 09:42:07 +01:00
Jonas Jensen
8579d7d1cf C++: Tests for aliasing of nested structs
This test shows that local pointers into structs do propagate data flow
like pass-by-reference does in calls.
2019-09-04 10:26:49 +02:00
Jonas Jensen
3ba650911c Merge pull request #1847 from geoffw0/erafix8
CPP: Deal with two very similar Japanese era queries
2019-09-04 09:57:10 +02:00
Jonas Jensen
0e54709d47 Merge pull request #1859 from geoffw0/qldocpartialdef
CPP: Document PartialDefinitions
2019-09-04 09:54:55 +02:00
Jonas Jensen
067c55adb9 C++: Fix ConditionDeclExpr data flow
Data flow probably never worked when a variable declared in a
`ConditionDeclExpr` was modeled with `BlockVar`. That combination did
not come up in testing before the last commit.
2019-09-04 09:33:00 +02:00
Geoffrey White
84112d3630 CPP: Change note. 2019-09-03 18:30:24 +01:00
Geoffrey White
3a3bef3a03 CPP: Add the new Japanese era. 2019-09-03 18:28:24 +01:00
Geoffrey White
bac39e6288 CPP: Add test cases. 2019-09-03 17:46:30 +01:00
Taus Brock-Nannestad
1b432076c4 Python: Prevent divergence in type-hint analysis. (ODASA-8075) 2019-09-03 13:38:46 +02:00
james
acb3e742e6 docs: toctree path 2019-09-03 12:34:58 +01:00
Nick Rolfe
641232a9d7 Merge pull request #1855 from mgrettondann/cpp-343-lambda-names-simplification
C++: Update tests for lambda description changes
2019-09-03 11:45:50 +01:00
james
8c88cbba3a docs: address review comments 2019-09-03 11:16:45 +01:00
semmle-qlci
6778f28424 Merge pull request #1854 from asger-semmle/prototype-pollution-precision
Approved by esben-semmle, xiemaisi
2019-09-03 10:50:24 +01:00
Jonas Jensen
d7681bf122 C++: Don't use definitionByReference for data flow
The data flow library conflates pointers and objects enough for the
`definitionByReference` predicate to be too strict in some cases. It was
too permissive in other cases that are now (or will be) handled better
by field flow.

See also the change note entry.
2019-09-03 11:49:01 +02:00
semmle-qlci
e4d59c361a Merge pull request #1856 from asger-semmle/ts-base-types
Approved by xiemaisi
2019-09-03 10:12:30 +01:00
Geoffrey White
84da3e3431 CPP: Effect of 'Support nested field flow'. 2019-09-03 09:27:50 +01:00
Geoffrey White
8105d153b1 CPP: Add a test of PartialDefinitions. 2019-09-03 09:27:50 +01:00
Geoffrey White
0f295c65f9 CPP: Add QLDoc to the PartialDefinitions class. 2019-09-03 09:27:50 +01:00
Geoffrey White
d092905c66 Merge pull request #1772 from jbj/ast-field-flow-nested
C++: Support nested field flow
2019-09-03 09:12:47 +01:00
Tom Hvitved
4b32ee77e6 C#: Add change note 2019-09-03 09:35:58 +02:00
Jonas Jensen
d3a6ae5657 C++: Support nested field flow
This is the C/C++ side of PR #1766.
2019-09-03 08:50:15 +02:00
Asger F
7790d4b667 JS: Make getALocalValue overriders include super 2019-09-02 16:45:06 +01:00
Asger F
2006826101 JS: Avoid breaking local object analysis 2019-09-02 16:45:06 +01:00
Asger F
9f2f10fa15 JS: Make type inference flow go through ssa definition node 2019-09-02 16:45:06 +01:00
semmle-qlci
c8ffbf3b87 Merge pull request #1852 from xiemaisi/js/async-generator-methods
Approved by esben-semmle
2019-09-02 16:18:04 +01:00
Matthew Gretton-Dann
03eb1ff785 C++: Update taint-tests for changed lambda support 2019-09-02 15:18:27 +01:00
Jonas Jensen
9c9b7ac651 C#/C++/Java: Revert AccessPathNil.toString changes
This caused too many `*.expected` files to change, also in our internal
repo.
2019-09-02 15:59:36 +02:00
Asger F
8737dbb73d JS: Add test 2019-09-02 14:31:40 +01:00
Asger F
54d47f60da JS: Include base types in TypeName 2019-09-02 14:18:48 +01:00
Jonas Jensen
a98992f0f9 C#/C++/Java: distinguish toString of nil from cons 2019-09-02 14:22:03 +02:00
Jonas Jensen
cdede8744f C#/C++/Java: Prettier PartialAccessPath.toString 2019-09-02 14:05:50 +02:00
Asger F
e9159acecb TS: Fix skewed arrays due to recursive call 2019-09-02 13:03:25 +01:00
Jonas Jensen
c3bc9f8575 C#/C++/Java: Unbreak partial data flow support
Partial data flow had a semantic merge conflict with this branch. The
problem is that partial data flow doesn't (and shouldn't) cause the
initial pruning steps to run, but the length-2 access paths depend on
the `consCand` information that comes from that initial pruning. The
solution is to restore the old `AccessPath` class, now called
`PartialAccessPath` for use only by partial data flow.

With this change, partial data flow will in some cases allow more field
flow than non-partial data flow.
2019-09-02 14:02:39 +02:00
Geoffrey White
c4d74c3922 CPP: Replace query paths with @name and @id. 2019-09-02 12:36:36 +01:00
Jonas Jensen
dec0c3a0ee C#/C++/Java: Make AccessPath abstract
This was requested by @hvitved in code review. There is no difference in
the generated DIL.
2019-09-02 13:14:30 +02:00
Jonas Jensen
b1be123e31 C#/C++/Java: Prettier AccessPath.toString
The `ppReprType` predicate should now be `none()` instead of `result=""`
to signal that there is nothing to print. That seems clearer to me.
2019-09-02 13:14:20 +02:00
Jonas Jensen
dbe8034e04 C#: Accept test results 2019-09-02 13:14:17 +02:00
Jonas Jensen
6c96a8d339 Java: Accept test changes
Note: the results in `partial` have regressed and will need to be fixed
in a follow-up commit.
2019-09-02 13:14:17 +02:00
Jonas Jensen
9f0f2f7c04 C++: Accept test changes 2019-09-02 13:14:17 +02:00
Jonas Jensen
b2c94cc6b4 C++/C#/Java: Restore the AccessPathCons class 2019-09-02 13:14:13 +02:00
Jonas Jensen
fbe34015f3 C++/C#/Java: AccessPath class names reflect length
One -> ConsNil
Two -> ConsCons
2019-09-02 13:13:59 +02:00
Jonas Jensen
e8006bb2cc C++/C#/Java: data flow AccessPath up to length 2
This commit does not include updates to test results.
2019-09-02 13:13:46 +02:00
Geoffrey White
aa009d07fd Merge pull request #1787 from jbj/ast-field-flow-local-fields
C++: Local field flow using global library
2019-09-02 11:17:37 +01:00
Asger F
c71a66a045 JS: Add change note 2019-09-02 11:05:07 +01:00
Asger F
a41a23fdba JS: Raise precision of prototype-pollution query 2019-09-02 11:00:24 +01:00
Jonas Jensen
e9a029cba3 C++: Local field flow using global library
This commit removes fields from the responsibilities of `FlowVar.qll`.
The treatment of fields in that file was slow and imprecise.

It then adds another copy of the shared global data flow library, used
only to find local field flow, and it exposes that local field flow
through `localFlow` and `localFlowStep`.

This has a performance cost. It adds two cached stages to any query that
uses `localFlow`: the stage from `DataFlowImplCommon`, which is shared
with all queries that use global data flow, and a new stage just for
`localFlowStep`.
2019-09-02 11:17:27 +02:00
Jonas Jensen
4f57f37b31 C++: Test to show false flow through object copy 2019-09-02 11:16:48 +02:00
Max Schaefer
91e46cd6fd JavaScript: Fix parsing of asynchronous generator methods. 2019-09-02 09:56:42 +01:00
semmle-qlci
6d55d1f7c0 Merge pull request #1707 from asger-semmle/canonical-name-call-graph
Approved by xiemaisi
2019-09-02 09:45:24 +01:00
Jonas Jensen
8ee87fd9fc C++: Make TaintTracking2 QLDoc more like DataFlow2 2019-09-02 09:43:52 +02:00
Max Schaefer
742c9708a9 Merge pull request #1828 from asger-semmle/jsdoc-relation
JS: Make getDocumentation handle chain assignments
2019-09-02 08:43:40 +01:00
Jonas Jensen
26c81eaae9 C++: Mention localExpr{Flow,Taint} in module QLDoc 2019-09-02 09:43:23 +02:00
semmle-qlci
0cf872ed32 Merge pull request #1846 from hvitved/csharp/autoformat
Approved by jbj
2019-09-02 08:31:43 +01:00
Jonas Jensen
f1d7fde49d C++: Use localExprFlow in existing queries
This shortens the queries a bit and ensures test coverage of the new
predicate.
2019-09-02 09:29:12 +02:00
Jonas Jensen
63311739a5 C++: Add localExprFlow and localExprTaint
This is for ODASA-8053.
2019-09-02 09:29:10 +02:00
Tom Hvitved
675255755b C#: Speedup Completion::isValidFor() 2019-09-01 10:34:52 +02:00
Tom Hvitved
508055fdc8 C#: Add a few pragma[nomagic] 2019-09-01 10:34:51 +02:00
Tom Hvitved
1e7ee8ddad C#: Loop unrolling for foreach statements 2019-09-01 10:34:51 +02:00
Tom Hvitved
1bfef706e2 C#: Add loop unrolling tests 2019-09-01 10:34:51 +02:00
Tom Hvitved
bb735c0220 C#: Teach guards library about collections 2019-09-01 10:34:51 +02:00
semmle-qlci
00fe4734ac Merge pull request #1850 from hvitved/csharp/remove-ref-equal
Approved by calumgrant
2019-09-01 09:31:50 +01:00
yh-semmle
c359675fa9 Merge pull request #1802 from aschackmull/java/taint-step-extension-point
Java: Add a global extension point for taint steps.
2019-08-30 17:19:58 -04:00
yh-semmle
f54545522e Merge pull request #1759 from aschackmull/java/flow-exploration
Java/C++/C#: Add support for dataflow exploration by partial paths.
2019-08-30 17:00:17 -04:00
Asger F
45941869ad JS: Change note 2019-08-30 18:25:39 +01:00
Asger F
89b91af6db JS: Make getDocumentation handle chain assignments 2019-08-30 18:20:54 +01:00
Asger F
9533ca0926 JS: Change note 2019-08-30 18:19:49 +01:00
Asger F
3926436bd4 JS: Explain use of t.call() 2019-08-30 18:19:19 +01:00
Asger F
d6578e10c8 JS: Handle constructor calls to avoid regression 2019-08-30 18:19:19 +01:00
Asger F
1b6cc4ebcc JS: Update test 2019-08-30 18:19:19 +01:00
Asger F
a13fb8e2ba JS: Handle RHS in more cases 2019-08-30 18:19:19 +01:00
Asger F
1e5f0a4e2f JS: Update DataFlow tests 2019-08-30 18:19:19 +01:00
Asger F
5512846e6f JS: Update TypeTracking test 2019-08-30 18:19:19 +01:00
Asger F
bd6768e2c8 JS: Fix closure namespace prefix and update tests 2019-08-30 18:19:19 +01:00
Asger F
b1f9db9145 JS: Make getAFunctionValue follow global access paths 2019-08-30 18:19:19 +01:00
Asger F
8d59df229a JS: Allow calls to externs 2019-08-30 18:19:19 +01:00
Asger F
cfa2ec1084 JS: Remove fake JSONType from es5.js externs 2019-08-30 18:19:19 +01:00
Asger F
e7166c2a1c JS: Workaround for JSON externs 2019-08-30 18:19:19 +01:00
Asger F
221d94961a JS: Resolve simple calls based on qualified name 2019-08-30 18:19:19 +01:00
Asger F
ca71d3117e JS: Use access paths from Closure module 2019-08-30 18:19:19 +01:00
Asger F
8c5b6b256b JS: Remove globalFlowPred() 2019-08-30 18:19:18 +01:00
Asger F
96d9e66ced JS: cache things 2019-08-30 18:19:18 +01:00
Asger F
313579c258 JS: Restrict flow to access paths assigned in a unique file 2019-08-30 18:19:18 +01:00
Asger F
48b70c4f1d JS: Add type-tracking test case 2019-08-30 18:19:18 +01:00
Asger F
7315a2baee JS: Make type tracking work through access paths 2019-08-30 18:19:18 +01:00
Asger F
2105e0bdee JS: use JSDoc types in class tracking 2019-08-30 18:19:18 +01:00
Asger F
6b05aa129c JS: Use global access paths to recognize .prototype 2019-08-30 18:19:18 +01:00
semmle-qlci
61034be186 Merge pull request #1844 from asger-semmle/more-type-info
Approved by xiemaisi
2019-08-30 18:17:07 +01:00
Taus
89778ef61d Merge pull request #1849 from markshannon/python-add-syntax-comments
Python: Add syntax example comments for automatic document generation.
2019-08-30 17:46:50 +02:00
Asger F
3186942906 JS: Add change note 2019-08-30 16:05:13 +01:00
Asger F
f219598281 JS: Update DeclarationFiles test 2019-08-30 16:02:42 +01:00
Asger F
5874c14a9c JS: Avoid materializing JSONValue.getFile() 2019-08-30 16:02:42 +01:00
Asger F
6c0f9be6df JS: Avoid materializing HTML::Element.getFile() 2019-08-30 16:02:42 +01:00
Asger F
33267067e0 JS: Deprecate and remove path resolution for reference comments 2019-08-30 16:02:42 +01:00
Asger F
fa3532ca8c TS: Handle locally defined packages 2019-08-30 16:02:42 +01:00
Asger F
d8cda5e268 JS: Add Firebase test with types 2019-08-30 16:02:41 +01:00
Asger F
ec81e368da JS: Use type info in Firebase model 2019-08-30 16:02:41 +01:00
Asger F
f4144831ab TS: Emit module bindings for all files in node_modules 2019-08-30 16:02:41 +01:00
Asger F
efa7e1112b JS: Add Node.hasUnderlyingType 2019-08-30 16:02:41 +01:00
Mark Shannon
ad463038f8 Python: Clarify comment about 'syntax:' comment and add ... to for and async for comments. 2019-08-30 15:34:14 +01:00
Jonas Jensen
c3e1fb424e Merge pull request #1658 from zlaski-semmle/zlaski/cpp387
[CPP-387] Create a new PR against new location of introduce-libraries…
2019-08-30 16:25:13 +02:00
Taus
f8bd3770d6 Merge pull request #1848 from markshannon/python-rationalize-taint-tracking
Python: Move TaintTracking.qll
2019-08-30 16:21:49 +02:00
Tom Hvitved
6dc869d5c6 C#: Remove reference equality 2019-08-30 15:52:42 +02:00
semmle-qlci
a97aefe0c3 Merge pull request #1835 from xiemaisi/js/dom-fixes
Approved by asger-semmle
2019-08-30 14:45:06 +01:00
Tom Hvitved
3e716bf806 Merge pull request #1749 from calumgrant/cs/extractor-tidy
C#: Refactor extractor trap generation code
2019-08-30 15:44:35 +02:00
Taus
a2841b4245 Merge pull request #1763 from markshannon/python-cwe-312
Python: Two new queries for CWE-312.
2019-08-30 15:28:56 +02:00
Tom Hvitved
c9275fdc0a Merge pull request #1692 from calumgrant/cs/roslyn-3.2
C#: Upgrade to Roslyn 3.2
2019-08-30 15:09:11 +02:00
Anders Schack-Mulligen
8a318ce4e7 Java: Extend test with graph. 2019-08-30 14:35:21 +02:00
Anders Schack-Mulligen
455bb6cd15 Java/C++/C#: Add change notes. 2019-08-30 14:35:21 +02:00
Anders Schack-Mulligen
6582734733 Java: Add test. 2019-08-30 14:32:55 +02:00
Anders Schack-Mulligen
5e6326d1d5 Java/C++/C#: Add support for dataflow exploration by partial paths. 2019-08-30 14:32:55 +02:00
Anders Schack-Mulligen
6749f7a1b7 Merge pull request #1843 from lukecartey/java/add-missing-sql-apis
Java: Add missing SQL query APIs.
2019-08-30 14:27:40 +02:00
Mark Shannon
637677d515 Python: Move TaintTracking.qll from semmle.python.security to semmle.python.dataflow, for consistency with other code. 2019-08-30 12:57:47 +01:00
Mark Shannon
a256945938 Python: Add syntax example comments for document generation. 2019-08-30 12:46:08 +01:00
semmle-qlci
394563de43 Merge pull request #1807 from hvitved/csharp/dataflow/barrier-guard
Approved by calumgrant
2019-08-30 12:40:25 +01:00
Taus
3d3797f829 Merge pull request #1830 from markshannon/python-update-docs
Python: Update the documentation
2019-08-30 13:01:50 +02:00
Max Schaefer
b6220998d1 JavaScript: Restrict setAttribute sink to potentially dangerous attribute names. 2019-08-30 11:57:29 +01:00
Calum Grant
c7b685b3b8 C#: Fix changed qltest. 2019-08-30 11:47:43 +01:00
Calum Grant
611af1e2c2 C#: Upgrade to Roslyn 3.2. 2019-08-30 11:47:43 +01:00
Mark Shannon
3f740d6efe Python: Update CWE-312 queries to use new taint-tracking configuration. 2019-08-30 11:21:04 +01:00
Luke Cartey
e118f9a5f9 Add change note. 2019-08-30 10:48:37 +01:00
Luke Cartey
dfa371c65b Java: Add missing SQL query APIs.
* executeLargeUpdate
 * prepareCall
2019-08-30 10:40:49 +01:00
Mark Shannon
811815aa4e Merge branch 'master' into python-cwe-312 2019-08-30 10:39:04 +01:00
Calum Grant
ec61877ce8 Merge pull request #1805 from hvitved/csharp/dataflow/nested-fields
C#: Nested field flow
2019-08-30 10:26:10 +01:00
Calum Grant
0129b42c54 C#: Address review comments. 2019-08-30 10:11:01 +01:00
Calum Grant
7df90f13ed C#: Address review comments. Tidy up tuple generation, consolidating code and use run-time type information instead of FirstParam/NextParam. 2019-08-30 10:11:01 +01:00
Calum Grant
40f56ff4b3 C#: Code tidy. Rename variables, delete dead code, format whitespace, improve comments. 2019-08-30 10:11:01 +01:00
Calum Grant
b3d5e405a6 C#: Fix violations 2019-08-30 10:11:01 +01:00
Calum Grant
97522c506e C#: Add more CIL consistency tests. 2019-08-30 10:11:01 +01:00
Calum Grant
b776421602 C#: Fix up tests. Fix cil_class, and add locations for constructed methods and types. 2019-08-30 10:11:01 +01:00
Calum Grant
02fd51ae61 C#: Resolve merge conflicts. 2019-08-30 10:11:00 +01:00
Calum Grant
b500a02b1e C#: Compare CIL entities directly by handle rather than by label.
C#: Remove IDs from the CIL extractor and make consistent with C# extractor.
C#: Fix method collisions.
2019-08-30 10:11:00 +01:00
Calum Grant
685c494bcb C#: Make the trap compression algorithm configurable. 2019-08-30 10:11:00 +01:00
Calum Grant
fe7e90e25a C#: Remove the tuples from the C# extractor. 2019-08-30 10:11:00 +01:00
Calum Grant
486c192dda C#: Refactoring expression and statement population. 2019-08-30 10:11:00 +01:00
Calum Grant
e41e8d6547 C#: Remove ITrapBuilder in favour of TextWriter. 2019-08-30 10:00:06 +01:00
Calum Grant
aeb38a1757 C#: Refactoring tuple writing to remove Tuple intermediate object and write straight to trap file. 2019-08-30 10:00:06 +01:00
Calum Grant
bd1b0018b0 C#: Rename some methods. 2019-08-30 10:00:06 +01:00
Calum Grant
58e6d236ff C#: Tidy up CommentProcessing. 2019-08-30 10:00:06 +01:00
Taus
4f26b58a1a Merge pull request #1747 from markshannon/python-extend-taint-tracking-config
Python: Extend taint-tracking configuration to match API of Javascript implementation.
2019-08-30 10:39:53 +02:00
Tom Hvitved
75eb7f92a2 C++: Sync identical files 2019-08-30 09:54:05 +02:00
Tom Hvitved
9f59e385d1 C#: Autoformat 2019-08-30 09:53:50 +02:00
Tom Hvitved
6e7ef66642 C#: Revert to using GuardedDataFlowNode in TaintedPath.qll 2019-08-30 09:37:23 +02:00
Tom Hvitved
751985dcf2 C#: Address review comments 2019-08-30 09:37:23 +02:00
Tom Hvitved
ae5fb7f330 C#: Introduce BarrierGuards 2019-08-30 09:37:16 +02:00
Tom Hvitved
c642e726c6 Merge pull request #1555 from calumgrant/cs/typemention-fixes
C#: Fix various extraction errors
2019-08-30 09:34:18 +02:00
zlaski-semmle
f2025116d5 Merge pull request #1771 from geoffw0/qldoceg8
CPP: Add syntax examples to QLDoc in NameQualifiers.qll
2019-08-29 15:16:37 -07:00
Geoffrey White
b254e1f48e CPP: Change note. 2019-08-29 18:24:29 +01:00
Calum Grant
4dd4167a5a C#: Update test output (following merge). 2019-08-29 18:22:37 +01:00
Geoffrey White
2b1871fd2b CPP: Remove the old test. I don't think preserving a duplicate test of deprecated queries is helpful. 2019-08-29 18:18:23 +01:00
Geoffrey White
ed7586d829 CPP: Add a combined test for the combined query. 2019-08-29 18:18:22 +01:00
Calum Grant
424ab3ed6a C#: Analysis change notes. 2019-08-29 18:12:58 +01:00
Calum Grant
83d1e0eaa6 C#: Name DotNet::Namespace a declaration. 2019-08-29 18:12:58 +01:00
Calum Grant
83ab044a73 C#: Update expected test output. 2019-08-29 18:12:58 +01:00
Calum Grant
dfbb1946d3 C#: Minor edits 2019-08-29 18:11:00 +01:00
Calum Grant
5613769654 C#: Add NamespaceAccess, and make namespaces declarations. 2019-08-29 18:11:00 +01:00
Calum Grant
0e62377dd2 C#: Treat _ as an ordinary variable in a foreach. 2019-08-29 18:11:00 +01:00
Calum Grant
8aeeec01ff C#: Add namespace_access_expr because of nameof(Namespace) 2019-08-29 18:11:00 +01:00
Calum Grant
ae36359058 C#: Fix typementions of arrays. 2019-08-29 18:11:00 +01:00
Geoffrey White
ed53aef4dd CPP: Deprecate the two old queries. 2019-08-29 17:47:42 +01:00
Geoffrey White
7c14c68486 CPP: Add a new, combined Japanese era query. 2019-08-29 17:47:42 +01:00
Geoffrey White
b441b65918 CPP: Give the two japanese era queries unique @names. 2019-08-29 17:47:42 +01:00
Nick Rolfe
36b42def1c Merge pull request #1841 from ian-semmle/valuetext
C++: Split valuetext off into its own table
2019-08-29 17:42:14 +01:00
Geoffrey White
11da14c5f2 Merge pull request #1838 from jbj/leap-year-name
C++: Change name of UncheckedReturnValueForTimeFunctions.ql
2019-08-29 17:32:31 +01:00
Mark Shannon
4f172bd075 Python: Add change note for CWE-312 queries. 2019-08-29 16:05:11 +01:00
Mark Shannon
989d7aeace Merge branch 'master' into python-cwe-312 2019-08-29 15:57:49 +01:00
Mark Shannon
d096644773 Python docs: Fix typos and rst formatting issue. 2019-08-29 15:55:05 +01:00
Geoffrey White
1215da2d6c Merge pull request #1827 from jbj/sbb-tidy
C++: Tidy up SubBasicBlocks.qll
2019-08-29 15:42:40 +01:00
Geoffrey White
a84f19238b CPP: Add a scoped enum example. 2019-08-29 15:38:17 +01:00
Ian Lynagh
c08eb7e8c7 C++: Tweak the getValueText() code 2019-08-29 14:59:05 +01:00
james
0b31ca46b1 docs: fix speaker note bug 2019-08-29 14:55:02 +01:00
Jonas Jensen
be7be1fb38 C++: Improve name/descr. of leap year queries 2019-08-29 15:53:51 +02:00
Mark Shannon
22f55d25c2 Python taint-tracking. Reorder columns in some tests for easier comprehension of expected output. 2019-08-29 14:36:10 +01:00
Mark Shannon
e51b797c03 Python taint-tracking. Add an adapter for old 'dataflow config'. 2019-08-29 14:30:09 +01:00
Mark Shannon
179f4ee88f Python taint-tracking: Add documented example test. 2019-08-29 13:03:58 +01:00
Tom Hvitved
982f90dc2b C#: Refactor local data flow step relations 2019-08-29 13:35:19 +02:00
james
387147ede2 docs: fix include in data flow slides 2019-08-29 11:53:19 +01:00
semmle-qlci
f980d20d6d Merge pull request #1809 from hvitved/csharp/cfg/tests
Approved by calumgrant
2019-08-29 11:35:21 +01:00
james
b89f0161aa docs: make use of includes for local and global data flow slides 2019-08-29 11:03:45 +01:00
james
ec9ca6852b docs: add template slide deck 2019-08-29 11:03:45 +01:00
Mark Shannon
10fddbc19b Python new taint-tracking: Fix some typos and clarify documentation. 2019-08-29 11:03:35 +01:00
james
7fa7f2dd65 docs: add rst versions of java slide decks and improve a few c++ slides 2019-08-29 11:03:19 +01:00
Ian Lynagh
28832c9021 C++: Add a comment 2019-08-29 10:32:34 +01:00
Mark Shannon
5bb528d236 Python taint-tracking: Fix performance of 'flowsTo' and 'testEvaluates'. 2019-08-29 10:31:50 +01:00
Mark Shannon
3872c7a1f9 Python taint-tracking. Rework handling of sequences and dicts of taint for performance. 2019-08-29 10:31:50 +01:00
Mark Shannon
a36453b2e2 Python taint-tracking. Fix performance for a couple of predicates. 2019-08-29 10:31:50 +01:00
Mark Shannon
76c11c4575 Python: Update a test result. 2019-08-29 10:31:50 +01:00
Mark Shannon
45abe09494 Python taint-tracking: Improve layout and documentation. 2019-08-29 10:31:50 +01:00
Mark Shannon
91aefab7aa Python: Reorganise code a bit to minimize diff for PR. 2019-08-29 10:31:50 +01:00
Mark Shannon
e5900921e7 Python taint-tracking: Remove warnings from test output. 2019-08-29 10:31:50 +01:00
Mark Shannon
691165d1c6 Python: Check-in two missing files. 2019-08-29 10:31:50 +01:00
Mark Shannon
c7ec5690a5 Python taint-tracking: make sure all features of legacy extensions are supported. 2019-08-29 10:31:50 +01:00
Mark Shannon
64c160b75c Python taint-tracking: Fix ambiguous flow through class instantiation. Tweak the path query to ensure edge to sink is always present. 2019-08-29 10:31:50 +01:00
Mark Shannon
d31e55f88e Python taint-tracking: Avoid ambiguous flows through calls. Fix up tests. 2019-08-29 10:31:50 +01:00
Mark Shannon
78ce19678a Python taint-tracking: Fix up SQL injection query. 2019-08-29 10:31:50 +01:00
Mark Shannon
3f8066878a Python taint-tracking: Fix up handling of contexts for __init__ and for context-free taints. 2019-08-29 10:31:50 +01:00
Mark Shannon
fe9c9d479d Python taint-tracking. Fix bug in legacy API. 2019-08-29 10:31:50 +01:00
Mark Shannon
7c4a18eee3 Python taint-tracking: Fix up handling of legacy (config-less) taint-tracking 2019-08-29 10:31:50 +01:00
Mark Shannon
2d9d292ee4 Python: Fix up pi-node handling in taint-tracking. 2019-08-29 10:31:50 +01:00
Mark Shannon
955e54b360 Python: Update unitialized local to use new taint-tracking config. 2019-08-29 10:31:50 +01:00
Mark Shannon
24b4a4102c Python taint-tracking: Further enhancements to new implementation for better debugging and backwards compatibility. 2019-08-29 10:31:50 +01:00
Mark Shannon
1addfaac1a Python taint-tracking: update test results. 2019-08-29 10:31:50 +01:00
Mark Shannon
a7845ae0e1 Python taint-tracking: Remove old implementation. 2019-08-29 10:31:50 +01:00
Mark Shannon
133909d7fe Python taint-tracking: Lengthen steps to better conform to old edge relation. 2019-08-29 10:31:50 +01:00
Mark Shannon
da6a66975c Python taint-tracking. Further improvements to new taint-tracking. 2019-08-29 10:31:50 +01:00
Mark Shannon
74f1dd3ec0 Python taint-tracking. Add some tests and fix up various parts of the implementation. 2019-08-29 10:31:50 +01:00
Mark Shannon
eed2090168 Python taint-tracking. Fill in most of new configuration-base taint-tracking implementation. 2019-08-29 10:31:47 +01:00
Mark Shannon
e8bd9e7341 Python: Add new API for taint-tracking configuration. As yet, unsupported. 2019-08-29 10:27:08 +01:00
Anders Schack-Mulligen
ae98d4fd8e Java: Change extension point to use a unit type. 2019-08-29 11:05:45 +02:00
Calum Grant
d2bee79370 Merge pull request #1600 from AndreiDiaconu1/ircsharp
C#: Initial port of IR for C#
2019-08-29 09:26:34 +01:00
Ian Lynagh
395197432f C++: Update stats for valuetext 2019-08-28 22:52:14 +01:00
Rebecca Valentine
36f99c19bc Merge pull request #1840 from markshannon/python-better-hasattribute-handling
Python: Add 'hasAttribute' predicate to ObjectInternal and Value.
2019-08-28 10:45:44 -07:00
Rebecca Valentine
cac775880f Merge pull request #1839 from markshannon/python-rationalize-library
Python: rationalize library a bit.
2019-08-28 10:15:36 -07:00
Rebecca Valentine
602b99e01f Merge pull request #1834 from markshannon/python-verify-unreachable-code
Python: Add test to verify fix.
2019-08-28 10:15:26 -07:00
Rebecca Valentine
ac78d10277 Merge pull request #1821 from markshannon/python-speedup-binary-points-to
Python points-to: Speed up binaryPointsTo predicate.
2019-08-28 10:14:40 -07:00
Mark Shannon
5892ce2a2b Python: Implement 'hasAttribute()' on ObjectInternal and use it to implement the same predicate on Value, ModuleObject and ClassObject. 2019-08-28 17:18:25 +01:00
Geoffrey White
2e0c1af6c4 Merge pull request #1836 from jbj/xheader-undef
C++: Support x-macros that are #undef'ed in header
2019-08-28 17:16:50 +01:00
Ian Lynagh
cc031183bc C++: Add an upgrade script 2019-08-28 16:06:28 +01:00
AndreiDiaconu1
deeff07322 Fixed unused predicate error 2019-08-28 15:50:39 +01:00
Mark Shannon
f64f6e6d2e Python: Move classes for lists of AST nodes into AstExtended.qll 2019-08-28 15:43:02 +01:00
Tom Hvitved
853a3aa998 Merge pull request #1799 from aschackmull/java/fieldflow-perf
Java/C++/C#: Improve performance of data flow with fields.
2019-08-28 16:30:25 +02:00
Geoffrey White
fbeed9113b Merge pull request #1837 from jbj/change-note-1.23
C++: New empty change-notes file for 1.23
2019-08-28 14:57:47 +01:00
Ian Lynagh
6d18b4e894 C++: If we don't have a valuetext, then see if one of our conversions does 2019-08-28 14:49:51 +01:00
Mark Shannon
97f9920a69 Python: Move NameNode class in Flow.qll with other CFG classes. 2019-08-28 14:39:27 +01:00
Mark Shannon
68da13cdc2 Python remove a couple of small AST related modules, moving contents to more appropriate modules. 2019-08-28 14:28:04 +01:00
Ian Lynagh
95794f9227 C++: Handle values with no valuetext 2019-08-28 14:27:08 +01:00
AndreiDiaconu1
489dbe1d01 Fixed errors
Added some new classes for built in operations that for the moment
have no effect (added to remove errors)
2019-08-28 14:23:42 +01:00
Ian Lynagh
754612d257 C++: Split valuetext off into its own table 2019-08-28 14:09:13 +01:00
Luke Cartey
1669d283fe Merge pull request #1795 from aschackmull/java/localexprflow
Java: Add localExprFlow and localExprTaint.
2019-08-28 14:04:49 +01:00
Jonas Jensen
d4f8e73a66 C++: Change name of UncheckedReturn...Functions.ql
The previous name was identical to the name of
`Adding365DaysPerYear.ql`. It may have been a copy-paste error.
2019-08-28 14:05:31 +02:00
Jonas Jensen
c8a9ec465e C++: New change-notes file for 1.23 2019-08-28 13:36:57 +02:00
AndreiDiaconu1
05ae04df72 Synced files 2019-08-28 12:30:17 +01:00
AndreiDiaconu1
66948b4f57 Fixed PR errors 2019-08-28 12:25:14 +01:00
AndreiDiaconu1
c74898ec9f Synced files
Synced the files that are needed for this PR
2019-08-28 12:25:14 +01:00
AndreiDiaconu1
7390606370 Tidy up + more comment
Tidied up the code for review
Added more comments
2019-08-28 12:25:14 +01:00
AndreiDiaconu1
0c6ffc9f4d Casts and IsExpr
Fixed some inconsistencies with casts
Fixed some bugs related to which translated elements need loads
Added support for IsExpr expressions
2019-08-28 12:25:14 +01:00
AndreiDiaconu1
c8a3f6fac8 Added cast exprs + deleted commented code 2019-08-28 12:25:14 +01:00
AndreiDiaconu1
34bafa7230 Fixed sanity checks
Fixed a bug in `TranslatedArrayExpr` that would prevent the element to produce the correct instruction result, hence creating problems with loads and stores.
`ElementsAddress` opcode now inherits from the `UnaryOpcode`, as it should.
2019-08-28 12:25:14 +01:00
AndreiDiaconu1
23694bdd14 Work on classes + refactor
Began working o inheritance, polymorphism and constructor init. Correct code is produced for them (though some more work is needed to accurately treat conversions between classes).
Removed commented code.
Added classes to properly deal with constructor init and modified and refactored TranslatedFunction to accomodate for the changes.
2019-08-28 12:25:14 +01:00
AndreiDiaconu1
9018b25177 Properties
Properties and property access produce correct code.
Fixed a function qualifier bug in `TranslatedCall.qll`.
Added a new class to translate `ExprStmt`s whose expr is an `AssignExpr` whose lvalue is an accessor call: we translate only the accessor call in for the translated AST.
2019-08-28 12:25:14 +01:00
AndreiDiaconu1
1acabc7d87 Jump statements
Broke down the class `TranslatedJump` to have more control on the IR control flow.
Now GotoLabelStmt, GotoCaseStmt, GotoDefaultStmt and BreakStmt are translated separately.
This also fixes an issue when having a switch as the last statement of a void function would create an incorrect CFG.
2019-08-28 12:25:13 +01:00
AndreiDiaconu1
2724075dec Added stmts
Added support for `ForStmt` and `DoWhileStmt`
Added test cases
2019-08-28 12:25:13 +01:00
AndreiDiaconu1
b6287b904c Preliminary refactoring
Some preliminary refactoring of the TranslatedDeclaration.qll file
2019-08-28 12:25:13 +01:00
AndreiDiaconu1
1e4b3fafb6 Updated expected for crement ops 2019-08-28 12:25:13 +01:00
AndreiDiaconu1
940ba694d2 Arithmetic increment and decrement expressions
Correct code is now produced for increment and decrement expressions
Modified producesExprResult() and TTranslatedLoad() so that no loads are done from outside the crement exprs and that the VariableAddress generated from the access of the operator variable is recognized as an expr that produces result.
2019-08-28 12:25:13 +01:00
AndreiDiaconu1
3bc6456572 Work on throw statements, bug fixes, small refactor.
Throw statements now give correct code, apart from the case of rethrows: need to make explicit the fact that a finally block is executed even if stack unwinding happens.
Added 2 new classes to TranslatedStmt.qll, one for throws that have an exception, one for rethrows.
Fixed a bug in TranslatedDeclarationEntry.qll where some local declaration would be missed.
Changed toString into getQualifiedName for more clarity when generating the instructions in Instruction.qll.
Some general refactoring in TranslatedExpr.qll and TranslatedStmt.qll.
2019-08-28 12:25:13 +01:00
AndreiDiaconu1
b90bc96cb5 Objects tests and fix in PrintIR
Added tests to showcase the instructions generated for object creation and object initialization
Updated raw_ir.expected
PrintIR now uses the qualified name (with types) when printing the IR for more clarity
2019-08-28 12:25:13 +01:00
Andrei Diaconu
8661074fc3 Object creation and initialization + refactoring
Correct code is now generated from ObjectCreation exprs and ObjectInitializer exprs.
Removed TranslatedFieldInitialization and its subclasses and further refactored TranslatedInitialization
2019-08-28 12:25:13 +01:00
Andrei Diaconu
dae37e5472 Fixed bugs, updated tests
Fixed a bug in TranslatedExpr: decl + init where the rhs is a reference now work as expected
Uncommented the code for the switch statement
2019-08-28 12:25:13 +01:00
Andrei Diaconu
be01b031b0 Fixed and refactored code for arrays
Introduced 2 new tags to support multidimensional arrays
Multidimensional arrays produce correct code
All types of initializations for arrays work correctly
2019-08-28 12:25:13 +01:00
Andrei Diaconu
35b028e626 Initial work for objects and statements
Objects now work, although I will refactor the code quite a bit for clarity
If and while statements now produce good code
Began work on try statements
2019-08-28 12:25:13 +01:00
Andrei Diaconu
4462babc0b Added support for switch stmt (CS 6.0 style) 2019-08-28 12:25:13 +01:00
AndreiDiaconu1
de6f547088 Synced more files 2019-08-28 12:25:13 +01:00
AndreiDiaconu1
49777636aa Applied the review comments 2019-08-28 12:25:13 +01:00
AndreiDiaconu1
ffb22bfff8 Locatable -> Language::AST 2019-08-28 12:25:13 +01:00
Andrei Diaconu
9105641741 Update csharp/ql/src/semmle/code/csharp/ir/IRSanity.ql
Co-Authored-By: Dave Bartolomeo <42150477+dave-bartolomeo@users.noreply.github.com>
2019-08-28 12:25:13 +01:00
Andrei Diaconu
81d8905a0f Update csharp/ql/src/semmle/code/csharp/ir/PrintIR.ql
Co-Authored-By: Dave Bartolomeo <42150477+dave-bartolomeo@users.noreply.github.com>
2019-08-28 12:25:13 +01:00
Andrei Diaconu
ce06bd8af3 Update csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.ql
Co-Authored-By: Dave Bartolomeo <42150477+dave-bartolomeo@users.noreply.github.com>
2019-08-28 12:25:13 +01:00
Andrei Diaconu
d8f8b47605 Update csharp/ql/src/semmle/code/csharp/ir/implementation/raw/PrintIR.ql
Co-Authored-By: Dave Bartolomeo <42150477+dave-bartolomeo@users.noreply.github.com>
2019-08-28 12:25:13 +01:00
Dave Bartolomeo
073812b6f1 Rename Cpp -> CSharp 2019-08-28 12:25:13 +01:00
Dave Bartolomeo
609ca034c0 C#/C++: Share IR implementation 2019-08-28 12:25:13 +01:00
Andrei Diaconu
50ba4d1fda Deleted folder 2019-08-28 12:25:13 +01:00
Andrei Diaconu
45455a12d6 Fixed function calls
Function calls now produce correct code.
Added 2 test cases to showcase this.
2019-08-28 12:25:13 +01:00
Andrei Diaconu
26bf7e116d Arrays fixed, simple variable initialization fixed.
Correct code is now generated for array initialization and element access.
Created a new binary Opcode, `IndexedElementAddress`, used to get the address of an array element, similar to how CIL does it.
Fixed simple variable initialization.
2019-08-28 12:25:13 +01:00
Andrei Diaconu
2a41e7b5c0 Fixed issues mentioned in the PR comments
Modified _.getCallable() to _.getFunction()
Deleted both *ssa folders from ir/implementation
Deleted the ValueCategory.qll file
2019-08-28 12:25:13 +01:00
Andrei Diaconu
aea0356994 Fixed var addressing and other changes
Now variables addressing correctly gets translated
Added a new test case to showcase this
Changed VoidType to ObjectType for the type of the 2 instructions
generated by as the prelude of a translated function
(UnmodeledDefinition and AliasedDefinition)
2019-08-28 12:25:13 +01:00
Andrei Diaconu
7ef9bf6eea Fixed whitespace errors in PR 2019-08-28 12:25:13 +01:00
Andrei Diaconu
025d68f07a General tidy up and refactor
Refactored the C++ specific names
Tidied the code
Updated TODOs
2019-08-28 12:25:13 +01:00
Andrei Diaconu
c733bc0ae9 Functional basic porting
Ported basic functionalities from the C++ IR
Added a simple test that passes the IR sanity check and produces
sensible IR (together with the .expected files) to the C# test folder
2019-08-28 12:25:13 +01:00
Andrei Diaconu
fc69c1201d Initial copy of C++ IR with some modifications 2019-08-28 12:25:13 +01:00
Jonas Jensen
2c253f360a C++: Support x-macros that are #undef'ed in header
This fixes a false positive on https://github.com/zduka/tpp.
2019-08-28 13:03:16 +02:00
Jonas Jensen
e7dfb3e61b C++: Test for x-macro FP observed in the wild 2019-08-28 13:03:09 +02:00
Mark Shannon
1c8ce418d9 Python: Add test to confirm #1212 is fixed. 2019-08-28 12:01:04 +01:00
Max Schaefer
78ce290de3 JavaScript: Fix DomMethodCallExpr.interpretsArgumentsAsHTML. 2019-08-28 11:22:03 +01:00
Jonas Jensen
8c610e4f68 C++: Don't use deprecated interface in test 2019-08-28 08:31:05 +02:00
Jonas Jensen
b98d6379e9 C++: Restore and deprecate getPosInBasicBlock
This predicte was still used in a test, so it might be used in external
code too.
2019-08-28 08:29:06 +02:00
Mark Shannon
dafed6b93e Python docs: remove confusing reference to SSA as 'dataflow' and add a reference to the taint-tracking library from the library overview page. 2019-08-27 14:45:33 +01:00
Mark Shannon
562f4ef604 Python docs: Remove all references to ClassExpr and FunctionExpr; we want to remove them eventually. 2019-08-27 14:20:08 +01:00
Mark Shannon
6edf9efe1b Python docs: Replace remaining references to old 'Object' API are replaced by new 'Value' API. 2019-08-27 14:15:27 +01:00
Jonas Jensen
4cae5917cb C++: Remove one nomagic and explain the other 2019-08-26 21:48:18 +02:00
Jonas Jensen
2332dada1a C++: s/pos/index/ in SubBasicBlocks 2019-08-26 21:35:58 +02:00
Jonas Jensen
92c354e8e8 C++: Simplify SubBasicBlock::getNumberOfNodes 2019-08-26 21:11:42 +02:00
Jonas Jensen
2b94bb9eda C++: Use the word "rank" to denote a rank
Previously, the word "position" was used ambiguously in this library.
2019-08-26 16:13:08 +02:00
Jonas Jensen
17ee3f555c C++: Sync the two copies of SubBasicBlocks.qll
These files are now added to `identical-files.json` so they will remain
in sync.
2019-08-26 16:01:36 +02:00
Ziemowit Laski
7f00d3fdf3 [PR/1660] Fix up charpred. 2019-08-25 20:34:18 -07:00
Ziemowit Laski
161b0e2f5b [PR/1660] Rename BuiltinVarList to BuiltinVarArgsList. 2019-08-25 19:44:37 -07:00
Ziemowit Laski
18611bcfb4 [CPP-387] Remove duplicate EnumConstant entry. 2019-08-25 16:42:06 -07:00
Ziemowit Laski
b3730a0955 [CPP-387] Remove duplicate FriendDecl entry. 2019-08-25 16:40:44 -07:00
Ziemowit Laski
c29b63809b [CPP-387] Add ClassDerivatio, VirtualClassDerivation, ExprCall. Remove ParenthesizedBracedInitializerList. 2019-08-25 16:37:59 -07:00
Mark Shannon
9b1fbac929 Python points-to: Speed up binaryPointsTo predicate. 2019-08-25 15:14:42 +01:00
Mark Shannon
8909c3d6ab Python: Fix tags and message for CWE-312 queries. 2019-08-23 15:20:19 +01:00
Tom Hvitved
16f40fd45a C#: Consolidate CFG tests 2019-08-23 15:25:01 +02:00
Anders Schack-Mulligen
2bea0a459a Java/C++/C#: Sync. 2019-08-23 11:34:17 +02:00
Anders Schack-Mulligen
6e97f22b43 Java/C++/C#: Improve performance of pruning in field flow. 2019-08-23 11:32:45 +02:00
Tom Hvitved
c5d9d74c0a C#: Nested field flow 2019-08-23 09:25:05 +02:00
Ziemowit Laski
e6f7f16aee [CPP-387] Address more feedback. 2019-08-22 17:52:12 -07:00
Taus Brock-Nannestad
92f48191c2 Update test results for UndefinedGlobal.ql. 2019-08-22 17:53:36 +02:00
Anders Schack-Mulligen
ef0c6d01eb Java: Add a global extension point for taint steps. 2019-08-22 16:38:59 +02:00
Taus Brock-Nannestad
b82ebf2a37 Add tests. 2019-08-22 16:30:14 +02:00
Mark Shannon
4759044ee4 Python tests: Fix up tests for CWE-312 to not use external locations. 2019-08-22 15:27:49 +01:00
Mark Shannon
9df205b288 Python tests: Fix up CWE-327 tests to use new sensitive-data library. 2019-08-22 15:27:48 +01:00
Mark Shannon
6cd0087d9d Python: Use Value API for sensitive data analysis. 2019-08-22 15:27:48 +01:00
Mark Shannon
81c65cd37c Add missing html tag 2019-08-22 15:27:48 +01:00
Mark Shannon
816938369e Python: Add tests for clear-text storage and logging. 2019-08-22 15:27:48 +01:00
Mark Shannon
15bb8b5f70 Python add new queries for clear-text logging and storage. 2019-08-22 15:27:48 +01:00
Mark Shannon
79ebd5652a Python: Add library support for cookies. Update and extend sensitive data library. 2019-08-22 15:27:48 +01:00
Taus Brock-Nannestad
b9ef8a0526 Python: Extend hasAttribute to unknown-but-defined module variables. 2019-08-22 16:22:53 +02:00
Anders Schack-Mulligen
3aedadcb35 Java: Add localExprFlow and localExprTaint. 2019-08-22 11:25:23 +02:00
Ziemowit Laski
f3fc1be6fc [CPP-387] Address review comments; some line reordering. 2019-08-21 17:14:14 -07:00
Ziemowit Laski
d102b66af1 [CPP-387] Finished multi-line syntax examples. Awaiting feedback. 2019-08-20 16:08:39 -07:00
Ziemowit Laski
d9b0b64af1 [CPP-387] Begin pretty-printing code examples. 2019-08-19 20:52:40 -07:00
Geoffrey White
abd4d39710 CPP: Examples NameQualifiers.qll. 2019-08-19 15:06:39 +01:00
Geoffrey White
3eec627321 CPP: Add a test of NameQualifiableElement and NameQualifyingElement. 2019-08-19 15:05:50 +01:00
Ziemowit Laski
52cd025c2d Incorporate PR feedback. 2019-08-14 22:06:45 -07:00
Ziemowit Laski
7f42dd2a08 More minor tweaks. File is now in new location. 2019-08-14 14:36:58 -07:00
Ziemowit Laski
72e6d18d36 Merge branch 'master' of git.semmle.com:Semmle/ql
git pull upstream master
2019-08-14 12:31:04 -07:00
Ziemowit Laski
7d93cd0b92 Merge branch 'zlaski-semmle-zlaski/cpp387'
Conflict resolution step as per GitHub PR page
2019-08-13 18:29:21 -07:00
Ziemowit Laski
2522529cdb Merge branch 'zlaski/cpp387' of https://github.com/zlaski-semmle/ql into zlaski-semmle-zlaski/cpp387
Conflict resolution step as per GitHub PR page
2019-08-13 18:27:56 -07:00
Ziemowit Laski
8a58a1939e Combine adjacent elements with the same formatting. 2019-08-13 18:15:38 -07:00
zlaski
a69b26c7f8 [CPP-386] A few more. 2019-08-13 17:52:38 -07:00
zlaski
23776c5290 [CPP-386] Minor tweaks. 2019-08-13 17:18:10 -07:00
zlaski
0dbc8e3950 [CPP-386] Closer to finality. 2019-08-13 16:35:27 -07:00
Ziemowit Laski
50813541f4 Squelch Jenkins error (hopefully).
More progress.  Attempts to create bold monospace have failed.
2019-08-12 14:19:36 -07:00
Ziemowit Laski
e98ff57e6f Progress. 2019-08-12 08:53:36 -07:00
Ziemowit Laski
6eda7f354a Remove builtin functions and macros; minor fixes and tweaks. 2019-08-09 13:06:14 -07:00
Ziemowit Laski
810c884921 Rough first draft of final document. 2019-08-08 14:48:19 -07:00
Ziemowit Laski
1a3a2871dc More declarations. 2019-08-07 19:37:24 -07:00
Ziemowit Laski
f734d7e281 [CPP-387] Incremental progress. 2019-08-05 13:22:20 -07:00
Ziemowit Laski
0ca6d0c1b9 [CPP-387] Start on Declarations section. 2019-08-02 16:07:55 -07:00
Ziemowit Laski
94ccc5fa73 [CPP-387] Fill in a few more types. Remove the Superclass column as it is redundant and may lead to documentation inconsistencies. 2019-08-01 16:27:06 -07:00
Ziemowit Laski
4aa9049c47 [CPP-387] Finished declarations, started on types. 2019-08-01 14:51:17 -07:00
Ziemowit Laski
4afd6587e4 [CPP-387] Have almost all expressions done... 2019-07-31 19:57:46 -07:00
Ziemowit Laski
78ebdad1ea Add a __builtin_va_list type, to complement __builtin_va_*
expressions.
2019-07-30 16:36:37 -07:00
Ziemowit Laski
2a12bf8e62 [CPP-387] Add placeholder for declarations. 2019-07-30 15:55:04 -07:00
Ziemowit Laski
49adba0b51 [CPP-387] Create a new PR against new location of introduce-libraries-cpp.rst. 2019-07-30 12:32:01 -07:00
Jonas Jensen
2ea0d54490 C++: wording: "in LGTM", not "on"
Co-Authored-By: semmledocs-ac <42443977+semmledocs-ac@users.noreply.github.com>
2019-07-10 11:36:30 +02:00
Jonas Jensen
83e618d49e C++: Make cpp/comparison-with-wider-type visible
The results from this query look good on real-world projects, so let's
make it visible by default.
2019-07-09 14:48:36 +02:00
3116 changed files with 166368 additions and 73875 deletions

5
.codeqlmanifest.json Normal file
View File

@@ -0,0 +1,5 @@
{ "provide": [ "*/ql/src/qlpack.yml",
"*/upgrades/qlpack.yml",
"misc/legacy-support/*/qlpack.yml",
"misc/suite-helpers/qlpack.yml",
"codeql/.codeqlmanifest.json" ] }

View File

@@ -0,0 +1,24 @@
---
name: LGTM.com - false positive
about: Tell us about an alert that shouldn't be reported
title: LGTM.com - false positive
labels: false-positive
assignees: ''
---
**Description of the false positive**
<!-- Please explain briefly why you think it shouldn't be included. -->
**URL to the alert on the project page on LGTM.com**
<!--
1. Open the project on LGTM.com.
For example, https://lgtm.com/projects/g/pallets/click/.
2. Switch to the `Alerts` tab. For example, https://lgtm.com/projects/g/pallets/click/alerts/.
3. Scroll to the alert that you would like to report.
4. Click on the right most icon `View this alert within the complete file`.
5. A new browser tab opens. Copy and paste the page URL here.
For example, https://lgtm.com/projects/g/pallets/click/snapshot/719fb7d8322b0767cdd1e5903ba3eb3233ba8dd5/files/click/_winconsole.py#xa08d213ab3289f87:1.
-->

14
.github/ISSUE_TEMPLATE/ql---general.md vendored Normal file
View File

@@ -0,0 +1,14 @@
---
name: General issue
about: Tell us if you think something is wrong or if you have a question
title: General issue
labels: question
assignees: ''
---
**Description of the issue**
<!-- Please explain briefly what is the problem.
If it is about an LGTM project, please include its URL.-->

3
.gitignore vendored
View File

@@ -12,3 +12,6 @@
# Visual studio temporaries, except a file used by QL4VS
.vs/*
!.vs/VSWorkspaceSettings.json
# It's useful (though not required) to be able to unpack codeql in the ql checkout itself
/codeql/

View File

@@ -2,9 +2,9 @@
/java/ @Semmle/java
/javascript/ @Semmle/js
/cpp/ @Semmle/cpp-analysis
/cpp/**/*.qhelp @semmledocs-ac
/cpp/**/*.qhelp @hubwriter
/csharp/**/*.qhelp @jf205
/java/**/*.qhelp @felicity-semmle
/javascript/**/*.qhelp @mc-semmle
/python/**/*.qhelp @felicity-semmle
/docs/language/ @felicity-semmle @jf205
/java/**/*.qhelp @felicitymay
/javascript/**/*.qhelp @mchammer01
/python/**/*.qhelp @felicitymay
/docs/language/ @shati-patel @jf205

View File

@@ -36,6 +36,7 @@
| Shift out of range (`js/shift-out-of-range`| Fewer false positive results | This rule now correctly handles BigInt shift operands. |
| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer false-positive results. | This rule no longer flags calls to placeholder functions that trivially throw an exception. |
| Undocumented parameter (`js/jsdoc/missing-parameter`) | No changes to results | This rule is now run on LGTM, although its results are still not shown by default. |
| Missing space in string concatenation (`js/missing-space-in-concatenation`) | Fewer false positive results | The rule now requires a word-like part exists in the string concatenation. |
## Changes to QL libraries

View File

@@ -0,0 +1,56 @@
# Improvements to C/C++ analysis
The following changes in version 1.23 affect C/C++ analysis in all applications.
## General improvements
## New queries
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail. This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------------------------------------------------------------|
| Query name (`query id`) | Expected impact | Message. |
| Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
| Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`) | Deprecated | This query has been deprecated. Use the new combined query Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) instead. |
| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | More correct results | This query now checks for the beginning date of the Reiwa era (1st May 2019). |
| Sign check of bitwise operation (`cpp/bitwise-sign-check`) | Fewer false positive results | Results involving `>=` or `<=` are no longer reported. |
| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. |
| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. |
## Changes to QL libraries
* The data-flow library has been extended with a new feature to aid debugging.
Instead of specifying `isSink(Node n) { any() }` on a configuration to
explore the possible flow from a source, it is recommended to use the new
`Configuration::hasPartialFlow` predicate, as this gives a more complete
picture of the partial flow paths from a given source. The feature is
disabled by default and can be enabled for individual configurations by
overriding `int explorationLimit()`.
* The data-flow library now supports flow out of C++ reference parameters.
* The data-flow library now allows flow through the address-of operator (`&`).
* The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a
definition of `x` when `x` is a variable of pointer type. It no longer
considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
changes are in line with the user expectations we've observed.
* The data-flow library now makes it easier to specify barriers/sanitizers
arising from guards by overriding the predicate
`isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
configurations respectively.
* There is now a `DataFlow::localExprFlow` predicate and a
`TaintTracking::localExprTaint` predicate to make it easy to use the most
common case of local data flow and taint: from one `Expr` to another.
* The member predicates of the `FunctionInput` and `FunctionOutput` classes have been renamed for
clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates
have been deprecated, and will be removed in a future release. Code that uses the old member
predicates should be updated to use the corresponding new member predicate.
* The control-flow graph is now computed in QL, not in the extractor. This can
lead to regressions (or improvements) in how queries are optimized because
optimization in QL relies on static size estimates, and the control-flow edge
relations will now have different size estimates than before.

View File

@@ -0,0 +1,49 @@
# Improvements to C# analysis
The following changes in version 1.23 affect C# analysis in all applications.
## New queries
## New queries
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|------------------------------|------------------------|-----------------------------------|
| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Fewer false positive results | More `null` checks are now taken into account, including `null` checks for `dynamic` expressions and `null` checks such as `object alwaysNull = null; if (x != alwaysNull) ...`. |
| Missing Dispose call on local IDisposable (`cs/local-not-disposed`) | Fewer false positive results | The query has been rewritten in order to identify more dispose patterns. For example, a local `IDisposable` that is disposed of by passing through a fluent API is no longer reported. |
## Removal of old queries
## Changes to code extraction
* `nameof` expressions are now extracted correctly when the name is a namespace.
## Changes to QL libraries
* The new class `NamespaceAccess` models accesses to namespaces, for example in `nameof` expressions.
* The data-flow library now makes it easier to specify barriers/sanitizers
arising from guards by overriding the predicate
`isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
configurations respectively.
* The data-flow library has been extended with a new feature to aid debugging.
Instead of specifying `isSink(Node n) { any() }` on a configuration to
explore the possible flow from a source, it is recommended to use the new
`Configuration::hasPartialFlow` predicate, as this gives a more complete
picture of the partial flow paths from a given source. The feature is
disabled by default and can be enabled for individual configurations by
overriding `int explorationLimit()`.
* `foreach` statements where the body is guaranteed to be executed at least once, such as `foreach (var x in new string[]{ "a", "b", "c" }) { ... }`, are now recognized by all analyses based on the control flow graph (such as SSA, data flow and taint tracking).
* Fixed the control flow graph for `switch` statements where the `default` case was not the last case. This had caused the remaining cases to be unreachable. `SwitchStmt.getCase(int i)` now puts the `default` case last.
* There is now a `DataFlow::localExprFlow` predicate and a
`TaintTracking::localExprTaint` predicate to make it easy to use the most
common case of local data flow and taint: from one `Expr` to another.
* Data is now tracked through null-coalescing expressions (`??`).
## Changes to autobuilder

View File

@@ -0,0 +1,30 @@
# Improvements to Java analysis
The following changes in version 1.23 affect Java analysis in all applications.
## New queries
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Continue statement that does not continue (`java/continue-in-false-loop`) | correctness | Finds `continue` statements in `do { ... } while (false)` loops. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|------------------------------|------------------------|-----------------------------------|
| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positives | Certain indirect null guards involving two auxiliary variables known to be equal can now be detected. |
| Non-synchronized override of synchronized method (`java/non-sync-override`) | Fewer false positives | Results are now only reported if the immediately overridden method is synchronized. |
| Query built from user-controlled sources (`java/sql-injection`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
| Query built from local-user-controlled sources (`java/sql-injection-local`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
| Useless comparison test (`java/constant-comparison`) | Fewer false positives | Additional overflow check patterns are now recognized and no longer reported. |
## Changes to QL libraries
* The data-flow library has been extended with a new feature to aid debugging.
Instead of specifying `isSink(Node n) { any() }` on a configuration to
explore the possible flow from a source, it is recommended to use the new
`Configuration::hasPartialFlow` predicate, as this gives a more complete
picture of the partial flow paths from a given source. The feature is
disabled by default and can be enabled for individual configurations by
overriding `int explorationLimit()`.

View File

@@ -0,0 +1,69 @@
# Improvements to JavaScript analysis
## General improvements
* Suppor for `globalThis` has been added.
* Support for the following frameworks and libraries has been improved:
- [firebase](https://www.npmjs.com/package/firebase)
- [mongodb](https://www.npmjs.com/package/mongodb)
- [mongoose](https://www.npmjs.com/package/mongoose)
- [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible)
* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
* TypeScript 3.6 features are supported.
## New queries
| **Query** | **Tags** | **Purpose** |
|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Unused index variable (`js/unused-index-variable`) | correctness | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
| Loop bound injection (`js/loop-bound-injection`) | security, external/cwe/cwe-834 | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. |
| Suspicious method name (`js/suspicious-method-name-declaration`) | correctness, typescript, methods | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
| Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
| Use of returnless function (`js/use-of-returnless-function`) | maintainability, correctness | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
| Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
| Unreachable method overloads (`js/unreachable-method-overloads`) | correctness, typescript | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
| Client-side cross-site scripting (`js/xss`) | More results, fewer false-positive results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized, and more sanitizers are detected. |
| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
| Hard-coded credentials (`js/hardcoded-credentials`) | Fewer false-positive results | This rule now flags fewer password examples. |
| Illegal invocation (`js/illegal-invocation`) | Fewer false-positive results | This rule now correctly handles methods named `call` and `apply`. |
| Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false-positive results | The query recognizes valid checks in more cases. |
| Network data written to file (`js/http-to-file-access`) | Fewer false-positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. |
| Password in configuration file (`js/password-in-configuration-file`) | Fewer false-positive results | This rule now flags fewer password examples. |
| Prototype pollution (`js/prototype-pollution`) | More results | The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default. |
| Reflected cross-site scripting (`js/reflected-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
| Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
| Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |
## Changes to QL libraries
* `Expr.getDocumentation()` now handles chain assignments.
## Removal of deprecated queries
The following queries (deprecated since 1.17) are no longer available in the distribution:
* Builtin redefined (js/builtin-redefinition)
* Inefficient method definition (js/method-definition-in-constructor)
* Bad parity check (js/incomplete-parity-check)
* Potentially misspelled property or variable name (js/wrong-capitalization)
* Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
* Invalid JSLint directive (js/jslint/invalid-directive)
* Malformed JSLint directive (js/jslint/malformed-directive)
* Use of HTML comments (js/html-comment)
* Multi-line string literal (js/multi-line-string)
* Octal literal (js/octal-literal)
* Reserved word used as variable name (js/use-of-reserved-word)
* Trailing comma in array or object expressions (js/trailing-comma-in-array-or-object)
* Call to parseInt without radix (js/parseint-without-radix)

View File

@@ -0,0 +1,22 @@
# Improvements to Python analysis
## General improvements
## New queries
| **Query** | **Tags** | **Purpose** |
|-----------|----------|-------------|
| Clear-text logging of sensitive information (`py/clear-text-logging-sensitive-data`) | security, external/cwe/cwe-312 | Finds instances where sensitive information is logged without encryption or hashing. Results are shown on LGTM by default. |
| Clear-text storage of sensitive information (`py/clear-text-storage-sensitive-data`) | security, external/cwe/cwe-312 | Finds instances where sensitive information is stored without encryption or hashing. Results are shown on LGTM by default. |
| Binding a socket to all network interfaces (`py/bind-socket-all-network-interfaces`) | security | Finds instances where a socket is bound to all network interfaces. Results are shown on LGTM by default. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------|
| Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |

View File

@@ -0,0 +1,23 @@
[[ condition: enterprise-only ]]
# Improvements to JavaScript analysis
## Changes to code extraction
* Asynchronous generator methods are now parsed correctly and no longer cause a spurious syntax error.
* Files in `node_modules` and `bower_components` folders are no longer extracted by default. If you still want to extract files from these folders, you can add the following filters to your `lgtm.yml` file (or add them to existing filters):
```yaml
extraction:
javascript:
index:
filters:
- include: "**/node_modules"
- include: "**/bower_components"
```
* Recognition of CommonJS modules has improved. As a result, some files that were previously extracted as
global scripts are now extracted as modules.
* Top-level `await` is now supported.
* A bug was fixed in how the TypeScript extractor handles default-exported anonymous classes.
* A bug was fixed in how the TypeScript extractor handles computed instance field names.

View File

@@ -3,4 +3,4 @@
Now that all of the QL documentation is in this repository,
notes on the languages, compilers, and frameworks supported have moved.
They're now stored as part of the Sphinx ``support`` project with the other documentation:
``docs/ql-documentation/support``.
``docs/language/support``.

View File

@@ -9,6 +9,7 @@
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll",
@@ -28,6 +29,8 @@
"TaintTracking::Configuration Java/C++/C#": [
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
@@ -36,45 +39,109 @@
"java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
"java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll"
],
"C++ SubBasicBlocks": [
"cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"
],
"IR Instruction": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll"
],
"IR IRBlock": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRBlock.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRBlock.qll"
],
"IR IRVariable": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRVariable.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRVariable.qll"
],
"IR IRFunction": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRFunction.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRFunction.qll"
],
"IR Operand": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll"
],
"IR IRType": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
],
"IR Operand Tag": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/internal/OperandTag.qll"
],
"IR TIRVariable":[
"cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/internal/TIRVariable.qll"
],
"IR IR": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IR.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IR.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IR.qll"
],
"IR IRSanity": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll"
],
"IR PrintIR": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/PrintIR.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/PrintIR.qll"
],
"IR IntegerConstant": [
"cpp/ql/src/semmle/code/cpp/ir/internal/IntegerConstant.qll",
"csharp/ql/src/semmle/code/csharp/ir/internal/IntegerConstant.qll"
],
"IR IntegerInteval": [
"cpp/ql/src/semmle/code/cpp/ir/internal/IntegerInterval.qll",
"csharp/ql/src/semmle/code/csharp/ir/internal/IntegerInterval.qll"
],
"IR IntegerPartial": [
"cpp/ql/src/semmle/code/cpp/ir/internal/IntegerPartial.qll",
"csharp/ql/src/semmle/code/csharp/ir/internal/IntegerPartial.qll"
],
"IR Overlap": [
"cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll",
"csharp/ql/src/semmle/code/csharp/ir/internal/Overlap.qll"
],
"IR EdgeKind": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/EdgeKind.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/EdgeKind.qll"
],
"IR MemoryAccessKind": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/MemoryAccessKind.qll"
],
"IR TempVariableTag": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/TempVariableTag.qll"
],
"IR Opcode": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
],
"C++ IR InstructionImports": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
@@ -106,22 +173,39 @@
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
],
"C++ SSA SSAConstructionImports": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
],
"C++ SSA AliasAnalysis": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
],
"C++ SSA SSAConstruction": [
"C++ IR ValueNumberingImports": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
],
"IR SSA SimpleSSA": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
],
"IR SSA SSAConstruction": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
],
"C++ SSA PrintSSA": [
"IR SSA PrintSSA": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
],
"C++ IR ValueNumber": [
"IR ValueNumber": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
],
"C++ IR ConstantAnalysis": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -148,5 +232,33 @@
"C++ IR PrintDominance": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
],
"C# IR InstructionImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/InstructionImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
],
"C# IR IRImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRImports.qll"
],
"C# IR IRBlockImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRBlockImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
],
"C# IR IRVariableImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/IRVariableImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
],
"C# IR OperandImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/OperandImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
],
"C# IR PrintIRImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
],
"C# IR ValueNumberingImports": [
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
]
}

View File

@@ -16,64 +16,56 @@ class SuppressionComment extends CppStyleComment {
SuppressionComment() {
text = getContents().suffix(2) and
( // match `lgtm[...]` anywhere in the comment
(
// match `lgtm[...]` anywhere in the comment
annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
or
// match `lgtm` at the start of the comment and after semicolon
annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _)
.trim()
annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _).trim()
)
}
/** Gets the text in this comment, excluding the leading //. */
string getText() {
result = text
}
string getText() { result = text }
/** Gets the suppression annotation in this comment. */
string getAnnotation() {
result = annotation
}
string getAnnotation() { result = annotation }
/**
* Holds if this comment applies to the range from column `startcolumn` of line `startline`
* to column `endcolumn` of line `endline` in file `filepath`.
*/
* Holds if this comment applies to the range from column `startcolumn` of line `startline`
* to column `endcolumn` of line `endline` in file `filepath`.
*/
predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
this.getLocation().hasLocationInfo(filepath, startline, _, endline, endcolumn) and
startcolumn = 1
}
/** Gets the scope of this suppression. */
SuppressionScope getScope() {
result = this
}
SuppressionScope getScope() { result = this }
}
/**
* The scope of an alert suppression comment.
*/
class SuppressionScope extends ElementBase {
SuppressionScope() {
this instanceof SuppressionComment
}
SuppressionScope() { this instanceof SuppressionComment }
/**
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
*/
predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
}
}
from SuppressionComment c
select c, // suppression comment
c.getText(), // text of suppression comment (excluding delimiters)
c.getAnnotation(), // text of suppression annotation
c.getScope() // scope of suppression
select c, // suppression comment
c.getText(), // text of suppression comment (excluding delimiters)
c.getAnnotation(), // text of suppression annotation
c.getScope() // scope of suppression

View File

@@ -42,9 +42,7 @@ newtype TVariableDeclarationInfo =
*/
class VariableDeclarationLine extends TVariableDeclarationInfo {
Class c;
File f;
int line;
VariableDeclarationLine() {

View File

@@ -0,0 +1,17 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
When eras change, date and time conversions that rely on a hard-coded era start date need to be reviewed. Conversions relying on Japanese dates in the current era can produce an ambiguous date.
The values for the current Japanese era dates should be read from a source that will be updated, such as the Windows registry.
</p>
</overview>
<references>
<li>
<a href="https://blogs.msdn.microsoft.com/shawnste/2018/04/12/the-japanese-calendars-y2k-moment/">The Japanese Calendar's Y2K Moment</a>.
</li>
</references>
</qhelp>

View File

@@ -0,0 +1,72 @@
/**
* @name Hard-coded Japanese era start date
* @description Japanese era changes can lead to code behaving differently. Avoid hard-coding Japanese era start dates.
* @kind problem
* @problem.severity warning
* @id cpp/japanese-era/exact-era-date
* @precision medium
* @tags reliability
* japanese-era
*/
import cpp
import semmle.code.cpp.commons.DateTime
predicate assignedYear(Struct s, YearFieldAccess year, int value) {
exists(Operation yearAssignment |
s.getAField().getAnAccess() = year and
yearAssignment.getAnOperand() = year and
yearAssignment.getAnOperand().getValue().toInt() = value
)
}
predicate assignedMonth(Struct s, MonthFieldAccess month, int value) {
exists(Operation monthAssignment |
s.getAField().getAnAccess() = month and
monthAssignment.getAnOperand() = month and
monthAssignment.getAnOperand().getValue().toInt() = value
)
}
predicate assignedDay(Struct s, DayFieldAccess day, int value) {
exists(Operation dayAssignment |
s.getAField().getAnAccess() = day and
dayAssignment.getAnOperand() = day and
dayAssignment.getAnOperand().getValue().toInt() = value
)
}
predicate eraDate(int year, int month, int day) {
year = 1989 and month = 1 and day = 8
or
year = 2019 and month = 5 and day = 1
}
predicate badStructInitialization(Element target, string message) {
exists(
StructLikeClass s, YearFieldAccess year, MonthFieldAccess month, DayFieldAccess day,
int yearValue, int monthValue, int dayValue
|
eraDate(yearValue, monthValue, dayValue) and
assignedYear(s, year, yearValue) and
assignedMonth(s, month, monthValue) and
assignedDay(s, day, dayValue) and
target = year and
message = "A time struct that is initialized with exact Japanese calendar era start date."
)
}
predicate badCall(Element target, string message) {
exists(Call cc, int i |
eraDate(cc.getArgument(i).getValue().toInt(), cc.getArgument(i + 1).getValue().toInt(),
cc.getArgument(i + 2).getValue().toInt()) and
target = cc and
message = "Call that appears to have hard-coded Japanese era start date as parameter."
)
}
from Element target, string message
where
badStructInitialization(target, message) or
badCall(target, message)
select target, message

View File

@@ -14,15 +14,14 @@
import cpp
predicate declarationHasSideEffects(Variable v) {
exists(Class c | c = v.getUnspecifiedType() |
c.hasConstructor() or c.hasDestructor()
)
exists(Class c | c = v.getUnspecifiedType() | c.hasConstructor() or c.hasDestructor())
}
from Variable v
where
v.isStatic() and
v.hasDefinition() and
not v.isConstexpr() and
not exists(VariableAccess a | a.getTarget() = v) and
not v instanceof MemberVariable and
not declarationHasSideEffects(v) and

View File

@@ -26,20 +26,18 @@ class MinusOne extends NullValue {
*/
predicate mayCallFunction(Expr call, Function f) {
call.(FunctionCall).getTarget() = f or
call.(VariableCall).getVariable().getAnAssignedValue().
getAChild*().(FunctionAccess).getTarget() = f
call.(VariableCall).getVariable().getAnAssignedValue().getAChild*().(FunctionAccess).getTarget() =
f
}
predicate fopenCallOrIndirect(Expr e) {
// direct fopen call
fopenCall(e) and
// We are only interested in fopen calls that are
// actually closed somehow, as FileNeverClosed
// will catch those that aren't.
fopenCallMayBeClosed(e)
or
exists(ReturnStmt rtn |
// indirect fopen call
mayCallFunction(e, rtn.getEnclosingFunction()) and
@@ -86,7 +84,6 @@ class FOpenVariableReachability extends LocalScopeVariableReachabilityWithReassi
exists(node.(AnalysedExpr).getNullSuccessor(v)) or
fcloseCallOrIndirect(node, v) or
assignedToFieldOrGlobal(v, node) or
// node may be used directly in query
v.getFunction() = node.(ReturnStmt).getEnclosingFunction()
}
@@ -122,12 +119,10 @@ class FOpenReachability extends LocalScopeVariableReachabilityExt {
}
override predicate isBarrier(
ControlFlowNode source, ControlFlowNode node, ControlFlowNode next,
LocalScopeVariable v)
{
ControlFlowNode source, ControlFlowNode node, ControlFlowNode next, LocalScopeVariable v
) {
isSource(source, v) and
next = node.getASuccessor() and
// the file (stored in any variable `v0`) opened at `source` is closed or
// assigned to a global at node, or NULL checked on the edge node -> next.
exists(LocalScopeVariable v0 | fopenVariableReaches(v0, source, node) |
@@ -172,6 +167,4 @@ where
fopenVariableReaches(v, def, ret) and
ret.getAChild*() = v.getAnAccess()
)
select
def, "The file opened here may not be closed at $@.",
ret, "this exit point"
select def, "The file opened here may not be closed at $@.", ret, "this exit point"

View File

@@ -18,20 +18,18 @@ import semmle.code.cpp.controlflow.LocalScopeVariableReachability
*/
predicate mayCallFunction(Expr call, Function f) {
call.(FunctionCall).getTarget() = f or
call.(VariableCall).getVariable().getAnAssignedValue().
getAChild*().(FunctionAccess).getTarget() = f
call.(VariableCall).getVariable().getAnAssignedValue().getAChild*().(FunctionAccess).getTarget() =
f
}
predicate allocCallOrIndirect(Expr e) {
// direct alloc call
isAllocationExpr(e) and
// We are only interested in alloc calls that are
// actually freed somehow, as MemoryNeverFreed
// will catch those that aren't.
allocMayBeFreed(e)
or
exists(ReturnStmt rtn |
// indirect alloc call
mayCallFunction(e, rtn.getEnclosingFunction()) and
@@ -64,7 +62,6 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
newV.getAnAssignedValue() = reallocCall and
node.(AnalysedExpr).getNonNullSuccessor(newV) = verified and
// note: this case uses naive flow logic (getAnAssignedValue).
// special case: if the result of the 'realloc' is assigned to the
// same variable, we don't descriminate properly between the old
// and the new allocation; better to not consider this a free at
@@ -116,7 +113,6 @@ class AllocVariableReachability extends LocalScopeVariableReachabilityWithReassi
exists(node.(AnalysedExpr).getNullSuccessor(v)) or
freeCallOrIndirect(node, v) or
assignedToFieldOrGlobal(v, node) or
// node may be used directly in query
v.getFunction() = node.(ReturnStmt).getEnclosingFunction()
}
@@ -152,12 +148,10 @@ class AllocReachability extends LocalScopeVariableReachabilityExt {
}
override predicate isBarrier(
ControlFlowNode source, ControlFlowNode node, ControlFlowNode next,
LocalScopeVariable v)
{
ControlFlowNode source, ControlFlowNode node, ControlFlowNode next, LocalScopeVariable v
) {
isSource(source, v) and
next = node.getASuccessor() and
// the memory (stored in any variable `v0`) allocated at `source` is freed or
// assigned to a global at node, or NULL checked on the edge node -> next.
exists(LocalScopeVariable v0 | allocatedVariableReaches(v0, source, node) |
@@ -202,6 +196,4 @@ where
allocatedVariableReaches(v, def, ret) and
ret.getAChild*() = v.getAnAccess()
)
select
def, "The memory allocated here may not be released at $@.",
ret, "this exit point"
select def, "The memory allocated here may not be released at $@.", ret, "this exit point"

View File

@@ -47,7 +47,7 @@ predicate allocExprOrIndirect(Expr alloc, string kind) {
or
exists(Expr e |
allocExprOrIndirect(e, kind) and
DataFlow::localFlow(DataFlow::exprNode(e), DataFlow::exprNode(rtn.getExpr()))
DataFlow::localExprFlow(e, rtn.getExpr())
)
)
)

View File

@@ -8,9 +8,11 @@
* external/cwe/cwe-457
*/
import cpp
/*
* See also InitialisationNotRun.ql and GlobalUseBeforeInit.ql
*/
// See also InitialisationNotRun.ql and GlobalUseBeforeInit.ql
import cpp
/**
* Holds if `s` defines variable `v` (conservative).

View File

@@ -33,12 +33,10 @@ predicate sourceSized(FunctionCall fc, Expr src) {
fc.getArgument(2) = size and
src = v.getAnAccess() and
size.getAChild+() = v.getAnAccess() and
// exception: `dest` is also referenced in the size argument
not exists(Variable other |
dest = other.getAnAccess() and size.getAChild+() = other.getAnAccess()
) and
// exception: `src` and `dest` are both arrays of the same type and size
not exists(ArrayType srctype, ArrayType desttype |
dest.getType().getUnderlyingType() = desttype and

View File

@@ -33,7 +33,6 @@ class BufferAccess extends ArrayExpr {
staticBuffer(this.getArrayBase(), _, size) and
size != 0
) and
// exclude accesses in macro implementation of `strcmp`,
// which are carefully controlled but can look dangerous.
not exists(Macro m |
@@ -95,7 +94,7 @@ class CallWithBufferSize extends FunctionCall {
int statedSizeValue() {
exists(Expr statedSizeSrc |
DataFlow::localFlow(DataFlow::exprNode(statedSizeSrc), DataFlow::exprNode(statedSizeExpr())) and
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
result = statedSizeSrc.getValue().toInt()
)
}

View File

@@ -13,14 +13,11 @@ private import Options as CustomOptions
/**
* Default predicates that specify information about the behavior of
* the program being analyzed.
* the program being analyzed.
*/
class Options extends string
{
Options() {
this = "Options"
}
class Options extends string {
Options() { this = "Options" }
/**
* Holds if we wish to override the "may return NULL" inference for this
* call. If this holds, then rather than trying to infer whether this
@@ -60,7 +57,8 @@ class Options extends string
* `noreturn` attribute.
*/
predicate exits(Function f) {
f.getAnAttribute().hasName("noreturn") or
f.getAnAttribute().hasName("noreturn")
or
exists(string name | f.hasGlobalName(name) |
name = "exit" or
name = "_exit" or
@@ -68,7 +66,8 @@ class Options extends string
name = "__assert_fail" or
name = "longjmp" or
name = "__builtin_unreachable"
) or
)
or
CustomOptions::exits(f) // old Options.qll
}
@@ -108,14 +107,11 @@ class Options extends string
fc.isInMacroExpansion()
or
// common way of sleeping using select:
(fc.getTarget().hasGlobalName("select") and
fc.getArgument(0).getValue() = "0")
fc.getTarget().hasGlobalName("select") and
fc.getArgument(0).getValue() = "0"
or
CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
}
}
Options getOptions()
{
any()
}
Options getOptions() { any() }

View File

@@ -1,26 +1,36 @@
/**
* Provides heuristics to find "todo" and "fixme" comments (in all caps).
*/
import cpp
string getCommentTextCaptioned(Comment c, string caption) {
(caption = "TODO" or caption = "FIXME") and
exists (string commentContents, string commentBody, int offset, string interestingSuffix, int endOfLine, string dontCare, string captionedLine, string followingLine
| commentContents = c.getContents()
and commentContents.matches("%" + caption + "%")
and // Add some '\n's so that any interesting line, and its
// following line, will definitely begin and end with '\n'.
commentBody = commentContents.regexpReplaceAll("(?s)^/\\*(.*)\\*/$|^//(.*)$", "\n$1$2\n\n")
and dontCare = commentBody.regexpFind("\\n[/* \\t\\x0B\\f\\r]*" + caption, _, offset)
and interestingSuffix = commentBody.suffix(offset)
and endOfLine = interestingSuffix.indexOf("\n", 1, 0)
and captionedLine = interestingSuffix.prefix(endOfLine).regexpReplaceAll("^[/*\\s]*" + caption + "\\s*:?", "").trim()
and followingLine = interestingSuffix.prefix(interestingSuffix.indexOf("\n", 2, 0)).suffix(endOfLine).trim()
and if captionedLine = ""
then result = caption + " comment"
else if followingLine = ""
then result = caption + " comment: " + captionedLine
else result = caption + " comment: " + captionedLine + " [...]"
)
(caption = "TODO" or caption = "FIXME") and
exists(
string commentContents, string commentBody, int offset, string interestingSuffix, int endOfLine,
string dontCare, string captionedLine, string followingLine
|
commentContents = c.getContents() and
commentContents.matches("%" + caption + "%") and
// Add some '\n's so that any interesting line, and its
// following line, will definitely begin and end with '\n'.
commentBody = commentContents.regexpReplaceAll("(?s)^/\\*(.*)\\*/$|^//(.*)$", "\n$1$2\n\n") and
dontCare = commentBody.regexpFind("\\n[/* \\t\\x0B\\f\\r]*" + caption, _, offset) and
interestingSuffix = commentBody.suffix(offset) and
endOfLine = interestingSuffix.indexOf("\n", 1, 0) and
captionedLine = interestingSuffix
.prefix(endOfLine)
.regexpReplaceAll("^[/*\\s]*" + caption + "\\s*:?", "")
.trim() and
followingLine = interestingSuffix
.prefix(interestingSuffix.indexOf("\n", 2, 0))
.suffix(endOfLine)
.trim() and
if captionedLine = ""
then result = caption + " comment"
else
if followingLine = ""
then result = caption + " comment: " + captionedLine
else result = caption + " comment: " + captionedLine + " [...]"
)
}

View File

@@ -6,44 +6,42 @@ import cpp
bindingset[line]
private predicate looksLikeCode(string line) {
exists(string trimmed |
// trim leading and trailing whitespace, and HTML codes:
// trim leading and trailing whitespace, and HTML codes:
// * HTML entities in common notation (e.g. &amp;gt; and &amp;eacute;)
// * HTML entities in decimal notation (e.g. a&amp;#768;)
// * HTML entities in hexadecimal notation (e.g. &amp;#x705F;)
trimmed = line.regexpReplaceAll("(?i)(^\\s+|&#?[a-z0-9]{1,31};|\\s+$)", "")
|
(
// Match comment lines ending with '{', '}' or ';'
trimmed.regexpMatch(".*[{};]") and
(
// Match comment lines ending with '{', '}' or ';'
trimmed.regexpMatch(".*[{};]") and
(
// If this line looks like code because it ends with a closing
// brace that's preceded by something other than whitespace ...
trimmed.regexpMatch(".*.\\}")
implies
// ... then there has to be ") {" (or some variation)
// on the line, suggesting it's a statement like `if`
// or a function definition. Otherwise it's likely to be a
// benign use of braces such as a JSON example or explanatory
// pseudocode.
trimmed.regexpMatch(".*(\\)|const|volatile|override|final|noexcept|&)\\s*\\{.*")
)
) or (
// Match comment lines that look like preprocessor code
trimmed.regexpMatch("#\\s*(include|define|undef|if|ifdef|ifndef|elif|else|endif|error|pragma)\\b.*")
// If this line looks like code because it ends with a closing
// brace that's preceded by something other than whitespace ...
trimmed.regexpMatch(".*.\\}")
implies
// ... then there has to be ") {" (or some variation)
// on the line, suggesting it's a statement like `if`
// or a function definition. Otherwise it's likely to be a
// benign use of braces such as a JSON example or explanatory
// pseudocode.
trimmed.regexpMatch(".*(\\)|const|volatile|override|final|noexcept|&)\\s*\\{.*")
)
) and (
// Exclude lines that start with '>' or contain '@{' or '@}'.
// To account for the code generated by protobuf, we also insist that the comment
// does not begin with `optional` or `repeated` and end with a `;`, which would
// normally be a quoted bit of literal `.proto` specification above the associated
// declaration.
// To account for emacs folding markers, we ignore any line containing
// `{{{` or `}}}`.
// Finally, some code tends to embed GUIDs in comments, so we also exclude those.
not trimmed
or
// Match comment lines that look like preprocessor code
trimmed
.regexpMatch("#\\s*(include|define|undef|if|ifdef|ifndef|elif|else|endif|error|pragma)\\b.*")
) and
// Exclude lines that start with '>' or contain '@{' or '@}'.
// To account for the code generated by protobuf, we also insist that the comment
// does not begin with `optional` or `repeated` and end with a `;`, which would
// normally be a quoted bit of literal `.proto` specification above the associated
// declaration.
// To account for emacs folding markers, we ignore any line containing
// `{{{` or `}}}`.
// Finally, some code tends to embed GUIDs in comments, so we also exclude those.
not trimmed
.regexpMatch("(>.*|.*[\\\\@][{}].*|(optional|repeated) .*;|.*(\\{\\{\\{|\\}\\}\\}).*|\\{[-0-9a-zA-Z]+\\})")
)
)
}
@@ -76,7 +74,6 @@ private predicate preprocLine(File f, int line) {
private int lineInFile(CppStyleComment c, File f) {
f = c.getFile() and
result = c.getLocation().getStartLine() and
// Ignore comments on the same line as a preprocessor directive.
not preprocLine(f, result)
}
@@ -119,12 +116,11 @@ class CommentBlock extends Comment {
this instanceof CppStyleComment
implies
not exists(CppStyleComment pred, File f | lineInFile(pred, f) + 1 = lineInFile(this, f))
) and (
// Ignore comments on the same line as a preprocessor directive.
not exists(Location l |
l = this.getLocation() and
preprocLine(l.getFile(), l.getStartLine())
)
) and
// Ignore comments on the same line as a preprocessor directive.
not exists(Location l |
l = this.getLocation() and
preprocLine(l.getFile(), l.getStartLine())
)
}

View File

@@ -11,26 +11,26 @@
* @tags maintainability
* documentation
*/
import cpp
import cpp
predicate isCommented(FunctionDeclarationEntry f) {
exists(Comment c | c.getCommentedElement() = f)
}
// Uses of 'f' in 'other'
Call uses(File other, Function f) {
result.getTarget() = f and result.getFile() = other
}
Call uses(File other, Function f) { result.getTarget() = f and result.getFile() = other }
from File callerFile, Function f, Call use, int numCalls
where numCalls = strictcount(File other | exists(uses(other, f)) and other != f.getFile())
and not isCommented(f.getADeclarationEntry())
and not f instanceof Constructor
and not f instanceof Destructor
and not f.hasName("operator=")
and f.getMetrics().getNumberOfLinesOfCode() >= 5
and numCalls > 1
and use = uses(callerFile, f)
and callerFile != f.getFile()
select f, "Functions called from other files should be documented (called from $@).", use, use.getFile().getRelativePath()
where
numCalls = strictcount(File other | exists(uses(other, f)) and other != f.getFile()) and
not isCommented(f.getADeclarationEntry()) and
not f instanceof Constructor and
not f instanceof Destructor and
not f.hasName("operator=") and
f.getMetrics().getNumberOfLinesOfCode() >= 5 and
numCalls > 1 and
use = uses(callerFile, f) and
callerFile != f.getFile()
select f, "Functions called from other files should be documented (called from $@).", use,
use.getFile().getRelativePath()

View File

@@ -9,6 +9,7 @@
* documentation
* external/cwe/cwe-546
*/
import cpp
import Documentation.CaptionedComments

View File

@@ -9,10 +9,10 @@
* documentation
* external/cwe/cwe-546
*/
import cpp
import Documentation.CaptionedComments
from Comment c, string message
where message = getCommentTextCaptioned(c, "TODO")
select c, message

View File

@@ -10,10 +10,14 @@
* statistical
* non-attributable
*/
import cpp
from MetricFunction f, int n
where n = f.getNumberOfLines() and n > 100 and
f.getCommentRatio() <= 0.02 and
not f.isMultiplyDefined()
select f, "Poorly documented function: fewer than 2% comments for a function of " + n.toString() + " lines."
where
n = f.getNumberOfLines() and
n > 100 and
f.getCommentRatio() <= 0.02 and
not f.isMultiplyDefined()
select f,
"Poorly documented function: fewer than 2% comments for a function of " + n.toString() + " lines."

View File

@@ -11,20 +11,20 @@
import cpp
predicate markedAsNonterminating(Loop l) {
exists(Comment c | c.getContents().matches("%@non-terminating@%") |
c.getCommentedElement() = l
)
exists(Comment c | c.getContents().matches("%@non-terminating@%") | c.getCommentedElement() = l)
}
Stmt exitFrom(Loop l) {
l.getAChild+() = result and
(result instanceof ReturnStmt or
exists(BreakStmt break | break = result |
not l.getAChild*() = break.getTarget())
(
result instanceof ReturnStmt
or
exists(BreakStmt break | break = result | not l.getAChild*() = break.getTarget())
)
}
from Loop l, Stmt exit
where markedAsNonterminating(l) and
exit = exitFrom(l)
where
markedAsNonterminating(l) and
exit = exitFrom(l)
select exit, "$@ should not be exited.", l, "This permanent loop"

View File

@@ -1,7 +1,7 @@
/**
* @name Unbounded loop
* @description All loops should have a fixed upper bound; the counter should also be incremented along all paths within the loop.
This check excludes loops that are meant to be nonterminating (like schedulers).
* This check excludes loops that are meant to be nonterminating (like schedulers).
* @kind problem
* @id cpp/jpl-c/loop-bounds
* @problem.severity warning
@@ -30,7 +30,8 @@ predicate upperBoundCheck(Loop loop, VariableAccess checked) {
rop.getGreaterOperand().(VariableAccess).getTarget().isConst() or
validVarForBound(loop, rop.getGreaterOperand().(VariableAccess).getTarget())
) and
not rop.getGreaterOperand() instanceof CharLiteral)
not rop.getGreaterOperand() instanceof CharLiteral
)
}
predicate lowerBoundCheck(Loop loop, VariableAccess checked) {
@@ -43,20 +44,23 @@ predicate lowerBoundCheck(Loop loop, VariableAccess checked) {
rop.getLesserOperand().(VariableAccess).getTarget().isConst() or
validVarForBound(loop, rop.getLesserOperand().(VariableAccess).getTarget())
) and
not rop.getLesserOperand() instanceof CharLiteral)
not rop.getLesserOperand() instanceof CharLiteral
)
}
VariableAccess getAnIncrement(Variable var) {
result.getTarget() = var and
(
result.getParent() instanceof IncrementOperation
or
or
exists(AssignAddExpr a | a.getLValue() = result and a.getRValue().getValue().toInt() > 0)
or
or
exists(AssignExpr a | a.getLValue() = result |
a.getRValue() =
any(AddExpr ae | ae.getAnOperand() = var.getAnAccess() and
ae.getAnOperand().getValue().toInt() > 0))
a.getRValue() = any(AddExpr ae |
ae.getAnOperand() = var.getAnAccess() and
ae.getAnOperand().getValue().toInt() > 0
)
)
)
}
@@ -64,62 +68,75 @@ VariableAccess getADecrement(Variable var) {
result.getTarget() = var and
(
result.getParent() instanceof DecrementOperation
or
or
exists(AssignSubExpr a | a.getLValue() = result and a.getRValue().getValue().toInt() > 0)
or
or
exists(AssignExpr a | a.getLValue() = result |
a.getRValue() =
any(SubExpr ae | ae.getLeftOperand() = var.getAnAccess() and
ae.getRightOperand().getValue().toInt() > 0))
a.getRValue() = any(SubExpr ae |
ae.getLeftOperand() = var.getAnAccess() and
ae.getRightOperand().getValue().toInt() > 0
)
)
)
}
predicate inScope(Loop l, Stmt s) {
l.getAChild*() = s
}
predicate inScope(Loop l, Stmt s) { l.getAChild*() = s }
predicate reachesNoInc(VariableAccess source, ControlFlowNode target) {
(upperBoundCheck(_, source) and source.getASuccessor() = target) or
exists(ControlFlowNode mid | reachesNoInc(source, mid) and not mid = getAnIncrement(source.getTarget()) |
target = mid.getASuccessor() and
inScope(source.getEnclosingStmt(), target.getEnclosingStmt()))
upperBoundCheck(_, source) and source.getASuccessor() = target
or
exists(ControlFlowNode mid |
reachesNoInc(source, mid) and not mid = getAnIncrement(source.getTarget())
|
target = mid.getASuccessor() and
inScope(source.getEnclosingStmt(), target.getEnclosingStmt())
)
}
predicate reachesNoDec(VariableAccess source, ControlFlowNode target) {
(lowerBoundCheck(_, source) and source.getASuccessor() = target) or
exists(ControlFlowNode mid | reachesNoDec(source, mid) and not mid = getADecrement(source.getTarget()) |
target = mid.getASuccessor() and
inScope(source.getEnclosingStmt(), target.getEnclosingStmt()))
}
predicate hasSafeBound(Loop l) {
exists(VariableAccess bound | upperBoundCheck(l, bound) |
not reachesNoInc(bound, bound)
) or exists(VariableAccess bound | lowerBoundCheck(l, bound) |
not reachesNoDec(bound, bound)
) or exists(l.getControllingExpr().getValue())
}
predicate markedAsNonterminating(Loop l) {
exists(Comment c | c.getContents().matches("%@non-terminating@%") |
c.getCommentedElement() = l
lowerBoundCheck(_, source) and source.getASuccessor() = target
or
exists(ControlFlowNode mid |
reachesNoDec(source, mid) and not mid = getADecrement(source.getTarget())
|
target = mid.getASuccessor() and
inScope(source.getEnclosingStmt(), target.getEnclosingStmt())
)
}
predicate hasSafeBound(Loop l) {
exists(VariableAccess bound | upperBoundCheck(l, bound) | not reachesNoInc(bound, bound))
or
exists(VariableAccess bound | lowerBoundCheck(l, bound) | not reachesNoDec(bound, bound))
or
exists(l.getControllingExpr().getValue())
}
predicate markedAsNonterminating(Loop l) {
exists(Comment c | c.getContents().matches("%@non-terminating@%") | c.getCommentedElement() = l)
}
from Loop loop, string msg
where not hasSafeBound(loop) and
not markedAsNonterminating(loop) and
(
(
not upperBoundCheck(loop, _) and
not lowerBoundCheck(loop, _) and
msg = "This loop does not have a fixed bound."
) or exists(VariableAccess bound | upperBoundCheck(loop, bound) and
reachesNoInc(bound, bound) and
msg = "The loop counter " + bound.getTarget().getName() + " is not always incremented in the loop body."
) or exists(VariableAccess bound | lowerBoundCheck(loop, bound) and
reachesNoDec(bound, bound) and
msg = "The loop counter " + bound.getTarget().getName() + " is not always decremented in the loop body."
)
where
not hasSafeBound(loop) and
not markedAsNonterminating(loop) and
(
not upperBoundCheck(loop, _) and
not lowerBoundCheck(loop, _) and
msg = "This loop does not have a fixed bound."
or
exists(VariableAccess bound |
upperBoundCheck(loop, bound) and
reachesNoInc(bound, bound) and
msg = "The loop counter " + bound.getTarget().getName() +
" is not always incremented in the loop body."
)
or
exists(VariableAccess bound |
lowerBoundCheck(loop, bound) and
reachesNoDec(bound, bound) and
msg = "The loop counter " + bound.getTarget().getName() +
" is not always decremented in the loop body."
)
)
select loop, msg

View File

@@ -13,14 +13,14 @@
import cpp
class RecursiveCall extends FunctionCall {
RecursiveCall() {
this.getTarget().calls*(this.getEnclosingFunction())
}
RecursiveCall() { this.getTarget().calls*(this.getEnclosingFunction()) }
}
from RecursiveCall call, string msg
where if (call.getTarget() = call.getEnclosingFunction()) then
msg = "This call directly invokes its containing function $@."
else
msg = "The function " + call.getEnclosingFunction() + " is indirectly recursive via this call to $@."
where
if call.getTarget() = call.getEnclosingFunction()
then msg = "This call directly invokes its containing function $@."
else
msg = "The function " + call.getEnclosingFunction() +
" is indirectly recursive via this call to $@."
select call, msg, call.getTarget(), call.getTarget().getName()

View File

@@ -23,12 +23,17 @@ class Initialization extends Function {
class Allocation extends FunctionCall {
Allocation() {
exists(string name | name = this.getTarget().getName() |
name = "malloc" or name = "calloc" or name = "alloca" or
name = "sbrk" or name = "valloc")
name = "malloc" or
name = "calloc" or
name = "alloca" or
name = "sbrk" or
name = "valloc"
)
}
}
from Function f, Allocation a
where not f instanceof Initialization and
a.getEnclosingFunction() = f
where
not f instanceof Initialization and
a.getEnclosingFunction() = f
select a, "Dynamic memory allocation is only allowed during initialization."

View File

@@ -14,8 +14,10 @@ import cpp
class ForbiddenCall extends FunctionCall {
ForbiddenCall() {
exists(string name | name = this.getTarget().getName() |
name = "task_delay" or name = "taskDelay" or
name = "sleep" or name = "nanosleep" or
name = "task_delay" or
name = "taskDelay" or
name = "sleep" or
name = "nanosleep" or
name = "clock_nanosleep"
)
}

View File

@@ -12,20 +12,22 @@
import Semaphores
LockOperation maybeLocked(Function f) {
result.getEnclosingFunction() = f or
exists(Function g | f.calls(g) |
result = maybeLocked(g)
)
result.getEnclosingFunction() = f
or
exists(Function g | f.calls(g) | result = maybeLocked(g))
}
predicate intraproc(LockOperation inner, string msg, LockOperation outer) {
inner = outer.getAReachedNode() and outer.getLocked() != inner.getLocked() and
inner = outer.getAReachedNode() and
outer.getLocked() != inner.getLocked() and
msg = "This lock operation is nested in a $@."
}
predicate interproc(FunctionCall inner, string msg, LockOperation outer) {
inner = outer.getAReachedNode() and
exists(LockOperation lock | lock = maybeLocked(inner.getTarget()) and lock.getLocked() != outer.getLocked() |
exists(LockOperation lock |
lock = maybeLocked(inner.getTarget()) and lock.getLocked() != outer.getLocked()
|
msg = "This call may perform a " + lock.say() + " while under the effect of a $@."
)
}

View File

@@ -11,6 +11,8 @@
import Semaphores
from FunctionCall call, string kind
where (call instanceof SemaphoreCreation and kind = "semaphores") or
(call instanceof LockingPrimitive and kind = "locking primitives")
where
call instanceof SemaphoreCreation and kind = "semaphores"
or
call instanceof LockingPrimitive and kind = "locking primitives"
select call, "Use of " + kind + " should be avoided."

View File

@@ -18,11 +18,15 @@ predicate lockOrder(LockOperation outer, LockOperation inner) {
int orderCount(Declaration outerLock, Declaration innerLock) {
result = strictcount(LockOperation outer, LockOperation inner |
outer.getLocked() = outerLock and inner.getLocked() = innerLock and
lockOrder(outer, inner))
outer.getLocked() = outerLock and
inner.getLocked() = innerLock and
lockOrder(outer, inner)
)
}
from LockOperation outer, LockOperation inner
where lockOrder(outer, inner)
and orderCount(outer.getLocked(), inner.getLocked()) <= orderCount(inner.getLocked(), outer.getLocked())
where
lockOrder(outer, inner) and
orderCount(outer.getLocked(), inner.getLocked()) <= orderCount(inner.getLocked(),
outer.getLocked())
select inner, "Out-of-order locks: A " + inner.say() + " usually precedes a $@.", outer, outer.say()

View File

@@ -4,29 +4,31 @@
import cpp
class SemaphoreCreation extends FunctionCall {
SemaphoreCreation() {
exists(string name | name = this.getTarget().getName() |
name = "semBCreate" or name = "semMCreate" or name = "semCCreate" or
name = "semBCreate" or
name = "semMCreate" or
name = "semCCreate" or
name = "semRWCreate"
)
}
Variable getSemaphore() {
result.getAnAccess() = this.getParent().(Assignment).getLValue()
}
Variable getSemaphore() { result.getAnAccess() = this.getParent().(Assignment).getLValue() }
}
abstract class LockOperation extends FunctionCall {
abstract UnlockOperation getMatchingUnlock();
abstract Declaration getLocked();
abstract string say();
ControlFlowNode getAReachedNode() {
result = this or
result = this
or
exists(ControlFlowNode mid | mid = getAReachedNode() |
not(mid != this.getMatchingUnlock()) and
not mid != this.getMatchingUnlock() and
result = mid.getASuccessor()
)
}
@@ -39,24 +41,21 @@ abstract class UnlockOperation extends FunctionCall {
class SemaphoreTake extends LockOperation {
SemaphoreTake() {
exists(string name | name = this.getTarget().getName() |
name = "semTake" or
name = "semTake"
or
// '_' is a wildcard, so this matches calls like
// semBTakeScalable or semMTake_inline.
name.matches("sem_Take%")
)
}
override Variable getLocked() {
result.getAnAccess() = this.getArgument(0)
}
override Variable getLocked() { result.getAnAccess() = this.getArgument(0) }
override UnlockOperation getMatchingUnlock() {
result.(SemaphoreGive).getLocked() = this.getLocked()
}
override string say() {
result = "semaphore take of " + getLocked().getName()
}
override string say() { result = "semaphore take of " + getLocked().getName() }
}
class SemaphoreGive extends UnlockOperation {
@@ -67,14 +66,9 @@ class SemaphoreGive extends UnlockOperation {
)
}
Variable getLocked() {
result.getAnAccess() = this.getArgument(0)
}
override LockOperation getMatchingLock() {
this = result.getMatchingUnlock()
}
Variable getLocked() { result.getAnAccess() = this.getArgument(0) }
override LockOperation getMatchingLock() { this = result.getMatchingUnlock() }
}
class LockingPrimitive extends FunctionCall, LockOperation {
@@ -84,18 +78,16 @@ class LockingPrimitive extends FunctionCall, LockOperation {
)
}
override Function getLocked() {
result = this.getTarget()
}
override Function getLocked() { result = this.getTarget() }
override UnlockOperation getMatchingUnlock() {
result.(UnlockingPrimitive).getTarget().getName() =
this.getTarget().getName().replaceAll("Lock", "Unlock")
result.(UnlockingPrimitive).getTarget().getName() = this
.getTarget()
.getName()
.replaceAll("Lock", "Unlock")
}
override string say() {
result = "call to " + getLocked().getName()
}
override string say() { result = "call to " + getLocked().getName() }
}
class UnlockingPrimitive extends FunctionCall, UnlockOperation {
@@ -105,11 +97,7 @@ class UnlockingPrimitive extends FunctionCall, UnlockOperation {
)
}
Function getLocked() {
result = getMatchingLock().getLocked()
}
Function getLocked() { result = getMatchingLock().getLocked() }
override LockOperation getMatchingLock() {
this = result.getMatchingUnlock()
}
override LockOperation getMatchingLock() { this = result.getMatchingUnlock() }
}

View File

@@ -15,8 +15,11 @@ import cpp
class ForbiddenFunction extends Function {
ForbiddenFunction() {
exists(string name | name = this.getName() |
name = "setjmp" or name = "longjmp" or
name = "sigsetjmp" or name = "siglongjmp")
name = "setjmp" or
name = "longjmp" or
name = "sigsetjmp" or
name = "siglongjmp"
)
}
}

View File

@@ -8,15 +8,14 @@
* readability
* external/jpl
*/
import cpp
predicate hasInitializer(EnumConstant c) {
c.getInitializer().fromSource()
}
predicate hasInitializer(EnumConstant c) { c.getInitializer().fromSource() }
/** Does this have an initializer that is not just a ref to another constant in the same enum? */
predicate hasNonReferenceInitializer(EnumConstant c) {
exists (Initializer init |
exists(Initializer init |
init = c.getInitializer() and
init.fromSource() and
not init.getExpr().(EnumConstantAccess).getTarget().getDeclaringEnum() = c.getDeclaringEnum()
@@ -24,14 +23,13 @@ predicate hasNonReferenceInitializer(EnumConstant c) {
}
predicate hasReferenceInitializer(EnumConstant c) {
exists (Initializer init |
exists(Initializer init |
init = c.getInitializer() and
init.fromSource() and
init.getExpr().(EnumConstantAccess).getTarget().getDeclaringEnum() = c.getDeclaringEnum()
)
}
// There exists another constant whose value is implicit, but it's
// not the last one: the last value is okay to use to get the highest
// enum value automatically. It can be followed by aliases though.
@@ -48,15 +46,16 @@ predicate enumThatHasConstantWithImplicitValue(Enum e) {
}
from Enum e, int i
where // e is at position i, and has an explicit value in the source - but
// not just a reference to another enum constant
hasNonReferenceInitializer(e.getEnumConstant(i)) and
// but e is not the first or the last constant of the enum
i != 0 and
exists(e.getEnumConstant(i+1)) and
// and there exists another constant whose value is implicit, but it's
// not the last one: the last value is okay to use to get the highest
// enum value automatically. It can be followed by aliases though.
enumThatHasConstantWithImplicitValue(e)
select e, "In an enumerator list, the = construct should not be used to explicitly initialize members other than the first, unless all items are explicitly initialized."
where
// e is at position i, and has an explicit value in the source - but
// not just a reference to another enum constant
hasNonReferenceInitializer(e.getEnumConstant(i)) and
// but e is not the first or the last constant of the enum
i != 0 and
exists(e.getEnumConstant(i + 1)) and
// and there exists another constant whose value is implicit, but it's
// not the last one: the last value is okay to use to get the highest
// enum value automatically. It can be followed by aliases though.
enumThatHasConstantWithImplicitValue(e)
select e,
"In an enumerator list, the = construct should not be used to explicitly initialize members other than the first, unless all items are explicitly initialized."

View File

@@ -11,7 +11,8 @@
import cpp
from VariableDeclarationEntry v
where v.getVariable() instanceof GlobalVariable and
where
v.getVariable() instanceof GlobalVariable and
v.hasSpecifier("extern") and
not v.getFile() instanceof HeaderFile
select v, v.getName() + " should be declared only in a header file that is included as needed."

View File

@@ -13,9 +13,11 @@
import cpp
from GlobalVariable v
where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile())
and not v.hasSpecifier("static")
and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope.
and not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName()
+ " and could be made static."
where
forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile()) and
not v.hasSpecifier("static") and
strictcount(v.getAnAccess().getEnclosingFunction()) > 1 and // If = 1, variable should be function-scope.
not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v,
"The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName() +
" and could be made static."

View File

@@ -12,8 +12,11 @@
import cpp
from GlobalVariable v, Function f
where v.getAnAccess().getEnclosingFunction() = f and
strictcount(v.getAnAccess().getEnclosingFunction()) = 1 and
forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction())) and
not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName()
where
v.getAnAccess().getEnclosingFunction() = f and
strictcount(v.getAnAccess().getEnclosingFunction()) = 1 and
forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction())) and
not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v,
"The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f,
f.getName()

View File

@@ -8,27 +8,29 @@
* readability
* external/jpl
*/
import cpp
class LocalVariableOrParameter extends Variable {
LocalVariableOrParameter() {
this instanceof LocalVariable or
this instanceof LocalVariable
or
// A function declaration (i.e. "int foo(int bar);") doesn't usefully
// shadow globals; the parameter should be on the version of the function
// that has a body.
exists(Parameter p | p = this |
p.getFunction().getDefinitionLocation().getFile() = this.getFile() and
exists(p.getFunction().getBlock()))
p.getFunction().getDefinitionLocation().getFile() = this.getFile() and
exists(p.getFunction().getBlock())
)
}
string type() {
if this instanceof Parameter
then result = "Parameter "
else result = "Local variable "
if this instanceof Parameter then result = "Parameter " else result = "Local variable "
}
}
from LocalVariableOrParameter lv, GlobalVariable gv
where lv.getName() = gv.getName() and
lv.getFile() = gv.getFile()
where
lv.getName() = gv.getName() and
lv.getFile() = gv.getFile()
select lv, lv.type() + lv.getName() + " hides the global variable $@.", gv, gv.getName()

View File

@@ -11,7 +11,8 @@
import cpp
/** In its full generality, the rule applies to all functions that
/**
* In its full generality, the rule applies to all functions that
* return non-void, including things like 'printf' and 'close',
* which are routinely not checked because the behavior on success
* is the same as the behavior on failure. The recommendation is
@@ -27,13 +28,15 @@ predicate whitelist(Function f) {
}
from FunctionCall c, string msg
where not c.getTarget().getType() instanceof VoidType
and not whitelist(c.getTarget())
and
(
(c instanceof ExprInVoidContext and msg = "The return value of non-void function $@ is not checked.")
or
(definition(_, c.getParent()) and not definitionUsePair(_, c.getParent(), _) and
msg = "$@'s return value is stored but not checked.")
)
where
not c.getTarget().getType() instanceof VoidType and
not whitelist(c.getTarget()) and
(
c instanceof ExprInVoidContext and
msg = "The return value of non-void function $@ is not checked."
or
definition(_, c.getParent()) and
not definitionUsePair(_, c.getParent(), _) and
msg = "$@'s return value is stored but not checked."
)
select c, msg, c.getTarget() as f, f.getName()

View File

@@ -12,16 +12,18 @@
import JPL_C.Tasks
predicate flow(Parameter p, ControlFlowNode n) {
(exists(p.getAnAccess()) and n = p.getFunction().getBlock()) or
exists(ControlFlowNode mid | flow(p, mid) and not mid = p.getAnAccess() and n = mid.getASuccessor())
exists(p.getAnAccess()) and n = p.getFunction().getBlock()
or
exists(ControlFlowNode mid |
flow(p, mid) and not mid = p.getAnAccess() and n = mid.getASuccessor()
)
}
VariableAccess firstAccess(Parameter p) {
flow(p, result) and result = p.getAnAccess()
}
VariableAccess firstAccess(Parameter p) { flow(p, result) and result = p.getAnAccess() }
from Parameter p, VariableAccess va
where va = firstAccess(p) and p.getFunction() instanceof PublicFunction and
not exists(Expr e | e.isCondition() | e.getAChild*() = va)
where
va = firstAccess(p) and
p.getFunction() instanceof PublicFunction and
not exists(Expr e | e.isCondition() | e.getAChild*() = va)
select va, "This use of parameter " + p.getName() + " has not been checked."

View File

@@ -12,9 +12,9 @@
import semmle.code.cpp.commons.Assertions
from Assertion a, string value, string msg
where value = a.getAsserted().getValue() and
if value.toInt() = 0 then
msg = "This assertion is always false."
else
msg = "This assertion is always true."
where
value = a.getAsserted().getValue() and
if value.toInt() = 0
then msg = "This assertion is always false."
else msg = "This assertion is always true."
select a.getAsserted(), msg

View File

@@ -12,6 +12,7 @@
import semmle.code.cpp.commons.Assertions
from Function f
where f.getMetrics().getNumberOfLinesOfCode() > 10 and
where
f.getMetrics().getNumberOfLinesOfCode() > 10 and
not exists(Assertion a | a.getAsserted().getEnclosingFunction() = f)
select f, "All functions of more than 10 lines should have at least one assertion."

View File

@@ -13,11 +13,16 @@ import cpp
predicate allowedTypedefs(TypedefType t) {
exists(string name | name = t.getName() |
name = "I64" or name = "U64" or
name = "I32" or name = "U32" or
name = "I16" or name = "U16" or
name = "I8" or name = "U8" or
name = "F64" or name = "F32"
name = "I64" or
name = "U64" or
name = "I32" or
name = "U32" or
name = "I16" or
name = "U16" or
name = "I8" or
name = "U8" or
name = "F64" or
name = "F32"
)
}
@@ -25,7 +30,8 @@ predicate allowedTypedefs(TypedefType t) {
* Gets a type which appears literally in the declaration of `d`.
*/
Type getAnImmediateUsedType(Declaration d) {
d.isDefined() and (
d.isDefined() and
(
result = d.(Function).getType() or
result = d.(Variable).getType()
)
@@ -48,7 +54,11 @@ predicate problematic(IntegralType t) {
}
from Declaration d, Type usedType
where usedType = getAUsedType*(getAnImmediateUsedType(d)) and problematic(usedType)
where
usedType = getAUsedType*(getAnImmediateUsedType(d)) and
problematic(usedType) and
// Ignore violations for which we do not have a valid location.
and not(d.getLocation() instanceof UnknownLocation)
select d, d.getName() + " uses the basic integral type " + usedType.getName() + " rather than a typedef with size and signedness."
not d.getLocation() instanceof UnknownLocation
select d,
d.getName() + " uses the basic integral type " + usedType.getName() +
" rather than a typedef with size and signedness."

View File

@@ -12,7 +12,9 @@
import cpp
from BinaryOperation parent, BinaryOperation child
where parent.getAnOperand() = child and not child.isParenthesised() and
where
parent.getAnOperand() = child and
not child.isParenthesised() and
(parent instanceof BinaryBitwiseOperation or child instanceof BinaryBitwiseOperation) and
// Some benign cases...
not (parent instanceof BitwiseAndExpr and child instanceof BitwiseAndExpr) and

View File

@@ -46,10 +46,9 @@ predicate inherentlyUnsafe(Function f) {
exists(Variable v | v.getAnAssignedValue().getEnclosingFunction() = f |
v instanceof GlobalVariable or
v.isStatic()
) or
exists(FunctionCall c | c.getEnclosingFunction() = f |
inherentlyUnsafe(c.getTarget())
)
or
exists(FunctionCall c | c.getEnclosingFunction() = f | inherentlyUnsafe(c.getTarget()))
}
/**
@@ -59,7 +58,9 @@ predicate inherentlyUnsafe(Function f) {
* not inherently unsafe.
*/
predicate safeToCall(Function f) {
forall(PointerType paramPointerType | paramPointerType = getAPointerType(f.getAParameter().getType()) |
forall(PointerType paramPointerType |
paramPointerType = getAPointerType(f.getAParameter().getType())
|
paramPointerType.getBaseType().isConst()
) and
not inherentlyUnsafe(f)
@@ -78,12 +79,16 @@ class BooleanExpression extends Expr {
}
predicate hasSideEffect(Expr e) {
e instanceof Assignment or
e instanceof CrementOperation or
e instanceof ExprCall or
e instanceof Assignment
or
e instanceof CrementOperation
or
e instanceof ExprCall
or
exists(Function f | f = e.(FunctionCall).getTarget() and not safeFunctionWhitelist(f) |
inherentlyUnsafe(f) or not safeToCall(f)
) or
)
or
hasSideEffect(e.getAChild())
}

View File

@@ -12,12 +12,13 @@
import cpp
from PreprocessorDirective p
where not p instanceof Include and
not p instanceof Macro and
not p instanceof PreprocessorIf and
not p instanceof PreprocessorElif and
not p instanceof PreprocessorElse and
not p instanceof PreprocessorIfdef and
not p instanceof PreprocessorIfndef and
not p instanceof PreprocessorEndif
where
not p instanceof Include and
not p instanceof Macro and
not p instanceof PreprocessorIf and
not p instanceof PreprocessorElif and
not p instanceof PreprocessorElse and
not p instanceof PreprocessorIfdef and
not p instanceof PreprocessorIfndef and
not p instanceof PreprocessorEndif
select p, "This preprocessor directive is not allowed."

View File

@@ -12,6 +12,7 @@
import cpp
from PreprocessorDirective i
where (i instanceof PreprocessorIf or i instanceof PreprocessorIfdef or i instanceof PreprocessorIfndef)
and not i.getFile() instanceof HeaderFile
where
(i instanceof PreprocessorIf or i instanceof PreprocessorIfdef or i instanceof PreprocessorIfndef) and
not i.getFile() instanceof HeaderFile
select i, "Use of conditional compilation must be kept to a minimum."

View File

@@ -12,6 +12,10 @@
import cpp
from Macro m, string msg
where (m.getHead().matches("%...%") and msg = "The macro " + m.getHead() + " is variadic, and hence not allowed.") or
(m.getBody().matches("%##%") and msg = "The macro " + m.getHead() + " uses token pasting and is not allowed.")
where
m.getHead().matches("%...%") and
msg = "The macro " + m.getHead() + " is variadic, and hence not allowed."
or
m.getBody().matches("%##%") and
msg = "The macro " + m.getHead() + " uses token pasting and is not allowed."
select m, msg

View File

@@ -12,8 +12,10 @@
import cpp
int lineInBlock(File f) {
exists(Block block, Location blockLocation | block.getFile() = f and blockLocation = block.getLocation()|
result in [blockLocation.getStartLine()..blockLocation.getEndLine()]
exists(Block block, Location blockLocation |
block.getFile() = f and blockLocation = block.getLocation()
|
result in [blockLocation.getStartLine() .. blockLocation.getEndLine()]
)
}

View File

@@ -12,43 +12,35 @@
import cpp
class FileWithDirectives extends File {
FileWithDirectives() {
exists(Directive d | d.getFile() = this)
}
FileWithDirectives() { exists(Directive d | d.getFile() = this) }
int getDirectiveLine(Directive d) {
d.getFile() = this and d.getLocation().getStartLine() = result
}
int getDirectiveIndex(Directive d) {
exists(int line | line = getDirectiveLine(d) |
line = rank[result](getDirectiveLine(_))
)
exists(int line | line = getDirectiveLine(d) | line = rank[result](getDirectiveLine(_)))
}
int depth(Directive d) {
exists(int index | index = getDirectiveIndex(d) |
(index = 1 and result = d.depthChange()) or
exists(Directive prev | getDirectiveIndex(prev) = index-1 |
index = 1 and result = d.depthChange()
or
exists(Directive prev | getDirectiveIndex(prev) = index - 1 |
result = d.depthChange() + depth(prev)
)
)
}
Directive lastDirective() {
getDirectiveIndex(result) = max(getDirectiveIndex(_))
}
Directive lastDirective() { getDirectiveIndex(result) = max(getDirectiveIndex(_)) }
}
abstract class Directive extends PreprocessorDirective {
abstract int depthChange();
abstract predicate mismatched();
int depth() {
exists(FileWithDirectives f |
f.depth(this) = result
)
}
int depth() { exists(FileWithDirectives f | f.depth(this) = result) }
}
class IfDirective extends Directive {
@@ -59,6 +51,7 @@ class IfDirective extends Directive {
}
override int depthChange() { result = 1 }
override predicate mismatched() { none() }
}
@@ -69,24 +62,26 @@ class ElseDirective extends Directive {
}
override int depthChange() { result = 0 }
override predicate mismatched() { depth() < 1 }
}
class EndifDirective extends Directive {
EndifDirective() {
this instanceof PreprocessorEndif
}
EndifDirective() { this instanceof PreprocessorEndif }
override int depthChange() { result = -1 }
override predicate mismatched() { depth() < 0 }
}
from FileWithDirectives f, Directive d, string msg
where d.getFile() = f and
if d.mismatched() then (
msg = "'" + d + "' has no matching #if in file " + f.getBaseName() + "."
) else (
d = f.lastDirective() and d.depth() > 0 and msg = "File " + f.getBaseName() +
" ends with " + d.depth() + " unterminated #if directives."
where
d.getFile() = f and
if d.mismatched()
then msg = "'" + d + "' has no matching #if in file " + f.getBaseName() + "."
else (
d = f.lastDirective() and
d.depth() > 0 and
msg = "File " + f.getBaseName() + " ends with " + d.depth() + " unterminated #if directives."
)
select d, msg

View File

@@ -22,16 +22,16 @@ class OneLineStmt extends Stmt {
}
}
int numStmt(File f, int line) {
result = strictcount(OneLineStmt o | o.onLine(f, line))
}
int numStmt(File f, int line) { result = strictcount(OneLineStmt o | o.onLine(f, line)) }
from File f, int line, OneLineStmt o, int cnt
where numStmt(f, line) = cnt
and cnt > 1
and o.onLine(f, line)
and o.getLocation().getStartColumn() =
min(OneLineStmt other, int toMin
| other.onLine(f, line) and toMin = other.getLocation().getStartColumn()
| toMin)
where
numStmt(f, line) = cnt and
cnt > 1 and
o.onLine(f, line) and
o.getLocation().getStartColumn() = min(OneLineStmt other, int toMin |
other.onLine(f, line) and toMin = other.getLocation().getStartColumn()
|
toMin
)
select o, "This line contains " + cnt + " statements; only one is allowed."

View File

@@ -12,7 +12,8 @@
import cpp
from DeclStmt d
where exists(Variable v1, Variable v2 | v1 = d.getADeclaration() and v2 = d.getADeclaration() |
where
exists(Variable v1, Variable v2 | v1 = d.getADeclaration() and v2 = d.getADeclaration() |
v1 != v2 and
v1.getLocation().getStartLine() = v2.getLocation().getStartLine()
)

View File

@@ -26,6 +26,7 @@ string paramWarning(Function f) {
}
from Function f, string msg
where msg = lengthWarning(f) or
msg = paramWarning(f)
where
msg = lengthWarning(f) or
msg = paramWarning(f)
select f, msg

View File

@@ -15,7 +15,7 @@ string var(Variable v) {
exists(int level | level = v.getType().getPointerIndirectionLevel() |
level > 2 and
result = "The type of " + v.getName() + " uses " + level +
" levels of pointer indirection -- maximum allowed is 2."
" levels of pointer indirection -- maximum allowed is 2."
)
}
@@ -23,7 +23,7 @@ string fun(Function f) {
exists(int level | level = f.getType().getPointerIndirectionLevel() |
level > 2 and
result = "The return type of " + f.getName() + " uses " + level +
" levels of pointer indirection -- maximum allowed is 2."
" levels of pointer indirection -- maximum allowed is 2."
)
}

View File

@@ -12,7 +12,8 @@
import cpp
from PointerDereferenceExpr e, int n
where not e.getParent+() instanceof PointerDereferenceExpr
and n = strictcount(PointerDereferenceExpr child | child.getParent+() = e)
and n > 1
where
not e.getParent+() instanceof PointerDereferenceExpr and
n = strictcount(PointerDereferenceExpr child | child.getParent+() = e) and
n > 1
select e, "This expression involves " + n + " levels of pointer dereference; 2 are allowed."

View File

@@ -12,9 +12,11 @@
import cpp
from Macro m
where forex(MacroInvocation mi | mi.getMacro() = m |
where
forex(MacroInvocation mi | mi.getMacro() = m |
exists(PointerDereferenceExpr e, Location miLoc, Location eLoc | e = mi.getAGeneratedElement() |
miLoc = mi.getLocation() and eLoc = e.getLocation() and
miLoc = mi.getLocation() and
eLoc = e.getLocation() and
eLoc.getStartColumn() = miLoc.getStartColumn() and
eLoc.getStartLine() = miLoc.getStartLine()
)

View File

@@ -20,7 +20,9 @@ predicate permissibleConversion(Type t) {
}
from Expr e, Type converted
where e.getType() instanceof FunctionPointerType and
where
e.getType() instanceof FunctionPointerType and
e.getFullyConverted().getType() = converted and
not permissibleConversion(converted)
select e, "Function pointer converted to " + converted.getName() + ", which is not an integral type."
select e,
"Function pointer converted to " + converted.getName() + ", which is not an integral type."

View File

@@ -12,8 +12,16 @@
import cpp
int firstCodeLine(File f) {
result = min(Declaration d, Location l, int toMin | (l = d.getLocation() and
l.getFile() = f and not d.isInMacroExpansion()) and (toMin = l.getStartLine()) | toMin)
result = min(Declaration d, Location l, int toMin |
(
l = d.getLocation() and
l.getFile() = f and
not d.isInMacroExpansion()
) and
toMin = l.getStartLine()
|
toMin
)
}
int badIncludeLine(File f, Include i) {
@@ -23,7 +31,9 @@ int badIncludeLine(File f, Include i) {
}
from File f, Include i, int line
where line = badIncludeLine(f, i) and
where
line = badIncludeLine(f, i) and
line = min(badIncludeLine(f, _))
select i, "'" + i.toString() + "' is preceded by code -- it should be moved above line " +
firstCodeLine(f) + " in " + f.getBaseName() + "."
select i,
"'" + i.toString() + "' is preceded by code -- it should be moved above line " + firstCodeLine(f) +
" in " + f.getBaseName() + "."

View File

@@ -22,7 +22,8 @@ class Task extends Function {
*/
class PublicFunction extends Function {
PublicFunction() {
not this.isStatic() and (
not this.isStatic() and
(
strictcount(Task t | t.calls+(this)) > 1 or
not exists(Task t | t.getFile() = this.getFile())
)

View File

@@ -14,17 +14,22 @@
* language-features
* external/cwe/cwe-190
*/
import cpp
from BitField bf
where not bf.getUnspecifiedType().(IntegralType).isExplicitlySigned()
and not bf.getUnspecifiedType().(IntegralType).isExplicitlyUnsigned()
and not bf.getUnspecifiedType() instanceof Enum
and not bf.getUnspecifiedType() instanceof BoolType
where
not bf.getUnspecifiedType().(IntegralType).isExplicitlySigned() and
not bf.getUnspecifiedType().(IntegralType).isExplicitlyUnsigned() and
not bf.getUnspecifiedType() instanceof Enum and
not bf.getUnspecifiedType() instanceof BoolType and
// At least for C programs on Windows, BOOL is a common typedef for a type
// representing BoolType.
and not bf.getType().hasName("BOOL")
not bf.getType().hasName("BOOL") and
// If this is true, then there cannot be unsigned sign extension or overflow.
and not bf.getDeclaredNumBits() = bf.getType().getSize() * 8
and not bf.isAnonymous()
select bf, "Bit field " + bf.getName() + " of type " + bf.getUnderlyingType().getName() + " should have explicitly unsigned integral, explicitly signed integral, or enumeration type."
not bf.getDeclaredNumBits() = bf.getType().getSize() * 8 and
not bf.isAnonymous() and
not bf.isFromUninstantiatedTemplate(_)
select bf,
"Bit field " + bf.getName() + " of type " + bf.getUnderlyingType().getName() +
" should have explicitly unsigned integral, explicitly signed integral, or enumeration type."

View File

@@ -2,36 +2,39 @@
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Checking for overflow of integer addition needs to be done with
care, because automatic type promotion can prevent the check
from working correctly.
</p>
</overview>
<recommendation>
<p>
Use an explicit cast to make sure that the result of the addition is
not implicitly converted to a larger type.
</p>
</recommendation>
<example>
<sample src="BadAdditionOverflowCheckExample1.cpp" />
<p>
On a typical architecture where <tt>short</tt> is 16 bits
and <tt>int</tt> is 32 bits, the operands of the addition are
automatically promoted to <tt>int</tt>, so it cannot overflow
and the result of the comparison is always false.
</p>
<p>
The code below implements the check correctly, by using an
explicit cast to make sure that the result of the addition
is <tt>unsigned short</tt>.
</p>
<sample src="BadAdditionOverflowCheckExample2.cpp" />
</example>
<references>
<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
</references>
<overview>
<p>
Checking for overflow of integer addition needs to be done with
care, because automatic type promotion can prevent the check
from working as intended, with the same value (<code>true</code>
or <code>false</code>) always being returned.
</p>
</overview>
<recommendation>
<p>
Use an explicit cast to make sure that the result of the addition is
not implicitly converted to a larger type.
</p>
</recommendation>
<example>
<sample src="BadAdditionOverflowCheckExample1.cpp" />
<p>
On a typical architecture where <code>short</code> is 16 bits
and <code>int</code> is 32 bits, the operands of the addition are
automatically promoted to <code>int</code>, so it cannot overflow
and the result of the comparison is always false.
</p>
<p>
The code below implements the check correctly, by using an
explicit cast to make sure that the result of the addition
is <code>unsigned short</code> (which may overflow, in which case
the comparison would evaluate to <code>true</code>).
</p>
<sample src="BadAdditionOverflowCheckExample2.cpp" />
</example>
<references>
<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
</references>
</qhelp>

View File

@@ -13,8 +13,9 @@ private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
* swapping the operands both ways round.
*/
private predicate addExpr(AddExpr plus, Expr a, Expr b) {
(a = plus.getLeftOperand() and b = plus.getRightOperand()) or
(b = plus.getLeftOperand() and a = plus.getRightOperand())
a = plus.getLeftOperand() and b = plus.getRightOperand()
or
b = plus.getLeftOperand() and a = plus.getRightOperand()
}
/**
@@ -29,12 +30,12 @@ private predicate addExpr(AddExpr plus, Expr a, Expr b) {
* false.
*/
predicate badAdditionOverflowCheck(RelationalOperation cmp, AddExpr plus) {
exists (Variable v, VariableAccess a1, VariableAccess a2, Expr b
| addExpr(plus, a1, b) and
exists(Variable v, VariableAccess a1, VariableAccess a2, Expr b |
addExpr(plus, a1, b) and
a1 = v.getAnAccess() and
a2 = v.getAnAccess() and
not exists (a1.getQualifier()) and // Avoid structure fields
not exists (a2.getQualifier()) and // Avoid structure fields
not exists(a1.getQualifier()) and // Avoid structure fields
not exists(a2.getQualifier()) and // Avoid structure fields
// Simple type-based check that the addition cannot overflow.
exprMinVal(plus) <= exprMinVal(a1) + exprMinVal(b) and
exprMaxVal(plus) > exprMaxVal(a1) and
@@ -43,5 +44,6 @@ predicate badAdditionOverflowCheck(RelationalOperation cmp, AddExpr plus) {
exprMinVal(plus.getExplicitlyConverted()) <= exprMinVal(plus) and
exprMaxVal(plus.getExplicitlyConverted()) >= exprMaxVal(plus) and
cmp.getAnOperand() = plus and
cmp.getAnOperand() = a2)
cmp.getAnOperand() = a2
)
}

View File

@@ -1,3 +1,4 @@
bool checkOverflow(unsigned short x, unsigned short y) {
return (x + y < x); // BAD: x and y are automatically promoted to int.
// BAD: comparison is always false due to type promotion
return (x + y < x);
}

View File

@@ -10,12 +10,14 @@
* correctness
* types
*/
import cpp
from EqualityOperation t, RemExpr lhs, Literal rhs
where t.getLeftOperand() = lhs and
t.getRightOperand() = rhs and
lhs.getLeftOperand().getUnspecifiedType().(IntegralType).isSigned() and
lhs.getRightOperand().getValue() = "2" and
rhs.getValue() = "1"
where
t.getLeftOperand() = lhs and
t.getRightOperand() = rhs and
lhs.getLeftOperand().getUnspecifiedType().(IntegralType).isSigned() and
lhs.getRightOperand().getValue() = "2" and
rhs.getValue() = "1"
select t, "Possibly invalid test for oddness. This will fail for negative numbers."

View File

@@ -9,12 +9,21 @@
* @tags reliability
* correctness
*/
import cpp
from RelationalOperation e, BinaryBitwiseOperation lhs
where lhs = e.getGreaterOperand() and
lhs.getActualType().(IntegralType).isSigned() and
forall(int op | op = lhs.(BitwiseAndExpr).getAnOperand().getValue().toInt() | op < 0) and
e.getLesserOperand().getValue() = "0" and
not e.isAffectedByMacro()
where
// `lhs > 0` (or `0 < lhs`)
// (note that `lhs < 0`, `lhs >= 0` or `lhs <= 0` all imply that the signedness of
// `lhs` is understood, so should not be flagged).
(e instanceof GTExpr or e instanceof LTExpr) and
e.getGreaterOperand() = lhs and
e.getLesserOperand().getValue() = "0" and
// lhs is signed
lhs.getActualType().(IntegralType).isSigned() and
// if `lhs` has the form `x & c`, with constant `c`, `c` is negative
forall(int op | op = lhs.(BitwiseAndExpr).getAnOperand().getValue().toInt() | op < 0) and
// exception for cases involving macros
not e.isAffectedByMacro()
select e, "Potential unsafe sign check of a bitwise operation."

View File

@@ -10,9 +10,12 @@
* @tags maintainability
* readability
*/
import cpp
from ComparisonOperation co, ComparisonOperation chco
where co.getAChild() = chco and not chco.isParenthesised()
select co, "Check the comparison operator precedence."
where
co.getAChild() = chco and
not chco.isParenthesised() and
not co.isFromUninstantiatedTemplate(_)
select co, "Comparison as an operand to another comparison."

View File

@@ -25,11 +25,15 @@ import PointlessSelfComparison
* `parent = 2 * child`
*/
private predicate linearChild(Expr parent, Expr child, float multiplier) {
(child = parent.(AddExpr).getAChild() and multiplier = 1.0) or
(child = parent.(SubExpr).getLeftOperand() and multiplier = 1.0) or
(child = parent.(SubExpr).getRightOperand() and multiplier = -1.0) or
(child = parent.(UnaryPlusExpr).getOperand() and multiplier = 1.0) or
(child = parent.(UnaryMinusExpr).getOperand() and multiplier = -1.0)
child = parent.(AddExpr).getAChild() and multiplier = 1.0
or
child = parent.(SubExpr).getLeftOperand() and multiplier = 1.0
or
child = parent.(SubExpr).getRightOperand() and multiplier = -1.0
or
child = parent.(UnaryPlusExpr).getOperand() and multiplier = 1.0
or
child = parent.(UnaryMinusExpr).getOperand() and multiplier = -1.0
}
/**
@@ -41,18 +45,19 @@ private predicate linearChild(Expr parent, Expr child, float multiplier) {
* In this example, `x` has multiplier 4, `y` has multiplier -1, and `z`
* has multiplier -3 (multipliers from the right hand child are negated).
*/
private predicate cmpLinearSubExpr(
ComparisonOperation cmp, Expr child, float multiplier) {
not convertedExprMightOverflow(child)
and
((child = cmp.getLeftOperand() and multiplier = 1.0)
or
(child = cmp.getRightOperand() and multiplier = -1.0)
or
exists (Expr parent, float m1, float m2
| cmpLinearSubExpr(cmp, parent, m1) and
linearChild(parent, child, m2) and
multiplier = m1 * m2))
private predicate cmpLinearSubExpr(ComparisonOperation cmp, Expr child, float multiplier) {
not convertedExprMightOverflow(child) and
(
child = cmp.getLeftOperand() and multiplier = 1.0
or
child = cmp.getRightOperand() and multiplier = -1.0
or
exists(Expr parent, float m1, float m2 |
cmpLinearSubExpr(cmp, parent, m1) and
linearChild(parent, child, m2) and
multiplier = m1 * m2
)
)
}
/**
@@ -60,9 +65,10 @@ private predicate cmpLinearSubExpr(
* `child` is an access of variable `v`.
*/
private predicate cmpLinearSubVariable(
ComparisonOperation cmp, Variable v, VariableAccess child, float multiplier) {
ComparisonOperation cmp, Variable v, VariableAccess child, float multiplier
) {
v = child.getTarget() and
not exists (child.getQualifier()) and
not exists(child.getQualifier()) and
cmpLinearSubExpr(cmp, child, multiplier)
}
@@ -75,23 +81,19 @@ private predicate cmpLinearSubVariable(
* `v + x - v < y`
* `v + x + v < y + 2*v`
*/
private predicate cancelingSubExprs(
ComparisonOperation cmp, VariableAccess a1, VariableAccess a2) {
exists (Variable v
| exists (float m | m < 0 and cmpLinearSubVariable(cmp, v, a1, m)) and
exists (float m | m > 0 and cmpLinearSubVariable(cmp, v, a2, m)))
private predicate cancelingSubExprs(ComparisonOperation cmp, VariableAccess a1, VariableAccess a2) {
exists(Variable v |
exists(float m | m < 0 and cmpLinearSubVariable(cmp, v, a1, m)) and
exists(float m | m > 0 and cmpLinearSubVariable(cmp, v, a2, m))
)
}
from ComparisonOperation cmp, VariableAccess a1, VariableAccess a2
where
cancelingSubExprs(cmp, a1, a2)
cancelingSubExprs(cmp, a1, a2) and
// Most practical examples found by this query are instances of
// BadAdditionOverflowCheck or PointlessSelfComparison.
and not badAdditionOverflowCheck(cmp, _)
and not pointlessSelfComparison(cmp)
select
cmp,
"Comparison can be simplified by canceling $@ with $@.",
a1, a1.getTarget().getName(),
not badAdditionOverflowCheck(cmp, _) and
not pointlessSelfComparison(cmp)
select cmp, "Comparison can be simplified by canceling $@ with $@.", a1, a1.getTarget().getName(),
a2, a2.getTarget().getName()

View File

@@ -10,11 +10,15 @@
* @tags reliability
* correctness
*/
import cpp
from EqualityOperation ro, Expr left, Expr right
where left = ro.getLeftOperand() and right = ro.getRightOperand() and
ro.getAnOperand().getExplicitlyConverted().getType().getUnderlyingType() instanceof FloatingPointType and
not ro.getAnOperand().isConstant() and // comparisons to constants generate too many false positives
not left.(VariableAccess).getTarget() = right.(VariableAccess).getTarget() // skip self comparison
where
left = ro.getLeftOperand() and
right = ro.getRightOperand() and
ro.getAnOperand().getExplicitlyConverted().getType().getUnderlyingType() instanceof
FloatingPointType and
not ro.getAnOperand().isConstant() and // comparisons to constants generate too many false positives
not left.(VariableAccess).getTarget() = right.(VariableAccess).getTarget() // skip self comparison
select ro, "Equality test on floating point values may not behave as expected."

View File

@@ -15,6 +15,7 @@
* external/cwe/cwe-197
* external/cwe/cwe-681
*/
import cpp
import semmle.code.cpp.controlflow.SSA
@@ -28,9 +29,12 @@ import semmle.code.cpp.controlflow.SSA
* controlled, so we consider it less likely to cause an overflow.
*/
predicate likelySmall(Expr e) {
e.isConstant() or
e.getType().getSize() <= 1 or
e.(ArrayExpr).getArrayBase().getType().(ArrayType).getBaseType().isConst() or
e.isConstant()
or
e.getType().getSize() <= 1
or
e.(ArrayExpr).getArrayBase().getType().(ArrayType).getBaseType().isConst()
or
exists(SsaDefinition def, Variable v |
def.getAUse(v) = e and
likelySmall(def.getDefiningValue(v))
@@ -41,9 +45,7 @@ predicate likelySmall(Expr e) {
* Gets an operand of a multiply expression (we need the restriction
* to multiply expressions to get the correct transitive closure).
*/
Expr getMulOperand(MulExpr me) {
result = me.getAnOperand()
}
Expr getMulOperand(MulExpr me) { result = me.getAnOperand() }
/**
* Gets the number of non-constant operands of a multiply expression,
@@ -56,53 +58,50 @@ Expr getMulOperand(MulExpr me) {
*/
int getEffectiveMulOperands(MulExpr me) {
result = count(Expr op |
op = getMulOperand*(me) and
not op instanceof MulExpr and
not likelySmall(op)
)
op = getMulOperand*(me) and
not op instanceof MulExpr and
not likelySmall(op)
)
}
from MulExpr me, Type t1, Type t2
where t1 = me.getType().getUnderlyingType() and
t2 = me.getConversion().getType().getUnderlyingType() and
t1.getSize() < t2.getSize() and
(
(
t1.getUnspecifiedType() instanceof IntegralType and
t2.getUnspecifiedType() instanceof IntegralType
) or (
t1.getUnspecifiedType() instanceof FloatingPointType and
t2.getUnspecifiedType() instanceof FloatingPointType
)
) and
// exclude explicit conversions
me.getConversion().isCompilerGenerated() and
// require the multiply to have two non-constant operands
// (the intuition here is that multiplying two unknowns is
// much more likely to produce a result that needs significantly
// more bits than the operands did, and thus requires a larger
// type).
getEffectiveMulOperands(me) >= 2 and
// exclude varargs promotions
not exists(FunctionCall fc, int vararg |
fc.getArgument(vararg) = me and
vararg >= fc.getTarget().getNumberOfParameters()
) and
// exclude cases where the type was made bigger by a literal
// (compared to other cases such as assignment, this is more
// likely to be a trivial accident rather than suggesting a
// larger type is needed for the result).
not exists(Expr other, Expr e |
other = me.getParent().(BinaryOperation).getAnOperand() and
not other = me and
(
e = other or
e = other.(BinaryOperation).getAnOperand*()
) and
e.(Literal).getType().getSize() = t2.getSize()
)
select me, "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '" + me.getFullyConverted().getType().toString() + "'."
where
t1 = me.getType().getUnderlyingType() and
t2 = me.getConversion().getType().getUnderlyingType() and
t1.getSize() < t2.getSize() and
(
t1.getUnspecifiedType() instanceof IntegralType and
t2.getUnspecifiedType() instanceof IntegralType
or
t1.getUnspecifiedType() instanceof FloatingPointType and
t2.getUnspecifiedType() instanceof FloatingPointType
) and
// exclude explicit conversions
me.getConversion().isCompilerGenerated() and
// require the multiply to have two non-constant operands
// (the intuition here is that multiplying two unknowns is
// much more likely to produce a result that needs significantly
// more bits than the operands did, and thus requires a larger
// type).
getEffectiveMulOperands(me) >= 2 and
// exclude varargs promotions
not exists(FunctionCall fc, int vararg |
fc.getArgument(vararg) = me and
vararg >= fc.getTarget().getNumberOfParameters()
) and
// exclude cases where the type was made bigger by a literal
// (compared to other cases such as assignment, this is more
// likely to be a trivial accident rather than suggesting a
// larger type is needed for the result).
not exists(Expr other, Expr e |
other = me.getParent().(BinaryOperation).getAnOperand() and
not other = me and
(
e = other or
e = other.(BinaryOperation).getAnOperand*()
) and
e.(Literal).getType().getSize() = t2.getSize()
)
select me,
"Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
+ me.getFullyConverted().getType().toString() + "'."

View File

@@ -11,6 +11,7 @@
* @tags maintainability
* readability
*/
import cpp
private import semmle.code.cpp.commons.Exclusions
private import semmle.code.cpp.rangeanalysis.PointlessComparison
@@ -25,38 +26,40 @@ import UnsignedGEZero
// So to reduce the number of false positives, we do not report a result if
// the comparison is in a macro expansion. Similarly for template
// instantiations.
from
ComparisonOperation cmp, SmallSide ss,
float left, float right, boolean value,
string reason
from ComparisonOperation cmp, SmallSide ss, float left, float right, boolean value, string reason
where
not cmp.isInMacroExpansion() and
not cmp.isFromTemplateInstantiation(_) and
not functionContainsDisabledCode(cmp.getEnclosingFunction()) and
reachablePointlessComparison(cmp, left, right, value, ss) and
// a comparison between an enum and zero is always valid because whether
// the underlying type of an enum is signed is compiler-dependent
not exists (Expr e, ConstantZero z
| relOpWithSwap(cmp, e.getFullyConverted(), z, _, _) and
e.getUnderlyingType() instanceof Enum) and
not exists(Expr e, ConstantZero z |
relOpWithSwap(cmp, e.getFullyConverted(), z, _, _) and
e.getUnderlyingType() instanceof Enum
) and
// Construct a reason for the message. Something like: x >= 5 and 3 >= y.
exists (string cmpOp, string leftReason, string rightReason
| ((ss = LeftIsSmaller() and cmpOp = " <= ") or
(ss = RightIsSmaller() and cmpOp = " >= ")) and
exists(string cmpOp, string leftReason, string rightReason |
(
ss = LeftIsSmaller() and cmpOp = " <= "
or
ss = RightIsSmaller() and cmpOp = " >= "
) and
leftReason = cmp.getLeftOperand().toString() + cmpOp + left.toString() and
rightReason = right.toString() + cmpOp + cmp.getRightOperand().toString() and
// If either of the operands is constant, then don't include it.
(if cmp.getLeftOperand().isConstant()
then if cmp.getRightOperand().isConstant()
then none() // Both operands are constant so don't create a message.
else reason = rightReason
else if cmp.getRightOperand().isConstant()
then reason = leftReason
else reason = leftReason + " and " + rightReason)) and
(
if cmp.getLeftOperand().isConstant()
then
if cmp.getRightOperand().isConstant()
then none() // Both operands are constant so don't create a message.
else reason = rightReason
else
if cmp.getRightOperand().isConstant()
then reason = leftReason
else reason = leftReason + " and " + rightReason
)
) and
// Don't report results which have already been reported by UnsignedGEZero.
not unsignedGEZero(cmp, _)
select
cmp, "Comparison is always " + value.toString() + " because " + reason + "."
select cmp, "Comparison is always " + value.toString() + " because " + reason + "."

View File

@@ -1,8 +1,8 @@
/**
* @name Self comparison
* @description Comparing a variable to itself always produces the
same result, unless the purpose is to check for
integer overflow or floating point NaN.
* same result, unless the purpose is to check for
* integer overflow or floating point NaN.
* @kind problem
* @problem.severity warning
* @precision high
@@ -15,15 +15,15 @@ import cpp
import PointlessSelfComparison
from ComparisonOperation cmp
where pointlessSelfComparison(cmp)
and not nanTest(cmp)
and not overflowTest(cmp)
and not exists(MacroInvocation mi |
// cmp is in mi
mi.getAnExpandedElement() = cmp and
// and cmp was apparently not passed in as a macro parameter
cmp.getLocation().getStartLine() = mi.getLocation().getStartLine() and
cmp.getLocation().getStartColumn() = mi.getLocation().getStartColumn()
)
where
pointlessSelfComparison(cmp) and
not nanTest(cmp) and
not overflowTest(cmp) and
not exists(MacroInvocation mi |
// cmp is in mi
mi.getAnExpandedElement() = cmp and
// and cmp was apparently not passed in as a macro parameter
cmp.getLocation().getStartLine() = mi.getLocation().getStartLine() and
cmp.getLocation().getStartColumn() = mi.getLocation().getStartColumn()
)
select cmp, "Self comparison."

View File

@@ -21,15 +21,16 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
* `<=`, `>=`).
*/
predicate pointlessSelfComparison(ComparisonOperation cmp) {
exists (Variable v, VariableAccess lhs, VariableAccess rhs
| lhs = cmp.getLeftOperand() and
exists(Variable v, VariableAccess lhs, VariableAccess rhs |
lhs = cmp.getLeftOperand() and
rhs = cmp.getRightOperand() and
lhs = v.getAnAccess() and
rhs = v.getAnAccess() and
not exists (lhs.getQualifier()) and // Avoid structure fields
not exists (rhs.getQualifier()) and // Avoid structure fields
not exists(lhs.getQualifier()) and // Avoid structure fields
not exists(rhs.getQualifier()) and // Avoid structure fields
not convertedExprMightOverflow(lhs) and
not convertedExprMightOverflow(rhs))
not convertedExprMightOverflow(rhs)
)
}
/**
@@ -44,10 +45,10 @@ predicate pointlessSelfComparison(ComparisonOperation cmp) {
*/
predicate nanTest(EqualityOperation cmp) {
pointlessSelfComparison(cmp) and
exists (Type t
| t = cmp.getLeftOperand().getUnspecifiedType()
| t instanceof FloatingPointType or
t instanceof TemplateParameter)
exists(Type t | t = cmp.getLeftOperand().getUnspecifiedType() |
t instanceof FloatingPointType or
t instanceof TemplateParameter
)
}
/**

View File

@@ -10,6 +10,7 @@
* @tags maintainability
* readability
*/
import cpp
import UnsignedGEZero

View File

@@ -18,20 +18,16 @@ class ConstantZero extends Expr {
class UnsignedGEZero extends GEExpr {
UnsignedGEZero() {
this.getRightOperand() instanceof ConstantZero and
// left operand was a signed or unsigned IntegralType before conversions
// (not a pointer, checking a pointer >= 0 is an entirely different mistake)
// (not an enum, as the fully converted type of an enum is compiler dependent
// so checking an enum >= 0 is always reasonable)
getLeftOperand().getUnderlyingType() instanceof IntegralType and
exists(Expr ue |
// ue is some conversion of the left operand
ue = getLeftOperand().getConversion*() and
// ue is unsigned
ue.getUnderlyingType().(IntegralType).isUnsigned() and
// ue may be converted to zero or more strictly larger possibly signed types
// before it is fully converted
forall(Expr following | following = ue.getConversion+() |
@@ -45,7 +41,6 @@ predicate unsignedGEZero(UnsignedGEZero ugez, string msg) {
not exists(MacroInvocation mi |
// ugez is in mi
mi.getAnExpandedElement() = ugez and
// and ugez was apparently not passed in as a macro parameter
ugez.getLocation().getStartLine() = mi.getLocation().getStartLine() and
ugez.getLocation().getStartColumn() = mi.getLocation().getStartColumn()

View File

@@ -16,8 +16,8 @@ import cpp
* Gets a `do` ... `while` loop with a constant false condition.
*/
DoStmt getAFalseLoop() {
result.getControllingExpr().getValue() = "0"
and not result.getControllingExpr().isAffectedByMacro()
result.getControllingExpr().getValue() = "0" and
not result.getControllingExpr().isAffectedByMacro()
}
/**
@@ -30,22 +30,19 @@ DoStmt enclosingLoop(Stmt s) {
exists(Stmt parent |
parent = s.getParent() and
(
(
parent instanceof Loop and
result = parent
) or (
not parent instanceof Loop and
not parent instanceof SwitchStmt and
result = enclosingLoop(parent)
)
parent instanceof Loop and
result = parent
or
not parent instanceof Loop and
not parent instanceof SwitchStmt and
result = enclosingLoop(parent)
)
)
}
from DoStmt loop, ContinueStmt continue
where loop = getAFalseLoop()
and loop = enclosingLoop(continue)
select continue,
"This 'continue' never re-runs the loop - the $@ is always false.",
loop.getControllingExpr(),
"loop condition"
where
loop = getAFalseLoop() and
loop = enclosingLoop(continue)
select continue, "This 'continue' never re-runs the loop - the $@ is always false.",
loop.getControllingExpr(), "loop condition"

View File

@@ -8,20 +8,21 @@
* @precision high
* @tags reliability
*/
import cpp
import semmle.code.cpp.commons.Buffer
from Function f, FunctionCall c, int i, ArrayType argType, ArrayType paramType, int a, int b
where f = c.getTarget() and
argType = c.getArgument(i).getType() and
paramType = f.getParameter(i).getType() and
a = argType.getArraySize() and
b = paramType.getArraySize() and
argType.getBaseType().getSize() = paramType.getBaseType().getSize() and
a < b and
not memberMayBeVarSize(_, c.getArgument(i).(VariableAccess).getTarget()) and
// filter out results for inconsistent declarations
strictcount(f.getParameter(i).getType().getSize()) = 1
select c.getArgument(i), "Array of size " + a +
" passed to $@ which expects an array of size " + b + ".",
f, f.getName()
where
f = c.getTarget() and
argType = c.getArgument(i).getType() and
paramType = f.getParameter(i).getType() and
a = argType.getArraySize() and
b = paramType.getArraySize() and
argType.getBaseType().getSize() = paramType.getBaseType().getSize() and
a < b and
not memberMayBeVarSize(_, c.getArgument(i).(VariableAccess).getTarget()) and
// filter out results for inconsistent declarations
strictcount(f.getParameter(i).getType().getSize()) = 1
select c.getArgument(i),
"Array of size " + a + " passed to $@ which expects an array of size " + b + ".", f, f.getName()

View File

@@ -20,26 +20,17 @@ import semmle.code.cpp.dataflow.DataFlow
import DataFlow::PathGraph
class CastToPointerArithFlow extends DataFlow::Configuration {
CastToPointerArithFlow() {
this = "CastToPointerArithFlow"
}
CastToPointerArithFlow() { this = "CastToPointerArithFlow" }
override predicate isSource(DataFlow::Node node) {
not node.asExpr() instanceof Conversion and
introducesNewField(
node.asExpr().getType().(DerivedType).getBaseType(),
node.asExpr().getConversion*().getType().(DerivedType).getBaseType()
)
introducesNewField(node.asExpr().getType().(DerivedType).getBaseType(),
node.asExpr().getConversion*().getType().(DerivedType).getBaseType())
}
override predicate isSink(DataFlow::Node node) {
exists(PointerAddExpr pae |
pae.getAnOperand() = node.asExpr()
) or
exists(ArrayExpr ae |
ae.getArrayBase() = node.asExpr()
)
exists(PointerAddExpr pae | pae.getAnOperand() = node.asExpr()) or
exists(ArrayExpr ae | ae.getArrayBase() = node.asExpr())
}
}
@@ -52,12 +43,19 @@ predicate introducesNewField(Class derived, Class base) {
exists(Field f |
f.getDeclaringType() = derived and
derived.getABaseClass+() = base
) or
)
or
introducesNewField(derived.getABaseClass(), base)
)
}
from DataFlow::PathNode source, DataFlow::PathNode sink, CastToPointerArithFlow cfg
where cfg.hasFlowPath(source, sink)
and source.getNode().asExpr().getFullyConverted().getUnspecifiedType() = sink.getNode().asExpr().getFullyConverted().getUnspecifiedType()
select sink, source, sink, "Pointer arithmetic here may be done with the wrong type because of the cast $@.", source, "here"
where
cfg.hasFlowPath(source, sink) and
source.getNode().asExpr().getFullyConverted().getUnspecifiedType() = sink
.getNode()
.asExpr()
.getFullyConverted()
.getUnspecifiedType()
select sink, source, sink,
"Pointer arithmetic here may be done with the wrong type because of the cast $@.", source, "here"

View File

@@ -6,18 +6,25 @@
* @problem.severity warning
* @tags reliability
*/
import cpp
from Expr e1, Cast e2, IntegralType it1, IntegralType it2
where e2 = e1.getConversion() and
e2.isImplicit() and
it1 = e1.getUnderlyingType() and
it2 = e2.getUnderlyingType() and
(
it1.isUnsigned() and it2.isSigned() and it1.getSize() >= it2.getSize()
or it1.isSigned() and it2.isUnsigned()
) and
not (e1.isConstant() and 0 <= e1.getValue().toInt() and
e1.getValue().toInt() <= ((it2.getSize()*8-1)*(2.log())).exp())
and not e1.isConstant()
select e1, "Conversion between signed and unsigned types "+it1.toString()+" and "+it2.toString()+"."
where
e2 = e1.getConversion() and
e2.isImplicit() and
it1 = e1.getUnderlyingType() and
it2 = e2.getUnderlyingType() and
(
it1.isUnsigned() and it2.isSigned() and it1.getSize() >= it2.getSize()
or
it1.isSigned() and it2.isUnsigned()
) and
not (
e1.isConstant() and
0 <= e1.getValue().toInt() and
e1.getValue().toInt() <= ((it2.getSize() * 8 - 1) * 2.log()).exp()
) and
not e1.isConstant()
select e1,
"Conversion between signed and unsigned types " + it1.toString() + " and " + it2.toString() + "."

View File

@@ -14,10 +14,9 @@
import cpp
from BitField fi, VariableAccess va
where fi.getNumBits() > va.getFullyConverted().getType().getSize() * 8
and va.getExplicitlyConverted().getType().getSize() > va.getFullyConverted().getType().getSize()
and va.getTarget() = fi
and not va.getActualType() instanceof BoolType
where
fi.getNumBits() > va.getFullyConverted().getType().getSize() * 8 and
va.getExplicitlyConverted().getType().getSize() > va.getFullyConverted().getType().getSize() and
va.getTarget() = fi and
not va.getActualType() instanceof BoolType
select va, "Implicit downcast of bitfield $@", fi, fi.toString()

View File

@@ -44,25 +44,31 @@ predicate whitelistPow(FunctionCall fc) {
fc.getTarget().getName() = "pow" or
fc.getTarget().getName() = "powf" or
fc.getTarget().getName() = "powl"
) and exists(float value |
) and
exists(float value |
value = fc.getArgument(0).getValue().toFloat() and
(value.floor() - value).abs() < 0.001
)
}
predicate whiteListWrapped(FunctionCall fc) {
whitelist(fc.getTarget()) or
whitelistPow(fc) or
whitelist(fc.getTarget())
or
whitelistPow(fc)
or
exists(Expr e, ReturnStmt rs |
whiteListWrapped(e) and
DataFlow::localFlow(DataFlow::exprNode(e), DataFlow::exprNode(rs.getExpr())) and
DataFlow::localExprFlow(e, rs.getExpr()) and
fc.getTarget() = rs.getEnclosingFunction()
)
}
from FunctionCall c, FloatingPointType t1, IntegralType t2
where t1 = c.getTarget().getType().getUnderlyingType() and
t2 = c.getActualType() and
c.hasImplicitConversion() and
not whiteListWrapped(c)
select c, "Return value of type " + t1.toString() + " is implicitly converted to " + t2.toString() + " here."
where
t1 = c.getTarget().getType().getUnderlyingType() and
t2 = c.getActualType() and
c.hasImplicitConversion() and
not whiteListWrapped(c)
select c,
"Return value of type " + t1.toString() + " is implicitly converted to " + t2.toString() +
" here."

View File

@@ -11,6 +11,7 @@
* correctness
* types
*/
import cpp
predicate lossyPointerCast(Expr e, PointerType pt, IntegralType it) {
@@ -25,4 +26,4 @@ predicate lossyPointerCast(Expr e, PointerType pt, IntegralType it) {
from Expr e, PointerType pt, IntegralType it
where lossyPointerCast(e, pt, it)
select e, "Converted from " + pt.getName() + " to smaller type "+it.getName()
select e, "Converted from " + pt.getName() + " to smaller type " + it.getName()

View File

@@ -9,22 +9,26 @@
* correctness
* types
*/
import cpp
predicate commonErrorCode(string value) {
value = "0" or value = "1" or value = "-1"
or value = "18446744073709551615" // 2^64-1, i.e. -1 as an unsigned int64
or value = "4294967295" // 2^32-1, i.e. -1 as an unsigned int32
or value = "3735928559" // 0xdeadbeef
or value = "3735929054" // 0xdeadc0de
or value = "3405691582" // 0xcafebabe
value = "0" or
value = "1" or
value = "-1" or
value = "18446744073709551615" or // 2^64-1, i.e. -1 as an unsigned int64
value = "4294967295" or // 2^32-1, i.e. -1 as an unsigned int32
value = "3735928559" or // 0xdeadbeef
value = "3735929054" or // 0xdeadc0de
value = "3405691582" // 0xcafebabe
}
from Expr e
where e.isConstant() and
not commonErrorCode(e.getValue()) and
e.getFullyConverted().getType() instanceof PointerType and
not e.getType() instanceof ArrayType and
not e.getType() instanceof PointerType and
not e.isInMacroExpansion()
where
e.isConstant() and
not commonErrorCode(e.getValue()) and
e.getFullyConverted().getType() instanceof PointerType and
not e.getType() instanceof ArrayType and
not e.getType() instanceof PointerType and
not e.isInMacroExpansion()
select e, "Nonzero value " + e.getValueText() + " cast to pointer."

View File

@@ -33,11 +33,9 @@ predicate flowsToExpr(Expr source, Expr sink, boolean pathMightOverflow) {
* checking whether the current expression might overflow.
*/
predicate flowsToExprImpl(Expr source, Expr sink, boolean pathMightOverflow) {
(
source = sink and
pathMightOverflow = false and
source.(FunctionCall).getTarget().(Snprintf).returnsFullFormatLength()
)
source = sink and
pathMightOverflow = false and
source.(FunctionCall).getTarget().(Snprintf).returnsFullFormatLength()
or
exists(RangeSsaDefinition def, LocalScopeVariable v |
flowsToDef(source, def, v, pathMightOverflow) and

View File

@@ -10,12 +10,14 @@
* @tags reliability
* correctness
*/
import cpp
from FormatLiteral fl, FormattingFunctionCall ffc, int expected, int given
where ffc = fl.getUse()
and expected = fl.getNumArgNeeded()
and given = ffc.getNumFormatArgument()
and expected < given
and fl.specsAreKnown()
select ffc, "Format expects "+expected.toString()+" arguments but given "+given.toString()
where
ffc = fl.getUse() and
expected = fl.getNumArgNeeded() and
given = ffc.getNumFormatArgument() and
expected < given and
fl.specsAreKnown()
select ffc, "Format expects " + expected.toString() + " arguments but given " + given.toString()

View File

@@ -11,12 +11,14 @@
* security
* external/cwe/cwe-685
*/
import cpp
from FormatLiteral fl, FormattingFunctionCall ffc, int expected, int given
where ffc = fl.getUse()
and expected = fl.getNumArgNeeded()
and given = ffc.getNumFormatArgument()
and expected > given
and fl.specsAreKnown()
select ffc, "Format expects "+expected.toString()+" arguments but given "+given.toString()
where
ffc = fl.getUse() and
expected = fl.getNumArgNeeded() and
given = ffc.getNumFormatArgument() and
expected > given and
fl.specsAreKnown()
select ffc, "Format expects " + expected.toString() + " arguments but given " + given.toString()

View File

@@ -16,17 +16,19 @@ import cpp
/**
* Holds if the argument corresponding to the `pos` conversion specifier
* of `ffc` is expected to have type `expected`.
* of `ffc` is expected to have type `expected`.
*/
pragma[noopt]
private predicate formattingFunctionCallExpectedType(FormattingFunctionCall ffc, int pos, Type expected) {
exists(FormattingFunction f, int i, FormatLiteral fl |
ffc instanceof FormattingFunctionCall and
ffc.getTarget() = f and
f.getFormatParameterIndex() = i and
ffc.getArgument(i) = fl and
fl.getConversionType(pos) = expected
)
private predicate formattingFunctionCallExpectedType(
FormattingFunctionCall ffc, int pos, Type expected
) {
exists(FormattingFunction f, int i, FormatLiteral fl |
ffc instanceof FormattingFunctionCall and
ffc.getTarget() = f and
f.getFormatParameterIndex() = i and
ffc.getArgument(i) = fl and
fl.getConversionType(pos) = expected
)
}
/**
@@ -50,7 +52,9 @@ predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr
* `expected` and the corresponding argument `arg` has type `actual`.
*/
pragma[noopt]
predicate formatOtherArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
predicate formatOtherArgType(
FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual
) {
exists(Expr argConverted |
(arg = ffc.getMinFieldWidthArgument(pos) or arg = ffc.getPrecisionArgument(pos)) and
argConverted = arg.getFullyConverted() and
@@ -63,14 +67,14 @@ predicate formatOtherArgType(FormattingFunctionCall ffc, int pos, Type expected,
* A type that may be expected by a printf format parameter, or that may
* be pointed to by such a type (e.g. `wchar_t`, from `wchar_t *`).
*/
class ExpectedType extends Type
{
class ExpectedType extends Type {
ExpectedType() {
exists(Type t |
exists(Type t |
(
formatArgType(_, _, t, _, _) or
formatOtherArgType(_, _, t, _, _)
) and this = t.getUnspecifiedType()
) and
this = t.getUnspecifiedType()
)
}
}
@@ -78,7 +82,7 @@ class ExpectedType extends Type
/**
* Holds if it is safe to display a value of type `actual` when `printf`
* expects a value of type `expected`.
*
*
* Note that variadic arguments undergo default argument promotions before
* they reach `printf`, notably `bool`, `char`, `short` and `enum` types
* are promoted to `int` (or `unsigned int`, as appropriate) and `float`s
@@ -89,69 +93,72 @@ predicate trivialConversion(ExpectedType expected, Type actual) {
formatArgType(_, _, exp, _, act) and
expected = exp.getUnspecifiedType() and
actual = act.getUnspecifiedType()
) and (
(
// allow a pointer type to be displayed with `%p`
expected instanceof VoidPointerType and actual instanceof PointerType
) or (
// allow a function pointer type to be displayed with `%p`
expected instanceof VoidPointerType and actual instanceof FunctionPointerType and expected.getSize() = actual.getSize()
) or (
// allow an `enum` type to be displayed with `%i`, `%c` etc
expected instanceof IntegralType and actual instanceof Enum
) or (
// allow any `char *` type to be displayed with `%s`
expected instanceof CharPointerType and actual instanceof CharPointerType
) or (
// allow `wchar_t *`, or any pointer to an integral type of the same size, to be displayed
// with `%ws`
expected.(PointerType).getBaseType().hasName("wchar_t") and
exists(Wchar_t t |
actual.getUnspecifiedType().(PointerType).getBaseType().(IntegralType).getSize() = t.getSize()
)
) or (
// allow an `int` (or anything promoted to `int`) to be displayed with `%c`
expected instanceof CharType and actual instanceof IntType
) or (
// allow an `int` (or anything promoted to `int`) to be displayed with `%wc`
expected instanceof Wchar_t and actual instanceof IntType
) or (
expected instanceof UnsignedCharType and actual instanceof IntType
) or (
// allow any integral type of the same size
// (this permits signedness changes)
expected.(IntegralType).getSize() = actual.(IntegralType).getSize()
) or (
// allow a pointer to any integral type of the same size
// (this permits signedness changes)
expected.(PointerType).getBaseType().(IntegralType).getSize() = actual.(PointerType).getBaseType().(IntegralType).getSize()
) or (
expected = actual
) and
(
// allow a pointer type to be displayed with `%p`
expected instanceof VoidPointerType and actual instanceof PointerType
or
// allow a function pointer type to be displayed with `%p`
expected instanceof VoidPointerType and
actual instanceof FunctionPointerType and
expected.getSize() = actual.getSize()
or
// allow an `enum` type to be displayed with `%i`, `%c` etc
expected instanceof IntegralType and actual instanceof Enum
or
// allow any `char *` type to be displayed with `%s`
expected instanceof CharPointerType and actual instanceof CharPointerType
or
// allow `wchar_t *`, or any pointer to an integral type of the same size, to be displayed
// with `%ws`
expected.(PointerType).getBaseType().hasName("wchar_t") and
exists(Wchar_t t |
actual.getUnspecifiedType().(PointerType).getBaseType().(IntegralType).getSize() = t.getSize()
)
or
// allow an `int` (or anything promoted to `int`) to be displayed with `%c`
expected instanceof CharType and actual instanceof IntType
or
// allow an `int` (or anything promoted to `int`) to be displayed with `%wc`
expected instanceof Wchar_t and actual instanceof IntType
or
expected instanceof UnsignedCharType and actual instanceof IntType
or
// allow any integral type of the same size
// (this permits signedness changes)
expected.(IntegralType).getSize() = actual.(IntegralType).getSize()
or
// allow a pointer to any integral type of the same size
// (this permits signedness changes)
expected.(PointerType).getBaseType().(IntegralType).getSize() = actual
.(PointerType)
.getBaseType()
.(IntegralType)
.getSize()
or
expected = actual
)
}
/**
* Gets the size of the `int` type.
*/
int sizeof_IntType() {
exists(IntType it | result = it.getSize())
}
int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
where (
(
formatArgType(ffc, n, expected, arg, actual) and
not exists(Type anyExpected |
formatArgType(ffc, n, anyExpected, arg, actual) and
trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
)
)
or
(
formatOtherArgType(ffc, n, expected, arg, actual) and
not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
)
)
and not arg.isAffectedByMacro()
select arg, "This argument should be of type '"+expected.getName()+"' but is of type '"+actual.getUnspecifiedType().getName() + "'"
where
(
formatArgType(ffc, n, expected, arg, actual) and
not exists(Type anyExpected |
formatArgType(ffc, n, anyExpected, arg, actual) and
trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
)
or
formatOtherArgType(ffc, n, expected, arg, actual) and
not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
) and
not arg.isAffectedByMacro() and
not arg.isFromUninstantiatedTemplate(_)
select arg,
"This argument should be of type '" + expected.getName() + "' but is of type '" +
actual.getUnspecifiedType().getName() + "'"

View File

@@ -11,6 +11,7 @@
* non-attributable
* external/cwe/cwe-252
*/
import cpp
predicate exclude(Function f) {
@@ -39,7 +40,7 @@ predicate checkExpr(Expr e, string operation, Variable v) {
predicate checkedFunctionCall(FunctionCall fc, string operation) {
relevantFunctionCall(fc, _) and
exists (Variable v, Expr check | v.getAnAssignedValue() = fc |
exists(Variable v, Expr check | v.getAnAssignedValue() = fc |
checkExpr(check, operation, v) and
check != fc
)
@@ -47,13 +48,11 @@ predicate checkedFunctionCall(FunctionCall fc, string operation) {
predicate relevantFunctionCall(FunctionCall fc, Function f) {
fc.getTarget() = f and
exists (Variable v | v.getAnAssignedValue() = fc) and
exists(Variable v | v.getAnAssignedValue() = fc) and
not okToIgnore(fc)
}
predicate okToIgnore(FunctionCall fc) {
fc.isInMacroExpansion()
}
predicate okToIgnore(FunctionCall fc) { fc.isInMacroExpansion() }
predicate functionStats(Function f, string operation, int used, int total, int percentage) {
exists(PointerType pt | pt.getATypeNameUse() = f.getADeclarationEntry()) and
@@ -67,7 +66,9 @@ where
relevantFunctionCall(unchecked, f) and
not checkedFunctionCall(unchecked, operation) and
functionStats(f, operation, _, _, percent) and
percent >= 70
and unchecked.getFile().getAbsolutePath().matches("%fbcode%")
and not unchecked.getFile().getAbsolutePath().matches("%\\_build%")
select unchecked, "After " + percent.toString() + "% of calls to " + f.getName() + " there is a call to " + operation + " on the return value. The call may be missing in this case."
percent >= 70 and
unchecked.getFile().getAbsolutePath().matches("%fbcode%") and
not unchecked.getFile().getAbsolutePath().matches("%\\_build%")
select unchecked,
"After " + percent.toString() + "% of calls to " + f.getName() + " there is a call to " +
operation + " on the return value. The call may be missing in this case."

View File

@@ -14,11 +14,10 @@
* non-attributable
* external/cwe/cwe-476
*/
import cpp
predicate assertMacro(Macro m) {
m.getHead().toLowerCase().matches("%assert%")
}
predicate assertMacro(Macro m) { m.getHead().toLowerCase().matches("%assert%") }
predicate assertInvocation(File f, int line) {
exists(MacroInvocation i, Location l | assertMacro(i.getMacro()) and l = i.getLocation() |
@@ -28,61 +27,92 @@ predicate assertInvocation(File f, int line) {
predicate nullCheckAssert(Expr e, Variable v, Declaration qualifier) {
nullCheckInCondition(e, v, qualifier) and
exists(File f, int i | e.getLocation().getStartLine() = i and e.getFile() = f and assertInvocation(f, i))
exists(File f, int i |
e.getLocation().getStartLine() = i and e.getFile() = f and assertInvocation(f, i)
)
}
VariableAccess qualifiedAccess(Variable v, Declaration qualifier) {
result = v.getAnAccess() and
(
result.getQualifier().(VariableAccess).getTarget() = qualifier
or exists(PointerDereferenceExpr e, VariableAccess va
| result.getQualifier() = e
| e.getOperand() = va and va.getTarget() = qualifier)
or (not exists(result.getQualifier()) and qualifier = result.getEnclosingFunction())
or (result.getQualifier() instanceof ThisExpr and qualifier = result.getEnclosingFunction())
result.getQualifier().(VariableAccess).getTarget() = qualifier
or
exists(PointerDereferenceExpr e, VariableAccess va | result.getQualifier() = e |
e.getOperand() = va and va.getTarget() = qualifier
)
or
not exists(result.getQualifier()) and qualifier = result.getEnclosingFunction()
or
result.getQualifier() instanceof ThisExpr and qualifier = result.getEnclosingFunction()
)
}
predicate nullCheckInCondition(Expr e, Variable v, Declaration qualifier) {
// if(v)
exists(FunctionCall fc | relevantFunctionCall(fc, _) and fc = assignedValueForVariableAndQualifier(v, qualifier) |
e = qualifiedAccess(v, qualifier)
)
or exists(AssignExpr a | a = e and a.getLValue() = qualifiedAccess(v, qualifier))
// if(v == NULL), if(v != NULL), if(NULL != v), if(NULL == v)
or exists(EqualityOperation eq | eq = e and nullCheckInCondition(eq.getAnOperand(), v, qualifier) and
eq.getAnOperand().getValue() = "0")
// if(v && something)
or exists(LogicalAndExpr exp | exp = e and nullCheckInCondition(exp.getAnOperand(), v, qualifier))
// if(v || something)
or exists(LogicalOrExpr exp | exp = e and nullCheckInCondition(exp.getAnOperand(), v, qualifier))
// if(!v)
or exists(NotExpr exp | exp = e and nullCheckInCondition(exp.getAnOperand(), v, qualifier))
or exists(FunctionCall c | c = e and nullCheckInCondition(c.getAnArgument(), v, qualifier) and
c.getTarget().getName() = "__builtin_expect")
or exists(ConditionDeclExpr d | d = e and nullCheckInCondition(d.getVariableAccess(), v, qualifier))
// if(v)
exists(FunctionCall fc |
relevantFunctionCall(fc, _) and fc = assignedValueForVariableAndQualifier(v, qualifier)
|
e = qualifiedAccess(v, qualifier)
)
or
exists(AssignExpr a | a = e and a.getLValue() = qualifiedAccess(v, qualifier))
or
// if(v == NULL), if(v != NULL), if(NULL != v), if(NULL == v)
exists(EqualityOperation eq |
eq = e and
nullCheckInCondition(eq.getAnOperand(), v, qualifier) and
eq.getAnOperand().getValue() = "0"
)
or
// if(v && something)
exists(LogicalAndExpr exp | exp = e and nullCheckInCondition(exp.getAnOperand(), v, qualifier))
or
// if(v || something)
exists(LogicalOrExpr exp | exp = e and nullCheckInCondition(exp.getAnOperand(), v, qualifier))
or
// if(!v)
exists(NotExpr exp | exp = e and nullCheckInCondition(exp.getAnOperand(), v, qualifier))
or
exists(FunctionCall c |
c = e and
nullCheckInCondition(c.getAnArgument(), v, qualifier) and
c.getTarget().getName() = "__builtin_expect"
)
or
exists(ConditionDeclExpr d | d = e and nullCheckInCondition(d.getVariableAccess(), v, qualifier))
}
predicate hasNullCheck(Function enclosing, Variable v, Declaration qualifier) {
exists(Expr exp | nullCheckInCondition(exp, v, qualifier) and exp.getEnclosingFunction() = enclosing |
exists(ControlStructure s | exp = s.getControllingExpr())
or exists(ConditionalExpr e | exp = e.getCondition())
or exists(ReturnStmt s | exp = s.getExpr() and not exp instanceof VariableAccess)
or exists(AssignExpr e | exp = e.getRValue() and not exp instanceof VariableAccess)
or exists(AggregateLiteral al | exp = al.getAChild() and not exp instanceof VariableAccess)
or exists(Variable other | exp = other.getInitializer().getExpr() and not exp instanceof VariableAccess)
exists(Expr exp |
nullCheckInCondition(exp, v, qualifier) and exp.getEnclosingFunction() = enclosing
|
exists(ControlStructure s | exp = s.getControllingExpr())
or
exists(ConditionalExpr e | exp = e.getCondition())
or
exists(ReturnStmt s | exp = s.getExpr() and not exp instanceof VariableAccess)
or
exists(AssignExpr e | exp = e.getRValue() and not exp instanceof VariableAccess)
or
exists(AggregateLiteral al | exp = al.getAChild() and not exp instanceof VariableAccess)
or
exists(Variable other |
exp = other.getInitializer().getExpr() and not exp instanceof VariableAccess
)
)
}
Expr assignedValueForVariableAndQualifier(Variable v, Declaration qualifier) {
(result = v.getInitializer().getExpr() and qualifier = result.getEnclosingFunction())
or exists(AssignExpr e | e.getLValue() = qualifiedAccess(v, qualifier) and result = e.getRValue())
result = v.getInitializer().getExpr() and qualifier = result.getEnclosingFunction()
or
exists(AssignExpr e | e.getLValue() = qualifiedAccess(v, qualifier) and result = e.getRValue())
}
predicate checkedFunctionCall(FunctionCall fc) {
relevantFunctionCall(fc, _) and
exists (Variable v, Declaration qualifier | fc = assignedValueForVariableAndQualifier(v, qualifier) |
exists(Variable v, Declaration qualifier |
fc = assignedValueForVariableAndQualifier(v, qualifier)
|
hasNullCheck(fc.getEnclosingFunction(), v, qualifier)
)
}
@@ -91,27 +121,33 @@ predicate uncheckedFunctionCall(FunctionCall fc) {
relevantFunctionCall(fc, _) and
not checkedFunctionCall(fc) and
not exists(File f, int line | f = fc.getFile() and line = fc.getLocation().getEndLine() |
assertInvocation(f, line+1) or assertInvocation(f, line)
assertInvocation(f, line + 1) or assertInvocation(f, line)
) and
not exists(Variable v, Declaration qualifier
| fc = assignedValueForVariableAndQualifier(v, qualifier)
| nullCheckAssert(_, v, qualifier)) and
not exists(ControlStructure s
| callResultNullCheckInCondition(s.getControllingExpr(), fc)) and
not exists(FunctionCall other, Variable v, Declaration qualifier, Expr arg
| fc = assignedValueForVariableAndQualifier(v, qualifier)
| arg = other.getAnArgument() and
nullCheckInCondition(arg, v, qualifier) and
not arg instanceof VariableAccess)
not exists(Variable v, Declaration qualifier |
fc = assignedValueForVariableAndQualifier(v, qualifier)
|
nullCheckAssert(_, v, qualifier)
) and
not exists(ControlStructure s | callResultNullCheckInCondition(s.getControllingExpr(), fc)) and
not exists(FunctionCall other, Variable v, Declaration qualifier, Expr arg |
fc = assignedValueForVariableAndQualifier(v, qualifier)
|
arg = other.getAnArgument() and
nullCheckInCondition(arg, v, qualifier) and
not arg instanceof VariableAccess
)
}
Declaration functionQualifier(FunctionCall fc) {
fc.getQualifier().(VariableAccess).getTarget() = result
or exists(PointerDereferenceExpr e, VariableAccess va
| fc.getQualifier() = e and e.getOperand() = va and va.getTarget() = result)
or (not exists(fc.getQualifier()) and result = fc.getEnclosingFunction())
or (fc.getQualifier() instanceof ThisExpr and result = fc.getEnclosingFunction())
fc.getQualifier().(VariableAccess).getTarget() = result
or
exists(PointerDereferenceExpr e, VariableAccess va |
fc.getQualifier() = e and e.getOperand() = va and va.getTarget() = result
)
or
not exists(fc.getQualifier()) and result = fc.getEnclosingFunction()
or
fc.getQualifier() instanceof ThisExpr and result = fc.getEnclosingFunction()
}
predicate callTargetAndEnclosing(FunctionCall fc, Function target, Function enclosing) {
@@ -123,28 +159,38 @@ predicate callArgumentVariable(FunctionCall fc, Variable v, int i) {
}
predicate callResultNullCheckInCondition(Expr e, FunctionCall fc) {
// if(v)
exists(FunctionCall other | e = other and
relevantFunctionCall(fc,_) and not checkedFunctionCall(fc)
and exists(Function called, Function enclosing |
callTargetAndEnclosing(fc, called, enclosing) and
callTargetAndEnclosing(other, called, enclosing)) and
forall(Variable v, int i | callArgumentVariable(fc, v, i) | callArgumentVariable(other, v, i)) and
(
functionQualifier(fc) = functionQualifier(other)
or
(not exists(functionQualifier(fc)) and not exists(functionQualifier(other)))
)
// if(v)
exists(FunctionCall other |
e = other and
relevantFunctionCall(fc, _) and
not checkedFunctionCall(fc) and
exists(Function called, Function enclosing |
callTargetAndEnclosing(fc, called, enclosing) and
callTargetAndEnclosing(other, called, enclosing)
) and
forall(Variable v, int i | callArgumentVariable(fc, v, i) | callArgumentVariable(other, v, i)) and
(
functionQualifier(fc) = functionQualifier(other)
or
not exists(functionQualifier(fc)) and not exists(functionQualifier(other))
)
// if(v == NULL), if(v != NULL), if(NULL != v), if(NULL == v)
or exists(EqualityOperation eq | eq = e and callResultNullCheckInCondition(eq.getAnOperand(), fc) and
eq.getAnOperand().getValue() = "0")
// if(v && something)
or exists(LogicalAndExpr exp | exp = e and callResultNullCheckInCondition(exp.getAnOperand(), fc))
// if(v || something)
or exists(LogicalOrExpr exp | exp = e and callResultNullCheckInCondition(exp.getAnOperand(), fc))
// if(!v)
or exists(NotExpr exp | exp = e and callResultNullCheckInCondition(exp.getAnOperand(), fc))
)
or
// if(v == NULL), if(v != NULL), if(NULL != v), if(NULL == v)
exists(EqualityOperation eq |
eq = e and
callResultNullCheckInCondition(eq.getAnOperand(), fc) and
eq.getAnOperand().getValue() = "0"
)
or
// if(v && something)
exists(LogicalAndExpr exp | exp = e and callResultNullCheckInCondition(exp.getAnOperand(), fc))
or
// if(v || something)
exists(LogicalOrExpr exp | exp = e and callResultNullCheckInCondition(exp.getAnOperand(), fc))
or
// if(!v)
exists(NotExpr exp | exp = e and callResultNullCheckInCondition(exp.getAnOperand(), fc))
}
predicate dereferenced(Variable v, Declaration qualifier, Function f) {
@@ -152,11 +198,13 @@ predicate dereferenced(Variable v, Declaration qualifier, Function f) {
e.getOperand() = qualifiedAccess(v, qualifier) and
e.getEnclosingFunction() = f and
not exists(SizeofExprOperator s | s.getExprOperand() = e)
) or
)
or
exists(FunctionCall c |
c.getQualifier() = qualifiedAccess(v, qualifier) and
c.getEnclosingFunction() = f
) or
)
or
exists(VariableAccess va |
va.getQualifier() = qualifiedAccess(v, qualifier) and
va.getEnclosingFunction() = f
@@ -165,15 +213,15 @@ predicate dereferenced(Variable v, Declaration qualifier, Function f) {
predicate relevantFunctionCall(FunctionCall fc, Function f) {
fc.getTarget() = f and
exists (Variable v, Declaration qualifier
| fc = assignedValueForVariableAndQualifier(v, qualifier)
| dereferenced(v, qualifier, fc.getEnclosingFunction())) and
exists(Variable v, Declaration qualifier |
fc = assignedValueForVariableAndQualifier(v, qualifier)
|
dereferenced(v, qualifier, fc.getEnclosingFunction())
) and
not okToIgnore(fc)
}
predicate okToIgnore(FunctionCall fc) {
fc.isInMacroExpansion()
}
predicate okToIgnore(FunctionCall fc) { fc.isInMacroExpansion() }
predicate functionStats(Function f, int percentage) {
exists(int used, int total |
@@ -190,4 +238,6 @@ where
uncheckedFunctionCall(unchecked) and
functionStats(f, percent) and
percent >= 70
select unchecked, "The result of this call to " + f.getName() + " is not checked for null, but " + percent + "% of calls to " + f.getName() + " check for null."
select unchecked,
"The result of this call to " + f.getName() + " is not checked for null, but " + percent +
"% of calls to " + f.getName() + " check for null."

View File

@@ -1,5 +1,5 @@
/**
* @name Hard-coded Japanese era start date
* @name Hard-coded Japanese era start date in call
* @description Japanese era changes can lead to code behaving differently. Avoid hard-coding Japanese era start dates.
* @kind problem
* @problem.severity warning
@@ -7,6 +7,9 @@
* @precision medium
* @tags reliability
* japanese-era
* @deprecated This query is deprecated, use
* Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`)
* instead.
*/
import cpp

View File

@@ -1,5 +1,5 @@
/**
* @name Hard-coded Japanese era start date
* @name Hard-coded Japanese era start date in struct
* @description Japanese era changes can lead to code behaving differently. Avoid hard-coding Japanese era start dates.
* @kind problem
* @problem.severity warning
@@ -7,13 +7,15 @@
* @precision medium
* @tags reliability
* japanese-era
* @deprecated This query is deprecated, use
* Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`)
* instead.
*/
import cpp
import semmle.code.cpp.commons.DateTime
predicate assignedYear(Struct s, YearFieldAccess year, int value)
{
predicate assignedYear(Struct s, YearFieldAccess year, int value) {
exists(Operation yearAssignment |
s.getAField().getAnAccess() = year and
yearAssignment.getAnOperand() = year and
@@ -21,8 +23,7 @@ predicate assignedYear(Struct s, YearFieldAccess year, int value)
)
}
predicate assignedMonth(Struct s, MonthFieldAccess month, int value)
{
predicate assignedMonth(Struct s, MonthFieldAccess month, int value) {
exists(Operation monthAssignment |
s.getAField().getAnAccess() = month and
monthAssignment.getAnOperand() = month and
@@ -30,8 +31,7 @@ predicate assignedMonth(Struct s, MonthFieldAccess month, int value)
)
}
predicate assignedDay(Struct s, DayFieldAccess day, int value)
{
predicate assignedDay(Struct s, DayFieldAccess day, int value) {
exists(Operation dayAssignment |
s.getAField().getAnAccess() = day and
dayAssignment.getAnOperand() = day and
@@ -39,8 +39,7 @@ predicate assignedDay(Struct s, DayFieldAccess day, int value)
)
}
from
StructLikeClass s, YearFieldAccess year, MonthFieldAccess month, DayFieldAccess day
from StructLikeClass s, YearFieldAccess year, MonthFieldAccess month, DayFieldAccess day
where
assignedYear(s, year, 1989) and
assignedMonth(s, month, 1) and

View File

@@ -1,6 +1,8 @@
/**
* @name Year field changed using an arithmetic operation is used on an unchecked time conversion function
* @description A year field changed using an arithmetic operation is used on a time conversion function, but the return value of the function is not checked for success or failure.
* @name Arithmetic operation assumes 365 days per year
* @description When an arithmetic operation modifies a date by a constant
* value of 365, it may be a sign that leap years are not taken
* into account.
* @kind problem
* @problem.severity warning
* @id cpp/leap-year/adding-365-days-per-year

Some files were not shown because too many files have changed in this diff Show More