
Commit afcb767

committed
Merge branch 'main' into js-followMsg
2 parents 6ec03d4 + 3384521 commit afcb767


292 files changed

+22975
-27675
lines changed



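--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -27,7 +27,8 @@ jobs:
 run: |
 EXIT_CODE=0
 # TODO: remove the swift exception from the regex when we fix generated QLdoc
-changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!swift)[a-z]*/ql/lib' || true; } | sort -u)"
+# TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
+changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(swift|shared))[a-z]*/ql/lib' || true; } | sort -u)"
 for pack_dir in ${changed_lib_packs}; do
 lang="${pack_dir%/ql/lib}"
 codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"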
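Review bot: The negative lookahead `(?!(swift|shared))` on new line 31 excludes by prefix rather than by directory, so a future language directory whose name merely starts with `swift` or `shared` would be dropped from the coverage check without any message, and the surrounding `|| true` makes the empty result look like success. Anchoring the exclusion on the separator, `grep -Po '^(?!(swift|shared)/)[a-z]*/ql/lib'`, limits it to exactly those two trees. The two TODO comments on lines 29 and 30 now each explain one half of the same regex; one comment listing both exceptions and their removal conditions would keep them together. The `run:` script continues outside the hunk.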

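--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -95,6 +95,7 @@ jobs:
 uses: ./.github/actions/fetch-codeql
 - name: Build Query Pack
 run: |
+codeql pack create ../shared/ssa --output target/packs
 codeql pack create ql/lib --output target/packs
 codeql pack install ql/src
 codeql pack create ql/src --output target/packs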
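Review bot: The added `codeql pack create ../shared/ssa --output target/packs` on new line 98 carries no comment saying why a pack outside the Ruby tree is built first, and its `../` path depends on the step's working directory, which is set outside the hunk. If, as the `codeql/ssa` dependency added to cpp/ql/lib/qlpack.yml in this commit suggests, the Ruby library pack now depends on that shared pack, a line such as `# build shared/ssa first: ql/lib depends on codeql/ssa` would record the ordering constraint for whoever reorders these steps next.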

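--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -4,6 +4,7 @@ provide:
 - "*/ql/test/qlpack.yml"
 - "*/ql/examples/qlpack.yml"
 - "*/ql/consistency-queries/qlpack.yml"
+- "shared/*/qlpack.yml"
 - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
 - "go/ql/config/legacy-support/qlpack.yml"
 - "go/build/codeql-extractor-go/codeql-extractor.yml"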

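--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -461,12 +461,6 @@
 "javascript/ql/lib/IDEContextual.qll",
 "python/ql/lib/analysis/IDEContextual.qll"
 ],
-"SSA C#": [
-"csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll",
-"ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImplCommon.qll",
-"cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll",
-"swift/ql/lib/codeql/swift/dataflow/internal/SsaImplCommon.qll"
-],
 "CryptoAlgorithms Python/JS/Ruby": [
 "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
 "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",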
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: fix
3+
---
4+
* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

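--- a/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/Bound.qll
@@ -73,7 +73,7 @@ class ValueNumberBound extends Bound, TBoundValueNumber {
 this = TBoundValueNumber(valueNumber(result)) and delta = 0
 }
 
-override string toString() { result = vn.getExampleInstruction().toString() }
+override string toString() { result = "ValueNumberBound" }
 
 override Location getLocation() { result = vn.getLocation() }
 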
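Review bot: The new `toString` on line 76 yields the constant `"ValueNumberBound"` for every instance, so any output that prints bounds no longer distinguishes one value-number bound from another, and nothing in the hunk records why the example-instruction form was dropped. If that is intended, a QLDoc line above the override, e.g. `/** Intentionally constant; see [REASON] for why the example instruction is no longer printed. */`, keeps the next reader from restoring the old body. `getLocation` on line 78 still goes through `vn`, so that field remains in use. The class `ValueNumberBound` starts and ends outside the hunk.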
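--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll
@@ -112,12 +112,11 @@ module SemanticExprConfig {
 
 predicate hasDominanceInformation(BasicBlock block) { any() }
 
-int getBasicBlockUniqueId(BasicBlock block) {
-// REVIEW: `getDisplayIndex()` is not intended for use in real queries, but for now it's the
-// best we can do because `equivalentRelation` won't accept a predicate whose parameters are IPA
-// types.
-result = block.getDisplayIndex()
-}
+private predicate id(Cpp::Locatable x, Cpp::Locatable y) { x = y }
+
+private predicate idOf(Cpp::Locatable x, int y) = equivalenceRelation(id/2)(x, y)
+
+int getBasicBlockUniqueId(BasicBlock block) { idOf(block.getFirstInstruction().getAst(), result) }
 
 newtype TSsaVariable =
 TSsaInstruction(IR::Instruction instr) { instr.hasMemoryResult() } or
@@ -267,17 +266,7 @@ module SemanticExprConfig {
 
 ValueNumberBound() { bound = this }
 
-override string toString() {
-result =
-min(SsaVariable v |
-v.asInstruction() = bound.getValueNumber().getAnInstruction()
-|
-v
-order by
-v.asInstruction().getBlock().getDisplayIndex(),
-v.asInstruction().getDisplayIndexInBlock()
-).toString()
-}
+override string toString() { result = bound.toString() }
 }
 
 predicate zeroBound(Bound bound) { bound instanceof IRBound::ZeroBound }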
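Review bot: The rewritten `getBasicBlockUniqueId` on new line 119 keys the id on `block.getFirstInstruction().getAst()`, so two basic blocks whose first instructions derive from the same AST element would share an id, which the predicate's name says must not happen; whether the IR guarantees that every block starts at a distinct AST element is not visible here and deserves either a comment or a check. The `id/2` predicate on line 115 is the identity over all `Cpp::Locatable`, so `equivalenceRelation(id/2)` numbers every locatable rather than only block starts; the removed REVIEW comment explained the previous workaround, and a replacement such as `// Identity relation on Locatable: equivalenceRelation does not accept IPA-typed parameters, so the block is first mapped to its first instruction's AST element` would carry that rationale forward. The second hunk's `toString` on line 269 simply delegates to `bound.toString()` and raises nothing. Module `SemanticExprConfig` starts and ends outside both hunks.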

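--- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysis.qll
@@ -542,12 +542,32 @@ private predicate unequalIntegralSsa(
 ) {
 exists(SemExpr e, int d1, int d2 |
 unequalFlowStepIntegralSsa(v, pos, e, d1, reason) and
-bounded(e, b, d2, true, _, _, _) and
-bounded(e, b, d2, false, _, _, _) and
+boundedUpper(e, b, d1) and
+boundedLower(e, b, d2) and
 delta = d2 + d1
 )
 }
 
+/**
+* Holds if `b + delta` is an upper bound for `e`.
+*
+* This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
+*/
+pragma[nomagic]
+private predicate boundedUpper(SemExpr e, SemBound b, int delta) {
+bounded(e, b, delta, true, _, _, _)
+}
+
+/**
+* Holds if `b + delta` is a lower bound for `e`.
+*
+* This predicate only exists to prevent a bad standard order in `unequalIntegralSsa`.
+*/
+pragma[nomagic]
+private predicate boundedLower(SemExpr e, SemBound b, int delta) {
+bounded(e, b, delta, false, _, _, _)
+}
+
 /** Weakens a delta to lie in the range `[-1..1]`. */
 bindingset[delta, upper]
 private int weakenDelta(boolean upper, int delta) {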
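Review bot: The replacement on new lines 545-546 binds the upper bound to `d1`, which is already bound by `unequalFlowStepIntegralSsa(v, pos, e, d1, reason)` on line 544, whereas the removed lines used `d2` for both the upper and the lower bound; the QLDoc on the new helpers says they exist only to fix a bad standard order, so the change of delta looks unintended and would make `delta = d2 + d1` combine a flow-step delta with itself. If that is so, the two calls should read `boundedUpper(e, b, d2) and boundedLower(e, b, d2)`; if the new binding is deliberate, the doc comment on `boundedUpper` should say why the flow-step delta is the upper bound here. `unequalIntegralSsa` begins outside the hunk.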

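--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -5,3 +5,5 @@ dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 upgrades: upgrades
+dependencies:
+codeql/ssa: 0.0.1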

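--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
 }
 
 override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-(this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+(
+this.isSink(node) or
+this.isSink(node, _) or
+this.isAdditionalTaintStep(node, _) or
+this.isAdditionalTaintStep(node, _, _, _)
+) and
 defaultImplicitTaintRead(node, c)
 }
 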
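Review bot: The new disjunction on lines 175-180 is copied verbatim into four further files in this commit (cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll and the tainttracking1, tainttracking2 and tainttracking3 copies under cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal), and nothing in the hunk says why the flow-state overloads had to be added; a comment above the parenthesised block, e.g. `// Include the flow-state overloads too, otherwise sinks and steps declared with a state never receive implicit reads`, would carry the changelog's rationale into the code. Since this commit also edits config/identical-files.json, it is worth confirming the five copies remain listed there so they cannot drift apart. The enclosing `Configuration` class continues outside the hunk.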
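--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
 }
 
 override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-(this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+(
+this.isSink(node) or
+this.isSink(node, _) or
+this.isAdditionalTaintStep(node, _) or
+this.isAdditionalTaintStep(node, _, _, _)
+) and
 defaultImplicitTaintRead(node, c)
 }
 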
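--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -4,7 +4,7 @@ private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
-private import SsaImplCommon as SsaImplCommon
+private import codeql.ssa.Ssa as SsaImplCommon
 
 private module SourceVariables {
 private newtype TSourceVariable =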

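--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
 }
 
 override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-(this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+(
+this.isSink(node) or
+this.isSink(node, _) or
+this.isAdditionalTaintStep(node, _) or
+this.isAdditionalTaintStep(node, _, _, _)
+) and
 defaultImplicitTaintRead(node, c)
 }
 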
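--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
 }
 
 override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-(this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+(
+this.isSink(node) or
+this.isSink(node, _) or
+this.isAdditionalTaintStep(node, _) or
+this.isAdditionalTaintStep(node, _, _, _)
+) and
 defaultImplicitTaintRead(node, c)
 }
 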
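--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
 }
 
 override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-(this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+(
+this.isSink(node) or
+this.isSink(node, _) or
+this.isAdditionalTaintStep(node, _) or
+this.isAdditionalTaintStep(node, _, _, _)
+) and
 defaultImplicitTaintRead(node, c)
 }
 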