Merge branch 'main' into experimental-decompression-api

Author: thiggy1342

csharp/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -1,6 +1,6 @@
 /**
  * @name Capture sink models.
- * @description Finds public methods that act as sinks as they flow into a a known sink.
+ * @description Finds public methods that act as sinks as they flow into a known sink.
  * @kind diagnostic
  * @id cs/utils/model-generator/sink-models
  * @tags model-generator

java/kotlin-extractor/kotlin_plugin_versions.py

@@ -15,11 +15,11 @@ def is_windows():
     return False
 
 def version_tuple_to_string(version):
-    return f'{version[0]}.{version[1]}.{version[2]}'
+    return f'{version[0]}.{version[1]}.{version[2]}{version[3]}'
 
 def version_string_to_tuple(version):
-    m = re.match(r'([0-9]+)\.([0-9]+)\.([0-9]+)', version)
-    return tuple([int(m.group(i)) for i in range(1, 4)])
+    m = re.match(r'([0-9]+)\.([0-9]+)\.([0-9]+)(.*)', version)
+    return tuple([int(m.group(i)) for i in range(1, 4)] + [m.group(4)])
 
 many_versions = [ '1.4.32', '1.5.0', '1.5.10', '1.5.21', '1.5.31', '1.6.10', '1.7.0-RC', '1.6.20' ]
 

java/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -1,6 +1,6 @@
 /**
  * @name Capture sink models.
- * @description Finds public methods that act as sinks as they flow into a a known sink.
+ * @description Finds public methods that act as sinks as they flow into a known sink.
  * @kind diagnostic
  * @id java/utils/model-generator/sink-models
  * @tags model-generator

javascript/ql/src/meta/alerts/LibraryInputs.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Library inputs
+ * @description An input coming from the client of a library
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/library-inputs
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import semmle.javascript.PackageExports
+
+select getALibraryInputParameter(), "Library input"

ruby/ql/lib/change-notes/released/0.2.3.md

@@ -0,0 +1,5 @@
+## 0.2.3
+
+### Minor Analysis Improvements
+
+- Calls to `Zip::File.open` and `Zip::File.new` have been added as `FileSystemAccess` sinks. As a result queries like `rb/path-injection` now flag up cases where users may access arbitrary archive files.

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -780,6 +780,24 @@ module API {
       or
       pos.isBlock() and
       result = Label::blockParameter()
+      or
+      pos.isAny() and
+      (
+        result = Label::parameter(_)
+        or
+        result = Label::keywordParameter(_)
+        or
+        result = Label::blockParameter()
+        // NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
+      )
+      or
+      pos.isAnyNamed() and
+      result = Label::keywordParameter(_)
+      //
+      // Note: there is currently no API graph label for `self`.
+      // It was omitted since in practice it means going back to where you came from.
+      // For example, `base.getMethod("foo").getSelf()` would just be `base`.
+      // However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
     }
 
     /** Gets the API graph label corresponding to the given parameter position. */
@@ -796,6 +814,24 @@ module API {
       or
       pos.isBlock() and
       result = Label::blockParameter()
+      or
+      pos.isAny() and
+      (
+        result = Label::parameter(_)
+        or
+        result = Label::keywordParameter(_)
+        or
+        result = Label::blockParameter()
+        // NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
+      )
+      or
+      pos.isAnyNamed() and
+      result = Label::keywordParameter(_)
+      //
+      // Note: there is currently no API graph label for `self`.
+      // It was omitted since in practice it means going back to where you came from.
+      // For example, `base.getMethod("foo").getSelf()` would just be `base`.
+      // However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
     }
   }
 }

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -8,10 +8,12 @@ private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.ActiveSupport
+private import codeql.ruby.frameworks.Archive
 private import codeql.ruby.frameworks.GraphQL
 private import codeql.ruby.frameworks.Rails
 private import codeql.ruby.frameworks.Stdlib
 private import codeql.ruby.frameworks.Files
 private import codeql.ruby.frameworks.HttpClients
 private import codeql.ruby.frameworks.XmlParsing
 private import codeql.ruby.frameworks.ActionDispatch
+private import codeql.ruby.frameworks.PosixSpawn

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -260,7 +260,9 @@ private module Cached {
       or
       FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
     } or
-    THashSplatArgumentPosition()
+    THashSplatArgumentPosition() or
+    TAnyArgumentPosition() or
+    TAnyKeywordArgumentPosition()
 
   cached
   newtype TParameterPosition =
@@ -280,7 +282,8 @@ private module Cached {
       FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
     } or
     THashSplatParameterPosition() or
-    TAnyParameterPosition()
+    TAnyParameterPosition() or
+    TAnyKeywordParameterPosition()
 }
 
 import Cached
@@ -482,11 +485,14 @@ class ParameterPosition extends TParameterPosition {
   predicate isHashSplat() { this = THashSplatParameterPosition() }
 
   /**
-   * Holds if this position represents any parameter. This includes both positional
-   * and named parameters.
+   * Holds if this position represents any parameter, except `self` parameters. This
+   * includes both positional, named, and block parameters.
    */
   predicate isAny() { this = TAnyParameterPosition() }
 
+  /** Holds if this position represents any positional parameter. */
+  predicate isAnyNamed() { this = TAnyKeywordParameterPosition() }
+
   /** Gets a textual representation of this position. */
   string toString() {
     this.isSelf() and result = "self"
@@ -502,6 +508,8 @@ class ParameterPosition extends TParameterPosition {
     this.isHashSplat() and result = "**"
     or
     this.isAny() and result = "any"
+    or
+    this.isAnyNamed() and result = "any-named"
   }
 }
 
@@ -519,6 +527,15 @@ class ArgumentPosition extends TArgumentPosition {
   /** Holds if this position represents a keyword argument named `name`. */
   predicate isKeyword(string name) { this = TKeywordArgumentPosition(name) }
 
+  /**
+   * Holds if this position represents any argument, except `self` arguments. This
+   * includes both positional, named, and block arguments.
+   */
+  predicate isAny() { this = TAnyArgumentPosition() }
+
+  /** Holds if this position represents any positional parameter. */
+  predicate isAnyNamed() { this = TAnyKeywordArgumentPosition() }
+
   /**
    * Holds if this position represents a synthesized argument containing all keyword
    * arguments wrapped in a hash.
@@ -535,12 +552,16 @@ class ArgumentPosition extends TArgumentPosition {
     or
     exists(string name | this.isKeyword(name) and result = "keyword " + name)
     or
+    this.isAny() and result = "any"
+    or
+    this.isAnyNamed() and result = "any-named"
+    or
     this.isHashSplat() and result = "**"
   }
 }
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
+pragma[nomagic]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   ppos.isSelf() and apos.isSelf()
   or
@@ -556,5 +577,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   or
   ppos.isHashSplat() and apos.isHashSplat()
   or
-  ppos.isAny() and exists(apos)
+  ppos.isAny() and not apos.isSelf()
+  or
+  apos.isAny() and not ppos.isSelf()
+  or
+  ppos.isAnyNamed() and apos.isKeyword(_)
+  or
+  apos.isAnyNamed() and ppos.isKeyword(_)
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -293,6 +293,12 @@ ArgumentPosition parseParamBody(string s) {
   or
   s = "block" and
   result.isBlock()
+  or
+  s = "any" and
+  result.isAny()
+  or
+  s = "any-named" and
+  result.isAnyNamed()
 }
 
 /** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
@@ -317,4 +323,10 @@ ParameterPosition parseArgBody(string s) {
   or
   s = "block" and
   result.isBlock()
+  or
+  s = "any" and
+  result.isAny()
+  or
+  s = "any-named" and
+  result.isAnyNamed()
 }

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll

@@ -6,6 +6,10 @@
 private import ruby
 private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.stdlib.Logger::Logger as StdlibLogger
 
 /**
  * Modeling for `ActiveSupport`.
@@ -32,6 +36,107 @@ module ActiveSupport {
 
         override DataFlow::Node getCode() { result = this.getReceiver() }
       }
+
+      /**
+       * Flow summary for methods which transform the receiver in some way, possibly preserving taint.
+       */
+      private class StringTransformSummary extends SummarizedCallable {
+        // We're modelling a lot of different methods, so we make up a name for this summary.
+        StringTransformSummary() { this = "ActiveSupportStringTransform" }
+
+        override MethodCall getACall() {
+          result.getMethodName() =
+            [
+              "camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
+              "foreign_key", "humanize", "indent", "parameterize", "pluralize", "singularize",
+              "squish", "strip_heredoc", "tableize", "titlecase", "titleize", "underscore",
+              "upcase_first"
+            ]
+        }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self]" and output = "ReturnValue" and preservesValue = false
+        }
+      }
+    }
+
+    /**
+     * Extensions to the `Enumerable` module.
+     */
+    module Enumerable {
+      private class ArrayIndex extends int {
+        ArrayIndex() { this = any(DataFlow::Content::KnownElementContent c).getIndex().getInt() }
+      }
+
+      private class CompactBlankSummary extends SimpleSummarizedCallable {
+        CompactBlankSummary() { this = "compact_blank" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      private class ExcludingSummary extends SimpleSummarizedCallable {
+        ExcludingSummary() { this = ["excluding", "without"] }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      private class InOrderOfSummary extends SimpleSummarizedCallable {
+        InOrderOfSummary() { this = "in_order_of" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      /**
+       * Like `Array#push` but doesn't update the receiver.
+       */
+      private class IncludingSummary extends SimpleSummarizedCallable {
+        IncludingSummary() { this = "including" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          (
+            exists(ArrayIndex i |
+              input = "Argument[self].Element[" + i + "]" and
+              output = "ReturnValue.Element[" + i + "]"
+            )
+            or
+            input = "Argument[self].Element[?]" and
+            output = "ReturnValue.Element[?]"
+            or
+            exists(int i | i in [0 .. (mc.getNumberOfArguments() - 1)] |
+              input = "Argument[" + i + "]" and
+              output = "ReturnValue.Element[?]"
+            )
+          ) and
+          preservesValue = true
+        }
+      }
+      // TODO: index_by, index_with, pick, pluck (they require Hash dataflow)
+    }
+  }
+
+  /**
+   * `ActiveSupport::Logger`
+   */
+  module Logger {
+    private class ActiveSupportLoggerInstantiation extends StdlibLogger::LoggerInstantiation {
+      ActiveSupportLoggerInstantiation() {
+        this =
+          API::getTopLevelMember("ActiveSupport")
+              .getMember(["Logger", "TaggedLogging"])
+              .getAnInstantiation()
+      }
     }
   }
 }