Merge branch 'main' into skip-safe-conversions-in-range-analysis

Author: MathiasVP

.github/workflows/check-change-note.yml

@@ -8,6 +8,7 @@ on:
       - "*/ql/src/**/*.qll"
       - "*/ql/lib/**/*.ql"
       - "*/ql/lib/**/*.qll"
+      - "*/ql/lib/**/*.yml"
       - "!**/experimental/**"
       - "!ql/**"
       - "!swift/**"

.github/workflows/close-stale.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v7
+    - uses: actions/stale@v8
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'

cpp/ql/lib/change-notes/2023-03-20-boost-deprecated-dataflow-configurations.md

@@ -1,4 +1,4 @@
 ---
 category: deprecated
 ---
-* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallMake`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.
+* The `SslContextCallAbstractConfig`, `SslContextCallConfig`, `SslContextCallBannedProtocolConfig`, `SslContextCallTls12ProtocolConfig`, `SslContextCallTls13ProtocolConfig`, `SslContextCallTlsProtocolConfig`, `SslContextFlowsToSetOptionConfig`, `SslOptionConfig` dataflow configurations from `BoostorgAsio` have been deprecated. Please use `SslContextCallConfigSig`, `SslContextCallGlobal`, `SslContextCallFlow`, `SslContextCallBannedProtocolFlow`, `SslContextCallTls12ProtocolFlow`, `SslContextCallTls13ProtocolFlow`, `SslContextCallTlsProtocolFlow`, `SslContextFlowsToSetOptionFlow`.

cpp/ql/lib/change-notes/2023-03-23-dataflow-renaming.md

@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+* The recently introduced new data flow and taint tracking APIs have had a
+  number of module and predicate renamings. The old APIs remain in place for
+  now.

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/ExtendedRangeAnalysis.qll

@@ -3,3 +3,4 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 // Import each extension we want to enable
 import extensions.SubtractSelf
 import extensions.ConstantBitwiseAndExprRange
+import extensions.StrlenLiteralRangeExpr

cpp/ql/lib/experimental/semmle/code/cpp/rangeanalysis/extensions/StrlenLiteralRangeExpr.qll

@@ -0,0 +1,18 @@
+private import cpp
+private import experimental.semmle.code.cpp.models.interfaces.SimpleRangeAnalysisExpr
+
+/**
+ * Provides range analysis information for calls to `strlen` on literal strings.
+ * For example, the range of `strlen("literal")` will be 7.
+ */
+class StrlenLiteralRangeExpr extends SimpleRangeAnalysisExpr, FunctionCall {
+  StrlenLiteralRangeExpr() {
+    getTarget().hasGlobalOrStdName("strlen") and getArgument(0).isConstant()
+  }
+
+  override int getLowerBounds() { result = getArgument(0).getValue().length() }
+
+  override int getUpperBounds() { result = getArgument(0).getValue().length() }
+
+  override predicate dependsOnChild(Expr e) { none() }
+}

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -54,7 +54,7 @@ module PrivateCleartextWrite {
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
   }
 
-  module WriteFlow = TaintTracking::Make<WriteConfig>;
+  module WriteFlow = TaintTracking::Global<WriteConfig>;
 
   class PrivateDataSource extends Source {
     PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlow.qll

@@ -2,7 +2,7 @@
  * Provides an implementation of global (interprocedural) data flow. This file
  * re-exports the local (intraprocedural) data flow analysis from
  * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Make` and `MakeWithState` modules.
+ * through the `Global` and `GlobalWithState` modules.
  */
 
 private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
 }
 
 /**
- * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+ * Gets the exploration limit for `partialFlow` and `partialFlowRev`
  * measured in approximate number of interprocedural steps.
  */
 signature int explorationLimitSig();
 
 /**
- * The output of a data flow computation.
+ * The output of a global data flow computation.
  */
-signature module DataFlowSig {
+signature module GlobalFlowSig {
   /**
    * A `Node` augmented with a call context (except for sinks) and an access path.
    * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink);
+  predicate flowPath(PathNode source, PathNode sink);
 
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink);
+  predicate flow(Node source, Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink);
+  predicate flowTo(Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink);
+  predicate flowToExpr(DataFlowExpr sink);
 }
 
 /**
- * Constructs a standard data flow computation.
+ * Constructs a global data flow computation.
  */
-module Make<ConfigSig Config> implements DataFlowSig {
+module Global<ConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import DefaultState<Config>
     import Config
@@ -233,17 +233,27 @@ module Make<ConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
- * Constructs a data flow computation using flow state.
+ * Constructs a global data flow computation using flow state.
  */
-module MakeWithState<StateConfigSig Config> implements DataFlowSig {
+module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import Config
   }
 
   import Impl<C>
 }
 
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+  import GlobalWithState<Config>
+}
+
 signature class PathNodeSig {
   /** Gets a textual representation of this element. */
   string toString();

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -91,10 +91,10 @@ signature module FullStateConfigSig {
    */
   FlowFeature getAFeature();
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   predicate sourceGrouping(Node source, string sourceGroup);
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   predicate sinkGrouping(Node sink, string sinkGroup);
 
   /**
@@ -445,11 +445,7 @@ module Impl<FullStateConfigSig Config> {
   }
 
   private module Stage1 implements StageSig {
-    class Ap extends int {
-      // workaround for bad functionality-induced joins (happens when using `Unit`)
-      pragma[nomagic]
-      Ap() { this in [0 .. 1] and this < 1 }
-    }
+    class Ap = Unit;
 
     private class Cc = boolean;
 
@@ -3633,7 +3629,7 @@ module Impl<FullStateConfigSig Config> {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink) {
+  predicate flowPath(PathNode source, PathNode sink) {
     exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
       source = flowsource and sink = flowsink
     |
@@ -3643,6 +3639,9 @@ module Impl<FullStateConfigSig Config> {
     )
   }
 
+  /** DEPRECATED: Use `flowPath` instead. */
+  deprecated predicate hasFlowPath = flowPath/2;
+
   private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
     flowsource.isSource() and
     flowsource.getNodeEx().asNode() = source and
@@ -3653,17 +3652,26 @@ module Impl<FullStateConfigSig Config> {
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+  predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+
+  /** DEPRECATED: Use `flow` instead. */
+  deprecated predicate hasFlow = flow/2;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+  predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+
+  /** DEPRECATED: Use `flowTo` instead. */
+  deprecated predicate hasFlowTo = flowTo/1;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
+
+  /** DEPRECATED: Use `flowToExpr` instead. */
+  deprecated predicate hasFlowToExpr = flowToExpr/1;
 
   private predicate finalStats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4574,7 +4582,7 @@ module Impl<FullStateConfigSig Config> {
      *
      * To use this in a `path-problem` query, import the module `PartialPathGraph`.
      */
-    predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
       partialFlow(source, node) and
       dist = node.getSourceDistance()
     }
@@ -4594,7 +4602,7 @@ module Impl<FullStateConfigSig Config> {
      * Note that reverse flow has slightly lower precision than the corresponding
      * forward flow, as reverse flow disregards type pruning among other features.
      */
-    predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
       revPartialFlow(node, sink) and
       dist = node.getSinkDistance()
     }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }