Merge branch 'master' into shelljs

Author: asger-semmle

change-notes/1.21/analysis-cpp.md

@@ -18,6 +18,7 @@
 | Memory is never freed (`cpp/memory-never-freed`) | More correct results | Support added for more Microsoft-specific allocation functions, including `LocalAlloc`, `GlobalAlloc`, `HeapAlloc` and `CoTaskMemAlloc`. |
 | Resource not released in destructor (`cpp/resource-not-released-in-destructor`) | Fewer false positive results | Resource allocation and deallocation functions are now determined more accurately. |
 | Comparison result is always the same | Fewer false positive results | The range analysis library is now more conservative about floating point values being possibly `NaN` |
+| Use of potentially dangerous function | More correct results | Calls to `localtime`, `ctime` and `asctime` are now detected by this query. |
 | Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | More correct results and fewer false positive results | This query now more accurately identifies wide and non-wide string/character format arguments on different platforms.  Platform detection has also been made more accurate for the purposes of this query. |
 | Wrong type of arguments to formatting function (`cpp/wrong-type-format-argument`) | Fewer false positive results | Non-standard uses of %L are now understood. |
 

change-notes/1.21/analysis-csharp.md

@@ -4,7 +4,7 @@
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-
+| Class defines a field that uses an ICryptoTransform class in a way that would be unsafe for concurrent threads (`cs/thread-unsafe-icryptotransform-field-in-class`) | Fewer false positive results | The criteria for a result has changed to include nested properties, nested fields and collections. The format of the alert message has changed to highlight the static field. |
 
 ## Changes to code extraction
 

change-notes/1.21/analysis-java.md

@@ -9,6 +9,7 @@
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Implicit conversion from array to string (`java/print-array`) | Fewer false positive results | Results in slf4j logging calls are no longer reported as slf4j supports array printing. |
 
 ## Changes to QL libraries
 

change-notes/1.21/analysis-javascript.md

@@ -5,7 +5,9 @@
 * Support for the following frameworks and libraries has been improved:
   - [koa](https://github.com/koajs/koa)
   - [socket.io](http://socket.io)
+  - [Node.js](http://nodejs.org)
   - [Firebase](https://firebase.google.com/)
+  - [Express](https://expressjs.com/)
   - [shelljs](https://www.npmjs.com/package/shelljs)
 
 * The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages intcluding [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).

change-notes/1.21/analysis-python.md

@@ -0,0 +1,26 @@
+# Improvements to Python analysis
+
+
+## General improvements
+
+> Changes that affect alerts in many files or from many queries
+> For example, changes to file classification
+
+## New queries
+  | **Query** | **Tags** | **Purpose** |
+  |-----------|----------|-------------|
+  | Accepting unknown SSH host keys when using Paramiko (`py/paramiko-missing-host-key-validation`) | security, external/cwe/cwe-295 | Finds instances where Paramiko is configured to accept unknown host keys. Results are shown on LGTM by default. |
+
+
+## Changes to existing queries
+
+  | **Query** | **Expected impact** | **Change** |
+  |-----------|---------------------|------------|
+
+## Changes to code extraction
+
+* *Series of bullet points*
+
+## Changes to QL libraries
+
+* *Series of bullet points*

cpp/ql/src/Best Practices/SloppyGlobal.ql

@@ -2,8 +2,8 @@
  * @name Short global name
  * @description Global variables should have descriptive names, to help document their use, avoid namespace pollution and reduce the risk of shadowing with local variables.
  * @kind problem
- * @problem.severity warning
- * @precision high
+ * @problem.severity recommendation
+ * @precision very-high
  * @id cpp/short-global-name
  * @tags maintainability
  */

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql

@@ -9,111 +9,8 @@
  * @tags security
  *       external/cwe/cwe-468
  */
-import cpp
-import semmle.code.cpp.controlflow.SSA
 import IncorrectPointerScalingCommon
 
-private predicate isPointerType(Type t) {
-  t instanceof PointerType or
-  t instanceof ArrayType
-}
-
-private Type baseType(Type t) {
-  (
-    exists (PointerType dt
-    | dt = t.getUnspecifiedType() and
-      result = dt.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at
-    | at = t.getUnspecifiedType() and
-      (not at.getBaseType().getUnspecifiedType() instanceof ArrayType) and
-      result = at.getBaseType().getUnspecifiedType()) or
-    exists (ArrayType at, ArrayType at2
-    | at = t.getUnspecifiedType() and
-      at2 = at.getBaseType().getUnspecifiedType() and
-      result = baseType(at2))
-  )
-  // Make sure that the type has a size and that it isn't ambiguous.  
-  and strictcount(result.getSize()) = 1
-}
-
-/**
- * Holds if there is a pointer expression with type `sourceType` at
- * location `sourceLoc` which might be the source expression for `use`.
- *
- * For example, with
- * ```
- * int intArray[5] = { 1, 2, 3, 4, 5 };
- * char *charPointer = (char *)intArray;
- * return *(charPointer + i);
- * ```
- * the array initializer on the first line is a source expression
- * for the use of `charPointer` on the third line.
- *
- * The source will either be an `Expr` or a `Parameter`.
- */
-private
-predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
-  // Reaching definitions.
-  if exists (SsaDefinition def, LocalScopeVariable v | use = def.getAUse(v)) then
-    exists (SsaDefinition def, LocalScopeVariable v
-    | use = def.getAUse(v)
-    | defSourceType(def, v, sourceType, sourceLoc))
-
-  // Pointer arithmetic
-  else if use instanceof PointerAddExpr then
-    exprSourceType(use.(PointerAddExpr).getLeftOperand(), sourceType, sourceLoc)
-  else if use instanceof PointerSubExpr then
-    exprSourceType(use.(PointerSubExpr).getLeftOperand(), sourceType, sourceLoc)
-  else if use instanceof AddExpr then
-    exprSourceType(use.(AddExpr).getAnOperand(), sourceType, sourceLoc)
-  else if use instanceof SubExpr then
-    exprSourceType(use.(SubExpr).getAnOperand(), sourceType, sourceLoc)
-  else if use instanceof CrementOperation then
-    exprSourceType(use.(CrementOperation).getOperand(), sourceType, sourceLoc)
-
-  // Conversions are not in the AST, so ignore them.
-  else if use instanceof Conversion then
-    none()
-
-  // Source expressions
-  else
-    (sourceType = use.getType().getUnspecifiedType() and
-     isPointerType(sourceType) and
-     sourceLoc = use.getLocation())
-}
-
-/**
- * Holds if there is a pointer expression with type `sourceType` at
- * location `sourceLoc` which might define the value of `v` at `def`.
- */
-private
-predicate defSourceType(SsaDefinition def, LocalScopeVariable v,
-                        Type sourceType, Location sourceLoc) {
-  exprSourceType(def.getDefiningValue(v), sourceType, sourceLoc)
-  or
-  defSourceType(def.getAPhiInput(v), v, sourceType, sourceLoc)
-  or
-  exists (Parameter p
-  | p = v and
-    def.definedByParameter(p) and
-    sourceType = p.getType().getUnspecifiedType() and
-    strictcount(p.getType()) = 1 and
-    isPointerType(sourceType) and
-    sourceLoc = p.getLocation())
-}
-
-/**
- * Gets the pointer arithmetic expression that `e` is (directly) used
- * in, if any.
- *
- * For example, in `(char*)(p + 1)`, for `p`, ths result is `p + 1`.
- */
-private Expr pointerArithmeticParent(Expr e) {
-  e = result.(PointerAddExpr).getLeftOperand() or
-  e = result.(PointerSubExpr).getLeftOperand() or
-  e = result.(PointerDiffExpr).getAnOperand()
-}
-
 from Expr dest, Type destType, Type sourceType, Type sourceBase,
      Type destBase, Location sourceLoc
 where exists(pointerArithmeticParent(dest))

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql

@@ -9,103 +9,8 @@
  * @tags security
  *       external/cwe/cwe-468
  */
-import cpp
-import semmle.code.cpp.controlflow.SSA
 import IncorrectPointerScalingCommon
 
-private predicate isPointerType(Type t) {
-  t instanceof PointerType or
-  t instanceof ArrayType
-}
-
-private Type baseType(Type t) {
-  exists (DerivedType dt
-  | dt = t.getUnspecifiedType() and
-    isPointerType(dt) and
-    result = dt.getBaseType().getUnspecifiedType())
-
-  // Make sure that the type has a size and that it isn't ambiguous.
-  and strictcount(result.getSize()) = 1
-}
-
-/**
- * Holds if there is a pointer expression with type `sourceType` at
- * location `sourceLoc` which might be the source expression for `use`.
- *
- * For example, with
- * ```
- * int intArray[5] = { 1, 2, 3, 4, 5 };
- * char *charPointer = (char *)intArray;
- * return *(charPointer + i);
- * ```
- * the array initializer on the first line is a source expression
- * for the use of `charPointer` on the third line.
- *
- * The source will either be an `Expr` or a `Parameter`.
- */
-private
-predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
-  // Reaching definitions.
-  if exists (SsaDefinition def, LocalScopeVariable v | use = def.getAUse(v)) then
-    exists (SsaDefinition def, LocalScopeVariable v
-    | use = def.getAUse(v)
-    | defSourceType(def, v, sourceType, sourceLoc))
-
-  // Pointer arithmetic
-  else if use instanceof PointerAddExpr then
-    exprSourceType(use.(PointerAddExpr).getLeftOperand(), sourceType, sourceLoc)
-  else if use instanceof PointerSubExpr then
-    exprSourceType(use.(PointerSubExpr).getLeftOperand(), sourceType, sourceLoc)
-  else if use instanceof AddExpr then
-    exprSourceType(use.(AddExpr).getAnOperand(), sourceType, sourceLoc)
-  else if use instanceof SubExpr then
-    exprSourceType(use.(SubExpr).getAnOperand(), sourceType, sourceLoc)
-  else if use instanceof CrementOperation then
-    exprSourceType(use.(CrementOperation).getOperand(), sourceType, sourceLoc)
-
-  // Conversions are not in the AST, so ignore them.
-  else if use instanceof Conversion then
-    none()
-
-  // Source expressions
-  else
-    (sourceType = use.getType().getUnspecifiedType() and
-     isPointerType(sourceType) and
-     sourceLoc = use.getLocation())
-}
-
-/**
- * Holds if there is a pointer expression with type `sourceType` at
- * location `sourceLoc` which might define the value of `v` at `def`.
- */
-private
-predicate defSourceType(SsaDefinition def, LocalScopeVariable v,
-                        Type sourceType, Location sourceLoc) {
-  exprSourceType(def.getDefiningValue(v), sourceType, sourceLoc)
-  or
-  defSourceType(def.getAPhiInput(v), v, sourceType, sourceLoc)
-  or
-  exists (Parameter p
-  | p = v and
-    def.definedByParameter(p) and
-    sourceType = p.getType().getUnspecifiedType() and
-    strictcount(p.getType()) = 1 and
-    isPointerType(sourceType) and
-    sourceLoc = p.getLocation())
-}
-
-/**
- * Gets the pointer arithmetic expression that `e` is (directly) used
- * in, if any.
- *
- * For example, in `(char*)(p + 1)`, for `p`, ths result is `p + 1`.
- */
-private Expr pointerArithmeticParent(Expr e) {
-  e = result.(PointerAddExpr).getLeftOperand() or
-  e = result.(PointerSubExpr).getLeftOperand() or
-  e = result.(PointerDiffExpr).getAnOperand()
-}
-
 from Expr dest, Type destType, Type sourceType, Type sourceBase,
      Type destBase, Location sourceLoc
 where exists(pointerArithmeticParent(dest))

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingCommon.qll

@@ -46,3 +46,109 @@ predicate addWithSizeof(Expr e, Expr sizeofExpr, Type sizeofParam) {
   | e = subExpr.getLeftOperand() and
     multiplyWithSizeof(subExpr.getRightOperand(), sizeofExpr, sizeofParam))
 }
+
+/**
+ * Holds if `t` is a pointer or array type.
+ */
+predicate isPointerType(Type t) {
+  t instanceof PointerType or
+  t instanceof ArrayType
+}
+
+/**
+ * Gets the base type of a pointer or array type.  In the case of an array of
+ * arrays, the inner base type is returned.
+ */
+Type baseType(Type t) {
+  (
+    exists (PointerType dt
+    | dt = t.getUnspecifiedType() and
+      result = dt.getBaseType().getUnspecifiedType()) or
+    exists (ArrayType at
+    | at = t.getUnspecifiedType() and
+      (not at.getBaseType().getUnspecifiedType() instanceof ArrayType) and
+      result = at.getBaseType().getUnspecifiedType()) or
+    exists (ArrayType at, ArrayType at2
+    | at = t.getUnspecifiedType() and
+      at2 = at.getBaseType().getUnspecifiedType() and
+      result = baseType(at2))
+  )
+  // Make sure that the type has a size and that it isn't ambiguous.  
+  and strictcount(result.getSize()) = 1
+}
+
+/**
+ * Holds if there is a pointer expression with type `sourceType` at
+ * location `sourceLoc` which might be the source expression for `use`.
+ *
+ * For example, with
+ * ```
+ * int intArray[5] = { 1, 2, 3, 4, 5 };
+ * char *charPointer = (char *)intArray;
+ * return *(charPointer + i);
+ * ```
+ * the array initializer on the first line is a source expression
+ * for the use of `charPointer` on the third line.
+ *
+ * The source will either be an `Expr` or a `Parameter`.
+ */
+predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
+  // Reaching definitions.
+  if exists (SsaDefinition def, LocalScopeVariable v | use = def.getAUse(v)) then
+    exists (SsaDefinition def, LocalScopeVariable v
+    | use = def.getAUse(v)
+    | defSourceType(def, v, sourceType, sourceLoc))
+
+  // Pointer arithmetic
+  else if use instanceof PointerAddExpr then
+    exprSourceType(use.(PointerAddExpr).getLeftOperand(), sourceType, sourceLoc)
+  else if use instanceof PointerSubExpr then
+    exprSourceType(use.(PointerSubExpr).getLeftOperand(), sourceType, sourceLoc)
+  else if use instanceof AddExpr then
+    exprSourceType(use.(AddExpr).getAnOperand(), sourceType, sourceLoc)
+  else if use instanceof SubExpr then
+    exprSourceType(use.(SubExpr).getAnOperand(), sourceType, sourceLoc)
+  else if use instanceof CrementOperation then
+    exprSourceType(use.(CrementOperation).getOperand(), sourceType, sourceLoc)
+
+  // Conversions are not in the AST, so ignore them.
+  else if use instanceof Conversion then
+    none()
+
+  // Source expressions
+  else
+    (sourceType = use.getType().getUnspecifiedType() and
+     isPointerType(sourceType) and
+     sourceLoc = use.getLocation())
+}
+
+/**
+ * Holds if there is a pointer expression with type `sourceType` at
+ * location `sourceLoc` which might define the value of `v` at `def`.
+ */
+predicate defSourceType(SsaDefinition def, LocalScopeVariable v,
+                        Type sourceType, Location sourceLoc) {
+  exprSourceType(def.getDefiningValue(v), sourceType, sourceLoc)
+  or
+  defSourceType(def.getAPhiInput(v), v, sourceType, sourceLoc)
+  or
+  exists (Parameter p
+  | p = v and
+    def.definedByParameter(p) and
+    sourceType = p.getType().getUnspecifiedType() and
+    strictcount(p.getType()) = 1 and
+    isPointerType(sourceType) and
+    sourceLoc = p.getLocation())
+}
+
+/**
+ * Gets the pointer arithmetic expression that `e` is (directly) used
+ * in, if any.
+ *
+ * For example, in `(char*)(p + 1)`, for `p`, ths result is `p + 1`.
+ */
+Expr pointerArithmeticParent(Expr e) {
+  e = result.(PointerAddExpr).getLeftOperand() or
+  e = result.(PointerSubExpr).getLeftOperand() or
+  e = result.(PointerDiffExpr).getAnOperand()
+}