Merge branch 'main' of https://github.com/github/codeql

Author: sabrowning1

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -35,6 +35,7 @@ private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
 private import implementations.MySql
+private import implementations.ODBC
 private import implementations.SqLite3
 private import implementations.PostgreSql
 private import implementations.System

cpp/ql/lib/semmle/code/cpp/models/implementations/ODBC.qll

@@ -0,0 +1,28 @@
+/**
+ * Provides implementation classes modeling the ODBC C/C++ API.
+ * See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+private import semmle.code.cpp.models.interfaces.Sql
+private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
+
+/**
+ * The `SQLExecDirect`, and `SQLPrepare` from the ODBC C/C++ API:
+ * https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlexecdirect-function?view=sql-server-ver16
+ * https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlprepare-function?view=sql-server-ver16
+ *
+ * Note, `SQLExecute` is not included because it operates on a SQLHSTMT type, not a string.
+ * The SQLHSTMT parameter for `SQLExecute` is set through a `SQLPrepare`, which is modeled.
+ * The other source of input to a `SQLExecute` is via a `SQLBindParameter`, which sanitizes user input,
+ * and would be considered a barrier to SQL injection.
+ */
+private class ODBCExecutionFunction extends SqlExecutionFunction {
+  ODBCExecutionFunction() { this.hasGlobalName(["SQLExecDirect", "SQLPrepare"]) }
+
+  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
+}
+// NOTE: no need to define a barrier explicitly.
+// `SQLBindParameter` is the typical means for sanitizing user input.
+//       https://learn.microsoft.com/en-us/sql/odbc/reference/syntax/sqlbindparameter-function?view=sql-server-ver16
+// First a query is establisehed via `SQLPrepare`, then parameters are bound via `SQLBindParameter`, before
+// the query is executed via `SQLExecute`. We are not modeling SQLExecute, so we do not need to model SQLBindParameter.

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysis.qll

@@ -78,6 +78,8 @@ module Sem implements Semantic {
 
   predicate guardDirectlyControlsSsaRead = semGuardDirectlyControlsSsaRead/3;
 
+  predicate guardControlsSsaRead = semGuardControlsSsaRead/3;
+
   class Type = SemType;
 
   class IntegerType = SemIntegerType;
@@ -169,8 +171,8 @@ module AllBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
 private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
   class ModBound = AllBounds::SemBound;
 
-  private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.ModulusAnalysis as MA
-  import MA::ModulusAnalysis<FloatDelta, AllBounds, Util>
+  private import codeql.rangeanalysis.ModulusAnalysis as MA
+  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds, Util>
 }
 
 module Util = RangeUtil<FloatDelta, CppLangImplConstant>;

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ModulusAnalysisSpecific.qll

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SQL API models for `ODBC`.