cklin
diff --git a/‎.codeqlmanifest.json
Lines changed: 30 additions & 0 deletions b/‎.codeqlmanifest.json
Lines changed: 30 additions & 0 deletions
diff --git a/‎codeql-workspace.yml
Lines changed: 0 additions & 32 deletions b/‎codeql-workspace.yml
Lines changed: 0 additions & 32 deletions
diff --git a/‎config/identical-files.json
Lines changed: 4 additions & 2 deletions b/‎config/identical-files.json
Lines changed: 4 additions & 2 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
Lines changed: 38 additions & 7 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
Lines changed: 38 additions & 7 deletions
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.expected
Lines changed: 3 additions & 1 deletion b/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.expected
Lines changed: 3 additions & 1 deletion
diff --git a/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/test.cpp
Lines changed: 13 additions & 9 deletions b/‎cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/test.cpp
Lines changed: 13 additions & 9 deletions
diff --git a/‎csharp/documentation/library-coverage/coverage.csv
Lines changed: 20 additions & 3 deletions b/‎csharp/documentation/library-coverage/coverage.csv
Lines changed: 20 additions & 3 deletions
diff --git a/‎csharp/documentation/library-coverage/coverage.rst
Lines changed: 3 additions & 3 deletions b/‎csharp/documentation/library-coverage/coverage.rst
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/codeql/codeql-cli/creating-codeql-databases.rst
Lines changed: 2 additions & 1 deletion b/‎docs/codeql/codeql-cli/creating-codeql-databases.rst
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/codeql/support/reusables/versions-compilers.rst
Lines changed: 2 additions & 2 deletions b/‎docs/codeql/support/reusables/versions-compilers.rst
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,30 @@
+{
+    "provide": [
+        "*/ql/src/qlpack.yml",
+        "*/ql/lib/qlpack.yml",
+        "*/ql/test/qlpack.yml",
+        "*/ql/examples/qlpack.yml",
+        "*/ql/consistency-queries/qlpack.yml",
+        "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
+        "go/ql/config/legacy-support/qlpack.yml",
+        "go/build/codeql-extractor-go/codeql-extractor.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml",
+        "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/lib/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/src/qlpack.yml",
+        "csharp/ql/campaigns/Solorigate/test/qlpack.yml",
+        "misc/legacy-support/*/qlpack.yml",
+        "misc/suite-helpers/qlpack.yml",
+        "ruby/extractor-pack/codeql-extractor.yml",
+        "swift/extractor-pack/codeql-extractor.yml",
+        "ql/extractor-pack/codeql-extractor.yml"
+    ],
+    "versionPolicies": {
+      "default": {
+        "requireChangeNotes": true,
+        "committedPrereleaseSuffix": "dev",
+        "committedVersion": "nextPatchRelease"
+      }
+    }
+}
@@ -525,7 +525,8 @@
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
+    "python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll"
   ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
@@ -543,7 +544,8 @@
   ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
-    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
+    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
+    "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
   ],
   "TaintedFormatStringQuery Ruby/JS": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
 
@@ -17,6 +17,36 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
 
+/**
+ * A Linux system call.
+ */
+class SystemCallFunction extends Function {
+  SystemCallFunction() {
+    exists(MacroInvocation m |
+      m.getMacro().getName().matches("SYSCALL\\_DEFINE%") and
+      this = m.getEnclosingFunction()
+    )
+  }
+}
+
+/**
+ * A value that comes from a Linux system call (sources).
+ */
+class SystemCallSource extends DataFlow::Node {
+  SystemCallSource() {
+    exists(FunctionCall fc |
+      fc.getTarget() instanceof SystemCallFunction and
+      (
+        this.asDefiningArgument() = fc.getAnArgument().getAChild*() or
+        this.asExpr() = fc
+      )
+    )
+  }
+}
+
+/**
+ * Macros used to check the value (barriers).
+ */
 class WriteAccessCheckMacro extends Macro {
   VariableAccess va;
 
@@ -28,6 +58,9 @@ class WriteAccessCheckMacro extends Macro {
   VariableAccess getArgument() { result = va }
 }
 
+/**
+ * The `unsafe_put_user` macro and its uses (sinks).
+ */
 class UnSafePutUserMacro extends Macro {
   PointerDereferenceExpr writeUserPtr;
 
@@ -42,15 +75,13 @@ class UnSafePutUserMacro extends Macro {
   }
 }
 
-class ExploitableUserModePtrParam extends Parameter {
+class ExploitableUserModePtrParam extends SystemCallSource {
   ExploitableUserModePtrParam() {
-    not exists(WriteAccessCheckMacro writeAccessCheck |
-      DataFlow::localFlow(DataFlow::parameterNode(this),
-        DataFlow::exprNode(writeAccessCheck.getArgument()))
-    ) and
     exists(UnSafePutUserMacro unsafePutUser |
-      DataFlow::localFlow(DataFlow::parameterNode(this),
-        DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+      DataFlow::localFlow(this, DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+    ) and
+    not exists(WriteAccessCheckMacro writeAccessCheck |
+      DataFlow::localFlow(this, DataFlow::exprNode(writeAccessCheck.getArgument()))
     )
   }
 }
 
@@ -1 +1,3 @@
-| test.cpp:14:16:14:16 | p | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:14:16:14:16 | p | p |
+| test.cpp:20:21:20:22 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:20:21:20:22 | ref arg & ... | ref arg & ... |
+| test.cpp:41:21:41:22 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:41:21:41:22 | ref arg & ... | ref arg & ... |
+| test.cpp:69:21:69:27 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:69:21:69:27 | ref arg & ... | ref arg & ... |
@@ -1,7 +1,11 @@
 
 typedef unsigned long size_t;
 
-void SYSC_SOMESYSTEMCALL(void *param);
+#define SYSCALL_DEFINE(name, ...) \
+	void do_sys_##name(); \
+	void sys_##name(...) { do_sys_##name(); } \
+	void do_sys_##name()
+SYSCALL_DEFINE(somesystemcall, void *param) {};
 
 bool user_access_begin_impl(const void *where, size_t sz);
 void user_access_end_impl();
@@ -13,14 +17,14 @@ void unsafe_put_user_impl(int what, const void *where, size_t sz);
 
 void test1(int p)
 {
-	SYSC_SOMESYSTEMCALL(&p);
+	sys_somesystemcall(&p);
 
 	unsafe_put_user(123, &p); // BAD
 }
 
 void test2(int p)
 {
-	SYSC_SOMESYSTEMCALL(&p);
+	sys_somesystemcall(&p);
 
 	if (user_access_begin(&p, sizeof(p)))
 	{
@@ -34,16 +38,16 @@ void test3()
 {
 	int v;
 
-	SYSC_SOMESYSTEMCALL(&v);
+	sys_somesystemcall(&v);
 
-	unsafe_put_user(123, &v); // BAD [NOT DETECTED]
+	unsafe_put_user(123, &v); // BAD
 }
 
 void test4()
 {
 	int v;
 
-	SYSC_SOMESYSTEMCALL(&v);
+	sys_somesystemcall(&v);
 
 	if (user_access_begin(&v, sizeof(v)))
 	{
@@ -62,16 +66,16 @@ void test5()
 {
 	data myData;
 
-	SYSC_SOMESYSTEMCALL(&myData);
+	sys_somesystemcall(&myData);
 
-	unsafe_put_user(123, &(myData.x)); // BAD [NOT DETECTED]
+	unsafe_put_user(123, &(myData.x)); // BAD
 }
 
 void test6()
 {
 	data myData;
 
-	SYSC_SOMESYSTEMCALL(&myData);
+	sys_somesystemcall(&myData);
 
 	if (user_access_begin(&myData, sizeof(myData)))
 	{
 
@@ -1,10 +1,27 @@
 package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
 Dapper,55,,,,,,55,,,,
+JsonToItemsTaskFactory,,,7,,,,,,,7,
 Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
+Microsoft.CSharp,,,24,,,,,,,24,
 Microsoft.EntityFrameworkCore,6,,,,,,6,,,,
-Microsoft.Extensions.Primitives,,,54,,,,,,,54,
-Microsoft.VisualBasic,,,4,,,,,,,,4
+Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,15,
+Microsoft.Extensions.Caching.Memory,,,46,,,,,,,45,1
+Microsoft.Extensions.Configuration,,,83,,,,,,,80,3
+Microsoft.Extensions.DependencyInjection,,,62,,,,,,,62,
+Microsoft.Extensions.DependencyModel,,,12,,,,,,,12,
+Microsoft.Extensions.FileProviders,,,15,,,,,,,15,
+Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,13,2
+Microsoft.Extensions.Hosting,,,17,,,,,,,16,1
+Microsoft.Extensions.Http,,,10,,,,,,,10,
+Microsoft.Extensions.Logging,,,37,,,,,,,37,
+Microsoft.Extensions.Options,,,8,,,,,,,8,
+Microsoft.Extensions.Primitives,,,63,,,,,,,63,
+Microsoft.Interop,,,27,,,,,,,27,
+Microsoft.NET.Build.Tasks,,,1,,,,,,,1,
+Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,4,
+Microsoft.VisualBasic,,,9,,,,,,,5,4
+Microsoft.Win32,,,8,,,,,,,8,
 MySql.Data.MySqlClient,48,,,,,,48,,,,
 Newtonsoft.Json,,,91,,,,,,,73,18
 ServiceStack,194,,7,27,,75,92,,,7,
-System,28,3,2336,,4,,23,1,3,611,1725
+System,28,3,12038,,4,,23,1,3,10096,1942
@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",3,2336,28,5
-   Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,137,
-   Totals,,3,2492,359,5
+   System,"``System.*``, ``System``",3,12038,28,5
+   Others,"``Dapper``, ``JsonToItemsTaskFactory``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NETCore.Platforms.BuildTasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,554,137,
+   Totals,,3,12599,359,5
 
@@ -226,7 +226,8 @@ commands that you can specify for compiled languages.
 
 - Java project built using Gradle::
 
-     codeql database create java-database --language=java --command='gradle clean test'
+     # Use `--no-daemon` because a build delegated to an existing daemon cannot be detected by CodeQL:
+     codeql database create java-database --language=java --command='gradle --no-daemon clean test'
 
 - Java project built using Maven::
 
 
@@ -20,10 +20,10 @@
    Java,"Java 7 to 18 [4]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [5]_",``.java``
-   JavaScript,ECMAScript 2021 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [6]_"
+   JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [6]_"
    Python,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10",Not applicable,``.py``
    Ruby [7]_,"up to 3.0.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
-   TypeScript [8]_,"2.6-4.6",Standard TypeScript compiler,"``.ts``, ``.tsx``"
+   TypeScript [8]_,"2.6-4.7",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
 
 .. container:: footnote-group
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,11 @@`
`1`	`1`
`2`	`2`	`typedef unsigned long size_t;`
`3`	`3`
`4`		`-void SYSC_SOMESYSTEMCALL(void *param);`
	`4`	`+#define SYSCALL_DEFINE(name, ...) \`
	`5`	`+ void do_sys_##name(); \`
	`6`	`+ void sys_##name(...) { do_sys_##name(); } \`
	`7`	`+ void do_sys_##name()`
	`8`	`+SYSCALL_DEFINE(somesystemcall, void *param) {};`
`5`	`9`
`6`	`10`	`bool user_access_begin_impl(const void *where, size_t sz);`
`7`	`11`	`void user_access_end_impl();`
`@@ -13,14 +17,14 @@ void unsafe_put_user_impl(int what, const void *where, size_t sz);`
`13`	`17`
`14`	`18`	`void test1(int p)`
`15`	`19`	`{`
`16`		`- SYSC_SOMESYSTEMCALL(&p);`
	`20`	`+ sys_somesystemcall(&p);`
`17`	`21`
`18`	`22`	`unsafe_put_user(123, &p); // BAD`
`19`	`23`	`}`
`20`	`24`
`21`	`25`	`void test2(int p)`
`22`	`26`	`{`
`23`		`- SYSC_SOMESYSTEMCALL(&p);`
	`27`	`+ sys_somesystemcall(&p);`
`24`	`28`
`25`	`29`	`if (user_access_begin(&p, sizeof(p)))`
`26`	`30`	`{`
`@@ -34,16 +38,16 @@ void test3()`
`34`	`38`	`{`
`35`	`39`	`int v;`
`36`	`40`
`37`		`- SYSC_SOMESYSTEMCALL(&v);`
	`41`	`+ sys_somesystemcall(&v);`
`38`	`42`
`39`		`- unsafe_put_user(123, &v); // BAD [NOT DETECTED]`
	`43`	`+ unsafe_put_user(123, &v); // BAD`
`40`	`44`	`}`
`41`	`45`
`42`	`46`	`void test4()`
`43`	`47`	`{`
`44`	`48`	`int v;`
`45`	`49`
`46`		`- SYSC_SOMESYSTEMCALL(&v);`
	`50`	`+ sys_somesystemcall(&v);`
`47`	`51`
`48`	`52`	`if (user_access_begin(&v, sizeof(v)))`
`49`	`53`	`{`
`@@ -62,16 +66,16 @@ void test5()`
`62`	`66`	`{`
`63`	`67`	`data myData;`
`64`	`68`
`65`		`- SYSC_SOMESYSTEMCALL(&myData);`
	`69`	`+ sys_somesystemcall(&myData);`
`66`	`70`
`67`		`- unsafe_put_user(123, &(myData.x)); // BAD [NOT DETECTED]`
	`71`	`+ unsafe_put_user(123, &(myData.x)); // BAD`
`68`	`72`	`}`
`69`	`73`
`70`	`74`	`void test6()`
`71`	`75`	`{`
`72`	`76`	`data myData;`
`73`	`77`
`74`		`- SYSC_SOMESYSTEMCALL(&myData);`
	`78`	`+ sys_somesystemcall(&myData);`
`75`	`79`
`76`	`80`	`if (user_access_begin(&myData, sizeof(myData)))`
`77`	`81`	`{`