Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow

Author: MathiasVP

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -101,7 +101,10 @@ postWithInFlow
 | test.cpp:531:40:531:40 | e [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:537:5:537:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:537:6:537:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:542:23:542:23 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:542:5:542:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:542:6:542:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:548:25:548:25 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:552:25:552:25 | y [inner post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -532,12 +532,23 @@ void test_set_through_const_pointer(int *e)
   sink(*e); // $ ir MISSING: ast
 }
 
-void sink_then_source(int* p) {
-    sink(*p);
-    *p = source(); // $ SPURIOUS: ir=537:10 ir=541:9
+void sink_then_source_1(int* p) {
+    sink(*p); // $ SPURIOUS: ir=537:10 ir=547:9
+    *p = source();
+}
+
+void sink_then_source_2(int* p, int y) {
+    sink(y); // $ SPURIOUS: ast ir=542:10 ir=551:9
+    *p = source();
 }
 
 void test_sink_then_source() {
+  {
     int x;
-    sink_then_source(&x);
+    sink_then_source_1(&x);
+  }
+  {
+    int y;
+    sink_then_source_2(&y, y);
+  }
 }

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -37,4 +37,6 @@
 | test.cpp:517:7:517:16 | stackArray | test.cpp:519:3:519:12 | stackArray |
 | test.cpp:517:7:517:16 | stackArray | test.cpp:520:3:520:12 | stackArray |
 | test.cpp:517:7:517:16 | stackArray | test.cpp:521:8:521:17 | stackArray |
-| test.cpp:541:9:541:9 | x | test.cpp:542:23:542:23 | x |
+| test.cpp:547:9:547:9 | x | test.cpp:548:25:548:25 | x |
+| test.cpp:551:9:551:9 | y | test.cpp:552:25:552:25 | y |
+| test.cpp:551:9:551:9 | y | test.cpp:552:28:552:28 | y |

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -27,6 +27,10 @@ class int_iterator_by_trait {
 template<>
 struct std::iterator_traits<int_iterator_by_trait> {
     typedef input_iterator_tag iterator_category;
+    typedef int value_type;
+    typedef size_t difference_type;
+    typedef int* pointer;
+    typedef int& reference;
 };
 
 class non_iterator {
@@ -69,6 +73,10 @@ class insert_iterator_by_trait {
 template<>
 struct std::iterator_traits<insert_iterator_by_trait> {
     typedef output_iterator_tag iterator_category;
+    typedef int value_type;
+    typedef size_t difference_type;
+    typedef int* pointer;
+    typedef int& reference;
 };
 
 class container {
@@ -84,7 +92,7 @@ void test_insert_iterator() {
 
     insert_iterator_by_trait i1 = c1.begin();
     *i1-- = source();
-    sink(c1); // $ ast MISSING: ir
+    sink(c1); // $ ast,ir
 
     insert_iterator_by_trait i2 = c2.begin();
     *i2-- = 0;
@@ -101,12 +109,12 @@ void test_assign_through_iterator() {
 	a = c1.begin();
 	b = c1.begin();
 	*a = source();
-	sink(a); // $ ast MISSING: ir
+	sink(a); // $ ast,ir
 
 	c = c1.begin();
 	sink(b); // MISSING: ast,ir
-	sink(c); // $ ast MISSING: ir
-	sink(c1); // $ ast MISSING: ir
+	sink(c); // $ ast,ir
+	sink(c1); // $ ast,ir
 }
 
 void test_nonmember_iterator() {

cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp

@@ -46,7 +46,7 @@ The `CodeQL repository <https://github.com/github/codeql>`__ on GitHub contains
 If you have that folder (or a different CodeQL pack) available in your workspace, you can access existing queries under ``<language>/ql/src/<category>``, for example ``java/ql/src/Likely Bugs``.
 
 #. Open a query (``.ql``) file. It is displayed in the editor, with IntelliSense features such as syntax highlighting and autocomplete suggestions.
-#. Right-click in the query window and select **CodeQL: Run Query**. (Alternatively, run the command from the Command Palette.)
+#. Right-click in the query window and select **CodeQL: Run Query on Selected Database**. (Alternatively, run the command from the Command Palette.)
 
 The CodeQL extension runs the query on the current database and reports progress in the bottom right corner of the application.
 When the results are ready, they're displayed in the Results view.
@@ -73,7 +73,7 @@ Running a quick query
 
 When working on a new query, you can open a "quick query" tab to easily execute your code and view the results, without having to save a ``.ql`` file in your workspace.
 Open a quick query editing tab by selecting **CodeQL: Quick Query** from the Command Palette.
-To run the query, use **CodeQL: Run Query**.
+To run the query, use **CodeQL: Run Query on Selected Database**.
 
 You can see all quick queries that you've run in the current session in the Query History view. Click an entry to see the exact text of the quick query that produced the results.
 
@@ -85,7 +85,7 @@ Running a specific part of a query or library
 ----------------------------------------------
 
 This is helpful if you're debugging a query or library and you want to locate the part that is wrong.
-Instead of using **CodeQL: Run Query** to run the whole query (the :ref:`select clause <select-clauses>` and any :ref:`query predicates <query-predicates>`), you can use **CodeQL: Quick Evaluation** to run a specific part of a ``.ql`` or ``.qll`` file.
+Instead of using **CodeQL: Run Query on Selected Database** to run the whole query (the :ref:`select clause <select-clauses>` and any :ref:`query predicates <query-predicates>`), you can use **CodeQL: Quick Evaluation** to run a specific part of a ``.ql`` or ``.qll`` file.
 
 **CodeQL: Quick Evaluation** evaluates a code snippet (instead of the whole query) and displays results of that selection in the Results view.
 Possible targets for quick evaluation include:

docs/codeql/codeql-for-visual-studio-code/analyzing-your-projects.rst

@@ -24,7 +24,7 @@ Running path queries in VS Code
 -----------------------------------
 
 #. Open a path query in the editor.
-#. Right-click in the query window and select **CodeQL: Run Query**. (Alternatively, run the command from the Command Palette.)
+#. Right-click in the query window and select **CodeQL: Run Query on Selected Database**. (Alternatively, run the command from the Command Palette.)
 #. Once the query has finished running, you can see the results in the Results view as usual (under ``alerts`` in the dropdown menu). Each query result describes the flow of information between a source and a sink.
 #. Expand the result to see the individual steps that the data follows. 
 #. Click each step to jump to it in the source code and investigate the problem further.

docs/codeql/codeql-for-visual-studio-code/exploring-data-flow-with-path-queries.rst

@@ -1,6 +1,6 @@
 4. Save the query in its default location (a temporary "Quick Queries" directory under the workspace for ``GitHub.vscode-codeql/quick-queries``).
 
-#. Right-click in the query tab and select **CodeQL: Run Query**. (Alternatively, run the command from the Command Palette.)
+#. Right-click in the query tab and select **CodeQL: Run Query on Selected Database**. (Alternatively, run the command from the Command Palette.)
 
    The query will take a few moments to return results. When the query completes, the results are displayed in a CodeQL Query Results view, next to the main editor view.
 

docs/codeql/reusables/vs-code-basic-instructions/run-quick-query-2.rst

@@ -87,7 +87,13 @@ File tryExtensions(Folder dir, string basename, int priority) {
  * Or `name`, if `name` has no file extension.
  */
 bindingset[name]
-private string getStem(string name) { result = name.regexpCapture("(.+?)(?:\\.([^.]+))?", 1) }
+private string getStem(string name) {
+  // everything before the last dot
+  result = name.regexpCapture("(.+?)(?:\\.([^.]+))?", 1)
+  or
+  // everything before the first dot
+  result = name.regexpCapture("^([^.]*)\\..*$", 1)
+}
 
 /**
  * Gets a file that a main module from `pkg` exported as `mainPath` with the given `priority`.

javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll

@@ -117,6 +117,12 @@ nodes
 | lib.js:128:9:128:20 | obj[path[0]] |
 | lib.js:128:13:128:16 | path |
 | lib.js:128:13:128:19 | path[0] |
+| otherlib/src/otherlibimpl.js:1:37:1:40 | path |
+| otherlib/src/otherlibimpl.js:1:37:1:40 | path |
+| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
+| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
+| otherlib/src/otherlibimpl.js:2:7:2:10 | path |
+| otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] |
 | sublib/other.js:5:28:5:31 | path |
 | sublib/other.js:5:28:5:31 | path |
 | sublib/other.js:6:7:6:18 | obj[path[0]] |
@@ -295,6 +301,11 @@ edges
 | lib.js:128:13:128:16 | path | lib.js:128:13:128:19 | path[0] |
 | lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
 | lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
+| otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:7:2:10 | path |
+| otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:7:2:10 | path |
+| otherlib/src/otherlibimpl.js:2:7:2:10 | path | otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] |
+| otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
+| otherlib/src/otherlibimpl.js:2:7:2:13 | path[0] | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] |
 | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:11:6:14 | path |
 | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:11:6:14 | path |
 | sublib/other.js:6:11:6:14 | path | sublib/other.js:6:11:6:17 | path[0] |
@@ -367,6 +378,7 @@ edges
 | lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:21 | arguments | library input |
 | lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input |
 | lib.js:128:9:128:20 | obj[path[0]] | lib.js:127:14:127:17 | path | lib.js:128:9:128:20 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:127:14:127:17 | path | library input |
+| otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | otherlib/src/otherlibimpl.js:1:37:1:40 | path | otherlib/src/otherlibimpl.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | otherlib/src/otherlibimpl.js:1:37:1:40 | path | library input |
 | sublib/other.js:6:7:6:18 | obj[path[0]] | sublib/other.js:5:28:5:31 | path | sublib/other.js:6:7:6:18 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/other.js:5:28:5:31 | path | library input |
 | sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input |
 | tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected

@@ -0,0 +1,4 @@
+{
+    "name": "otherlib",
+    "main": "dist/otherlibimpl.node.cjs.js"
+}

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/package.json

@@ -0,0 +1,3 @@
+module.exports.set = function (obj, path, value) {
+  obj[path[0]][path[1]] = value; // NOT OK
+}

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js

@@ -28,8 +28,8 @@
 assert hasattr(arguments, "ignore_missing_query_packs")
 
 # Define which languages and query packs to consider
-languages = [ "cpp", "csharp", "go", "java", "javascript", "python", "ruby"]
-packs = [ "code-scanning", "security-and-quality", "security-extended" ]
+languages = [ "cpp", "csharp", "go", "java", "javascript", "python", "ruby", "swift" ]
+packs = [ "code-scanning", "security-and-quality", "security-extended", "security-experimental" ]
 
 class CodeQL:
     def __init__(self):

misc/scripts/generate-code-scanning-query-list.py

@@ -16,7 +16,7 @@ clap = "3.0"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3.3", features = ["env-filter"] }
 rayon = "1.5.0"
-num_cpus = "1.13.0"
-regex = "1.5.5"
+num_cpus = "1.14.0"
+regex = "1.7.1"
 encoding = "0.2"
 lazy_static = "1.4.0"

ruby/Cargo.lock

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Access to headers stored in the `env` of Rack requests is now recognized as a source of remote input.

ruby/extractor/Cargo.toml

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Data flowing from the `locals` argument of a Rails `render` call is now tracked to uses of that data in an associated view.

ruby/ql/lib/change-notes/2023-01-12-rack.md

@@ -16,6 +16,7 @@ private import codeql.ruby.frameworks.ActiveSupport
 private import codeql.ruby.frameworks.Archive
 private import codeql.ruby.frameworks.Arel
 private import codeql.ruby.frameworks.GraphQL
+private import codeql.ruby.frameworks.Rack
 private import codeql.ruby.frameworks.Rails
 private import codeql.ruby.frameworks.Railties
 private import codeql.ruby.frameworks.Stdlib