Merge remote-tracking branch 'origin/main' into python/support-grouped-exceptions

Author: yoff

cpp/ql/lib/change-notes/2022-12-19-argv-as-parameter-flowsource.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -92,7 +92,7 @@ private class ArgvSource extends LocalFlowSource {
     exists(Function main, Parameter argv |
       main.hasGlobalName("main") and
       main.getParameter(1) = argv and
-      this.asExpr() = argv.getAnAccess()
+      this.asParameter() = argv
     )
   }
 

cpp/ql/src/AlertSuppression.ql

@@ -5,78 +5,35 @@
  * @id cpp/alert-suppression
  */
 
-import cpp
-
-/**
- * An alert suppression comment.
- */
-class SuppressionComment extends Comment {
-  string annotation;
-  string text;
-
-  SuppressionComment() {
-    (
-      this instanceof CppStyleComment and
-      // strip the beginning slashes
-      text = this.getContents().suffix(2)
-      or
-      this instanceof CStyleComment and
-      // strip both the beginning /* and the end */ the comment
-      exists(string text0 |
-        text0 = this.getContents().suffix(2) and
-        text = text0.prefix(text0.length() - 2)
-      ) and
-      // The /* */ comment must be a single-line comment
-      not text.matches("%\n%")
+private import codeql.suppression.AlertSuppression as AS
+private import semmle.code.cpp.Element
+
+class SingleLineComment extends Comment {
+  private string text;
+
+  SingleLineComment() {
+    this instanceof CppStyleComment and
+    // strip the beginning slashes
+    text = this.getContents().suffix(2)
+    or
+    this instanceof CStyleComment and
+    // strip both the beginning /* and the end */ the comment
+    exists(string text0 |
+      text0 = this.getContents().suffix(2) and
+      text = text0.prefix(text0.length() - 2)
     ) and
-    (
-      // match `lgtm[...]` anywhere in the comment
-      annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
-      or
-      // match `lgtm` at the start of the comment and after semicolon
-      annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _).trim()
-    )
+    // The /* */ comment must be a single-line comment
+    not text.matches("%\n%")
   }
 
-  /** Gets the text in this comment, excluding the leading //. */
-  string getText() { result = text }
-
-  /** Gets the suppression annotation in this comment. */
-  string getAnnotation() { result = annotation }
-
-  /**
-   * Holds if this comment applies to the range from column `startcolumn` of line `startline`
-   * to column `endcolumn` of line `endline` in file `filepath`.
-   */
-  predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
-    this.getLocation().hasLocationInfo(filepath, startline, _, endline, endcolumn) and
-    startcolumn = 1
-  }
-
-  /** Gets the scope of this suppression. */
-  SuppressionScope getScope() { result = this }
-}
-
-/**
- * The scope of an alert suppression comment.
- */
-class SuppressionScope extends ElementBase instanceof SuppressionComment {
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    super.covers(filepath, startline, startcolumn, endline, endcolumn)
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
+
+  /** Gets the text in this comment, excluding the leading //. */
+  string getText() { result = text }
 }
 
-from SuppressionComment c
-select c, // suppression comment
-  c.getText(), // text of suppression comment (excluding delimiters)
-  c.getAnnotation(), // text of suppression annotation
-  c.getScope() // scope of suppression
+import AS::Make<SingleLineComment>

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -91,8 +91,6 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }
-
   override predicate isSanitizer(DataFlow::Node node) {
     node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
     or

cpp/ql/src/qlpack.yml

@@ -6,6 +6,7 @@ groups:
 dependencies:
     codeql/cpp-all: ${workspace}
     codeql/suite-helpers: ${workspace}
+    codeql/util: ${workspace}
 suites: codeql-suites
 extractor: cpp
 defaultSuiteFile: codeql-suites/cpp-code-scanning.qls

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected

@@ -1,11 +1,11 @@
 edges
-| test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | (const char *)... |
-| test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | filePath |
+| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | (const char *)... |
+| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath |
 nodes
-| test.cpp:23:20:23:23 | argv | semmle.label | argv |
+| test.cpp:22:27:22:30 | argv | semmle.label | argv |
 | test.cpp:29:13:29:20 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
 subpaths
 #select
-| test.cpp:29:13:29:20 | (const char *)... | test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | (const char *)... | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
-| test.cpp:29:13:29:20 | filePath | test.cpp:23:20:23:23 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
+| test.cpp:29:13:29:20 | (const char *)... | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | (const char *)... | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
+| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |