Merge branch 'main' into django-3.2

Author: RasmusWL

cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c

@@ -0,0 +1,17 @@
+while(flagsLoop)
+{
+  ...
+  if(flagsIf) break;
+  ...
+}while(flagsLoop); // BAD: when exiting through `break`, it is possible to get into an eternal loop.
+...
+while(flagsLoop)
+{
+  ...
+  if(flagsIf) break;
+  ...
+} // GOOD: correct cycle
+...
+if(intA+intB) return 1; // BAD: possibly no comparison
+...
+if(intA+intB>intC) return 1; // GOOD: correct comparison

cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>In some situations, after code refactoring, parts of the old constructs may remain. They are correctly accepted by the compiler, but can critically affect program execution. For example, if you switch from `do {...} while ();` to `while () {...}` forgetting to remove the old construct completely, you get `while(){...}while();` which may be vulnerable. These code snippets look suspicious and require the developer's attention.</p>
+
+
+</overview>
+<recommendation>
+
+<p>We recommend that you use more explicit code transformations.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates the erroneous and corrected sections of the code.</p>
+<sample src="InsufficientControlFlowManagementAfterRefactoringTheCode.c" />
+
+</example>
+<references>
+
+<li>
+  CWE Common Weakness Enumeration:
+  <a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql

@@ -0,0 +1,119 @@
+/**
+ * @name Errors After Refactoring
+ * @description --In some situations, after code refactoring, parts of the old constructs may remain.
+ *              --They are correctly accepted by the compiler, but can critically affect program execution.
+ *              --For example, if you switch from `do {...} while ();` to `while () {...}` with errors, you run the risk of running out of resources.
+ *              --These code snippets look suspicious and require the developer's attention.
+ * @kind problem
+ * @id cpp/errors-after-refactoring
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-691
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Using `while` directly after the body of another` while`.
+ */
+class UsingWhileAfterWhile extends WhileStmt {
+  /**
+   * Using a loop call after another loop has finished running can result in an eternal loop.
+   * For example, perhaps as a result of refactoring, the `do ... while ()` loop was incorrectly corrected.
+   * Even in the case of deliberate use of such an expression, it is better to correct it.
+   */
+  UsingWhileAfterWhile() {
+    exists(WhileStmt wh1 |
+      wh1.getStmt().getAChild*().(BreakStmt).(ControlFlowNode).getASuccessor().getASuccessor() =
+        this and
+      hashCons(wh1.getCondition()) = hashCons(this.getCondition()) and
+      this.getStmt() instanceof EmptyStmt
+    )
+    or
+    exists(ForStmt fr1 |
+      fr1.getStmt().getAChild*().(BreakStmt).(ControlFlowNode).getASuccessor().getASuccessor() =
+        this and
+      hashCons(fr1.getCondition()) = hashCons(this.getCondition()) and
+      this.getStmt() instanceof EmptyStmt
+    )
+  }
+}
+
+/**
+ * Using arithmetic in a condition.
+ */
+class UsingArithmeticInComparison extends BinaryArithmeticOperation {
+  /**
+   * Using arithmetic operations in a comparison operation can be dangerous.
+   * For example, part of the comparison may have been lost as a result of refactoring.
+   * Even if you deliberately use such an expression, it is better to add an explicit comparison.
+   */
+  UsingArithmeticInComparison() {
+    this.getParent*() instanceof IfStmt and
+    not this.getAChild*().isConstant() and
+    not this.getParent*() instanceof Call and
+    not this.getParent*() instanceof AssignExpr and
+    not this.getParent*() instanceof ArrayExpr and
+    not this.getParent*() instanceof RemExpr and
+    not this.getParent*() instanceof AssignBitwiseOperation and
+    not this.getParent*() instanceof AssignArithmeticOperation and
+    not this.getParent*() instanceof EqualityOperation and
+    not this.getParent*() instanceof RelationalOperation
+  }
+
+  /** Holds when the expression is inside the loop body. */
+  predicate insideTheLoop() { exists(Loop lp | lp.getStmt().getAChild*() = this.getParent*()) }
+
+  /** Holds when the expression is used in binary operations. */
+  predicate workingWithValue() {
+    this.getParent*() instanceof BinaryBitwiseOperation or
+    this.getParent*() instanceof NotExpr
+  }
+
+  /** Holds when the expression contains a pointer. */
+  predicate workingWithPointer() {
+    this.getAChild*().getFullyConverted().getType() instanceof DerivedType
+  }
+
+  /** Holds when a null comparison expression exists. */
+  predicate compareWithZero() {
+    exists(Expr exp |
+      exp instanceof ComparisonOperation and
+      (
+        globalValueNumber(exp.getAChild*()) = globalValueNumber(this) or
+        hashCons(exp.getAChild*()) = hashCons(this)
+      ) and
+      (
+        exp.(ComparisonOperation).getLeftOperand().getValue() = "0" or
+        exp.(ComparisonOperation).getRightOperand().getValue() = "0"
+      )
+    )
+  }
+
+  /** Holds when a comparison expression exists. */
+  predicate compareWithOutZero() {
+    exists(Expr exp |
+      exp instanceof ComparisonOperation and
+      (
+        globalValueNumber(exp.getAChild*()) = globalValueNumber(this) or
+        hashCons(exp.getAChild*()) = hashCons(this)
+      )
+    )
+  }
+}
+
+from Expr exp
+where
+  exp instanceof UsingArithmeticInComparison and
+  not exp.(UsingArithmeticInComparison).workingWithValue() and
+  not exp.(UsingArithmeticInComparison).workingWithPointer() and
+  not exp.(UsingArithmeticInComparison).insideTheLoop() and
+  not exp.(UsingArithmeticInComparison).compareWithZero() and
+  exp.(UsingArithmeticInComparison).compareWithOutZero()
+  or
+  exists(WhileStmt wst | wst instanceof UsingWhileAfterWhile and exp = wst.getCondition())
+select exp, "this expression needs your attention"

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected

@@ -0,0 +1,4 @@
+| test.c:15:6:15:16 | ... + ... | this expression needs your attention |
+| test.c:17:17:17:27 | ... + ... | this expression needs your attention |
+| test.c:22:10:22:15 | ... > ... | this expression needs your attention |
+| test.c:26:10:26:15 | ... > ... | this expression needs your attention |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c

@@ -12,14 +12,18 @@ void workFunction_0(char *s) {
 void workFunction_1(char *s) {
   int intA,intB;
 
-  if(intA + intB) return; // BAD [NOT DETECTED]
+  if(intA + intB) return; // BAD
   if(intA + intB>4) return; // GOOD
-  if(intA>0 && (intA + intB)) return; // BAD [NOT DETECTED]
+  if(intA>0 && (intA + intB)) return; // BAD
   while(intA>0)
   {
     if(intB - intA<10) break;
     intA--;
-  }while(intA>0); // BAD [NOT DETECTED]
+  }while(intA>0); // BAD
+  for(intA=100; intA>0; intA--)
+  {
+    if(intB - intA<10) break;
+  }while(intA>0); // BAD
   while(intA>0)
   {
     if(intB - intA<10) break;

csharp/ql/src/Metrics/Summaries/LinesOfCode.ql

@@ -0,0 +1,11 @@
+/**
+ * @id cs/summary/lines-of-code
+ * @name Total lines of code in the database
+ * @description The total number of lines of code across all files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @tags summary
+ */
+
+import csharp
+
+select sum(File f | f.fromSource() | f.getNumberOfLinesOfCode())

csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll

@@ -316,6 +316,15 @@ private module SsaDefReaches {
     )
   }
 
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
   predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
     exists(ssaDefRank(def, v, bb, _, _))
   }
@@ -351,8 +360,7 @@ private module SsaDefReaches {
    */
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
-    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _, _)
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
   }
 }
 
@@ -434,15 +442,22 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
     bb2 = bb1
   )
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb1, i1, _) = maxSsaRefRank(bb1, v)) and
+  lastSsaRef(def, _, bb1, i1) and
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
 private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
-  adjacentDefRead(def, bb1, i1, bb2, i2) and
-  exists(SourceVariable v | v = def.getSourceVariable() |
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
     ssaRef(bb1, i1, v, SsaDef())
     or
     variableRead(bb1, i1, v, true)
@@ -475,17 +490,19 @@ predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, Ba
  */
 pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
-  exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
+  exists(SourceVariable v |
     // Next reference to `v` inside `bb` is a write
-    next.definesAt(v, bb, j) and
-    rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
     or
     // Can reach a write using one or more steps
-    rnk = maxSsaRefRank(bb, v) and
+    lastSsaRef(def, v, bb, i) and
     exists(BasicBlock bb2 |
       varBlockReaches(def, bb, bb2) and
-      next.definesAt(v, bb2, j) and
-      1 = ssaRefRank(bb2, j, v, SsaDef())
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
     )
   )
 }
@@ -539,7 +556,8 @@ pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v) |
+  lastSsaRef(def, _, bb, i) and
+  (
     // Can reach exit directly
     bb instanceof ExitBasicBlock
     or

csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll

@@ -316,6 +316,15 @@ private module SsaDefReaches {
     )
   }
 
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
   predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
     exists(ssaDefRank(def, v, bb, _, _))
   }
@@ -351,8 +360,7 @@ private module SsaDefReaches {
    */
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
-    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _, _)
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
   }
 }
 
@@ -434,15 +442,22 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
     bb2 = bb1
   )
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb1, i1, _) = maxSsaRefRank(bb1, v)) and
+  lastSsaRef(def, _, bb1, i1) and
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
 private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
-  adjacentDefRead(def, bb1, i1, bb2, i2) and
-  exists(SourceVariable v | v = def.getSourceVariable() |
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
     ssaRef(bb1, i1, v, SsaDef())
     or
     variableRead(bb1, i1, v, true)
@@ -475,17 +490,19 @@ predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, Ba
  */
 pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
-  exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
+  exists(SourceVariable v |
     // Next reference to `v` inside `bb` is a write
-    next.definesAt(v, bb, j) and
-    rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
     or
     // Can reach a write using one or more steps
-    rnk = maxSsaRefRank(bb, v) and
+    lastSsaRef(def, v, bb, i) and
     exists(BasicBlock bb2 |
       varBlockReaches(def, bb, bb2) and
-      next.definesAt(v, bb2, j) and
-      1 = ssaRefRank(bb2, j, v, SsaDef())
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
     )
   )
 }
@@ -539,7 +556,8 @@ pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v) |
+  lastSsaRef(def, _, bb, i) and
+  (
     // Can reach exit directly
     bb instanceof ExitBasicBlock
     or