Commit 7112aa2

Merge branch 'main' into python-add-typetracker
2 parents cec3694 + e7322d1 commit 7112aa2

708 files changed: +33214 -5768 lines

.codeqlmanifest.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
{ "provide": [ "*/ql/src/qlpack.yml",
22
"*/ql/test/qlpack.yml",
3+
"*/ql/examples/qlpack.yml",
34
"*/upgrades/qlpack.yml",
45
"misc/legacy-support/*/qlpack.yml",
56
"misc/suite-helpers/qlpack.yml" ] }
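Review bot: the new `"*/ql/examples/qlpack.yml"` entry only takes effect for language directories that actually contain an `examples/qlpack.yml`; the only one visible in this commit is `cpp/ql/examples/qlpack.yml`. Either add the matching packs for the other languages in the same change, or confirm that an unmatched glob in this `provide` list is harmless for the tooling that consumes the manifest, so the examples directories are not left half-registered.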

.vscode/settings.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
{
2+
"omnisharp.autoStart": false
3+
}
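Review bot: `"omnisharp.autoStart": false` is committed with no explanation of why OmniSharp should not start for this repository, and JSON cannot carry a comment. Record the reason, and what a contributor who does want C# language support in VS Code should do instead, in the contributor documentation or the commit message. A checked-in `.vscode/settings.json` also overrides every contributor's own workspace settings, so keep it limited to settings that are genuinely repository-wide.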

change-notes/1.25/analysis-csharp.md

Lines changed: 46 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -28,27 +28,51 @@ The following changes in version 1.25 affect C# analysis in all applications.
2828
such as `A<int>.B`, no longer are considered unbound generics. (Such nested types do,
2929
however, still have relevant `.getSourceDeclaration()`s, for example `A<>.B`.)
3030
* The data-flow library has been improved, which affects most security queries by potentially
31-
adding more results. Flow through methods now takes nested field reads/writes into account.
32-
For example, the library is able to track flow from `"taint"` to `Sink()` via the method
33-
`GetF2F1()` in
34-
```csharp
35-
class C1
36-
{
37-
string F1;
38-
}
39-
40-
class C2
41-
{
42-
C1 F2;
43-
44-
string GetF2F1() => F2.F1; // Nested field read
45-
46-
void M()
47-
{
48-
F2 = new C1() { F1 = "taint" };
49-
Sink(GetF2F1()); // NEW: "taint" reaches here
50-
}
51-
}
52-
```
31+
adding more results:
32+
- Flow through methods now takes nested field reads/writes into account.
33+
For example, the library is able to track flow from `"taint"` to `Sink()` via the method
34+
`GetF2F1()` in
35+
```csharp
36+
class C1
37+
{
38+
string F1;
39+
}
40+
41+
class C2
42+
{
43+
C1 F2;
44+
45+
string GetF2F1() => F2.F1; // Nested field read
46+
47+
void M()
48+
{
49+
F2 = new C1() { F1 = "taint" };
50+
Sink(GetF2F1()); // NEW: "taint" reaches here
51+
}
52+
}
53+
```
54+
- Flow through collections is now modeled precisely. For example, instead of modeling an array
55+
store `a[i] = x` as a taint-step from `x` to `a`, we now model it as a data-flow step that
56+
stores `x` into `a`. To get the value back out, a matching read step must be taken.
57+
58+
For source-code based data-flow analysis, the following constructs are modeled as stores into
59+
collections:
60+
- Direct array assignments, `a[i] = x`.
61+
- Array initializers, `new [] { x }`.
62+
- C# 6-style array initializers, `new C() { Array = { [i] = x } }`.
63+
- Call arguments that match a `params` parameter, where the C# compiler creates an array under-the-hood.
64+
- `yield return` statements.
65+
66+
The following source-code constructs read from a collection:
67+
- Direct array reads, `a[i]`.
68+
- `foreach` statements.
69+
70+
For calls out to library code, existing flow summaries have been refined to precisely
71+
capture how they interact with collection contents. For example, a call to
72+
`System.Collections.Generic.List<T>.Add(T)` stores the value of the argument into the
73+
qualifier, and a call to `System.Collections.Generic.List<T>.get_Item(int)` (that is, an
74+
indexer call) reads contents out of the qualifier. Moreover, the effect of
75+
collection-clearing methods such as `System.Collections.Generic.List<T>.Clear()` is now
76+
also modeled.
5377

5478
## Changes to autobuilder
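Review bot: the lead sentence (unchanged line 30, "potentially adding more results") no longer matches the second new bullet. Modeling `a[i] = x` as a store that needs a matching read step, instead of a taint step from `x` to `a`, also removes results: any flow that previously reached a sink taking the whole collection, with no intervening read, will disappear. State both directions, for example "adding results through nested fields and collections, and removing results where a tainted element reached a sink as part of the whole collection without being read back out", so users are not surprised by vanished alerts. The "Changes to libraries" style point also applies: the bullet lists `yield return` as a store but only `foreach` and `a[i]` as reads, so say explicitly that iterating the returned `IEnumerable<T>` with `foreach` is the matching read for `yield return`.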

change-notes/1.25/analysis-javascript.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,10 @@
66
- [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)
77
- [bluebird](http://bluebirdjs.com/)
88
- [express](https://www.npmjs.com/package/express)
9+
- [execa](https://www.npmjs.com/package/execa)
910
- [fancy-log](https://www.npmjs.com/package/fancy-log)
1011
- [fastify](https://www.npmjs.com/package/fastify)
12+
- [foreground-child](https://www.npmjs.com/package/foreground-child)
1113
- [fstream](https://www.npmjs.com/package/fstream)
1214
- [jGrowl](https://github.com/stanlemon/jGrowl)
1315
- [jQuery](https://jquery.com/)
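Review bot: `execa` and `foreground-child` are added as bare links in the supported-frameworks list with no indication of what the support consists of. Both spawn child processes, so the entry should say whether their calls are now recognized as command-execution sinks and which query that feeds, otherwise a reader cannot tell whether to expect new command-injection results from this release.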
@@ -17,6 +19,7 @@
1719
- [mssql](https://www.npmjs.com/package/mssql)
1820
- [mysql](https://www.npmjs.com/package/mysql)
1921
- [npmlog](https://www.npmjs.com/package/npmlog)
22+
- [opener](https://www.npmjs.com/package/opener)
2023
- [pg](https://www.npmjs.com/package/pg)
2124
- [sequelize](https://www.npmjs.com/package/sequelize)
2225
- [spanner](https://www.npmjs.com/package/spanner)
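Review bot: same point for `opener`: the package hands a URL or file path to the platform's default handler by shelling out, so the note should say whether its argument is now modeled as a sink and for which query, rather than listing the package name alone.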

change-notes/1.25/analysis-python.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,3 +20,4 @@ The following changes in version 1.25 affect Python analysis in all applications
2020
## Changes to libraries
2121

2222
* Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
23+
* Added support for tainted f-strings.
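Review bot: "Added support for tainted f-strings." is too terse for a change note next to the detailed `UntrustedStringKind` bullet above it. Say in which direction taint propagates (from each interpolated expression to the resulting string) and what the user-visible effect is (additional results for the taint-tracking queries), so a reader can judge whether new alerts in their project come from this change.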

change-notes/1.26/analysis-cpp.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
# Improvements to C/C++ analysis
2+
3+
The following changes in version 1.26 affect C/C++ analysis in all applications.
4+
5+
## General improvements
6+
7+
## New queries
8+
9+
| **Query** | **Tags** | **Purpose** |
10+
|-----------------------------|-----------|--------------------------------------------------------------------|
11+
12+
## Changes to existing queries
13+
14+
| **Query** | **Expected impact** | **Change** |
15+
|----------------------------|------------------------|------------------------------------------------------------------|
16+
| Inconsistent direction of for loop (`cpp/inconsistent-loop-direction`) | Fewer false positive results | The query now accounts for intentional wrapping of an unsigned loop counter. |
17+
| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | | The precision of this query has been decreased from "high" to "medium". As a result, the query is still run but results are no longer displayed on LGTM by default. |
18+
| Comparison result is always the same (`cpp/constant-comparison`) | More correct results | Bounds on expressions involving multiplication can now be determined in more cases. |
19+
20+
## Changes to libraries
21+
22+
* The models library now models some taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
23+
* The models library now models many more taint flows through `std::string`.
24+
* The `SimpleRangeAnalysis` library now supports multiplications of the form
25+
`e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.
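Review bot: in the "Changes to existing queries" table the `cpp/uncontrolled-allocation-size` row leaves "Expected impact" empty while the "Change" cell describes an impact (results no longer displayed on LGTM by default); move that into the impact column and keep the precision change in the change column. The `cpp/constant-comparison` row says "More correct results", which gives no direction: the library bullet says bounds on multiplications are now determined in more cases, which ordinarily means more results, so say that. The "General improvements" heading and the "New queries" table are empty and should be filled or removed before the release note is published.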
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
# Improvements to C# analysis
2+
3+
The following changes in version 1.26 affect C# analysis in all applications.
4+
5+
## New queries
6+
7+
| **Query** | **Tags** | **Purpose** |
8+
|-----------------------------|-----------|--------------------------------------------------------------------|
9+
10+
11+
## Changes to existing queries
12+
13+
| **Query** | **Expected impact** | **Change** |
14+
|------------------------------|------------------------|-----------------------------------|
15+
16+
17+
## Removal of old queries
18+
19+
## Changes to code extraction
20+
21+
* Partial method bodies are extracted. Previously, partial method bodies were skipped completely.
22+
23+
## Changes to libraries
24+
25+
## Changes to autobuilder
26+
27+
## Changes to tooling support
28+
29+
* The Abstract Syntax Tree of C# files can be printed in Visual Studio Code.
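Review bot: "Partial method bodies are extracted. Previously, partial method bodies were skipped completely." needs an impact statement: code in partial method bodies was invisible to every query before this change, so users should expect new results in files that use partial methods (often generated or designer code), and any suppression or baseline they maintain may need updating. The "Removal of old queries", "Changes to libraries" and "Changes to autobuilder" headings are empty and both tables have no rows; drop them or fill them in so the file does not ship as a skeleton.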
Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
# Improvements to JavaScript analysis
2+
3+
## General improvements
4+
5+
* Support for the following frameworks and libraries has been improved:
6+
- [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
7+
- [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
8+
- [javascript-stringify](https://www.npmjs.com/package/javascript-stringify)
9+
- [js-stringify](https://www.npmjs.com/package/js-stringify)
10+
- [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
11+
- [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
12+
- [json3](https://www.npmjs.com/package/json3)
13+
- [object-inspect](https://www.npmjs.com/package/object-inspect)
14+
- [pretty-format](https://www.npmjs.com/package/pretty-format)
15+
- [stringify-object](https://www.npmjs.com/package/stringify-object)
16+
17+
* Analyzing files with the ".cjs" extension is now supported.
18+
19+
## New queries
20+
21+
| **Query** | **Tags** | **Purpose** |
22+
|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
23+
24+
25+
## Changes to existing queries
26+
27+
| **Query** | **Expected impact** | **Change** |
28+
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
29+
| Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
30+
31+
32+
## Changes to libraries
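Review bot: the ten packages under "Support for the following frameworks and libraries has been improved" are all serializers or pretty-printers, but the note does not say what improved; if the change is that taint now flows through them to their string output, say so, because that is what produces new results for queries whose sinks consume that string. The `js/incomplete-url-substring-sanitization` row claims "More results" because "additional URLs" are recognized when the check is an inclusion check; give one example of a newly recognized pattern so users can judge the claim. The ".cjs" bullet should state that such files are treated as CommonJS modules, and the empty "New queries" table and "Changes to libraries" heading should be filled or removed.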

cpp/ql/examples/qlpack.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
name: codeql-cpp-examples
2+
version: 0.0.0
3+
libraryPathDependencies: codeql-cpp

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,12 @@ predicate illDefinedDecrForStmt(
5050
DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(lesserOperand)) and
5151
// `initialCondition` < `terminalCondition`
5252
(
53-
upperBound(initialCondition) < lowerBound(terminalCondition)
53+
upperBound(initialCondition) < lowerBound(terminalCondition) and
54+
(
55+
// exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
56+
v.getUnspecifiedType().(IntegralType).isSigned() or
57+
initialCondition.getValue().toInt() = 0
58+
)
5459
or
5560
(forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
5661
)
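Review bot: the `.(IntegralType)` cast in `v.getUnspecifiedType().(IntegralType).isSigned()` silently drops results for counters whose type is not an `IntegralType` (an enum counter, for instance): the cast fails, the new conjunct reduces to `initialCondition.getValue().toInt() = 0`, and a decrement loop that this predicate reported before the change is no longer reported unless it starts at a literal 0. If the intent is only to exclude unsigned counters, as the comment says, test for "provably unsigned" and negate it rather than requiring a positive signed check. The comment also explains only the unsigned exclusion; add a line saying why a 0 start is still reported (the first decrement wraps immediately, so it cannot be the deliberate count-down idiom) so the next reader does not remove the second disjunct. Finally, `getValue().toInt() = 0` relies on `getValue()` yielding a string that `toInt()` accepts for every spelling of zero (`0`, `0u`, `0UL`); a test case for those spellings would pin that down.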
