Merge branch 'main' into criemen/js-bazel

Author: criemen

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -157,7 +157,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(3) and
+    output.isParameterDeref(3, 2) and
     description = "address returned by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
+    input.isParameterDeref(1, 1) and description = "buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll

@@ -8,7 +8,7 @@ import semmle.code.cpp.Parameter
 
 private newtype TFunctionInput =
   TInParameter(ParameterIndex i) or
-  TInParameterDeref(ParameterIndex i) or
+  TInParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
   TInQualifierObject() or
   TInQualifierAddress() or
   TInReturnValueDeref()
@@ -245,15 +245,18 @@ class InParameter extends FunctionInput, TInParameter {
  */
 class InParameterDeref extends FunctionInput, TInParameterDeref {
   ParameterIndex index;
+  int indirectionIndex;
 
-  InParameterDeref() { this = TInParameterDeref(index) }
+  InParameterDeref() { this = TInParameterDeref(index, indirectionIndex) }
 
   override string toString() { result = "InParameterDeref " + index.toString() }
 
   /** Gets the zero-based index of the parameter. */
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i) { i = index }
+  override predicate isParameterDeref(ParameterIndex i, int indirection) {
+    i = index and indirectionIndex = indirection
+  }
 }
 
 /**
@@ -321,10 +324,10 @@ class InReturnValueDeref extends FunctionInput, TInReturnValueDeref {
 }
 
 private newtype TFunctionOutput =
-  TOutParameterDeref(ParameterIndex i) or
+  TOutParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
   TOutQualifierObject() or
   TOutReturnValue() or
-  TOutReturnValueDeref()
+  TOutReturnValueDeref(int indirections) { indirections = [1, 2] }
 
 /**
  * An output from a function. This can be:
@@ -498,17 +501,16 @@ class FunctionOutput extends TFunctionOutput {
  */
 class OutParameterDeref extends FunctionOutput, TOutParameterDeref {
   ParameterIndex index;
+  int indirectionIndex;
 
-  OutParameterDeref() { this = TOutParameterDeref(index) }
+  OutParameterDeref() { this = TOutParameterDeref(index, indirectionIndex) }
 
   override string toString() { result = "OutParameterDeref " + index.toString() }
 
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i) { i = index }
-
   override predicate isParameterDeref(ParameterIndex i, int ind) {
-    this.isParameterDeref(i) and ind = 1
+    i = index and ind = indirectionIndex
   }
 }
 
@@ -572,4 +574,8 @@ class OutReturnValueDeref extends FunctionOutput, TOutReturnValueDeref {
   override string toString() { result = "OutReturnValueDeref" }
 
   override predicate isReturnValueDeref() { any() }
+
+  override predicate isReturnValueDeref(int indirectionIndex) {
+    this = TOutReturnValueDeref(indirectionIndex)
+  }
 }

cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected

@@ -1,2 +1,2 @@
-failures
 testFailures
+failures

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -6646,6 +6646,17 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:738:17:738:31 | call to indirect_source | taint.cpp:739:30:739:35 | source |  |
 | taint.cpp:739:22:739:28 | call to realloc | taint.cpp:740:7:740:10 | dest |  |
 | taint.cpp:739:30:739:35 | source | taint.cpp:739:22:739:28 | call to realloc | TAINT |
+| taint.cpp:743:40:743:45 | buffer | taint.cpp:744:5:744:10 | buffer |  |
+| taint.cpp:743:40:743:45 | buffer | taint.cpp:745:27:745:32 | buffer |  |
+| taint.cpp:744:4:744:10 | * ... | taint.cpp:744:3:744:10 | * ... | TAINT |
+| taint.cpp:744:5:744:10 | buffer | taint.cpp:744:4:744:10 | * ... | TAINT |
+| taint.cpp:744:14:744:19 | call to source | taint.cpp:744:3:744:21 | ... = ... |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:743:40:743:45 | buffer |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:37 | ... = ... |  |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:746:10:746:15 | buffer |  |
+| taint.cpp:745:27:745:32 | buffer | taint.cpp:745:19:745:25 | call to realloc | TAINT |
+| taint.cpp:746:9:746:15 | * ... | taint.cpp:746:8:746:15 | * ... | TAINT |
+| taint.cpp:746:10:746:15 | buffer | taint.cpp:746:9:746:15 | * ... | TAINT |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -738,4 +738,10 @@ void test_realloc() {
 	char *source = indirect_source();
 	char *dest = (char*)realloc(source, 16);
 	sink(dest); // $ ir MISSING: ast
+}
+
+void test_realloc_2_indirections(int **buffer) {
+  **buffer = source();
+  buffer = (int**)realloc(buffer, 16);
+  sink(**buffer); // $ ir MISSING: ast
 }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/AssemblyCache.cs

@@ -27,12 +27,18 @@ public AssemblyCache(IEnumerable<string> paths, ProgressMonitor progressMonitor)
                 if (File.Exists(path))
                 {
                     pendingDllsToIndex.Enqueue(path);
+                    continue;
                 }
-                else
+
+                if (Directory.Exists(path))
                 {
                     progressMonitor.FindingFiles(path);
                     AddReferenceDirectory(path);
                 }
+                else
+                {
+                    progressMonitor.LogInfo("AssemblyCache: Path not found: " + path);
+                }
             }
             IndexReferences();
         }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Assets.cs

@@ -0,0 +1,164 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using Newtonsoft.Json.Linq;
+using Semmle.Util;
+
+namespace Semmle.Extraction.CSharp.DependencyFetching
+{
+    /// <summary>
+    /// Class for parsing project.assets.json files.
+    /// </summary>
+    internal class Assets
+    {
+        private readonly ProgressMonitor progressMonitor;
+
+        private static readonly string[] netFrameworks = new[] {
+            "microsoft.aspnetcore.app.ref",
+            "microsoft.netcore.app.ref",
+            "microsoft.netframework.referenceassemblies",
+            "microsoft.windowsdesktop.app.ref",
+            "netstandard.library.ref"
+        };
+
+        internal Assets(ProgressMonitor progressMonitor)
+        {
+            this.progressMonitor = progressMonitor;
+        }
+
+        /// <summary>
+        /// Class needed for deserializing parts of an assets file.
+        /// It holds information about a reference.
+        ///
+        /// Type carries the type of the reference.
+        /// We are only interested in package references.
+        ///
+        /// Compile holds information about the files needed for compilation.
+        /// However, if it is a .NET framework reference we assume that all files in the
+        /// package are needed for compilation.
+        /// </summary>
+        private record class ReferenceInfo(string? Type, Dictionary<string, object>? Compile);
+
+        /// <summary>
+        /// Add the package dependencies from the assets file to dependencies.
+        /// 
+        /// Parse a part of the JSon assets file and add the paths
+        /// to the dependencies required for compilation (and collect
+        /// information about used packages).
+        ///
+        /// Example:
+        /// {
+        ///   "Castle.Core/4.4.1": {
+        ///     "type": "package",
+        ///     "compile": {
+        ///       "lib/netstandard1.5/Castle.Core.dll": {
+        ///         "related": ".xml"
+        ///        }
+        ///     }
+        ///   },
+        ///   "Json.Net/1.0.33": {
+        ///     "type": "package",
+        ///     "compile": {
+        ///       "lib/netstandard2.0/Json.Net.dll": {}
+        ///     },
+        ///     "runtime": {
+        ///       "lib/netstandard2.0/Json.Net.dll": {}
+        ///     }
+        ///   }
+        /// }
+        /// 
+        /// Returns dependencies
+        ///   RequiredPaths = {
+        ///     "castle.core/4.4.1/lib/netstandard1.5/Castle.Core.dll",
+        ///     "json.net/1.0.33/lib/netstandard2.0/Json.Net.dll"
+        ///   }
+        ///   UsedPackages = {
+        ///     "castle.core",
+        ///     "json.net"
+        ///   }
+        /// </summary>
+        private DependencyContainer AddPackageDependencies(JObject json, DependencyContainer dependencies)
+        {
+            // If there are more than one framework we need to pick just one.
+            // To ensure stability we pick one based on the lexicographic order of
+            // the framework names.
+            var references = json
+                .GetProperty("targets")?
+                .Properties()?
+                .MaxBy(p => p.Name)?
+                .Value
+                .ToObject<Dictionary<string, ReferenceInfo>>();
+
+            if (references is null)
+            {
+                progressMonitor.LogDebug("No references found in the targets section in the assets file.");
+                return dependencies;
+            }
+
+            // Find all the compile dependencies for each reference and
+            // create the relative path to the dependency.
+            references
+                .ForEach(r =>
+                {
+                    var info = r.Value;
+                    var name = r.Key.ToLowerInvariant();
+                    if (info.Type != "package")
+                    {
+                        return;
+                    }
+
+                    // If this is a .NET framework reference then include everything.
+                    if (netFrameworks.Any(framework => name.StartsWith(framework)))
+                    {
+                        dependencies.Add(name);
+                    }
+                    else
+                    {
+                        info.Compile?
+                            .ForEach(r => dependencies.Add(name, r.Key));
+                    }
+                });
+
+            return dependencies;
+        }
+
+        /// <summary>
+        /// Parse `json` as project.assets.json content and add relative paths to the dependencies
+        /// (together with used package information) required for compilation.
+        /// </summary>
+        /// <returns>True if parsing succeeds, otherwise false.</returns>
+        public bool TryParse(string json, DependencyContainer dependencies)
+        {
+            try
+            {
+                var obj = JObject.Parse(json);
+                AddPackageDependencies(obj, dependencies);
+                return true;
+            }
+            catch (Exception e)
+            {
+                progressMonitor.LogDebug($"Failed to parse assets file (unexpected error): {e.Message}");
+                return false;
+            }
+        }
+
+        public static DependencyContainer GetCompilationDependencies(ProgressMonitor progressMonitor, IEnumerable<string> assets)
+        {
+            var parser = new Assets(progressMonitor);
+            var dependencies = new DependencyContainer();
+            assets.ForEach(asset =>
+            {
+                var json = File.ReadAllText(asset);
+                parser.TryParse(json, dependencies);
+            });
+            return dependencies;
+        }
+    }
+
+    internal static class JsonExtensions
+    {
+        internal static JObject? GetProperty(this JObject json, string property) =>
+            json[property] as JObject;
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyContainer.cs

@@ -0,0 +1,69 @@
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+
+namespace Semmle.Extraction.CSharp.DependencyFetching
+{
+    /// <summary>
+    /// Container class for dependencies found in the assets file.
+    /// </summary>
+    internal class DependencyContainer
+    {
+        private readonly List<string> requiredPaths = new();
+        private readonly HashSet<string> usedPackages = new();
+
+        /// <summary>
+        /// In most cases paths in asset files point to dll's or the empty _._ file, which
+        /// is sometimes there to avoid the directory being empty.
+        /// That is, if the path specifically adds a .dll we use that, otherwise we as a fallback
+        /// add the entire directory (which should be fine in case of _._ as well).
+        /// </summary>
+        private static string ParseFilePath(string path)
+        {
+            if (path.EndsWith(".dll"))
+            {
+                return path;
+            }
+            return Path.GetDirectoryName(path) ?? path;
+        }
+
+        private static string GetPackageName(string package) =>
+            package
+                .Split(Path.DirectorySeparatorChar)
+                .First();
+
+        /// <summary>
+        /// Paths to dependencies required for compilation.
+        /// </summary>
+        public IEnumerable<string> RequiredPaths => requiredPaths;
+
+        /// <summary>
+        /// Packages that are used as a part of the required dependencies.
+        /// </summary>
+        public HashSet<string> UsedPackages => usedPackages;
+
+        /// <summary>
+        /// Add a dependency inside a package.
+        /// </summary>
+        public void Add(string package, string dependency)
+        {
+            var p = package.Replace('/', Path.DirectorySeparatorChar);
+            var d = dependency.Replace('/', Path.DirectorySeparatorChar);
+
+            var path = Path.Combine(p, ParseFilePath(d));
+            requiredPaths.Add(path);
+            usedPackages.Add(GetPackageName(p));
+        }
+
+        /// <summary>
+        /// Add a dependency to an entire package
+        /// </summary>
+        public void Add(string package)
+        {
+            var p = package.Replace('/', Path.DirectorySeparatorChar);
+
+            requiredPaths.Add(p);
+            usedPackages.Add(GetPackageName(p));
+        }
+    }
+}