Merge branch 'main' into redsun82/rules_rust

Author: redsun82

.github/codeql/codeql-config.yml

@@ -10,4 +10,6 @@ paths-ignore:
   - '/javascript/ql/test'
   - '/javascript/ql/integration-tests'
   - '/javascript/extractor/tests'
+  - '/javascript/extractor/parser-tests'
+  - '/javascript/ql/src/'
   - '/rust/ql'

cpp/ql/lib/change-notes/2025-03-13-ascertaindef.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -313,13 +313,79 @@ class Node extends TIRDataFlowNode {
    * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
    * the expression `x++` is passed to `sink`.
    */
-  Expr asDefinition() {
-    exists(StoreInstruction store |
+  Expr asDefinition() { result = this.asDefinition(_) }
+
+  /**
+   * Gets the definition associated with this node, if any.
+   *
+   * For example, consider the following example
+   * ```cpp
+   * int x = 42;     // 1
+   * x = 34;         // 2
+   * ++x;            // 3
+   * x++;            // 4
+   * x += 1;         // 5
+   * int y = x += 2; // 6
+   * ```
+   * - For (1) the result is `42`.
+   * - For (2) the result is `x = 34`.
+   * - For (3) the result is `++x`.
+   * - For (4) the result is `x++`.
+   * - For (5) the result is `x += 1`.
+   * - For (6) there are two results:
+   *   - For the definition generated by `x += 2` the result is `x += 2`
+   *   - For the definition generated by `int y = ...` the result is
+   *     also `x += 2`.
+   *
+   * For assignments, `node.asDefinition(_)` and `node.asExpr()` will both exist
+   * for the same dataflow node. However, for expression such as `x++` that
+   * both write to `x` and read the current value of `x`, `node.asDefinition(_)`
+   * will give the node corresponding to the value after the increment, and
+   * `node.asExpr()` will give the node corresponding to the value before the
+   * increment. For an example of this, consider the following:
+   *
+   * ```cpp
+   * sink(x++);
+   * ```
+   * in the above program, there will not be flow from a node `n` such that
+   * `n.asDefinition(_) instanceof IncrementOperation` to the argument of `sink`
+   * since the value passed to `sink` is the value before to the increment.
+   * However, there will be dataflow from a node `n` such that
+   * `n.asExpr() instanceof IncrementOperation` since the result of evaluating
+   * the expression `x++` is passed to `sink`.
+   *
+   * If `uncertain = false` then the definition is guaranteed to overwrite
+   * the entire buffer pointed to by the destination address of the definition.
+   * Otherwise, `uncertain = true`.
+   *
+   * For example, the write `int x; x = 42;` is guaranteed to overwrite all the
+   * bytes allocated to `x`, while the assignment `int p[10]; p[3] = 42;` has
+   * `uncertain = true` since the write will not overwrite the entire buffer
+   * pointed to by `p`.
+   */
+  Expr asDefinition(boolean uncertain) {
+    exists(StoreInstruction store, Ssa::DefinitionExt def |
       store = this.asInstruction() and
-      result = asDefinitionImpl(store)
+      result = asDefinitionImpl(store) and
+      Ssa::defToNode(this, def, _, _, _, _) and
+      if def.isCertain() then uncertain = false else uncertain = true
     )
   }
 
+  /**
+   * Gets the definition associated with this node, if this node is a certain definition.
+   *
+   * See `Node.asDefinition/1` for a description of certain and uncertain definitions.
+   */
+  Expr asCertainDefinition() { result = this.asDefinition(false) }
+
+  /**
+   * Gets the definition associated with this node, if this node is an uncertain definition.
+   *
+   * See `Node.asDefinition/1` for a description of certain and uncertain definitions.
+   */
+  Expr asUncertainDefinition() { result = this.asDefinition(true) }
+
   /**
    * Gets the indirect definition at a given indirection corresponding to this
    * node, if any.

cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql

@@ -12,7 +12,11 @@
 import cpp
 
 predicate allowedTypedefs(TypedefType t) {
-  t.getName() = ["I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32"]
+  t.getName() =
+    [
+      "I64", "U64", "I32", "U32", "I16", "U16", "I8", "U8", "F64", "F32", "int64_t", "uint64_t",
+      "int32_t", "uint32_t", "int16_t", "uint16_t", "int8_t", "uint8_t"
+    ]
 }
 
 /**
@@ -46,6 +50,8 @@ from Declaration d, Type usedType
 where
   usedType = getAUsedType*(getAnImmediateUsedType(d)) and
   problematic(usedType) and
+  // Allow uses of boolean types where defined by the language.
+  not usedType instanceof BoolType and
   // Ignore violations for which we do not have a valid location.
   not d.getLocation() instanceof UnknownLocation
 select d,

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -37,7 +37,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -37,7 +37,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
 }
 

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -42,7 +42,7 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and isArithmeticNonCharType(node.asExpr().getUnspecifiedType())
     or
-    isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType())
+    isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())
   }
 }
 

cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

@@ -37,7 +37,7 @@ private module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
     or
-    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+    node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
     or
     mayAddNullTerminator(_, node.asIndirectExpr())
   }

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -75,9 +75,11 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(StoreInstruction store | store = node.asInstruction() |
+    exists(StoreInstruction store, Expr e |
+      store = node.asInstruction() and e = node.asCertainDefinition()
+    |
       // Block flow to "likely small expressions"
-      bounded(store.getSourceValue().getUnconvertedResultExpression())
+      bounded(e)
       or
       // Block flow to "small types"
       store.getResultType().getUnspecifiedType().(IntegralType).getSize() <= 1

cpp/ql/src/change-notes/2025-03-11-basic-int-types.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.

cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.expected

@@ -1,3 +1 @@
 | test.c:6:26:6:26 | x | x uses the basic integral type unsigned char rather than a typedef with size and signedness. |
-| test.c:7:20:7:20 | x | x uses the basic integral type unsigned char rather than a typedef with size and signedness. |
-| test.c:10:16:10:20 | test7 | test7 uses the basic integral type unsigned char rather than a typedef with size and signedness. |

csharp/ql/src/Useless code/IntGetHashCode.ql

@@ -16,5 +16,12 @@ import semmle.code.csharp.frameworks.System
 from MethodCall mc, IntegralType t
 where
   mc.getTarget() instanceof GetHashCodeMethod and
-  t = mc.getQualifier().getType()
+  t = mc.getQualifier().getType() and
+  (
+    t instanceof ByteType or
+    t instanceof SByteType or
+    t instanceof ShortType or
+    t instanceof UShortType or
+    t instanceof IntType
+  )
 select mc, "Calling GetHashCode() on type " + t.toStringWithTypes() + " is redundant."

csharp/ql/src/change-notes/2025-03-13-useless-gethashcode-call.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Increase query precision for `cs/useless-gethashcode-call` by not flagging calls to `GetHashCode` on `uint`, `long` and `ulong`.

csharp/ql/src/codeql-suites/csharp-ccr.qls

@@ -10,3 +10,4 @@
       - cs/call-to-object-tostring
       - cs/local-not-disposed
       - cs/constant-condition
+      - cs/useless-gethashcode-call

csharp/ql/test/query-tests/Useless Code/IntGetHashCode/IntGetHashCode.cs

@@ -3,16 +3,16 @@ class IntGetHashCode
     void Test()
     {
         // These are all bad:
+        default(int).GetHashCode(); // $ Alert
+        default(short).GetHashCode(); // $ Alert
+        default(ushort).GetHashCode(); // $ Alert
+        default(byte).GetHashCode(); // $ Alert
+        default(sbyte).GetHashCode(); // $ Alert
+
+        // These are all good:
         default(uint).GetHashCode();
-        default(int).GetHashCode();
         default(long).GetHashCode();
         default(ulong).GetHashCode();
-        default(short).GetHashCode();
-        default(ushort).GetHashCode();
-        default(byte).GetHashCode();
-        default(sbyte).GetHashCode();
-
-        // These are all good:
         default(double).GetHashCode();
         default(float).GetHashCode();
         default(char).GetHashCode();

csharp/ql/test/query-tests/Useless Code/IntGetHashCode/IntGetHashCode.expected

@@ -1,8 +1,5 @@
-| IntGetHashCode.cs:6:9:6:35 | call to method GetHashCode | Calling GetHashCode() on type uint is redundant. |
-| IntGetHashCode.cs:7:9:7:34 | call to method GetHashCode | Calling GetHashCode() on type int is redundant. |
-| IntGetHashCode.cs:8:9:8:35 | call to method GetHashCode | Calling GetHashCode() on type long is redundant. |
-| IntGetHashCode.cs:9:9:9:36 | call to method GetHashCode | Calling GetHashCode() on type ulong is redundant. |
-| IntGetHashCode.cs:10:9:10:36 | call to method GetHashCode | Calling GetHashCode() on type short is redundant. |
-| IntGetHashCode.cs:11:9:11:37 | call to method GetHashCode | Calling GetHashCode() on type ushort is redundant. |
-| IntGetHashCode.cs:12:9:12:35 | call to method GetHashCode | Calling GetHashCode() on type byte is redundant. |
-| IntGetHashCode.cs:13:9:13:36 | call to method GetHashCode | Calling GetHashCode() on type sbyte is redundant. |
+| IntGetHashCode.cs:6:9:6:34 | call to method GetHashCode | Calling GetHashCode() on type int is redundant. |
+| IntGetHashCode.cs:7:9:7:36 | call to method GetHashCode | Calling GetHashCode() on type short is redundant. |
+| IntGetHashCode.cs:8:9:8:37 | call to method GetHashCode | Calling GetHashCode() on type ushort is redundant. |
+| IntGetHashCode.cs:9:9:9:35 | call to method GetHashCode | Calling GetHashCode() on type byte is redundant. |
+| IntGetHashCode.cs:10:9:10:36 | call to method GetHashCode | Calling GetHashCode() on type sbyte is redundant. |

csharp/ql/test/query-tests/Useless Code/IntGetHashCode/IntGetHashCode.qlref

@@ -1 +1,2 @@
-Useless code/IntGetHashCode.ql
+query: Useless code/IntGetHashCode.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/lib/change-notes/2025-03-13-unescape.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint-steps for `unescape()`.

javascript/ql/lib/semmle/javascript/Promises.qll

@@ -4,6 +4,7 @@
 
 import javascript
 private import dataflow.internal.StepSummary
+private import semmle.javascript.dataflow.internal.FlowSteps
 
 /**
  * A call to the `Promise` constructor, such as `new Promise((resolve, reject) => { ... })`.
@@ -397,6 +398,17 @@ module PromiseFlow {
       value = call.getCallback(0).getExceptionalReturn() and
       obj = call
     )
+    or
+    exists(DataFlow::FunctionNode f | f.getFunction().isAsync() |
+      // ordinary return
+      prop = valueProp() and
+      value = f.getAReturn() and
+      obj = f.getReturnNode()
+      or
+      // exceptional return
+      prop = errorProp() and
+      localExceptionStepWithAsyncFlag(value, obj, true)
+    )
   }
 
   /**
@@ -525,30 +537,6 @@ private class PromiseTaintStep extends TaintTracking::LegacyTaintStep {
  * Defines flow steps for return on async functions.
  */
 private module AsyncReturnSteps {
-  private predicate valueProp = Promises::valueProp/0;
-
-  private predicate errorProp = Promises::errorProp/0;
-
-  private import semmle.javascript.dataflow.internal.FlowSteps
-
-  /**
-   * A data-flow step for ordinary and exceptional returns from async functions.
-   */
-  private class AsyncReturn extends LegacyPreCallGraphStep {
-    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
-      exists(DataFlow::FunctionNode f | f.getFunction().isAsync() |
-        // ordinary return
-        prop = valueProp() and
-        pred = f.getAReturn() and
-        succ = f.getReturnNode()
-        or
-        // exceptional return
-        prop = errorProp() and
-        localExceptionStepWithAsyncFlag(pred, succ, true)
-      )
-    }
-  }
-
   /**
    * A data-flow step for ordinary return from an async function in a taint configuration.
    */

javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

@@ -494,7 +494,7 @@ module TaintTracking {
           succ = c and
           c =
             DataFlow::globalVarRef([
-                "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent"
+                "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent", "unescape"
               ]).getACall() and
           pred = c.getArgument(0)
         )

javascript/ql/test/ApiGraphs/async-await/wrap-async-in-thunk.js

@@ -0,0 +1,26 @@
+import * as t from "testlib";
+
+async function getData1() {
+    const data = await fetch("https://example.com/content");
+    return data.json(); /* def=moduleImport("testlib").getMember("exports").getMember("foo").getParameter(0).getReturn().getPromised() */
+}
+
+export function use1() {
+    t.foo(() => getData1());
+}
+
+async function getData2() {
+    const data = await fetch("https://example.com/content");
+    return data.json(); /* def=moduleImport("testlib").getMember("exports").getMember("foo").getParameter(0).getReturn().getPromised() */
+}
+
+export function use2() {
+    t.foo(getData2);
+}
+
+export function use3() {
+    t.foo(async () => {
+        const data = await fetch("https://example.com/content");
+        return data.json(); /* def=moduleImport("testlib").getMember("exports").getMember("foo").getParameter(0).getReturn().getPromised() */
+    });
+}

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -223,6 +223,7 @@
 | tst.js:477:18:477:40 | locatio ... bstr(1) | tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:477:18:477:30 | location.hash | user-provided value |
 | tst.js:484:33:484:63 | decodeU ... n.hash) | tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:484:43:484:62 | window.location.hash | user-provided value |
 | tst.js:492:18:492:54 | target. ... "), '') | tst.js:491:16:491:39 | documen ... .search | tst.js:492:18:492:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:491:16:491:39 | documen ... .search | user-provided value |
+| tst.js:499:18:499:33 | unescape(source) | tst.js:498:16:498:26 | window.name | tst.js:499:18:499:33 | unescape(source) | Cross-site scripting vulnerability due to $@. | tst.js:498:16:498:26 | window.name | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "<div>" ... </div>" | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value |
@@ -745,6 +746,9 @@ edges
 | tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance |  |
 | tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance |  |
 | tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance |  |
+| tst.js:498:7:498:26 | source | tst.js:499:27:499:32 | source | provenance |  |
+| tst.js:498:16:498:26 | window.name | tst.js:498:7:498:26 | source | provenance |  |
+| tst.js:499:27:499:32 | source | tst.js:499:18:499:33 | unescape(source) | provenance |  |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance |  |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance |  |
 | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val | provenance |  |
@@ -1397,6 +1401,10 @@ nodes
 | tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:492:18:492:23 | target | semmle.label | target |
 | tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') |
+| tst.js:498:7:498:26 | source | semmle.label | source |
+| tst.js:498:16:498:26 | window.name | semmle.label | window.name |
+| tst.js:499:18:499:33 | unescape(source) | semmle.label | unescape(source) |
+| tst.js:499:27:499:32 | source | semmle.label | source |
 | typeahead.js:20:13:20:45 | target | semmle.label | target |
 | typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search |
 | typeahead.js:21:12:21:17 | target | semmle.label | target |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -607,6 +607,10 @@ nodes
 | tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search |
 | tst.js:492:18:492:23 | target | semmle.label | target |
 | tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') |
+| tst.js:498:7:498:26 | source | semmle.label | source |
+| tst.js:498:16:498:26 | window.name | semmle.label | window.name |
+| tst.js:499:18:499:33 | unescape(source) | semmle.label | unescape(source) |
+| tst.js:499:27:499:32 | source | semmle.label | source |
 | typeahead.js:9:28:9:30 | loc | semmle.label | loc |
 | typeahead.js:10:16:10:18 | loc | semmle.label | loc |
 | typeahead.js:20:13:20:45 | target | semmle.label | target |
@@ -1186,6 +1190,9 @@ edges
 | tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance |  |
 | tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance |  |
 | tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance |  |
+| tst.js:498:7:498:26 | source | tst.js:499:27:499:32 | source | provenance |  |
+| tst.js:498:16:498:26 | window.name | tst.js:498:7:498:26 | source | provenance |  |
+| tst.js:499:27:499:32 | source | tst.js:499:18:499:33 | unescape(source) | provenance |  |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | provenance |  |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance |  |
 | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance |  |