
Commit 5a5d3f1

committed
Merge remote-tracking branch 'upstream/master' into dataflow/no-more-summaries
2 parents 3e52aa1 + b4fbfa0 commit 5a5d3f1

234 files changed

Lines changed: 8547 additions & 5121 deletions


change-notes/1.24/analysis-csharp.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ The following changes in version 1.24 affect C# analysis in all applications.
2121
| Potentially dangerous use of non-short-circuit logic (`cs/non-short-circuit`) | Fewer false positive results | Results have been removed when the expression contains an `out` parameter. |
2222
| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
2323
| Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. |
24+
| XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
2425

2526
## Removal of old queries
2627

change-notes/1.24/analysis-javascript.md

Lines changed: 18 additions & 7 deletions
@@ -6,16 +6,18 @@
66

77
* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`).
88

9-
* Imports with the `.js` extension can now be resolved to a TypeScript file,
9+
* Resolution of imports has improved, leading to more results from the security queries:
10+
- Imports with the `.js` extension can now be resolved to a TypeScript file,
1011
when the import refers to a file generated by TypeScript.
12+
- Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved.
13+
- Export declarations of the form `export * as ns from "x"` are now analyzed more precisely.
1114

12-
* Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved.
15+
* The analysis of sanitizers has improved, leading to more accurate results from the security queries.
16+
In particular:
17+
- Sanitizer guards now act across function boundaries in more cases.
18+
- Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value.
1319

14-
* Export declarations of the form `export * as ns from "x"` are now analyzed more precisely.
15-
16-
* The analysis of sanitizer guards has improved, leading to fewer false-positive results from the security queries.
17-
18-
* The call graph construction has been improved, leading to more results from the security queries:
20+
* Call graph construction has been improved, leading to more results from the security queries:
1921
- Calls can now be resolved to indirectly-defined class members in more cases.
2022
- Calls through partial invocations such as `.bind` can now be resolved in more cases.
2123

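Review bot: the dropped bullet promised "fewer false-positive results" from sanitizer guards while the replacement says "more accurate results"; the replacement is the honest wording, because the second new sub-bullet (sanitizers distinguishing a tainted value from an object _containing_ one) is the user-visible side of the flow-label change described later in this file under "Changes to libraries", which can remove results as well as add them. That sub-bullet should point readers at the library note, since it is the item most likely to alter the output of their custom queries. Also check the indentation of the continuation line "when the import refers to a file generated by TypeScript.", which now belongs to a nested `-` item rather than a top-level `*` item.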
@@ -40,11 +42,14 @@
4042
- [ncp](https://www.npmjs.com/package/ncp)
4143
- [node-dir](https://www.npmjs.com/package/node-dir)
4244
- [path-exists](https://www.npmjs.com/package/path-exists)
45+
- [pg](https://www.npmjs.com/package/pg)
4346
- [react](https://www.npmjs.com/package/react)
4447
- [recursive-readdir](https://www.npmjs.com/package/recursive-readdir)
4548
- [request](https://www.npmjs.com/package/request)
4649
- [rimraf](https://www.npmjs.com/package/rimraf)
4750
- [send](https://www.npmjs.com/package/send)
51+
- [SockJS](https://www.npmjs.com/package/sockjs)
52+
- [SockJS-client](https://www.npmjs.com/package/sockjs-client)
4853
- [typeahead.js](https://www.npmjs.com/package/typeahead.js)
4954
- [vinyl-fs](https://www.npmjs.com/package/vinyl-fs)
5055
- [write-file-atomic](https://www.npmjs.com/package/write-file-atomic)
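Review bot: the two new entries are written as `SockJS` and `SockJS-client`, while every other entry in this list uses the lowercase npm package name that matches its URL (`pg`, `send`, `typeahead.js`); use `sockjs` and `sockjs-client` for consistency.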
@@ -80,8 +85,14 @@
8085
| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. |
8186
| Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes escapes in strings and regular expression literals. |
8287
| Identical operands (`js/redundant-operation`) | Fewer results | This query now recognizes cases where the operands change a value using ++/-- expressions. |
88+
| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now recognizes cases where a function uses the `Function.arguments` value to process a variable number of parameters. |
8389

8490
## Changes to libraries
8591

8692
* The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
8793
* An extensible model of the `EventEmitter` pattern has been implemented.
94+
* Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries
95+
that combine taint-tracking and flow labels.
96+
- Sources added by the 1-argument `isSource` predicate are associated with the `taint` label now, instead of the `data` label.
97+
- Sanitizers now only block the `taint` label. As a result, sanitizers no longer block the flow of tainted values wrapped inside a property of an object.
98+
To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer.

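Review bot: the new "Changes to libraries" bullet describes a behaviour change that can silently drop results from existing custom queries (sanitizers no longer block tainted values held in an object property), so it should be flagged as a breaking change for queries that combine taint tracking with flow labels and should name the exact predicate(s) to override for the old behaviour rather than only "a barrier" or "a labeled sanitizer". In the query table, the new `js/superfluous-trailing-arguments` row says "Fewer results" where the neighbouring rows distinguish "Fewer false positive results"; if the removed results were false positives, say so.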
change-notes/1.24/analysis-python.md

Lines changed: 3 additions & 0 deletions
@@ -4,6 +4,8 @@ The following changes in version 1.24 affect Python analysis in all applications
44

55
## General improvements
66

7+
Support for Django version 2.x and 3.x
8+
79
## New queries
810

911
| **Query** | **Tags** | **Purpose** |
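Review bot: "Support for Django version 2.x and 3.x" under "General improvements" is a sentence fragment with no list marker, whereas the other change-notes files in this commit write each improvement as a `*` bullet; suggest `* Added support for Django versions 2.x and 3.x.` and say whether this covers the web-framework models, the query results, or both.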
@@ -13,6 +15,7 @@ The following changes in version 1.24 affect Python analysis in all applications
1315

1416
| **Query** | **Expected impact** | **Change** |
1517
|----------------------------|------------------------|------------------------------------------------------------------|
18+
| Uncontrolled command line (`py/command-line-injection`) | More results | We now model the `fabric` and `invoke` pacakges for command execution. |
1619

1720
### Web framework support
1821

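Review bot: typo in the added row: `pacakges` should be `packages`. Since the row says `fabric` and `invoke` are now modelled for command execution, it would also help readers to state which functions of those packages are treated as sinks for `py/command-line-injection`.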
cpp/ql/src/semmle/code/cpp/Function.qll

Lines changed: 8 additions & 2 deletions
@@ -133,10 +133,16 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
133133
*/
134134
Type getUnspecifiedType() { result = getType().getUnspecifiedType() }
135135

136-
/** Gets the nth parameter of this function. */
136+
/**
137+
* Gets the nth parameter of this function. There is no result for the
138+
* implicit `this` parameter, and there is no `...` varargs pseudo-parameter.
139+
*/
137140
Parameter getParameter(int n) { params(unresolveElement(result), underlyingElement(this), n, _) }
138141

139-
/** Gets a parameter of this function. */
142+
/**
143+
* Gets a parameter of this function. There is no result for the implicit
144+
* `this` parameter, and there is no `...` varargs pseudo-parameter.
145+
*/
140146
Parameter getAParameter() { params(unresolveElement(result), underlyingElement(this), _, _) }
141147

142148
/**

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

Lines changed: 1 addition & 0 deletions
@@ -542,6 +542,7 @@ private predicate throughFlowNodeCand1(Node node, Configuration config) {
542542
}
543543

544544
/** Holds if flow may return from `callable`. */
545+
pragma[nomagic]
545546
private predicate returnFlowCallableNodeCand1(
546547
DataFlowCallable callable, ReturnKindExt kind, Configuration config
547548
) {

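Review bot: the only change here is a bare `pragma[nomagic]` on `returnFlowCallableNodeCand1`, and the same one-line hunk appears in `DataFlowImpl2.qll`, `DataFlowImpl3.qll`, `DataFlowImpl4.qll` and `DataFlowImplLocal.qll`; make sure the copies were regenerated from the shared source rather than patched by hand so they cannot drift, and extend the `/** Holds if flow may return from `callable`. */` comment with a sentence on which join ordering the pragma is preventing, since without that the next reader has no way to tell whether the pragma is still needed.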
cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

Lines changed: 1 addition & 0 deletions
@@ -542,6 +542,7 @@ private predicate throughFlowNodeCand1(Node node, Configuration config) {
542542
}
543543

544544
/** Holds if flow may return from `callable`. */
545+
pragma[nomagic]
545546
private predicate returnFlowCallableNodeCand1(
546547
DataFlowCallable callable, ReturnKindExt kind, Configuration config
547548
) {

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

Lines changed: 1 addition & 0 deletions
@@ -542,6 +542,7 @@ private predicate throughFlowNodeCand1(Node node, Configuration config) {
542542
}
543543

544544
/** Holds if flow may return from `callable`. */
545+
pragma[nomagic]
545546
private predicate returnFlowCallableNodeCand1(
546547
DataFlowCallable callable, ReturnKindExt kind, Configuration config
547548
) {

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

Lines changed: 1 addition & 0 deletions
@@ -542,6 +542,7 @@ private predicate throughFlowNodeCand1(Node node, Configuration config) {
542542
}
543543

544544
/** Holds if flow may return from `callable`. */
545+
pragma[nomagic]
545546
private predicate returnFlowCallableNodeCand1(
546547
DataFlowCallable callable, ReturnKindExt kind, Configuration config
547548
) {

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

Lines changed: 1 addition & 0 deletions
@@ -542,6 +542,7 @@ private predicate throughFlowNodeCand1(Node node, Configuration config) {
542542
}
543543

544544
/** Holds if flow may return from `callable`. */
545+
pragma[nomagic]
545546
private predicate returnFlowCallableNodeCand1(
546547
DataFlowCallable callable, ReturnKindExt kind, Configuration config
547548
) {

cpp/ql/src/semmle/code/cpp/exprs/BuiltInOperations.qll

Lines changed: 46 additions & 0 deletions
@@ -8,6 +8,22 @@ abstract class BuiltInOperation extends Expr {
88
override string getCanonicalQLClass() { result = "BuiltInOperation" }
99
}
1010

11+
/**
12+
* A C/C++ built-in operation that is used to support functions with variable numbers of arguments.
13+
* This includes `va_start`, `va_end`, `va_copy`, and `va_arg`.
14+
*/
15+
class VarArgsExpr extends BuiltInOperation {
16+
VarArgsExpr() {
17+
this instanceof BuiltInVarArgsStart
18+
or
19+
this instanceof BuiltInVarArgsEnd
20+
or
21+
this instanceof BuiltInVarArg
22+
or
23+
this instanceof BuiltInVarArgCopy
24+
}
25+
}
26+
1127
/**
1228
* A C/C++ `__builtin_va_start` built-in operation (used by some
1329
* implementations of `va_start`).
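Review bot: `VarArgsExpr` is a pure union of the four built-ins with no members of its own, yet later hunks in this same file add an identical `final Expr getVAList() { result = getChild(0) }` to `BuiltInVarArgsStart`, `BuiltInVarArgsEnd` and `BuiltInVarArg`, and `BuiltInVarArgCopy` exposes the same child as `getDestinationVAList()`. Consider declaring `getVAList()` once on `VarArgsExpr` (documenting that for `va_copy` it is the destination list) so callers can reach the `va_list` operand of any of these operations uniformly.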
@@ -20,6 +36,16 @@ class BuiltInVarArgsStart extends BuiltInOperation, @vastartexpr {
2036
override string toString() { result = "__builtin_va_start" }
2137

2238
override string getCanonicalQLClass() { result = "BuiltInVarArgsStart" }
39+
40+
/**
41+
* Gets the `va_list` argument.
42+
*/
43+
final Expr getVAList() { result = getChild(0) }
44+
45+
/**
46+
* Gets the argument that specifies the last named parameter before the ellipsis.
47+
*/
48+
final VariableAccess getLastNamedParameter() { result = getChild(1) }
2349
}
2450

2551
/**
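Review bot: `getLastNamedParameter()` is declared to return `VariableAccess` but is implemented as `getChild(1)`; if the second operand of `__builtin_va_start` is anything other than a plain variable access (a parenthesised or cast expression, for example), the predicate silently has no result instead of returning that expression. Either type it as `Expr` like `getVAList()` or say in the doc comment that it has no result in that case.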
@@ -35,6 +61,11 @@ class BuiltInVarArgsEnd extends BuiltInOperation, @vaendexpr {
3561
override string toString() { result = "__builtin_va_end" }
3662

3763
override string getCanonicalQLClass() { result = "BuiltInVarArgsEnd" }
64+
65+
/**
66+
* Gets the `va_list` argument.
67+
*/
68+
final Expr getVAList() { result = getChild(0) }
3869
}
3970

4071
/**
@@ -48,6 +79,11 @@ class BuiltInVarArg extends BuiltInOperation, @vaargexpr {
4879
override string toString() { result = "__builtin_va_arg" }
4980

5081
override string getCanonicalQLClass() { result = "BuiltInVarArg" }
82+
83+
/**
84+
* Gets the `va_list` argument.
85+
*/
86+
final Expr getVAList() { result = getChild(0) }
5187
}
5288

5389
/**
@@ -63,6 +99,16 @@ class BuiltInVarArgCopy extends BuiltInOperation, @vacopyexpr {
6399
override string toString() { result = "__builtin_va_copy" }
64100

65101
override string getCanonicalQLClass() { result = "BuiltInVarArgCopy" }
102+
103+
/**
104+
* Gets the destination `va_list` argument.
105+
*/
106+
final Expr getDestinationVAList() { result = getChild(0) }
107+
108+
/**
109+
* Gets the the source `va_list` argument.
110+
*/
111+
final Expr getSourceVAList() { result = getChild(1) }
66112
}
67113

68114
/**

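Review bot: doubled word in the added doc comment for `getSourceVAList()`: "Gets the the source `va_list` argument" should be "Gets the source `va_list` argument".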