Merge remote-tracking branch 'upstream/main' into aibaars/rust-macros

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "bazel_skylib", version = "1.6.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.38.0")
 bazel_dep(name = "rules_dotnet", version = "0.15.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")

cpp/ql/lib/change-notes/2024-10-09-fopen-taint.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow model for `fopen` and related functions.

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -80,6 +80,8 @@ private Declaration getAnEnclosingDeclaration(Locatable ast) {
   or
   result = ast.(Parameter).getFunction()
   or
+  result = ast.(Parameter).getCatchBlock().getEnclosingFunction()
+  or
   result = ast.(Expr).getEnclosingDeclaration()
   or
   result = ast.(Initializer).getDeclaration()
@@ -510,6 +512,22 @@ class DeclStmtNode extends StmtNode {
   }
 }
 
+/**
+ * A node representing a `Handler`.
+ */
+class HandlerNode extends ChildStmtNode {
+  Handler handler;
+
+  HandlerNode() { handler = stmt }
+
+  override BaseAstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex)
+    or
+    childIndex = -1 and
+    result.getAst() = handler.getParameter()
+  }
+}
+
 /**
  * A node representing a `Parameter`.
  */
@@ -754,6 +772,8 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
     or
+    s.(Handler).getParameter() = e and pred = "getParameter()"
+    or
     s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
     or
     s.(IfStmt).getCondition() = e and pred = "getCondition()"

cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
 /** The function `fopen` and friends. */
-private class Fopen extends Function, AliasFunction, SideEffectFunction {
+private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
   Fopen() {
     this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
     or
@@ -47,4 +47,22 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
     i = 0 and
     buffer = true
   }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      this.hasGlobalOrStdName(["fopen", "freopen"]) or
+      this.hasGlobalName(["_wfopen", "_fsopen", "_wfsopen"])
+    ) and
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // The out parameter is a pointer to a `FILE*`.
+    this.hasGlobalOrStdName("fopen_s") and
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0, 2)
+    or
+    this.hasGlobalName(["_open", "_wopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }

cpp/ql/test/examples/expressions/PrintAST.expected

@@ -870,6 +870,8 @@ Throw.cpp:
 #    8|               Type = [BoolType] bool
 #    8|               ValueCategory = prvalue
 #   12|       getChild(1): [Handler] <handler>
+#   12|         getParameter(): [Parameter] e
+#   12|             Type = [PointerType] E *
 #   12|         getBlock(): [CatchBlock] { ... }
 #   13|           getStmt(0): [ExprStmt] ExprStmt
 #   13|             getExpr(): [ReThrowExpr] re-throw exception 

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -6584,6 +6584,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path |  |
 | taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... |  |
 | taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:785:23:785:28 | source |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:786:18:786:23 | source |  |
+| taint.cpp:785:23:785:28 | source | taint.cpp:790:15:790:20 | source |  |
+| taint.cpp:786:12:786:16 | call to fopen | taint.cpp:787:7:787:7 | f |  |
+| taint.cpp:786:18:786:23 | source | taint.cpp:786:12:786:16 | call to fopen | TAINT |
+| taint.cpp:789:8:789:9 | f2 | taint.cpp:790:11:790:12 | f2 |  |
+| taint.cpp:789:8:789:9 | f2 | taint.cpp:791:7:791:8 | f2 |  |
+| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:790:11:790:12 | f2 [inner post update] |  |
+| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:791:7:791:8 | f2 |  |
+| taint.cpp:790:11:790:12 | f2 | taint.cpp:790:10:790:12 | & ... |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 |  |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 |  |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -777,4 +777,16 @@ TaintInheritingContentObject source(bool);
 void test_TaintInheritingContent() {
 	TaintInheritingContentObject obj = source(true);
 	sink(obj.flowFromObject); // $ ir MISSING: ast
+}
+
+FILE* fopen(const char*, const char*);
+int fopen_s(FILE** pFile, const char *filename, const char *mode);
+
+void fopen_test(char* source) {
+	FILE* f = fopen(source, "r");
+	sink(f); // $ ast,ir
+
+	FILE* f2;
+	fopen_s(&f2, source, "r");
+	sink(f2); // $ ast,ir
 }

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -9055,6 +9055,8 @@ ir.cpp:
 #  733|                 Value = [Literal] 7
 #  733|                 ValueCategory = prvalue
 #  735|       getChild(1): [Handler] <handler>
+#  735|         getParameter(): [Parameter] s
+#  735|             Type = [PointerType] const char *
 #  735|         getBlock(): [CatchBlock] { ... }
 #  736|           getStmt(0): [ExprStmt] ExprStmt
 #  736|             getExpr(): [ThrowExpr] throw ...
@@ -9067,6 +9069,8 @@ ir.cpp:
 #  736|                     Type = [PointerType] const char *
 #  736|                     ValueCategory = prvalue(load)
 #  738|       getChild(2): [Handler] <handler>
+#  738|         getParameter(): [Parameter] e
+#  738|             Type = [LValueReferenceType] const String &
 #  738|         getBlock(): [CatchBlock] { ... }
 #  740|       getChild(3): [Handler] <handler>
 #  740|         getBlock(): [CatchAnyBlock] { ... }
@@ -12852,6 +12856,8 @@ ir.cpp:
 # 1200|                 Value = [Literal] 7
 # 1200|                 ValueCategory = prvalue
 # 1202|       getChild(1): [Handler] <handler>
+# 1202|         getParameter(): [Parameter] s
+# 1202|             Type = [PointerType] const char *
 # 1202|         getBlock(): [CatchBlock] { ... }
 # 1203|           getStmt(0): [ExprStmt] ExprStmt
 # 1203|             getExpr(): [ThrowExpr] throw ...
@@ -12864,6 +12870,8 @@ ir.cpp:
 # 1203|                     Type = [PointerType] const char *
 # 1203|                     ValueCategory = prvalue(load)
 # 1205|       getChild(2): [Handler] <handler>
+# 1205|         getParameter(): [Parameter] e
+# 1205|             Type = [LValueReferenceType] const String &
 # 1205|         getBlock(): [CatchBlock] { ... }
 # 1207|     getStmt(1): [ReturnStmt] return ...
 # 1211| [TopLevelFunction] void VectorTypes(int)
@@ -20586,6 +20594,8 @@ ir.cpp:
 # 2281|               Type = [Struct] String
 # 2281|               ValueCategory = lvalue
 # 2282|       getChild(1): [Handler] <handler>
+# 2282|         getParameter(): [Parameter] s
+# 2282|             Type = [PointerType] const char *
 # 2282|         getBlock(): [CatchBlock] { ... }
 # 2283|           getStmt(0): [ExprStmt] ExprStmt
 # 2283|             getExpr(): [ThrowExpr] throw ...
@@ -20598,6 +20608,8 @@ ir.cpp:
 # 2283|                     Type = [PointerType] const char *
 # 2283|                     ValueCategory = prvalue(load)
 # 2285|       getChild(2): [Handler] <handler>
+# 2285|         getParameter(): [Parameter] e
+# 2285|             Type = [LValueReferenceType] const String &
 # 2285|         getBlock(): [CatchBlock] { ... }
 # 2287|       getChild(3): [Handler] <handler>
 # 2287|         getBlock(): [CatchAnyBlock] { ... }
@@ -22845,6 +22857,8 @@ ir.cpp:
 # 2537|                 Value = [Literal] 42
 # 2537|                 ValueCategory = prvalue
 # 2539|       getChild(1): [Handler] <handler>
+# 2539|         getParameter(): [Parameter] (unnamed parameter 0)
+# 2539|             Type = [PlainCharType] char
 # 2539|         getBlock(): [CatchBlock] { ... }
 # 2541|         getImplicitDestructorCall(0): [DestructorCall] call to ~ClassWithDestructor
 # 2541|             Type = [VoidType] void

docs/codeql/index.html

@@ -101,7 +101,7 @@ <h2 class="Box-title text-mono f2 text-center">
                             latest version of CodeQL...</div>
                     </div>
                     <div class="Subhead border-0">
-                        <a href="codeql-overview/supported-languages-and-frameworks/">
+                        <a href="query-help/codeql-cwe-coverage/">
                             <div class="Subhead-heading f4 text-center">CodeQL coverage of CWEs</div>
                         </a>
                         <div class="Subhead-description">Detailed information on the coverage of Common Weakness Enumerations (CWEs) in the latest release...</div>

misc/bazel/registry/modules/rules_kotlin/1.9.4-codeql.1/MODULE.bazel → misc/bazel/registry/modules/rules_kotlin/2.0.0-codeql.1/MODULE.bazel

@@ -1,14 +1,16 @@
 module(
     name = "rules_kotlin",
-    version = "1.9.4-codeql.1",
+    version = "2.0.0-codeql.1",
+    compatibility_level = 1,
     repo_name = "rules_kotlin",
 )
 
-bazel_dep(name = "platforms", version = "0.0.6")
-bazel_dep(name = "bazel_skylib", version = "1.4.2")
+bazel_dep(name = "platforms", version = "0.0.10")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "rules_java", version = "7.2.0")
 bazel_dep(name = "rules_python", version = "0.23.1")
 bazel_dep(name = "rules_cc", version = "0.0.8")
+bazel_dep(name = "rules_android", version = "0.1.1")
 
 rules_kotlin_extensions = use_extension(
     "//src/main/starlark/core/repositories:bzlmod_setup.bzl",
@@ -19,7 +21,9 @@ use_repo(
     "com_github_google_ksp",
     "com_github_jetbrains_kotlin",
     "com_github_pinterest_ktlint",
-    "rules_android",
+    "kotlinx_serialization_core_jvm",
+    "kotlinx_serialization_json",
+    "kotlinx_serialization_json_jvm",
 )
 
 register_toolchains("//kotlin/internal:default_toolchain")

misc/bazel/registry/modules/rules_kotlin/1.9.4-codeql.1/patches/codeql_add_language_version_option.patch → misc/bazel/registry/modules/rules_kotlin/2.0.0-codeql.1/patches/codeql_add_language_version_option.patch

@@ -1,13 +1,13 @@
 We need to build different extractor variants with different -language-version options, which is not allowed
 in current kotlin_rules
 diff --git a/src/main/starlark/core/options/opts.kotlinc.bzl b/src/main/starlark/core/options/opts.kotlinc.bzl
-index 9b15fb8..c0ac2cd 100644
+index 5e1461b..b93e6aa 100644
 --- a/src/main/starlark/core/options/opts.kotlinc.bzl
 +++ b/src/main/starlark/core/options/opts.kotlinc.bzl
-@@ -28,6 +28,11 @@ def _map_jvm_target_to_flag(version):
+@@ -33,6 +33,11 @@ def _map_jdk_release_to_flag(version):
          return None
-     return ["-jvm-target=%s" % version]
- 
+     return ["-Xjdk-release=%s" % version]
+
 +def _map_language_version_to_flag(version):
 +    if not version:
 +        return None
@@ -16,9 +16,9 @@ index 9b15fb8..c0ac2cd 100644
  _KOPTS_ALL = {
      "warn": struct(
          args = dict(
-@@ -349,6 +354,15 @@ _KOPTS_ALL = {
+@@ -417,6 +422,15 @@ _KOPTS_ALL = {
          value_to_flag = None,
-         map_value_to_flag = _map_jvm_target_to_flag,
+         map_value_to_flag = _map_jdk_release_to_flag,
      ),
 +    "language_version": struct(
 +        args = dict(
@@ -30,5 +30,5 @@ index 9b15fb8..c0ac2cd 100644
 +        map_value_to_flag = _map_language_version_to_flag,
 +    ),
  }
- 
- # Filters out options that are not available in current compiler release
+
+ # Filters out options that are not available in current compiler release

misc/bazel/registry/modules/rules_kotlin/1.9.4-codeql.1/patches/codeql_do_not_emit_jdeps.patch → misc/bazel/registry/modules/rules_kotlin/2.0.0-codeql.1/patches/codeql_do_not_emit_jdeps.patch

@@ -1,9 +1,11 @@
 Emitting jdeps is broken for the 2.0.0 kotlin extractor, and we don't need those files.
 Patching it here rather than passing `--@rules_kotlin//kotlin/settings:jvm_emit_jdeps=false`
 allows us to not have to specify that option (and therefore pull in `rules_kotlin`) in `semmle-code`.
---- a/kotlin/settings/BUILD.bazel	2000-01-01 01:00:00.000000000 +0100
-+++ b/kotlin/settings/BUILD.bazel	2024-04-10 14:51:16.060085986 +0200
-@@ -16,7 +16,7 @@
+diff --git a/kotlin/settings/BUILD.bazel b/kotlin/settings/BUILD.bazel
+index 2c93c11..f352b80 100644
+--- a/kotlin/settings/BUILD.bazel
++++ b/kotlin/settings/BUILD.bazel
+@@ -25,7 +25,7 @@ release_archive(
  # Flag that controls the emission of jdeps files during kotlin jvm compilation.
  bool_flag(
      name = "jvm_emit_jdeps",

misc/bazel/registry/modules/rules_kotlin/2.0.0-codeql.1/source.json

@@ -0,0 +1,9 @@
+{
+    "integrity": "sha256-2JcjzJ67t72y66yhr30jg+B0YVZDz5ejZrdYp2t9xEM=",
+    "url": "https://github.com/bazelbuild/rules_kotlin/releases/download/v2.0.0/rules_kotlin-v2.0.0.tar.gz",
+    "patches": {
+        "codeql_do_not_emit_jdeps.patch": "sha256-1ir4Aio1SICxnj1wafQ0GefT/m7bwn2n+SQwq19V3A8=",
+        "codeql_add_language_version_option.patch": "sha256-t8Fm0bYZ4Q4vTqcoXZjyK4WPEoAafjE4whJLNnrnRbg="
+    },
+    "patch_strip": 1
+}

misc/bazel/registry/modules/rules_kotlin/metadata.json

@@ -21,7 +21,7 @@
         "github:bazelbuild/rules_kotlin"
     ],
     "versions": [
-        "1.9.4-codeql.1"
+        "2.0.0-codeql.1"
     ],
     "yanked_versions": {}
 }

misc/codegen/lib/schemadefs.py

@@ -1,4 +1,8 @@
-from typing import Callable as _Callable, Dict as _Dict, ClassVar as _ClassVar
+from typing import (
+    Callable as _Callable,
+    Dict as _Dict,
+    ClassVar as _ClassVar,
+)
 from misc.codegen.lib import schema as _schema
 import inspect as _inspect
 from dataclasses import dataclass as _dataclass
@@ -271,14 +275,16 @@ def __or__(self, other: _schema.PropertyModifier):
 
 _ = _PropertyAnnotation()
 
+drop = object()
 
-def annotate(annotated_cls: type) -> _Callable[[type], _PropertyAnnotation]:
+
+def annotate(annotated_cls: type, replace_bases: _Dict[type, type] | None = None) -> _Callable[[type], _PropertyAnnotation]:
     """
-    Add or modify schema annotations after a class has been defined
-    For the moment, only docstring annotation is supported. In the future, any kind of
-    modification will be allowed.
+    Add or modify schema annotations after a class has been defined previously.
+
+    The name of the class used for annotation must be `_`.
 
-    The name of the class used for annotation must be `_`
+    `replace_bases` can be used to replace bases on the annotated class.
     """
     def decorator(cls: type) -> _PropertyAnnotation:
         if cls.__name__ != "_":
@@ -287,11 +293,15 @@ def decorator(cls: type) -> _PropertyAnnotation:
             annotated_cls.__doc__ = cls.__doc__
         for p, v in cls.__dict__.get("_pragmas", {}).items():
             _ClassPragma(p, value=v)(annotated_cls)
+        if replace_bases:
+            annotated_cls.__bases__ = tuple(replace_bases.get(b, b) for b in annotated_cls.__bases__)
         for a in dir(cls):
             if a.startswith(_schema.inheritable_pragma_prefix):
                 setattr(annotated_cls, a, getattr(cls, a))
         for p, a in cls.__annotations__.items():
-            if p in annotated_cls.__annotations__:
+            if a is drop:
+                del annotated_cls.__annotations__[p]
+            elif p in annotated_cls.__annotations__:
                 annotated_cls.__annotations__[p] |= a
             elif isinstance(a, (_PropertyAnnotation, _PropertyModifierList)):
                 raise _schema.Error(f"annotated property {p} not present in annotated class "