Merge branch 'github:main' into main

Author: Malayke

cpp/ql/src/Critical/FlowAfterFree.qll

@@ -87,6 +87,8 @@ module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {
       |
         e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
       )
+      or
+      n.asExpr() instanceof ArrayExpr
     }
   }
 

cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql

@@ -32,18 +32,41 @@ predicate hasReferenceInitializer(EnumConstant c) {
   )
 }
 
+/**
+ * Gets the `rnk`'th (1-based) enumeration constant in `e` that does not have a
+ * reference initializer (i.e., an initializer that refers to an enumeration
+ * constant from the same enumeration).
+ */
+EnumConstant getNonReferenceInitializedEnumConstantByRank(Enum e, int rnk) {
+  result =
+    rank[rnk](EnumConstant cand, int pos, string filepath, int startline, int startcolumn |
+      e.getEnumConstant(pos) = cand and
+      not hasReferenceInitializer(cand) and
+      cand.getLocation().hasLocationInfo(filepath, startline, startcolumn, _, _)
+    |
+      cand order by pos, filepath, startline, startcolumn
+    )
+}
+
+/**
+ * Holds if `ec` is not the last enumeration constant in `e` that has a non-
+ * reference initializer.
+ */
+predicate hasNextWithoutReferenceInitializer(Enum e, EnumConstant ec) {
+  exists(int rnk |
+    ec = getNonReferenceInitializedEnumConstantByRank(e, rnk) and
+    exists(getNonReferenceInitializedEnumConstantByRank(e, rnk + 1))
+  )
+}
+
 // There exists another constant whose value is implicit, but it's
 // not the last one: the last value is okay to use to get the highest
 // enum value automatically. It can be followed by aliases though.
 predicate enumThatHasConstantWithImplicitValue(Enum e) {
-  exists(EnumConstant ec, int pos |
-    ec = e.getEnumConstant(pos) and
+  exists(EnumConstant ec |
+    ec = e.getAnEnumConstant() and
     not hasInitializer(ec) and
-    exists(EnumConstant ec2, int pos2 |
-      ec2 = e.getEnumConstant(pos2) and
-      pos2 > pos and
-      not hasReferenceInitializer(ec2)
-    )
+    hasNextWithoutReferenceInitializer(e, ec)
   )
 }
 

cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected

@@ -9,7 +9,6 @@ edges
 | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a |
 | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a |
 | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... |
-| test_free.cpp:131:10:131:13 | pointer to free output argument | test_free.cpp:132:10:132:13 | access to array |
 | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a |
 | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a |
 nodes
@@ -33,8 +32,6 @@ nodes
 | test_free.cpp:103:10:103:10 | a | semmle.label | a |
 | test_free.cpp:128:10:128:11 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:129:10:129:11 | * ... | semmle.label | * ... |
-| test_free.cpp:131:10:131:13 | pointer to free output argument | semmle.label | pointer to free output argument |
-| test_free.cpp:132:10:132:13 | access to array | semmle.label | access to array |
 | test_free.cpp:152:27:152:27 | pointer to free output argument | semmle.label | pointer to free output argument |
 | test_free.cpp:154:10:154:10 | a | semmle.label | a |
 | test_free.cpp:207:10:207:10 | pointer to free output argument | semmle.label | pointer to free output argument |
@@ -51,6 +48,5 @@ subpaths
 | test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:83:5:83:13 | delete | delete |
 | test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free |
 | test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by '* ...' may already have been freed by $@. | test_free.cpp:128:5:128:8 | call to free | call to free |
-| test_free.cpp:132:10:132:13 | access to array | test_free.cpp:131:10:131:13 | pointer to free output argument | test_free.cpp:132:10:132:13 | access to array | Memory pointed to by 'access to array' may already have been freed by $@. | test_free.cpp:131:5:131:8 | call to free | call to free |
 | test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free |
 | test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by 'a' may already have been freed by $@. | test_free.cpp:207:5:207:8 | call to free | call to free |

cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp

@@ -129,7 +129,7 @@ void test_ptr_deref(void ** a) {
     free(*a); // BAD
     *a = malloc(10);
     free(a[0]); // GOOD
-    free(a[1]); // GOOD [FALSE POSITIVE]
+    free(a[1]); // GOOD
 }
 
 struct list {

java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll

@@ -108,9 +108,9 @@ private class MissingPinningSink extends DataFlow::Node {
 /** Configuration for finding uses of non trusted URLs. */
 private module UntrustedUrlConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    trustedDomain(_) and
     exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
       lit.matches("%://%") and // it's a URL
+      not lit.regexpMatch("^(classpath|file|jar):.*") and // discard non-network URIs
       not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
     )
   }
@@ -121,16 +121,10 @@ private module UntrustedUrlConfig implements DataFlow::ConfigSig {
 private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;
 
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
-predicate missingPinning(DataFlow::Node node, string domain) {
+predicate missingPinning(MissingPinningSink node, string domain) {
   isAndroid() and
-  node instanceof MissingPinningSink and
-  (
-    not trustedDomain(_) and domain = ""
-    or
-    exists(DataFlow::Node src |
-      UntrustedUrlFlow::flow(src, node) and
-      domain = getDomain(src.asExpr())
-    )
+  exists(DataFlow::Node src | UntrustedUrlFlow::flow(src, node) |
+    if trustedDomain(_) then domain = getDomain(src.asExpr()) else domain = ""
   )
 }
 

java/ql/src/change-notes/2023-12-12-android-certificate-pinning-precision.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.

java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/Test.java

@@ -1,12 +1,24 @@
 import java.net.URL;
 import java.net.URLConnection;
 
-class Test{
+class Test {
     URLConnection test1() throws Exception {
         return new URL("https://good.example.com").openConnection();
     }
 
     URLConnection test2() throws Exception {
         return new URL("https://bad.example.com").openConnection(); // $hasUntrustedResult
     }
-}
+
+    URLConnection test3() throws Exception {
+        return new URL("classpath:example/directory/test.class").openConnection();
+    }
+
+    URLConnection test4() throws Exception {
+        return new URL("file:///example/file").openConnection();
+    }
+
+    URLConnection test5() throws Exception {
+        return new URL("jar:file:///C:/example/test.jar!/test.xml").openConnection();
+    }
+}

java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test2/Test.java

@@ -1,8 +1,20 @@
 import java.net.URL;
 import java.net.URLConnection;
 
-class Test{
+class Test {
     URLConnection test2() throws Exception {
         return new URL("https://example.com").openConnection(); // $hasNoTrustedResult
     }
-}
+
+    URLConnection test3() throws Exception {
+        return new URL("classpath:example/directory/test.class").openConnection();
+    }
+
+    URLConnection test4() throws Exception {
+        return new URL("file:///example/file").openConnection();
+    }
+
+    URLConnection test5() throws Exception {
+        return new URL("jar:file:///C:/example/test.jar!/test.xml").openConnection();
+    }
+}

java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test3/Test.java

@@ -2,16 +2,21 @@
 import okhttp3.CertificatePinner;
 import okhttp3.Request;
 
-class Test{
+class Test {
     void test1() throws Exception {
-    CertificatePinner certificatePinner = new CertificatePinner.Builder()
-         .add("good.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
-         .build();
-     OkHttpClient client = new OkHttpClient.Builder()
-         .certificatePinner(certificatePinner)
-         .build();
+        CertificatePinner certificatePinner = new CertificatePinner.Builder()
+                .add("good.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
+                .build();
+        OkHttpClient client =
+                new OkHttpClient.Builder().certificatePinner(certificatePinner).build();
 
-     client.newCall(new Request.Builder().url("https://good.example.com").build()).execute();
-     client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $hasUntrustedResult
+        client.newCall(new Request.Builder().url("https://good.example.com").build()).execute();
+        client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $hasUntrustedResult
+        client.newCall(new Request.Builder().url("classpath:example/directory/test.class").build())
+                .execute();
+        client.newCall(new Request.Builder().url("file:///example/file").build()).execute();
+        client.newCall(
+                new Request.Builder().url("jar:file:///C:/example/test.jar!/test.xml").build())
+                .execute();
     }
-}
+}

java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/Test.java

@@ -8,19 +8,20 @@
 import javax.net.ssl.SSLContext;
 import android.content.res.Resources;
 
-class Test{
+class Test {
     void test1(Resources resources) throws Exception {
         KeyStore keyStore = KeyStore.getInstance("BKS");
         keyStore.load(resources.openRawResource(R.raw.cert), null);
 
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        TrustManagerFactory tmf =
+                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         tmf.init(keyStore);
 
         SSLContext sslContext = SSLContext.getInstance("TLS");
         sslContext.init(null, tmf.getTrustManagers(), null);
 
         URL url = new URL("http://www.example.com/");
-        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); 
+        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
 
         urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
     }
@@ -29,4 +30,4 @@ void test2() throws Exception {
         URL url = new URL("http://www.example.com/");
         HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); // $hasNoTrustedResult
     }
-}
+}