Merge branch 'main' into redsun82/codegen-annotate

Author: Paolo Tranquilli

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")

cpp/ql/lib/change-notes/2024-10-09-fopen-taint.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow model for `fopen` and related functions.

cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /** The function `fopen` and friends. */
-private class Fopen extends Function, AliasFunction, SideEffectFunction {
+private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
   Fopen() {
     this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
     or
@@ -47,4 +47,22 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
     i = 0 and
     buffer = true
   }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      this.hasGlobalOrStdName(["fopen", "freopen"]) or
+      this.hasGlobalName(["_wfopen", "_fsopen", "_wfsopen"])
+    ) and
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // The out parameter is a pointer to a `FILE*`.
+    this.hasGlobalOrStdName("fopen_s") and
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0, 2)
+    or
+    this.hasGlobalName(["_open", "_wopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -6584,6 +6584,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path |  |
 | taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... |  |
 | taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:785:23:785:28 | source |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:786:18:786:23 | source |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:790:15:790:20 | source |  |
+| taint.cpp:786:12:786:16 | call to fopen | taint.cpp:787:7:787:7 | f |  |
+| taint.cpp:786:18:786:23 | source | taint.cpp:786:12:786:16 | call to fopen | TAINT |
+| taint.cpp:789:8:789:9 | f2 | taint.cpp:790:11:790:12 | f2 |  |
+| taint.cpp:789:8:789:9 | f2 | taint.cpp:791:7:791:8 | f2 |  |
+| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:790:11:790:12 | f2 [inner post update] |  |
+| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:791:7:791:8 | f2 |  |
+| taint.cpp:790:11:790:12 | f2 | taint.cpp:790:10:790:12 | & ... |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -777,4 +777,16 @@ TaintInheritingContentObject source(bool);
 void test_TaintInheritingContent() {
 	TaintInheritingContentObject obj = source(true);
 	sink(obj.flowFromObject); // $ ir MISSING: ast
+}
+
+FILE* fopen(const char*, const char*);
+int fopen_s(FILE** pFile, const char *filename, const char *mode);
+
+void fopen_test(char* source) {
+	FILE* f = fopen(source, "r");
+	sink(f); // $ ast,ir
+
+	FILE* f2;
+	fopen_s(&f2, source, "r");
+	sink(f2); // $ ast,ir
 }

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll

@@ -53,7 +53,6 @@ private predicate idOf(AstNode x, int y) = equivalenceRelation(id/2)(x, y)
 private module CfgInput implements CfgShared::InputSig<Location> {
   private import ControlFlowGraphImpl as Impl
   private import Completion as Comp
-  private import Splitting as Splitting
   private import SuccessorType as ST
   private import semmle.code.csharp.Caching
 
@@ -80,10 +79,6 @@ private module CfgInput implements CfgShared::InputSig<Location> {
     Impl::scopeLast(scope, last, c)
   }
 
-  class SplitKindBase = Splitting::TSplitKind;
-
-  class Split = Splitting::Split;
-
   class SuccessorType = ST::SuccessorType;
 
   SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
@@ -102,7 +97,21 @@ private module CfgInput implements CfgShared::InputSig<Location> {
   }
 }
 
-import CfgShared::Make<Location, CfgInput>
+private module CfgSplittingInput implements CfgShared::SplittingInputSig<Location, CfgInput> {
+  private import Splitting as S
+
+  class SplitKindBase = S::TSplitKind;
+
+  class Split = S::Split;
+}
+
+private module ConditionalCompletionSplittingInput implements
+  CfgShared::ConditionalCompletionSplittingInputSig<Location, CfgInput, CfgSplittingInput>
+{
+  import Splitting::ConditionalCompletionSplitting::ConditionalCompletionSplittingInput
+}
+
+import CfgShared::MakeWithSplitting<Location, CfgInput, CfgSplittingInput, ConditionalCompletionSplittingInput>
 
 /**
  * A compilation.

csharp/ql/lib/semmle/code/csharp/controlflow/internal/Splitting.qll

@@ -5,7 +5,8 @@
  */
 
 import csharp
-private import Completion
+private import Completion as Comp
+private import Comp
 private import ControlFlowGraphImpl
 private import semmle.code.csharp.controlflow.ControlFlowGraph::ControlFlow as Cfg
 private import semmle.code.csharp.controlflow.internal.PreSsa
@@ -260,100 +261,77 @@ module ConditionalCompletionSplitting {
 
     ConditionalCompletionSplit() { this = TConditionalCompletionSplit(completion) }
 
+    ConditionalCompletion getCompletion() { result = completion }
+
     override string toString() { result = completion.toString() }
   }
 
-  private class ConditionalCompletionSplitKind extends SplitKind, TConditionalCompletionSplitKind {
+  private class ConditionalCompletionSplitKind_ extends SplitKind, TConditionalCompletionSplitKind {
     override int getListOrder() { result = InitializerSplitting::getNextListOrder() }
 
     override predicate isEnabled(AstNode cfe) { this.appliesTo(cfe) }
 
     override string toString() { result = "ConditionalCompletion" }
   }
 
-  int getNextListOrder() { result = InitializerSplitting::getNextListOrder() + 1 }
+  module ConditionalCompletionSplittingInput {
+    private import Completion as Comp
 
-  private class ConditionalCompletionSplitImpl extends SplitImpl instanceof ConditionalCompletionSplit
-  {
-    ConditionalCompletion completion;
+    class ConditionalCompletion = Comp::ConditionalCompletion;
 
-    ConditionalCompletionSplitImpl() { this = TConditionalCompletionSplit(completion) }
+    class ConditionalCompletionSplitKind extends ConditionalCompletionSplitKind_, TSplitKind { }
 
-    override ConditionalCompletionSplitKind getKind() { any() }
+    class ConditionalCompletionSplit = ConditionalCompletionSplitting::ConditionalCompletionSplit;
 
-    override predicate hasEntry(AstNode pred, AstNode succ, Completion c) {
-      succ(pred, succ, c) and
-      last(succ, _, completion) and
+    bindingset[parent, parentCompletion]
+    predicate condPropagateExpr(
+      AstNode parent, ConditionalCompletion parentCompletion, AstNode child,
+      ConditionalCompletion childCompletion
+    ) {
+      child = parent.(LogicalNotExpr).getOperand() and
+      childCompletion.getDual() = parentCompletion
+      or
+      childCompletion = parentCompletion and
       (
-        last(succ.(LogicalNotExpr).getOperand(), pred, c) and
-        completion.(BooleanCompletion).getDual() = c
+        child = parent.(LogicalAndExpr).getAnOperand()
         or
-        last(succ.(LogicalAndExpr).getAnOperand(), pred, c) and
-        completion = c
+        child = parent.(LogicalOrExpr).getAnOperand()
         or
-        last(succ.(LogicalOrExpr).getAnOperand(), pred, c) and
-        completion = c
+        parent = any(ConditionalExpr ce | child = [ce.getThen(), ce.getElse()])
         or
-        succ =
-          any(ConditionalExpr ce |
-            last([ce.getThen(), ce.getElse()], pred, c) and
-            completion = c
-          )
+        child = parent.(SwitchExpr).getACase()
         or
-        succ =
+        child = parent.(SwitchCaseExpr).getBody()
+        or
+        parent =
           any(NullCoalescingExpr nce |
-            exists(Expr operand |
-              last(operand, pred, c) and
-              completion = c
-            |
-              if c instanceof NullnessCompletion
-              then operand = nce.getRightOperand()
-              else operand = nce.getAnOperand()
-            )
+            if childCompletion instanceof NullnessCompletion
+            then child = nce.getRightOperand()
+            else child = nce.getAnOperand()
           )
+      )
+      or
+      child = parent.(NotPatternExpr).getPattern() and
+      childCompletion.getDual() = parentCompletion
+      or
+      child = parent.(IsExpr).getPattern() and
+      parentCompletion.(BooleanCompletion).getValue() =
+        childCompletion.(MatchingCompletion).getValue()
+      or
+      childCompletion = parentCompletion and
+      (
+        child = parent.(AndPatternExpr).getAnOperand()
         or
-        last(succ.(SwitchExpr).getACase(), pred, c) and
-        completion = c
-        or
-        last(succ.(SwitchCaseExpr).getBody(), pred, c) and
-        completion = c
-        or
-        last(succ.(NotPatternExpr).getPattern(), pred, c) and
-        completion.(MatchingCompletion).getDual() = c
-        or
-        last(succ.(IsExpr).getPattern(), pred, c) and
-        completion.(BooleanCompletion).getValue() = c.(MatchingCompletion).getValue()
-        or
-        last(succ.(AndPatternExpr).getAnOperand(), pred, c) and
-        completion = c
-        or
-        last(succ.(OrPatternExpr).getAnOperand(), pred, c) and
-        completion = c
+        child = parent.(OrPatternExpr).getAnOperand()
         or
-        last(succ.(RecursivePatternExpr).getAChildExpr(), pred, c) and
-        completion = c
+        child = parent.(RecursivePatternExpr).getAChildExpr()
         or
-        last(succ.(PropertyPatternExpr).getPattern(_), pred, c) and
-        completion = c
+        child = parent.(PropertyPatternExpr).getPattern(_)
       )
     }
-
-    override predicate hasEntryScope(CfgScope scope, AstNode first) { none() }
-
-    override predicate hasExit(AstNode pred, AstNode succ, Completion c) {
-      this.appliesTo(pred) and
-      succ(pred, succ, c) and
-      if c instanceof ConditionalCompletion then completion = c else any()
-    }
-
-    override predicate hasExitScope(CfgScope scope, AstNode last, Completion c) {
-      this.appliesTo(last) and
-      scopeLast(scope, last, c) and
-      if c instanceof ConditionalCompletion then completion = c else any()
-    }
-
-    override predicate hasSuccessor(AstNode pred, AstNode succ, Completion c) { none() }
   }
+
+  int getNextListOrder() { result = InitializerSplitting::getNextListOrder() + 1 }
 }
 
 module AssertionSplitting {

docs/codeql/index.html

@@ -101,7 +101,7 @@ <h2 class="Box-title text-mono f2 text-center">
                             latest version of CodeQL...</div>
                     </div>
                     <div class="Subhead border-0">
-                        <a href="codeql-overview/supported-languages-and-frameworks/">
+                        <a href="query-help/codeql-cwe-coverage/">
                             <div class="Subhead-heading f4 text-center">CodeQL coverage of CWEs</div>
                         </a>
                         <div class="Subhead-description">Detailed information on the coverage of Common Weakness Enumerations (CWEs) in the latest release...</div>

misc/bazel/registry/modules/rules_kotlin/1.9.4-codeql.1/source.json

@@ -1,14 +1,16 @@
 module(
     name = "rules_kotlin",
-    version = "1.9.4-codeql.1",
+    version = "2.0.0-codeql.1",
+    compatibility_level = 1,
     repo_name = "rules_kotlin",
 )
 
-bazel_dep(name = "platforms", version = "0.0.6")
-bazel_dep(name = "bazel_skylib", version = "1.4.2")
+bazel_dep(name = "platforms", version = "0.0.10")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "rules_java", version = "7.2.0")
 bazel_dep(name = "rules_python", version = "0.23.1")
 bazel_dep(name = "rules_cc", version = "0.0.8")
+bazel_dep(name = "rules_android", version = "0.1.1")
 
 rules_kotlin_extensions = use_extension(
     "//src/main/starlark/core/repositories:bzlmod_setup.bzl",
@@ -19,7 +21,9 @@ use_repo(
     "com_github_google_ksp",
     "com_github_jetbrains_kotlin",
     "com_github_pinterest_ktlint",
-    "rules_android",
+    "kotlinx_serialization_core_jvm",
+    "kotlinx_serialization_json",
+    "kotlinx_serialization_json_jvm",
 )
 
 register_toolchains("//kotlin/internal:default_toolchain")