Merge branch 'main' into jhelie/add-xss-through-dom

Author: jhelie

config/identical-files.json

@@ -94,8 +94,8 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
   "Model as Data Generation Java/C# - CaptureModels": [
-    "java/ql/src/utils/model-generator/internal/CaptureModels.qll",
-    "csharp/ql/src/utils/model-generator/internal/CaptureModels.qll"
+    "java/ql/src/utils/modelgenerator/internal/CaptureModels.qll",
+    "csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll"
   ],
   "Sign Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/Sign.qll",

cpp/ql/test/library-tests/dataflow/taint-tests/bsd.cpp

@@ -9,7 +9,7 @@ struct sockaddr {
 	char* sa_data;
 };
 
-int accept(int, const sockaddr*, int*);
+int accept(int, sockaddr*, int*);
 
 void sink(sockaddr);
 
@@ -20,5 +20,5 @@ void test_accept() {
   int a = accept(s, &addr, &size);
 
   sink(a); // $ ast=17:11 ir SPURIOUS: ast=18:12
-  sink(addr); // $ ast,ir
+  sink(addr); // $ ast=17:11 ir SPURIOUS: ast=18:12
 }

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -142,9 +142,14 @@
 | bsd.cpp:19:14:19:29 | sizeof(sockaddr) | bsd.cpp:20:29:20:32 | size |  |
 | bsd.cpp:20:11:20:16 | call to accept | bsd.cpp:22:8:22:8 | a |  |
 | bsd.cpp:20:18:20:18 | s | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:18:20:18 | s | bsd.cpp:20:21:20:25 | ref arg & ... | TAINT |
 | bsd.cpp:20:21:20:25 | & ... | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:21:20:25 | & ... | bsd.cpp:20:21:20:25 | ref arg & ... | TAINT |
+| bsd.cpp:20:21:20:25 | ref arg & ... | bsd.cpp:20:22:20:25 | addr [inner post update] |  |
+| bsd.cpp:20:21:20:25 | ref arg & ... | bsd.cpp:23:8:23:11 | addr |  |
 | bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:11:20:16 | call to accept | TAINT |
 | bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | & ... |  |
+| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | ref arg & ... | TAINT |
 | bsd.cpp:20:28:20:32 | ref arg & ... | bsd.cpp:20:29:20:32 | size [inner post update] |  |
 | bsd.cpp:20:29:20:32 | size | bsd.cpp:20:28:20:32 | & ... |  |
 | constructor_delegation.cpp:8:2:8:8 | this | constructor_delegation.cpp:8:20:8:24 | constructor init of field x [pre-this] |  |

csharp/ql/src/utils/model-generator/CaptureDiscardedSummaryModels.ql

@@ -5,8 +5,8 @@
  */
 
 import semmle.code.csharp.dataflow.ExternalFlow
-import internal.CaptureModels
-import internal.CaptureSummaryFlow
+import utils.modelgenerator.internal.CaptureModels
+import utils.modelgenerator.internal.CaptureSummaryFlow
 
 from DataFlowTargetApi api, string flow
 where flow = captureFlow(api) and hasSummary(api, false)

csharp/ql/src/utils/model-generator/CaptureNegativeSummaryModels.ql

@@ -7,8 +7,8 @@
  */
 
 import semmle.code.csharp.dataflow.ExternalFlow
-import internal.CaptureModels
-import internal.CaptureSummaryFlow
+import utils.modelgenerator.internal.CaptureModels
+import utils.modelgenerator.internal.CaptureSummaryFlow
 
 from DataFlowTargetApi api, string noflow
 where

csharp/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -6,7 +6,7 @@
  * @tags model-generator
  */
 
-import internal.CaptureModels
+import utils.modelgenerator.internal.CaptureModels
 
 class Activate extends ActiveConfiguration {
   override predicate activateToSinkConfig() { any() }

csharp/ql/src/utils/model-generator/CaptureSourceModels.ql

@@ -6,7 +6,7 @@
  * @tags model-generator
  */
 
-import internal.CaptureModels
+import utils.modelgenerator.internal.CaptureModels
 
 class Activate extends ActiveConfiguration {
   override predicate activateFromSourceConfig() { any() }

csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql

@@ -7,8 +7,8 @@
  */
 
 import semmle.code.csharp.dataflow.ExternalFlow
-import internal.CaptureModels
-import internal.CaptureSummaryFlow
+import utils.modelgenerator.internal.CaptureModels
+import utils.modelgenerator.internal.CaptureSummaryFlow
 
 from DataFlowTargetApi api, string flow
 where flow = captureFlow(api) and not hasSummary(api, false)

csharp/ql/src/utils/model-generator/CaptureTypeBasedSummaryModels.ql

@@ -7,7 +7,7 @@
  */
 
 import semmle.code.csharp.dataflow.ExternalFlow
-import internal.CaptureTypeBasedSummaryModels
+import utils.modelgenerator.internal.CaptureTypeBasedSummaryModels
 
 from TypeBasedFlowTargetApi api, string flow
 where flow = captureFlow(api)

csharp/ql/src/utils/model-generator/internal/CaptureModels.qll renamed to csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -64,6 +64,7 @@ private string getSyntheticField(TypeParameter tp) {
  */
 private string implicit(DotNet::Callable callable, TypeParameter tp) {
   classTypeParameter(callable, tp) and
+  not callable.(Modifiable).isStatic() and
   exists(string access |
     if genericCollectionType(callable.getDeclaringType(), tp)
     then access = ".Element"
@@ -188,7 +189,7 @@ class TypeBasedFlowTargetApi extends Specific::TargetApiSpecific {
    * Gets the string representation of all type based summaries for `this`
    * inspired by the Theorems for Free approach.
    *
-   * Examples could be (see C# psuedo code below)
+   * Examples could be (see C# pseudo code below)
    * (1) `Get` returns a value of type `T`. We assume that the returned
    *     value was fetched from a (synthetic) field.
    * (2) `Set` consumes a value of type `T`. We assume that the value is stored in

csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll renamed to csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll

@@ -6,8 +6,8 @@
 import java
 
 /**
- * The type `t` is a parameterization of `g`, where the `i`-th type parameter of
- * `g` is instantiated to `a`?
+ * Holds if the type `t` is a parameterization of `g`, where the `i`-th type parameter of
+ * `g` is instantiated to `arg`.
  *
  * For example, `List<Integer>` parameterizes `List<T>`, instantiating its `0`-th
  * type parameter to `Integer`, while the raw type `List` also parameterizes

csharp/ql/src/utils/model-generator/internal/CaptureSummaryFlow.qll renamed to csharp/ql/src/utils/modelgenerator/internal/CaptureSummaryFlow.qll

@@ -195,6 +195,9 @@ class TypeVariable extends BoundedType, Modifiable, @typevariable {
     result = this.getASuppliedType().(TypeVariable).getAnUltimatelySuppliedType()
   }
 
+  /** Gets the index of `this` type variable. */
+  int getIndex() { typeVars(this, _, result, _, _) }
+
   override string getAPrimaryQlClass() { result = "TypeVariable" }
 }
 

csharp/ql/src/utils/model-generator/internal/CaptureTypeBasedSummaryModels.qll renamed to csharp/ql/src/utils/modelgenerator/internal/CaptureTypeBasedSummaryModels.qll

@@ -6,8 +6,8 @@
  * @tags model-generator
  */
 
-import internal.CaptureModels
-import internal.CaptureSummaryFlow
+import utils.modelgenerator.internal.CaptureModels
+import utils.modelgenerator.internal.CaptureSummaryFlow
 
 from DataFlowTargetApi api, string noflow
 where noflow = captureNoFlow(api)

java/ql/lib/semmle/code/java/Collections.qll

@@ -6,7 +6,7 @@
  * @tags model-generator
  */
 
-import internal.CaptureModels
+import utils.modelgenerator.internal.CaptureModels
 
 class Activate extends ActiveConfiguration {
   override predicate activateToSinkConfig() { any() }

java/ql/lib/semmle/code/java/Generics.qll

@@ -6,7 +6,7 @@
  * @tags model-generator
  */
 
-import internal.CaptureModels
+import utils.modelgenerator.internal.CaptureModels
 
 class Activate extends ActiveConfiguration {
   override predicate activateFromSourceConfig() { any() }

java/ql/src/utils/model-generator/CaptureNegativeSummaryModels.ql

@@ -6,8 +6,8 @@
  * @tags model-generator
  */
 
-import internal.CaptureModels
-import internal.CaptureSummaryFlow
+import utils.modelgenerator.internal.CaptureModels
+import utils.modelgenerator.internal.CaptureSummaryFlow
 
 from DataFlowTargetApi api, string flow
 where flow = captureFlow(api)

java/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Capture typed based summary models.
+ * @description Finds applicable summary models to be used by other queries.
+ * @kind diagnostic
+ * @id java/utils/model-generator/summary-models-typed-based
+ * @tags model-generator
+ */
+
+import utils.modelgenerator.internal.CaptureTypeBasedSummaryModels
+
+from TypeBasedFlowTargetApi api, string flow
+where flow = captureFlow(api)
+select flow order by flow

java/ql/src/utils/model-generator/CaptureSourceModels.ql

@@ -67,6 +67,8 @@ private predicate isRelevantForModels(J::Callable api) {
  */
 predicate isRelevantForDataFlowModels = isRelevantForModels/1;
 
+predicate isRelevantForTypeBasedFlowModels = isRelevantForModels/1;
+
 /**
  * A class of Callables that are relevant for generating summary, source and sinks models for.
  *
@@ -141,7 +143,7 @@ string asPartialNegativeModel(TargetApiSpecific api) {
   )
 }
 
-private predicate isPrimitiveTypeUsedForBulkData(J::Type t) {
+predicate isPrimitiveTypeUsedForBulkData(J::Type t) {
   t.hasName(["byte", "char", "Byte", "Character"])
 }