Merge remote-tracking branch 'upstream/master' into StackVariable

Conflicts:
      change-notes/1.24/analysis-cpp.md
      cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql

Author: jbj

README.md

@@ -5,7 +5,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 ## How do I learn CodeQL and run queries?
 
 There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open source project that's currently being analyzed.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 

change-notes/1.23/analysis-csharp.md

@@ -4,8 +4,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
 
 ## New queries
 
-## New queries
-
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |

change-notes/1.24/analysis-cpp.md

@@ -13,8 +13,9 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings.  This approach produces fewer, more accurate results. |
 
-## Changes to QL libraries
+## Changes to libraries
 
 * The new class `StackVariable` should be used in place of `LocalScopeVariable`
   in most cases. The difference is that `StackVariable` does not include

change-notes/1.24/analysis-javascript.md

@@ -0,0 +1,27 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Support for the following frameworks and libraries has been improved:
+  - [react](https://www.npmjs.com/package/react)
+  - [Handlebars](https://www.npmjs.com/package/handlebars)
+
+- Imports with the `.js` extension can now be resolved to a TypeScript file,
+  when the import refers to a file generated by TypeScript.
+
+## New queries
+
+| **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
+| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes additional cases where a single replacement is likely to be intentional. |
+| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. | 
+
+## Changes to libraries
+

config/identical-files.json

@@ -143,6 +143,11 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
     "csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
   ],
+  "IR SSASanity": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSASanity.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSASanity.qll",
+    "csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSASanity.qll"
+  ],
   "C++ IR InstructionImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",

cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql

@@ -15,7 +15,10 @@ import cpp
 
 from ExprInVoidContext op
 where
-  op instanceof EQExpr
-  or
-  op.(FunctionCall).getTarget().hasName("operator==")
+  not op.isUnevaluated() and
+  (
+    op instanceof EQExpr
+    or
+    op.(FunctionCall).getTarget().hasName("operator==")
+  )
 select op, "This '==' operator has no effect. The assignment ('=') operator was probably intended."

cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql

@@ -84,8 +84,10 @@ where
   not peivc.getEnclosingFunction().isDefaulted() and
   not exists(Macro m | peivc = m.getAnInvocation().getAnExpandedElement()) and
   not peivc.isFromTemplateInstantiation(_) and
+  not peivc.isFromUninstantiatedTemplate(_) and
   parent = peivc.getParent() and
   not parent.isInMacroExpansion() and
+  not peivc.isUnevaluated() and
   not parent instanceof PureExprInVoidContext and
   not peivc.getEnclosingFunction().isCompilerGenerated() and
   not peivc.getType() instanceof UnknownType and

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow-bad.cpp

@@ -1,3 +1,3 @@
-bool not_in_range(T *ptr, T *ptr_end, size_t a) {
-    return ptr + a >= ptr_end || ptr + a < ptr; // BAD
+bool not_in_range(T *ptr, T *ptr_end, size_t i) {
+    return ptr + i >= ptr_end || ptr + i < ptr; // BAD
 }

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow-good.cpp

@@ -1,3 +1,3 @@
-bool not_in_range(T *ptr, T *ptr_end, size_t a) {
-    return a >= ptr_end - ptr; // GOOD
+bool not_in_range(T *ptr, T *ptr_end, size_t i) {
+    return i >= ptr_end - ptr; // GOOD
 }

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.qhelp

@@ -4,29 +4,27 @@
 <qhelp>
 <overview>
 <p>
-The expression <code>ptr + a &lt; ptr</code> is equivalent to <code>a &lt;
-0</code>, and an optimizing compiler is likely to make that replacement,
-thereby removing a range check that might have been necessary for security.
-If <code>a</code> is known to be non-negative, the compiler can even replace <code>ptr +
-a &lt; ptr</code> with <code>false</code>.
+When checking for integer overflow, you may often write tests like
+<code>p + i &lt; p</code>.  This works fine if <code>p</code> and
+<code>i</code> are unsigned integers, since any overflow in the addition
+will cause the value to simply "wrap around."  However, using this pattern when
+<code>p</code> is a pointer is problematic because pointer overflow has
+undefined behavior according to the C and C++ standards.  If the addition
+overflows and has an undefined result, the comparison will likewise be
+undefined; it may produce an unintended result, or may be deleted entirely by an
+optimizing compiler.
 </p>
 
-<p>
-The reason is that pointer arithmetic overflow in C/C++ is undefined
-behavior. The optimizing compiler can assume that the program has no
-undefined behavior, which means that adding a positive number to <code>ptr</code> cannot
-produce a pointer less than  <code>ptr</code>.
-</p>
 </overview>
 <recommendation>
 <p>
-To check whether an index <code>a</code> is less than the length of an array, 
-simply compare these two numbers as unsigned integers: <code>a &lt; ARRAY_LENGTH</code>. 
+To check whether an index <code>i</code> is less than the length of an array, 
+simply compare these two numbers as unsigned integers: <code>i &lt; ARRAY_LENGTH</code>. 
 If the length of the array is defined as the difference between two pointers 
-<code>ptr</code> and <code>p_end</code>, write <code>a &lt; p_end - ptr</code>.
-If a is <code>signed</code>, cast it to <code>unsigned</code> 
-in order to guard against negative <code>a</code>. For example, write 
-<code>(size_t)a &lt; p_end - ptr</code>.
+<code>ptr</code> and <code>p_end</code>, write <code>i &lt; p_end - ptr</code>.
+If <code>i</code> is signed, cast it to unsigned
+in order to guard against negative <code>i</code>. For example, write 
+<code>(size_t)i &lt; p_end - ptr</code>.
 </p>
 </recommendation>
 <example>
@@ -43,14 +41,14 @@ overflows and wraps around.
 <p>
 In both of these checks, the operations are performed in the wrong order.
 First, an expression that may cause undefined behavior is evaluated
-(<code>ptr + a</code>), and then the result is checked for being in range.
+(<code>ptr + i</code>), and then the result is checked for being in range.
 But once undefined behavior has happened in the pointer addition, it cannot
 be recovered from: it's too late to perform the range check after a possible
 pointer overflow.
 </p>
 
 <p>
-While it's not the subject of this query, the expression <code>ptr + a &lt;
+While it's not the subject of this query, the expression <code>ptr + i &lt;
 ptr_end</code> is also an invalid range check. It's undefined behavor in
 C/C++ to create a pointer that points more than one past the end of an
 allocation.