Merge branch 'main' into skip-safe-conversions-in-range-analysis

Author: MathiasVP

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll

@@ -1039,6 +1039,29 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
         or
         b = bRight and origdelta = odRight and reason = rRight and bLeft instanceof SemZeroBound
       )
+      or
+      exists(
+        SemRemExpr rem, SemZeroBound b1, SemZeroBound b2, D::Delta d_max, D::Delta d1, D::Delta d2,
+        boolean fbe1, boolean fbe2, D::Delta od1, D::Delta od2, SemReason r1, SemReason r2
+      |
+        rem = e and
+        not (upper = true and semPositive(rem.getRightOperand())) and
+        not (upper = true and semPositive(rem.getLeftOperand())) and
+        boundedRemExpr(rem, b1, true, d1, fbe1, od1, r1) and
+        boundedRemExpr(rem, b2, false, d2, fbe2, od2, r2) and
+        (
+          if D::toFloat(d1).abs() > D::toFloat(d2).abs()
+          then (
+            b = b1 and d_max = d1 and fromBackEdge = fbe1 and origdelta = od1 and reason = r1
+          ) else (
+            b = b2 and d_max = d2 and fromBackEdge = fbe2 and origdelta = od2 and reason = r2
+          )
+        )
+      |
+        upper = true and delta = D::fromFloat(D::toFloat(d_max).abs() - 1)
+        or
+        upper = false and delta = D::fromFloat(-D::toFloat(d_max).abs() + 1)
+      )
     )
   }
 
@@ -1065,4 +1088,11 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
       bounded(add.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
     )
   }
+
+  private predicate boundedRemExpr(
+    SemRemExpr rem, SemZeroBound b, boolean upper, D::Delta delta, boolean fromBackEdge,
+    D::Delta origdelta, SemReason reason
+  ) {
+    bounded(rem.getRightOperand(), b, delta, upper, fromBackEdge, origdelta, reason)
+  }
 }

cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp

@@ -18,20 +18,20 @@ int test2(struct List* p) {
   int count = 0;
   for (; p; p = p->next) {
     count = (count+1) % 10;
-    range(count); // $ range=<=9 range=<=count:p+1
+    range(count); // $ range=<=9 range=>=-9 range=<=count:p+1
   }
-  range(count); // $ range=<=9
+  range(count); // $ range=>=-9 range=<=9
   return count;
 }
 
 int test3(struct List* p) {
   int count = 0;
   for (; p; p = p->next) {
-    range(count++); // $ range=<=9
+    range(count++); // $ range=>=-9 range=<=9
     count = count % 10;
-    range(count); // $ range=<=9 range="<=... +++0" range=<=count:p+1
+    range(count); // $ range=<=9 range=>=-9 range="<=... +++0" range=<=count:p+1
   }
-  range(count); // $ range=<=9
+  range(count); // $ range=>=-9 range=<=9
   return count;
 }
 
@@ -964,7 +964,22 @@ void guard_bound_out_of_range(void) {
 
 void test_mod(int s) {
   int s2 = s % 5;
-  range(s2); // $ range=<=4 // -4 .. 4
+  range(s2); // $ range=>=-4 range=<=4
+}
+
+void test_mod_neg(int s) {
+  int s2 = s % -5;
+  range(s2); // $ range=>=-4 range=<=4
+}
+
+void test_mod_ternary(int s, bool b) {
+  int s2 = s % (b ? 5 : 500);
+  range(s2); // $ range=>=-499 range=<=499 range="<=... ? ... : ...-1"
+}
+
+void test_mod_ternary2(int s, bool b1, bool b2) {
+  int s2 = s % (b1 ? (b2 ? 5 : -5000) : -500000);
+  range(s2); // $ range=>=-499999 range=<=499999
 }
 
 void exit(int);

csharp/ql/lib/semmle/code/asp/WebConfig.qll

@@ -11,6 +11,13 @@ class WebConfigXml extends XmlFile {
   WebConfigXml() { this.getName().matches("%Web.config") }
 }
 
+/**
+ * A `Web.config` transformation file.
+ */
+class WebConfigReleaseTransformXml extends XmlFile {
+  WebConfigReleaseTransformXml() { this.getName().matches("%Web.Release.config") }
+}
+
 /** DEPRECATED: Alias for WebConfigXml */
 deprecated class WebConfigXML = WebConfigXml;
 
@@ -19,6 +26,11 @@ class ConfigurationXmlElement extends XmlElement {
   ConfigurationXmlElement() { this.getName().toLowerCase() = "configuration" }
 }
 
+/** A `<compilation>` tag in an ASP.NET configuration file. */
+class CompilationXmlElement extends XmlElement {
+  CompilationXmlElement() { this.getName().toLowerCase() = "compilation" }
+}
+
 /** DEPRECATED: Alias for ConfigurationXmlElement */
 deprecated class ConfigurationXMLElement = ConfigurationXmlElement;
 
@@ -149,3 +161,15 @@ class HttpCookiesElement extends XmlElement {
   /** DEPRECATED: Alias for isRequireSsl */
   deprecated predicate isRequireSSL() { this.isRequireSsl() }
 }
+
+/** A `Transform` attribute in a Web.config transformation file. */
+class TransformXmlAttribute extends XmlAttribute {
+  TransformXmlAttribute() { this.getName().toLowerCase() = "transform" }
+
+  /**
+   * Gets the list of attribute removals in `Transform=RemoveAttributes(list)`.
+   */
+  string getRemoveAttributes() {
+    result = this.getValue().regexpCapture("RemoveAttributes\\((.*)\\)", 1).splitAt(",")
+  }
+}

csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql

@@ -19,6 +19,17 @@ import semmle.code.asp.WebConfig
 
 from SystemWebXmlElement web, XmlAttribute debugAttribute
 where
-  debugAttribute = web.getAChild("compilation").getAttribute("debug") and
-  not debugAttribute.getValue().toLowerCase() = "false"
+  exists(CompilationXmlElement compilation | compilation.getParent() = web |
+    debugAttribute = compilation.getAttribute("debug") and
+    not debugAttribute.getValue().toLowerCase() = "false"
+  ) and
+  not exists(
+    TransformXmlAttribute attribute, CompilationXmlElement compilation,
+    WebConfigReleaseTransformXml file
+  |
+    compilation = attribute.getElement() and
+    file = compilation.getFile() and
+    attribute.getRemoveAttributes() = "debug" and
+    file.getParentContainer() = web.getFile().getParentContainer()
+  )
 select debugAttribute, "The 'debug' flag is set for an ASP.NET configuration file."

csharp/ql/src/change-notes/2023-03-23-cs-web-debug-binary.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `cs/web/debug-binary` now disregards the `debug` attribute in case there is a transformation that removes it.

csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.expected

@@ -1 +1,2 @@
-| bad/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
+| bad1/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
+| bad2/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |

csharp/ql/test/query-tests/Security Features/CWE-011/bad/Web.config renamed to csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <system.web>
+    <compilation xdt:Transform="RemoveAttributes(debug)" />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.Debug.config

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+      debug="true"
+    />
+  </system.web>
+</configuration>