Merge remote-tracking branch 'upstream/master' into XssDom

Author: erik-krogh

change-notes/1.24/analysis-cpp.md

@@ -25,6 +25,7 @@ The following changes in version 1.24 affect C/C++ analysis in all applications.
 | Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) |  | This query is no longer run on LGTM. |
 | No space for zero terminator (`cpp/no-space-for-terminator`) | Fewer false positive results | This query has been modified to be more conservative when identifying which pointers point to null-terminated strings.  This approach produces fewer, more accurate results. |
 | Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | Cases where the tainted allocation size is range checked are now more reliably excluded. |
+| Overflow in uncontrolled allocation size (`cpp/uncontrolled-allocation-size`) | Fewer false positive results | The query now produces fewer, more accurate results. |
 | Overloaded assignment does not return 'this' (`cpp/assignment-does-not-return-this`) | Fewer false positive results | This query no longer reports incorrect results in template classes. |
 | Unsafe array for days of the year (`cpp/leap-year/unsafe-array-for-days-of-the-year`) |  | This query is no longer run on LGTM. |
 | Unsigned comparison to zero (`cpp/unsigned-comparison-zero`) | More correct results | This query now also looks for comparisons of the form `0 <= x`. |

change-notes/1.24/analysis-javascript.md

@@ -86,7 +86,7 @@
 | Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes escapes in strings and regular expression literals. |
 | Identical operands (`js/redundant-operation`) | Fewer results | This query now recognizes cases where the operands change a value using ++/-- expressions. |
 | Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now recognizes cases where a function uses the `Function.arguments` value to process a variable number of parameters. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes more variations of URL scheme checks. |
+| Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional variations of URL scheme checks. |
 
 ## Changes to libraries
 

change-notes/1.25/analysis-javascript.md

@@ -0,0 +1,22 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+
+## New queries
+
+| **Query**                                                                       | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
+| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
+| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
+
+## Changes to libraries
+
+* Added data flow for `Map` and `Set`, and added matching type-tracking steps that can accessed using the `CollectionsTypeTracking` module.

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -15,31 +15,31 @@ import cpp
 import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
-predicate taintedChild(Expr e, Expr tainted) {
-  (
-    isAllocationExpr(e)
-    or
-    any(MulExpr me | me.getAChild() instanceof SizeofOperator) = e
-  ) and
-  tainted = e.getAChild() and
+/**
+ * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
+ * taint sink.
+ */
+predicate allocSink(Expr alloc, Expr tainted) {
+  isAllocationExpr(alloc) and
+  tainted = alloc.getAChild() and
   tainted.getUnspecifiedType() instanceof IntegralType
 }
 
 class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { taintedChild(_, tainted) }
+  override predicate isSink(Element tainted) { allocSink(_, tainted) }
 }
 
 predicate taintedAllocSize(
-  Expr e, Expr source, PathNode sourceNode, PathNode sinkNode, string taintCause
+  Expr source, Expr alloc, PathNode sourceNode, PathNode sinkNode, string taintCause
 ) {
   isUserInput(source, taintCause) and
   exists(Expr tainted |
-    taintedChild(e, tainted) and
+    allocSink(alloc, tainted) and
     taintedWithPath(source, tainted, sourceNode, sinkNode)
   )
 }
 
-from Expr e, Expr source, PathNode sourceNode, PathNode sinkNode, string taintCause
-where taintedAllocSize(e, source, sourceNode, sinkNode, taintCause)
-select e, sourceNode, sinkNode, "This allocation size is derived from $@ and might overflow",
+from Expr source, Expr alloc, PathNode sourceNode, PathNode sinkNode, string taintCause
+where taintedAllocSize(source, alloc, sourceNode, sinkNode, taintCause)
+select alloc, sourceNode, sinkNode, "This allocation size is derived from $@ and might overflow",
   source, "user input (" + taintCause + ")"

cpp/ql/src/semmle/code/cpp/Type.qll

@@ -697,28 +697,188 @@ class Int128Type extends IntegralType {
   override string getCanonicalQLClass() { result = "Int128Type" }
 }
 
+private newtype TTypeDomain =
+  TRealDomain() or
+  TComplexDomain() or
+  TImaginaryDomain()
+
 /**
- * The C/C++ floating point types. See 4.5.  This includes `float`,
- * `double` and `long double` types.
- * ```
- * float f;
- * double d;
- * long double ld;
- * ```
+ * The type domain of a floating-point type. One of `RealDomain`, `ComplexDomain`, or
+ * `ImaginaryDomain`.
+ */
+class TypeDomain extends TTypeDomain {
+  /** Gets a textual representation of this type domain. */
+  string toString() { none() }
+}
+
+/**
+ * The type domain of a floating-point type that represents a real number.
+ */
+class RealDomain extends TypeDomain, TRealDomain {
+  final override string toString() { result = "real" }
+}
+
+/**
+ * The type domain of a floating-point type that represents a complex number.
+ */
+class ComplexDomain extends TypeDomain, TComplexDomain {
+  final override string toString() { result = "complex" }
+}
+
+/**
+ * The type domain of a floating-point type that represents an imaginary number.
+ */
+class ImaginaryDomain extends TypeDomain, TImaginaryDomain {
+  final override string toString() { result = "imaginary" }
+}
+
+/**
+ * Data for floating-point types.
+ *
+ * kind: The original type kind. Can be any floating-point type kind.
+ * base: The numeric base of the number's representation. Can be 2 (binary) or 10 (decimal).
+ * domain: The type domain of the type. Can be `RealDomain`, `ComplexDomain`, or `ImaginaryDomain`.
+ * realKind: The type kind of the corresponding real type. For example, the corresponding real type
+ *   of `_Complex double` is `double`.
+ * extended: `true` if the number is an extended-precision floating-point number, such as
+ *   `_Float32x`.
+ */
+private predicate floatingPointTypeMapping(
+  int kind, int base, TTypeDomain domain, int realKind, boolean extended
+) {
+  // float
+  kind = 24 and base = 2 and domain = TRealDomain() and realKind = 24 and extended = false
+  or
+  // double
+  kind = 25 and base = 2 and domain = TRealDomain() and realKind = 25 and extended = false
+  or
+  // long double
+  kind = 26 and base = 2 and domain = TRealDomain() and realKind = 26 and extended = false
+  or
+  // _Complex float
+  kind = 27 and base = 2 and domain = TComplexDomain() and realKind = 24 and extended = false
+  or
+  // _Complex double
+  kind = 28 and base = 2 and domain = TComplexDomain() and realKind = 25 and extended = false
+  or
+  // _Complex long double
+  kind = 29 and base = 2 and domain = TComplexDomain() and realKind = 26 and extended = false
+  or
+  // _Imaginary float
+  kind = 30 and base = 2 and domain = TImaginaryDomain() and realKind = 24 and extended = false
+  or
+  // _Imaginary double
+  kind = 31 and base = 2 and domain = TImaginaryDomain() and realKind = 25 and extended = false
+  or
+  // _Imaginary long double
+  kind = 32 and base = 2 and domain = TImaginaryDomain() and realKind = 26 and extended = false
+  or
+  // __float128
+  kind = 38 and base = 2 and domain = TRealDomain() and realKind = 38 and extended = false
+  or
+  // _Complex __float128
+  kind = 39 and base = 2 and domain = TComplexDomain() and realKind = 38 and extended = false
+  or
+  // _Decimal32
+  kind = 40 and base = 10 and domain = TRealDomain() and realKind = 40 and extended = false
+  or
+  // _Decimal64
+  kind = 41 and base = 10 and domain = TRealDomain() and realKind = 41 and extended = false
+  or
+  // _Decimal128
+  kind = 42 and base = 10 and domain = TRealDomain() and realKind = 42 and extended = false
+  or
+  // _Float32
+  kind = 45 and base = 2 and domain = TRealDomain() and realKind = 45 and extended = false
+  or
+  // _Float32x
+  kind = 46 and base = 2 and domain = TRealDomain() and realKind = 46 and extended = true
+  or
+  // _Float64
+  kind = 47 and base = 2 and domain = TRealDomain() and realKind = 47 and extended = false
+  or
+  // _Float64x
+  kind = 48 and base = 2 and domain = TRealDomain() and realKind = 48 and extended = true
+  or
+  // _Float128
+  kind = 49 and base = 2 and domain = TRealDomain() and realKind = 49 and extended = false
+  or
+  // _Float128x
+  kind = 50 and base = 2 and domain = TRealDomain() and realKind = 50 and extended = true
+}
+
+/**
+ * The C/C++ floating point types. See 4.5.  This includes `float`, `double` and `long double`, the
+ * fixed-size floating-point types like `_Float32`, the extended-precision floating-point types like
+ * `_Float64x`, and the decimal floating-point types like `_Decimal32`. It also includes the complex
+ * and imaginary versions of all of these types.
  */
 class FloatingPointType extends ArithmeticType {
+  final int base;
+  final TypeDomain domain;
+  final int realKind;
+  final boolean extended;
+
   FloatingPointType() {
     exists(int kind |
       builtintypes(underlyingElement(this), _, kind, _, _, _) and
-      (
-        kind >= 24 and kind <= 32
-        or
-        kind >= 38 and kind <= 42
-        or
-        kind >= 45 and kind <= 50
-      )
+      floatingPointTypeMapping(kind, base, domain, realKind, extended)
     )
   }
+
+  /** Gets the numeric base of this type's representation: 2 (binary) or 10 (decimal). */
+  final int getBase() { result = base }
+
+  /**
+   * Gets the type domain of this type. Can be `RealDomain`, `ComplexDomain`, or `ImaginaryDomain`.
+   */
+  final TypeDomain getDomain() { result = domain }
+
+  /**
+   * Gets the corresponding real type of this type. For example, the corresponding real type of
+   * `_Complex double` is `double`.
+   */
+  final RealNumberType getRealType() {
+    builtintypes(unresolveElement(result), _, realKind, _, _, _)
+  }
+
+  /** Holds if this type is an extended precision floating-point type, such as `_Float32x`. */
+  final predicate isExtendedPrecision() { extended = true }
+}
+
+/**
+ * A floating-point type representing a real number.
+ */
+class RealNumberType extends FloatingPointType {
+  RealNumberType() { domain instanceof RealDomain }
+}
+
+/**
+ * A floating-point type representing a complex number.
+ */
+class ComplexNumberType extends FloatingPointType {
+  ComplexNumberType() { domain instanceof ComplexDomain }
+}
+
+/**
+ * A floating-point type representing an imaginary number.
+ */
+class ImaginaryNumberType extends FloatingPointType {
+  ImaginaryNumberType() { domain instanceof ImaginaryDomain }
+}
+
+/**
+ * A floating-point type whose representation is base 2.
+ */
+class BinaryFloatingPointType extends FloatingPointType {
+  BinaryFloatingPointType() { base = 2 }
+}
+
+/**
+ * A floating-point type whose representation is base 10.
+ */
+class DecimalFloatingPointType extends FloatingPointType {
+  DecimalFloatingPointType() { base = 10 }
 }
 
 /**
@@ -727,7 +887,7 @@ class FloatingPointType extends ArithmeticType {
  * float f;
  * ```
  */
-class FloatType extends FloatingPointType {
+class FloatType extends RealNumberType, BinaryFloatingPointType {
   FloatType() { builtintypes(underlyingElement(this), _, 24, _, _, _) }
 
   override string getCanonicalQLClass() { result = "FloatType" }
@@ -739,7 +899,7 @@ class FloatType extends FloatingPointType {
  * double d;
  * ```
  */
-class DoubleType extends FloatingPointType {
+class DoubleType extends RealNumberType, BinaryFloatingPointType {
   DoubleType() { builtintypes(underlyingElement(this), _, 25, _, _, _) }
 
   override string getCanonicalQLClass() { result = "DoubleType" }
@@ -751,7 +911,7 @@ class DoubleType extends FloatingPointType {
  * long double ld;
  * ```
  */
-class LongDoubleType extends FloatingPointType {
+class LongDoubleType extends RealNumberType, BinaryFloatingPointType {
   LongDoubleType() { builtintypes(underlyingElement(this), _, 26, _, _, _) }
 
   override string getCanonicalQLClass() { result = "LongDoubleType" }
@@ -763,7 +923,7 @@ class LongDoubleType extends FloatingPointType {
  * __float128 f128;
  * ```
  */
-class Float128Type extends FloatingPointType {
+class Float128Type extends RealNumberType, BinaryFloatingPointType {
   Float128Type() { builtintypes(underlyingElement(this), _, 38, _, _, _) }
 
   override string getCanonicalQLClass() { result = "Float128Type" }
@@ -775,7 +935,7 @@ class Float128Type extends FloatingPointType {
  * _Decimal32 d32;
  * ```
  */
-class Decimal32Type extends FloatingPointType {
+class Decimal32Type extends RealNumberType, DecimalFloatingPointType {
   Decimal32Type() { builtintypes(underlyingElement(this), _, 40, _, _, _) }
 
   override string getCanonicalQLClass() { result = "Decimal32Type" }
@@ -787,7 +947,7 @@ class Decimal32Type extends FloatingPointType {
  * _Decimal64 d64;
  * ```
  */
-class Decimal64Type extends FloatingPointType {
+class Decimal64Type extends RealNumberType, DecimalFloatingPointType {
   Decimal64Type() { builtintypes(underlyingElement(this), _, 41, _, _, _) }
 
   override string getCanonicalQLClass() { result = "Decimal64Type" }
@@ -799,7 +959,7 @@ class Decimal64Type extends FloatingPointType {
  * _Decimal128 d128;
  * ```
  */
-class Decimal128Type extends FloatingPointType {
+class Decimal128Type extends RealNumberType, DecimalFloatingPointType {
   Decimal128Type() { builtintypes(underlyingElement(this), _, 42, _, _, _) }
 
   override string getCanonicalQLClass() { result = "Decimal128Type" }

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -186,7 +186,12 @@ private class ArrayContent extends Content, TArrayContent {
  * value of `node1`.
  */
 predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
-  none() // stub implementation
+  exists(FieldAddressInstruction fa, StoreInstruction store |
+    node1.asInstruction() = store and
+    store.getDestinationAddress() = fa and
+    node2.asInstruction().(ChiInstruction).getPartial() = store and
+    f.(FieldContent).getField() = fa.getField()
+  )
 }
 
 /**
@@ -195,7 +200,12 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
  * `node2`.
  */
 predicate readStep(Node node1, Content f, Node node2) {
-  none() // stub implementation
+  exists(FieldAddressInstruction fa, LoadInstruction load |
+    load.getSourceAddress() = fa and
+    node1.asInstruction() = load.getSourceValueOperand().getAnyDef() and
+    fa.getField() = f.(FieldContent).getField() and
+    load = node2.asInstruction()
+  )
 }
 
 /**