Merge branch 'main' into sensitive-improvements

Author: RasmusWL

.codeqlmanifest.json

@@ -1,5 +1,6 @@
 { "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
+               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -9,6 +9,7 @@
  * @tags reliability
  *       security
  *       external/cwe/cwe-190
+ *       external/cwe/cwe-789
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

@@ -28,7 +28,7 @@ Function getAnInsecureEncryptionFunction() {
 /**
  * A function with additional evidence it is related to encryption.
  */
-Function getAdditionalEvidenceFunction() {
+Function getAnAdditionalEvidenceFunction() {
   (
     isEncryptionAdditionalEvidence(result.getName()) or
     isEncryptionAdditionalEvidence(result.getAParameter().getName())
@@ -47,7 +47,7 @@ Macro getAnInsecureEncryptionMacro() {
 /**
  * A macro with additional evidence it is related to encryption.
  */
-Macro getAdditionalEvidenceMacro() {
+Macro getAnAdditionalEvidenceMacro() {
   isEncryptionAdditionalEvidence(result.getName()) and
   exists(result.getAnInvocation())
 }
@@ -63,61 +63,78 @@ EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.ge
 EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(result.getName()) }
 
 /**
- * A function call we have a high confidence is related to use of an insecure
- * encryption algorithm.
+ * A function call we have a high confidence is related to use of an insecure encryption algorithm, along
+ * with an associated `Element` which might be the best point to blame, and a description of that element.
  */
-class InsecureFunctionCall extends FunctionCall {
-  Element blame;
-  string explain;
+predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
+  // find use of an insecure algorithm name
+  (
+    fc.getTarget() = getAnInsecureEncryptionFunction() and
+    blame = fc and
+    description = "call to " + fc.getTarget().getName()
+    or
+    exists(MacroInvocation mi |
+      (
+        mi.getAnExpandedElement() = fc or
+        mi.getAnExpandedElement() = fc.getAnArgument()
+      ) and
+      mi.getMacro() = getAnInsecureEncryptionMacro() and
+      blame = mi and
+      description = "invocation of macro " + mi.getMacro().getName()
+    )
+    or
+    exists(EnumConstantAccess ec |
+      ec = fc.getAnArgument() and
+      ec.getTarget() = getAnInsecureEncryptionEnumConst() and
+      blame = ec and
+      description = "access of enum constant " + ec.getTarget().getName()
+    )
+  ) and
+  // find additional evidence that this function is related to encryption.
+  (
+    fc.getTarget() = getAnAdditionalEvidenceFunction()
+    or
+    exists(MacroInvocation mi |
+      (
+        mi.getAnExpandedElement() = fc or
+        mi.getAnExpandedElement() = fc.getAnArgument()
+      ) and
+      mi.getMacro() = getAnAdditionalEvidenceMacro()
+    )
+    or
+    exists(EnumConstantAccess ec |
+      ec = fc.getAnArgument() and
+      ec.getTarget() = getAdditionalEvidenceEnumConst()
+    )
+  )
+}
+
+/**
+ * An element that is the `blame` of an `InsecureFunctionCall`.
+ */
+class BlamedElement extends Element {
+  string description;
+
+  BlamedElement() { getInsecureEncryptionEvidence(_, this, description) }
 
-  InsecureFunctionCall() {
-    // find use of an insecure algorithm name
-    (
-      getTarget() = getAnInsecureEncryptionFunction() and
-      blame = this and
-      explain = "function call"
-      or
-      exists(MacroInvocation mi |
-        (
-          mi.getAnExpandedElement() = this or
-          mi.getAnExpandedElement() = this.getAnArgument()
-        ) and
-        mi.getMacro() = getAnInsecureEncryptionMacro() and
-        blame = mi and
-        explain = "macro invocation"
-      )
-      or
-      exists(EnumConstantAccess ec |
-        ec = this.getAnArgument() and
-        ec.getTarget() = getAnInsecureEncryptionEnumConst() and
-        blame = ec and
-        explain = "enum constant access"
-      )
-    ) and
-    // find additional evidence that this function is related to encryption.
-    (
-      getTarget() = getAdditionalEvidenceFunction()
-      or
-      exists(MacroInvocation mi |
-        (
-          mi.getAnExpandedElement() = this or
-          mi.getAnExpandedElement() = this.getAnArgument()
-        ) and
-        mi.getMacro() = getAdditionalEvidenceMacro()
-      )
-      or
-      exists(EnumConstantAccess ec |
-        ec = this.getAnArgument() and
-        ec.getTarget() = getAdditionalEvidenceEnumConst()
-      )
+  /**
+   * Holds if this is the `num`-th `BlamedElement` in `f`.
+   */
+  predicate hasFileRank(File f, int num) {
+    exists(int loc |
+      getLocation().charLoc(f, loc, _) and
+      loc =
+        rank[num](BlamedElement other, int loc2 | other.getLocation().charLoc(f, loc2, _) | loc2)
     )
   }
 
-  Element getBlame() { result = blame }
-
-  string getDescription() { result = explain }
+  string getDescription() { result = description }
 }
 
-from InsecureFunctionCall c
-select c.getBlame(),
-  "This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
+from File f, BlamedElement firstResult, BlamedElement thisResult
+where
+  firstResult.hasFileRank(f, 1) and
+  thisResult.hasFileRank(f, _)
+select firstResult,
+  "This file makes use of a broken or weak cryptographic algorithm (specified by $@).", thisResult,
+  thisResult.getDescription()

cpp/ql/src/semmle/code/cpp/Location.qll

@@ -128,7 +128,9 @@ deprecated library class LocationExpr extends Location, @location_expr { }
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getEndColumn()) }
+private int maxCols(File f) {
+  result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn()))
+}
 
 /**
  * A C/C++ element that has a location in a file

cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll

@@ -411,7 +411,7 @@ predicate addressOperandAllocationAndOffset(
     allocation.getABaseInstruction() = base and
     hasBaseAndOffset(addrOperand, base, bitOffset) and
     not exists(Instruction previousBase |
-      hasBaseAndOffset(addrOperand, previousBase, _) and
+      hasBaseAndOffset(addrOperand, pragma[only_bind_out](previousBase), _) and
       previousBase = base.getAnOperand().getDef()
     )
   )

cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

@@ -10,6 +10,64 @@ private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import semmle.code.cpp.models.interfaces.SideEffect
 
+private predicate isDeeplyConst(Type t) {
+  t.isConst() and
+  isDeeplyConstBelow(t)
+  or
+  isDeeplyConst(t.(Decltype).getBaseType())
+  or
+  isDeeplyConst(t.(ReferenceType).getBaseType())
+  or
+  exists(SpecifiedType specType | specType = t |
+    specType.getASpecifier().getName() = "const" and
+    isDeeplyConstBelow(specType.getBaseType())
+  )
+  or
+  isDeeplyConst(t.(ArrayType).getBaseType())
+}
+
+private predicate isDeeplyConstBelow(Type t) {
+  t instanceof BuiltInType
+  or
+  not t instanceof PointerWrapper and
+  t instanceof Class
+  or
+  t instanceof Enum
+  or
+  isDeeplyConstBelow(t.(Decltype).getBaseType())
+  or
+  isDeeplyConst(t.(PointerType).getBaseType())
+  or
+  isDeeplyConst(t.(ReferenceType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(SpecifiedType).getBaseType())
+  or
+  isDeeplyConst(t.(ArrayType).getBaseType())
+  or
+  isDeeplyConst(t.(GNUVectorType).getBaseType())
+  or
+  isDeeplyConst(t.(FunctionPointerIshType).getBaseType())
+  or
+  isDeeplyConst(t.(PointerWrapper).getTemplateArgument(0))
+  or
+  isDeeplyConst(t.(PointerToMemberType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(TypedefType).getBaseType())
+}
+
+private predicate isConstPointerLike(Type t) {
+  (
+    t instanceof PointerWrapper
+    or
+    t instanceof PointerType
+    or
+    t instanceof ArrayType
+    or
+    t instanceof ReferenceType
+  ) and
+  isDeeplyConstBelow(t)
+}
+
 /**
  * Holds if the specified call has a side effect that does not come from a `SideEffectFunction`
  * model.
@@ -45,7 +103,7 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
       ) and
       (
         isWrite = true and
-        not call.getTarget().getParameter(i).getType().isDeeplyConstBelow()
+        not isConstPointerLike(call.getTarget().getParameter(i).getUnderlyingType())
         or
         isWrite = false
       )

cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll

@@ -411,7 +411,7 @@ predicate addressOperandAllocationAndOffset(
     allocation.getABaseInstruction() = base and
     hasBaseAndOffset(addrOperand, base, bitOffset) and
     not exists(Instruction previousBase |
-      hasBaseAndOffset(addrOperand, previousBase, _) and
+      hasBaseAndOffset(addrOperand, pragma[only_bind_out](previousBase), _) and
       previousBase = base.getAnOperand().getDef()
     )
   )