Merge branch 'main' into sashabu/repeated-initializers

Author: jketema

cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll

@@ -78,18 +78,15 @@ import experimental.semmle.code.cpp.semantic.SemanticLocation
 /**
  * Holds if `typ` is a small integral type with the given lower and upper bounds.
  */
-private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) {
+private predicate typeBound(SemIntegerType typ, float lowerbound, float upperbound) {
   exists(int bitSize | bitSize = typ.getByteSize() * 8 |
-    bitSize < 32 and
-    (
-      if typ.isSigned()
-      then (
-        upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and
-        lowerbound = -upperbound - 1
-      ) else (
-        lowerbound = 0 and
-        upperbound = 1.bitShiftLeft(bitSize) - 1
-      )
+    if typ.isSigned()
+    then (
+      upperbound = 2.pow(bitSize - 1) - 1 and
+      lowerbound = -upperbound - 1
+    ) else (
+      lowerbound = 0 and
+      upperbound = 2.pow(bitSize) - 1
     )
   )
 }
@@ -286,10 +283,10 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
     }
 
     /** Gets the lower bound of the resulting type. */
-    int getLowerBound() { typeBound(getTrackedType(this), result, _) }
+    float getLowerBound() { typeBound(getTrackedType(this), result, _) }
 
     /** Gets the upper bound of the resulting type. */
-    int getUpperBound() { typeBound(getTrackedType(this), _, result) }
+    float getUpperBound() { typeBound(getTrackedType(this), _, result) }
   }
 
   private module SignAnalysisInstantiated = SignAnalysis<D, UtilParam>; // TODO: will this cause reevaluation if it's instantiated with the same DeltaSig and UtilParam multiple times?

cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql

@@ -48,11 +48,11 @@ predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
  * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
  * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
  */
-predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
-  interestingCallWithArgs(fc, sizeArg, destArg) and
+predicate case2(FunctionCall fc, Expr sizeArg, Expr destArg) {
+  interestingCallWithArgs(fc, pragma[only_bind_into](sizeArg), pragma[only_bind_into](destArg)) and
   exists(SubExpr sub, int n |
     // The destination buffer is an array of size n
-    destArg.getUnspecifiedType().(ArrayType).getSize() = n and
+    pragma[only_bind_out](destArg.getUnspecifiedType().(ArrayType).getSize()) = n and
     // The size argument is equivalent to a subtraction
     globalValueNumber(sizeArg).getAnExpr() = sub and
     // ... where the left side of the subtraction is the constant n

cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp

@@ -566,11 +566,11 @@ unsigned int test_ternary01(unsigned int x) {
   y1 = x < 100 ?
     (range(x), x) : // $ range=<=99
     (range(x), 10); // $ range=>=100
-  range(y1);
+  range(y1); // $ range=<=99
   y2 = x >= 100 ?
     (range(x), 10) : // $ range=>=100
     (range(x), x);  // $ range=<=99
-  range(y2);
+  range(y2); // $ range=<=99
   y3 = 0;
   y4 = 0;
   y5 = 0;
@@ -580,14 +580,14 @@ unsigned int test_ternary01(unsigned int x) {
   if (x < 300) {
     range(x); // $ range=<=299
     y3 = x ?:
-      (range(x), 5); // y3 < 300
-    range(y3);
+      (range(x), 5);
+    range(y3); // $ range=<=299
     y4 = x ?:
-      (range(x), 500); // y4 <= 500
-    range(y4);
+      (range(x), 500);
+    range(y4); // $ range=<=500
     y5 = (x+1) ?:
       (range(x), 500); // $ range===-1
-    range(y5); // y5 <= 300
+    range(y5); // $ range=<=500
     y6 = ((unsigned char)(x+1)) ?:
       (range(x), 5); // $ range=<=299
     range(y6); // y6 < 256
@@ -608,27 +608,27 @@ unsigned int test_ternary02(unsigned int x) {
   y1 = x > 100 ?
     (range(x), x) : // $ range=>=101
     (range(x), 110); // $ range=<=100
-  range(y1); // y1 > 100
+  range(y1); // $ range=>=101
   y2 = x <= 100 ?
     (range(x), 110) : // $ range=<=100
     (range(x), x); // $ range=>=101
-  range(y2); // y2 > 100
+  range(y2); // $ range=>=101
   y3 = 1000;
   y4 = 1000;
   y5 = 1000;
   if (x >= 300) {
     range(x); // $ range=>=300
     y3 = (x-300) ?:
       (range(x), 5); // $ range===300
-    range(y3); // y3 >= 0
+    range(y3); // $ range=>=0
     y4 = (x-200) ?:
       (range(x), 5); // $ range=<=200 range=>=300
-    range(y4); // y4 >= 100
+    range(y4); // $ SPURIOUS: range=>=5 MISSING: range=>=100
     y5 = ((unsigned char)(x-200)) ?:
       (range(x), 5); // $ range=>=300
     range(y5); // y6 >= 0
   }
-  range(y1 + y2 + y3 + y4 + y5); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
+  range(y1 + y2 + y3 + y4 + y5); // $ range=">=call to range+207" MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
   return y1 + y2 + y3 + y4 + y5;
 }
 
@@ -640,14 +640,14 @@ unsigned int test_comma01(unsigned int x) {
   unsigned int y1;
   unsigned int y2;
   y1 = (++y, y);
-  range(y1); // $ range="==... ? ... : ...+1"
+  range(y1); // $ range=<=101 range="==... ? ... : ...+1"
   y2 = (y++,
-        range(y), // $ range="==++ ...:... = ...+1" range="==... ? ... : ...+2"
+        range(y), // $ range=<=102 range="==++ ...:... = ...+1" range="==... ? ... : ...+2"
         y += 3,
-        range(y), // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
+        range(y), // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
         y);
-  range(y2); // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
-  range(y1 + y2); // $ MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
+  range(y2); // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
+  range(y1 + y2); // $ range=<=206 range="<=... ? ... : ...+106" MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
   return y1 + y2;
 }
 
@@ -683,27 +683,27 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=23 range=>=5
     int r = a*b;  // 15 .. 253
-    range(r);
+    range(r); // $ range=>=15 range=<=253
     total += r;
-    range(total); // $ MISSING: range=>=1
+    range(total); // $ range=>=15 range=<=253
   }
   if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=23 range=>=0
     int r = a*b;  // 0 .. 253
-    range(r);
+    range(r); // $ range=>=0 range=<=253
     total += r;
-    range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
+    range(total); // $ range=>=0 range=<=506 range=">=(unsigned int)...+0" range="<=(unsigned int)...+253"
   }
   if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
     range(a); // $ range=<=11 range=>=3
     range(b); // $ range=<=23 range=>=13
     int r = a*b;  // 39 .. 253
-    range(r);
+    range(r); // $ range=>=39 range=<=253
     total += r;
-    range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1
+    range(total); // $ range=>=39 range=<=759 range=">=(unsigned int)...+39" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
   }
-  range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
+  range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
   return total;
 }
 
@@ -713,25 +713,25 @@ int test_unsigned_mult02(unsigned b) {
   if (5 <= b && b <= 23) {
     range(b); // $ range=<=23 range=>=5
     int r = 11*b;  // 55 .. 253
-    range(r);
+    range(r); // $ range=>=55 range=<=253
     total += r;
-    range(total); // $ MISSING: range=>=1
+    range(total); // $ range=>=55 range=<=253
   }
   if (0 <= b && b <= 23) {
     range(b); // $ range=<=23 range=>=0
     int r = 11*b;  // 0 .. 253
-    range(r);
+    range(r); // $ range=>=0 range=<=253
     total += r;
-    range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
+    range(total); // $ range=>=0 range=<=506 range=">=(unsigned int)...+0" range="<=(unsigned int)...+253"
   }
   if (13 <= b && b <= 23) {
     range(b); // $ range=<=23 range=>=13
     int r = 11*b;  // 143 .. 253
-    range(r);
+    range(r); // $ range=>=143 range=<=253
     total += r;
-    range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1
+    range(total); // $ range=>=143 range=<=759 range=">=(unsigned int)...+143" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
   }
-  range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0
+  range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
   return total;
 }
 

javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.qhelp

@@ -37,7 +37,7 @@
 		the hash of a password.
 	</p>
 
-	<sample src="examples/InsufficientPasswordHash.js"/>
+	<sample src="examples/InsufficientPasswordHash_NodeJS.js"/>
 
 	<p>
 		This is not secure, since the password can be efficiently
@@ -46,7 +46,7 @@
 		algorithm:
 	</p>
 
-	<sample src="examples/InsufficientPasswordHash_fixed.js"/>
+	<sample src="examples/InsufficientPasswordHash_NodeJS_fixed.js"/>
 </example>
 
 <references>

ql/ql/src/codeql_ql/ast/Ast.qll

@@ -972,7 +972,7 @@ class Class extends TClass, TypeDeclaration, ModuleDeclaration {
   }
 
   /** Gets the class type defined by this class declaration. */
-  Type getType() { result.getDeclaration() = this }
+  ClassType getType() { result.getDeclaration() = this }
 
   override AstNode getAChild(string pred) {
     result = super.getAChild(pred)

ql/ql/test/type/type.expected

@@ -1,6 +1,4 @@
 | Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings |
-| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings.Strings |
-| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings.extends |
 | Test.qll:4:22:4:76 | Set | file://:0:0:0:0 | string |
 | Test.qll:4:23:4:24 | String | file://:0:0:0:0 | string |
 | Test.qll:4:27:4:29 | String | file://:0:0:0:0 | string |
@@ -13,8 +11,6 @@
 | Test.qll:4:66:4:69 | String | file://:0:0:0:0 | string |
 | Test.qll:4:72:4:75 | String | file://:0:0:0:0 | string |
 | Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats |
-| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats.Floats |
-| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats.extends |
 | Test.qll:8:21:8:70 | Set | file://:0:0:0:0 | float |
 | Test.qll:8:22:8:24 | Float | file://:0:0:0:0 | float |
 | Test.qll:8:27:8:29 | Float | file://:0:0:0:0 | float |
@@ -35,14 +31,10 @@
 | Test.qll:13:45:13:49 | AddExpr | file://:0:0:0:0 | float |
 | Test.qll:13:49:13:49 | b | Test.qll:7:7:7:12 | Floats |
 | Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base |
-| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base.Base |
-| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base.extends |
 | Test.qll:16:19:16:23 | String | file://:0:0:0:0 | string |
 | Test.qll:18:15:18:20 | result | file://:0:0:0:0 | int |
 | Test.qll:18:24:18:24 | Integer | file://:0:0:0:0 | int |
 | Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub |
-| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub.Sub |
-| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub.extends |
 | Test.qll:22:18:22:22 | String | file://:0:0:0:0 | string |
 | Test.qll:24:15:24:20 | result | file://:0:0:0:0 | int |
 | Test.qll:24:24:24:33 | Super | Test.qll:15:7:15:10 | Base |

swift/ql/src/diagnostics/SuccessfullyExtractedLines.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Successfully extracted lines
+ * @description Count all lines in source code in which something was extracted. Entities spanning multiple lines like multi-line strings or comments only contribute one line to this count.
+ * @kind metric
+ * @id swift/diagnostics/successfully-extracted-lines
+ * @tags summary
+ */
+
+import swift
+
+select count(File f, int line |
+    exists(Location loc |
+      not loc instanceof UnknownLocation and loc.getFile() = f and loc.getStartLine() = line
+    )
+  )

swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.expected

@@ -0,0 +1 @@
+| 4 |

swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref

@@ -0,0 +1 @@
+diagnostics/SuccessfullyExtractedLines.ql

swift/ql/test/query-tests/Diagnostics/ignored.swift

@@ -0,0 +1,3 @@
+//codeql-extractor-env: CODEQL_EXTRACTOR_SWIFT_RUN_UNDER=true
+
+func not_compiled() {}