Merge branch 'main' into sj-patch-1

Author: sj

.github/workflows/check-change-note.yml

@@ -0,0 +1,21 @@
+on:
+  pull_request_target:
+    types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
+    paths:
+      - "*/ql/src/**/*.ql"
+      - "*/ql/src/**/*.qll"
+      - "!**/experimental/**"
+
+jobs:
+  check-change-note:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
+        if: |
+          github.event.pull_request.draft == false &&
+          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
+          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status

.github/workflows/codeql-analysis.yml

@@ -5,10 +5,14 @@ on:
     branches:
       - main
       - 'rc/*'
+    paths:
+      - 'csharp/**'
   pull_request:
     branches:
       - main
       - 'rc/*'
+    paths:
+      - 'csharp/**'
   schedule:
     - cron: '0 9 * * 1'
 

CODEOWNERS

@@ -4,17 +4,9 @@
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
 
-# Assign query help for docs review
-/cpp/**/*.qhelp @hubwriter
-/csharp/**/*.qhelp @jf205
-/java/**/*.qhelp @felicitymay
-/javascript/**/*.qhelp @mchammer01
-/python/**/*.qhelp @felicitymay
-/docs/language/ @shati-patel @jf205
-
 # Exclude help for experimental queries from docs review
 /cpp/**/experimental/**/*.qhelp @github/codeql-c-analysis @xcorail
 /csharp/**/experimental/**/*.qhelp @github/codeql-csharp @xcorail
 /java/**/experimental/**/*.qhelp @github/codeql-java @xcorail
 /javascript/**/experimental/**/*.qhelp @github/codeql-javascript @xcorail
-/python/**/experimental/**/*.qhelp @github/codeql-python @xcorail
+/python/**/experimental/**/*.qhelp @github/codeql-python @xcorail

cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql

@@ -8,6 +8,7 @@
  * @tags reliability
  *       security
  *       external/cwe/cwe-242
+ *       external/cwe/cwe-676
  */
 
 import cpp

cpp/ql/src/semmle/code/cpp/models/Models.qll

@@ -30,3 +30,6 @@ private import implementations.SmartPointer
 private import implementations.Sscanf
 private import implementations.Send
 private import implementations.Recv
+private import implementations.Accept
+private import implementations.Poll
+private import implementations.Select

cpp/ql/src/semmle/code/cpp/models/implementations/Accept.qll

@@ -0,0 +1,56 @@
+/**
+ * Provides implementation classes modeling `accept` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `accept` and its assorted variants
+ */
+private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+  Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 1 and countParam = 2
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 1 }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = 1 }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (input.isParameter(0) or input.isParameterDeref(1)) and
+    (output.isReturnValue() or output.isParameterDeref(1))
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 1 and buffer = true and mustWrite = false
+    or
+    i = 2 and buffer = false and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = true
+    or
+    i = 1 and buffer = false
+  }
+
+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
+
+  // NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
+  // the structure pointed to by the file-descriptor argument.
+  override predicate hasOnlySpecificReadSideEffects() { none() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { none() }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/Poll.qll

@@ -0,0 +1,44 @@
+/**
+ * Provides implementation classes modeling `poll` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `poll` and its assorted variants
+ */
+private class Poll extends ArrayFunction, AliasFunction, SideEffectFunction {
+  Poll() { this.hasGlobalName(["poll", "ppoll", "WSAPoll"]) }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 0 and countParam = 1
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 0 }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and buffer = true and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = true
+    or
+    this.hasGlobalName("ppoll") and i = [2, 3] and buffer = false
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+}

cpp/ql/src/semmle/code/cpp/models/implementations/Select.qll

@@ -0,0 +1,40 @@
+/**
+ * Provides implementation classes modeling `select` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `select` and its assorted variants
+ */
+private class Select extends ArrayFunction, AliasFunction, SideEffectFunction {
+  Select() { this.hasGlobalName(["select", "pselect"]) }
+
+  override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = [1 .. 3] }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = [1 .. 3] }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = [1 .. 3] }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = [1 .. 3] and buffer = true and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = [1 .. 5] and buffer = true
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/bsd.cpp

@@ -0,0 +1,24 @@
+void sink(...);
+int source();
+
+// --- accept ---
+
+struct sockaddr {
+	unsigned char length;
+	int sa_family;
+	char* sa_data;
+};
+
+int accept(int, const sockaddr*, int*);
+
+void sink(sockaddr);
+
+void test_accept() {
+  int s = source();
+  sockaddr addr;
+  int size = sizeof(sockaddr);
+  int a = accept(s, &addr, &size);
+
+  sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir
+  sink(addr); // $ ast MISSING: ir
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -135,6 +135,17 @@
 | arrayassignment.cpp:145:12:145:12 | 5 | arrayassignment.cpp:145:7:145:13 | access to array | TAINT |
 | arrayassignment.cpp:146:7:146:10 | arr3 | arrayassignment.cpp:146:7:146:13 | access to array |  |
 | arrayassignment.cpp:146:12:146:12 | 5 | arrayassignment.cpp:146:7:146:13 | access to array | TAINT |
+| bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s |  |
+| bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr |  |
+| bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr |  |
+| bsd.cpp:19:14:19:29 | sizeof(sockaddr) | bsd.cpp:20:29:20:32 | size |  |
+| bsd.cpp:20:11:20:16 | call to accept | bsd.cpp:22:8:22:8 | a |  |
+| bsd.cpp:20:18:20:18 | s | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:21:20:25 | & ... | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | & ... |  |
+| bsd.cpp:20:28:20:32 | ref arg & ... | bsd.cpp:20:29:20:32 | size [inner post update] |  |
+| bsd.cpp:20:29:20:32 | size | bsd.cpp:20:28:20:32 | & ... |  |
 | constructor_delegation.cpp:8:2:8:8 | this | constructor_delegation.cpp:8:20:8:24 | constructor init of field x [pre-this] |  |
 | constructor_delegation.cpp:8:14:8:15 | _x | constructor_delegation.cpp:8:22:8:23 | _x |  |
 | constructor_delegation.cpp:8:22:8:23 | _x | constructor_delegation.cpp:8:20:8:24 | constructor init of field x | TAINT |