Merge branch 'master' into js/format-string-taint-step

Author: Esben Sparre Andreasen

change-notes/1.18/analysis-javascript.md

@@ -12,7 +12,9 @@
 
 * Modelling of taint flow through the array operations `map` and `join` has been improved. This may give additional results for the security queries.
 
-* The taint tracking library recognizes more ways in which taint propagates. In particular, some flow through string formatters is now recognized.
+* The taint tracking library recognizes more ways in which taint propagates. In particular, some flow through string formatters is now recognized. This may give additional results for the security queries.
+
+* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
 
 * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following libraries:
   - [bluebird](http://bluebirdjs.com)

cpp/ql/src/AlertSuppression.ql

@@ -56,12 +56,12 @@ class SuppressionComment extends CppStyleComment {
  */
 class SuppressionScope extends @comment {
   SuppressionScope() {
-    this instanceof SuppressionComment
+    mkElement(this) instanceof SuppressionComment
   }
 
   /** Gets a suppression comment with this scope. */
   SuppressionComment getSuppressionComment() {
-    result = this
+    result = mkElement(this)
   }
 
   /**
@@ -72,7 +72,7 @@ class SuppressionScope extends @comment {
   * [LGTM locations](https://lgtm.com/help/ql/locations).
   */
   predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
-    this.(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
+    mkElement(this).(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
   }
 
   /** Gets a textual representation of this element. */

cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql

@@ -13,7 +13,7 @@ import cpp
 
 string kindstr(Class c)
 {
-  exists(int kind | usertypes(c, _, kind) |
+  exists(int kind | usertypes(unresolveElement(c), _, kind) |
     (kind = 1 and result = "Struct") or
     (kind = 2 and result = "Class") or
     (kind = 6 and result = "Template class")
@@ -48,37 +48,38 @@ predicate masterVde(VariableDeclarationEntry master, VariableDeclarationEntry vd
 
 class VariableDeclarationGroup extends @var_decl {
   VariableDeclarationGroup() {
-    not previousVde(_, this)
+    not previousVde(_, mkElement(this))
   }
   Class getClass() {
-    vdeInfo(this, result, _, _)
+    vdeInfo(mkElement(this), result, _, _)
   }
 
   // pragma[noopt] since otherwise the two locationInfo relations get join-ordered
   // after each other
   pragma[noopt]
   predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
-    exists(VariableDeclarationEntry last, Location lstart, Location lend |
-      masterVde(this, last) and
+    exists(Element thisElement, VariableDeclarationEntry last, Location lstart, Location lend |
+      thisElement = mkElement(this) and
+      masterVde(thisElement, last) and
       this instanceof VariableDeclarationGroup and
       not previousVde(last, _) and
-      exists(VariableDeclarationEntry vde | vde=this and vde instanceof VariableDeclarationEntry and vde.getLocation() = lstart) and
+      exists(VariableDeclarationEntry vde | vde=mkElement(this) and vde instanceof VariableDeclarationEntry and vde.getLocation() = lstart) and
       last.getLocation() = lend and
       lstart.hasLocationInfo(path, startline, startcol, _, _) and
       lend.hasLocationInfo(path, _, _, endline, endcol)
     )
   }
 
   string toString() {
-    if previousVde(this, _) then
+    if previousVde(mkElement(this), _) then
       result = "group of "
              + strictcount(string name
                          | exists(VariableDeclarationEntry vde
-                                | masterVde(this, vde) and
+                                | masterVde(mkElement(this), vde) and
                                   name = vde.getName()))
              + " fields here"
     else
-      result = "declaration of " + this.(VariableDeclarationEntry).getVariable().getName()
+      result = "declaration of " + mkElement(this).(VariableDeclarationEntry).getVariable().getName()
   }
 }
 

cpp/ql/src/CPython/Extensions.qll

@@ -3,12 +3,9 @@ import CPython.ArgParse
 
 
 /* Root class of all 'C' objects */
-abstract class CObject extends @element {
+abstract class CObject extends Element {
 
     abstract string getTrapID();
-
-    /** Gets a textual representation of this element. */
-    abstract string toString();
 }
 
 

cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql

@@ -98,7 +98,7 @@ predicate flowsToDefImpl(
   or
   // `x++`
   exists (CrementOperation crem
-  | def = crem and
+  | mkElement(def) = crem and
     crem.getOperand() = v.getAnAccess() and
     flowsToExpr(source, crem.getOperand(), pathMightOverflow))
   or

cpp/ql/src/Metrics/Dependencies/ExternalDependencies.qll

@@ -66,7 +66,7 @@ class Library extends LibraryT {
       result = lib.getAFile()
     ) or exists(@external_package ep |
       this = LibraryTExternalPackage(ep, _, _) and
-      header_to_external_package(result, ep)
+      header_to_external_package(unresolveElement(result), ep)
     )
   }
 }

cpp/ql/src/Metrics/Files/FCommentRatio.ql

@@ -12,6 +12,6 @@
 import cpp
 
 from File f, int comments, int total
-where f.fromSource() and numlines(f, total, _, comments) and total > 0
+where f.fromSource() and numlines(unresolveElement(f), total, _, comments) and total > 0
 select f, 100.0 * (comments.(float) / total.(float)) as ratio
 order by ratio desc

cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql

@@ -7,6 +7,6 @@
 
  import semmle.code.cpp.pointsto.PointsTo
 
- select count(int set, Element location | setlocations(set, location)),
-        count(int set, Element element | pointstosets(set, element))
+ select count(int set, Element location | setlocations(set, unresolveElement(location))),
+        count(int set, Element element | pointstosets(set, unresolveElement(element)))
 

cpp/ql/src/Security/CWE/CWE-764/LockFlow.qll

@@ -27,7 +27,7 @@ predicate tryLockCondition(VariableAccess access,
     (cond = call.getParent*() and
      cond.isCondition() and
      failNode = cond.getASuccessor() and
-     failNode instanceof BasicBlockWithReturn))
+     unresolveElement(failNode) instanceof BasicBlockWithReturn))
 }
 
 /**

cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql

@@ -29,7 +29,7 @@ predicate failedLock(MutexType t, BasicBlock lockblock, BasicBlock failblock) {
   exists (ControlFlowNode lock |
     lock = lockblock.getEnd() and
     lock = t.getLockAccess() and
-    lock.getAFalseSuccessor() = failblock
+    lock.getAFalseSuccessor() = mkElement(failblock)
   )
 }