Merge branch 'main' into goSqlInjection

Author: smowton

.github/workflows/csharp-qltest.yml

@@ -67,7 +67,7 @@ jobs:
           mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
           # Safe guard against using the bundled extractor
           rm -rf "$CODEQL_PATH/csharp"
-          codeql test run --threads=0 --ram 52000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
   unit-tests:

.github/workflows/js-ml-tests.yml

@@ -47,7 +47,7 @@ jobs:
         run: |
           codeql query compile \
             --check-only \
-            --ram 52000 \
+            --ram 50000 \
             --additional-packs "${{ github.workspace }}" \
             --threads=0 \
             --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
@@ -58,7 +58,7 @@ jobs:
         run: |
           codeql test run \
             --threads=0 \
-            --ram 52000 \
+            --ram 50000 \
             --additional-packs "${{ github.workspace }}" \
             --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
             -- \

.github/workflows/ruby-qltest.yml

@@ -62,6 +62,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 52000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -520,7 +520,8 @@ module Private {
   predicate summaryParameterNodeRange(SummarizedCallable c, ParameterPosition pos) {
     parameterReadState(c, _, pos)
     or
-    isParameterPostUpdate(_, c, pos)
+    // Same as `isParameterPostUpdate(_, c, pos)`, but can be used in a negative context
+    any(SummaryNodeState state).isOutputState(c, SummaryComponentStack::argument(pos))
   }
 
   private predicate callbackOutput(

go.work

@@ -520,7 +520,8 @@ module Private {
   predicate summaryParameterNodeRange(SummarizedCallable c, ParameterPosition pos) {
     parameterReadState(c, _, pos)
     or
-    isParameterPostUpdate(_, c, pos)
+    // Same as `isParameterPostUpdate(_, c, pos)`, but can be used in a negative context
+    any(SummaryNodeState state).isOutputState(c, SummaryComponentStack::argument(pos))
   }
 
   private predicate callbackOutput(

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -520,7 +520,8 @@ module Private {
   predicate summaryParameterNodeRange(SummarizedCallable c, ParameterPosition pos) {
     parameterReadState(c, _, pos)
     or
-    isParameterPostUpdate(_, c, pos)
+    // Same as `isParameterPostUpdate(_, c, pos)`, but can be used in a negative context
+    any(SummaryNodeState state).isOutputState(c, SummaryComponentStack::argument(pos))
   }
 
   private predicate callbackOutput(

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -561,6 +561,9 @@ module API {
     /** Gets a node whose type has the given qualified name, not including types from models. */
     Node getANodeOfTypeRaw(string moduleName, string exportedName) {
       result = Impl::MkTypeUse(moduleName, exportedName).(Node).getInstance()
+      or
+      exportedName = "" and
+      result = getAModuleImportRaw(moduleName)
     }
   }
 

javascript/ql/lib/semmle/javascript/ApiGraphs.qll

@@ -24,7 +24,7 @@ private module MongoDB {
     override predicate row(string row) {
       // In Mongo version 2.x, a client and a database handle were the same concept, but in 3.x
       // they were separated. To handle everything with a single model, we treat them as the same here.
-      row = "mongodb;Db;mongodb;MongoClient;"
+      row = "mongodb.Db;mongodb.MongoClient;"
     }
   }
 
@@ -42,11 +42,11 @@ private module MongoDB {
   /** A call to a MongoDB query method. */
   private class QueryCall extends DatabaseAccess, API::CallNode {
     QueryCall() {
-      this = ModelOutput::getATypeNode("mongodb", "Collection").getAMember().getACall() and
+      this = ModelOutput::getATypeNode("mongodb.Collection").getAMember().getACall() and
       not this.getCalleeName() = ["toString", "valueOf", "getLogger"]
       or
       this =
-        ModelOutput::getATypeNode("mongodb", ["Db", "MongoClient"])
+        ModelOutput::getATypeNode(["mongodb.Db", "mongodb.MongoClient"])
             .getMember(["watch", "aggregate"])
             .getACall()
     }
@@ -63,7 +63,7 @@ private module MongoDB {
 
   private class Insertion extends DatabaseAccess, API::CallNode {
     Insertion() {
-      this = ModelOutput::getATypeNode("mongodb", "Collection").getAMember().getACall() and
+      this = ModelOutput::getATypeNode("mongodb.Collection").getAMember().getACall() and
       this.getCalleeName().matches("insert%")
     }
 
@@ -105,9 +105,7 @@ private module Mongoose {
   private class QueryCall extends DatabaseAccess, API::CallNode {
     QueryCall() {
       this =
-        ModelOutput::getATypeNode("mongoose", "Query")
-            .getMember(["exec", "then", "catch"])
-            .getACall()
+        ModelOutput::getATypeNode("mongoose.Query").getMember(["exec", "then", "catch"]).getACall()
     }
 
     override DataFlow::Node getAQueryArgument() { result = this.getReceiver() }
@@ -132,10 +130,10 @@ private module Mongoose {
   private class QueryWithCallback extends DatabaseAccess, API::CallNode {
     QueryWithCallback() {
       this =
-        ModelOutput::getATypeNode("mongoose", ["Document", "Model", "Query"])
+        ModelOutput::getATypeNode(["mongoose.Document", "mongoose.Model", "mongoose.Query"])
             .getAMember()
             .getACall() and
-      this.getReturn() = ModelOutput::getATypeNode("mongoose", "Query") and
+      this.getReturn() = ModelOutput::getATypeNode("mongoose.Query") and
       exists(this.getLastArgument().getABoundFunctionValue(_))
     }
 
@@ -152,7 +150,7 @@ private module Mongoose {
 
     QueryAwait() {
       astNode.getOperand().flow() =
-        ModelOutput::getATypeNode("mongoose", "Query").getAValueReachableFromSource()
+        ModelOutput::getATypeNode("mongoose.Query").getAValueReachableFromSource()
     }
 
     override DataFlow::Node getAQueryArgument() { result = astNode.getOperand().flow() }
@@ -162,7 +160,7 @@ private module Mongoose {
 
   class Insertion extends DatabaseAccess, API::CallNode {
     Insertion() {
-      this = ModelOutput::getATypeNode("mongoose", "Model").getAMember().getACall() and
+      this = ModelOutput::getATypeNode("mongoose.Model").getAMember().getACall() and
       this.getCalleeName().matches("insert%")
     }
 
@@ -180,9 +178,9 @@ private module MarsDB {
     override predicate row(string row) {
       row =
         [
-          "mongoose;Query;marsdb;;Member[Collection].Instance",
-          "mongoose;Model;marsdb;;Member[Collection].Instance",
-          "mongoose;Query;mongoose;Query;Member[sortFunc].ReturnValue",
+          "mongoose.Query;marsdb;Member[Collection].Instance",
+          "mongoose.Model;marsdb;Member[Collection].Instance",
+          "mongoose.Query;mongoose.Query;Member[sortFunc].ReturnValue",
         ]
     }
   }

javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll

@@ -357,21 +357,21 @@ private module Sequelize {
   // Note: the sinks are specified directly in the MaD model
   class SequelizeSource extends ModelInput::SourceModelCsv {
     override predicate row(string row) {
-      row = "sequelize;Sequelize;Member[query].ReturnValue.Awaited;database-access-result"
+      row = "sequelize.Sequelize;Member[query].ReturnValue.Awaited;database-access-result"
     }
   }
 }
 
 private module SpannerCsv {
   class SpannerSinks extends ModelInput::SinkModelCsv {
     override predicate row(string row) {
-      // package; type; path; kind
+      // type; path; kind
       row =
         [
-          "@google-cloud/spanner;~SqlExecutorDirect;Argument[0];sql-injection",
-          "@google-cloud/spanner;~SqlExecutorDirect;Argument[0].Member[sql];sql-injection",
-          "@google-cloud/spanner;Transaction;Member[batchUpdate].Argument[0];sql-injection",
-          "@google-cloud/spanner;Transaction;Member[batchUpdate].Argument[0].ArrayElement.Member[sql];sql-injection",
+          "@google-cloud/spanner.~SqlExecutorDirect;Argument[0];sql-injection",
+          "@google-cloud/spanner.~SqlExecutorDirect;Argument[0].Member[sql];sql-injection",
+          "@google-cloud/spanner.Transaction;Member[batchUpdate].Argument[0];sql-injection",
+          "@google-cloud/spanner.Transaction;Member[batchUpdate].Argument[0].ArrayElement.Member[sql];sql-injection",
         ]
     }
   }
@@ -380,10 +380,10 @@ private module SpannerCsv {
     override predicate row(string row) {
       row =
         [
-          "@google-cloud/spanner;~SpannerObject;Member[executeSql].Argument[0..].Parameter[1];database-access-result",
-          "@google-cloud/spanner;~SpannerObject;Member[executeSql].ReturnValue.Awaited.Member[0];database-access-result",
-          "@google-cloud/spanner;~SpannerObject;Member[run].ReturnValue.Awaited;database-access-result",
-          "@google-cloud/spanner;~SpannerObject;Member[run].Argument[0..].Parameter[1];database-access-result",
+          "@google-cloud/spanner.~SpannerObject;Member[executeSql].Argument[0..].Parameter[1];database-access-result",
+          "@google-cloud/spanner.~SpannerObject;Member[executeSql].ReturnValue.Awaited.Member[0];database-access-result",
+          "@google-cloud/spanner.~SpannerObject;Member[run].ReturnValue.Awaited;database-access-result",
+          "@google-cloud/spanner.~SpannerObject;Member[run].Argument[0..].Parameter[1];database-access-result",
         ]
     }
   }