Commit 763b18c

Merge remote-tracking branch 'upstream/master' into StackVariable
Conflicts:
	change-notes/1.24/analysis-cpp.md
	cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
2 parents d816701 + d22df24 commit 763b18c

308 files changed

+6719
-1904
lines changed

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ This open source repository contains the standard CodeQL libraries and queries t
55
## How do I learn CodeQL and run queries?
66

77
There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
8-
You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open source project that's currently being analyzed.
8+
You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
99

1010
## Contributing
1111

change-notes/1.23/analysis-csharp.md

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
44

55
## New queries
66

7-
## New queries
8-
97
| **Query** | **Tags** | **Purpose** |
108
|-----------------------------|-----------|--------------------------------------------------------------------|
119
| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |

change-notes/1.24/analysis-cpp.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,8 +13,9 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
1313

1414
| **Query** | **Expected impact** | **Change** |
1515
|----------------------------|------------------------|------------------------------------------------------------------|
16+
| No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings. This approach produces fewer, more accurate results. |
1617

17-
## Changes to QL libraries
18+
## Changes to libraries
1819

1920
* The new class `StackVariable` should be used in place of `LocalScopeVariable`
2021
in most cases. The difference is that `StackVariable` does not include
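Review bot: the merge keeps the upstream `cpp/no-space-for-terminator` row and the branch's `StackVariable` bullet under the heading renamed to `## Changes to libraries`, which matches the heading used in the new JavaScript change-notes file in this commit; since the commit message lists this file as a conflict, double-check that nothing from either side (the old `## Changes to QL libraries` wording, or a second copy of the table row) survives or went missing outside the lines shown here.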
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Improvements to JavaScript analysis
2+
3+
## General improvements
4+
5+
* Support for the following frameworks and libraries has been improved:
6+
- [react](https://www.npmjs.com/package/react)
7+
- [Handlebars](https://www.npmjs.com/package/handlebars)
8+
9+
- Imports with the `.js` extension can now be resolved to a TypeScript file,
10+
when the import refers to a file generated by TypeScript.
11+
12+
## New queries
13+
14+
| **Query** | **Tags** | **Purpose** |
15+
|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
16+
17+
18+
## Changes to existing queries
19+
20+
| **Query** | **Expected impact** | **Change** |
21+
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
22+
| Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
23+
| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes additional cases where a single replacement is likely to be intentional. |
24+
| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. |
25+
26+
## Changes to libraries
27+

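Review bot: the `## New queries` table (lines 14 and 15 of the new file) has a header and separator row but no entries, and `## Changes to libraries` at the end has no content under it; either add the rows or drop the empty sections so the rendered release notes do not show an empty table and a dangling heading. The `.js` import-resolution bullet is also written with `-` while the sibling framework bullet uses `*`; if it is meant as a top-level item rather than a sub-item of the framework list, use `*` for consistency.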
config/identical-files.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -143,6 +143,11 @@
143143
"cpp/ql/src/semmle/code/cpp/ir/implementation/Opcode.qll",
144144
"csharp/ql/src/semmle/code/csharp/ir/implementation/Opcode.qll"
145145
],
146+
"IR SSASanity": [
147+
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSASanity.qll",
148+
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSASanity.qll",
149+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSASanity.qll"
150+
],
146151
"C++ IR InstructionImports": [
147152
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
148153
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/InstructionImports.qll",

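Review bot: the new `IR SSASanity` group lists the C++ `unaliased_ssa` and `aliased_ssa` copies but only the C# `unaliased_ssa` copy; if a C# `aliased_ssa/internal/SSASanity.qll` exists it should be listed as well, otherwise the identical-files check will not catch it drifting from the others. The naming is consistent with the file's convention: cross-language groups use the bare `IR ...` prefix (like the `Opcode.qll` group just above) while C++-only groups use `C++ IR ...`.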
cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,10 @@ import cpp
1515

1616
from ExprInVoidContext op
1717
where
18-
op instanceof EQExpr
19-
or
20-
op.(FunctionCall).getTarget().hasName("operator==")
18+
not op.isUnevaluated() and
19+
(
20+
op instanceof EQExpr
21+
or
22+
op.(FunctionCall).getTarget().hasName("operator==")
23+
)
2124
select op, "This '==' operator has no effect. The assignment ('=') operator was probably intended."
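Review bot: the added `not op.isUnevaluated() and` guard needs the new parentheses because `and` binds tighter than `or` in QL; without them the guard would apply only to the `EQExpr` branch, so the grouping is correct as written. Excluding unevaluated contexts (operands of `sizeof`, `decltype` and similar) removes a class of false positives where the `==` is never executed anyway; consider adding a row for this query to the 1.24 C++ change notes, since the change-notes hunk in this commit mentions only `cpp/no-space-for-terminator`.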

cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -84,8 +84,10 @@ where
8484
not peivc.getEnclosingFunction().isDefaulted() and
8585
not exists(Macro m | peivc = m.getAnInvocation().getAnExpandedElement()) and
8686
not peivc.isFromTemplateInstantiation(_) and
87+
not peivc.isFromUninstantiatedTemplate(_) and
8788
parent = peivc.getParent() and
8889
not parent.isInMacroExpansion() and
90+
not peivc.isUnevaluated() and
8991
not parent instanceof PureExprInVoidContext and
9092
not peivc.getEnclosingFunction().isCompilerGenerated() and
9193
not peivc.getType() instanceof UnknownType and
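Review bot: the two new exclusions, `not peivc.isFromUninstantiatedTemplate(_)` and `not peivc.isUnevaluated()`, are separated by the `parent = peivc.getParent()` and `not parent.isInMacroExpansion()` lines; placing `isUnevaluated()` directly after the template checks would keep the "where does this expression live" conditions together and mirror the same `isUnevaluated()` guard added to CompareWhereAssignMeant.ql in this commit. Both guards tighten the query, so the 1.24 C++ change notes should record the expected drop in results.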
Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
1-
bool not_in_range(T *ptr, T *ptr_end, size_t a) {
2-
return ptr + a >= ptr_end || ptr + a < ptr; // BAD
1+
bool not_in_range(T *ptr, T *ptr_end, size_t i) {
2+
return ptr + i >= ptr_end || ptr + i < ptr; // BAD
33
}
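Review bot: the rename from `a` to `i` matches the updated qhelp, but the `// BAD` marker could say why in one line, e.g. `// BAD: ptr + i is formed (and may overflow) before the range check`, since the order of operations is the whole point of the example.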
Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
1-
bool not_in_range(T *ptr, T *ptr_end, size_t a) {
2-
return a >= ptr_end - ptr; // GOOD
1+
bool not_in_range(T *ptr, T *ptr_end, size_t i) {
2+
return i >= ptr_end - ptr; // GOOD
33
}
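Review bot: `ptr_end - ptr` has type `ptrdiff_t` (signed) while `i` is `size_t`, so `i >= ptr_end - ptr` is a signed/unsigned comparison (`-Wsign-compare` will flag it) and is only correct under the precondition `ptr <= ptr_end`; if `ptr_end` were below `ptr`, the negative difference converts to a huge unsigned value and `not_in_range` would wrongly return false. Stating the precondition in the comment, e.g. `// GOOD: requires ptr <= ptr_end`, or writing `i >= (size_t)(ptr_end - ptr)`, would make the example self-explanatory.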

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.qhelp

Lines changed: 17 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -4,29 +4,27 @@
44
<qhelp>
55
<overview>
66
<p>
7-
The expression <code>ptr + a &lt; ptr</code> is equivalent to <code>a &lt;
8-
0</code>, and an optimizing compiler is likely to make that replacement,
9-
thereby removing a range check that might have been necessary for security.
10-
If <code>a</code> is known to be non-negative, the compiler can even replace <code>ptr +
11-
a &lt; ptr</code> with <code>false</code>.
7+
When checking for integer overflow, you may often write tests like
8+
<code>p + i &lt; p</code>. This works fine if <code>p</code> and
9+
<code>i</code> are unsigned integers, since any overflow in the addition
10+
will cause the value to simply "wrap around." However, using this pattern when
11+
<code>p</code> is a pointer is problematic because pointer overflow has
12+
undefined behavior according to the C and C++ standards. If the addition
13+
overflows and has an undefined result, the comparison will likewise be
14+
undefined; it may produce an unintended result, or may be deleted entirely by an
15+
optimizing compiler.
1216
</p>
1317

14-
<p>
15-
The reason is that pointer arithmetic overflow in C/C++ is undefined
16-
behavior. The optimizing compiler can assume that the program has no
17-
undefined behavior, which means that adding a positive number to <code>ptr</code> cannot
18-
produce a pointer less than <code>ptr</code>.
19-
</p>
2018
</overview>
2119
<recommendation>
2220
<p>
23-
To check whether an index <code>a</code> is less than the length of an array,
24-
simply compare these two numbers as unsigned integers: <code>a &lt; ARRAY_LENGTH</code>.
21+
To check whether an index <code>i</code> is less than the length of an array,
22+
simply compare these two numbers as unsigned integers: <code>i &lt; ARRAY_LENGTH</code>.
2523
If the length of the array is defined as the difference between two pointers
26-
<code>ptr</code> and <code>p_end</code>, write <code>a &lt; p_end - ptr</code>.
27-
If a is <code>signed</code>, cast it to <code>unsigned</code>
28-
in order to guard against negative <code>a</code>. For example, write
29-
<code>(size_t)a &lt; p_end - ptr</code>.
24+
<code>ptr</code> and <code>p_end</code>, write <code>i &lt; p_end - ptr</code>.
25+
If <code>i</code> is signed, cast it to unsigned
26+
in order to guard against negative <code>i</code>. For example, write
27+
<code>(size_t)i &lt; p_end - ptr</code>.
3028
</p>
3129
</recommendation>
3230
<example>
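Review bot: the recommendation still names the end pointer `p_end` (`i < p_end - ptr`, `(size_t)i < p_end - ptr`) while the accompanying `.cpp` examples in this commit use `ptr_end`; pick one name so readers can map the text to the code. The rewritten overview is clearer about why the unsigned-integer idiom breaks for pointers, but it drops the old paragraph's explicit statement that the compiler may assume no undefined behaviour and therefore treat `ptr + i < ptr` as always false; one sentence to that effect would explain what "deleted entirely by an optimizing compiler" means in practice.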
@@ -43,14 +41,14 @@ overflows and wraps around.
4341
<p>
4442
In both of these checks, the operations are performed in the wrong order.
4543
First, an expression that may cause undefined behavior is evaluated
46-
(<code>ptr + a</code>), and then the result is checked for being in range.
44+
(<code>ptr + i</code>), and then the result is checked for being in range.
4745
But once undefined behavior has happened in the pointer addition, it cannot
4846
be recovered from: it's too late to perform the range check after a possible
4947
pointer overflow.
5048
</p>
5149

5250
<p>
53-
While it's not the subject of this query, the expression <code>ptr + a &lt;
51+
While it's not the subject of this query, the expression <code>ptr + i &lt;
5452
ptr_end</code> is also an invalid range check. It's undefined behavor in
5553
C/C++ to create a pointer that points more than one past the end of an
5654
allocation.
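Review bot: the context line `It's undefined behavor in` carries a pre-existing typo (`behavor` for `behavior`); since this paragraph is already being touched for the `a` to `i` rename, fix it in the same commit. The paragraph also notes that `ptr + i < ptr_end` is an invalid check because forming a pointer more than one past the end is undefined, which is the same order-of-operations problem the example describes, so linking the two sentences explicitly would help readers.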
