Merge branch 'github:main' into main-1

Author: krishnprakash

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternalsCommon.qll

@@ -630,10 +630,18 @@ private module Cached {
     Operand operand, int indirectionIndex, Operand operandRepr, int indirectionIndexRepr
   ) {
     indirectionIndex = [1 .. countIndirectionsForCppType(getLanguageType(operand))] and
-    exists(Instruction load |
-      isDereference(load, operand, false) and
-      operandRepr = unique( | | getAUse(load)) and
-      indirectionIndexRepr = indirectionIndex - 1
+    (
+      exists(Instruction load |
+        isDereference(load, operand, false) and
+        operandRepr = unique( | | getAUse(load)) and
+        indirectionIndexRepr = indirectionIndex - 1
+      )
+      or
+      exists(CopyValueInstruction copy |
+        copy.getSourceValueOperand() = operand and
+        operandRepr = unique( | | getAUse(copy)) and
+        indirectionIndexRepr = indirectionIndex
+      )
     )
   }
 
@@ -649,11 +657,19 @@ private module Cached {
     Instruction instr, int indirectionIndex, Instruction instrRepr, int indirectionIndexRepr
   ) {
     indirectionIndex = [1 .. countIndirectionsForCppType(getResultLanguageType(instr))] and
-    exists(Instruction load, Operand address |
-      address = unique( | | getAUse(instr)) and
-      isDereference(load, address, false) and
-      instrRepr = load and
-      indirectionIndexRepr = indirectionIndex - 1
+    (
+      exists(Instruction load, Operand address |
+        address = unique( | | getAUse(instr)) and
+        isDereference(load, address, false) and
+        instrRepr = load and
+        indirectionIndexRepr = indirectionIndex - 1
+      )
+      or
+      exists(CopyValueInstruction copy |
+        copy.getSourceValueOperand() = unique( | | getAUse(instr)) and
+        instrRepr = copy and
+        indirectionIndexRepr = indirectionIndex
+      )
     )
   }
 

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -53,11 +53,9 @@
 | example.c:26:18:26:24 | *& ... | example.c:26:2:26:7 | *coords |
 | example.c:26:18:26:24 | getX output argument | example.c:26:2:26:7 | *coords |
 | example.c:26:18:26:24 | pointer to getX output argument | example.c:26:2:26:7 | coords |
-| example.c:26:19:26:24 | *coords | example.c:26:18:26:24 | *& ... |
 | example.c:26:19:26:24 | coords | example.c:26:18:26:24 | & ... |
 | example.c:28:22:28:25 | & ... | example.c:28:14:28:25 | & ... |
 | example.c:28:22:28:25 | *& ... | example.c:28:14:28:25 | *& ... |
-| example.c:28:23:28:25 | *pos | example.c:28:22:28:25 | *& ... |
 | example.c:28:23:28:25 | pos | example.c:28:22:28:25 | & ... |
 | test.cpp:6:12:6:17 | call to source | test.cpp:6:12:6:17 | call to source |
 | test.cpp:6:12:6:17 | call to source | test.cpp:7:8:7:9 | t1 |
@@ -134,7 +132,6 @@
 | test.cpp:384:10:384:13 | *& ... | test.cpp:384:10:384:13 | *& ... |
 | test.cpp:384:10:384:13 | memcpy output argument | test.cpp:385:8:385:10 | tmp |
 | test.cpp:384:10:384:13 | pointer to memcpy output argument | test.cpp:385:8:385:10 | tmp |
-| test.cpp:384:11:384:13 | *tmp | test.cpp:384:10:384:13 | *& ... |
 | test.cpp:384:11:384:13 | tmp | test.cpp:384:10:384:13 | & ... |
 | test.cpp:384:16:384:23 | & ... | test.cpp:384:16:384:23 | & ... |
 | test.cpp:384:16:384:23 | *& ... | test.cpp:384:3:384:8 | **call to memcpy |
@@ -143,7 +140,6 @@
 | test.cpp:384:16:384:23 | *& ... | test.cpp:384:16:384:23 | *& ... |
 | test.cpp:384:16:384:23 | **& ... | test.cpp:384:3:384:8 | **call to memcpy |
 | test.cpp:384:16:384:23 | **& ... | test.cpp:384:10:384:13 | memcpy output argument |
-| test.cpp:384:17:384:23 | *source1 | test.cpp:384:16:384:23 | *& ... |
 | test.cpp:384:17:384:23 | source1 | test.cpp:384:16:384:23 | & ... |
 | test.cpp:388:53:388:59 | source1 | test.cpp:391:16:391:23 | *& ... |
 | test.cpp:388:66:388:66 | b | test.cpp:393:7:393:7 | b |
@@ -153,15 +149,13 @@
 | test.cpp:390:18:390:21 | & ... | test.cpp:391:10:391:13 | & ... |
 | test.cpp:390:18:390:21 | *& ... | test.cpp:390:18:390:21 | *& ... |
 | test.cpp:390:18:390:21 | *& ... | test.cpp:391:10:391:13 | *& ... |
-| test.cpp:390:19:390:21 | *tmp | test.cpp:390:18:390:21 | *& ... |
 | test.cpp:390:19:390:21 | tmp | test.cpp:390:18:390:21 | & ... |
 | test.cpp:391:10:391:13 | & ... | test.cpp:391:3:391:8 | call to memcpy |
 | test.cpp:391:10:391:13 | & ... | test.cpp:391:10:391:13 | & ... |
 | test.cpp:391:10:391:13 | & ... | test.cpp:392:8:392:10 | tmp |
 | test.cpp:391:10:391:13 | *& ... | test.cpp:391:10:391:13 | *& ... |
 | test.cpp:391:10:391:13 | memcpy output argument | test.cpp:392:8:392:10 | tmp |
 | test.cpp:391:10:391:13 | pointer to memcpy output argument | test.cpp:392:8:392:10 | tmp |
-| test.cpp:391:11:391:13 | *tmp | test.cpp:391:10:391:13 | *& ... |
 | test.cpp:391:11:391:13 | tmp | test.cpp:391:10:391:13 | & ... |
 | test.cpp:391:16:391:23 | & ... | test.cpp:391:16:391:23 | & ... |
 | test.cpp:391:16:391:23 | *& ... | test.cpp:391:3:391:8 | **call to memcpy |
@@ -170,7 +164,6 @@
 | test.cpp:391:16:391:23 | *& ... | test.cpp:391:16:391:23 | *& ... |
 | test.cpp:391:16:391:23 | **& ... | test.cpp:391:3:391:8 | **call to memcpy |
 | test.cpp:391:16:391:23 | **& ... | test.cpp:391:10:391:13 | memcpy output argument |
-| test.cpp:391:17:391:23 | *source1 | test.cpp:391:16:391:23 | *& ... |
 | test.cpp:391:17:391:23 | source1 | test.cpp:391:16:391:23 | & ... |
 | test.cpp:392:8:392:10 | tmp | test.cpp:394:10:394:12 | tmp |
 | test.cpp:392:8:392:10 | tmp | test.cpp:394:10:394:12 | tmp |
@@ -209,5 +202,4 @@
 | test.cpp:1087:3:1087:3 | a [post update] | test.cpp:1088:8:1088:9 | & ... |
 | test.cpp:1087:15:1087:21 | 0 | test.cpp:1087:3:1087:21 | ... = ... |
 | test.cpp:1087:15:1087:21 | *0 | test.cpp:1087:3:1087:21 | *... = ... |
-| test.cpp:1088:9:1088:9 | *a | test.cpp:1088:8:1088:9 | *& ... |
 | test.cpp:1088:9:1088:9 | a | test.cpp:1088:8:1088:9 | & ... |

csharp/ql/lib/semmle/code/csharp/controlflow/internal/Completion.qll

@@ -293,6 +293,8 @@ private predicate isMatchingConstant(PatternExpr pe, boolean value) {
   value = true
   or
   exists(Type t, Type strippedType |
+    not t instanceof UnknownType and
+    not strippedType instanceof UnknownType and
     typePatternMustHaveMatchingCompletion(pe, t, strippedType) and
     not typePatternCommonSubType(t, strippedType) and
     value = false

csharp/ql/src/change-notes/2025-03-10-unknown-type-matching.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Increase query precision for `cs/useless-assignment-to-local` and `cs/constant-condition` when *unknown* types are involved (mostly relevant for `build-mode: none` databases).

csharp/ql/src/codeql-suites/csharp-ccr.qls

@@ -7,3 +7,4 @@
       - cs/reference-equality-on-valuetypes
       - cs/self-assignment
       - cs/inefficient-containskey
+      - cs/call-to-object-tostring

csharp/ql/test/query-tests/standalone/Bad Practices/Control-Flow/ConstantCondition/ConstantCondition.cs

@@ -0,0 +1,27 @@
+using System;
+
+partial class C1
+{
+    public C2 Prop { get; set; }
+}
+
+class C2 { }
+
+class ConstantMatching
+{
+    void M1()
+    {
+        var c1 = new C1();
+        if (c1.Prop is int) // $ Alert
+        {
+        }
+
+        // Should not be considered a constant condition as
+        // we don't know anything about D.
+        var d = new D();
+        if (d.Prop is C2)
+        {
+        }
+    }
+}
+

csharp/ql/test/query-tests/standalone/Bad Practices/Control-Flow/ConstantCondition/ConstantCondition.expected

@@ -0,0 +1,2 @@
+| ConstantCondition.cs:15:13:15:26 | ... is ... | Condition always evaluates to 'false'. |
+| ConstantCondition.cs:15:24:15:26 | access to type Int32 | Pattern never matches. |

csharp/ql/test/query-tests/standalone/Bad Practices/Control-Flow/ConstantCondition/ConstantCondition.qlref

@@ -0,0 +1,2 @@
+query: Bad Practices/Control-Flow/ConstantCondition.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/standalone/IncomparableEquals/options renamed to csharp/ql/test/query-tests/standalone/Bad Practices/Control-Flow/ConstantCondition/options

@@ -0,0 +1 @@
+semmle-extractor-options: --standalone

csharp/ql/test/query-tests/standalone/IncomparableEquals/IncomparableEquals.cs renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.cs

@@ -25,7 +25,7 @@
    Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
    Ruby [9]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
    Swift [10]_,"Swift 5.4-6.0","Swift compiler","``.swift``"
-   TypeScript [11]_,"2.6-5.7",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
+   TypeScript [11]_,"2.6-5.8",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
 
 .. container:: footnote-group
 

csharp/ql/test/query-tests/standalone/IncomparableEquals/IncomparableEquals.expected renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.expected

@@ -2,7 +2,7 @@
     "name": "typescript-parser-wrapper",
     "private": true,
     "dependencies": {
-        "typescript": "^5.7.2"
+        "typescript": "^5.8.2"
     },
     "scripts": {
         "build": "tsc --project tsconfig.json",

csharp/ql/test/query-tests/standalone/IncomparableEquals/IncomparableEquals.qlref renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/IncomparableEquals.qlref

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for TypeScript 5.8.

csharp/ql/test/query-tests/standalone/ObjectComparison/options renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/IncomparableEquals/options

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for the `react-relay` library.

csharp/ql/test/query-tests/standalone/ObjectComparison/ObjectComparison.cs renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.cs

@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sourceModel
+    data:
+      - ["react-relay", "Member[useFragment].ReturnValue", "response"]
+      - ["react-relay", "Member[useLazyLoadQuery].ReturnValue", "response"]
+      - ["react-relay", "Member[usePreloadedQuery].ReturnValue", "response"]
+      - ["react-relay", "Member[useClientQuery].ReturnValue", "response"]
+      - ["react-relay", "Member[useRefetchableFragment].ReturnValue.Member[0]", "response"]
+      - ["react-relay", "Member[usePaginationFragment].ReturnValue.Member[data]", "response"]
+      - ["react-relay", "Member[useMutation].ReturnValue.Member[0].Argument[0].Member[onCompleted].Parameter[0]", "response"]
+      - ["react-relay", "Member[useSubscription].Argument[0].Member[onNext].Parameter[0]", "response"]
+      - ["react-relay", "Member[fetchQuery].ReturnValue.Member[subscribe].Argument[0].Member[next].Parameter[0]", "response"]
+      - ["relay-runtime", "Member[readFragment].ReturnValue", "response"]

csharp/ql/test/query-tests/standalone/ObjectComparison/ObjectComparison.expected renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.expected

@@ -140,22 +140,17 @@ module MembershipCandidate {
     EnumerationRegExp() {
       this.isRootTerm() and
       RegExp::isFullyAnchoredTerm(this) and
-      exists(RegExpTerm child | this.getAChild*() = child |
-        child instanceof RegExpSequence or
-        child instanceof RegExpCaret or
-        child instanceof RegExpDollar or
-        child instanceof RegExpConstant or
-        child instanceof RegExpAlt or
-        child instanceof RegExpGroup
-      ) and
-      // exclude "length matches" that match every string
-      not this.getAChild*() instanceof RegExpDot
+      not exists(RegExpTerm child | child.getRootTerm() = this |
+        child instanceof RegExpDot or
+        child instanceof RegExpCharacterClass or
+        child instanceof RegExpUnicodePropertyEscape
+      )
     }
 
     /**
      * Gets a string matched by this regular expression.
      */
-    string getAMember() { result = this.getAChild*().getAMatchedString() }
+    string getAMember() { result = any(RegExpTerm t | t.getRootTerm() = this).getAMatchedString() }
   }
 
   /**

csharp/ql/test/query-tests/standalone/ObjectComparison/ObjectComparison.qlref renamed to csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/ObjectComparison.qlref

@@ -188,27 +188,35 @@ module Routing {
       )
     }
 
-    /**
-     * Gets the path prefix needed to reach this node from the given ancestor, that is, the concatenation
-     * of all relative paths between this node and the ancestor.
-     *
-     * To restrict the size of the predicate, this is only available for the ancestors that are "fork" nodes,
-     * that is, a node that has siblings (i.e. multiple children).
-     */
-    private string getPathFromFork(Node fork) {
+    private string getPathFromForkInternal(Node fork) {
       this.isFork() and
       this = fork and
       result = ""
       or
       exists(Node parent | parent = this.getParent() |
         not exists(parent.getRelativePath()) and
-        result = parent.getPathFromFork(fork)
+        result = parent.getPathFromForkInternal(fork)
         or
-        result = parent.getPathFromFork(fork) + parent.getRelativePath() and
+        result = parent.getPathFromForkInternal(fork) + parent.getRelativePath() and
         result.length() < 100
       )
     }
 
+    /**
+     * Gets the path prefix needed to reach this node from the given ancestor, that is, the concatenation
+     * of all relative paths between this node and the ancestor.
+     *
+     * To restrict the size of the predicate, this is only available for the ancestors that are "fork" nodes,
+     * that is, a node that has siblings (i.e. multiple children).
+     * And only a single (shortest) path is returned, even if there are multiple paths
+     * leading to this node.
+     */
+    pragma[nomagic]
+    private string getPathFromFork(Node fork) {
+      result =
+        min(string res | res = this.getPathFromForkInternal(fork) | res order by res.length(), res)
+    }
+
     /**
      * Gets an HTTP method required to reach this node from the given ancestor, or `*` if any method
      * can be used.

csharp/ql/test/query-tests/standalone/Likely Bugs/ObjectComparison/options

@@ -0,0 +1,7 @@
+---
+category: fix
+---
+* Fixed a bug that would in rare cases cause some regexp-based checks
+  to be seen as generic taint sanitisers, even though the underlying regexp
+  is not restrictive enough. The regexps are now analysed more precisely,
+  and unrestrictive regexp checks will no longer block taint flow.

docs/codeql/reusables/supported-versions-compilers.rst

@@ -4,7 +4,7 @@
  *              via default taint-tracking steps.
  * @kind problem
  * @problem.severity recommendation
- * @tags meta
+ * @tags meta-expensive
  * @id js/meta/alerts/tainted-nodes
  * @precision very-low
  */

javascript/extractor/lib/typescript/package-lock.json

@@ -238,6 +238,7 @@ flow
 | promise.js:18:22:18:29 | source() | promise.js:24:10:24:10 | e |
 | promise.js:33:21:33:28 | source() | promise.js:38:10:38:10 | e |
 | promise.js:43:20:43:27 | source() | promise.js:43:8:43:28 | Promise ... urce()) |
+| regexp-sanitiser.js:2:19:2:26 | source() | regexp-sanitiser.js:4:14:4:18 | taint |
 | rxjs.js:3:1:3:8 | source() | rxjs.js:10:14:10:17 | data |
 | rxjs.js:13:1:13:8 | source() | rxjs.js:17:23:17:23 | x |
 | rxjs.js:13:1:13:8 | source() | rxjs.js:18:23:18:23 | x |

javascript/extractor/lib/typescript/package.json

@@ -161,6 +161,7 @@ flow
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
+| regexp-sanitiser.js:2:19:2:26 | source() | regexp-sanitiser.js:4:14:4:18 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:14:10:14:14 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:17:14:17:18 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:21:14:21:18 | taint |

javascript/ql/lib/change-notes/2025-02-17-typescript-5-8.md

@@ -0,0 +1,6 @@
+function foo() {
+    const taint = source();
+    if (/^asd[\s\S]*$/.test(taint)) {
+        sink(taint); // NOT OK
+    }
+}