upgrade query to detect redash CVE too

Author: am0o0

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.
+
 ## 0.7.2
 
 ### New Features

cpp/ql/lib/change-notes/released/0.7.3.md

@@ -0,0 +1,7 @@
+## 0.7.3
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
+* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `CodeDuplication.qll` file.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.2
+lastReleaseVersion: 0.7.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.7.3-dev
+version: 0.7.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -193,86 +193,89 @@ private class SingleUseOperandNode0 extends OperandNode0, TSingleUseOperandNode0
   SingleUseOperandNode0() { this = TSingleUseOperandNode0(op) }
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an operand in the IR
- * after `index` number of loads.
- *
- * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may
- * be an `OperandNode`.
- */
-class IndirectOperand extends Node {
-  Operand operand;
-  int indirectionIndex;
+private module IndirectOperands {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * A node that represents the indirect value of an operand in the IR
+   * after `index` number of loads.
+   *
+   * Note: Unlike `RawIndirectOperand`, a value of type `IndirectOperand` may
+   * be an `OperandNode`.
+   */
+  abstract class IndirectOperand extends Node {
+    /** Gets the underlying operand and the underlying indirection index. */
+    abstract predicate hasOperandAndIndirectionIndex(Operand operand, int indirectionIndex);
+  }
 
-  IndirectOperand() {
-    this.(RawIndirectOperand).getOperand() = operand and
-    this.(RawIndirectOperand).getIndirectionIndex() = indirectionIndex
-    or
-    nodeHasOperand(this, Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex),
-      indirectionIndex - 1)
+  private class IndirectOperandFromRaw extends IndirectOperand instanceof RawIndirectOperand {
+    override predicate hasOperandAndIndirectionIndex(Operand operand, int indirectionIndex) {
+      operand = RawIndirectOperand.super.getOperand() and
+      indirectionIndex = RawIndirectOperand.super.getIndirectionIndex()
+    }
   }
 
-  /** Gets the underlying operand. */
-  Operand getOperand() { result = operand }
+  private class IndirectOperandFromIRRepr extends IndirectOperand {
+    Operand operand;
+    int indirectionIndex;
 
-  /** Gets the underlying indirection index. */
-  int getIndirectionIndex() { result = indirectionIndex }
+    IndirectOperandFromIRRepr() {
+      exists(Operand repr |
+        repr = Ssa::getIRRepresentationOfIndirectOperand(operand, indirectionIndex) and
+        nodeHasOperand(this, repr, indirectionIndex - 1)
+      )
+    }
 
-  /**
-   * Holds if this `IndirectOperand` is represented directly in the IR instead of
-   * a `RawIndirectionOperand` with operand `op` and indirection index `index`.
-   */
-  predicate isIRRepresentationOf(Operand op, int index) {
-    this instanceof OperandNode and
-    (
-      op = operand and
-      index = indirectionIndex
-    )
+    override predicate hasOperandAndIndirectionIndex(Operand op, int index) {
+      op = operand and index = indirectionIndex
+    }
   }
 }
 
-/**
- * INTERNAL: Do not use.
- *
- * A node that represents the indirect value of an instruction in the IR
- * after `index` number of loads.
- *
- * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may
- * be an `InstructionNode`.
- */
-class IndirectInstruction extends Node {
-  Instruction instr;
-  int indirectionIndex;
+import IndirectOperands
 
-  IndirectInstruction() {
-    this.(RawIndirectInstruction).getInstruction() = instr and
-    this.(RawIndirectInstruction).getIndirectionIndex() = indirectionIndex
-    or
-    nodeHasInstruction(this, Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex),
-      indirectionIndex - 1)
+private module IndirectInstructions {
+  /**
+   * INTERNAL: Do not use.
+   *
+   * A node that represents the indirect value of an instruction in the IR
+   * after `index` number of loads.
+   *
+   * Note: Unlike `RawIndirectInstruction`, a value of type `IndirectInstruction` may
+   * be an `InstructionNode`.
+   */
+  abstract class IndirectInstruction extends Node {
+    /** Gets the underlying operand and the underlying indirection index. */
+    abstract predicate hasInstructionAndIndirectionIndex(Instruction instr, int index);
   }
 
-  /** Gets the underlying instruction. */
-  Instruction getInstruction() { result = instr }
+  private class IndirectInstructionFromRaw extends IndirectInstruction instanceof RawIndirectInstruction
+  {
+    override predicate hasInstructionAndIndirectionIndex(Instruction instr, int index) {
+      instr = RawIndirectInstruction.super.getInstruction() and
+      index = RawIndirectInstruction.super.getIndirectionIndex()
+    }
+  }
 
-  /** Gets the underlying indirection index. */
-  int getIndirectionIndex() { result = indirectionIndex }
+  private class IndirectInstructionFromIRRepr extends IndirectInstruction {
+    Instruction instr;
+    int indirectionIndex;
 
-  /**
-   * Holds if this `IndirectInstruction` is represented directly in the IR instead of
-   * a `RawIndirectionInstruction` with instruction `i` and indirection index `index`.
-   */
-  predicate isIRRepresentationOf(Instruction i, int index) {
-    this instanceof InstructionNode and
-    (
-      i = instr and
-      index = indirectionIndex
-    )
+    IndirectInstructionFromIRRepr() {
+      exists(Instruction repr |
+        repr = Ssa::getIRRepresentationOfIndirectInstruction(instr, indirectionIndex) and
+        nodeHasInstruction(this, repr, indirectionIndex - 1)
+      )
+    }
+
+    override predicate hasInstructionAndIndirectionIndex(Instruction i, int index) {
+      i = instr and index = indirectionIndex
+    }
   }
 }
 
+import IndirectInstructions
+
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
 
@@ -320,7 +323,7 @@ private class SideEffectArgumentNode extends ArgumentNode, SideEffectOperandNode
   override predicate argumentOf(DataFlowCall dfCall, ArgumentPosition pos) {
     this.getCallInstruction() = dfCall and
     pos.(IndirectionPosition).getArgumentIndex() = this.getArgumentIndex() and
-    pos.(IndirectionPosition).getIndirectionIndex() = super.getIndirectionIndex()
+    super.hasAddressOperandAndIndirectionIndex(_, pos.(IndirectionPosition).getIndirectionIndex())
   }
 }
 
@@ -845,7 +848,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  * One example would be to allow flow like `p.foo = p.bar;`, which is disallowed
  * by default as a heuristic.
  */
-predicate allowParameterReturnInSelf(ParameterNode p) { none() }
+predicate allowParameterReturnInSelf(ParameterNode p) { p instanceof IndirectParameterNode }
 
 private predicate fieldHasApproxName(Field f, string s) {
   s = f.getName().charAt(0) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -274,7 +274,7 @@ class Node extends TIRDataFlowNode {
    * represents the value of `**x` going into `f`.
    */
   Expr asIndirectArgument(int index) {
-    this.(SideEffectOperandNode).getIndirectionIndex() = index and
+    this.(SideEffectOperandNode).hasAddressOperandAndIndirectionIndex(_, index) and
     result = this.(SideEffectOperandNode).getArgument()
   }
 
@@ -317,7 +317,7 @@ class Node extends TIRDataFlowNode {
     index = 0 and
     result = this.(ExplicitParameterNode).getParameter()
     or
-    this.(IndirectParameterNode).getIndirectionIndex() = index and
+    this.(IndirectParameterNode).hasInstructionAndIndirectionIndex(_, index) and
     result = this.(IndirectParameterNode).getParameter()
   }
 
@@ -577,15 +577,20 @@ class SsaPhiNode extends Node, TSsaPhiNode {
  *
  * A node representing a value after leaving a function.
  */
-class SideEffectOperandNode extends Node, IndirectOperand {
+class SideEffectOperandNode extends Node instanceof IndirectOperand {
   CallInstruction call;
   int argumentIndex;
 
-  SideEffectOperandNode() { operand = call.getArgumentOperand(argumentIndex) }
+  SideEffectOperandNode() {
+    IndirectOperand.super.hasOperandAndIndirectionIndex(call.getArgumentOperand(argumentIndex), _)
+  }
 
   CallInstruction getCallInstruction() { result = call }
 
-  Operand getAddressOperand() { result = operand }
+  /** Gets the underlying operand and the underlying indirection index. */
+  predicate hasAddressOperandAndIndirectionIndex(Operand operand, int indirectionIndex) {
+    IndirectOperand.super.hasOperandAndIndirectionIndex(operand, indirectionIndex)
+  }
 
   int getArgumentIndex() { result = argumentIndex }
 
@@ -665,10 +670,10 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {
  *
  * A node representing an indirection of a parameter.
  */
-class IndirectParameterNode extends Node, IndirectInstruction {
+class IndirectParameterNode extends Node instanceof IndirectInstruction {
   InitializeParameterInstruction init;
 
-  IndirectParameterNode() { this.getInstruction() = init }
+  IndirectParameterNode() { IndirectInstruction.super.hasInstructionAndIndirectionIndex(init, _) }
 
   int getArgumentIndex() { init.hasIndex(result) }
 
@@ -677,7 +682,12 @@ class IndirectParameterNode extends Node, IndirectInstruction {
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
 
-  override Declaration getFunction() { result = this.getInstruction().getEnclosingFunction() }
+  override Declaration getFunction() { result = init.getEnclosingFunction() }
+
+  /** Gets the underlying operand and the underlying indirection index. */
+  predicate hasInstructionAndIndirectionIndex(Instruction instr, int index) {
+    IndirectInstruction.super.hasInstructionAndIndirectionIndex(instr, index)
+  }
 
   override Location getLocationImpl() { result = this.getParameter().getLocation() }
 
@@ -699,7 +709,8 @@ class IndirectReturnNode extends Node {
   IndirectReturnNode() {
     this instanceof FinalParameterNode
     or
-    this.(IndirectOperand).getOperand() = any(ReturnValueInstruction ret).getReturnAddressOperand()
+    this.(IndirectOperand)
+        .hasOperandAndIndirectionIndex(any(ReturnValueInstruction ret).getReturnAddressOperand(), _)
   }
 
   override Declaration getEnclosingCallable() { result = this.getFunction() }
@@ -722,7 +733,7 @@ class IndirectReturnNode extends Node {
   int getIndirectionIndex() {
     result = this.(FinalParameterNode).getIndirectionIndex()
     or
-    result = this.(IndirectOperand).getIndirectionIndex()
+    this.(IndirectOperand).hasOperandAndIndirectionIndex(_, result)
   }
 }
 
@@ -1106,7 +1117,8 @@ predicate exprNodeShouldBeInstruction(Node node, Expr e) {
 /** Holds if `node` should be an `IndirectInstruction` that maps `node.asIndirectExpr()` to `e`. */
 predicate indirectExprNodeShouldBeIndirectInstruction(IndirectInstruction node, Expr e) {
   exists(Instruction instr |
-    instr = node.getInstruction() and not indirectExprNodeShouldBeIndirectOperand(_, e)
+    node.hasInstructionAndIndirectionIndex(instr, _) and
+    not indirectExprNodeShouldBeIndirectOperand(_, e)
   |
     e = instr.(VariableAddressInstruction).getAst().(Expr).getFullyConverted()
     or
@@ -1307,8 +1319,8 @@ pragma[noinline]
 private predicate indirectParameterNodeHasArgumentIndexAndIndex(
   IndirectParameterNode node, int argumentIndex, int indirectionIndex
 ) {
-  node.getArgumentIndex() = argumentIndex and
-  node.getIndirectionIndex() = indirectionIndex
+  node.hasInstructionAndIndirectionIndex(_, indirectionIndex) and
+  node.getArgumentIndex() = argumentIndex
 }
 
 /** A synthetic parameter to model the pointed-to object of a pointer parameter. */
@@ -1479,18 +1491,14 @@ VariableNode variableNode(Variable v) {
  */
 Node uninitializedNode(LocalVariable v) { none() }
 
-pragma[noinline]
 predicate hasOperandAndIndex(IndirectOperand indirectOperand, Operand operand, int indirectionIndex) {
-  indirectOperand.getOperand() = operand and
-  indirectOperand.getIndirectionIndex() = indirectionIndex
+  indirectOperand.hasOperandAndIndirectionIndex(operand, indirectionIndex)
 }
 
-pragma[noinline]
 predicate hasInstructionAndIndex(
   IndirectInstruction indirectInstr, Instruction instr, int indirectionIndex
 ) {
-  indirectInstr.getInstruction() = instr and
-  indirectInstr.getIndirectionIndex() = indirectionIndex
+  indirectInstr.hasInstructionAndIndirectionIndex(instr, indirectionIndex)
 }
 
 cached
@@ -1656,8 +1664,7 @@ module ExprFlowCached {
   private predicate isIndirectBaseOfArrayAccess(IndirectOperand n, Expr e) {
     exists(LoadInstruction load, PointerArithmeticInstruction pai |
       pai = load.getSourceAddress() and
-      pai.getLeftOperand() = n.getOperand() and
-      n.getIndirectionIndex() = 1 and
+      n.hasOperandAndIndirectionIndex(pai.getLeftOperand(), 1) and
       e = load.getConvertedResultExpression()
     )
   }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRFieldFlowSteps.qll

@@ -13,7 +13,7 @@ class FieldFlowPropertyProvider extends IRPropertyProvider {
   override string getOperandProperty(Operand operand, string key) {
     exists(PostFieldUpdateNode pfun, Content content |
       key = "store " + content.toString() and
-      operand = pfun.getPreUpdateNode().(IndirectOperand).getOperand() and
+      pfun.getPreUpdateNode().(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
       result =
         strictconcat(string element, Node node |
           storeStep(node, content, pfun) and
@@ -25,7 +25,7 @@ class FieldFlowPropertyProvider extends IRPropertyProvider {
     or
     exists(Node node2, Content content |
       key = "read " + content.toString() and
-      operand = node2.(IndirectOperand).getOperand() and
+      node2.(IndirectOperand).hasOperandAndIndirectionIndex(operand, _) and
       result =
         strictconcat(string element, Node node1 |
           readStep(node1, content, node2) and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

@@ -18,9 +18,12 @@ private string stars(int k) {
 }
 
 string starsForNode(Node node) {
-  result = stars(node.(IndirectInstruction).getIndirectionIndex())
-  or
-  result = stars(node.(IndirectOperand).getIndirectionIndex())
+  exists(int indirectionIndex |
+    node.(IndirectInstruction).hasInstructionAndIndirectionIndex(_, indirectionIndex) or
+    node.(IndirectOperand).hasOperandAndIndirectionIndex(_, indirectionIndex)
+  |
+    result = stars(indirectionIndex)
+  )
   or
   not node instanceof IndirectInstruction and
   not node instanceof IndirectOperand and