Merge branch 'main' into redsun82/rust-trait-path

Author: Paolo Tranquilli

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -49,11 +49,17 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
     call.getTarget() = op and
     op.hasQualifiedName("std", "operator+") and
     op.getType().(UserType).hasQualifiedName("std", "basic_string") and
-    incoming.asIndirectArgument() = call.getArgument(1) and // left operand
+    incoming.asIndirectArgument() = call.getArgument(1) and // right operand
     call = outgoing.asInstruction().getUnconvertedResultExpression()
   )
 }
 
+/**
+ * A state will represent the most recent concatenation that occurred in the data flow.
+ *  - `TConcatState` if the concetenation has not yet occurred.
+ *  - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
+ *    into result `outgoing`.
+ */
 newtype TState =
   TConcatState() or
   TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -74,7 +80,9 @@ class ExecState extends TExecState {
 
   DataFlow::Node getOutgoingNode() { result = outgoing }
 
-  /** Holds if this is a possible `ExecState` for `sink`. */
+  /**
+   * Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
+   */
   predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
 
   string toString() { result = "ExecState" }
@@ -110,6 +118,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
 
 module ExecState = TaintTracking::Global<ExecStateConfig>;
 
+/**
+ * A full `TaintTracking` configuration from source to concatenation to sink, using a flow
+ * state to remember the concatenation. It's important that we track flow to the sink even though
+ * as soon as we reach the concatenation we know it will get there (due to the check of
+ * `isFeasibleForSink`), because this way we get a complete flow path.
+ */
 module ExecTaintConfig implements DataFlow::StateConfigSig {
   class FlowState = TState;
 

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -14,7 +14,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
 
 int main(int argc, char** argv) {
   char *userName = argv[2];
-  
+
   {
     // BAD: a string from the user is injected directly into
     // a command.
@@ -23,10 +23,10 @@ int main(int argc, char** argv) {
     system(command1);
   }
 
-  {  
+  {
     // GOOD: the user string is encoded by a library routine.
     char userNameQuoted[1000] = {0};
-    encodeShellString(userNameQuoted, 1000, userName); 
+    encodeShellString(userNameQuoted, 1000, userName);
     char command2[1000] = {0};
     sprintf(command2, "userinfo -v %s", userNameQuoted);
     system(command2);
@@ -36,16 +36,16 @@ int main(int argc, char** argv) {
 void test2(char* arg2) {
   // GOOD?: the user string is the *first* part of the command, like $CC in many environments
   char *envCC = getenv("CC");
-  
+
   char command[1000];
-  sprintf("%s %s", envCC, arg2);
+  sprintf(command, "%s %s", envCC, arg2);
   system(command);
 }
 
 void test3(char* arg1) {
   // GOOD?: the user string is a `$CFLAGS` environment variable
   char *envCflags = getenv("CFLAGS");
-  
+
   char command[1000];
   sprintf(command, "%s %s", arg1, envCflags);
   system(command);
@@ -54,6 +54,7 @@ void test3(char* arg1) {
 typedef unsigned long size_t;
 typedef void FILE;
 size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
+char *strncpy(char *s1, const char *s2, size_t n);
 char *strncat(char *s1, const char *s2, size_t n);
 
 void test4(FILE *f) {
@@ -160,7 +161,7 @@ void test15(FILE *f) {
   fread(temp, 1, 10, f);
 
   int x = atoi(temp);
-  
+
   char temp2[10];
   sprintf(temp2, "%d", x);
     sprintf(command, "tail -n %s foo.log", temp2);
@@ -222,4 +223,42 @@ void test19(FILE *f) {
   execl("/bin/sh", "sh", "-c", command);
 }
 
+void test20() {
+  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
+  char buffer[1024 * 4];
+
+  strncpy(buffer, getenv("var_a"), 1024);
+  strncat(buffer, getenv("var_b"), 1024);
+  strncat(buffer, getenv("var_c"), 1024);
+  strncat(buffer, " ", 1024);
+  system(buffer);
+}
+
+void test21() {
+  // BAD: the user strings `var_b`, `var_c` are injected directly into a command
+  char buffer1[1024];
+  char buffer2[1024];
+
+  sprintf(buffer1, "%s %s",
+    getenv("var_a"),
+    getenv("var_b"));
+  sprintf(buffer2, "%s %s %s",
+    " ",
+    buffer1,
+    getenv("var_c"));
+  system(buffer2);
+}
+
+void test22() {
+  // BAD: the user strings `var_a` are injected directly into a command
+  char buffer[1024 * 11];
+  int i;
+
+  strncpy(buffer, "command ", 1024);
+  for (i = 0; i < 10; i++) {
+    strncat(buffer, getenv("var_a"), 1024);
+  }
+  system(buffer);
+}
+
 // open question: do we want to report certain sources even when they're the start of the string?

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp

@@ -0,0 +1,165 @@
+.. _codeql-cli-2.20.5:
+
+==========================
+CodeQL 2.20.5 (2025-02-20)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.20.5 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 34 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Removed support for :code:`QlBuiltins::BigInt`\ s in the :code:`avg()` aggregate.
+    
+*   A number of breaking changes have been made to the C and C++ CodeQL test environment as used by :code:`codeql test run`\ :
+
+    *   The :code:`-Xclang-only=<arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, when either :code:`--clang` or :code:`--clang_version` is specified the option should be replaced by :code:`<arg>` only, otherwise the option should be omitted.
+    *   The :code:`--sys_include <arg>` and :code:`--preinclude <arg>` options are no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg <option_name> --edg <arg>` should be specified.
+    *   The :code:`-idirafter <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --sys_include --edg <arg>` should be specified.
+    *   The :code:`-imacros <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --preinclude_macros --edg <arg>` should be specified.
+    *   The :code:`/FI <arg>` option is no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --preinclude --edg <arg>` should be specified.
+    *   The :code:`-Wreserved-user-defined-literal`, :code:`-Wno-reserved-user-defined-literal`, :code:`-fwritable-strings`, :code:`/Zc:rvalueCast`, :code:`/Zc:rvalueCast-`, and :code:`/Zc:wchar_t-` options are no longer supported by :code:`semmle-extractor-options`. Instead, :code:`--edg --reserved_user_defined_literal`, :code:`--edg --no-reserved_user_defined_literal`, :code:`--edg --no_const_string_literals`, :code:`--edg --no_preserve_lvalues_with_same_type_casts`, :code:`--edg --preserve_lvalues_with_same_type_casts`, and :code:`--edg --no_wchar_t_keyword` should be specified, respectively.
+    *   The :code:`/Fo <arg>` option is no longer supported by :code:`semmle-extractor-options`. The option should be omitted.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a recently-introduced bug that prevented taint tracking through :code:`URLSearchParams` objects.
+    The original behaviour has been restored and taint should once again be tracked through such objects.
+*   Fixed a rare issue that would occur when a function declaration inside a block statement was referenced before it was declared.
+    Such code is reliant on legacy web semantics, which is non-standard but nevertheless implemented by most engines.
+    CodeQL now takes legacy web semantics into account and resolves references to these functions correctly.
+*   Fixed a bug that would cause parse errors in :code:`.jsx` files in rare cases where the file contained syntax that was misinterpreted as Flow syntax.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   The following queries have been removed from the :code:`code-scanning` and :code:`security-extended` suites.
+    Any existing alerts for these queries will be closed automatically.
+
+    *   :code:`actions/if-expression-always-true/critical`
+    *   :code:`actions/if-expression-always-true/high`
+    *   :code:`actions/unnecessary-use-of-advanced-config`
+    
+*   The following query has been moved from the :code:`code-scanning` suite to the :code:`security-extended` suite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use the :code:`security-extended` suite.
+
+    *   :code:`actions/unpinned-tag`
+    
+*   The following queries have been added to the :code:`security-extended` suite.
+
+    *   :code:`actions/unversioned-immutable-action`
+    *   :code:`actions/envpath-injection/medium`
+    *   :code:`actions/envvar-injection/medium`
+    *   :code:`actions/code-injection/medium`
+    *   :code:`actions/artifact-poisoning/medium`
+    *   :code:`actions/untrusted-checkout/medium`
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Added `github.com/gorilla/mux.Vars <https://pkg.go.dev/github.com/gorilla/mux#Vars>`__ to path sanitizers (disabled if `github.com/gorilla/mix.Router.SkipClean <https://pkg.go.dev/github.com/gorilla/mux#Router.SkipClean>`__ has been called).
+
+GitHub Actions
+""""""""""""""
+
+*   Fixed false positives in the query :code:`actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
+
+New Queries
+~~~~~~~~~~~
+
+Java/Kotlin
+"""""""""""
+
+*   Added a new query, :code:`java/csrf-unprotected-request-type`, to detect Cross-Site Request Forgery (CSRF) vulnerabilities due to using HTTP request types that are not default-protected from CSRF.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes.
+*   Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Full support for C# 13 / .NET 9. All new language features are now supported by the extractor. QL library and data flow support for the new C# 13 language constructs and generated MaD models for the .NET 9 runtime.
+*   C# 13: Add generated models for .NET 9.
+*   The models for :code:`System.Net.Http.HttpRequestMessage` and :code:`System.UriBuilder` have been modified to better model the flow of tainted URIs.
+*   Blazor :code:`[Parameter]` fields bound to a variable from the route specified in the :code:`@page` directive are now modeled as remote flow sources.
+
+Golang
+""""""
+
+*   Taint models have been added for the :code:`weak` package, which was added in Go 1.24.
+*   Taint models have been added for the interfaces :code:`TextAppender` and :code:`BinaryAppender` in the :code:`encoding` package, which were added in Go 1.24.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for regular expressions using the :code:`v` flag.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
+
+Golang
+""""""
+
+*   The class :code:`NamedType` has been deprecated. Use the new class :code:`DefinedType` instead. This better matches the terminology used in the Go language specification, which was changed in Go 1.9.
+*   The member predicate :code:`getNamedType` on :code:`GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate :code:`getDefinedType` instead.
+*   The member predicate :code:`getNamedType` on :code:`Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate :code:`getDefinedType` instead.
+
+Ruby
+""""
+
+*   The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
+
+Swift
+"""""
+
+*   The predicates :code:`immediatelyControls` and :code:`controls` on the :code:`ConditionBlock` class have been deprecated in favor of the newly added :code:`dominatingEdge` predicate.
+
+New Features
+~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   The "Unpinned tag for a non-immutable Action in workflow" query (:code:`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (:code:`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see `Creating a CodeQL Model Pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.20.5
    codeql-cli-2.20.4
    codeql-cli-2.20.3
    codeql-cli-2.20.2

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -66,7 +66,9 @@ write_file(
         'DST_DIR="$(dirname "$(rlocation "$1")")"',
         'mkdir -p "$DST_DIR/src/codegen/grammar"',
     ] + [
-        'cp -f --no-preserve=mode "$(rlocation "$%s")" "$DST_DIR/%s"' % item
+        # using cat instead of cp to honor default umask
+        # (also, macOS does not support `cp --no-preserve=mode`)
+        'cat "$(rlocation "$%s")" > "$DST_DIR/%s"' % item
         for item in enumerate(_codegen_outs, 2)
     ],
     is_executable = True,

rust/ast-generator/BUILD.bazel

@@ -19,11 +19,17 @@ pub fn extractor_cli_config(_attr: TokenStream, item: TokenStream) -> TokenStrea
         .fields
         .iter()
         .map(|f| {
+            let ty_tip = get_type_tip(&f.ty);
             if f.ident.as_ref().is_some_and(|i| i != "inputs")
-                && get_type_tip(&f.ty).is_some_and(|i| i == "Vec")
+                && ty_tip.is_some_and(|i| i == "Vec")
             {
                 quote! {
-                    #[serde(deserialize_with="deserialize_newline_or_comma_separated")]
+                    #[serde(deserialize_with="deserialize::deserialize_newline_or_comma_separated_vec")]
+                    #f
+                }
+            } else if ty_tip.is_some_and(|i| i == "FxHashMap" || i == "HashMap") {
+                quote! {
+                    #[serde(deserialize_with="deserialize::deserialize_newline_or_comma_separated_map")]
                     #f
                 }
             } else {
@@ -60,7 +66,7 @@ pub fn extractor_cli_config(_attr: TokenStream, item: TokenStream) -> TokenStrea
                 quote! {
                     #f
                 }
-            } else if type_tip.is_some_and(|i| i == "Vec") {
+            } else if type_tip.is_some_and(|i| i == "Vec" || i == "FxHashMap" || i == "HashMap") {
                 quote! {
                     #[arg(long)]
                     #id: Option<String>