Merge branch 'main' into java/experimental/command-injection

Author: aegilops

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

@@ -748,6 +748,46 @@ edges
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:381:5:381:9 | ... ++ | test.cpp:384:14:384:16 | end |
 | test.cpp:384:14:384:16 | end | test.cpp:384:13:384:16 | Load: * ... |
+| test.cpp:388:14:388:27 | new[] | test.cpp:389:16:389:17 | xs |
+| test.cpp:388:14:388:27 | new[] | test.cpp:392:5:392:6 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:389:16:389:17 | xs | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:392:5:392:8 | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:393:9:393:10 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:6 | xs |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:392:5:392:8 | ... ++ | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:6 | xs |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:393:9:393:10 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:395:5:395:6 | xs | test.cpp:395:5:395:13 | Store: ... = ... |
+| test.cpp:404:3:404:25 | ... = ... | test.cpp:404:7:404:8 | val indirection [post update] [xs] |
+| test.cpp:404:7:404:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
+| test.cpp:404:12:404:25 | new[] | test.cpp:404:3:404:25 | ... = ... |
+| test.cpp:406:3:406:25 | ... = ... | test.cpp:406:7:406:8 | val indirection [post update] [xs] |
+| test.cpp:406:7:406:8 | val indirection [post update] [xs] | test.cpp:407:3:407:5 | val indirection [xs] |
+| test.cpp:406:12:406:25 | new[] | test.cpp:406:3:406:25 | ... = ... |
+| test.cpp:407:3:407:5 | val indirection [xs] | test.cpp:407:7:407:8 | xs indirection |
+| test.cpp:407:3:407:18 | access to array | test.cpp:407:3:407:22 | Store: ... = ... |
+| test.cpp:407:7:407:8 | xs | test.cpp:407:3:407:18 | access to array |
+| test.cpp:407:7:407:8 | xs indirection | test.cpp:407:7:407:8 | xs |
+| test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:8 | xs |
+| test.cpp:419:7:419:8 | xs | test.cpp:419:7:419:11 | access to array |
+| test.cpp:419:7:419:11 | access to array | test.cpp:419:7:419:15 | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:6 | xs |
+| test.cpp:433:5:433:6 | xs | test.cpp:433:5:433:17 | access to array |
+| test.cpp:433:5:433:17 | access to array | test.cpp:433:5:433:21 | Store: ... = ... |
 nodes
 | test.cpp:4:15:4:20 | call to malloc | semmle.label | call to malloc |
 | test.cpp:5:15:5:15 | p | semmle.label | p |
@@ -1087,6 +1127,36 @@ nodes
 | test.cpp:381:5:381:9 | ... ++ | semmle.label | ... ++ |
 | test.cpp:384:13:384:16 | Load: * ... | semmle.label | Load: * ... |
 | test.cpp:384:14:384:16 | end | semmle.label | end |
+| test.cpp:388:14:388:27 | new[] | semmle.label | new[] |
+| test.cpp:389:16:389:17 | xs | semmle.label | xs |
+| test.cpp:392:5:392:6 | xs | semmle.label | xs |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:392:5:392:8 | ... ++ | semmle.label | ... ++ |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:393:9:393:10 | xs | semmle.label | xs |
+| test.cpp:395:5:395:6 | xs | semmle.label | xs |
+| test.cpp:395:5:395:13 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:404:3:404:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:404:7:404:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:404:12:404:25 | new[] | semmle.label | new[] |
+| test.cpp:406:3:406:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:406:7:406:8 | val indirection [post update] [xs] | semmle.label | val indirection [post update] [xs] |
+| test.cpp:406:12:406:25 | new[] | semmle.label | new[] |
+| test.cpp:407:3:407:5 | val indirection [xs] | semmle.label | val indirection [xs] |
+| test.cpp:407:3:407:18 | access to array | semmle.label | access to array |
+| test.cpp:407:3:407:22 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:407:7:407:8 | xs | semmle.label | xs |
+| test.cpp:407:7:407:8 | xs indirection | semmle.label | xs indirection |
+| test.cpp:417:16:417:33 | new[] | semmle.label | new[] |
+| test.cpp:419:7:419:8 | xs | semmle.label | xs |
+| test.cpp:419:7:419:11 | access to array | semmle.label | access to array |
+| test.cpp:419:7:419:15 | Store: ... = ... | semmle.label | Store: ... = ... |
+| test.cpp:427:14:427:27 | new[] | semmle.label | new[] |
+| test.cpp:433:5:433:6 | xs | semmle.label | xs |
+| test.cpp:433:5:433:17 | access to array | semmle.label | access to array |
+| test.cpp:433:5:433:21 | Store: ... = ... | semmle.label | Store: ... = ... |
 subpaths
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -1113,3 +1183,7 @@ subpaths
 | test.cpp:359:14:359:32 | Load: * ... | test.cpp:355:14:355:27 | new[] | test.cpp:359:14:359:32 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 2. | test.cpp:355:14:355:27 | new[] | new[] | test.cpp:356:20:356:23 | size | size |
 | test.cpp:372:15:372:16 | Load: * ... | test.cpp:363:14:363:27 | new[] | test.cpp:372:15:372:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:363:14:363:27 | new[] | new[] | test.cpp:365:19:365:22 | size | size |
 | test.cpp:384:13:384:16 | Load: * ... | test.cpp:377:14:377:27 | new[] | test.cpp:384:13:384:16 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:377:14:377:27 | new[] | new[] | test.cpp:378:20:378:23 | size | size |
+| test.cpp:395:5:395:13 | Store: ... = ... | test.cpp:388:14:388:27 | new[] | test.cpp:395:5:395:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:388:14:388:27 | new[] | new[] | test.cpp:389:19:389:22 | size | size |
+| test.cpp:407:3:407:22 | Store: ... = ... | test.cpp:404:12:404:25 | new[] | test.cpp:407:3:407:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:404:12:404:25 | new[] | new[] | test.cpp:407:10:407:17 | ... - ... | ... - ... |
+| test.cpp:419:7:419:15 | Store: ... = ... | test.cpp:417:16:417:33 | new[] | test.cpp:419:7:419:15 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:417:16:417:33 | new[] | new[] | test.cpp:419:10:419:10 | i | i |
+| test.cpp:433:5:433:21 | Store: ... = ... | test.cpp:427:14:427:27 | new[] | test.cpp:433:5:433:21 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:427:14:427:27 | new[] | new[] | test.cpp:433:8:433:16 | ... ++ | ... ++ |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp

@@ -383,3 +383,53 @@ void test27(unsigned size, bool b) {
 
   int val = *end; // BAD
 }
+
+void test28(unsigned size) {
+  char *xs = new char[size];
+  char *end = &xs[size];
+    if (xs >= end)
+      return;
+    xs++;
+    if (xs >= end)
+      return;
+    xs[0] = 0;  // GOOD [FALSE POSITIVE]
+}
+
+struct test29_struct {
+  char* xs;
+};
+
+void test29(unsigned size) {
+  test29_struct val;
+  val.xs = new char[size];
+  size++;
+  val.xs = new char[size];
+  val.xs[size - 1] = 0; // GOOD [FALSE POSITIVE]
+}
+
+void test30(int *size)
+{
+  int new_size = 0, tmp_size = 0;
+
+  test30(&tmp_size);
+  if (tmp_size + 1 > new_size) {
+    new_size = tmp_size + 1;
+    char *xs = new char[new_size];
+    for (int i = 0; i < new_size; i++) {
+      xs[i] = 0;  // GOOD [FALSE POSITIVE]
+    }
+  }
+  *size = new_size;
+}
+
+void test31(unsigned size, unsigned src_pos)
+{
+  char *xs = new char[size];
+  if (src_pos > size) {
+    src_pos = size;
+  }
+  unsigned dst_pos = src_pos;
+  if(dst_pos < size - 3) {
+    xs[dst_pos++] = 0; // GOOD [FALSE POSITIVE]
+  }
+}

csharp/ql/test/query-tests/Security Features/CWE-011/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/Security Features/CWE-016/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/Security Features/CWE-020/options

@@ -1 +1,3 @@
-semmle-extractor-options: /r:${testdir}/../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../resources/assemblies/System.Web.ApplicationServices.dll /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Data.Common.dll /r:System.Security.Cryptography.X509Certificates.dll /r:System.Runtime.InteropServices.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs

csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/options

@@ -1 +1,3 @@
-semmle-extractor-options: /r:System.IO.FileSystem.dll /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs

csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/options

@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.IO.Compression.dll /r:System.IO.Compression.FileSystem.dll /r:System.IO.Compression.ZipFile.dll /r:System.IO.FileSystem.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

csharp/ql/test/query-tests/Security Features/CWE-078/options

@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.Diagnostics.Process.dll /r:System.Runtime.InteropServices.dll ${testdir}/../../../resources/stubs/System.Data.cs /r:System.Data.Common.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs

@@ -1,5 +1,3 @@
-// semmle-extractor-options: /r:${testdir}/../../../../resources/assemblies/System.Data.dll /r:${testdir}/../../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../../resources/assemblies/System.Web.Mvc.dll /r:System.ComponentModel.Primitives.dll /r:System.Collections.Specialized.dll /r:${testdir}/../../../../resources/assemblies/System.Net.Http.dll
-
 using System;
 using System.Data.SqlClient;
 using System.Web;

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected

@@ -1,8 +1,8 @@
 edges
-| StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... |
+| StoredXSS.cs:22:60:22:86 | call to method GetString : String | StoredXSS.cs:22:44:22:86 | ... + ... |
 nodes
-| StoredXSS.cs:24:44:24:86 | ... + ... | semmle.label | ... + ... |
-| StoredXSS.cs:24:60:24:86 | call to method GetString : String | semmle.label | call to method GetString : String |
+| StoredXSS.cs:22:44:22:86 | ... + ... | semmle.label | ... + ... |
+| StoredXSS.cs:22:60:22:86 | call to method GetString : String | semmle.label | call to method GetString : String |
 subpaths
 #select
-| StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... | This HTML or JavaScript write depends on a $@. | StoredXSS.cs:24:60:24:86 | call to method GetString | stored (potentially user-provided) value |
+| StoredXSS.cs:22:44:22:86 | ... + ... | StoredXSS.cs:22:60:22:86 | call to method GetString : String | StoredXSS.cs:22:44:22:86 | ... + ... | This HTML or JavaScript write depends on a $@. | StoredXSS.cs:22:60:22:86 | call to method GetString | stored (potentially user-provided) value |