Merge branch 'main' into crypto

Author: RasmusWL

.github/workflows/check-change-note.yml

@@ -0,0 +1,21 @@
+on:
+  pull_request_target:
+    types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
+    paths:
+      - "*/ql/src/**/*.ql"
+      - "*/ql/src/**/*.qll"
+      - "!**/experimental/**"
+
+jobs:
+  check-change-note:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
+        if: |
+          github.event.pull_request.draft == false &&
+          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
+          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status

.github/workflows/codeql-analysis.yml

@@ -5,10 +5,14 @@ on:
     branches:
       - main
       - 'rc/*'
+    paths:
+      - 'csharp/**'
   pull_request:
     branches:
       - main
       - 'rc/*'
+    paths:
+      - 'csharp/**'
   schedule:
     - cron: '0 9 * * 1'
 

CODEOWNERS

@@ -3,18 +3,3 @@
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
-
-# Assign query help for docs review
-/cpp/**/*.qhelp @hubwriter
-/csharp/**/*.qhelp @jf205
-/java/**/*.qhelp @felicitymay
-/javascript/**/*.qhelp @mchammer01
-/python/**/*.qhelp @felicitymay
-/docs/language/ @shati-patel @jf205
-
-# Exclude help for experimental queries from docs review
-/cpp/**/experimental/**/*.qhelp @github/codeql-c-analysis
-/csharp/**/experimental/**/*.qhelp @github/codeql-csharp
-/java/**/experimental/**/*.qhelp @github/codeql-java
-/javascript/**/experimental/**/*.qhelp @github/codeql-javascript
-/python/**/experimental/**/*.qhelp @github/codeql-python

cpp/change-notes/2020-02-04-unsigned-difference-expression-compared-zero.md renamed to cpp/change-notes/2021-02-04-unsigned-difference-expression-compared-zero.md

@@ -8,6 +8,7 @@
  * @tags reliability
  *       security
  *       external/cwe/cwe-242
+ *       external/cwe/cwe-676
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql

@@ -467,7 +467,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
       // ... and likewise for destructors.
       this.(Destructor).getADestruction().mayBeGloballyImpure()
     else
-      // Unless it's a function that we know is side-effect-free, it may
+      // Unless it's a function that we know is side-effect free, it may
       // have side-effects.
       not this.hasGlobalOrStdName([
           "strcmp", "wcscmp", "_mbscmp", "strlen", "wcslen", "_mbslen", "_mbslen_l", "_mbstrlen",

cpp/ql/src/semmle/code/cpp/Function.qll

@@ -30,3 +30,6 @@ private import implementations.SmartPointer
 private import implementations.Sscanf
 private import implementations.Send
 private import implementations.Recv
+private import implementations.Accept
+private import implementations.Poll
+private import implementations.Select

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -0,0 +1,56 @@
+/**
+ * Provides implementation classes modeling `accept` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `accept` and its assorted variants
+ */
+private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+  Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 1 and countParam = 2
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 1 }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = 1 }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (input.isParameter(0) or input.isParameterDeref(1)) and
+    (output.isReturnValue() or output.isParameterDeref(1))
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 1 and buffer = true and mustWrite = false
+    or
+    i = 2 and buffer = false and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = true
+    or
+    i = 1 and buffer = false
+  }
+
+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
+
+  // NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
+  // the structure pointed to by the file-descriptor argument.
+  override predicate hasOnlySpecificReadSideEffects() { none() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { none() }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/Accept.qll

@@ -0,0 +1,44 @@
+/**
+ * Provides implementation classes modeling `poll` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `poll` and its assorted variants
+ */
+private class Poll extends ArrayFunction, AliasFunction, SideEffectFunction {
+  Poll() { this.hasGlobalName(["poll", "ppoll", "WSAPoll"]) }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 0 and countParam = 1
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 0 }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and buffer = true and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = true
+    or
+    this.hasGlobalName("ppoll") and i = [2, 3] and buffer = false
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/Poll.qll

@@ -3,7 +3,10 @@ import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
-/** Pure string functions. */
+/**
+ * A function that operates on strings and is pure. That is, its evaluation is
+ * guaranteed to be side-effect free.
+ */
 private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,
   SideEffectFunction {
   PureStrFunction() {
@@ -89,7 +92,9 @@ private string strcmp() {
     ]
 }
 
-/** String standard `strlen` function, and related functions for computing string lengths. */
+/**
+ * A function such as `strlen` that returns the length of the given string.
+ */
 private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
   StrLenFunction() {
     hasGlobalOrStdOrBslName(["strlen", "strnlen", "wcslen"])
@@ -123,7 +128,10 @@ private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFun
   }
 }
 
-/** Pure functions. */
+/**
+ * A function that is pure, that is, its evaluation is guaranteed to be
+ * side-effect free. Excludes functions modeled by `PureStrFunction` and `PureMemFunction`.
+ */
 private class PureFunction extends TaintFunction, SideEffectFunction {
   PureFunction() { hasGlobalOrStdOrBslName(["abs", "labs"]) }
 
@@ -140,7 +148,10 @@ private class PureFunction extends TaintFunction, SideEffectFunction {
   override predicate hasOnlySpecificWriteSideEffects() { any() }
 }
 
-/** Pure raw-memory functions. */
+/**
+ * A function that operates on memory buffers and is pure. That is, its
+ * evaluation is guaranteed to be side-effect free.
+ */
 private class PureMemFunction extends AliasFunction, ArrayFunction, TaintFunction,
   SideEffectFunction {
   PureMemFunction() {