
Commit 65a1769

Merge branch 'main' into asyncCalls
2 parents e1ecc46 + a93a84f commit 65a1769


319 files changed

+22965
-3238
lines changed


change-notes/1.26/analysis-cpp.md

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
# Improvements to C/C++ analysis
2+
3+
The following changes in version 1.26 affect C/C++ analysis in all applications.
4+
5+
## General improvements
6+
7+
## New queries
8+
9+
| **Query** | **Tags** | **Purpose** |
10+
|-----------------------------|-----------|--------------------------------------------------------------------|
11+
12+
## Changes to existing queries
13+
14+
| **Query** | **Expected impact** | **Change** |
15+
|----------------------------|------------------------|------------------------------------------------------------------|
16+
| Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
17+
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
18+
| Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
19+
20+
## Changes to libraries
21+
22+
* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
23+
* The models library now models many more taint flows through `std::string`.
24+
* The `SimpleRangeAnalysis` library now supports multiplications of the form
25+
`e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
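Review bot: the `## New queries` table is shipped with a header row and no entries, yet this same commit adds `Scanf function without a specified length` (`cpp/memory-unsafe-function-scan`, tagged `reliability`, `security`, `external/cwe/cwe-120`); add a row for it so users of 1.26 can find the new alert. The `Expected impact` cell for `Overflow in uncontrolled allocation size (cpp/uncontrolled-allocation-size)` is blank; state it (results are no longer shown on LGTM by default, as the `Change` column already says) and give the reason the precision was lowered, otherwise the row reads as unfinished. `## General improvements` has no content under it and can be dropped rather than left as an empty heading.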
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
# Improvements to C# analysis
2+
3+
The following changes in version 1.26 affect C# analysis in all applications.
4+
5+
## New queries
6+
7+
| **Query** | **Tags** | **Purpose** |
8+
|-----------------------------|-----------|--------------------------------------------------------------------|
9+
10+
11+
## Changes to existing queries
12+
13+
| **Query** | **Expected impact** | **Change** |
14+
|------------------------------|------------------------|-----------------------------------|
15+
16+
17+
## Removal of old queries
18+
19+
## Changes to code extraction
20+
21+
* Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
22+
23+
## Changes to libraries
24+
25+
## Changes to autobuilder
26+
27+
## Changes to tooling support
28+
29+
* The Abstract Syntax Tree of C# files can be printed in Visual Studio Code.
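Review bot: apart from `## Changes to code extraction` and `## Changes to tooling support`, every section in this file is either an empty heading (`## Removal of old queries`, `## Changes to libraries`, `## Changes to autobuilder`) or a header-only table (`## New queries`, `## Changes to existing queries`). Either fill them in or remove them; a table with a header row and no rows looks like a lost entry rather than "nothing to report". If the template requires the headings, a one-line `No changes.` under each is clearer than blank space.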
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
# Improvements to JavaScript analysis
2+
3+
## General improvements
4+
5+
* Support for the following frameworks and libraries has been improved:
6+
- [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
7+
- [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
8+
- [javascript-stringify](https://www.npmjs.com/package/javascript-stringify)
9+
- [js-stringify](https://www.npmjs.com/package/js-stringify)
10+
- [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
11+
- [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
12+
- [json3](https://www.npmjs.com/package/json3)
13+
- [object-inspect](https://www.npmjs.com/package/object-inspect)
14+
- [pretty-format](https://www.npmjs.com/package/pretty-format)
15+
- [stringify-object](https://www.npmjs.com/package/stringify-object)
16+
17+
* Analyzing files with the ".cjs" extension is now supported.
18+
19+
## New queries
20+
21+
| **Query** | **Tags** | **Purpose** |
22+
|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
23+
24+
25+
## Changes to existing queries
26+
27+
| **Query** | **Expected impact** | **Change** |
28+
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
29+
| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
30+
31+
32+
## Changes to libraries
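Review bot: this file is missing the version line that the C/C++ and C# notes carry after their title (`The following changes in version 1.26 affect ... analysis in all applications.`); add the JavaScript equivalent so the three notes are consistent. The closing `## Changes to libraries` heading has nothing under it and the `## New queries` table is header-only; drop or fill them. In the `js/incomplete-url-substring-sanitization` row, `recognizes additional URLs when the substring check is an inclusion check` does not tell a user which call shapes are newly handled; name them so people can predict which new results they will see.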

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql

Lines changed: 6 additions & 1 deletion
@@ -50,7 +50,12 @@ predicate illDefinedDecrForStmt(
5050
DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
5151
// `initialCondition` < `terminalCondition`
5252
(
53-
upperBound(initialCondition) < lowerBound(terminalCondition)
53+
upperBound(initialCondition) < lowerBound(terminalCondition) and
54+
(
55+
// exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
56+
v.getUnspecifiedType().(IntegralType).isSigned() or
57+
initialCondition.getValue().toInt() = 0
58+
)
5459
or
5560
(forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
5661
)
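Review bot: the new comment `exclude cases where the loop counter is unsigned (where wrapping behaviour can be used deliberately)` does not describe the condition under it, which still reports an unsigned counter when `initialCondition.getValue().toInt() = 0`; reword it to "unsigned counters are excluded unless they start at the constant 0". Two side effects are worth stating in that comment as well: `getValue()` only holds for constant expressions, so an unsigned counter initialised from a variable is now always excluded, and a counter whose `getUnspecifiedType()` is not an `IntegralType` fails the `isSigned()` cast and is silently dropped too. If the second is not intended, `not v.getUnspecifiedType().(IntegralType).isUnsigned()` keeps the previous behaviour for non-integral counters while still excluding unsigned ones.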

cpp/ql/src/Metrics/Files/FNumberOfTests.ql

Lines changed: 3 additions & 0 deletions
@@ -18,6 +18,9 @@ Expr getTest() {
1818
or
1919
// boost tests; http://www.boost.org/
2020
result.(FunctionCall).getTarget().hasQualifiedName("boost::unit_test", "make_test_case")
21+
or
22+
// googletest tests; https://github.com/google/googletest/
23+
result.(FunctionCall).getTarget().hasQualifiedName("testing::internal", "MakeAndRegisterTestInfo")
2124
}
2225

2326
from File f, int n
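Review bot: `testing::internal::MakeAndRegisterTestInfo` is, as its namespace says, an internal googletest symbol that the `TEST`/`TEST_F` macros expand to, so this match depends on the macro expansion of whatever googletest version is in the snapshot rather than on a public API; say so in the comment so the next person does not assume every googletest test is counted, and consider matching on the `TEST`/`TEST_F` macro invocations themselves if a version-independent count is wanted.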

cpp/ql/src/Microsoft/SAL.qll

Lines changed: 42 additions & 20 deletions
@@ -1,5 +1,13 @@
1+
/**
2+
* Provides classes for identifying and reasoning about Microsoft source code
3+
* annotation language (SAL) macros.
4+
*/
5+
16
import cpp
27

8+
/**
9+
* A SAL macro defined in `sal.h` or a similar header file.
10+
*/
311
class SALMacro extends Macro {
412
SALMacro() {
513
exists(string filename | filename = this.getFile().getBaseName() |
@@ -20,27 +28,34 @@ class SALMacro extends Macro {
2028
}
2129

2230
pragma[noinline]
23-
predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
31+
private predicate isTopLevelMacroAccess(MacroAccess ma) { not exists(ma.getParentInvocation()) }
2432

33+
/**
34+
* An invocation of a SAL macro (excluding invocations inside other macros).
35+
*/
2536
class SALAnnotation extends MacroInvocation {
2637
SALAnnotation() {
2738
this.getMacro() instanceof SALMacro and
2839
isTopLevelMacroAccess(this)
2940
}
3041

31-
/** Returns the `Declaration` annotated by `this`. */
42+
/** Gets the `Declaration` annotated by `this`. */
3243
Declaration getDeclaration() {
3344
annotatesAt(this, result.getADeclarationEntry(), _, _) and
3445
not result instanceof Type // exclude typedefs
3546
}
3647

37-
/** Returns the `DeclarationEntry` annotated by `this`. */
48+
/** Gets the `DeclarationEntry` annotated by `this`. */
3849
DeclarationEntry getDeclarationEntry() {
3950
annotatesAt(this, result, _, _) and
4051
not result instanceof TypeDeclarationEntry // exclude typedefs
4152
}
4253
}
4354

55+
/**
56+
* A SAL macro indicating that the return value of a function should always be
57+
* checked.
58+
*/
4459
class SALCheckReturn extends SALAnnotation {
4560
SALCheckReturn() {
4661
exists(SALMacro m | m = this.getMacro() |
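Review bot: `isTopLevelMacroAccess` becomes `private` here, and `annotatesAt` does the same further down; both were public members of `SAL.qll` before, so any custom query that imported the library and called them breaks. Nothing under `Changes to libraries` in the 1.26 C/C++ change notes records this. Either keep them public or add a change-note line saying they are now internal and that `SALAnnotation.getDeclaration()`/`getDeclarationEntry()` are the supported way to reach the same information. The `Returns` to `Gets` doc-comment edits are the right QL style for functional predicates.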
@@ -50,6 +65,10 @@ class SALCheckReturn extends SALAnnotation {
5065
}
5166
}
5267

68+
/**
69+
* A SAL macro indicating that a pointer variable or return value should not be
70+
* `NULL`.
71+
*/
5372
class SALNotNull extends SALAnnotation {
5473
SALNotNull() {
5574
exists(SALMacro m | m = this.getMacro() |
@@ -69,6 +88,9 @@ class SALNotNull extends SALAnnotation {
6988
}
7089
}
7190

91+
/**
92+
* A SAL macro indicating that a value may be `NULL`.
93+
*/
7294
class SALMaybeNull extends SALAnnotation {
7395
SALMaybeNull() {
7496
exists(SALMacro m | m = this.getMacro() |
@@ -79,13 +101,29 @@ class SALMaybeNull extends SALAnnotation {
79101
}
80102
}
81103

104+
/**
105+
* A parameter annotated by one or more SAL annotations.
106+
*/
107+
class SALParameter extends Parameter {
108+
/** One of this parameter's annotations. */
109+
SALAnnotation a;
110+
111+
SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
112+
113+
predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
114+
115+
predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
116+
117+
predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
118+
}
119+
82120
///////////////////////////////////////////////////////////////////////////////
83121
// Implementation details
84122
/**
85123
* Holds if `a` annotates the declaration entry `d` and
86124
* its start position is the `idx`th position in `file` that holds a SAL element.
87125
*/
88-
predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
126+
private predicate annotatesAt(SALAnnotation a, DeclarationEntry d, File file, int idx) {
89127
annotatesAtPosition(a.(SALElement).getStartPosition(), d, file, idx)
90128
}
91129

@@ -109,22 +147,6 @@ private predicate annotatesAtPosition(SALPosition pos, DeclarationEntry d, File
109147
)
110148
}
111149

112-
/**
113-
* A parameter annotated by one or more SAL annotations.
114-
*/
115-
class SALParameter extends Parameter {
116-
/** One of this parameter's annotations. */
117-
SALAnnotation a;
118-
119-
SALParameter() { annotatesAt(a, this.getADeclarationEntry(), _, _) }
120-
121-
predicate isIn() { a.getMacroName().toLowerCase().matches("%\\_in%") }
122-
123-
predicate isOut() { a.getMacroName().toLowerCase().matches("%\\_out%") }
124-
125-
predicate isInOut() { a.getMacroName().toLowerCase().matches("%\\_inout%") }
126-
}
127-
128150
/**
129151
* A SAL element, that is, a SAL annotation or a declaration entry
130152
* that may have SAL annotations.
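Review bot: this removed block is textually identical to the `SALParameter` class re-added above the `Implementation details` banner, so the pair is a pure move; splitting moves from the behavioural change in this file (the two predicates turned `private`) into separate commits would make the diff reviewable at a glance and keep blame history on the class.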

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@
44
* user can result in integer overflow.
55
* @kind path-problem
66
* @problem.severity error
7-
* @precision high
7+
* @precision medium
88
* @id cpp/uncontrolled-allocation-size
99
* @tags reliability
1010
* security
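Review bot: lowering `@precision` from `high` to `medium` while `@problem.severity` stays `error` leaves the results at the highest severity but hidden on LGTM by default (as the change note describes), and the commit gives no reason for the downgrade. Record the motivation (the false-positive pattern that prompted it) in the commit message or the change note, so the precision can be raised again once that cause is fixed; otherwise `medium` next to `error` will read as an oversight to the next person touching this query.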
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
///// Library routines /////
2+
3+
int scanf(const char *format, ...);
4+
int sscanf(const char *str, const char *format, ...);
5+
int fscanf(const char *str, const char *format, ...);
6+
7+
///// EXAMPLES /////
8+
9+
int main(int argc, char **argv)
10+
{
11+
12+
// BAD, do not use scanf without specifying a length first
13+
char buf1[10];
14+
scanf("%s", buf1);
15+
16+
// GOOD, length is specified. The length should be one less than the size of the buffer, since the last character is the NULL terminator.
17+
char buf2[10];
18+
sscanf(buf2, "%9s");
19+
20+
// BAD, do not use scanf without specifying a length first
21+
char file[10];
22+
fscanf(file, "%s", buf2);
23+
24+
return 0;
25+
}
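Review bot: the `GOOD` example is not a correct call: `sscanf(buf2, "%9s");` reads from `buf2`, which is uninitialised, and supplies no destination argument for `%9s`, so it is undefined behaviour rather than the safe pattern the qhelp promises (the varargs stub means the compiler will not catch it). It should be `scanf("%9s", buf2);`, or `sscanf(input, "%9s", buf2);` with an actual input string. The `fscanf` example has the same shape problem: `fscanf` takes a `FILE *` first, but the stub declares `const char *str` and the example passes `char file[10]`; declare `FILE` (an opaque struct stub is enough in a test file) and pass a `FILE *`. Minor: the terminator is the NUL character, not `NULL` (the null pointer constant); the width `9` for a 10-byte buffer is right and the comment explaining it is accurate.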
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>It is bad practice to use any of the <code>scanf</code> functions without including a specified length within the format parameter, as it will be vulnerable to buffer overflows.</p>
7+
8+
</overview>
9+
10+
<recommendation>
11+
12+
<p>Specify a length within the format string parameter, and make this length one less than the size of the buffer, since the last character should be reserved for the NULL terminator.</p>
13+
14+
</recommendation>
15+
16+
<example>
17+
<p>The following example demonstrates safe and unsafe uses of <code>scanf</code> type functions.</p>
18+
<sample src="MemoryUnsafeFunctionScan.cpp" />
19+
20+
</example>
21+
22+
<references>
23+
</references>
24+
25+
</qhelp>
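Review bot: the overview says any `scanf`-family call without a length in the format is vulnerable to buffer overflow, but only conversions that write an unbounded string (`%s`, and `%[...]` scansets) can overrun; `%d`, `%u`, `%c` and friends write fixed-size objects. Since the query itself only flags `%s`/`%ls` (`regexpMatch(".*%l?s.*")`), narrow the overview and the recommendation to string conversions so the help text matches what is reported. `NULL terminator` should be `null (NUL) terminator`; `NULL` is the pointer constant. `<references>` is empty although the query is tagged `external/cwe/cwe-120`; add the CWE-120 entry and a reference for the `scanf` field-width syntax.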
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
/**
2+
* @name Scanf function without a specified length
3+
* @description Use of one of the scanf functions without a specified length.
4+
* @kind problem
5+
* @problem.severity warning
6+
* @id cpp/memory-unsafe-function-scan
7+
* @tags reliability
8+
* security
9+
* external/cwe/cwe-120
10+
*/
11+
12+
import cpp
13+
import semmle.code.cpp.commons.Scanf
14+
15+
from FunctionCall call, ScanfFunction sff
16+
where
17+
call.getTarget() = sff and
18+
call.getArgument(sff.getFormatParameterIndex()).getValue().regexpMatch(".*%l?s.*")
19+
select call, "Dangerous use of one of the scanf functions"
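Review bot: `regexpMatch(".*%l?s.*")` has one false positive and one gap worth closing before this ships. False positive: `%%s` (an escaped percent followed by a literal `s`) matches the regex but writes nothing. Gap: `%[...]` scansets are as unbounded as `%s` and are not matched. Something like `"(.*[^%])?(%%)*%l?[s\\[].*"` handles both (it skips `%%` pairs and accepts `s` or `[` as the conversion) while still leaving `%9s` and `%*s` unflagged as now. Two smaller points: `getValue()` only holds for compile-time-constant formats, so formats built at runtime are never examined, which deserves a comment; and unlike the other queries in the tree (`TaintedAllocationSize.ql` carries `@precision medium`) this one has no `@precision` tag, so add one. The alert message could also name the callee, e.g. `"Call to " + sff.getName() + " uses %s without a field width."`, which is more actionable than `Dangerous use of one of the scanf functions`.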
