Skip to content

Commit 9477bd5

Browse files
author
Robert Marsh
committed
Merge branch 'master' of github.com:Semmle/ql into rdmarsh/cpp/ir-buffer-read-call-se
2 parents 24c9b8b + d03aeca commit 9477bd5

File tree

654 files changed

+21901
-7903
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

654 files changed

+21901
-7903
lines changed

.codeqlmanifest.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
{ "provide": [ "*/ql/src/qlpack.yml",
2+
"*/upgrades/qlpack.yml",
3+
"misc/legacy-support/*/qlpack.yml",
4+
"misc/suite-helpers/qlpack.yml",
5+
"codeql/.codeqlmanifest.json" ] }

change-notes/1.23/analysis-cpp.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
2222
| Too few arguments to formatting function (`cpp/wrong-number-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
2323
| Too many arguments to formatting function (`cpp/too-many-format-arguments`) | Fewer false positive results | Fixed false positives resulting from mistmatching declarations of a formatting function. |
2424
| Unclear comparison precedence (`cpp/comparison-precedence`) | Fewer false positive results | False positives involving template classes and functions have been fixed. |
25+
| Comparison of narrow type with wide type in loop condition (`cpp/comparison-with-wider-type`) | Higher precision | The precision of this query has been increased to "high" as the alerts from this query have proved to be valuable on real-world projects. With this precision, results are now displayed by default in LGTM. |
2526

2627
## Changes to QL libraries
2728

@@ -32,6 +33,7 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
3233
picture of the partial flow paths from a given source. The feature is
3334
disabled by default and can be enabled for individual configurations by
3435
overriding `int explorationLimit()`.
36+
* The data-flow library now supports flow out of C++ reference parameters.
3537
* The data-flow library now allows flow through the address-of operator (`&`).
3638
* The `DataFlow::DefinitionByReferenceNode` class now considers `f(x)` to be a
3739
definition of `x` when `x` is a variable of pointer type. It no longer

change-notes/1.23/analysis-java.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,12 @@
22

33
The following changes in version 1.23 affect Java analysis in all applications.
44

5+
## New queries
6+
7+
| **Query** | **Tags** | **Purpose** |
8+
|-----------------------------|-----------|--------------------------------------------------------------------|
9+
| Continue statement that does not continue (`java/continue-in-false-loop`) | correctness | Finds `continue` statements in `do { ... } while (false)` loops. |
10+
511
## Changes to existing queries
612

713
| **Query** | **Expected impact** | **Change** |
@@ -11,6 +17,7 @@ The following changes in version 1.23 affect Java analysis in all applications.
1117
| Query built from user-controlled sources (`java/sql-injection`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
1218
| Query built from local-user-controlled sources (`java/sql-injection-local`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
1319
| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
20+
| Useless comparison test (`java/constant-comparison`) | Fewer false positives | Additional overflow check patterns are now recognized and no longer reported. |
1421

1522
## Changes to QL libraries
1623

change-notes/1.23/analysis-javascript.md

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,8 @@
22

33
## General improvements
44

5+
* Suppor for `globalThis` has been added.
6+
57
* Support for the following frameworks and libraries has been improved:
68
- [firebase](https://www.npmjs.com/package/firebase)
79
- [mongodb](https://www.npmjs.com/package/mongodb)
@@ -10,15 +12,20 @@
1012

1113
* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
1214

15+
* TypeScript 3.6 features are supported.
16+
17+
1318
## New queries
1419

1520
| **Query** | **Tags** | **Purpose** |
1621
|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
1722
| Unused index variable (`js/unused-index-variable`) | correctness | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
18-
| Loop bound injection (`js/loop-bound-injection`) | security, external/cwe/cwe-834 | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are not shown on LGTM by default. |
23+
| Loop bound injection (`js/loop-bound-injection`) | security, external/cwe/cwe-834 | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. |
1924
| Suspicious method name (`js/suspicious-method-name-declaration`) | correctness, typescript, methods | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
25+
| Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
2026
| Use of returnless function (`js/use-of-returnless-function`) | maintainability, correctness | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
2127
| Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
28+
| Unreachable method overloads (`js/unreachable-method-overloads`) | correctness, typescript | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |
2229

2330
## Changes to existing queries
2431

@@ -36,7 +43,27 @@
3643
| Reflected cross-site scripting (`js/reflected-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
3744
| Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
3845
| Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
46+
| Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
47+
| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |
3948

4049
## Changes to QL libraries
4150

4251
* `Expr.getDocumentation()` now handles chain assignments.
52+
53+
## Removal of deprecated queries
54+
55+
The following queries (deprecated since 1.17) are no longer available in the distribution:
56+
57+
* Builtin redefined (js/builtin-redefinition)
58+
* Inefficient method definition (js/method-definition-in-constructor)
59+
* Bad parity check (js/incomplete-parity-check)
60+
* Potentially misspelled property or variable name (js/wrong-capitalization)
61+
* Unknown JSDoc tag (js/jsdoc/unknown-tag-type)
62+
* Invalid JSLint directive (js/jslint/invalid-directive)
63+
* Malformed JSLint directive (js/jslint/malformed-directive)
64+
* Use of HTML comments (js/html-comment)
65+
* Multi-line string literal (js/multi-line-string)
66+
* Octal literal (js/octal-literal)
67+
* Reserved word used as variable name (js/use-of-reserved-word)
68+
* Trailing comma in array or object expressions (js/trailing-comma-in-array-or-object)
69+
* Call to parseInt without radix (js/parseint-without-radix)

change-notes/1.23/analysis-python.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,3 +12,11 @@
1212
| Clear-text logging of sensitive information (`py/clear-text-logging-sensitive-data`) | security, external/cwe/cwe-312 | Finds instances where sensitive information is logged without encryption or hashing. Results are shown on LGTM by default. |
1313
| Clear-text storage of sensitive information (`py/clear-text-storage-sensitive-data`) | security, external/cwe/cwe-312 | Finds instances where sensitive information is stored without encryption or hashing. Results are shown on LGTM by default. |
1414
| Binding a socket to all network interfaces (`py/bind-socket-all-network-interfaces`) | security | Finds instances where a socket is bound to all network interfaces. Results are shown on LGTM by default. |
15+
16+
17+
## Changes to existing queries
18+
19+
| **Query** | **Expected impact** | **Change** |
20+
|----------------------------|------------------------|------------|
21+
| Unreachable code | Fewer false positives | Analysis now accounts for uses of `contextlib.suppress` to suppress exceptions. |
22+
| `__iter__` method returns a non-iterator | Better alert message | Alert now highlights which class is expected to be an iterator. |

change-notes/1.23/extractor-javascript.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,17 @@
55
## Changes to code extraction
66

77
* Asynchronous generator methods are now parsed correctly and no longer cause a spurious syntax error.
8+
* Files in `node_modules` and `bower_components` folders are no longer extracted by default. If you still want to extract files from these folders, you can add the following filters to your `lgtm.yml` file (or add them to existing filters):
9+
10+
```yaml
11+
extraction:
12+
javascript:
13+
index:
14+
filters:
15+
- include: "**/node_modules"
16+
- include: "**/bower_components"
17+
```
18+
819
* Recognition of CommonJS modules has improved. As a result, some files that were previously extracted as
920
global scripts are now extracted as modules.
1021
* Top-level `await` is now supported.

config/identical-files.json

Lines changed: 32 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,11 @@
7676
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
7777
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
7878
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Operand.qll",
79-
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll"
79+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Operand.qll"
80+
],
81+
"IR IRType": [
82+
"cpp/ql/src/semmle/code/cpp/ir/implementation/IRType.qll",
83+
"csharp/ql/src/semmle/code/csharp/ir/implementation/IRType.qll"
8084
],
8185
"IR Operand Tag": [
8286
"cpp/ql/src/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
@@ -169,22 +173,39 @@
169173
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll",
170174
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintIRImports.qll"
171175
],
176+
"C++ SSA SSAConstructionImports": [
177+
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstructionImports.qll",
178+
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstructionImports.qll"
179+
],
172180
"C++ SSA AliasAnalysis": [
173181
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
174182
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
175183
],
176-
"C++ SSA SSAConstruction": [
184+
"C++ IR ValueNumberingImports": [
185+
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
186+
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
187+
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
188+
],
189+
"IR SSA SimpleSSA": [
190+
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
191+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
192+
],
193+
"IR SSA SSAConstruction": [
177194
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
178-
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
195+
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
196+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
179197
],
180-
"C++ SSA PrintSSA": [
198+
"IR SSA PrintSSA": [
181199
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
182-
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
200+
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
201+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
183202
],
184-
"C++ IR ValueNumber": [
203+
"IR ValueNumber": [
185204
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
186205
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
187-
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
206+
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
207+
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll",
208+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
188209
],
189210
"C++ IR ConstantAnalysis": [
190211
"cpp/ql/src/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -235,5 +256,9 @@
235256
"C# IR PrintIRImports": [
236257
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/internal/PrintIRImports.qll",
237258
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
259+
],
260+
"C# IR ValueNumberingImports": [
261+
"csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
262+
"csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
238263
]
239264
}

cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.qhelp

Lines changed: 35 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -2,36 +2,39 @@
22
"-//Semmle//qhelp//EN"
33
"qhelp.dtd">
44
<qhelp>
5-
<overview>
6-
<p>
7-
Checking for overflow of integer addition needs to be done with
8-
care, because automatic type promotion can prevent the check
9-
from working correctly.
10-
</p>
11-
</overview>
12-
<recommendation>
13-
<p>
14-
Use an explicit cast to make sure that the result of the addition is
15-
not implicitly converted to a larger type.
16-
</p>
17-
</recommendation>
18-
<example>
19-
<sample src="BadAdditionOverflowCheckExample1.cpp" />
20-
<p>
21-
On a typical architecture where <tt>short</tt> is 16 bits
22-
and <tt>int</tt> is 32 bits, the operands of the addition are
23-
automatically promoted to <tt>int</tt>, so it cannot overflow
24-
and the result of the comparison is always false.
25-
</p>
26-
<p>
27-
The code below implements the check correctly, by using an
28-
explicit cast to make sure that the result of the addition
29-
is <tt>unsigned short</tt>.
30-
</p>
31-
<sample src="BadAdditionOverflowCheckExample2.cpp" />
32-
</example>
33-
<references>
34-
<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
35-
<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
36-
</references>
5+
6+
<overview>
7+
<p>
8+
Checking for overflow of integer addition needs to be done with
9+
care, because automatic type promotion can prevent the check
10+
from working as intended, with the same value (<code>true</code>
11+
or <code>false</code>) always being returned.
12+
</p>
13+
</overview>
14+
<recommendation>
15+
<p>
16+
Use an explicit cast to make sure that the result of the addition is
17+
not implicitly converted to a larger type.
18+
</p>
19+
</recommendation>
20+
<example>
21+
<sample src="BadAdditionOverflowCheckExample1.cpp" />
22+
<p>
23+
On a typical architecture where <code>short</code> is 16 bits
24+
and <code>int</code> is 32 bits, the operands of the addition are
25+
automatically promoted to <code>int</code>, so it cannot overflow
26+
and the result of the comparison is always false.
27+
</p>
28+
<p>
29+
The code below implements the check correctly, by using an
30+
explicit cast to make sure that the result of the addition
31+
is <code>unsigned short</code> (which may overflow, in which case
32+
the comparison would evaluate to <code>true</code>).
33+
</p>
34+
<sample src="BadAdditionOverflowCheckExample2.cpp" />
35+
</example>
36+
<references>
37+
<li><a href="http://c-faq.com/expr/preservingrules.html">Preserving Rules</a></li>
38+
<li><a href="https://www.securecoding.cert.org/confluence/plugins/servlet/mobile#content/view/20086942">Understand integer conversion rules</a></li>
39+
</references>
3740
</qhelp>
Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
11
bool checkOverflow(unsigned short x, unsigned short y) {
2-
return (x + y < x); // BAD: x and y are automatically promoted to int.
2+
// BAD: comparison is always false due to type promotion
3+
return (x + y < x);
34
}

cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,4 +18,4 @@ where
1818
co.getAChild() = chco and
1919
not chco.isParenthesised() and
2020
not co.isFromUninstantiatedTemplate(_)
21-
select co, "Check the comparison operator precedence."
21+
select co, "Comparison as an operand to another comparison."

0 commit comments

Comments
 (0)