Merge branch 'main' into no-dtt-in-tainted-arithmetic

Author: MathiasVP

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -145,9 +145,9 @@ IEnumerable<string> IBuildActions.EnumerateDirectories(string dir)
 
         bool IBuildActions.IsMacOs() => IsMacOs;
 
-        public bool IsArm { get; set; }
+        public bool IsRunningOnAppleSilicon { get; set; }
 
-        bool IBuildActions.IsArm() => IsArm;
+        bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
 
         string IBuildActions.PathCombine(params string[] parts)
         {

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -52,24 +52,25 @@ predicate isUnboundedWrite(BufferWrite bw) {
  * Holds if `e` is a source buffer going into an unbounded write `bw` or a
  * qualifier of (a qualifier of ...) such a source.
  */
-predicate unboundedWriteSource(Expr e, BufferWrite bw) {
-  isUnboundedWrite(bw) and e = bw.getASource()
+predicate unboundedWriteSource(Expr e, BufferWrite bw, boolean qualifier) {
+  isUnboundedWrite(bw) and e = bw.getASource() and qualifier = false
   or
-  exists(FieldAccess fa | unboundedWriteSource(fa, bw) and e = fa.getQualifier())
+  exists(FieldAccess fa | unboundedWriteSource(fa, bw, _) and e = fa.getQualifier()) and
+  qualifier = true
 }
 
 predicate isSource(FS::FlowSource source, string sourceType) { source.getSourceType() = sourceType }
 
-predicate isSink(DataFlow::Node sink, BufferWrite bw) {
-  unboundedWriteSource(sink.asIndirectExpr(), bw)
+predicate isSink(DataFlow::Node sink, BufferWrite bw, boolean qualifier) {
+  unboundedWriteSource(sink.asIndirectExpr(), bw, qualifier)
   or
   // `gets` and `scanf` reads from stdin so there's no real input.
   // The `BufferWrite` library models this as the call itself being
   // the source. In this case we mark the output argument as being
   // the sink so that we report a path where source = sink (because
   // the same output argument is also included in `isSource`).
   bw.getASource() = bw and
-  unboundedWriteSource(sink.asDefiningArgument(), bw)
+  unboundedWriteSource(sink.asDefiningArgument(), bw, qualifier)
 }
 
 predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
@@ -84,9 +85,9 @@ predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
 module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSource(source, _) }
 
-  predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
+  predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
 
-  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _, false) }
 
   predicate isBarrier(DataFlow::Node node) {
     // Block flow if the node is guarded by any <, <= or = operations.
@@ -116,7 +117,7 @@ from BufferWrite bw, Flow::PathNode source, Flow::PathNode sink, string sourceTy
 where
   Flow::flowPath(source, sink) and
   isSource(source.getNode(), sourceType) and
-  isSink(sink.getNode(), bw)
+  isSink(sink.getNode(), bw, _)
 select bw, source, sink,
   "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.",
   source.getNode(), sourceType

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -1,16 +1,32 @@
 edges
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:10:20:10:23 | argv indirection |
-| main.cpp:10:20:10:23 | argv indirection | tests.cpp:618:32:618:35 | argv indirection |
+| main.cpp:10:20:10:23 | argv indirection | tests.cpp:631:32:631:35 | argv indirection |
 | tests.cpp:613:19:613:24 | source indirection | tests.cpp:615:17:615:22 | source indirection |
-| tests.cpp:618:32:618:35 | argv indirection | tests.cpp:643:9:643:15 | access to array indirection |
-| tests.cpp:643:9:643:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
+| tests.cpp:622:19:622:24 | source indirection | tests.cpp:625:2:625:16 | ... = ... indirection |
+| tests.cpp:625:2:625:16 | ... = ... indirection | tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] |
+| tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] | tests.cpp:628:14:628:14 | s indirection [home indirection] |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:14:628:19 | home indirection |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:16:628:19 | home indirection |
+| tests.cpp:628:16:628:19 | home indirection | tests.cpp:628:14:628:19 | home indirection |
+| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:656:9:656:15 | access to array indirection |
+| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:657:9:657:15 | access to array indirection |
+| tests.cpp:656:9:656:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
+| tests.cpp:657:9:657:15 | access to array indirection | tests.cpp:622:19:622:24 | source indirection |
 nodes
 | main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
 | main.cpp:10:20:10:23 | argv indirection | semmle.label | argv indirection |
 | tests.cpp:613:19:613:24 | source indirection | semmle.label | source indirection |
 | tests.cpp:615:17:615:22 | source indirection | semmle.label | source indirection |
-| tests.cpp:618:32:618:35 | argv indirection | semmle.label | argv indirection |
-| tests.cpp:643:9:643:15 | access to array indirection | semmle.label | access to array indirection |
+| tests.cpp:622:19:622:24 | source indirection | semmle.label | source indirection |
+| tests.cpp:625:2:625:16 | ... = ... indirection | semmle.label | ... = ... indirection |
+| tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] | semmle.label | s indirection [post update] [home indirection] |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | semmle.label | s indirection [home indirection] |
+| tests.cpp:628:14:628:19 | home indirection | semmle.label | home indirection |
+| tests.cpp:628:16:628:19 | home indirection | semmle.label | home indirection |
+| tests.cpp:631:32:631:35 | argv indirection | semmle.label | argv indirection |
+| tests.cpp:656:9:656:15 | access to array indirection | semmle.label | access to array indirection |
+| tests.cpp:657:9:657:15 | access to array indirection | semmle.label | access to array indirection |
 subpaths
 #select
 | tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:615:17:615:22 | source indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |
+| tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:628:14:628:19 | home indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp

@@ -615,6 +615,19 @@ void test24(char* source) {
 	strcpy(buffer, source); // BAD
 }
 
+struct my_struct {
+	char* home;
+};
+
+void test25(char* source) {
+	my_struct s;
+
+	s.home = source;
+
+	char buf[100];
+	strcpy(buf, s.home); // BAD
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -641,6 +654,7 @@ int tests_main(int argc, char *argv[])
 	test22(argc == 0, argv[0]);
 	test23();
 	test24(argv[0]);
+	test25(argv[0]);
 
 	return 0;
 }

csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs

@@ -159,9 +159,9 @@ IEnumerable<string> IBuildActions.EnumerateDirectories(string dir)
 
         bool IBuildActions.IsMacOs() => IsMacOs;
 
-        public bool IsArm { get; set; }
+        public bool IsRunningOnAppleSilicon { get; set; }
 
-        bool IBuildActions.IsArm() => IsArm;
+        bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
 
         public string PathCombine(params string[] parts)
         {

csharp/autobuilder/Semmle.Autobuild.Shared/BuildActions.cs

@@ -3,6 +3,7 @@
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.IO;
+using System.Linq;
 using System.Runtime.InteropServices;
 using System.Xml;
 using Semmle.Util;
@@ -119,10 +120,10 @@ public interface IBuildActions
         bool IsMacOs();
 
         /// <summary>
-        /// Gets a value indicating whether we are running on arm.
+        /// Gets a value indicating whether we are running on Apple Silicon.
         /// </summary>
-        /// <returns>True if we are running on arm.</returns>
-        bool IsArm();
+        /// <returns>True if we are running on Apple Silicon.</returns>
+        bool IsRunningOnAppleSilicon();
 
         /// <summary>
         /// Combine path segments, Path.Combine().
@@ -240,9 +241,25 @@ int IBuildActions.RunProcess(string cmd, string args, string? workingDirectory,
 
         bool IBuildActions.IsMacOs() => RuntimeInformation.IsOSPlatform(OSPlatform.OSX);
 
-        bool IBuildActions.IsArm() =>
-            RuntimeInformation.ProcessArchitecture == Architecture.Arm64 ||
-            RuntimeInformation.ProcessArchitecture == Architecture.Arm;
+        bool IBuildActions.IsRunningOnAppleSilicon()
+        {
+            var thisBuildActions = (IBuildActions)this;
+
+            if (!thisBuildActions.IsMacOs())
+            {
+                return false;
+            }
+
+            try
+            {
+                thisBuildActions.RunProcess("sysctl", "machdep.cpu.brand_string", workingDirectory: null, env: null, out var stdOut);
+                return stdOut?.Any(s => s?.ToLowerInvariant().Contains("apple") == true) ?? false;
+            }
+            catch (Exception)
+            {
+                return false;
+            }
+        }
 
         string IBuildActions.PathCombine(params string[] parts) => Path.Combine(parts);
 

csharp/autobuilder/Semmle.Autobuild.Shared/MsBuildRule.cs

@@ -15,14 +15,12 @@ internal static class MsBuildCommandExtensions
         /// <returns></returns>
         public static CommandBuilder MsBuildCommand(this CommandBuilder cmdBuilder, IAutobuilder<AutobuildOptionsShared> builder)
         {
-            var isArmMac = builder.Actions.IsMacOs() && builder.Actions.IsArm();
-
             // mono doesn't ship with `msbuild` on Arm-based Macs, but we can fall back to
             // msbuild that ships with `dotnet` which can be invoked with `dotnet msbuild`
             // perhaps we should do this on all platforms?
-            return isArmMac ?
-                cmdBuilder.RunCommand("dotnet").Argument("msbuild") :
-                cmdBuilder.RunCommand("msbuild");
+            return builder.Actions.IsRunningOnAppleSilicon()
+                ? cmdBuilder.RunCommand("dotnet").Argument("msbuild")
+                : cmdBuilder.RunCommand("msbuild");
         }
     }
 

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget/skip-on-platform-osx-arm

@@ -0,0 +1 @@
+Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.

ql/Cargo.lock

@@ -14,7 +14,7 @@ tree-sitter-blame = {path = "../buramu/tree-sitter-blame"}
 tree-sitter-json = {git = "https://github.com/tausbn/tree-sitter-json.git", rev = "745663ee997f1576fe1e7187e6347e0db36ec7a9"}
 clap = { version = "4.2", features = ["derive"] }
 tracing = "0.1"
-tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
+tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
 rayon = "1.8.0"
 regex = "1.10.2"
 codeql-extractor = { path = "../../shared/tree-sitter-extractor" }