Merge branch 'main' into python-port-code-injection

Author: RasmusWL

change-notes/1.26/analysis-javascript.md

@@ -3,6 +3,8 @@
 ## General improvements
 
 * Support for the following frameworks and libraries has been improved:
+  - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
+  - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
   - [bluebird](https://www.npmjs.com/package/bluebird)
   - [express](https://www.npmjs.com/package/express)
   - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)

config/identical-files.json

@@ -62,6 +62,14 @@
     "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
+  "Bound Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/Bound.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/Bound.qll"
+  ],
+  "ModulusAnalysis Java/C#": [
+    "java/ql/src/semmle/code/java/dataflow/ModulusAnalysis.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
+  ],
   "C++ SubBasicBlocks": [
     "cpp/ql/src/semmle/code/cpp/controlflow/SubBasicBlocks.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll"

cpp/change-notes/2020-09-29-range-analysis-rollup.md

@@ -0,0 +1,14 @@
+lgtm,codescanning
+* The `SimpleRangeAnalysis` library has gained support for several language
+  constructs it did not support previously. These improvements primarily affect
+  the queries `cpp/constant-comparison`, `cpp/comparison-with-wider-type`, and
+  `cpp/integer-multiplication-cast-to-long`. The newly supported language
+  features are:
+    * Multiplication of unsigned numbers.
+    * Multiplication by a constant.
+    * Reference-typed function parameters.
+    * Comparing a variable not equal to an endpoint of its range, thus narrowing the range by one.
+    * Using `if (x)` or `if (!x)` or similar to test for equality to zero.
+* The `SimpleRangeAnalysis` library can now be extended with custom rules. See
+  examples in
+  `cpp/ql/src/experimental/semmle/code/cpp/rangeanalysis/extensions/`.

cpp/ql/src/Critical/OverflowDestination.ql

@@ -23,10 +23,7 @@ import semmle.code.cpp.security.TaintTracking
  * ```
  */
 predicate sourceSized(FunctionCall fc, Expr src) {
-  exists(string name |
-    (name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
-    fc.getTarget().hasGlobalOrStdName(name)
-  ) and
+  fc.getTarget().hasGlobalOrStdName(["strncpy", "strncat", "memcpy", "memmove"]) and
   exists(Expr dest, Expr size, Variable v |
     fc.getArgument(0) = dest and
     fc.getArgument(1) = src and

cpp/ql/src/Critical/SizeCheck2.ql

@@ -15,12 +15,7 @@
 import cpp
 
 class Allocation extends FunctionCall {
-  Allocation() {
-    exists(string name |
-      this.getTarget().hasGlobalOrStdName(name) and
-      (name = "malloc" or name = "calloc" or name = "realloc")
-    )
-  }
+  Allocation() { this.getTarget().hasGlobalOrStdName(["malloc", "calloc", "realloc"]) }
 
   private string getName() { this.getTarget().hasGlobalOrStdName(result) }
 

cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql

@@ -13,14 +13,7 @@
 import cpp
 
 class ForbiddenFunction extends Function {
-  ForbiddenFunction() {
-    exists(string name | name = this.getName() |
-      name = "setjmp" or
-      name = "longjmp" or
-      name = "sigsetjmp" or
-      name = "siglongjmp"
-    )
-  }
+  ForbiddenFunction() { this.getName() = ["setjmp", "longjmp", "sigsetjmp", "siglongjmp"] }
 }
 
 from FunctionCall call

cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql

@@ -40,9 +40,7 @@ class DateStructModifiedFieldAccess extends LeapYearFieldAccess {
  */
 class SafeTimeGatheringFunction extends Function {
   SafeTimeGatheringFunction() {
-    this.getQualifiedName() = "GetFileTime" or
-    this.getQualifiedName() = "GetSystemTime" or
-    this.getQualifiedName() = "NtQuerySystemTime"
+    this.getQualifiedName() = ["GetFileTime", "GetSystemTime", "NtQuerySystemTime"]
   }
 }
 
@@ -51,15 +49,11 @@ class SafeTimeGatheringFunction extends Function {
  */
 class TimeConversionFunction extends Function {
   TimeConversionFunction() {
-    this.getQualifiedName() = "FileTimeToSystemTime" or
-    this.getQualifiedName() = "SystemTimeToFileTime" or
-    this.getQualifiedName() = "SystemTimeToTzSpecificLocalTime" or
-    this.getQualifiedName() = "SystemTimeToTzSpecificLocalTimeEx" or
-    this.getQualifiedName() = "TzSpecificLocalTimeToSystemTime" or
-    this.getQualifiedName() = "TzSpecificLocalTimeToSystemTimeEx" or
-    this.getQualifiedName() = "RtlLocalTimeToSystemTime" or
-    this.getQualifiedName() = "RtlTimeToSecondsSince1970" or
-    this.getQualifiedName() = "_mkgmtime"
+    this.getQualifiedName() =
+      ["FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime",
+          "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
+          "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
+          "RtlTimeToSecondsSince1970", "_mkgmtime"]
   }
 }
 

cpp/ql/src/Microsoft/SAL.qll

@@ -10,13 +10,8 @@ import cpp
  */
 class SALMacro extends Macro {
   SALMacro() {
-    exists(string filename | filename = this.getFile().getBaseName() |
-      filename = "sal.h" or
-      filename = "specstrings_strict.h" or
-      filename = "specstrings.h" or
-      filename = "w32p.h" or
-      filename = "minwindef.h"
-    ) and
+    this.getFile().getBaseName() =
+      ["sal.h", "specstrings_strict.h", "specstrings.h", "w32p.h", "minwindef.h"] and
     (
       // Dialect for Windows 8 and above
       this.getName().matches("\\_%\\_")
@@ -58,10 +53,7 @@ class SALAnnotation extends MacroInvocation {
  */
 class SALCheckReturn extends SALAnnotation {
   SALCheckReturn() {
-    exists(SALMacro m | m = this.getMacro() |
-      m.getName() = "_Check_return_" or
-      m.getName() = "_Must_inspect_result_"
-    )
+    this.getMacro().(SALMacro).getName() = ["_Check_return_", "_Must_inspect_result_"]
   }
 }
 

cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql

@@ -56,7 +56,7 @@ class VarargsFunction extends Function {
   }
 
   string normalTerminator(int cnt) {
-    (result = "0" or result = "-1") and
+    result = ["0", "-1"] and
     cnt = trailingArgValueCount(result) and
     2 * cnt > totalCount() and
     not exists(FunctionCall fc, int index |

cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql

@@ -66,10 +66,7 @@ class IFStream extends Type {
  */
 class CinVariable extends NamespaceVariable {
   CinVariable() {
-    (
-      getName() = "cin" or
-      getName() = "wcin"
-    ) and
+    getName() = ["cin", "wcin"] and
     getNamespace().getName() = "std"
   }
 }