Merge branch 'main' of github.com:github/codeql into MagicMethods

Author: yoff

change-notes/1.25/analysis-python.md

@@ -20,3 +20,4 @@ The following changes in version 1.25 affect Python analysis in all applications
 ## Changes to libraries
 
 * Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
+* Added support for tainted f-strings.

change-notes/1.26/analysis-cpp.md

@@ -14,10 +14,12 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
 | Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
 | Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
 
 ## Changes to libraries
 
-* The models library now models more taint flows through `std::string`.
+* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
+* The models library now models many more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
-  `e1 * e2` when `e1` and `e2` are unsigned.
+  `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

change-notes/1.26/analysis-csharp.md

@@ -0,0 +1,29 @@
+# Improvements to C# analysis
+
+The following changes in version 1.26 affect C# analysis in all applications.
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Removal of old queries
+
+## Changes to code extraction
+
+* Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
+
+## Changes to libraries
+
+## Changes to autobuilder
+
+## Changes to tooling support
+
+* The Abstract Syntax Tree of C# files can be printed in Visual Studio Code.

change-notes/1.26/analysis-javascript.md

@@ -14,6 +14,8 @@
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
 
+* Analyzing files with the ".cjs" extension is now supported.
+
 ## New queries
 
 | **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
@@ -24,7 +26,7 @@
 
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
 
 
 ## Changes to libraries
-

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -4,7 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
- * @precision high
+ * @precision medium
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability
  *       security

cpp/ql/src/experimental/semmle/code/cpp/models/interfaces/SimpleRangeAnalysisExpr.qll

@@ -0,0 +1,78 @@
+/**
+ * EXPERIMENTAL: The API of this module may change without notice.
+ *
+ * Provides a class for modeling `Expr`s with a restricted range.
+ */
+
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+/**
+ * EXPERIMENTAL: The API of this class may change without notice.
+ *
+ * An expression for which a range can be deduced. Extend this class to add
+ * functionality to the range analysis library.
+ */
+abstract class SimpleRangeAnalysisExpr extends Expr {
+  /**
+   * Gets the lower bound of the expression.
+   *
+   * Implementations of this predicate should use
+   * `getFullyConvertedLowerBounds` and `getFullyConvertedUpperBounds` for
+   * recursive calls to get the bounds of their children.
+   */
+  abstract float getLowerBounds();
+
+  /**
+   * Gets the upper bound of the expression.
+   *
+   * Implementations of this predicate should use
+   * `getFullyConvertedLowerBounds` and `getFullyConvertedUpperBounds` for
+   * recursive calls to get the bounds of their children.
+   */
+  abstract float getUpperBounds();
+
+  /**
+   * Holds if the range this expression depends on the definition `srcDef` for
+   * StackVariable `srcVar`.
+   *
+   * Because this predicate cannot be recursive, most implementations should
+   * override `dependsOnChild` instead.
+   */
+  predicate dependsOnDef(RangeSsaDefinition srcDef, StackVariable srcVar) { none() }
+
+  /**
+   * Holds if this expression depends on the range of its unconverted
+   * subexpression `child`. This information is used to inform the range
+   * analysis about cyclic dependencies. Without this information, range
+   * analysis might work for simple cases but will go into infinite loops on
+   * complex code.
+   *
+   * For example, when modeling a function call whose return value depends on
+   * all of its arguments, implement this predicate as
+   * `child = this.getAnArgument()`.
+   */
+  abstract predicate dependsOnChild(Expr child);
+}
+
+import SimpleRangeAnalysisInternal
+
+/**
+ * This class exists to prevent the QL front end from emitting compile errors
+ * inside `SimpleRangeAnalysis.qll` about certain conjuncts being empty
+ * because the overrides of `SimpleRangeAnalysisExpr` that happen to be in
+ * scope do not make use of every feature it offers.
+ */
+private class Empty extends SimpleRangeAnalysisExpr {
+  Empty() {
+    // This predicate is complicated enough that the QL type checker doesn't
+    // see it as empty but simple enough that the optimizer should.
+    this = this and none()
+  }
+
+  override float getLowerBounds() { none() }
+
+  override float getUpperBounds() { none() }
+
+  override predicate dependsOnChild(Expr child) { none() }
+}