Merge branch 'main' into mathiasvp/make_shared_make_unique-models

Author: MathiasVP

change-notes/1.26/analysis-cpp.md

@@ -20,8 +20,10 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 ## Changes to libraries
 
+* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
 * The models library now models many taint flows through `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
 * The models library now models many more taint flows through `std::string`.
+* The models library now models some taint flows through `std::ostream`.
 * The models library now models some taint flows through `std::shared_ptr`, `std::unique_ptr`, `std::make_shared` and `std::make_unique`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` and `x *= e2` when `e1` and `e2` are unsigned or constant.

change-notes/1.26/analysis-java.md

@@ -0,0 +1,21 @@
+# Improvements to Java analysis
+
+The following changes in version 1.26 affect Java analysis in all applications.
+
+## General improvements
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+
+## Changes to libraries
+
+* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.

change-notes/1.26/analysis-javascript.md

@@ -30,6 +30,7 @@
 | Incomplete URL substring sanitization (`js/incomplete-url-substring-sanitization`) | More results | This query now recognizes additional URLs when the substring check is an inclusion check. |
 | Ambiguous HTML id attribute (`js/duplicate-html-id`) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
 | Unused loop iteration variable (`js/unused-loop-variable`) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructed array. |
+| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
 | Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 
 

cpp/ql/examples/snippets/emptyblock.ql

@@ -9,6 +9,6 @@
 
 import cpp
 
-from Block blk
+from BlockStmt blk
 where blk.getNumStmt() = 0
 select blk

cpp/ql/examples/snippets/emptythen.ql

@@ -13,5 +13,5 @@
 import cpp
 
 from IfStmt i
-where i.getThen().(Block).getNumStmt() = 0
+where i.getThen().(BlockStmt).getNumStmt() = 0
 select i

cpp/ql/examples/snippets/singletonblock.ql

@@ -8,6 +8,6 @@
 
 import cpp
 
-from Block b
+from BlockStmt b
 where b.getNumStmt() = 1
 select b

cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql

@@ -14,7 +14,7 @@ import cpp
 
 class ComplexStmt extends Stmt {
   ComplexStmt() {
-    exists(Block body |
+    exists(BlockStmt body |
       body = this.(Loop).getStmt() or
       body = this.(SwitchStmt).getStmt()
     |
@@ -24,7 +24,7 @@ class ComplexStmt extends Stmt {
   }
 }
 
-from Block b, int n, ComplexStmt complexStmt
+from BlockStmt b, int n, ComplexStmt complexStmt
 where
   n = strictcount(ComplexStmt s | s = b.getAStmt()) and
   n > 3 and

cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql

@@ -17,7 +17,7 @@ where
   shadowing(lv1, lv2) and
   not lv1.isCompilerGenerated() and
   not lv2.isCompilerGenerated() and
-  not lv1.getParentScope().(Block).isInMacroExpansion() and
-  not lv2.getParentScope().(Block).isInMacroExpansion()
+  not lv1.getParentScope().(BlockStmt).isInMacroExpansion() and
+  not lv2.getParentScope().(BlockStmt).isInMacroExpansion()
 select lv1, "Variable " + lv1.getName() + " hides another variable of the same name (on $@).", lv2,
   "line " + lv2.getLocation().getStartLine().toString()

cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql

@@ -14,7 +14,7 @@
 
 import cpp
 
-predicate emptyBlock(ControlStructure s, Block b) {
+predicate emptyBlock(ControlStructure s, BlockStmt b) {
   b = s.getAChild() and
   not exists(b.getAChild()) and
   not b.isInMacroExpansion() and
@@ -23,7 +23,7 @@ predicate emptyBlock(ControlStructure s, Block b) {
 
 class AffectedFile extends File {
   AffectedFile() {
-    exists(Block b |
+    exists(BlockStmt b |
       emptyBlock(_, b) and
       this = b.getFile()
     )
@@ -37,7 +37,7 @@ class AffectedFile extends File {
 class BlockOrNonChild extends Element {
   BlockOrNonChild() {
     (
-      this instanceof Block
+      this instanceof BlockStmt
       or
       this instanceof Comment
       or
@@ -78,7 +78,7 @@ class BlockOrNonChild extends Element {
 /**
  * A block that contains a non-child element.
  */
-predicate emptyBlockContainsNonchild(Block b) {
+predicate emptyBlockContainsNonchild(BlockStmt b) {
   emptyBlock(_, b) and
   exists(BlockOrNonChild c, AffectedFile file |
     c.(BlockOrNonChild).getStartRankIn(file) = 1 + b.(BlockOrNonChild).getStartRankIn(file) and
@@ -91,7 +91,7 @@ predicate emptyBlockContainsNonchild(Block b) {
  * A block that is entirely on one line, which also contains a comment.  Chances
  * are the comment is intended to refer to the block.
  */
-predicate lineComment(Block b) {
+predicate lineComment(BlockStmt b) {
   emptyBlock(_, b) and
   exists(Location bLocation, File f, int line |
     bLocation = b.getLocation() and
@@ -106,7 +106,7 @@ predicate lineComment(Block b) {
   )
 }
 
-from ControlStructure s, Block eb
+from ControlStructure s, BlockStmt eb
 where
   emptyBlock(s, eb) and
   not emptyBlockContainsNonchild(eb) and

cpp/ql/src/Critical/DeadCodeGoto.ql

@@ -12,15 +12,15 @@
 import cpp
 import semmle.code.cpp.commons.Exclusions
 
-Stmt getNextRealStmt(Block b, int i) {
+Stmt getNextRealStmt(BlockStmt b, int i) {
   result = b.getStmt(i + 1) and
   not result instanceof EmptyStmt
   or
   b.getStmt(i + 1) instanceof EmptyStmt and
   result = getNextRealStmt(b, i + 1)
 }
 
-from JumpStmt js, Block b, int i, Stmt s
+from JumpStmt js, BlockStmt b, int i, Stmt s
 where
   b.getStmt(i) = js and
   s = getNextRealStmt(b, i) and