
Commit fd581f7

committed
Merge branch 'main' into XMLXml
2 parents 21bec8a + 642c992 commit fd581f7

87 files changed

Lines changed: 1431 additions & 1284 deletions


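--- a/cpp/ql/lib/semmle/code/cpp/File.qll
+++ b/cpp/ql/lib/semmle/code/cpp/File.qll
@@ -218,8 +218,6 @@ class Folder extends Container, @folder {
 class File extends Container, @file {
 override string getAbsolutePath() { files(underlyingElement(this), result) }
 
-override string toString() { result = Container.super.toString() }
-
 override string getAPrimaryQlClass() { result = "File" }
 
 override Location getLocation() {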

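--- a/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+++ b/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
@@ -106,6 +106,26 @@ predicate inheritanceConversionTypes(
 toType = convert.getResultType()
 }
 
+private signature class ConversionInstruction extends UnaryInstruction;
+
+module Conversion<ConversionInstruction I> {
+signature predicate hasTypes(I instr, Type fromType, Type toType);
+
+module Using<hasTypes/3 project> {
+pragma[nomagic]
+predicate hasOperandAndTypes(I convert, Instruction unary, Type fromType, Type toType) {
+project(convert, fromType, toType) and
+unary = convert.getUnary()
+}
+}
+}
+
+pragma[nomagic]
+predicate hasObjectAndField(FieldAddressInstruction fai, Instruction object, Field f) {
+fai.getObjectAddress() = object and
+fai.getField() = f
+}
+
 /** Gets the HashCons value of an address computed by `instr`, if any. */
 TGlobalAddress globalAddress(Instruction instr) {
 result = TGlobalVariable(instr.(VariableAddressInstruction).getAstVariable())
@@ -117,25 +137,27 @@ TGlobalAddress globalAddress(Instruction instr) {
 result = TLoad(globalAddress(load.getSourceAddress()))
 )
 or
-exists(ConvertInstruction convert, Type fromType, Type toType | instr = convert |
-uncheckedConversionTypes(convert, fromType, toType) and
-result = TConversion("unchecked", globalAddress(convert.getUnary()), fromType, toType)
+exists(Type fromType, Type toType, Instruction unary |
+Conversion<ConvertInstruction>::Using<uncheckedConversionTypes/3>::hasOperandAndTypes(instr,
+unary, fromType, toType) and
+result = TConversion("unchecked", globalAddress(unary), fromType, toType)
 )
 or
-exists(CheckedConvertOrNullInstruction convert, Type fromType, Type toType | instr = convert |
-checkedConversionTypes(convert, fromType, toType) and
-result = TConversion("checked", globalAddress(convert.getUnary()), fromType, toType)
+exists(Type fromType, Type toType, Instruction unary |
+Conversion<CheckedConvertOrNullInstruction>::Using<checkedConversionTypes/3>::hasOperandAndTypes(instr,
+unary, fromType, toType) and
+result = TConversion("checked", globalAddress(unary), fromType, toType)
 )
 or
-exists(InheritanceConversionInstruction convert, Type fromType, Type toType | instr = convert |
-inheritanceConversionTypes(convert, fromType, toType) and
-result = TConversion("inheritance", globalAddress(convert.getUnary()), fromType, toType)
+exists(Type fromType, Type toType, Instruction unary |
+Conversion<InheritanceConversionInstruction>::Using<inheritanceConversionTypes/3>::hasOperandAndTypes(instr,
+unary, fromType, toType) and
+result = TConversion("inheritance", globalAddress(unary), fromType, toType)
 )
 or
-exists(FieldAddressInstruction fai | instr = fai |
-result =
-TFieldAddress(globalAddress(pragma[only_bind_into](fai.getObjectAddress())),
-pragma[only_bind_out](fai.getField()))
+exists(FieldAddressInstruction fai, Instruction object, Field f | instr = fai |
+hasObjectAndField(fai, object, f) and
+result = TFieldAddress(globalAddress(object), f)
 )
 or
 result = globalAddress(instr.(PointerOffsetInstruction).getLeft())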
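Review bot: The new `Conversion` module, its nested `Using` module and the helper `hasObjectAndField` are marked `pragma[nomagic]` but have no QLDoc, so nothing in the first hunk says why the conversion and field-address cases of `globalAddress` now go through them. The helpers presumably exist to fix the join order, taking over from the `pragma[only_bind_into]`/`pragma[only_bind_out]` annotations removed in the second hunk; if that is the intent it should be written down, for example `/** Holds if convert has operand unary and converts fromType to toType. Kept out of line so the join order of globalAddress stays stable. */` on `hasOperandAndTypes`. `Conversion` and `hasObjectAndField` are also not `private`, unlike `ConversionInstruction` declared just above them, which looks unintended for helpers local to a query file. The body of `globalAddress` continues past the end of the second hunk.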

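--- a/csharp/ql/lib/semmle/code/cil/Types.qll
+++ b/csharp/ql/lib/semmle/code/cil/Types.qll
@@ -309,8 +309,6 @@ class FunctionPointerType extends Type, CustomModifierReceiver, Parameterizable,
 /** Gets the calling convention. */
 int getCallingConvention() { cil_function_pointer_calling_conventions(this, result) }
 
-override string toString() { result = Type.super.toString() }
-
 /** Holds if the return type is `void`. */
 predicate returnsVoid() { this.getReturnType() instanceof VoidType }
 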

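--- a/csharp/ql/lib/semmle/code/csharp/Callable.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Callable.qll
@@ -215,11 +215,7 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
 /** Gets a `Call` that has this callable as a target. */
 Call getACall() { this = result.getTarget() }
 
-override Parameter getParameter(int n) { result = Parameterizable.super.getParameter(n) }
-
 override Parameter getAParameter() { result = Parameterizable.super.getAParameter() }
-
-override int getNumberOfParameters() { result = Parameterizable.super.getNumberOfParameters() }
 }
 
 /**
@@ -276,8 +272,6 @@ class Method extends Callable, Virtualizable, Attributable, @method {
 predicate hasParams() { exists(this.getParamsType()) }
 
 // Remove when `Callable.isOverridden()` is removed
-override predicate isOverridden() { Virtualizable.super.isOverridden() }
-
 override predicate fromSource() {
 Callable.super.fromSource() and
 not this.isCompilerGenerated()
@@ -472,8 +466,6 @@ class RecordCloneMethod extends Method, DotNet::RecordCloneCallable {
 override Constructor getConstructor() {
 result = DotNet::RecordCloneCallable.super.getConstructor()
 }
-
-override string toString() { result = Method.super.toString() }
 }
 
 /**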

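--- a/csharp/ql/lib/semmle/code/csharp/Namespace.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Namespace.qll
@@ -116,10 +116,6 @@ class Namespace extends DotNet::Namespace, TypeContainer, Declaration, @namespac
 override Location getALocation() { result = this.getADeclaration().getALocation() }
 
 override string toString() { result = DotNet::Namespace.super.toString() }
-
-override predicate hasQualifiedName(string a, string b) {
-DotNet::Namespace.super.hasQualifiedName(a, b)
-}
 }
 
 /**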

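--- a/csharp/ql/lib/semmle/code/csharp/Property.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Property.qll
@@ -42,8 +42,6 @@ class DeclarationWithAccessors extends AssignableMember, Virtualizable, Attribut
 }
 
 override Type getType() { none() }
-
-override string toString() { result = AssignableMember.super.toString() }
 }
 
 /**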

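--- a/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
@@ -357,3 +357,36 @@ class MicrosoftAspNetCoreHttpHtmlString extends Class {
 this.hasQualifiedName("Microsoft.AspNetCore.Html", "HtmlString")
 }
 }
+
+/**
+* The `Microsoft.AspNetCore.Builder.EndpointRouteBuilderExtensions` class.
+*/
+class MicrosoftAspNetCoreBuilderEndpointRouteBuilderExtensions extends Class {
+MicrosoftAspNetCoreBuilderEndpointRouteBuilderExtensions() {
+this.hasQualifiedName("Microsoft.AspNetCore.Builder", "EndpointRouteBuilderExtensions")
+}
+
+/** Gets the `Map` extension method. */
+Method getMapMethod() { result = this.getAMethod("Map") }
+
+/** Gets the `MapGet` extension method. */
+Method getMapGetMethod() { result = this.getAMethod("MapGet") }
+
+/** Gets the `MapPost` extension method. */
+Method getMapPostMethod() { result = this.getAMethod("MapPost") }
+
+/** Gets the `MapPut` extension method. */
+Method getMapPutMethod() { result = this.getAMethod("MapPut") }
+
+/** Gets the `MapDelete` extension method. */
+Method getMapDeleteMethod() { result = this.getAMethod("MapDelete") }
+
+/** Get a `Map` like extenion methods. */
+Method getAMapMethod() {
+result =
+[
+this.getMapMethod(), this.getMapGetMethod(), this.getMapPostMethod(),
+this.getMapPutMethod(), this.getMapDeleteMethod()
+]
+}
+}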
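Review bot: `getAMapMethod` lists only `Map`, `MapGet`, `MapPost`, `MapPut` and `MapDelete`, so handlers registered through the other mapping methods of `EndpointRouteBuilderExtensions`, such as `MapPatch` and `MapMethods`, are invisible to anything built on this predicate and their parameters would not be reported as sources. `MapMethods` takes an extra HTTP-method list before the handler, so it needs its own accessor and argument position in the consumer rather than simply being appended to this list. The QLDoc on `getAMapMethod` also has a typo and mixes singular and plural; `/** Gets a Map-like extension method. */` (with the method name in code formatting) reads correctly.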

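--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -171,6 +171,35 @@ class ActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
 /** A data flow source of remote user input (ASP.NET Core). */
 abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }
 
+private predicate reachesMapGetArg(DataFlow::Node n) {
+exists(MethodCall mc |
+mc.getTarget() = any(MicrosoftAspNetCoreBuilderEndpointRouteBuilderExtensions c).getAMapMethod() and
+n.asExpr() = mc.getArgument(2)
+)
+or
+exists(DataFlow::Node mid | reachesMapGetArg(mid) |
+DataFlow::localFlowStep(n, mid) or
+n.asExpr() = mid.asExpr().(DelegateCreation).getArgument()
+)
+}
+
+/** A parameter to a routing method delegate. */
+class AspNetCoreRoutingMethodParameter extends AspNetCoreRemoteFlowSource, DataFlow::ParameterNode {
+AspNetCoreRoutingMethodParameter() {
+exists(DataFlow::Node n, Callable c |
+reachesMapGetArg(n) and
+c.getAParameter() = this.asParameter() and
+c.isSourceDeclaration()
+|
+n.asExpr() = c
+or
+n.asExpr().(CallableAccess).getTarget().getUnboundDeclaration() = c
+)
+}
+
+override string getSourceType() { result = "ASP.NET Core routing endpoint." }
+}
+
 /**
 * Data flow for ASP.NET Core.
 *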
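Review bot: `mc.getArgument(2)` in `reachesMapGetArg` hard-codes the handler position with no comment, and it only holds for calls shaped like `(endpoints, pattern, handler)`; any method later added to `getAMapMethod` with a different parameter order would silently stop matching. A comment such as `// argument 2 is the handler delegate of Map*(endpoints, pattern, handler)` would make the assumption checkable, and selecting the argument by its parameter would remove the assumption. The predicate has no QLDoc, and its name says `MapGet` although it covers every method from `getAMapMethod`, so `reachesMapArg` would be more accurate. `AspNetCoreRoutingMethodParameter` also marks every parameter of the delegate as remote input via `c.getAParameter()`. If some of those parameters are bound from registered services rather than from the request, they would be over-reported, which is worth a caveat in the class QLDoc.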
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Parameters of delegates passed to routing endpoint calls like `MapGet` in ASP.NET Core are now considered remote flow sources.

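--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedExpr.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedExpr.qll
@@ -817,10 +817,6 @@ class TranslatedNonFieldVariableAccess extends TranslatedVariableAccess {
 else result = this.getInstruction(AddressTag())
 }
 
-override Instruction getInstructionOperand(InstructionTag tag, OperandTag operandTag) {
-result = TranslatedVariableAccess.super.getInstructionOperand(tag, operandTag)
-}
-
 override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) {
 TranslatedVariableAccess.super.hasInstruction(opcode, tag, resultType)
 or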
