Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow

Author: MathiasVP

cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.c

@@ -1,11 +1,11 @@
-int write_default_config_bad() {
+void write_default_config_bad() {
 	// BAD - this is world-writable so any user can overwrite the config
-	FILE* out = creat(OUTFILE, 0666);
-	fprintf(out, DEFAULT_CONFIG);
+	int out = creat(OUTFILE, 0666);
+	dprintf(out, DEFAULT_CONFIG);
 }
 
-int write_default_config_good() {
+void write_default_config_good() {
 	// GOOD - this allows only the current user to modify the file
-	FILE* out = creat(OUTFILE, S_IWUSR | S_IRUSR);
-	fprintf(out, DEFAULT_CONFIG);
+	int out = creat(OUTFILE, S_IWUSR | S_IRUSR);
+	dprintf(out, DEFAULT_CONFIG);
 }

csharp/ql/lib/change-notes/2023-03-02-unsafemembers.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `unsafe` predicate for `Modifiable` has been extended to cover delegate return types and identify pointer like types at any nest level. This is relevant for `unsafe` declarations extracted from assemblies.

csharp/ql/lib/semmle/code/csharp/Member.qll

@@ -98,10 +98,21 @@ class Modifiable extends Declaration, @modifiable {
 
   /** Holds if this declaration is `unsafe`. */
   predicate isUnsafe() {
-    this.hasModifier("unsafe") or
-    this.(Parameterizable).getAParameter().getType() instanceof PointerType or
-    this.(Property).getType() instanceof PointerType or
-    this.(Callable).getReturnType() instanceof PointerType
+    this.hasModifier("unsafe")
+    or
+    exists(Type t, Type child |
+      t = this.(Parameterizable).getAParameter().getType() or
+      t = this.(Property).getType() or
+      t = this.(Callable).getReturnType() or
+      t = this.(DelegateType).getReturnType()
+    |
+      child = t.getAChild*() and
+      (
+        child instanceof PointerType
+        or
+        child instanceof FunctionPointerType
+      )
+    )
   }
 
   /** Holds if this declaration is `async`. */

csharp/ql/src/Stubs/Stubs.qll

@@ -132,11 +132,11 @@ abstract private class GeneratedType extends Type, GeneratedElement {
     else (
       not this instanceof DelegateType and
       result =
-        this.stubAttributes() + stubAccessibility(this) + this.stubAbstractModifier() +
-          this.stubStaticModifier() + this.stubPartialModifier() + this.stubKeyword() + " " +
-          this.getUndecoratedName() + stubGenericArguments(this) + this.stubBaseTypesString() +
-          stubTypeParametersConstraints(this) + "\n{\n" + this.stubPrivateConstructor() +
-          this.stubMembers(assembly) + "}\n\n"
+        this.stubAttributes() + stubUnsafe(this) + stubAccessibility(this) +
+          this.stubAbstractModifier() + this.stubStaticModifier() + this.stubPartialModifier() +
+          this.stubKeyword() + " " + this.getUndecoratedName() + stubGenericArguments(this) +
+          this.stubBaseTypesString() + stubTypeParametersConstraints(this) + "\n{\n" +
+          this.stubPrivateConstructor() + this.stubMembers(assembly) + "}\n\n"
       or
       result =
         this.stubAttributes() + stubUnsafe(this) + stubAccessibility(this) + this.stubKeyword() +

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -1 +1 @@
-| // This file contains auto-generated code.\n// Generated from `Test, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null`.\n\nnamespace A1\n{\npublic class C1\n{\n}\n\n}\nnamespace A2\n{\nnamespace B2\n{\npublic class C2\n{\n}\n\n}\n}\nnamespace A3\n{\npublic class C3\n{\n}\n\n}\nnamespace A4\n{\npublic class C4\n{\n}\n\nnamespace B4\n{\npublic class D4\n{\n}\n\n}\n}\nnamespace Test\n{\npublic class Class1\n{\npublic class Class11 : Test.Class1.Interface1, Test.Class1.Interface2\n{\n    int Test.Class1.Interface2.this[int i] { get => throw null; }\n    public void Method1() => throw null;\n    void Test.Class1.Interface2.Method2() => throw null;\n}\n\n\npublic class Class12 : Test.Class1.Class11\n{\n}\n\n\npublic abstract class Class13\n{\n    protected internal virtual void M() => throw null;\n    public virtual void M1<T>() where T: Test.Class1.Class13 => throw null;\n    public abstract void M2();\n}\n\n\npublic abstract class Class14 : Test.Class1.Class13\n{\n    protected internal override void M() => throw null;\n    public override void M1<T>() => throw null;\n    public abstract override void M2();\n}\n\n\npublic delegate void Delegate1<T>(T i, int j);\n\n\npublic class GenericType<T>\n{\npublic class X\n{\n}\n\n\n}\n\n\npublic interface Interface1\n{\n    void Method1();\n}\n\n\nprotected internal interface Interface2\n{\n    int this[int i] { get; }\n    void Method2();\n}\n\n\npublic struct Struct1\n{\n    public void Method(Test.Class1.Struct1 s = default(Test.Class1.Struct1)) => throw null;\n    public int i;\n    public static int j = default;\n    public System.ValueTuple<int> t1;\n    public (int,int) t2;\n}\n\n\n    public event Test.Class1.Delegate1<int> Event1;\n    public Test.Class1.GenericType<int>.X Prop { get => throw null; }\n}\n\npublic class Class10\n{\n    unsafe public void M1(delegate* unmanaged<System.IntPtr,void> f) => throw null;\n}\n\npublic class Class11 : Test.IInterface2<Test.Class11>, Test.IInterface3<Test.Class11>\n{\n    static Test.Class11 Test.IInterface2<Test.Class11>.operator *(Test.Class11 left, Test.Class11 right) => throw null;\n    public static Test.Class11 operator +(Test.Class11 left, Test.Class11 right) => throw null;\n    public static Test.Class11 operator -(Test.Class11 left, Test.Class11 right) => throw null;\n    static Test.Class11 Test.IInterface2<Test.Class11>.operator /(Test.Class11 left, Test.Class11 right) => throw null;\n    public void M1() => throw null;\n    void Test.IInterface2<Test.Class11>.M2() => throw null;\n    public static explicit operator System.Int16(Test.Class11 n) => throw null;\n    static explicit Test.IInterface2<Test.Class11>.operator int(Test.Class11 n) => throw null;\n}\n\npublic class Class3\n{\n    public object Item { get => throw null; set => throw null; }\n    [System.Runtime.CompilerServices.IndexerName("MyItem")]\n    public object this[string index] { get => throw null; set => throw null; }\n}\n\npublic class Class4\n{\n    unsafe public void M(int* p) => throw null;\n}\n\npublic class Class5 : Test.IInterface1\n{\n    public void M2() => throw null;\n}\n\npublic class Class6<T> where T: class, Test.IInterface1\n{\n    public virtual void M1<T>() where T: class, Test.IInterface1, new() => throw null;\n}\n\npublic class Class7 : Test.Class6<Test.Class5>\n{\n    public override void M1<T>() where T: class => throw null;\n}\n\npublic class Class8\n{\n    public static int @this = default;\n}\n\npublic class Class9\n{\npublic class Nested : Test.Class9\n{\n}\n\n\n    public Test.Class9.Nested NestedInstance { get => throw null; }\n}\n\npublic enum Enum1 : int\n{\n    None1 = 0,\n    Some11 = 1,\n    Some12 = 2,\n}\n\npublic enum Enum2 : int\n{\n    None2 = 2,\n    Some21 = 1,\n    Some22 = 3,\n}\n\npublic enum Enum3 : int\n{\n    None3 = 2,\n    Some31 = 1,\n    Some32 = 0,\n}\n\npublic enum Enum4 : int\n{\n    None4 = 2,\n    Some41 = 7,\n    Some42 = 6,\n}\n\npublic enum EnumLong : long\n{\n    None = 10,\n    Some = 223372036854775807,\n}\n\npublic interface IInterface1\n{\n    void M1() => throw null;\n    void M2();\n}\n\npublic interface IInterface2<T> where T: Test.IInterface2<T>\n{\n    static abstract T operator *(T left, T right);\n    static abstract T operator +(T left, T right);\n    static virtual T operator -(T left, T right) => throw null;\n    static virtual T operator /(T left, T right) => throw null;\n    void M1();\n    void M2();\n    static abstract explicit operator System.Int16(T n);\n    static abstract explicit operator int(T n);\n}\n\npublic interface IInterface3<T> where T: Test.IInterface3<T>\n{\n    static abstract T operator +(T left, T right);\n    static virtual T operator -(T left, T right) => throw null;\n    void M1();\n    static abstract explicit operator System.Int16(T n);\n}\n\n}\n\n\n |
+| // This file contains auto-generated code.\n// Generated from `Test, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null`.\n\nnamespace A1\n{\npublic class C1\n{\n}\n\n}\nnamespace A2\n{\nnamespace B2\n{\npublic class C2\n{\n}\n\n}\n}\nnamespace A3\n{\npublic class C3\n{\n}\n\n}\nnamespace A4\n{\npublic class C4\n{\n}\n\nnamespace B4\n{\npublic class D4\n{\n}\n\n}\n}\nnamespace Test\n{\npublic class Class1\n{\npublic class Class11 : Test.Class1.Interface1, Test.Class1.Interface2\n{\n    int Test.Class1.Interface2.this[int i] { get => throw null; }\n    public void Method1() => throw null;\n    void Test.Class1.Interface2.Method2() => throw null;\n}\n\n\npublic class Class12 : Test.Class1.Class11\n{\n}\n\n\npublic abstract class Class13\n{\n    protected internal virtual void M() => throw null;\n    public virtual void M1<T>() where T: Test.Class1.Class13 => throw null;\n    public abstract void M2();\n}\n\n\npublic abstract class Class14 : Test.Class1.Class13\n{\n    protected internal override void M() => throw null;\n    public override void M1<T>() => throw null;\n    public abstract override void M2();\n}\n\n\npublic delegate void Delegate1<T>(T i, int j);\n\n\npublic class GenericType<T>\n{\npublic class X\n{\n}\n\n\n}\n\n\npublic interface Interface1\n{\n    void Method1();\n}\n\n\nprotected internal interface Interface2\n{\n    int this[int i] { get; }\n    void Method2();\n}\n\n\npublic struct Struct1\n{\n    public void Method(Test.Class1.Struct1 s = default(Test.Class1.Struct1)) => throw null;\n    public int i;\n    public static int j = default;\n    public System.ValueTuple<int> t1;\n    public (int,int) t2;\n}\n\n\n    public event Test.Class1.Delegate1<int> Event1;\n    public Test.Class1.GenericType<int>.X Prop { get => throw null; }\n}\n\npublic class Class10\n{\n    unsafe public void M1(delegate* unmanaged<System.IntPtr,void> f) => throw null;\n}\n\npublic class Class11 : Test.IInterface2<Test.Class11>, Test.IInterface3<Test.Class11>\n{\n    static Test.Class11 Test.IInterface2<Test.Class11>.operator *(Test.Class11 left, Test.Class11 right) => throw null;\n    public static Test.Class11 operator +(Test.Class11 left, Test.Class11 right) => throw null;\n    public static Test.Class11 operator -(Test.Class11 left, Test.Class11 right) => throw null;\n    static Test.Class11 Test.IInterface2<Test.Class11>.operator /(Test.Class11 left, Test.Class11 right) => throw null;\n    public void M1() => throw null;\n    void Test.IInterface2<Test.Class11>.M2() => throw null;\n    public static explicit operator System.Int16(Test.Class11 n) => throw null;\n    static explicit Test.IInterface2<Test.Class11>.operator int(Test.Class11 n) => throw null;\n}\n\npublic class Class3\n{\n    public object Item { get => throw null; set => throw null; }\n    [System.Runtime.CompilerServices.IndexerName("MyItem")]\n    public object this[string index] { get => throw null; set => throw null; }\n}\n\npublic class Class4\n{\n    unsafe public void M(int* p) => throw null;\n}\n\npublic class Class5 : Test.IInterface1\n{\n    public void M2() => throw null;\n}\n\npublic class Class6<T> where T: class, Test.IInterface1\n{\n    public virtual void M1<T>() where T: class, Test.IInterface1, new() => throw null;\n}\n\npublic class Class7 : Test.Class6<Test.Class5>\n{\n    public override void M1<T>() where T: class => throw null;\n}\n\npublic class Class8\n{\n    public static int @this = default;\n}\n\npublic class Class9\n{\npublic class Nested : Test.Class9\n{\n}\n\n\n    public Test.Class9.Nested NestedInstance { get => throw null; }\n}\n\npublic enum Enum1 : int\n{\n    None1 = 0,\n    Some11 = 1,\n    Some12 = 2,\n}\n\npublic enum Enum2 : int\n{\n    None2 = 2,\n    Some21 = 1,\n    Some22 = 3,\n}\n\npublic enum Enum3 : int\n{\n    None3 = 2,\n    Some31 = 1,\n    Some32 = 0,\n}\n\npublic enum Enum4 : int\n{\n    None4 = 2,\n    Some41 = 7,\n    Some42 = 6,\n}\n\npublic enum EnumLong : long\n{\n    None = 10,\n    Some = 223372036854775807,\n}\n\npublic interface IInterface1\n{\n    void M1() => throw null;\n    void M2();\n}\n\npublic interface IInterface2<T> where T: Test.IInterface2<T>\n{\n    static abstract T operator *(T left, T right);\n    static abstract T operator +(T left, T right);\n    static virtual T operator -(T left, T right) => throw null;\n    static virtual T operator /(T left, T right) => throw null;\n    void M1();\n    void M2();\n    static abstract explicit operator System.Int16(T n);\n    static abstract explicit operator int(T n);\n}\n\npublic interface IInterface3<T> where T: Test.IInterface3<T>\n{\n    static abstract T operator +(T left, T right);\n    static virtual T operator -(T left, T right) => throw null;\n    void M1();\n    static abstract explicit operator System.Int16(T n);\n}\n\nunsafe public class MyUnsafeClass\n{\n    unsafe public static void M1(delegate* <void> f) => throw null;\n    unsafe public static void M2(int*[] x) => throw null;\n    unsafe public static System.Char* M3() => throw null;\n    public static void M4(int x) => throw null;\n}\n\n}\n\n\n |

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -172,6 +172,14 @@ public class Class11 : IInterface2<Class11>, IInterface3<Class11>
         static explicit IInterface2<Class11>.operator int(Class11 n) => 0;
     }
 
+    public unsafe class MyUnsafeClass
+    {
+        public static void M1(delegate*<void> f) => throw null;
+        public static void M2(int*[] x) => throw null;
+        public static char* M3() => throw null;
+        public static void M4(int x) => throw null;
+    }
+
     public enum Enum1
     {
         None1,

csharp/ql/test/query-tests/Stubs/All/AllStubs.expected

@@ -1,12 +1,12 @@
 // This file contains auto-generated code.
+// Generated from `Microsoft.AspNetCore.Antiforgery, Version=7.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`.
 
 namespace Microsoft
 {
     namespace AspNetCore
     {
         namespace Antiforgery
         {
-            // Generated from `Microsoft.AspNetCore.Antiforgery.AntiforgeryOptions` in `Microsoft.AspNetCore.Antiforgery, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`
             public class AntiforgeryOptions
             {
                 public AntiforgeryOptions() => throw null;
@@ -17,7 +17,6 @@ public class AntiforgeryOptions
                 public bool SuppressXFrameOptionsHeader { get => throw null; set => throw null; }
             }
 
-            // Generated from `Microsoft.AspNetCore.Antiforgery.AntiforgeryTokenSet` in `Microsoft.AspNetCore.Antiforgery, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`
             public class AntiforgeryTokenSet
             {
                 public AntiforgeryTokenSet(string requestToken, string cookieToken, string formFieldName, string headerName) => throw null;
@@ -27,14 +26,12 @@ public class AntiforgeryTokenSet
                 public string RequestToken { get => throw null; }
             }
 
-            // Generated from `Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException` in `Microsoft.AspNetCore.Antiforgery, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`
             public class AntiforgeryValidationException : System.Exception
             {
                 public AntiforgeryValidationException(string message) => throw null;
                 public AntiforgeryValidationException(string message, System.Exception innerException) => throw null;
             }
 
-            // Generated from `Microsoft.AspNetCore.Antiforgery.IAntiforgery` in `Microsoft.AspNetCore.Antiforgery, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`
             public interface IAntiforgery
             {
                 Microsoft.AspNetCore.Antiforgery.AntiforgeryTokenSet GetAndStoreTokens(Microsoft.AspNetCore.Http.HttpContext httpContext);
@@ -44,7 +41,6 @@ public interface IAntiforgery
                 System.Threading.Tasks.Task ValidateRequestAsync(Microsoft.AspNetCore.Http.HttpContext httpContext);
             }
 
-            // Generated from `Microsoft.AspNetCore.Antiforgery.IAntiforgeryAdditionalDataProvider` in `Microsoft.AspNetCore.Antiforgery, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`
             public interface IAntiforgeryAdditionalDataProvider
             {
                 string GetAdditionalData(Microsoft.AspNetCore.Http.HttpContext context);
@@ -57,7 +53,6 @@ namespace Extensions
     {
         namespace DependencyInjection
         {
-            // Generated from `Microsoft.Extensions.DependencyInjection.AntiforgeryServiceCollectionExtensions` in `Microsoft.AspNetCore.Antiforgery, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60`
             public static class AntiforgeryServiceCollectionExtensions
             {
                 public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAntiforgery(this Microsoft.Extensions.DependencyInjection.IServiceCollection services) => throw null;