Merge branch 'github:main' into main-1

krishnprakash · web-flow · commit 4024e83fad43 · 2025-03-10T07:17:48.000+05:30
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
@@ -50,6 +50,11 @@
                 "${input:name}",
                 "${input:categoryQuery}"
             ],
+            "options": {
+                "env": {
+                    "EDITOR": "code -r",
+                }
+            },
             "presentation": {
                 "reveal": "never",
                 "close": true
@@ -67,6 +72,11 @@
                 "${input:name}",
                 "${input:categoryLibrary}"
             ],
+            "options": {
+                "env": {
+                    "EDITOR": "code -r"
+                }
+            },
             "presentation": {
                 "reveal": "never",
                 "close": true
diff --git a/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md b/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
@@ -2,6 +2,7 @@
 category: fix
 ---
 * The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
-  Immutable Actions feature is not yet available for customer use. The query remains in the
-  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
-  available, the query will be updated to report alerts again.
+  Immutable Actions feature is not yet available for customer use. The query has also been moved
+  to the experimental folder and will not be used in code scanning unless it is explicitly added
+  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
+  be updated to report alerts again.
diff --git a/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.md b/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.md
diff --git a/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql b/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
@@ -8,6 +8,7 @@
  * @tags security
  *       actions
  *       internal
+ *       experimental
  *       external/cwe/cwe-829
  */
 
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref b/actions/ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref
@@ -1 +1 @@
-Security/CWE-829/UnversionedImmutableAction.ql
+experimental/Security/CWE-829/UnversionedImmutableAction.ql
diff --git a/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql b/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
@@ -1,7 +1,7 @@
 /**
  * @name Include file resolution status
- * @description A count of successful includes and includes that failed to resolve.
- *                This query is for internal use only and may change without notice.
+ * @description Counts unresolved and resolved #includes.
+ *              This query is for internal use only and may change without notice.
  * @kind table
  * @id cpp/include-resolution-status
  */
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Assembly.cs
@@ -31,7 +31,7 @@ public override void Populate(TextWriter trapFile)
         {
             if (assemblyPath is not null)
             {
-                var isBuildlessOutputAssembly = isOutputAssembly && Context.ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone);
+                var isBuildlessOutputAssembly = isOutputAssembly && Context.ExtractionContext.IsStandalone;
                 var identifier = isBuildlessOutputAssembly
                     ? ""
                     : assembly.ToString() ?? "";
@@ -72,7 +72,7 @@ public static Assembly CreateOutputAssembly(Context cx)
 
         public override void WriteId(EscapingTextWriter trapFile)
         {
-            if (isOutputAssembly && Context.ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone))
+            if (isOutputAssembly && Context.ExtractionContext.IsStandalone)
             {
                 trapFile.Write("buildlessOutputAssembly");
             }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs
@@ -133,7 +133,7 @@ public IMethodSymbol? TargetSymbol
                         .Where(method => method.Parameters.Length >= Syntax.ArgumentList.Arguments.Count)
                         .Where(method => method.Parameters.Count(p => !p.HasExplicitDefaultValue) <= Syntax.ArgumentList.Arguments.Count);
 
-                    return Context.ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone) ?
+                    return Context.ExtractionContext.IsStandalone ?
                         candidates.FirstOrDefault() :
                         candidates.SingleOrDefault();
                 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
@@ -166,7 +166,9 @@ private class UnderlyingTupleTypeFactory : CachedEntityFactory<INamedTypeSymbol,
         // Create typerefs for constructed error types in case they are fully defined elsewhere.
         // We cannot use `!this.NeedsPopulation` because this would not be stable as it would depend on
         // the assembly that was being extracted at the time.
-        private bool UsesTypeRef => Symbol.TypeKind == TypeKind.Error || SymbolEqualityComparer.Default.Equals(Symbol.OriginalDefinition, Symbol);
+        private bool UsesTypeRef =>
+            Symbol.TypeKind == TypeKind.Error ||
+            SymbolEqualityComparer.Default.Equals(Symbol.OriginalDefinition, Symbol);
 
         public override Type TypeRef => UsesTypeRef ? (Type)NamedTypeRef.Create(Context, Symbol) : this;
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
@@ -25,6 +25,40 @@ public static bool ConstructedOrParentIsConstructed(INamedTypeSymbol symbol)
                 symbol.ContainingType is not null && ConstructedOrParentIsConstructed(symbol.ContainingType);
         }
 
+
+        /// <summary>
+        /// A hashset containing the C# contextual keywords that could be confused with types (and typing).
+        ///
+        /// For the list of all contextual keywords, see
+        /// https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/#contextual-keywords
+        /// </summary>
+        private readonly HashSet<string> ContextualKeywordTypes = [
+            "dynamic",
+            "nint",
+            "nuint",
+            "var"
+            ];
+
+        /// <summary>
+        /// Returns true in case we suspect this is a broken type.
+        /// </summary>
+        /// <param name="symbol">Type symbol</param>
+        private bool IsBrokenType(ITypeSymbol symbol)
+        {
+            if (!Context.ExtractionContext.IsStandalone ||
+                !symbol.FromSource() ||
+                symbol.IsAnonymousType)
+            {
+                return false;
+            }
+
+            // (1) public class { ... } is a broken type as it doesn't have a name.
+            // (2) public class var { ... } is an allowed type, but it overrides the `var` keyword for all uses.
+            //     The same goes for other contextual keywords that could be used as type names.
+            //     It is probably a better heuristic to treat these as broken types.
+            return string.IsNullOrEmpty(symbol.Name) || ContextualKeywordTypes.Contains(symbol.Name);
+        }
+
         public Kinds.TypeKind GetTypeKind(Context cx, bool constructUnderlyingTupleType)
         {
             switch (Symbol.SpecialType)
@@ -48,6 +82,9 @@ public Kinds.TypeKind GetTypeKind(Context cx, bool constructUnderlyingTupleType)
                     if (Symbol.IsBoundNullable())
                         return Kinds.TypeKind.NULLABLE;
 
+                    if (IsBrokenType(Symbol))
+                        return Kinds.TypeKind.UNKNOWN;
+
                     switch (Symbol.TypeKind)
                     {
                         case TypeKind.Class: return Kinds.TypeKind.CLASS;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/BinaryLogExtractionContext.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/BinaryLogExtractionContext.cs
@@ -47,7 +47,7 @@ public BinaryLogExtractionContext(string cwd, string[] args, string outputPath,
 
         public static string? GetAdjustedPath(ExtractionContext extractionContext, string sourcePath)
         {
-            if (extractionContext.Mode.HasFlag(ExtractorMode.BinaryLog)
+            if (extractionContext.IsBinaryLog
                 && extractionContext is BinaryLogExtractionContext binaryLogExtractionContext
                 && binaryLogExtractionContext.GetAdjustedPath(sourcePath) is string adjustedPath)
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Context.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Context.cs
@@ -267,7 +267,7 @@ private void Populate(ISymbol? optionalSymbol, Entities.CachedEntity entity)
 
             bool duplicationGuard, deferred;
 
-            if (ExtractionContext.Mode is ExtractorMode.Standalone)
+            if (ExtractionContext.IsStandalone)
             {
                 duplicationGuard = false;
                 deferred = false;
@@ -376,7 +376,7 @@ private void ExtractionError(InternalError error)
 
         private void ReportError(InternalError error)
         {
-            if (!ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone))
+            if (!ExtractionContext.IsStandalone)
                 throw error;
 
             ExtractionError(error);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/ExtractionContext.cs
@@ -15,6 +15,8 @@ public class ExtractionContext
         public ExtractorMode Mode { get; }
         public string OutputPath { get; }
         public IEnumerable<CompilationInfo> CompilationInfos { get; }
+        public bool IsStandalone => Mode.HasFlag(ExtractorMode.Standalone);
+        public bool IsBinaryLog => Mode.HasFlag(ExtractorMode.BinaryLog);
 
         /// <summary>
         /// Creates a new extractor instance for one compilation unit.
diff --git a/csharp/ql/lib/semmle/code/csharp/Type.qll b/csharp/ql/lib/semmle/code/csharp/Type.qll
@@ -1214,6 +1214,8 @@ class ArglistType extends Type, @arglist_type {
 class UnknownType extends Type, @unknown_type {
   /** Holds if this is the canonical unknown type, and not a type that failed to extract properly. */
   predicate isCanonical() { types(this, _, "<unknown type>") }
+
+  override string getAPrimaryQlClass() { result = "UnknownType" }
 }
 
 /**
diff --git a/csharp/ql/test/library-tests/standalone/brokentypes/BrokenTypes.cs b/csharp/ql/test/library-tests/standalone/brokentypes/BrokenTypes.cs
@@ -0,0 +1,28 @@
+// Broken type without a name.
+public class { }
+
+// Legal declaration, but we want don't want to use it.
+public class var { }
+
+public class C
+{
+    public string Prop { get; set; }
+}
+
+
+public class Program
+{
+    public static void Main()
+    {
+        C x1 = new C();
+        string y1 = x1.Prop;
+
+        var x2 = new C(); // Has type `var` as this overrides the implicitly typed keyword `var`.
+        var y2 = x2.Prop; // Unknown type as `x2` has type `var`.
+
+        C2 x3 = new C2(); // Unknown type.
+        var y3 = x3.Prop; // Unknown property of unknown type.
+
+        string s = x1.Prop + x3.Prop;
+    }
+}
diff --git a/csharp/ql/test/library-tests/standalone/brokentypes/brokenTypes.expected b/csharp/ql/test/library-tests/standalone/brokentypes/brokenTypes.expected
@@ -0,0 +1,36 @@
+| BrokenTypes.cs:2:14:2:13 | call to constructor Object | object | ObjectType |
+| BrokenTypes.cs:5:14:5:16 | call to constructor Object | object | ObjectType |
+| BrokenTypes.cs:7:14:7:14 | call to constructor Object | object | ObjectType |
+| BrokenTypes.cs:13:14:13:20 | call to constructor Object | object | ObjectType |
+| BrokenTypes.cs:17:11:17:12 | access to local variable x1 | C | Class |
+| BrokenTypes.cs:17:11:17:22 | C x1 = ... | C | Class |
+| BrokenTypes.cs:17:16:17:22 | object creation of type C | C | Class |
+| BrokenTypes.cs:18:16:18:17 | access to local variable y1 | string | StringType |
+| BrokenTypes.cs:18:16:18:27 | String y1 = ... | string | StringType |
+| BrokenTypes.cs:18:21:18:22 | access to local variable x1 | C | Class |
+| BrokenTypes.cs:18:21:18:27 | access to property Prop | string | StringType |
+| BrokenTypes.cs:20:13:20:14 | access to local variable x2 | var | UnknownType |
+| BrokenTypes.cs:20:13:20:24 | var x2 = ... | var | UnknownType |
+| BrokenTypes.cs:20:18:20:24 | (...) ... | var | UnknownType |
+| BrokenTypes.cs:20:18:20:24 | object creation of type C | C | Class |
+| BrokenTypes.cs:21:13:21:14 | access to local variable y2 | var | UnknownType |
+| BrokenTypes.cs:21:13:21:24 | var y2 = ... | var | UnknownType |
+| BrokenTypes.cs:21:18:21:19 | access to local variable x2 | var | UnknownType |
+| BrokenTypes.cs:21:18:21:24 | (...) ... | var | UnknownType |
+| BrokenTypes.cs:21:18:21:24 | access to property (unknown) |  | UnknownType |
+| BrokenTypes.cs:23:12:23:13 | access to local variable x3 | <unknown type> | UnknownType |
+| BrokenTypes.cs:23:12:23:24 | <unknown type> x3 = ... | <unknown type> | UnknownType |
+| BrokenTypes.cs:23:17:23:24 | object creation of type <unknown type> | <unknown type> | UnknownType |
+| BrokenTypes.cs:24:13:24:14 | access to local variable y3 | var | UnknownType |
+| BrokenTypes.cs:24:13:24:24 | var y3 = ... | var | UnknownType |
+| BrokenTypes.cs:24:18:24:19 | access to local variable x3 | <unknown type> | UnknownType |
+| BrokenTypes.cs:24:18:24:24 | (...) ... | var | UnknownType |
+| BrokenTypes.cs:24:18:24:24 | access to property (unknown) |  | UnknownType |
+| BrokenTypes.cs:26:16:26:16 | access to local variable s | string | StringType |
+| BrokenTypes.cs:26:16:26:36 | String s = ... | string | StringType |
+| BrokenTypes.cs:26:20:26:21 | access to local variable x1 | C | Class |
+| BrokenTypes.cs:26:20:26:26 | access to property Prop | string | StringType |
+| BrokenTypes.cs:26:20:26:36 | (...) ... | string | StringType |
+| BrokenTypes.cs:26:20:26:36 | ... + ... |  | UnknownType |
+| BrokenTypes.cs:26:30:26:31 | access to local variable x3 | <unknown type> | UnknownType |
+| BrokenTypes.cs:26:30:26:36 | access to property (unknown) |  | UnknownType |
diff --git a/csharp/ql/test/library-tests/standalone/brokentypes/brokenTypes.ql b/csharp/ql/test/library-tests/standalone/brokentypes/brokenTypes.ql
@@ -0,0 +1,5 @@
+import csharp
+
+from Expr e, Type t
+where e.fromSource() and t = e.getType()
+select e, t.toStringWithTypes(), t.getAPrimaryQlClass()
diff --git a/csharp/ql/test/library-tests/standalone/brokentypes/options b/csharp/ql/test/library-tests/standalone/brokentypes/options
@@ -0,0 +1 @@
+semmle-extractor-options: --standalone
diff --git a/java/ql/consistency-queries/SsaConsistency.ql b/java/ql/consistency-queries/SsaConsistency.ql
@@ -0,0 +1,3 @@
+import java
+import semmle.code.java.dataflow.internal.SsaImpl
+import Impl::Consistency
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll b/java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll
@@ -168,12 +168,15 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * Holds if the `i`th of basic block `bb` reads source variable `v`.
    */
   predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    exists(VarRead use |
-      v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+    hasDominanceInformation(bb) and
+    (
+      exists(VarRead use |
+        v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+      )
+      or
+      variableCapture(v, _, bb, i) and
+      certain = false
     )
-    or
-    variableCapture(v, _, bb, i) and
-    certain = false
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll
@@ -204,12 +204,15 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
    * This includes implicit reads via calls.
    */
   predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    exists(VarRead use |
-      v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+    hasDominanceInformation(bb) and
+    (
+      exists(VarRead use |
+        v.getAnAccess() = use and bb.getNode(i) = use.getControlFlowNode() and certain = true
+      )
+      or
+      variableCapture(v, _, bb, i) and
+      certain = false
     )
-    or
-    variableCapture(v, _, bb, i) and
-    certain = false
   }
 }
 
diff --git a/misc/scripts/create-change-note.py b/misc/scripts/create-change-note.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 
-# Creates a change note and opens it in VSCode for editing.
+# Creates a change note and opens it in $EDITOR (or VSCode if the environment
+# variable is not set) for editing.
 
 # Expects to receive the following arguments:
 # - What language the change note is for
@@ -51,5 +52,6 @@
 with open(change_note_file, "w") as f:
     f.write(change_note)
 
-# Open the change note file in VSCode, reusing the existing window if possible
-os.system(f"code -r {change_note_file}")
+editor = os.environ.get('EDITOR', 'code -r')
+
+os.system(f"{editor} {change_note_file}")
diff --git a/ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected b/ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected
@@ -12,7 +12,6 @@ newStyleBarrierGuards
 | barrier-guards.rb:28:5:28:7 | foo |
 | barrier-guards.rb:37:21:38:19 | [input] SSA phi read(foo) |
 | barrier-guards.rb:38:5:38:7 | foo |
-| barrier-guards.rb:43:16:46:5 | [input] SSA phi read(foo) |
 | barrier-guards.rb:45:9:45:11 | foo |
 | barrier-guards.rb:70:22:71:19 | [input] SSA phi read(foo) |
 | barrier-guards.rb:71:5:71:7 | foo |
@@ -51,9 +50,7 @@ newStyleBarrierGuards
 | barrier-guards.rb:199:4:199:15 | [input] SSA phi read(foo) |
 | barrier-guards.rb:199:4:199:31 | [input] SSA phi read(foo) |
 | barrier-guards.rb:199:20:199:31 | [input] SSA phi read(foo) |
-| barrier-guards.rb:203:4:203:15 | [input] SSA phi read(foo) |
 | barrier-guards.rb:203:36:203:47 | [input] SSA phi read(foo) |
-| barrier-guards.rb:207:21:207:21 | [input] SSA phi read(foo) |
 | barrier-guards.rb:207:22:208:19 | [input] SSA phi read(foo) |
 | barrier-guards.rb:208:5:208:7 | foo |
 | barrier-guards.rb:211:22:212:19 | [input] SSA phi read(foo) |
@@ -64,8 +61,6 @@ newStyleBarrierGuards
 | barrier-guards.rb:219:21:219:32 | [input] SSA phi read(foo) |
 | barrier-guards.rb:219:95:220:19 | [input] SSA phi read(foo) |
 | barrier-guards.rb:220:5:220:7 | foo |
-| barrier-guards.rb:227:21:227:21 | [input] SSA phi read(foo) |
-| barrier-guards.rb:227:22:228:7 | [input] SSA phi read(foo) |
 | barrier-guards.rb:232:18:233:19 | [input] SSA phi read(foo) |
 | barrier-guards.rb:233:5:233:7 | foo |
 | barrier-guards.rb:237:19:237:38 | [input] SSA phi read(foo) |
diff --git a/rust/ql/test/query-tests/security/CWE-089/CONSISTENCY/SsaConsistency.expected b/rust/ql/test/query-tests/security/CWE-089/CONSISTENCY/SsaConsistency.expected
@@ -0,0 +1,4 @@
+uselessPhiNode
+| sqlx.rs:155:5:157:5 | phi | 1 |
+phiWithoutTwoPriorRefs
+| sqlx.rs:155:5:157:5 | phi | 1 |
diff --git a/shared/ssa/codeql/ssa/Ssa.qll b/shared/ssa/codeql/ssa/Ssa.qll

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Security/CWE-829/UnversionedImmutableAction.ql`
	`1`	`+experimental/Security/CWE-829/UnversionedImmutableAction.ql`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public override void Populate(TextWriter trapFile)`
`31`	`31`	`{`
`32`	`32`	`if (assemblyPath is not null)`
`33`	`33`	`{`
`34`		`- var isBuildlessOutputAssembly = isOutputAssembly && Context.ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone);`
	`34`	`+ var isBuildlessOutputAssembly = isOutputAssembly && Context.ExtractionContext.IsStandalone;`
`35`	`35`	`var identifier = isBuildlessOutputAssembly`
`36`	`36`	`? ""`
`37`	`37`	`: assembly.ToString() ?? "";`
`@@ -72,7 +72,7 @@ public static Assembly CreateOutputAssembly(Context cx)`
`72`	`72`
`73`	`73`	`public override void WriteId(EscapingTextWriter trapFile)`
`74`	`74`	`{`
`75`		`- if (isOutputAssembly && Context.ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone))`
	`75`	`+ if (isOutputAssembly && Context.ExtractionContext.IsStandalone)`
`76`	`76`	`{`
`77`	`77`	`trapFile.Write("buildlessOutputAssembly");`
`78`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,7 @@ public IMethodSymbol? TargetSymbol`
`133`	`133`	`.Where(method => method.Parameters.Length >= Syntax.ArgumentList.Arguments.Count)`
`134`	`134`	`.Where(method => method.Parameters.Count(p => !p.HasExplicitDefaultValue) <= Syntax.ArgumentList.Arguments.Count);`
`135`	`135`
`136`		`- return Context.ExtractionContext.Mode.HasFlag(ExtractorMode.Standalone) ?`
	`136`	`+ return Context.ExtractionContext.IsStandalone ?`
`137`	`137`	`candidates.FirstOrDefault() :`
`138`	`138`	`candidates.SingleOrDefault();`
`139`	`139`	`}`