
Commit b8cba38

committed
Merge branch 'main' of github.com:github/codeql into python-port-unsafe-deserialization
2 parents 3a281a1 + 92ccb79 commit b8cba38


350 files changed

+22672
-5773
lines changed


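--- a/change-notes/1.26/analysis-cpp.md
+++ b/change-notes/1.26/analysis-cpp.md
@@ -25,6 +25,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 * The models library now models many more taint flows through `std::string`.
 * The models library now models many taint flows through `std::istream` and `std::ostream`.
 * The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
-* The models library now models some taint flows through `std::pair`, `std::map` and `std::unordered_map`.
+* The models library now models many taint flows through `std::pair`, `std::map`, `std::unordered_map`, `std::set` and `std::unordered_set`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
 `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.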

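--- a/change-notes/1.26/analysis-javascript.md
+++ b/change-notes/1.26/analysis-javascript.md
@@ -3,6 +3,8 @@
 ## General improvements
 
 * Support for the following frameworks and libraries has been improved:
+- [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
+- [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
 - [bluebird](https://www.npmjs.com/package/bluebird)
 - [express](https://www.npmjs.com/package/express)
 - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)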

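--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -23,10 +23,7 @@ import semmle.code.cpp.security.TaintTracking
 * ```
 */
 predicate sourceSized(FunctionCall fc, Expr src) {
-exists(string name |
-(name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
-fc.getTarget().hasGlobalOrStdName(name)
-) and
+fc.getTarget().hasGlobalOrStdName(["strncpy", "strncat", "memcpy", "memmove"]) and
 exists(Expr dest, Expr size, Variable v |
 fc.getArgument(0) = dest and
 fc.getArgument(1) = src and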

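--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -15,12 +15,7 @@
 import cpp
 
 class Allocation extends FunctionCall {
-Allocation() {
-exists(string name |
-this.getTarget().hasGlobalOrStdName(name) and
-(name = "malloc" or name = "calloc" or name = "realloc")
-)
-}
+Allocation() { this.getTarget().hasGlobalOrStdName(["malloc", "calloc", "realloc"]) }
 
 private string getName() { this.getTarget().hasGlobalOrStdName(result) }
 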
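Review bot: `Allocation` still has no QLDoc (the line before `class Allocation` is blank), so the one-line constructor now carries the whole contract without stating it; add `/** A call to `malloc`, `calloc` or `realloc`, matched by global or `std` name. */` above the class. The `getName()` member two lines below binds `result` through `hasGlobalOrStdName` instead of the same three-name list, which is only correct while the two stay in sync, so a short comment on it such as `// yields the allocation function name accepted by the characteristic predicate` would help the next editor. The class body continues outside the hunk.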
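--- a/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
+++ b/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
@@ -13,14 +13,7 @@
 import cpp
 
 class ForbiddenFunction extends Function {
-ForbiddenFunction() {
-exists(string name | name = this.getName() |
-name = "setjmp" or
-name = "longjmp" or
-name = "sigsetjmp" or
-name = "siglongjmp"
-)
-}
+ForbiddenFunction() { this.getName() = ["setjmp", "longjmp", "sigsetjmp", "siglongjmp"] }
 }
 
 from FunctionCall call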
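Review bot: The rewritten characteristic predicate matches on `this.getName()`, while the sibling hunks in this commit (OverflowDestination.ql, SizeCheck2.ql) match with `hasGlobalOrStdName` and PotentiallyDangerousFunction.ql with `hasGlobalName`; `getName()` also accepts a member or namespaced function that merely shares one of these names, so if only the C library entry points are intended, `ForbiddenFunction() { this.hasGlobalName(["setjmp", "longjmp", "sigsetjmp", "siglongjmp"]) }` states that explicitly (the behaviour change, if any, is inferred and worth confirming against the query's tests). Independently, the class has no QLDoc; add `/** A function named `setjmp`, `longjmp`, `sigsetjmp` or `siglongjmp`, whose use is forbidden by this rule. */` above `class ForbiddenFunction`.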

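--- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
+++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
@@ -40,9 +40,7 @@ class DateStructModifiedFieldAccess extends LeapYearFieldAccess {
 */
 class SafeTimeGatheringFunction extends Function {
 SafeTimeGatheringFunction() {
-this.getQualifiedName() = "GetFileTime" or
-this.getQualifiedName() = "GetSystemTime" or
-this.getQualifiedName() = "NtQuerySystemTime"
+this.getQualifiedName() = ["GetFileTime", "GetSystemTime", "NtQuerySystemTime"]
 }
 }
 
@@ -51,15 +49,11 @@ class SafeTimeGatheringFunction extends Function {
 */
 class TimeConversionFunction extends Function {
 TimeConversionFunction() {
-this.getQualifiedName() = "FileTimeToSystemTime" or
-this.getQualifiedName() = "SystemTimeToFileTime" or
-this.getQualifiedName() = "SystemTimeToTzSpecificLocalTime" or
-this.getQualifiedName() = "SystemTimeToTzSpecificLocalTimeEx" or
-this.getQualifiedName() = "TzSpecificLocalTimeToSystemTime" or
-this.getQualifiedName() = "TzSpecificLocalTimeToSystemTimeEx" or
-this.getQualifiedName() = "RtlLocalTimeToSystemTime" or
-this.getQualifiedName() = "RtlTimeToSecondsSince1970" or
-this.getQualifiedName() = "_mkgmtime"
+this.getQualifiedName() =
+["FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime",
+"SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
+"TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
+"RtlTimeToSecondsSince1970", "_mkgmtime"]
 }
 }
 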
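--- a/cpp/ql/src/Microsoft/SAL.qll
+++ b/cpp/ql/src/Microsoft/SAL.qll
@@ -10,13 +10,8 @@ import cpp
 */
 class SALMacro extends Macro {
 SALMacro() {
-exists(string filename | filename = this.getFile().getBaseName() |
-filename = "sal.h" or
-filename = "specstrings_strict.h" or
-filename = "specstrings.h" or
-filename = "w32p.h" or
-filename = "minwindef.h"
-) and
+this.getFile().getBaseName() =
+["sal.h", "specstrings_strict.h", "specstrings.h", "w32p.h", "minwindef.h"] and
 (
 // Dialect for Windows 8 and above
 this.getName().matches("\\_%\\_")
@@ -58,10 +53,7 @@ class SALAnnotation extends MacroInvocation {
 */
 class SALCheckReturn extends SALAnnotation {
 SALCheckReturn() {
-exists(SALMacro m | m = this.getMacro() |
-m.getName() = "_Check_return_" or
-m.getName() = "_Must_inspect_result_"
-)
+this.getMacro().(SALMacro).getName() = ["_Check_return_", "_Must_inspect_result_"]
 }
 }
 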
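--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -56,7 +56,7 @@ class VarargsFunction extends Function {
 }
 
 string normalTerminator(int cnt) {
-(result = "0" or result = "-1") and
+result = ["0", "-1"] and
 cnt = trailingArgValueCount(result) and
 2 * cnt > totalCount() and
 not exists(FunctionCall fc, int index |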

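--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
@@ -66,10 +66,7 @@ class IFStream extends Type {
 */
 class CinVariable extends NamespaceVariable {
 CinVariable() {
-(
-getName() = "cin" or
-getName() = "wcin"
-) and
+getName() = ["cin", "wcin"] and
 getNamespace().getName() = "std"
 }
 }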
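Review bot: The rewritten line calls `getName()` unqualified (and the context line below it `getNamespace()`), whereas every other characteristic predicate touched by this commit (SizeCheck2.ql, SimpleControlFlowJmp.ql, SAL.qll, UncheckedReturnValueForTimeFunctions.ql) writes the receiver as `this.`; for consistency with those hunks write `this.getName() = ["cin", "wcin"] and`. Behaviour is the same either way, so this is purely a style point.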

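--- a/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
@@ -14,12 +14,7 @@ import cpp
 
 predicate potentiallyDangerousFunction(Function f, string message) {
 exists(string name | f.hasGlobalName(name) |
-(
-name = "gmtime" or
-name = "localtime" or
-name = "ctime" or
-name = "asctime"
-) and
+name = ["gmtime", "localtime", "ctime", "asctime"] and
 message = "Call to " + name + " is potentially dangerous"
 )
 }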
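Review bot: `potentiallyDangerousFunction` has no QLDoc (the line above it is blank) even though its `message` output is what the query reports to users; add `/** Holds if `f` is a global function named `gmtime`, `localtime`, `ctime` or `asctime`, and `message` is the alert text for a call to it. */` above the predicate. The `exists(string name | ...)` is still needed after this change because `name` is spliced into `message`, so the shape of the rewritten body is fine as is.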
