Merge branch 'main' into mathiasvp/read-step-without-memory-operands

Author: MathiasVP

change-notes/1.25/analysis-javascript.md

@@ -30,7 +30,7 @@
   - [yargs](https://www.npmjs.com/package/yargs)
   - [webpack-dev-server](https://www.npmjs.com/package/webpack-dev-server)
 
-* TypeScript 3.9 is now supported.
+* TypeScript 4.0 is now supported.
 
 * TypeScript code embedded in HTML and Vue files is now extracted and analyzed.
 

change-notes/1.25/analysis-python.md

@@ -20,4 +20,3 @@ The following changes in version 1.25 affect Python analysis in all applications
 ## Changes to libraries
 
 * Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
-* Added support for tainted f-strings.

change-notes/1.26/analysis-csharp.md

@@ -19,6 +19,8 @@ The following changes in version 1.26 affect C# analysis in all applications.
 ## Changes to code extraction
 
 * Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
+* Inferring the lengths of implicitely sized arrays is fixed. Previously, multidimensional arrays were always extracted with the same length for
+each dimension. With the fix, the array sizes `2` and `1` are extracted for `new int[,]{{1},{2}}`. Previously `2` and `2` were extracted.
 
 ## Changes to libraries
 

change-notes/1.26/analysis-javascript.md

@@ -27,6 +27,7 @@
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
 | Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
+| Ambiguous HTML id attribute (`js/duplicate-html-id`) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
 
 
 ## Changes to libraries

change-notes/1.26/analysis-python.md

@@ -0,0 +1,22 @@
+# Improvements to Python analysis
+
+The following changes in version 1.26 affect Python analysis in all applications.
+
+## General improvements
+
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+
+
+## Changes to libraries
+
+* Added taint tracking support for string formatting through f-strings.

config/identical-files.json

@@ -325,6 +325,10 @@
     "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
+  "Inline Test Expectations": [
+    "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
+  ],
   "XML": [
     "cpp/ql/src/semmle/code/cpp/XML.qll",
     "csharp/ql/src/semmle/code/csharp/XML.qll",

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.cpp

@@ -0,0 +1,11 @@
+void test(char *arg1, int *arg2) {
+    if (arg1[0] == 'A') {
+        if (arg2 != NULL) { //maybe redundant
+            *arg2 = 42;
+        }
+    }
+    if (arg1[1] == 'B')
+    {
+        *arg2 = 54; //dereferenced without checking first
+    }
+}

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>This rule finds comparisons of a function parameter to null that occur when in another path the parameter is dereferenced without a guard check.  It's
+likely either the check is not required and can be removed, or it should be added before the dereference
+so that a null pointer dereference does not occur.</p>
+</overview>
+
+<recommendation>
+<p>A check should be added to before the dereference, in a way that prevents a null pointer value from
+being dereferenced.  If it's clear that the pointer cannot be null, consider removing the check instead.</p>
+</recommendation>
+
+<example>
+<sample src="RedundantNullCheckParam.cpp" />
+</example>
+
+<references>
+<li>
+  <a href="https://www.owasp.org/index.php/Null_Dereference">
+    Null Dereference
+  </a> 
+</li>
+</references>
+
+</qhelp>

cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql

@@ -0,0 +1,56 @@
+/**
+ * @name Redundant null check or missing null check of parameter
+ * @description Checking a parameter for nullness in one path,
+ *              and not in another is likely to be a sign that either
+ *              the check can be removed, or added in the other case.
+ * @kind problem
+ * @id cpp/redundant-null-check-param
+ * @problem.severity recommendation
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-476
+ */
+
+import cpp
+
+predicate blockDominates(Block check, Block access) {
+  check.getLocation().getStartLine() <= access.getLocation().getStartLine() and
+  check.getLocation().getEndLine() >= access.getLocation().getEndLine()
+}
+
+predicate isCheckedInstruction(VariableAccess unchecked, VariableAccess checked) {
+  checked = any(VariableAccess va | va.getTarget() = unchecked.getTarget()) and
+  //Simple test if the first access in this code path is dereferenced
+  not dereferenced(checked) and
+  blockDominates(checked.getEnclosingBlock(), unchecked.getEnclosingBlock())
+}
+
+predicate candidateResultUnchecked(VariableAccess unchecked) {
+  not isCheckedInstruction(unchecked, _)
+}
+
+predicate candidateResultChecked(VariableAccess check, EqualityOperation eqop) {
+  //not dereferenced to check against pointer, not its pointed value
+  not dereferenced(check) and
+  //assert macros are not taken into account
+  not check.isInMacroExpansion() and
+  // is part of a comparison against some constant NULL
+  eqop.getAnOperand() = check and
+  eqop.getAnOperand() instanceof NullValue
+}
+
+from VariableAccess unchecked, VariableAccess check, EqualityOperation eqop, Parameter param
+where
+  // a dereference
+  dereferenced(unchecked) and
+  // for a function parameter
+  unchecked.getTarget() = param and
+  // this function parameter is not overwritten
+  count(param.getAnAssignment()) = 0 and
+  check.getTarget() = param and
+  // which is once checked
+  candidateResultChecked(check, eqop) and
+  // and which has not been checked before in this code path
+  candidateResultUnchecked(unchecked)
+select check, "This null check is redundant or there is a missing null check before $@ ", unchecked,
+  "where dereferencing happens"

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -123,8 +123,18 @@ module Consistency {
     n.getEnclosingCallable() != call.getEnclosingCallable()
   }
 
+  // This predicate helps the compiler forget that in some languages
+  // it is impossible for a result of `getPreUpdateNode` to be an
+  // instance of `PostUpdateNode`.
+  private Node getPre(PostUpdateNode n) {
+    result = n.getPreUpdateNode()
+    or
+    none()
+  }
+
   query predicate postIsNotPre(PostUpdateNode n, string msg) {
-    n.getPreUpdateNode() = n and msg = "PostUpdateNode should not equal its pre-update node."
+    getPre(n) = n and
+    msg = "PostUpdateNode should not equal its pre-update node."
   }
 
   query predicate postHasUniquePre(PostUpdateNode n, string msg) {
@@ -152,12 +162,6 @@ module Consistency {
     msg = "Origin of readStep is missing a PostUpdateNode."
   }
 
-  query predicate storeIsPostUpdate(Node n, string msg) {
-    storeStep(_, _, n) and
-    not n instanceof PostUpdateNode and
-    msg = "Store targets should be PostUpdateNodes."
-  }
-
   query predicate argHasPostUpdate(ArgumentNode n, string msg) {
     not hasPost(n) and
     not isImmutableOrUnobservable(n) and