Merge remote-tracking branch 'upstream/main' into aibaars/rust-macros

Author: aibaars

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")

cpp/ql/lib/change-notes/2024-10-09-fopen-taint.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow model for `fopen` and related functions.

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -80,6 +80,8 @@ private Declaration getAnEnclosingDeclaration(Locatable ast) {
   or
   result = ast.(Parameter).getFunction()
   or
+  result = ast.(Parameter).getCatchBlock().getEnclosingFunction()
+  or
   result = ast.(Expr).getEnclosingDeclaration()
   or
   result = ast.(Initializer).getDeclaration()
@@ -510,6 +512,22 @@ class DeclStmtNode extends StmtNode {
   }
 }
 
+/**
+ * A node representing a `Handler`.
+ */
+class HandlerNode extends ChildStmtNode {
+  Handler handler;
+
+  HandlerNode() { handler = stmt }
+
+  override BaseAstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex)
+    or
+    childIndex = -1 and
+    result.getAst() = handler.getParameter()
+  }
+}
+
 /**
  * A node representing a `Parameter`.
  */
@@ -754,6 +772,8 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
     or
+    s.(Handler).getParameter() = e and pred = "getParameter()"
+    or
     s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
     or
     s.(IfStmt).getCondition() = e and pred = "getCondition()"

cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /** The function `fopen` and friends. */
-private class Fopen extends Function, AliasFunction, SideEffectFunction {
+private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
   Fopen() {
     this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
     or
@@ -47,4 +47,22 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
     i = 0 and
     buffer = true
   }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      this.hasGlobalOrStdName(["fopen", "freopen"]) or
+      this.hasGlobalName(["_wfopen", "_fsopen", "_wfsopen"])
+    ) and
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // The out parameter is a pointer to a `FILE*`.
+    this.hasGlobalOrStdName("fopen_s") and
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0, 2)
+    or
+    this.hasGlobalName(["_open", "_wopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }

cpp/ql/test/examples/expressions/PrintAST.expected

@@ -870,6 +870,8 @@ Throw.cpp:
 #    8|               Type = [BoolType] bool
 #    8|               ValueCategory = prvalue
 #   12|       getChild(1): [Handler] <handler>
+#   12|         getParameter(): [Parameter] e
+#   12|             Type = [PointerType] E *
 #   12|         getBlock(): [CatchBlock] { ... }
 #   13|           getStmt(0): [ExprStmt] ExprStmt
 #   13|             getExpr(): [ReThrowExpr] re-throw exception 

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -6584,6 +6584,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path |  |
 | taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... |  |
 | taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:785:23:785:28 | source |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:786:18:786:23 | source |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:790:15:790:20 | source |  |
+| taint.cpp:786:12:786:16 | call to fopen | taint.cpp:787:7:787:7 | f |  |
+| taint.cpp:786:18:786:23 | source | taint.cpp:786:12:786:16 | call to fopen | TAINT |
+| taint.cpp:789:8:789:9 | f2 | taint.cpp:790:11:790:12 | f2 |  |
+| taint.cpp:789:8:789:9 | f2 | taint.cpp:791:7:791:8 | f2 |  |
+| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:790:11:790:12 | f2 [inner post update] |  |
+| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:791:7:791:8 | f2 |  |
+| taint.cpp:790:11:790:12 | f2 | taint.cpp:790:10:790:12 | & ... |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -777,4 +777,16 @@ TaintInheritingContentObject source(bool);
 void test_TaintInheritingContent() {
 	TaintInheritingContentObject obj = source(true);
 	sink(obj.flowFromObject); // $ ir MISSING: ast
+}
+
+FILE* fopen(const char*, const char*);
+int fopen_s(FILE** pFile, const char *filename, const char *mode);
+
+void fopen_test(char* source) {
+	FILE* f = fopen(source, "r");
+	sink(f); // $ ast,ir
+
+	FILE* f2;
+	fopen_s(&f2, source, "r");
+	sink(f2); // $ ast,ir
 }

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -9055,6 +9055,8 @@ ir.cpp:
 #  733|                 Value = [Literal] 7
 #  733|                 ValueCategory = prvalue
 #  735|       getChild(1): [Handler] <handler>
+#  735|         getParameter(): [Parameter] s
+#  735|             Type = [PointerType] const char *
 #  735|         getBlock(): [CatchBlock] { ... }
 #  736|           getStmt(0): [ExprStmt] ExprStmt
 #  736|             getExpr(): [ThrowExpr] throw ...
@@ -9067,6 +9069,8 @@ ir.cpp:
 #  736|                     Type = [PointerType] const char *
 #  736|                     ValueCategory = prvalue(load)
 #  738|       getChild(2): [Handler] <handler>
+#  738|         getParameter(): [Parameter] e
+#  738|             Type = [LValueReferenceType] const String &
 #  738|         getBlock(): [CatchBlock] { ... }
 #  740|       getChild(3): [Handler] <handler>
 #  740|         getBlock(): [CatchAnyBlock] { ... }
@@ -12852,6 +12856,8 @@ ir.cpp:
 # 1200|                 Value = [Literal] 7
 # 1200|                 ValueCategory = prvalue
 # 1202|       getChild(1): [Handler] <handler>
+# 1202|         getParameter(): [Parameter] s
+# 1202|             Type = [PointerType] const char *
 # 1202|         getBlock(): [CatchBlock] { ... }
 # 1203|           getStmt(0): [ExprStmt] ExprStmt
 # 1203|             getExpr(): [ThrowExpr] throw ...
@@ -12864,6 +12870,8 @@ ir.cpp:
 # 1203|                     Type = [PointerType] const char *
 # 1203|                     ValueCategory = prvalue(load)
 # 1205|       getChild(2): [Handler] <handler>
+# 1205|         getParameter(): [Parameter] e
+# 1205|             Type = [LValueReferenceType] const String &
 # 1205|         getBlock(): [CatchBlock] { ... }
 # 1207|     getStmt(1): [ReturnStmt] return ...
 # 1211| [TopLevelFunction] void VectorTypes(int)
@@ -20586,6 +20594,8 @@ ir.cpp:
 # 2281|               Type = [Struct] String
 # 2281|               ValueCategory = lvalue
 # 2282|       getChild(1): [Handler] <handler>
+# 2282|         getParameter(): [Parameter] s
+# 2282|             Type = [PointerType] const char *
 # 2282|         getBlock(): [CatchBlock] { ... }
 # 2283|           getStmt(0): [ExprStmt] ExprStmt
 # 2283|             getExpr(): [ThrowExpr] throw ...
@@ -20598,6 +20608,8 @@ ir.cpp:
 # 2283|                     Type = [PointerType] const char *
 # 2283|                     ValueCategory = prvalue(load)
 # 2285|       getChild(2): [Handler] <handler>
+# 2285|         getParameter(): [Parameter] e
+# 2285|             Type = [LValueReferenceType] const String &
 # 2285|         getBlock(): [CatchBlock] { ... }
 # 2287|       getChild(3): [Handler] <handler>
 # 2287|         getBlock(): [CatchAnyBlock] { ... }
@@ -22845,6 +22857,8 @@ ir.cpp:
 # 2537|                 Value = [Literal] 42
 # 2537|                 ValueCategory = prvalue
 # 2539|       getChild(1): [Handler] <handler>
+# 2539|         getParameter(): [Parameter] (unnamed parameter 0)
+# 2539|             Type = [PlainCharType] char
 # 2539|         getBlock(): [CatchBlock] { ... }
 # 2541|         getImplicitDestructorCall(0): [DestructorCall] call to ~ClassWithDestructor
 # 2541|             Type = [VoidType] void

docs/codeql/index.html

@@ -101,7 +101,7 @@ <h2 class="Box-title text-mono f2 text-center">
                             latest version of CodeQL...</div>
                     </div>
                     <div class="Subhead border-0">
-                        <a href="codeql-overview/supported-languages-and-frameworks/">
+                        <a href="query-help/codeql-cwe-coverage/">
                             <div class="Subhead-heading f4 text-center">CodeQL coverage of CWEs</div>
                         </a>
                         <div class="Subhead-description">Detailed information on the coverage of Common Weakness Enumerations (CWEs) in the latest release...</div>