
Commit 7f5e263

Author: Max Schaefer
Merge pull request #1032 from xiemaisi/master-for-merge
Merge master into rc/1.20
2 parents 245b47a + a3f452b commit 7f5e263

452 files changed: +34120 / -31653 lines changed


change-notes/1.20/analysis-cpp.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,3 +44,4 @@
4444
* There is a new `Namespace.isInline()` predicate, which holds if the namespace was declared as `inline namespace`.
4545
* The `Expr.isConstant()` predicate now also holds for _address constant expressions_, which are addresses that will be constant after the program has been linked. These address constants do not have a result for `Expr.getValue()`.
4646
* There are new `Function.isDeclaredConstexpr()` and `Function.isConstexpr()` predicates. They can be used to tell whether a function was declared as `constexpr`, and whether it actually is `constexpr`.
47+
* There is a new `Variable.isConstexpr()` predicate. It can be used to tell whether a variable is `constexpr`.

change-notes/1.20/analysis-javascript.md

Lines changed: 4 additions & 2 deletions
@@ -5,6 +5,7 @@
55
* Support for many frameworks and libraries has been improved, in particular including the following:
66
- [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
77
- [Electron](https://electronjs.org)
8+
- [Express](https://npmjs.org/express)
89
- [hapi](https://hapijs.com/)
910
- [js-cookie](https://github.com/js-cookie/js-cookie)
1011
- [React](https://reactjs.org/)
@@ -30,7 +31,7 @@
3031
| Incomplete URL substring sanitization | correctness, security, external/cwe/cwe-020 | Highlights URL sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results shown on LGTM by default. |
3132
| Incorrect suffix check (`js/incorrect-suffix-check`) | correctness, security, external/cwe/cwe-020 | Highlights error-prone suffix checks based on `indexOf`, indicating a potential violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
3233
| Loop iteration skipped due to shifting (`js/loop-iteration-skipped-due-to-shifting`) | correctness | Highlights code that removes an element from an array while iterating over it, causing the loop to skip over some elements. Results are shown on LGTM by default. |
33-
| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are recognized. |
34+
| Unused property (`js/unused-property`) | maintainability | Highlights properties that are unused. Results are shown on LGTM by default. |
3435
| Useless comparison test (`js/useless-comparison-test`) | correctness | Highlights code that is unreachable due to a numeric comparison that is always true or always false. Results are shown on LGTM by default. |
3536

3637
## Changes to existing queries
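Review bot: the "Incomplete URL substring sanitization" row in this table is the only new-query row without the query id in parentheses that every other row carries, and it links the weakness as "CWE-020" while the next row writes "CWE-20"; add the id and use one spelling of the CWE reference so the table stays consistent. Moving the "Unbound event handler receiver" row out of the new-queries table is correct, since its "Fewer false positive results" column only makes sense under "Changes to existing queries".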
@@ -43,9 +44,10 @@
4344
| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
4445
| Reflected cross-site scripting | Fewer false-positive results. | This rule now recognizes custom sanitizers. |
4546
| Stored cross-site scripting | Fewer false-positive results. | This rule now recognizes custom sanitizers. |
47+
| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are recognized. |
4648
| Uncontrolled data used in network request | More results | This rule now recognizes host values that are vulnerable to injection. |
4749
| Unused parameter | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
48-
| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, and no longer flags variables with leading underscore. |
50+
| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, no longer flags variables with leading underscore, and no longer flags variables in dead code. |
4951
| Uncontrolled data used in path expression | Fewer false-positive results | This rule now recognizes the Express `root` option, which prevents path traversal. |
5052
| Unneeded defensive code | More true-positive results, fewer false-positive results. | This rule now recognizes additional defensive code patterns. |
5153
| Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |
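Review bot: the replacement row for "Unused variable, import, function or class" copies the typo "implictly" from the removed line; since the line is being rewritten anyway, change it to "implicitly" here rather than in a follow-up.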

change-notes/1.20/analysis-python.md

Lines changed: 3 additions & 0 deletions
@@ -28,6 +28,7 @@ The API has been improved to declutter the global namespace and improve discover
2828
| **Query** | **Expected impact** | **Change** |
2929
|----------------------------|------------------------|------------------------------------------------------------------|
3030
| Comparison using is when operands support \_\_eq\_\_ (`py/comparison-using-is`) | Fewer false positive results | Results where one of the objects being compared is an enum member are no longer reported. |
31+
| Modification of parameter with default (`py/modification-of-default-value`) | More true positive results | Instances where the mutable default value is mutated inside other functions are now also reported. |
3132
| Mutation of descriptor in \_\_get\_\_ or \_\_set\_\_ method (`py/mutable-descriptor`) | Fewer false positive results | Results where the mutation does not occur when calling one of the `__get__`, `__set__` or `__delete__` methods are no longer reported. |
3233
| Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a `doctest` string are no longer reported. |
3334
| Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a type-hint comment are no longer reported. |
@@ -40,6 +41,8 @@ The API has been improved to declutter the global namespace and improve discover
4041

4142
* Added support for the `dill` pickle library.
4243
* Added support for the `bottle` web framework.
44+
* Added support for the `CherryPy` web framework.
45+
* Added support for the `falcon` web API framework.
4346
* Added support for the `turbogears` web framework.
4447

4548

change-notes/1.20/support/python-frameworks.csv

Lines changed: 2 additions & 0 deletions
@@ -1,6 +1,8 @@
11
Name, Category
22
Bottle, Web framework
3+
CherryPy, Web framework
34
Django, Web application framework
5+
Falcon, Web API framework
46
Flask, Microframework
57
Pyramid, Web application framework
68
Tornado, Web application framework and asynchronous networking library

cpp/config/suites/c/experimental

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
+ semmlecode-cpp-queries/Likely Bugs/RedundantNullCheckSimple.ql: /Correctness/Common Errors

cpp/config/suites/cpp/experimental

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
+ semmlecode-cpp-queries/Likely Bugs/RedundantNullCheckSimple.ql: /Correctness/Common Errors
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
/**
2+
* @name Redundant null check due to previous dereference
3+
* @description Checking a pointer for nullness after dereferencing it is
4+
* likely to be a sign that either the check can be removed, or
5+
* it should be moved before the dereference.
6+
* @kind problem
7+
* @problem.severity error
8+
* @id cpp/redundant-null-check-simple
9+
* @tags reliability
10+
* correctness
11+
* external/cwe/cwe-476
12+
*/
13+
14+
/*
15+
* Note: this query is not assigned a precision yet because we don't want it on
16+
* LGTM until its performance is well understood. It's also lacking qhelp.
17+
*/
18+
19+
import semmle.code.cpp.ir.IR
20+
21+
class NullInstruction extends ConstantValueInstruction {
22+
NullInstruction() {
23+
this.getValue() = "0" and
24+
this.getResultType().getUnspecifiedType() instanceof PointerType
25+
}
26+
}
27+
28+
/**
29+
* An instruction that will never have slicing on its result.
30+
*/
31+
class SingleValuedInstruction extends Instruction {
32+
SingleValuedInstruction() {
33+
this.getResultMemoryAccess() instanceof IndirectMemoryAccess
34+
or
35+
not this.hasMemoryResult()
36+
}
37+
}
38+
39+
predicate explicitNullTestOfInstruction(Instruction checked, Instruction bool) {
40+
bool = any(CompareInstruction cmp |
41+
exists(NullInstruction null |
42+
cmp.getLeft() = null and cmp.getRight() = checked
43+
or
44+
cmp.getLeft() = checked and cmp.getRight() = null
45+
|
46+
cmp instanceof CompareEQInstruction
47+
or
48+
cmp instanceof CompareNEInstruction
49+
)
50+
)
51+
or
52+
bool = any(ConvertInstruction convert |
53+
checked = convert.getUnary() and
54+
convert.getResultType() instanceof BoolType and
55+
checked.getResultType() instanceof PointerType
56+
)
57+
}
58+
59+
from LoadInstruction checked, LoadInstruction deref, SingleValuedInstruction sourceValue
60+
where
61+
explicitNullTestOfInstruction(checked, _) and
62+
sourceValue = deref.getSourceAddress().(LoadInstruction).getSourceValue() and
63+
sourceValue = checked.getSourceValue() and
64+
// This also holds if the blocks are equal, meaning that the check could come
65+
// before the deref. That's still not okay because when they're in the same
66+
// basic block then the deref is unavoidable even if the check concluded that
67+
// the pointer was null. To follow this idea to its full generality, we
68+
// should also give an alert when `check` post-dominates `deref`.
69+
deref.getBlock().dominates(checked.getBlock()) and
70+
not checked.getAST().isInMacroExpansion()
71+
select checked, "This null check is redundant because the value is $@ in any case", deref,
72+
"dereferenced here"
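Review bot: the macro exclusion in the `where` clause only covers `checked` (`not checked.getAST().isInMacroExpansion()`), so a dereference that comes from a macro expansion (for example an assertion-style macro that reads through the pointer) will still dominate a later hand-written null check and raise an alert; either also exclude `deref.getAST().isInMacroExpansion()` or document why dereferences in macros should count. Two smaller points: the header comment admits the query has no `@precision` and no qhelp, so it should not be promoted out of the experimental suites until both are added, and `@problem.severity error` is strong for a finding the description itself calls only "likely" to be a sign of a problem; `warning` matches the wording better.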

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@
55
* to command injection.
66
* @kind problem
77
* @problem.severity error
8-
* @precision high
8+
* @precision low
99
* @id cpp/command-line-injection
1010
* @tags security
1111
* external/cwe/cwe-078
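Review bot: dropping `@precision` from `high` to `low` on `cpp/command-line-injection` is a user-visible change (precision affects whether a query is shown by default), but change-notes/1.20/analysis-cpp.md in this same commit says nothing about it; add a row or bullet there stating the new precision and the reason for the downgrade.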

cpp/ql/src/semmle/code/cpp/Variable.qll

Lines changed: 7 additions & 0 deletions
@@ -121,6 +121,13 @@ class Variable extends Declaration, @variable {
121121
result.getLValue() = this.getAnAccess()
122122
}
123123

124+
/**
125+
* Holds if this variable is `constexpr`.
126+
*/
127+
predicate isConstexpr() {
128+
this.hasSpecifier("is_constexpr")
129+
}
130+
124131
/**
125132
* Holds if this variable is constructed from `v` as a result
126133
* of template instantiation. If so, it originates either from a template
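Review bot: the qldoc for `isConstexpr()` says "Holds if this variable is `constexpr`", while the change note in this commit distinguishes `Function.isDeclaredConstexpr()` from `Function.isConstexpr()`; state in the doc whether this predicate means "declared `constexpr`" (which is what `hasSpecifier("is_constexpr")` suggests) so readers do not expect the same two-predicate split for variables.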

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

Lines changed: 2 additions & 0 deletions
@@ -5,6 +5,7 @@ import cpp
55
private import semmle.code.cpp.dataflow.internal.FlowVar
66
private import semmle.code.cpp.models.interfaces.DataFlow
77

8+
cached
89
private newtype TNode =
910
TExprNode(Expr e) or
1011
TParameterNode(Parameter p) { exists(p.getFunction().getBlock()) } or
@@ -195,6 +196,7 @@ UninitializedNode uninitializedNode(LocalVariable v) {
195196
* Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
196197
* (intra-procedural) step.
197198
*/
199+
cached
198200
predicate localFlowStep(Node nodeFrom, Node nodeTo) {
199201
// Expr -> Expr
200202
exprToExprStep_nocfg(nodeFrom.asExpr(), nodeTo.asExpr())
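Review bot: marking `localFlowStep` as `cached` (together with the `cached` added on `TNode` in the previous hunk) pulls the whole local-flow relation and everything it depends on into one cache stage that is evaluated eagerly whenever any of it is needed; the commit gives no rationale, so add a short comment above the annotation saying which queries or performance measurements motivated it, so the next person does not remove it as redundant.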
