Merge branch 'main' into rust-core-std-models

Author: paldepind

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2006-2020 GitHub, Inc.
+Copyright (c) 2006-2025 GitHub, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

actions/extractor/BUILD.bazel

@@ -4,6 +4,7 @@ codeql_pkg_files(
     name = "extractor",
     srcs = [
         "codeql-extractor.yml",
+        "//:LICENSE",
     ] + glob(["tools/**"]),
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//actions:__pkg__"],

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -49,11 +49,17 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
     call.getTarget() = op and
     op.hasQualifiedName("std", "operator+") and
     op.getType().(UserType).hasQualifiedName("std", "basic_string") and
-    incoming.asIndirectArgument() = call.getArgument(1) and // left operand
+    incoming.asIndirectArgument() = call.getArgument(1) and // right operand
     call = outgoing.asInstruction().getUnconvertedResultExpression()
   )
 }
 
+/**
+ * A state will represent the most recent concatenation that occurred in the data flow.
+ *  - `TConcatState` if the concetenation has not yet occurred.
+ *  - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
+ *    into result `outgoing`.
+ */
 newtype TState =
   TConcatState() or
   TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -74,7 +80,9 @@ class ExecState extends TExecState {
 
   DataFlow::Node getOutgoingNode() { result = outgoing }
 
-  /** Holds if this is a possible `ExecState` for `sink`. */
+  /**
+   * Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
+   */
   predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
 
   string toString() { result = "ExecState" }
@@ -110,6 +118,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
 
 module ExecState = TaintTracking::Global<ExecStateConfig>;
 
+/**
+ * A full `TaintTracking` configuration from source to concatenation to sink, using a flow
+ * state to remember the concatenation. It's important that we track flow to the sink even though
+ * as soon as we reach the concatenation we know it will get there (due to the check of
+ * `isFeasibleForSink`), because this way we get a complete flow path.
+ */
 module ExecTaintConfig implements DataFlow::StateConfigSig {
   class FlowState = TState;
 

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -14,7 +14,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
 
 int main(int argc, char** argv) {
   char *userName = argv[2];
-  
+
   {
     // BAD: a string from the user is injected directly into
     // a command.
@@ -23,10 +23,10 @@ int main(int argc, char** argv) {
     system(command1);
   }
 
-  {  
+  {
     // GOOD: the user string is encoded by a library routine.
     char userNameQuoted[1000] = {0};
-    encodeShellString(userNameQuoted, 1000, userName); 
+    encodeShellString(userNameQuoted, 1000, userName);
     char command2[1000] = {0};
     sprintf(command2, "userinfo -v %s", userNameQuoted);
     system(command2);
@@ -36,16 +36,16 @@ int main(int argc, char** argv) {
 void test2(char* arg2) {
   // GOOD?: the user string is the *first* part of the command, like $CC in many environments
   char *envCC = getenv("CC");
-  
+
   char command[1000];
-  sprintf("%s %s", envCC, arg2);
+  sprintf(command, "%s %s", envCC, arg2);
   system(command);
 }
 
 void test3(char* arg1) {
   // GOOD?: the user string is a `$CFLAGS` environment variable
   char *envCflags = getenv("CFLAGS");
-  
+
   char command[1000];
   sprintf(command, "%s %s", arg1, envCflags);
   system(command);
@@ -54,6 +54,7 @@ void test3(char* arg1) {
 typedef unsigned long size_t;
 typedef void FILE;
 size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
+char *strncpy(char *s1, const char *s2, size_t n);
 char *strncat(char *s1, const char *s2, size_t n);
 
 void test4(FILE *f) {
@@ -160,7 +161,7 @@ void test15(FILE *f) {
   fread(temp, 1, 10, f);
 
   int x = atoi(temp);
-  
+
   char temp2[10];
   sprintf(temp2, "%d", x);
     sprintf(command, "tail -n %s foo.log", temp2);
@@ -222,4 +223,42 @@ void test19(FILE *f) {
   execl("/bin/sh", "sh", "-c", command);
 }
 
+void test20() {
+  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
+  char buffer[1024 * 4];
+
+  strncpy(buffer, getenv("var_a"), 1024);
+  strncat(buffer, getenv("var_b"), 1024);
+  strncat(buffer, getenv("var_c"), 1024);
+  strncat(buffer, " ", 1024);
+  system(buffer);
+}
+
+void test21() {
+  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
+  char buffer1[1024];
+  char buffer2[1024];
+
+  sprintf(buffer1, "%s %s",
+    getenv("var_a"),
+    getenv("var_b"));
+  sprintf(buffer2, "%s %s %s",
+    " ",
+    buffer1,
+    getenv("var_c"));
+  system(buffer2);
+}
+
+void test22() {
+  // BAD: the user strings `var_a` are injected directly into a command
+  char buffer[1024 * 11];
+  int i;
+
+  strncpy(buffer, "command ", 1024);
+  for (i = 0; i < 10; i++) {
+    strncat(buffer, getenv("var_a"), 1024);
+  }
+  system(buffer);
+}
+
 // open question: do we want to report certain sources even when they're the start of the string?

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp

@@ -68,7 +68,6 @@
 
 ### Minor Analysis Improvements
 
-* .NET 9 is now required to build the C# extractor.
 * The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.
 
 ## 3.1.0

csharp/ql/lib/CHANGELOG.md

@@ -2,5 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* .NET 9 is now required to build the C# extractor.
 * The Models as Data models for .NET 8 Runtime now include generated models for higher order methods.

csharp/ql/lib/change-notes/released/3.1.1.md

@@ -734,15 +734,15 @@ private predicate variableReadPseudo(ControlFlow::BasicBlock bb, int i, Ssa::Sou
 }
 
 pragma[noinline]
-private predicate adjacentDefRead(
+deprecated private predicate adjacentDefRead(
   Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2,
   SsaInput::SourceVariable v
 ) {
   Impl::adjacentDefRead(def, bb1, i1, bb2, i2) and
   v = def.getSourceVariable()
 }
 
-private predicate adjacentDefReachesRead(
+deprecated private predicate adjacentDefReachesRead(
   Definition def, SsaInput::SourceVariable v, SsaInput::BasicBlock bb1, int i1,
   SsaInput::BasicBlock bb2, int i2
 ) {
@@ -760,18 +760,7 @@ private predicate adjacentDefReachesRead(
   )
 }
 
-/** Same as `adjacentDefRead`, but skips uncertain reads. */
-pragma[nomagic]
-private predicate adjacentDefSkipUncertainReads(
-  Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
-) {
-  exists(SsaInput::SourceVariable v |
-    adjacentDefReachesRead(def, v, bb1, i1, bb2, i2) and
-    SsaInput::variableRead(bb2, i2, v, true)
-  )
-}
-
-private predicate adjacentDefReachesUncertainRead(
+deprecated private predicate adjacentDefReachesUncertainRead(
   Definition def, SsaInput::BasicBlock bb1, int i1, SsaInput::BasicBlock bb2, int i2
 ) {
   exists(SsaInput::SourceVariable v |
@@ -933,10 +922,8 @@ private module Cached {
    */
   cached
   predicate firstReadSameVar(Definition def, ControlFlow::Node cfn) {
-    exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
-      def.definesAt(_, bb1, i1) and
-      adjacentDefSkipUncertainReads(def, bb1, i1, bb2, i2) and
-      cfn = bb2.getNode(i2)
+    exists(ControlFlow::BasicBlock bb, int i |
+      Impl::firstUse(def, bb, i, true) and cfn = bb.getNode(i)
     )
   }
 
@@ -947,25 +934,17 @@ private module Cached {
    */
   cached
   predicate adjacentReadPairSameVar(Definition def, ControlFlow::Node cfn1, ControlFlow::Node cfn2) {
-    exists(ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2 |
+    exists(
+      ControlFlow::BasicBlock bb1, int i1, ControlFlow::BasicBlock bb2, int i2,
+      Ssa::SourceVariable v
+    |
+      Impl::ssaDefReachesRead(v, def, bb1, i1) and
+      Impl::adjacentUseUse(bb1, i1, bb2, i2, v, true) and
       cfn1 = bb1.getNode(i1) and
-      variableReadActual(bb1, i1, _) and
-      adjacentDefSkipUncertainReads(def, bb1, i1, bb2, i2) and
       cfn2 = bb2.getNode(i2)
     )
   }
 
-  cached
-  predicate lastRefBeforeRedef(Definition def, ControlFlow::BasicBlock bb, int i, Definition next) {
-    Impl::lastRefRedef(def, bb, i, next) and
-    not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
-    or
-    exists(SsaInput::BasicBlock bb0, int i0 |
-      Impl::lastRefRedef(def, bb0, i0, next) and
-      adjacentDefReachesUncertainRead(def, bb, i, bb0, i0)
-    )
-  }
-
   cached
   Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
     Impl::uncertainWriteDefinitionInput(def, result)

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -1190,11 +1190,11 @@
 | cflow.cs:181:28:181:37 | enter (...) => ... | cflow.cs:181:28:181:37 | exit (...) => ... | 6 |
 | cflow.cs:182:28:182:61 | enter delegate(...) { ... } | cflow.cs:182:28:182:61 | exit delegate(...) { ... } | 8 |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:18 | ... == ... | 6 |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | 1 |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | 1 |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:28 | ... \|\| ... | 1 |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... | 1 |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:23:187:28 | ... == ... | 3 |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:39 | ... == ... | 3 |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:34:187:49 | [false] ... && ... | 1 |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:34:187:49 | ... && ... | 1 |
 | cflow.cs:190:13:190:52 | ...; | cflow.cs:185:10:185:18 | exit LogicalOr | 5 |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:195:17:195:32 | ... > ... | 8 |
 | cflow.cs:193:10:193:17 | exit Booleans | cflow.cs:193:10:193:17 | exit Booleans | 1 |

csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected

@@ -2303,27 +2303,27 @@ conditionBlock
 | cflow.cs:167:16:167:16 | access to local variable x | cflow.cs:174:9:176:9 | {...} | false |
 | cflow.cs:173:32:173:32 | access to local variable i | cflow.cs:146:10:146:12 | exit For (normal) | false |
 | cflow.cs:173:32:173:32 | access to local variable i | cflow.cs:174:9:176:9 | {...} | true |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:28 | ... \|\| ... | false |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:23:187:23 | 2 | false |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | [false] ... && ... | false |
+| cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:187:34:187:49 | ... && ... | false |
 | cflow.cs:185:10:185:18 | enter LogicalOr | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:49 | ... && ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:28 | ... \|\| ... | false |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | [false] ... && ... | false |
+| cflow.cs:187:23:187:23 | 2 | cflow.cs:187:34:187:49 | ... && ... | false |
 | cflow.cs:187:23:187:23 | 2 | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
-| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | [false] ... && ... | false |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:13:187:50 | ... \|\| ... | false |
+| cflow.cs:187:34:187:34 | 1 | cflow.cs:187:34:187:49 | ... && ... | false |
 | cflow.cs:187:34:187:34 | 1 | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:190:13:190:52 | ...; | false |
 | cflow.cs:193:10:193:17 | enter Booleans | cflow.cs:195:39:195:43 | this access | true |
 | cflow.cs:195:17:195:56 | ... && ... | cflow.cs:197:13:197:47 | [false] !... | false |
 | cflow.cs:195:17:195:56 | ... && ... | cflow.cs:197:13:197:47 | [true] !... | true |
@@ -2964,11 +2964,11 @@ conditionFlow
 | cflow.cs:173:32:173:41 | ... < ... | cflow.cs:146:10:146:12 | exit For (normal) | false |
 | cflow.cs:173:32:173:41 | ... < ... | cflow.cs:174:9:176:9 | {...} | true |
 | cflow.cs:187:13:187:18 | ... == ... | cflow.cs:187:23:187:23 | 2 | false |
-| cflow.cs:187:13:187:28 | [false] ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
-| cflow.cs:187:13:187:50 | [false] ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
-| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | [false] ... \|\| ... | false |
-| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | [false] ... && ... | false |
-| cflow.cs:187:34:187:49 | [false] ... && ... | cflow.cs:187:13:187:50 | [false] ... \|\| ... | false |
+| cflow.cs:187:13:187:28 | ... \|\| ... | cflow.cs:187:34:187:34 | 1 | false |
+| cflow.cs:187:13:187:50 | ... \|\| ... | cflow.cs:190:13:190:52 | ...; | false |
+| cflow.cs:187:23:187:28 | ... == ... | cflow.cs:187:13:187:28 | ... \|\| ... | false |
+| cflow.cs:187:34:187:39 | ... == ... | cflow.cs:187:34:187:49 | ... && ... | false |
+| cflow.cs:187:34:187:49 | ... && ... | cflow.cs:187:13:187:50 | ... \|\| ... | false |
 | cflow.cs:195:17:195:32 | ... > ... | cflow.cs:195:17:195:56 | ... && ... | false |
 | cflow.cs:195:17:195:32 | ... > ... | cflow.cs:195:39:195:43 | this access | true |
 | cflow.cs:197:13:197:47 | [false] !... | cflow.cs:200:9:205:9 | if (...) ... | false |