Merge branch 'main' into henrymercer/diagnostics-verify-one-based

Author: henrymercer

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll

@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlow.qll

@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}

csharp/documentation/library-coverage/coverage.csv

@@ -1,28 +1,28 @@
-package,sink,source,summary,sink:code,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:local,source:remote,summary:taint,summary:value
-Dapper,55,,,,,,,,,,55,,,,,,
-JsonToItemsTaskFactory,,,7,,,,,,,,,,,,,7,
-Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,28,,,,,,
-Microsoft.CSharp,,,24,,,,,,,,,,,,,24,
-Microsoft.EntityFrameworkCore,6,,,,,,,,,,6,,,,,,
-Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,,,15,
-Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,,,,,,45,1
-Microsoft.Extensions.Configuration,,,83,,,,,,,,,,,,,80,3
-Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,,,,,,62,
-Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,,12,
-Microsoft.Extensions.FileProviders,,,16,,,,,,,,,,,,,16,
-Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,,,,,,13,2
-Microsoft.Extensions.Hosting,,,17,,,,,,,,,,,,,16,1
-Microsoft.Extensions.Http,,,10,,,,,,,,,,,,,10,
-Microsoft.Extensions.Logging,,,37,,,,,,,,,,,,,37,
-Microsoft.Extensions.Options,,,8,,,,,,,,,,,,,8,
-Microsoft.Extensions.Primitives,,,63,,,,,,,,,,,,,63,
-Microsoft.Interop,,,27,,,,,,,,,,,,,27,
-Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,,1,
-Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,,,,,,4,
-Microsoft.VisualBasic,,,10,,,,,,,,,,,,,5,5
-Microsoft.Win32,,,8,,,,,,,,,,,,,8,
-MySql.Data.MySqlClient,48,,,,,,,,,,48,,,,,,
-Newtonsoft.Json,,,91,,,,,,,,,,,,,73,18
-ServiceStack,194,,7,27,,,,,,75,92,,,,,7,
-System,65,8,12154,,8,8,9,,4,,33,3,1,3,4,10163,1991
-Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,
+package,sink,source,summary,sink:code,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:file-write,source:local,source:remote,summary:taint,summary:value
+Dapper,55,,,,,,,,,,55,,,,,,,
+JsonToItemsTaskFactory,,,7,,,,,,,,,,,,,,7,
+Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,28,,,,,,,
+Microsoft.CSharp,,,24,,,,,,,,,,,,,,24,
+Microsoft.EntityFrameworkCore,6,,,,,,,,,,6,,,,,,,
+Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,,,,15,
+Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,,,,,,,45,1
+Microsoft.Extensions.Configuration,,,83,,,,,,,,,,,,,,80,3
+Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,,,,,,,62,
+Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,,,12,
+Microsoft.Extensions.FileProviders,,,16,,,,,,,,,,,,,,16,
+Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,,,,,,,13,2
+Microsoft.Extensions.Hosting,,,17,,,,,,,,,,,,,,16,1
+Microsoft.Extensions.Http,,,10,,,,,,,,,,,,,,10,
+Microsoft.Extensions.Logging,,,37,,,,,,,,,,,,,,37,
+Microsoft.Extensions.Options,,,8,,,,,,,,,,,,,,8,
+Microsoft.Extensions.Primitives,,,63,,,,,,,,,,,,,,63,
+Microsoft.Interop,,,27,,,,,,,,,,,,,,27,
+Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,,,1,
+Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,,,,,,,4,
+Microsoft.VisualBasic,,,10,,,,,,,,,,,,,,5,5
+Microsoft.Win32,,,8,,,,,,,,,,,,,,8,
+MySql.Data.MySqlClient,48,,,,,,,,,,48,,,,,,,
+Newtonsoft.Json,,,91,,,,,,,,,,,,,,73,18
+ServiceStack,194,,7,27,,,,,,75,92,,,,,,7,
+System,65,25,12154,,8,8,9,,4,,33,3,1,17,3,4,10163,1991
+Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",8,12154,65,7
+   System,"``System.*``, ``System``",25,12154,65,7
    Others,"``Dapper``, ``JsonToItemsTaskFactory``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NETCore.Platforms.BuildTasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``Windows.Security.Cryptography.Core``",,556,138,
-   Totals,,8,12717,397,7
+   Totals,,25,12717,397,7
 

csharp/ql/lib/ext/System.IO.model.yml

@@ -4,6 +4,23 @@ extensions:
       extensible: sourceModel
     data:
       - ["System.IO", "FileStream", False, "FileStream", "", "", "Argument[this]", "file", "manual"]
+      - ["System.IO", "FileStream", False, "FileStream", "", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Boolean)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Boolean,System.Text.Encoding)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Boolean,System.Text.Encoding,System.Int32)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.Text.Encoding,System.IO.FileStreamOptions)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "StreamWriter", False, "StreamWriter", "(System.String,System.IO.FileStreamOptions)", "", "Argument[this]", "file-write", "manual"]
+      - ["System.IO", "File", False, "Open", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "OpenWrite", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "Create", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "CreateText", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "File", False, "AppendText", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "Open", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "OpenWrite", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "Create", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "CreateText", "", "", "ReturnValue", "file-write", "manual"]
+      - ["System.IO", "FileInfo", False, "AppendText", "", "", "ReturnValue", "file-write", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: summaryModel

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -215,7 +215,7 @@ module ModelValidation {
     )
     or
     exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |
-      not kind = ["local", "remote", "file"] and
+      not kind = ["local", "remote", "file", "file-write"] and
       result = "Invalid kind \"" + kind + "\" in source model."
     )
   }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlow.qll

@@ -361,3 +361,52 @@ module MergePathGraph<
     }
   }
 }
+
+/**
+ * Constructs a `PathGraph` from three `PathGraph`s by disjoint union.
+ */
+module MergePathGraph3<
+  PathNodeSig PathNode1, PathNodeSig PathNode2, PathNodeSig PathNode3,
+  PathGraphSig<PathNode1> Graph1, PathGraphSig<PathNode2> Graph2, PathGraphSig<PathNode3> Graph3>
+{
+  private module MergedInner = MergePathGraph<PathNode1, PathNode2, Graph1, Graph2>;
+
+  private module Merged =
+    MergePathGraph<MergedInner::PathNode, PathNode3, MergedInner::PathGraph, Graph3>;
+
+  /** A node in a graph of path explanations that is formed by disjoint union of the three given graphs. */
+  class PathNode instanceof Merged::PathNode {
+    /** Gets this as a projection on the first given `PathGraph`. */
+    PathNode1 asPathNode1() { result = super.asPathNode1().asPathNode1() }
+
+    /** Gets this as a projection on the second given `PathGraph`. */
+    PathNode2 asPathNode2() { result = super.asPathNode1().asPathNode2() }
+
+    /** Gets this as a projection on the third given `PathGraph`. */
+    PathNode3 asPathNode3() { result = super.asPathNode2() }
+
+    /** Gets a textual representation of this element. */
+    string toString() { result = super.toString() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { result = super.getNode() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PathGraph = Merged::PathGraph;
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll

@@ -18,12 +18,10 @@ private import semmle.code.csharp.dataflow.TaintTracking2
  */
 predicate xssFlow(XssNode source, XssNode sink, string message) {
   // standard taint-tracking
-  exists(
-    TaintTrackingConfiguration c, DataFlow2::PathNode sourceNode, DataFlow2::PathNode sinkNode
-  |
+  exists(XssTracking::PathNode sourceNode, XssTracking::PathNode sinkNode |
     sourceNode = source.asDataFlowNode() and
     sinkNode = sink.asDataFlowNode() and
-    c.hasFlowPath(sourceNode, sinkNode) and
+    XssTracking::flowPath(sourceNode, sinkNode) and
     message =
       "is written to HTML or JavaScript" +
         any(string explanation |
@@ -45,7 +43,7 @@ predicate xssFlow(XssNode source, XssNode sink, string message) {
 module PathGraph {
   /** Holds if `(pred,succ)` is an edge in the graph of data flow path explanations. */
   query predicate edges(XssNode pred, XssNode succ) {
-    exists(DataFlow2::PathNode a, DataFlow2::PathNode b | DataFlow2::PathGraph::edges(a, b) |
+    exists(XssTracking::PathNode a, XssTracking::PathNode b | XssTracking::PathGraph::edges(a, b) |
       pred.asDataFlowNode() = a and
       succ.asDataFlowNode() = b
     )
@@ -56,7 +54,7 @@ module PathGraph {
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
   query predicate nodes(XssNode n, string key, string val) {
-    DataFlow2::PathGraph::nodes(n.asDataFlowNode(), key, val)
+    XssTracking::PathGraph::nodes(n.asDataFlowNode(), key, val)
     or
     xssFlow(n, n, _) and
     key = "semmle.label" and
@@ -69,13 +67,13 @@ module PathGraph {
    * `ret -> out` is summarized as the edge `arg -> out`.
    */
   query predicate subpaths(XssNode arg, XssNode par, XssNode ret, XssNode out) {
-    DataFlow2::PathGraph::subpaths(arg.asDataFlowNode(), par.asDataFlowNode(), ret.asDataFlowNode(),
-      out.asDataFlowNode())
+    XssTracking::PathGraph::subpaths(arg.asDataFlowNode(), par.asDataFlowNode(),
+      ret.asDataFlowNode(), out.asDataFlowNode())
   }
 }
 
 private newtype TXssNode =
-  TXssDataFlowNode(DataFlow2::PathNode node) or
+  TXssDataFlowNode(XssTracking::PathNode node) or
   TXssAspNode(AspInlineMember m)
 
 /**
@@ -90,21 +88,25 @@ class XssNode extends TXssNode {
   /** Gets the location of this node. */
   Location getLocation() { none() }
 
-  /** Gets the data flow node corresponding to this node, if any. */
-  DataFlow2::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() }
+  /**
+   * Gets the data flow node corresponding to this node, if any.
+   */
+  XssTracking::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() }
 
   /** Gets the ASP inline code element corresponding to this node, if any. */
   AspInlineMember asAspInlineMember() { result = this.(XssAspNode).getAspInlineMember() }
 }
 
-/** A data flow node, viewed as an XSS flow node. */
+/**
+ * A data flow node, viewed as an XSS flow node.
+ */
 class XssDataFlowNode extends TXssDataFlowNode, XssNode {
-  DataFlow2::PathNode node;
+  XssTracking::PathNode node;
 
   XssDataFlowNode() { this = TXssDataFlowNode(node) }
 
   /** Gets the data flow node corresponding to this node. */
-  DataFlow2::PathNode getDataFlowNode() { result = node }
+  XssTracking::PathNode getDataFlowNode() { result = node }
 
   override string toString() { result = node.toString() }
 
@@ -136,9 +138,11 @@ abstract class Source extends DataFlow::Node { }
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
 /**
+ * DEPRECATED: Use `XssTracking` instead.
+ *
  * A taint-tracking configuration for cross-site scripting (XSS) vulnerabilities.
  */
-class TaintTrackingConfiguration extends TaintTracking2::Configuration {
+deprecated class TaintTrackingConfiguration extends TaintTracking2::Configuration {
   TaintTrackingConfiguration() { this = "XSSDataFlowConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -148,6 +152,29 @@ class TaintTrackingConfiguration extends TaintTracking2::Configuration {
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
 
+/**
+ * A taint-tracking configuration for cross-site scripting (XSS) vulnerabilities.
+ */
+module XssTrackingConfig implements DataFlow::ConfigSig {
+  /**
+   * Holds if `source` is a relevant data flow source.
+   */
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  /**
+   * Holds if `sink` is a relevant data flow sink.
+   */
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  /**
+   * Holds if data flow through `node` is prohibited. This completely removes
+   * `node` from the data flow graph.
+   */
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+module XssTracking = TaintTracking::Global<XssTrackingConfig>;
+
 /** A source of remote user input. */
 private class RemoteSource extends Source instanceof RemoteFlowSource { }