diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
index e76d300c761c..33b0c790dd6f 100644
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38
+version: 0.4.39-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
index 07b33838f874..fb617417c3c2 100644
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30
+version: 0.6.31-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index a94049121b5e..04f66548112b 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 11.0.0
+version: 11.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index 070a7b2926a4..3b6365f29c64 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.5
+version: 1.6.6-dev
 groups:
 - cpp
 - queries
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index 22871294a836..88080d5df9ae 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.69
+version: 1.7.70-dev
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index 436471955f8f..effa1c940c0b 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.69
+version: 1.7.70-dev
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
index bb0645906670..0749eea574d3 100644
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 7.0.0
+version: 7.0.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
index 0b112e385e99..9110c334a2e5 100644
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.5
+version: 1.7.6-dev
 groups:
 - csharp
 - queries
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
index 53ca8acd9aa8..486dcf5c9f8f 100644
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.52
+version: 1.0.53-dev
 groups:
 - go
 - queries
diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml
index d8737a2eba28..f65b3855cf77 100644
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.2.0
+version: 7.2.1-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
index 4d435e705032..2db1c639026b 100644
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.5
+version: 1.6.6-dev
 groups:
 - go
 - queries
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index 39392cceea52..a847cb88c639 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.2.0
+version: 9.2.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index 56f4305446bb..6f9c819f1098 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.5
+version: 1.11.6-dev
 groups:
 - java
 - queries
diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml
index d5e18e49051b..584f2e135f77 100644
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.8.0
+version: 2.8.1-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml
index ddc3eaa3817a..b608077e3e0b 100644
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.4.0
+version: 2.4.1-dev
 groups:
 - javascript
 - queries
diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml
index a3699af86ca5..0dafb086b741 100644
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 warnOnImplicitThis: true
diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md
index 7d4f024be7a9..a8122f03eb18 100644
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -70,7 +70,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
-* Added new full SSRF sanitization barrier from the new AntiSSRF library.
+* Added new full SSRF sanitization barrier from the new AntiSSRF library.
 * When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
 ## 6.1.1
@@ -169,7 +169,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
 - The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.
-* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
+* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
 ## 4.0.13
@@ -262,7 +262,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
 * The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
-- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
+- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
 ## 3.1.0
@@ -316,7 +316,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
-* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
+* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
 ## 2.0.0
@@ -545,7 +545,7 @@ No user-facing changes.
 ### New Features
-* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
 Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
 ### Minor Analysis Improvements
@@ -572,7 +572,7 @@ No user-facing changes.
 * Deleted many deprecated predicates and classes with uppercase `API`, `HTTP`, `XSS`, `SQL`, etc. in their names. Use the PascalCased versions instead.
 * Deleted the deprecated `getName()` predicate from the `Container` class, use `getAbsolutePath()` instead.
 * Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
-* Deleted many deprecated predicates in `PointsTo.qll`.
+* Deleted many deprecated predicates in `PointsTo.qll`.
 * Deleted many deprecated files from the `semmle.python.security` package.
 * Deleted the deprecated `BottleRoutePointToExtension` class from `Extensions.qll`.
 * Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
@@ -729,7 +729,7 @@ No user-facing changes.
 ### Deprecated APIs
 * Some unused predicates in `SsaDefinitions.qll`, `TObject.qll`, `protocols.qll`, and the `pointsto/` folder have been deprecated.
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
 The old name still exists as a deprecated alias.
 ### Minor Analysis Improvements
@@ -748,9 +748,9 @@ No user-facing changes.
 ### Deprecated APIs
-* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
 The old name still exists as a deprecated alias.
-* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
+* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
 The previous files still exist as deprecated aliases.
 ### Minor Analysis Improvements
@@ -843,9 +843,9 @@ No user-facing changes.
 ### Deprecated APIs
-* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
+* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
 The old name still exists as a deprecated alias.
-* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
+* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
 The old name still exists as a deprecated alias.
 ### New Features
diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml
index a3dd754b2095..506fd493c790 100644
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.2.0
+version: 7.2.1-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index 04e8ad0587f6..d91d51d0c66b 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1138,7 +1138,9 @@ predicate clearsContent(Node n, ContentSet cs) {
 * Holds if the value that is being tracked is expected to be stored inside content `c`
 * at node `n`.
 */
-predicate expectsContent(Node n, ContentSet c) { none() }
+predicate expectsContent(Node n, ContentSet c) {
+ FlowSummaryImpl::Private::Steps::summaryExpectsContent(n.(FlowSummaryNode).getSummaryNode(), c)
+}
 /**
 * Holds if values stored inside attribute `c` are cleared at node `n`.
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
index 0931fcca0dc8..6d128776700a 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll
@@ -91,6 +91,8 @@ module Input implements InputSig
 cs.isAnyTupleOrDictionaryElement() and result = "AnyTupleOrDictionaryElement" and arg = ""
 }
+ string encodeWithContent(ContentSet c, string arg) { result = "With" + encodeContent(c, arg) }
+
 bindingset[token]
 ParameterPosition decodeUnknownParameterPosition(AccessPath::AccessPathTokenBase token) {
 // needed to support `Argument[x..y]` ranges
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
index 13afd6a4276d..02fae4611f4f 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
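Review bot: The new `encodeWithContent` predicate in the `@@ -91,6 +91,8 @@` hunk of FlowSummaryImpl.qll has no QLDoc, although it defines the access-path token format (`With` + content token) that the MaD models in Stdlib.qll now rely on (`Argument[0].WithAnyDictionaryElement`, `Argument[0].WithAnyTupleElement`). Suggest `/** Gets the MaD token for `With` applied to content `c`, e.g. `WithAnyTupleElement`; `arg` is passed through to `encodeContent`. */` above it. Since the body is just `"With" + encodeContent(c, arg)`, a content set that `encodeContent` does not encode silently gets no `With` form either, which is worth a one-line note so future content kinds are added in both places. The enclosing `module Input` starts and ends outside the hunk.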
@@ -170,7 +170,13 @@ module TypeTrackingInput implements Shared::TypeTrackingInput {
 /** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
 predicate levelStepCall(Node nodeFrom, LocalSourceNode nodeTo) {
- instanceFieldStep(nodeFrom, nodeTo)
+ // HOTFIX: `instanceFieldStep` is temporarily disabled (via `and none()`).
+ // It uses `classInstanceTracker(cls)` -- itself a type-tracker run --
+ // from inside `levelStepCall`, creating a structural mutual recursion
+ // that causes catastrophic query slowdowns on some OOP-heavy Python
+ // codebases (e.g. mypy and dask). The `and none()` should be removed
+ // once that recursion is redesigned.
+ instanceFieldStep(nodeFrom, nodeTo) and none()
 or
 inheritedFieldStep(nodeFrom, nodeTo)
 }
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
index a9fd72530f51..df69a010fd8b 100644
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -4199,11 +4199,9 @@ module StdlibPrivate {
 // The positional argument contains a mapping.
 // TODO: these values can be overwritten by keyword arguments
 // - dict mapping
-    exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
- input = "Argument[0].DictionaryElement[" + key + "]" and
- output = "ReturnValue.DictionaryElement[" + key + "]" and
- preservesValue = true
- )
+ input = "Argument[0].WithAnyDictionaryElement" and
+ output = "ReturnValue" and
+ preservesValue = true
 or
 // - list-of-pairs mapping
 input = "Argument[0].ListElement.TupleElement[1]" and
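Review bot: The HOTFIX comment on the `instanceFieldStep(nodeFrom, nodeTo) and none()` line records the performance motive but not the precision cost, which this same commit makes visible elsewhere: in `attribute_tests.py` the `tracked` expectation moves behind `MISSING:` for `instance.foo`, `sub1.foo`, `sub2.bar` and `sub3.baz`, and in the CWE-089 test `app.py` both the `Source` and the `Alert` on `unsafe3` (the `hdb_con3.cursor()` path) become `MISSING:`, with the matching `app.py:37` rows dropped from `SqlInjection.expected`. That is a known false negative in a security query, so it belongs next to the hotfix rather than only in test annotations, e.g. `// Known regressions while disabled: instance-attribute type tracking (attribute_tests.py) and the unsafe3 case in CWE-089-SqlInjection/app.py; see <tracking issue placeholder>.` The link between the hotfix and the `unsafe3` regression is inferred from the two landing together; if it has a different cause the comment should say that instead. No change note for the regression appears in this diff (the CHANGELOG edits are whitespace only), and `levelStepCall` is the only part of `TypeTrackingInput` visible in the hunk.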
@@ -4240,9 +4238,7 @@ module StdlibPrivate {
 or
 input = "Argument[0].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[0].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 // Element content is mutated into list element content
@@ -4266,11 +4262,9 @@ module StdlibPrivate {
 }
 override predicate propagatesFlow(string input, string output, boolean preservesValue) {
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]" and
- output = "ReturnValue.TupleElement[" + i.toString() + "]" and
- preservesValue = true
- )
+ input = "Argument[0].WithAnyTupleElement" and
+ output = "ReturnValue" and
+ preservesValue = true
 or
 input = "Argument[0].ListElement" and
 output = "ReturnValue" and
@@ -4294,9 +4288,7 @@ module StdlibPrivate {
 or
 input = "Argument[0].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[0].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "ReturnValue.SetElement" and
@@ -4342,9 +4334,7 @@ module StdlibPrivate {
 or
 input = "Argument[0].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[0].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "ReturnValue.ListElement" and
@@ -4372,9 +4362,7 @@ module StdlibPrivate {
 or
 content = "SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- content = "TupleElement[" + i.toString() + "]"
- )
+ content = "AnyTupleElement"
 |
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 input = "Argument[0]." + content and
@@ -4404,9 +4392,7 @@ module StdlibPrivate {
 or
 input = "Argument[0].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[0].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "ReturnValue.ListElement" and
@@ -4434,9 +4420,7 @@ module StdlibPrivate {
 or
 input = "Argument[0].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[0].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "ReturnValue" and
@@ -4468,9 +4452,7 @@ module StdlibPrivate {
 // We reduce generality slightly by not tracking tuple contents on list arguments beyond the first, for performance.
 // TODO: Once we have TupleElementAny, this generality can be increased.
 i = 0 and
- exists(DataFlow::TupleElementContent tc, int j | j = tc.getIndex() |
- input = "Argument[1].TupleElement[" + j.toString() + "]"
- )
+ input = "Argument[1].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "Argument[0].Parameter[" + i.toString() + "]" and
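Review bot: In the `@@ -4468,9 +4452,7 @@` hunk the retained comment `// TODO: Once we have TupleElementAny, this generality can be increased.` is now stale, because the token it waits for is exactly what the new `input = "Argument[1].AnyTupleElement"` line uses, yet the `i = 0 and` restriction the comment justifies is kept; the sibling `@@ -4552,12 +4530,7 @@` hunk removes the equivalent `i in [0 .. 1]` restriction together with its two comment lines. Either lift the restriction here in the same way, if the `Argument[...]` index can be tied to `i` in this model, or replace the two comment lines with `// Tuple contents are only tracked for the first iterable argument (i = 0); AnyTupleElement makes a per-index split unnecessary.` so the comment matches the code. The enclosing `propagatesFlow` predicate starts and ends outside the hunk.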
@@ -4499,9 +4481,7 @@ module StdlibPrivate {
 or
 input = "Argument[1].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[1].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[1].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 (output = "Argument[0].Parameter[0]" or output = "ReturnValue.ListElement") and
@@ -4525,9 +4505,7 @@ module StdlibPrivate {
 or
 input = "Argument[0].SetElement"
 or
- exists(DataFlow::TupleElementContent tc, int i | i = tc.getIndex() |
- input = "Argument[0].TupleElement[" + i.toString() + "]"
- )
+ input = "Argument[0].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "ReturnValue.ListElement.TupleElement[1]" and
@@ -4552,12 +4530,7 @@ module StdlibPrivate {
 or
 input = "Argument[" + i.toString() + "].SetElement"
 or
- // We reduce generality slightly by not tracking tuple contents on arguments beyond the first two, for performance.
- // TODO: Once we have TupleElementAny, this generality can be increased.
- i in [0 .. 1] and
- exists(DataFlow::TupleElementContent tc, int j | j = tc.getIndex() |
- input = "Argument[" + i.toString() + "].TupleElement[" + j.toString() + "]"
- )
+ input = "Argument[" + i.toString() + "].AnyTupleElement"
 // TODO: Once we have DictKeyContent, we need to transform that into ListElementContent
 ) and
 output = "ReturnValue.ListElement.TupleElement[" + i.toString() + "]" and
@@ -4580,12 +4553,6 @@ module StdlibPrivate {
 override DataFlow::ArgumentNode getACallback() { none() }
 override predicate propagatesFlow(string input, string output, boolean preservesValue) {
- exists(DataFlow::Content c |
- input = "Argument[self]." + c.getMaDRepresentation() and
- output = "ReturnValue." + c.getMaDRepresentation() and
- preservesValue = true
- )
- or
 input = "Argument[self]" and
 output = "ReturnValue" and
 preservesValue = true
@@ -4741,12 +4708,10 @@ module StdlibPrivate {
 override DataFlow::ArgumentNode getACallback() { none() }
 override predicate propagatesFlow(string input, string output, boolean preservesValue) {
- exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
- input = "Argument[self].DictionaryElement[" + key + "]" and
- output = "ReturnValue.TupleElement[1]" and
- preservesValue = true
- // TODO: put `key` into "ReturnValue.TupleElement[0]"
- )
+ input = "Argument[self].AnyDictionaryElement" and
+ output = "ReturnValue.TupleElement[1]" and
+ preservesValue = true
+ // TODO: put `key` into "ReturnValue.TupleElement[0]"
 }
 }
@@ -4825,11 +4790,9 @@ module StdlibPrivate {
 }
 override predicate propagatesFlow(string input, string output, boolean preservesValue) {
- exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
- input = "Argument[self].DictionaryElement[" + key + "]" and
- output = "ReturnValue.ListElement" and
- preservesValue = true
- )
+ input = "Argument[self].AnyDictionaryElement" and
+ output = "ReturnValue.ListElement" and
+ preservesValue = true
 or
 input = "Argument[self]" and
 output = "ReturnValue" and
@@ -4876,11 +4839,9 @@ module StdlibPrivate {
 }
 override predicate propagatesFlow(string input, string output, boolean preservesValue) {
- exists(DataFlow::DictionaryElementContent dc, string key | key = dc.getKey() |
- input = "Argument[self].DictionaryElement[" + key + "]" and
- output = "ReturnValue.ListElement.TupleElement[1]" and
- preservesValue = true
- )
+ input = "Argument[self].AnyDictionaryElement" and
+ output = "ReturnValue.ListElement.TupleElement[1]" and
+ preservesValue = true
 or
 // TODO: Add the keys to output list
 input = "Argument[self]" and
diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml
index d302c790d801..a4a2db0e6603 100644
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.5
+version: 1.8.6-dev
 groups:
 - python
 - queries
diff --git a/python/ql/test/library-tests/dataflow/coverage/test_builtins.py b/python/ql/test/library-tests/dataflow/coverage/test_builtins.py
index 8e87e56dc2e7..7ef7866ec175 100644
--- a/python/ql/test/library-tests/dataflow/coverage/test_builtins.py
+++ b/python/ql/test/library-tests/dataflow/coverage/test_builtins.py
@@ -589,11 +589,11 @@ def test_zip_tuple():
 SINK(z[0][0]) # $ flow="SOURCE, l:-7 -> z[0][0]"
 SINK(z[0][1]) # $ flow="SOURCE, l:-7 -> z[0][1]"
- SINK_F(z[0][2])
+ SINK_F(z[0][2]) # $ SPURIOUS: flow="SOURCE, l:-7 -> z[0][2]"
 SINK_F(z[0][3])
 SINK(z[1][0]) # $ flow="SOURCE, l:-11 -> z[1][0]"
 SINK_F(z[1][1]) # $ SPURIOUS: flow="SOURCE, l:-11 -> z[1][1]"
- SINK(z[1][2]) # $ MISSING: flow="SOURCE, l:-11 -> z[1][2]" # Tuple contents are not tracked beyond the first two arguments for performance.
+ SINK(z[1][2]) # $ flow="SOURCE, l:-11 -> z[1][2]"
 SINK_F(z[1][3])
 @expects(4)
diff --git a/python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py b/python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py
index b6bca72507f6..09fed01398ed 100644
--- a/python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py
+++ b/python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py
@@ -157,7 +157,7 @@ def possibly_uncalled_method(self): # $ MISSING: tracked=foo
 print(self.foo) # $ tracked MISSING: tracked=foo
 instance = MyClass2()
-print(instance.foo) # $ tracked MISSING: tracked=foo
+print(instance.foo) # $ MISSING: tracked=foo tracked
 instance.print_foo() # $ MISSING: tracked=foo
@@ -195,7 +195,7 @@ def read_foo(self): # $ MISSING: tracked=foo
 sub1 = Sub1()
 sub1.read_foo()
-print(sub1.foo) # $ tracked MISSING: tracked=foo
+print(sub1.foo) # $ MISSING: tracked=foo tracked
 # attribute written in a subclass method, read in an inherited base class method
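Review bot: In the `@@ -589,11 +589,11 @@` hunk of test_builtins.py, `SINK_F(z[0][2])` gains a `SPURIOUS:` expectation in the same hunk where `SINK(z[1][2])` loses its `MISSING:`, and the old explanatory comment `# Tuple contents are not tracked beyond the first two arguments for performance.` is deleted without a replacement, so the file no longer says why either annotation is there. The trade presumably follows from `AnyTupleElement` not distinguishing tuple indices, in which case the `z[0][2]` line should say so, e.g. `SINK_F(z[0][2]) # $ SPURIOUS: flow="SOURCE, l:-7 -> z[0][2]" # AnyTupleElement does not distinguish indices, so index precision is lost`. `test_zip_tuple` starts outside the hunk.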
@@ -210,7 +210,7 @@ def __init__(self): # $ tracked=bar
 sub2 = Sub2()
 sub2.read_bar()
-print(sub2.bar) # $ tracked MISSING: tracked=bar
+print(sub2.bar) # $ MISSING: tracked=bar tracked
 # attribute written in a base class method, read on an instance of the subclass
@@ -223,4 +223,4 @@ class Sub3(Base3):
 pass
 sub3 = Sub3()
-print(sub3.baz) # $ tracked MISSING: tracked=baz
+print(sub3.baz) # $ MISSING: tracked=baz tracked
diff --git a/python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py b/python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py
index 3e8ba31d0196..7081f73b5251 100644
--- a/python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py
+++ b/python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py
@@ -362,7 +362,7 @@ def test_load_in_bulk():
 # see https://docs.djangoproject.com/en/4.0/ref/models/querysets/#in-bulk
 d = TestLoad.objects.in_bulk([1])
 for val in d.values():
- SINK(val.text) # $ MISSING: flow
+ SINK(val.text) # $ flow="SOURCE, l:-65 -> val.text"
 SINK(d[1].text) # $ flow="SOURCE, l:-66 -> d[1].text"
diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
index 8f60394d8a2b..4cbcb33440ba 100644
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected
@@ -1,7 +1,6 @@
 #select
 | app.py:23:20:23:24 | ControlFlowNode for query | app.py:20:18:20:21 | ControlFlowNode for name | app.py:23:20:23:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:20:18:20:21 | ControlFlowNode for name | user-provided value |
 | app.py:30:20:30:24 | ControlFlowNode for query | app.py:27:19:27:22 | ControlFlowNode for name | app.py:30:20:30:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:27:19:27:22 | ControlFlowNode for name | user-provided value |
-| app.py:37:20:37:24 | ControlFlowNode for query | app.py:34:19:34:22 | ControlFlowNode for name | app.py:37:20:37:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:34:19:34:22 | ControlFlowNode for name | user-provided value |
 | app.py:44:20:44:24 | ControlFlowNode for query | app.py:41:19:41:22 | ControlFlowNode for name | app.py:44:20:44:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:41:19:41:22 | ControlFlowNode for name | user-provided value |
 | app.py:51:20:51:24 | ControlFlowNode for query | app.py:48:19:48:22 | ControlFlowNode for name | app.py:51:20:51:24 | ControlFlowNode for query | This SQL query depends on a $@. | app.py:48:19:48:22 | ControlFlowNode for name | user-provided value |
 | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | sql_injection.py:14:15:14:22 | ControlFlowNode for username | sql_injection.py:21:24:21:77 | ControlFlowNode for BinaryExpr | This SQL query depends on a $@. | sql_injection.py:14:15:14:22 | ControlFlowNode for username | user-provided value |
@@ -25,8 +24,6 @@ edges
 | app.py:21:5:21:9 | ControlFlowNode for query | app.py:23:20:23:24 | ControlFlowNode for query | provenance | |
 | app.py:27:19:27:22 | ControlFlowNode for name | app.py:28:5:28:9 | ControlFlowNode for query | provenance | |
 | app.py:28:5:28:9 | ControlFlowNode for query | app.py:30:20:30:24 | ControlFlowNode for query | provenance | |
-| app.py:34:19:34:22 | ControlFlowNode for name | app.py:35:5:35:9 | ControlFlowNode for query | provenance | |
-| app.py:35:5:35:9 | ControlFlowNode for query | app.py:37:20:37:24 | ControlFlowNode for query | provenance | |
 | app.py:41:19:41:22 | ControlFlowNode for name | app.py:42:5:42:9 | ControlFlowNode for query | provenance | |
 | app.py:42:5:42:9 | ControlFlowNode for query | app.py:44:20:44:24 | ControlFlowNode for query | provenance | |
 | app.py:48:19:48:22 | ControlFlowN ode for name | app.py:49:5:49:9 | ControlFlowNode for query | provenance | |
@@ -54,9 +51,6 @@ nodes
 | app.py:27:19:27:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
 | app.py:28:5:28:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
 | app.py:30:20:30:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
-| app.py:34:19:34:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
-| app.py:35:5:35:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
-| app.py:37:20:37:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
 | app.py:41:19:41:22 | ControlFlowNode for name | semmle.label | ControlFlowNode for name |
 | app.py:42:5:42:9 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
 | app.py:44:20:44:24 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
diff --git a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py
index 4de61346d8f5..8046f1ef52ed 100644
--- a/python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py
+++ b/python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py
@@ -31,10 +31,10 @@ async def unsafe2(name: str): # $ Source
 cursor.close()
 @app.get("/unsafe3/")
-async def unsafe3(name: str): # $ Source
+async def unsafe3(name: str): # $ MISSING: Source
 query = "select * from users where name=" + name
 cursor = hdb_con3.cursor()
- cursor.execute(query) # $ Alert
+ cursor.execute(query) # $ MISSING: Alert
 cursor.close()
 @app.get("/unsafe4/")
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
index 381cf9c693c1..6957217db6d1 100644
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 6.0.0
+version: 6.0.1-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml
index 63e1a8f21823..c34506fd2878 100644
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.6.5
+version: 1.6.6-dev
 groups:
 - ruby
 - queries
diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml
index 586eb2ae7f19..7750d2a6a3d4 100644
--- a/rust/ql/lib/qlpack.yml
+++ b/rust/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-all
-version: 0.2.16
+version: 0.2.17-dev
 groups: rust
 extractor: rust
 dbscheme: rust.dbscheme
diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml
index 050798f9ac97..591c913eb690 100644
--- a/rust/ql/src/qlpack.yml
+++ b/rust/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-queries
-version: 0.1.37
+version: 0.1.38-dev
 groups:
 - rust
 - queries
diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml
index 78a8e0303bdd..d8b7fb5b5542 100644
--- a/shared/concepts/qlpack.yml
+++ b/shared/concepts/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/concepts
-version: 0.0.26
+version: 0.0.27-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml
index b95c5308f109..d14ee7d34d79 100644
--- a/shared/controlflow/qlpack.yml
+++ b/shared/controlflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/controlflow
-version: 2.0.36
+version: 2.0.37-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml
index d7f25a4b2493..ae047432fc55 100644
--- a/shared/dataflow/qlpack.yml
+++ b/shared/dataflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/dataflow
-version: 2.1.8
+version: 2.1.9-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml
index 5e01e1e4f355..066ccfdf771e 100644
--- a/shared/mad/qlpack.yml
+++ b/shared/mad/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/mad
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/namebinding/qlpack.yml b/shared/namebinding/qlpack.yml
index 8c40ac07c319..15876b502082 100644
--- a/shared/namebinding/qlpack.yml
+++ b/shared/namebinding/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/namebinding
-version: 0.0.1
+version: 0.0.2-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml
index 27ae4ab7ed22..546491e07687 100644
--- a/shared/quantum/qlpack.yml
+++ b/shared/quantum/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/quantum
-version: 0.0.30
+version: 0.0.31-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml
index 7d1dcaeddea8..cda17399a57b 100644
--- a/shared/rangeanalysis/qlpack.yml
+++ b/shared/rangeanalysis/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rangeanalysis
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml
index 84307ddf1c67..de6b49e84839 100644
--- a/shared/regex/qlpack.yml
+++ b/shared/regex/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/regex
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml
index f377ac9a4463..67bed21c679e 100644
--- a/shared/ssa/qlpack.yml
+++ b/shared/ssa/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ssa
-version: 2.0.28
+version: 2.0.29-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml
index 66fd334702c0..9dd6aaa670a7 100644
--- a/shared/threat-models/qlpack.yml
+++ b/shared/threat-models/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/threat-models
-version: 1.0.52
+version: 1.0.53-dev
 library: true
 groups: shared
 dataExtensions:
diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml
index bd20c00aff14..db557278bd87 100644
--- a/shared/tutorial/qlpack.yml
+++ b/shared/tutorial/qlpack.yml
@@ -1,7 +1,7 @@
 name: codeql/tutorial
 description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries.
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml
index ea6c5bf49005..3e904af63e3a 100644
--- a/shared/typeflow/qlpack.yml
+++ b/shared/typeflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typeflow
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml
index 8fe69c97e663..f25557f4f136 100644
--- a/shared/typeinference/qlpack.yml
+++ b/shared/typeinference/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typeinference
-version: 0.0.33
+version: 0.0.34-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml
index cc4c1abdae5c..fd9fa8ec813c 100644
--- a/shared/typetracking/qlpack.yml
+++ b/shared/typetracking/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typetracking
-version: 2.0.36
+version: 2.0.37-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml
index 2c485456cdd4..9e8d3b21c015 100644
--- a/shared/typos/qlpack.yml
+++ b/shared/typos/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typos
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml
index a2b2e5a457e3..2ab432b4e47e 100644
--- a/shared/util/qlpack.yml
+++ b/shared/util/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/util
-version: 2.0.39
+version: 2.0.40-dev
 groups: shared
 library: true
 dependencies: null
diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml
index 6398c282016a..375658357125 100644
--- a/shared/xml/qlpack.yml
+++ b/shared/xml/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/xml
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 dependencies:
diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml
index 1458b851b2a8..795bbb1b1a74 100644
--- a/shared/yaml/qlpack.yml
+++ b/shared/yaml/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/yaml
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 library: true
 warnOnImplicitThis: true
diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml
index c371ef64c15c..1000e5b25b90 100644
--- a/swift/ql/lib/qlpack.yml
+++ b/swift/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-all
-version: 6.7.1
+version: 6.7.2-dev
 groups: swift
 extractor: swift
 dbscheme: swift.dbscheme
diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml
index becbbca93e85..de366deabb73 100644
--- a/swift/ql/src/qlpack.yml
+++ b/swift/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/swift-queries
-version: 1.3.5
+version: 1.3.6-dev
 groups:
   - swift
   - queries
