Merge branch 'main' into redsun82/env-dump-integration-test

github · Jan 23, 2025 · 13f1f8f · 13f1f8f
2 parents cf430da + e096bdb
commit 13f1f8f
Show file tree

Hide file tree

Showing 23 changed files with 1,468 additions and 1,284 deletions.
diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -981,7 +981,8 @@ private module Cached {
     or
     exists(CompareValueNumber cmp, Operand left, Operand right, AbstractValue v |
       test = cmp and
-      cmp.hasOperands(left, right) and
+      pragma[only_bind_into](cmp)
+          .hasOperands(pragma[only_bind_into](left), pragma[only_bind_into](right)) and
       isConvertedBool(left.getDef()) and
       int_value(right.getDef()) = 0 and
       unary_compares_eq(valueNumberOfOperand(left), op, k, areEqual, v)

diff --git a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.cs b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.cs
@@ -13,6 +13,8 @@ public static void Sink<T>(T t) { }
 
     public static void SinkElem<T>(T[] ts) => Sink(ts[0]);
 
+    public static void SinkLastElem<T>(T[] ts) => Sink(ts[^1]);
+
     public static void SinkListElem<T>(IList<T> list) => Sink(list[0]);
 
     public static void SinkDictValue<T>(IDictionary<int, T> dict) => Sink(dict[0]);
@@ -21,6 +23,8 @@ public static void Sink<T>(T t) { }
 
     public static T First<T>(T[] ts) => ts[0];
 
+    public static T Last<T>(T[] ts) => ts[^1];
+
     public static T ListFirst<T>(IList<T> list) => list[0];
 
     public static T DictIndexZero<T>(IDictionary<int, T> dict) => dict[0];
@@ -73,6 +77,15 @@ public void ArrayInitializerCSharp6NoFlow(A other)
         Sink(First(c.As)); // no flow
     }
 
+    public void ArrayInitializerImplicitIndexFlow()
+    {
+        var a = new A();
+        var c = new CollectionFlow() { As = { [^1] = a } };
+        Sink(c.As[^1]); // flow
+        SinkLastElem(c.As); // flow
+        Sink(Last(c.As)); // flow
+    }
+
     public void ArrayAssignmentFlow()
     {
         var a = new A();
@@ -93,6 +106,16 @@ public void ArrayAssignmentNoFlow(A other)
         Sink(First(@as)); // no flow
     }
 
+    public void ArrayAssignmentImplicitIndexFlow()
+    {
+        var a = new A();
+        var @as = new A[1];
+        @as[^1] = a;
+        Sink(@as[^1]); // flow
+        SinkLastElem(@as); // flow
+        Sink(Last(@as)); // flow
+    }
+
     public void ListAssignmentFlow()
     {
         var a = new A();

diff --git a/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected b/csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected
diff --git a/csharp/ql/test/library-tests/index/Index.cs b/csharp/ql/test/library-tests/index/Index.cs
@@ -0,0 +1,24 @@
+using System;
+
+public class Container
+{
+    public object[] Buffer { get; } = new object[10];
+}
+
+public class TestIndex
+{
+    public void M()
+    {
+        var c = new Container()
+        {
+            Buffer =
+            {
+                [0] = new object(),
+                [1] = new object(),
+                [^1] = new object()
+            }
+        };
+        c.Buffer[4] = new object();
+        c.Buffer[^3] = new object();
+    }
+}
diff --git a/csharp/ql/test/library-tests/index/Index.expected b/csharp/ql/test/library-tests/index/Index.expected
@@ -0,0 +1,2 @@
+| Index.cs:18:18:18:19 | ^... | Index.cs:18:19:18:19 | 1 |
+| Index.cs:22:18:22:19 | ^... | Index.cs:22:19:22:19 | 3 |
diff --git a/csharp/ql/test/library-tests/index/Index.ql b/csharp/ql/test/library-tests/index/Index.ql
@@ -0,0 +1,4 @@
+import csharp
+
+from IndexExpr e
+select e, e.getExpr()
diff --git a/rust/README.md b/rust/README.md
@@ -11,10 +11,18 @@ If you don't have the `semmle-code` repo you may need to install Bazel manually,
 
 ### Building the Rust Extractor
 
-This approach uses a released `codeql` version and is simpler to use for QL development. From your `semmle-code` directory run:
+This approach uses a released `codeql` version and is simpler to use for QL development. From anywhere under your `semmle-code` or `codeql` directory you can run:
 ```bash
 bazel run @codeql//rust:install
 ```
+
+You can use shorter versions of the above command:
+```bash
+bazel run //rust:install  # if under the `codeql` checkout
+bazel run rust:install  # if at the root of the `codeql` checkout
+bazel run :install  # if at the `rust` directory of the `codeql` checkout
+```
+
 You now need to create a [per-user CodeQL configuration file](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/specifying-command-options-in-a-codeql-configuration-file#using-a-codeql-configuration-file) and specify the option:
 ```
 --search-path PATH/TO/semmle-code/ql
@@ -40,4 +48,17 @@ TODO
 
 ### Code Generation
 
-TODO
+If you make changes to either
+* `ast-generator/`, or
+* `schema/*.py`
+
+you'll need to regenerate code. You can do so running
+```sh
+bazel run @codeql//rust/codegen
+```
+
+Sometimes, especially if resolving conflicts on generated files, you might need to run
+```sh
+bazel run @codeql//rust/codegen -- --force
+```
+for code generation to succeed.
diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -7,6 +7,7 @@
 private import codeql.rust.dataflow.DataFlow
 private import codeql.threatmodels.ThreatModels
 private import codeql.rust.Frameworks
+private import codeql.rust.dataflow.FlowSource
 
 /**
  * A data flow source for a specific threat-model.
@@ -66,6 +67,13 @@ module CommandLineArgsSource {
   }
 }
 
+/**
+ * An externally modeled source for command line arguments.
+ */
+class ModeledCommandLineArgsSource extends CommandLineArgsSource::Range {
+  ModeledCommandLineArgsSource() { sourceNode(this, "command-line-source") }
+}
+
 /**
  * A data flow source corresponding to the program's environment.
  */
@@ -85,6 +93,13 @@ module EnvironmentSource {
   }
 }
 
+/**
+ * An externally modeled source for data from the program's environment.
+ */
+class ModeledEnvironmentSource extends EnvironmentSource::Range {
+  ModeledEnvironmentSource() { sourceNode(this, "environment-source") }
+}
+
 /**
  * A data flow source for remote (network) data.
  */
@@ -104,6 +119,13 @@ module RemoteSource {
   }
 }
 
+/**
+ * An externally modeled source for remote (network) data.
+ */
+class ModeledRemoteSource extends RemoteSource::Range {
+  ModeledRemoteSource() { sourceNode(this, "remote") }
+}
+
 /**
  * A data flow node that constructs a SQL statement (for later execution).
  *

diff --git a/rust/ql/lib/codeql/rust/Frameworks.qll b/rust/ql/lib/codeql/rust/Frameworks.qll
@@ -2,7 +2,5 @@
  * This file imports all models of frameworks and libraries.
  */
 
-private import codeql.rust.frameworks.Reqwest
 private import codeql.rust.frameworks.rustcrypto.RustCrypto
-private import codeql.rust.frameworks.stdlib.Env
 private import codeql.rust.frameworks.Sqlx
diff --git a/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll b/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll
diff --git a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
@@ -1,4 +1,10 @@
 extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::get", "ReturnValue", "remote", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "ReturnValue", "remote", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel

diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll b/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/env.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/env.model.yml
@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["lang:std", "crate::env::args", "ReturnValue", "command-line-source", "manual"]
+      - ["lang:std", "crate::env::args_os", "ReturnValue", "command-line-source", "manual"]
+      - ["lang:std", "crate::env::current_dir", "ReturnValue", "command-line-source", "manual"]
+      - ["lang:std", "crate::env::current_exe", "ReturnValue", "command-line-source", "manual"]
+      - ["lang:std", "crate::env::home_dir", "ReturnValue", "command-line-source", "manual"]
+      - ["lang:std", "crate::env::var", "ReturnValue", "environment-source", "manual"]
+      - ["lang:std", "crate::env::var_os", "ReturnValue", "environment-source", "manual"]
+      - ["lang:std", "crate::env::vars", "ReturnValue", "environment-source", "manual"]
+      - ["lang:std", "crate::env::vars_os", "ReturnValue", "environment-source", "manual"]
diff --git a/rust/ql/lib/codeql/rust/security/WeakSensitiveDataHashingExtensions.qll b/rust/ql/lib/codeql/rust/security/WeakSensitiveDataHashingExtensions.qll
@@ -174,7 +174,8 @@ module ComputationallyExpensiveHashFunction {
 }
 
 /**
- * An externally modeled operation that hashes data, for example a call to `md5::Md5::digest(data)`.
+ * An externally modeled operation that hashes data, for example a call to `md5::Md5::digest(data)`. The
+ * model should identify the argument of a call that is the data to be hashed.
  */
 class ModeledHashOperation extends Cryptography::CryptographicOperation::Range {
   DataFlow::Node input;

diff --git a/rust/ql/lib/utils/test/TranslateModels.qll b/rust/ql/lib/utils/test/TranslateModels.qll
@@ -0,0 +1,9 @@
+private import codeql.dataflow.test.ProvenancePathGraph as Graph
+private import codeql.rust.dataflow.internal.ModelsAsData as MaD
+
+private signature predicate provenanceSig(string model);
+
+/** Translates models-as-data provenance information into a format that can be used in tests. */
+module TranslateModels<provenanceSig/1 provenance> {
+  import Graph::TranslateModels<MaD::interpretModelForTest/2, provenance/1>
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		\| Index.cs:18:18:18:19 \| ^... \| Index.cs:18:19:18:19 \| 1 \|
		\| Index.cs:22:18:22:19 \| ^... \| Index.cs:22:19:22:19 \| 3 \|