Merge branch 'main' into main

Author: fabienpe

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -49,7 +49,11 @@ private Class getRootType(FieldAccess fa) {
   exists(VariableAccess root |
     root = fa.getQualifier+() and
     not exists(root.getQualifier()) and
-    result = root.getUnspecifiedType()
+    // We strip the type because the root may be a pointer. For example `p` in:
+    // struct S { char buffer[10]; };
+    // S* p = ...;
+    // strcpy(p->buffer, "abc");
+    result = root.getUnspecifiedType().stripType()
   )
 }
 

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -171,7 +171,9 @@ where
   not arg.isAffectedByMacro() and
   not arg.isFromUninstantiatedTemplate(_) and
   not actual.stripType() instanceof ErroneousType and
-  not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
+  not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and
+  // Make sure that the format function definition is consistent
+  count(ffc.getTarget().getFormatParameterIndex()) = 1
 select arg,
   "This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
     actual.getUnspecifiedType().getName() + "'."

cpp/ql/src/change-notes/2025-01-31-format-args.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Wrong type of arguments to formatting function" query (`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c

@@ -10,3 +10,21 @@ void f(UNKNOWN_CHAR * str) {
     fprintf(0, "%s", ""); // GOOD
     printf("%s", str); // GOOD - erroneous type is ignored
 }
+
+#define va_list void*
+#define va_start(x, y) x = 0;
+#define va_arg(x, y) ((y)x)
+#define va_end(x)
+int vprintf(const char * format, va_list args);
+
+int my_printf(const char * format, ...) {
+    va_list args;
+    va_start(args, format);
+    int result = vprintf(format, args);
+    va_end(args);
+    return result;
+}
+
+void linker_awareness_test() {
+    my_printf("%s%d", "", 1);  // GOOD
+}

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests2.c

@@ -0,0 +1,14 @@
+#define va_list void*
+#define va_start(x, y) x = 0;
+#define va_arg(x, y) ((y)x)
+#define va_end(x)
+
+int vprintf(const char * format, va_list args);
+
+int my_printf(void * p,const char * format, ...) {
+    va_list args;
+    va_start(args, format);
+    int result = vprintf(format, args);
+    va_end(args);
+    return result;
+}

csharp/documentation/library-coverage/coverage.csv

@@ -48,5 +48,5 @@ MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,10819,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5512,5307
+System,54,47,10864,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5547,5317
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,10819,54,5
+   System,"``System.*``, ``System``",47,10864,54,5
    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",61,2075,152,4
-   Totals,,108,12901,400,9
+   Totals,,108,12946,400,9
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -30,6 +30,10 @@ protected Accessor(Context cx, IMethodSymbol init, IPropertySymbol property)
             return props.SingleOrDefault();
         }
 
+        public override bool NeedsPopulation =>
+            base.NeedsPopulation &&
+            !Symbol.IsPartialDefinition; // Accessors always have an implementing declaration as well.
+
         public override void Populate(TextWriter trapFile)
         {
             PopulateMethod(trapFile);

csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs

@@ -22,16 +22,16 @@ public override void Populate(TextWriter trapFile)
             foreach (var l in Locations)
                 trapFile.indexer_location(this, l);
 
-            var getter = Symbol.GetMethod;
-            var setter = Symbol.SetMethod;
+            var getter = BodyDeclaringSymbol.GetMethod;
+            var setter = BodyDeclaringSymbol.SetMethod;
 
             if (getter is null && setter is null)
                 Context.ModelError(Symbol, "No indexer accessor defined");
 
-            if (!(getter is null))
+            if (getter is not null)
                 Method.Create(Context, getter);
 
-            if (!(setter is null))
+            if (setter is not null)
                 Method.Create(Context, setter);
 
             for (var i = 0; i < Symbol.Parameters.Length; ++i)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs

@@ -21,6 +21,10 @@ protected Property(Context cx, IPropertySymbol init)
 
         private Type Type => type.Value;
 
+        protected override IPropertySymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
+
+        public override Microsoft.CodeAnalysis.Location? ReportingLocation => BodyDeclaringSymbol.Locations.BestOrDefault();
+
         public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Type);
@@ -43,13 +47,13 @@ public override void Populate(TextWriter trapFile)
             var type = Type;
             trapFile.properties(this, Symbol.GetName(), ContainingType!, type.TypeRef, Create(Context, Symbol.OriginalDefinition));
 
-            var getter = Symbol.GetMethod;
-            var setter = Symbol.SetMethod;
+            var getter = BodyDeclaringSymbol.GetMethod;
+            var setter = BodyDeclaringSymbol.SetMethod;
 
-            if (!(getter is null))
+            if (getter is not null)
                 Method.Create(Context, getter);
 
-            if (!(setter is null))
+            if (setter is not null)
                 Method.Create(Context, setter);
 
             var declSyntaxReferences = IsSourceDeclaration ?

csharp/ql/lib/change-notes/2025-01-22-partial-members.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 13: Added support for partial properties and indexers.

csharp/ql/lib/change-notes/2025-01-29-params-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+C# 13: Added MaD models for some overload implementations using `ReadOnlySpan` parameters (like `String.Format(System.String, System.ReadOnlySpan<System.Object>))`).

csharp/ql/lib/ext/System.IO.model.yml

@@ -63,6 +63,7 @@ extensions:
       - ["System.IO", "Path", False, "Combine", "(System.String,System.String,System.String,System.String)", "", "Argument[2]", "ReturnValue", "taint", "manual"]
       - ["System.IO", "Path", False, "Combine", "(System.String,System.String,System.String,System.String)", "", "Argument[3]", "ReturnValue", "taint", "manual"]
       - ["System.IO", "Path", False, "Combine", "(System.String[])", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
+      - ["System.IO", "Path", False, "Combine", "(System.ReadOnlySpan<System.String>)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
       - ["System.IO", "Path", False, "GetDirectoryName", "(System.ReadOnlySpan<System.Char>)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
       - ["System.IO", "Path", False, "GetDirectoryName", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.IO", "Path", False, "GetExtension", "(System.ReadOnlySpan<System.Char>)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
@@ -96,6 +97,7 @@ extensions:
       - ["System.IO", "Stream", True, "ReadExactly", "(System.Span<System.Byte>)", "", "Argument[this]", "Argument[0].Element", "taint", "manual"]
       - ["System.IO", "Stream", True, "ReadExactly", "(System.Byte[],System.Int32,System.Int32)", "", "Argument[this]", "Argument[0].Element", "taint", "manual"]
       - ["System.IO", "Stream", True, "Write", "(System.Byte[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
+      - ["System.IO", "Stream", True, "Write", "(System.ReadOnlySpan<System.Byte>)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
       - ["System.IO", "Stream", False, "WriteAsync", "(System.Byte[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
       - ["System.IO", "Stream", True, "WriteAsync", "(System.Byte[],System.Int32,System.Int32,System.Threading.CancellationToken)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
       - ["System.IO", "StreamReader", False, "StreamReader", "(System.IO.Stream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

csharp/ql/lib/ext/System.Text.model.yml

@@ -70,6 +70,15 @@ extensions:
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[1]", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[2].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[2].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.Text.CompositeFormat,System.Object[])", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.Text.CompositeFormat,System.Object[])", "", "Argument[2].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.Text.CompositeFormat,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.Text.CompositeFormat,System.ReadOnlySpan<System.Object>)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.Text.CompositeFormat,System.ReadOnlySpan<System.Object>)", "", "Argument[2].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.Text.CompositeFormat,System.ReadOnlySpan<System.Object>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
@@ -85,16 +94,29 @@ extensions:
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.Object[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.ReadOnlySpan<System.Object>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.ReadOnlySpan<System.Object>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.String[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.String[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.ReadOnlySpan<System.String>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.ReadOnlySpan<System.String>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.ReadOnlySpan<System.Object>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.ReadOnlySpan<System.String>)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.ReadOnlySpan<System.String>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
+      - ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.ReadOnlySpan<System.String>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.Char,System.Collections.Generic.IEnumerable<T>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.Char,System.Collections.Generic.IEnumerable<T>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.String,System.Collections.Generic.IEnumerable<T>)", "", "Argument[0]", "Argument[this]", "taint", "manual"]