github
diff --git a/‎change-notes/1.23/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.23/analysis-csharp.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 4 additions & 0 deletions b/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎config/identical-files.json‎
Lines changed: 2 additions & 0 deletions b/‎config/identical-files.json‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Variable.qll‎
Lines changed: 123 additions & 17 deletions b/‎cpp/ql/src/semmle/code/cpp/Variable.qll‎
Lines changed: 123 additions & 17 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/commons/CommonType.qll‎
Lines changed: 14 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/commons/CommonType.qll‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll‎
Lines changed: 6 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll‎
Lines changed: 6 additions & 1 deletion
@@ -36,5 +36,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
   picture of the partial flow paths from a given source. The feature is
   disabled by default and can be enabled for individual configurations by
   overriding `int explorationLimit()`.
+* `foreach` statements where the body is guaranteed to be executed at least once, such as `foreach (var x in new string[]{ "a", "b", "c" }) { ... }`, are now recognized by all analyses based on the control flow graph (such as SSA, data flow and taint tracking).
 
 ## Changes to autobuilder
@@ -13,16 +13,20 @@
 
 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 |---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. |
 
 
 ## Changes to existing queries
 
 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
 | Client-side cross-site scripting (`js/xss`) | More results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
+| Hard-coded credentials (`js/hardcoded-credentials`) | Fewer false-positive results | This rule now flags fewer password examples. |
 | Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false-positive results | The query recognizes valid checks in more cases. 
 | Network data written to file (`js/http-to-file-access`) | Fewer false-positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. | 
+| Password in configuration file (`js/password-in-configuration-file`) | Fewer false-positive results | This rule now flags fewer password examples. |
 | Prototype pollution (`js/prototype-pollution`) | More results | The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
 
 
@@ -29,6 +29,8 @@
   "TaintTracking::Configuration Java/C++/C#": [
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll",
 
@@ -4,7 +4,21 @@ import semmle.code.cpp.Initializer
 private import semmle.code.cpp.internal.ResolveClass
 
 /**
- * A C/C++ variable.
+ * A C/C++ variable. For example, in the following code there are four
+ * variables, `a`, `b`, `c` and `d`:
+ * ```
+ * extern int a;
+ * int a;
+ *
+ * void myFunction(int b) {
+ *   int c;
+ * }
+ *
+ * namespace N {
+ *   extern int d;
+ *   int d = 1;
+ * }
+ * ```
  *
  * For local variables, there is a one-to-one correspondence between
  * `Variable` and `VariableDeclarationEntry`.
@@ -162,7 +176,22 @@ class Variable extends Declaration, @variable {
 }
 
 /**
- * A particular declaration or definition of a C/C++ variable.
+ * A particular declaration or definition of a C/C++ variable. For example, in
+ * the following code there are six variable declaration entries - two each for
+ * `a` and `d`, and one each for `b` and `c`:
+ * ```
+ * extern int a;
+ * int a;
+ *
+ * void myFunction(int b) {
+ *   int c;
+ * }
+ *
+ * namespace N {
+ *   extern int d;
+ *   int d = 1;
+ * }
+ * ```
  */
 class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
   override Variable getDeclaration() { result = getVariable() }
@@ -183,13 +212,13 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
    * because the parameter may have a different name in the declaration
    * than in the definition. For example:
    *
-   *    ```
-   *    // Declaration. Parameter is named "x".
-   *    int f(int x);
+   * ```
+   * // Declaration. Parameter is named "x".
+   * int f(int x);
    *
-   *    // Definition. Parameter is named "y".
-   *    int f(int y) { return y; }
-   *    ```
+   * // Definition. Parameter is named "y".
+   * int f(int y) { return y; }
+   * ```
    */
   override string getName() { var_decls(underlyingElement(this), _, _, result, _) and result != "" }
 
@@ -215,7 +244,13 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
 
 /**
  * A parameter as described within a particular declaration or definition
- * of a C/C++ function.
+ * of a C/C++ function. For example the declaration of `a` in the following
+ * code:
+ * ```
+ * void myFunction(int a) {
+ *   int b;
+ * }
+ * ```
  */
 class ParameterDeclarationEntry extends VariableDeclarationEntry {
   ParameterDeclarationEntry() { param_decl_bind(underlyingElement(this), _, _) }
@@ -272,8 +307,17 @@ class ParameterDeclarationEntry extends VariableDeclarationEntry {
 
 /**
  * A C/C++ variable with block scope [N4140 3.3.3]. In other words, a local
- * variable or a function parameter. Local variables can be static; use the
- * `isStatic` member predicate to detect those.
+ * variable or a function parameter. For example, the variables `a`, `b` and
+ * `c` in the following code:
+ * ```
+ * void myFunction(int a) {
+ *   int b;
+ *   static int c;
+ * }
+ * ```
+ * 
+ * Local variables can be static; use the `isStatic` member predicate to
+ * detect those.
  */
 class LocalScopeVariable extends Variable, @localscopevariable {
   /** Gets the function to which this variable belongs. */
@@ -292,6 +336,14 @@ deprecated class StackVariable extends Variable {
 /**
  * A C/C++ local variable. In other words, any variable that has block
  * scope [N4140 3.3.3], but is not a parameter of a `Function` or `CatchBlock`.
+ * For example the variables `b` and `c` in the following code:
+ * ```
+ * void myFunction(int a) {
+ *   int b;
+ *   static int c;
+ * }
+ * ```
+ * 
  * Local variables can be static; use the `isStatic` member predicate to detect
  * those.
  *
@@ -310,7 +362,15 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
 }
 
 /**
- * A C/C++ variable which has global scope or namespace scope.
+ * A C/C++ variable which has global scope or namespace scope. For example the
+ * variables `a` and `b` in the following code:
+ * ```
+ * int a;
+ *
+ * namespace N {
+ *   int b;
+ * }
+ * ```
  */
 class GlobalOrNamespaceVariable extends Variable, @globalvariable {
   override string getName() { globalvariables(underlyingElement(this), _, result) }
@@ -321,7 +381,15 @@ class GlobalOrNamespaceVariable extends Variable, @globalvariable {
 }
 
 /**
- * A C/C++ variable which has namespace scope.
+ * A C/C++ variable which has namespace scope. For example the variable `b`
+ * in the following code:
+ * ```
+ * int a;
+ *
+ * namespace N {
+ *   int b;
+ * }
+ * ```
  */
 class NamespaceVariable extends GlobalOrNamespaceVariable {
   NamespaceVariable() {
@@ -330,7 +398,15 @@ class NamespaceVariable extends GlobalOrNamespaceVariable {
 }
 
 /**
- * A C/C++ variable which has global scope.
+ * A C/C++ variable which has global scope. For example the variable `a`
+ * in the following code:
+ * ```
+ * int a;
+ *
+ * namespace N {
+ *   int b;
+ * }
+ * ```
  *
  * Note that variables declared in anonymous namespaces have namespace scope,
  * even though they are accessed in the same manner as variables declared in
@@ -341,7 +417,15 @@ class GlobalVariable extends GlobalOrNamespaceVariable {
 }
 
 /**
- * A C structure member or C++ member variable.
+ * A C structure member or C++ member variable. For example the member
+ * variables `m` and `s` in the following code:
+ * ```
+ * class MyClass {
+ * public:
+ *   int m;
+ *   static int s;
+ * };
+ * ```
  *
  * This includes static member variables in C++. To exclude static member
  * variables, use `Field` instead of `MemberVariable`.
@@ -395,7 +479,12 @@ deprecated class FunctionPointerMemberVariable extends MemberVariable {
 }
 
 /**
- * A C++14 variable template.
+ * A C++14 variable template. For example, in the following code the variable
+ * template `v` defines a family of variables:
+ * ```
+ * template<class T>
+ * T v;
+ * ```
  */
 class TemplateVariable extends Variable {
   TemplateVariable() { is_variable_template(underlyingElement(this)) }
@@ -410,7 +499,24 @@ class TemplateVariable extends Variable {
  * A non-static local variable or parameter that is not part of an
  * uninstantiated template. Uninstantiated templates are purely syntax, and
  * only on instantiation will they be complete with information about types,
- * conversions, call targets, etc.
+ * conversions, call targets, etc. For example in the following code, the
+ * variables `a` in `myFunction` and `b` in the instantiation
+ * `myTemplateFunction<int>`, but not `b` in the template
+ * `myTemplateFunction<T>`:
+ * ```
+ * void myFunction() {
+ *   T a;
+ * }
+ *
+ * template<type T>
+ * void myTemplateFunction() {
+ *   T b;
+ * }
+ * 
+ * ...
+ * 
+ * myTemplateFunction<int>();
+ * ```
  */
 class SemanticStackVariable extends LocalScopeVariable {
   SemanticStackVariable() {
 
@@ -166,3 +166,17 @@ class MicrosoftInt64Type extends IntegralType {
     not isExplicitlySigned()
   }
 }
+
+/**
+ * The `__builtin_va_list` type, used to provide variadic functionality.
+ *
+ * This is a complement to the `__builtin_va_start`, `__builtin_va_end`,
+ * `__builtin_va_copy` and `__builtin_va_arg` expressions.
+ */
+class BuiltInVarArgsList extends Type {
+  BuiltInVarArgsList() {
+    this.hasName("__builtin_va_list")
+  }
+
+  override string getCanonicalQLClass() { result = "BuiltInVarArgsList" }
+}
@@ -1260,7 +1260,7 @@ abstract private class AccessPath extends TAccessPath {
 
 private class AccessPathNil extends AccessPath, TNil {
   override string toString() {
-    exists(DataFlowType t | this = TNil(t) | result = concat(ppReprType(t)))
+    exists(DataFlowType t | this = TNil(t) | result = concat(" : " + ppReprType(t)))
   }
 
   override AccessPathFront getFront() {
@@ -1647,6 +1647,11 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
   query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    reach(n) and key = "semmle.label" and val = n.toString()
+  }
 }
 
 /**
 
@@ -1260,7 +1260,7 @@ abstract private class AccessPath extends TAccessPath {
 
 private class AccessPathNil extends AccessPath, TNil {
   override string toString() {
-    exists(DataFlowType t | this = TNil(t) | result = concat(ppReprType(t)))
+    exists(DataFlowType t | this = TNil(t) | result = concat(" : " + ppReprType(t)))
   }
 
   override AccessPathFront getFront() {
@@ -1647,6 +1647,11 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
   query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    reach(n) and key = "semmle.label" and val = n.toString()
+  }
 }
 
 /**
 
@@ -1260,7 +1260,7 @@ abstract private class AccessPath extends TAccessPath {
 
 private class AccessPathNil extends AccessPath, TNil {
   override string toString() {
-    exists(DataFlowType t | this = TNil(t) | result = concat(ppReprType(t)))
+    exists(DataFlowType t | this = TNil(t) | result = concat(" : " + ppReprType(t)))
   }
 
   override AccessPathFront getFront() {
@@ -1647,6 +1647,11 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
   query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    reach(n) and key = "semmle.label" and val = n.toString()
+  }
 }
 
 /**
 
@@ -1260,7 +1260,7 @@ abstract private class AccessPath extends TAccessPath {
 
 private class AccessPathNil extends AccessPath, TNil {
   override string toString() {
-    exists(DataFlowType t | this = TNil(t) | result = concat(ppReprType(t)))
+    exists(DataFlowType t | this = TNil(t) | result = concat(" : " + ppReprType(t)))
   }
 
   override AccessPathFront getFront() {
@@ -1647,6 +1647,11 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
   query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    reach(n) and key = "semmle.label" and val = n.toString()
+  }
 }
 
 /**
 
@@ -1260,7 +1260,7 @@ abstract private class AccessPath extends TAccessPath {
 
 private class AccessPathNil extends AccessPath, TNil {
   override string toString() {
-    exists(DataFlowType t | this = TNil(t) | result = concat(ppReprType(t)))
+    exists(DataFlowType t | this = TNil(t) | result = concat(" : " + ppReprType(t)))
   }
 
   override AccessPathFront getFront() {
@@ -1647,6 +1647,11 @@ private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1
 module PathGraph {
   /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
   query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    reach(n) and key = "semmle.label" and val = n.toString()
+  }
 }
 
 /**