github
diff --git a/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 3 additions & 2 deletions b/‎change-notes/1.26/analysis-cpp.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/exprs/Expr.qll‎
Lines changed: 11 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/exprs/Expr.qll‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/models/Models.qll‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/models/Models.qll‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll‎
Lines changed: 102 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll‎
Lines changed: 82 additions & 4 deletions b/‎cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll‎
Lines changed: 82 additions & 4 deletions
@@ -19,6 +19,7 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 ## Changes to libraries
 
-* The models library now models more taint flows through `std::string`.
+* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+* The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
-  `e1 * e2` when `e1` and `e2` are unsigned.
+  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
@@ -14,6 +14,8 @@
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
 
+* Analyzing files with the ".cjs" extension is now supported.
+
 ## New queries
 
 | **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 
@@ -539,6 +539,17 @@ class BinaryOperation extends Operation, @bin_op_expr {
   /** Gets the right operand of this binary operation. */
   Expr getRightOperand() { this.hasChild(result, 1) }
 
+  /**
+   * Holds if `e1` and `e2` (in either order) are the two operands of this
+   * binary operation.
+   */
+  predicate hasOperands(Expr e1, Expr e2) {
+    exists(int i | i in [0, 1] |
+      this.hasChild(e1, i) and
+      this.hasChild(e2, 1 - i)
+    )
+  }
+
   override string toString() { result = "... " + this.getOperator() + " ..." }
 
   override predicate mayBeImpure() {
 
@@ -13,6 +13,7 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.StdContainer
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
@@ -0,0 +1,102 @@
+/**
+ * Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * Additional model for standard container constructors that reference the
+ * value type of the container (that is, the `T` in `std::vector<T>`).  For
+ * example the fill constructor:
+ * ```
+ * std::vector<std::string> v(100, potentially_tainted_string);
+ * ```
+ */
+class StdSequenceContainerConstructor extends Constructor, TaintFunction {
+  StdSequenceContainerConstructor() {
+    this.getDeclaringType().hasQualifiedName("std", "vector") or
+    this.getDeclaringType().hasQualifiedName("std", "deque") or
+    this.getDeclaringType().hasQualifiedName("std", "list") or
+    this.getDeclaringType().hasQualifiedName("std", "forward_list")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of the value type to the returned object
+    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
+
+/**
+ * The standard container functions `push_back` and `push_front`.
+ */
+class StdSequenceContainerPush extends TaintFunction {
+  StdSequenceContainerPush() {
+    this.hasQualifiedName("std", "vector", "push_back") or
+    this.hasQualifiedName("std", "deque", "push_back") or
+    this.hasQualifiedName("std", "deque", "push_front") or
+    this.hasQualifiedName("std", "list", "push_back") or
+    this.hasQualifiedName("std", "list", "push_front") or
+    this.hasQualifiedName("std", "forward_list", "push_front")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
+
+/**
+ * The standard container functions `front` and `back`.
+ */
+class StdSequenceContainerFrontBack extends TaintFunction {
+  StdSequenceContainerFrontBack() {
+    this.hasQualifiedName("std", "array", "front") or
+    this.hasQualifiedName("std", "array", "back") or
+    this.hasQualifiedName("std", "vector", "front") or
+    this.hasQualifiedName("std", "vector", "back") or
+    this.hasQualifiedName("std", "deque", "front") or
+    this.hasQualifiedName("std", "deque", "back") or
+    this.hasQualifiedName("std", "list", "front") or
+    this.hasQualifiedName("std", "list", "back") or
+    this.hasQualifiedName("std", "forward_list", "front")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from object to returned reference
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+}
+
+/**
+ * The standard container `swap` functions.
+ */
+class StdSequenceContainerSwap extends TaintFunction {
+  StdSequenceContainerSwap() {
+    this.hasQualifiedName("std", "array", "swap") or
+    this.hasQualifiedName("std", "vector", "swap") or
+    this.hasQualifiedName("std", "deque", "swap") or
+    this.hasQualifiedName("std", "list", "swap") or
+    this.hasQualifiedName("std", "forward_list", "swap")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // container1.swap(container2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}
@@ -8,10 +8,13 @@ class StdBasicString extends TemplateClass {
 }
 
 /**
- * The standard function `std::string.c_str`.
+ * The `std::string` functions `c_str` and  `data`.
  */
 class StdStringCStr extends TaintFunction {
-  StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }
+  StdStringCStr() {
+    this.hasQualifiedName("std", "basic_string", "c_str") or
+    this.hasQualifiedName("std", "basic_string", "data")
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
@@ -40,12 +43,16 @@ class StdStringPlus extends TaintFunction {
 }
 
 /**
- * The `std::string` functions `operator+=` and `append`.
+ * The `std::string` functions `operator+=`, `append`, `insert` and
+ * `replace`. All of these functions combine the existing string
+ * with a new string (or character) from one of the arguments.
  */
 class StdStringAppend extends TaintFunction {
   StdStringAppend() {
     this.hasQualifiedName("std", "basic_string", "operator+=") or
-    this.hasQualifiedName("std", "basic_string", "append")
+    this.hasQualifiedName("std", "basic_string", "append") or
+    this.hasQualifiedName("std", "basic_string", "insert") or
+    this.hasQualifiedName("std", "basic_string", "replace")
   }
 
   /**
@@ -58,6 +65,35 @@ class StdStringAppend extends TaintFunction {
     getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
   }
 
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from string and parameter to string (qualifier) and return value
+    (
+      input.isQualifierObject() or
+      input.isParameterDeref(getAStringParameter())
+    ) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValueDeref()
+    )
+  }
+}
+
+/**
+ * The standard function `std::string.assign`.
+ */
+class StdStringAssign extends TaintFunction {
+  StdStringAssign() { this.hasQualifiedName("std", "basic_string", "assign") }
+
+  /**
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
+   */
+  int getAStringParameter() {
+    getParameter(result).getType() instanceof PointerType or
+    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+  }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to string itself (qualifier) and return value
     input.isParameterDeref(getAStringParameter()) and
@@ -67,3 +103,45 @@ class StdStringAppend extends TaintFunction {
     )
   }
 }
+
+/**
+ * The standard function `std::string.copy`.
+ */
+class StdStringCopy extends TaintFunction {
+  StdStringCopy() { this.hasQualifiedName("std", "basic_string", "copy") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // copy(dest, num, pos)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+  }
+}
+
+/**
+ * The standard function `std::string.substr`.
+ */
+class StdStringSubstr extends TaintFunction {
+  StdStringSubstr() { this.hasQualifiedName("std", "basic_string", "substr") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // substr(pos, num)
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The standard function `std::string.swap`.
+ */
+class StdStringSwap extends TaintFunction {
+  StdStringSwap() { this.hasQualifiedName("std", "basic_string", "swap") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // str1.swap(str2)
+    input.isQualifierObject() and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}