Merge branch 'main' into impropnullfp

Author: geoffw0

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -6,6 +6,8 @@ on:
       - '.github/workflows/csv-coverage-pr-comment.yml'
       - '*/ql/src/**/*.ql'
       - '*/ql/src/**/*.qll'
+      - '*/ql/lib/**/*.ql'
+      - '*/ql/lib/**/*.qll'
       - 'misc/scripts/library-coverage/*.py'
       # input data files
       - '*/documentation/library-coverage/cwe-sink.csv'

README.md

@@ -4,8 +4,8 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) extension to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 

cpp/change-notes/2021-06-10-cleartext-transmission.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query (`cpp/cleartext-transmission`) has been added. This is similar to the `cpp/cleartext-storage-file`, `cpp/cleartext-storage-buffer` and `cpp/cleartext-storage-database` queries but looks for cases where sensitive information is most likely transmitted over a network.

cpp/change-notes/2021-09-27-command-line-injection.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Uncontrolled data used in OS command" (`cpp/command-line-injection`) query has been enhanced to reduce false positive results and its `@precision` increased to `high`

cpp/change-notes/2021-09-27-overflow-static.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Increase precision to high for the "Static buffer overflow" query
+  (`cpp/static-buffer-overflow`). This means the query is run and displayed by default on Code Scanning and LGTM.

cpp/ql/lib/semmle/code/cpp/File.qll

@@ -38,7 +38,7 @@ class Container extends Locatable, @container {
    * DEPRECATED: Use `getLocation` instead.
    * Gets a URL representing the location of this container.
    *
-   * For more information see [Providing URLs](https://help.semmle.com/QL/learn-ql/ql/locations.html#providing-urls).
+   * For more information see [Providing URLs](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-urls).
    */
   deprecated string getURL() { none() } // overridden by subclasses
 

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -61,7 +61,7 @@ class Location extends @location {
    * The location spans column `startcolumn` of line `startline` to
    * column `endcolumn` of line `endline` in file `filepath`.
    * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -24,7 +24,7 @@ class XMLLocatable extends @xmllocatable, TXMLLocatable {
    * The location spans column `startcolumn` of line `startline` to
    * column `endcolumn` of line `endline` in file `filepath`.
    * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -10,44 +10,11 @@ import semmle.code.cpp.dataflow.DataFlow
  *   char data[1]; // v
  * };
  * ```
- * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.
- * In addition, if the size of the structure is taken, there must be at least one instance
- * where a `c` pointer is allocated with additional space.
- * For example, holds for `c` if it occurs as
- * ```
- * malloc(sizeof(c) + 100 * sizeof(char))
- * ```
- * but not if it only ever occurs as
- * ```
- * malloc(sizeof(c))
- * ```
+ * This requires that `v` is an array of size 0 or 1.
  */
 predicate memberMayBeVarSize(Class c, MemberVariable v) {
-  exists(int i |
-    // `v` is the last field in `c`
-    i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
-    v = c.getCanonicalMember(i) and
-    // v is an array of size at most 1
-    v.getUnspecifiedType().(ArrayType).getArraySize() <= 1 and
-    not c instanceof Union
-  ) and
-  // If the size is taken, then arithmetic is performed on the result at least once
-  (
-    // `sizeof(c)` is not taken
-    not exists(SizeofOperator so |
-      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
-      so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
-    )
-    or
-    // or `sizeof(c)` is taken
-    exists(SizeofOperator so |
-      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
-      so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
-    |
-      // and arithmetic is performed on the result
-      so.getParent*() instanceof AddExpr
-    )
-  )
+  c = v.getDeclaringType() and
+  v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
 }
 
 /**
@@ -60,10 +27,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
     result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
-    not exists(Union bufferType |
-      bufferType.getAMemberVariable() = why and
-      bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1
-    ) and
     not result = 0 // zero sized arrays are likely to have special usage, for example
     or
     // behaving a bit like a 'union' overlapping other fields.
@@ -85,13 +48,6 @@ int getBufferSize(Expr bufferExpr, Element why) {
       parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
       result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
     )
-    or
-    exists(Union bufferType |
-      bufferType.getAMemberVariable() = why and
-      why = bufferVar and
-      bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1 and
-      result = bufferType.getSize()
-    )
   )
   or
   // buffer is a fixed size dynamic allocation

cpp/ql/lib/semmle/code/cpp/commons/NullTermination.qll

@@ -100,6 +100,15 @@ predicate variableMustBeNullTerminated(VariableAccess va) {
       fc.getArgument(i) = va
     )
     or
+    // String argument to a formatting function (such as `printf`)
+    exists(int n, FormatLiteral fl |
+      fc.(FormattingFunctionCall).getConversionArgument(n) = va and
+      fl = fc.(FormattingFunctionCall).getFormat() and
+      fl.getConversionType(n) instanceof PointerType and // `%s`, `%ws` etc
+      not fl.getConversionType(n) instanceof VoidPointerType and // exclude: `%p`
+      not fl.hasPrecision(n) // exclude: `%.*s`
+    )
+    or
     // Call to a wrapper function that requires null termination
     // (not itself adding a null terminator)
     exists(Function wrapper, int i, Parameter p, VariableAccess use |