Merge branch 'master' into master

Author: raulgarciamsft

.editorconfig

@@ -1,2 +1,2 @@
-[*.{ql,qll,qlref,dbscheme,qhelp}]
+[*.{ql,qll,qlref,dbscheme,qhelp,html,js,mjs,ts,json,yml}]
 end_of_line = lf

.gitattributes

@@ -15,3 +15,9 @@
 *.qlref eol=lf
 *.dbscheme eol=lf
 *.qhelp eol=lf
+*.html eol=lf
+*.js eol=lf
+*.mjs eol=lf
+*.ts eol=lf
+*.json eol=lf
+*.yml eol=lf

.gitignore

@@ -9,6 +9,6 @@
 */ql/test/**/*.testproj
 */ql/test/**/*.actual
 /.vs/slnx.sqlite
-/.vs/ql3/v15/Browse.VC.opendb
-/.vs/ql3/v15/Browse.VC.db
+/.vs/ql/v15/Browse.VC.opendb
+/.vs/ql/v15/Browse.VC.db
 /.vs/ProjectSettings.json

CODEOWNERS

@@ -1,2 +1,3 @@
 /csharp/ @Semmle/cs
+/java/ @Semmle/java
 /javascript/ @Semmle/js

change-notes/1.19/analysis-cpp.md

@@ -0,0 +1,20 @@
+# Improvements to C/C++ analysis
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| *@name of query (Query ID)* | *Tags*    |*Aim of the new query and whether it is enabled by default or not*  |
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| *@name of query (Query ID)*| *Impact on results*    | *How/why the query has changed*                                  |
+
+
+## Changes to QL libraries
+
+* Added a hash consing library for structural comparison of expressions.

change-notes/1.19/analysis-javascript.md

@@ -2,17 +2,25 @@
 
 ## General improvements
 
+* Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.
+
+* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
+  - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby)
+
+
 ## New queries
 
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-| *@name of query (Query ID)* | *Tags*    |*Aim of the new query and whether it is enabled by default or not*  |
+| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
+|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094  | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. |
+| Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
 
 ## Changes to existing queries
 
 | **Query**                      | **Expected impact**        | **Change**                                   |
 |--------------------------------|----------------------------|----------------------------------------------|
 | Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. |
-
+| Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. |
+| Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
 
 ## Changes to QL libraries

config/identical-files.json

@@ -54,5 +54,10 @@
     "C++ SSA SSAConstruction": [
         "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
         "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
+    ],
+    "C++ IR ValueNumber": [
+        "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
+        "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
+        "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
     ]
 }

cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql

@@ -29,7 +29,7 @@ from BufferAccess ba, string bufferDesc, int accessSize, int accessType,
 where accessSize = ba.getSize()
   and bufferSize = getBufferSize(ba.getBuffer(bufferDesc, accessType),
                                  bufferAlloc)
-  and accessSize > bufferSize
+  and (accessSize > bufferSize or (accessSize <= 0 and accessType = 3))
   and if accessType = 1 then (
         message = "This '" + ba.getName() + "' operation accesses "
                 + plural(accessSize, " byte", " bytes")
@@ -41,8 +41,13 @@ where accessSize = ba.getSize()
                 + " but the $@ is only "
                 + plural(bufferSize, " byte", " bytes") + "."
       ) else (
-        message = "This array indexing operation accesses byte offset "
-                + (accessSize - 1) + " but the $@ is only "
-                + plural(bufferSize, " byte", " bytes") + "."
+        if accessSize > 0 then (
+          message = "This array indexing operation accesses byte offset "
+                  + (accessSize - 1) + " but the $@ is only "
+                  + plural(bufferSize, " byte", " bytes") + "."
+        ) else (
+          message = "This array indexing operation accesses a negative index "
+                  + ((accessSize/ba.getActualType().getSize()) - 1) + " on the $@."
+        )
       )
 select ba, message, bufferAlloc, bufferDesc

cpp/ql/src/filters/ImportAdditionalLibraries.ql

@@ -14,6 +14,7 @@ import semmle.code.cpp.dataflow.DataFlow2
 import semmle.code.cpp.dataflow.DataFlow3
 import semmle.code.cpp.dataflow.DataFlow4
 import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.valuenumbering.HashCons
 
 from File f, string tag
 where none()

cpp/ql/src/semmle/code/cpp/ir/PrintIR.qll

@@ -0,0 +1 @@
+import implementation.aliased_ssa.PrintIR