Merge branch 'main' into formatTaint

Author: erik-krogh

.github/workflows/swift-autobuilder.yml

@@ -0,0 +1,27 @@
+name: "Swift: Build and test Xcode autobuilder"
+
+on:
+  pull_request:
+    paths:
+      - "swift/xcode-autobuilder/**"
+      - "misc/bazel/**"
+      - "*.bazel*"
+      - .github/workflows/swift-autobuilder.yml
+    branches:
+      - main
+
+jobs:
+  autobuilder:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: bazelbuild/setup-bazelisk@v2
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
+      - name: Build the Xcode autobuilder
+        run: |
+          bazel build //swift/xcode-autobuilder
+      - name: Test the Xcode autobuilder
+        run: |
+          bazel test //swift/xcode-autobuilder/tests

.github/workflows/swift-codegen.yml

@@ -10,6 +10,9 @@ on:
       - .github/actions/fetch-codeql/action.yml
     branches:
       - main
+defaults:
+  run:
+    working-directory: swift
 
 jobs:
   codegen:
@@ -18,7 +21,9 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
       - uses: pre-commit/[email protected]
         name: Check that python code is properly formatted
         with:

.github/workflows/swift-integration-tests.yml

@@ -28,7 +28,9 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
       - name: Build Swift extractor
         run: |
           bazel run //swift:create-extractor-pack

.github/workflows/swift-qltest.yml

@@ -33,6 +33,9 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/actions/fetch-codeql
       - uses: bazelbuild/setup-bazelisk@v2
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
       - name: Build Swift extractor
         run: |
           bazel run //swift:create-extractor-pack

CODEOWNERS

@@ -20,9 +20,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 
 # CodeQL tools and associated docs
-/docs/codeql-cli/ @github/codeql-cli-reviewers
-/docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
-/docs/ql-language-reference/ @github/codeql-frontend-reviewers
+/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
+/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
+/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 
 # QL for QL reviewers

cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql

@@ -13,16 +13,32 @@
 
 import cpp
 
+pragma[noinline]
+predicate possiblyIncompleteFile(File f) {
+  exists(Diagnostic d | d.getFile() = f and d.getSeverity() >= 3)
+}
+
 predicate immediatelyReachableFunction(Function f) {
-  not f.isStatic() or
-  exists(BlockExpr be | be.getFunction() = f) or
-  f instanceof MemberFunction or
-  f instanceof TemplateFunction or
-  f.getFile() instanceof HeaderFile or
-  f.getAnAttribute().hasName("constructor") or
-  f.getAnAttribute().hasName("destructor") or
-  f.getAnAttribute().hasName("used") or
+  not f.isStatic()
+  or
+  exists(BlockExpr be | be.getFunction() = f)
+  or
+  f instanceof MemberFunction
+  or
+  f instanceof TemplateFunction
+  or
+  f.getFile() instanceof HeaderFile
+  or
+  f.getAnAttribute().hasName("constructor")
+  or
+  f.getAnAttribute().hasName("destructor")
+  or
+  f.getAnAttribute().hasName("used")
+  or
   f.getAnAttribute().hasName("unused")
+  or
+  // a compiler error in the same file suggests we may be missing data
+  possiblyIncompleteFile(f.getFile())
 }
 
 predicate immediatelyReachableVariable(Variable v) {

cpp/ql/src/change-notes/2022-09-21-unused-static-function.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives from the "Unused static function" (`cpp/unused-static-function`) query in files that had errors during compilation.

cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.c

@@ -0,0 +1,19 @@
+
+int main(int argc, char** argv) {
+  char *filePath = argv[2];
+
+  {
+    // BAD: the user-controlled string is injected
+    // directly into `wordexp` which performs command substitution
+
+    wordexp_t we;
+    wordexp(filePath, &we, 0);
+  }
+
+  {
+    // GOOD: command substitution is disabled
+
+    wordexp_t we;
+    wordexp(filePath, &we, WRDE_NOCMD);
+  }
+}

cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The code passes user input to <code>wordexp</code>. This leaves the code
+vulnerable to attack by command injection, because <code>wordexp</code> performs command substitution.
+Command substitution is a feature that replaces <code>$(command)</code> or <code>`command`</code> with the
+output of the given command, allowing the user to run arbitrary code on the system.
+</p>
+
+</overview>
+<recommendation>
+
+<p>When calling <code>wordexp</code>, pass the <code>WRDE_NOCMD</code> flag to prevent command substitution.</p>
+
+</recommendation>
+<example>
+<p>The following example passes a user-supplied file path to <code>wordexp</code> in two ways. The
+first way uses <code>wordexp</code> with no specified flags. As such, it is vulnerable to command
+injection.
+The second way uses <code>wordexp</code> with the <code>WRDE_NOCMD</code> flag. As such, no command substitution
+is performed, making this safe from command injection.</p>
+<sample src="WordexpTainted.c" />
+
+</example>
+<references>
+
+<li>CERT C Coding Standard:
+<a href="https://www.securecoding.cert.org/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems">STR02-C.
+Sanitize data passed to complex subsystems</a>.</li>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+
+
+<!--  LocalWords: CWE STR
+ -->
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql

@@ -0,0 +1,57 @@
+/**
+ * @name Uncontrolled data used in `wordexp` command
+ * @description Using user-supplied data in a `wordexp` command, without
+ *              disabling command substitution, can make code vulnerable
+ *              to command injection.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/wordexp-injection
+ * @tags security
+ *       external/cwe/cwe-078
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.security.FlowSources
+import DataFlow::PathGraph
+
+/**
+ * The `wordexp` function, which can perform command substitution.
+ */
+private class WordexpFunction extends Function {
+  WordexpFunction() { hasGlobalName("wordexp") }
+}
+
+/**
+ * Holds if `fc` disables command substitution by containing `WRDE_NOCMD` as a flag argument.
+ */
+private predicate isCommandSubstitutionDisabled(FunctionCall fc) {
+  fc.getArgument(2).getValue().toInt().bitAnd(4) = 4
+  /* 4 = WRDE_NOCMD. Check whether the flag is set.  */
+}
+
+/**
+ * A configuration to track user-supplied data to the `wordexp` function.
+ */
+class WordexpTaintConfiguration extends TaintTracking::Configuration {
+  WordexpTaintConfiguration() { this = "WordexpTaintConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall fc | fc.getTarget() instanceof WordexpFunction |
+      fc.getArgument(0) = sink.asExpr() and
+      not isCommandSubstitutionDisabled(fc)
+    )
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
+  }
+}
+
+from WordexpTaintConfiguration conf, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where conf.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection."