Merge remote-tracking branch 'upstream/master' into exceptionXss

Author: erik-krogh

README.md

@@ -5,7 +5,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 ## How do I learn CodeQL and run queries?
 
 There is [extensive documentation](https://help.semmle.com/QL/learn-ql/) on getting started with writing CodeQL.
-You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [QL for Eclipse](https://lgtm.com/help/lgtm/running-queries-ide) plugin to try out your queries on any open source project that's currently being analyzed.
+You can use the [interactive query console](https://lgtm.com/help/lgtm/using-query-console) on LGTM.com or the [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode.html) extension to try out your queries on any open source project that's currently being analyzed.
 
 ## Contributing
 

change-notes/1.23/analysis-csharp.md

@@ -4,8 +4,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
 
 ## New queries
 
-## New queries
-
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |

change-notes/1.24/analysis-javascript.md

@@ -0,0 +1,24 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Support for the following frameworks and libraries has been improved:
+  - [react](https://www.npmjs.com/package/react)
+  - [Handlebars](https://www.npmjs.com/package/handlebars)
+
+## New queries
+
+| **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
+|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+
+
+## Changes to existing queries
+
+| **Query**                      | **Expected impact**          | **Change**                                                                |
+|--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Clear-text logging of sensitive information (`js/clear-text-logging`) | More results | More results involving `process.env` and indirect calls to logging methods are recognized. |
+| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false positive results | This query now recognizes additional cases where a single replacement is likely to be intentional. |
+| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | This query now recognizes additional ways event handler receivers can be bound. | 
+
+## Changes to libraries
+

cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql

@@ -15,7 +15,10 @@ import cpp
 
 from ExprInVoidContext op
 where
-  op instanceof EQExpr
-  or
-  op.(FunctionCall).getTarget().hasName("operator==")
+  not op.isUnevaluated() and
+  (
+    op instanceof EQExpr
+    or
+    op.(FunctionCall).getTarget().hasName("operator==")
+  )
 select op, "This '==' operator has no effect. The assignment ('=') operator was probably intended."

cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql

@@ -84,8 +84,10 @@ where
   not peivc.getEnclosingFunction().isDefaulted() and
   not exists(Macro m | peivc = m.getAnInvocation().getAnExpandedElement()) and
   not peivc.isFromTemplateInstantiation(_) and
+  not peivc.isFromUninstantiatedTemplate(_) and
   parent = peivc.getParent() and
   not parent.isInMacroExpansion() and
+  not peivc.isUnevaluated() and
   not parent instanceof PureExprInVoidContext and
   not peivc.getEnclosingFunction().isCompilerGenerated() and
   not peivc.getType() instanceof UnknownType and

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow-bad.cpp

@@ -1,3 +1,3 @@
-bool not_in_range(T *ptr, T *ptr_end, size_t a) {
-    return ptr + a >= ptr_end || ptr + a < ptr; // BAD
+bool not_in_range(T *ptr, T *ptr_end, size_t i) {
+    return ptr + i >= ptr_end || ptr + i < ptr; // BAD
 }

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow-good.cpp

@@ -1,3 +1,3 @@
-bool not_in_range(T *ptr, T *ptr_end, size_t a) {
-    return a >= ptr_end - ptr; // GOOD
+bool not_in_range(T *ptr, T *ptr_end, size_t i) {
+    return i >= ptr_end - ptr; // GOOD
 }

cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.qhelp

@@ -4,29 +4,27 @@
 <qhelp>
 <overview>
 <p>
-The expression <code>ptr + a &lt; ptr</code> is equivalent to <code>a &lt;
-0</code>, and an optimizing compiler is likely to make that replacement,
-thereby removing a range check that might have been necessary for security.
-If <code>a</code> is known to be non-negative, the compiler can even replace <code>ptr +
-a &lt; ptr</code> with <code>false</code>.
+When checking for integer overflow, you may often write tests like
+<code>p + i &lt; p</code>.  This works fine if <code>p</code> and
+<code>i</code> are unsigned integers, since any overflow in the addition
+will cause the value to simply "wrap around."  However, using this pattern when
+<code>p</code> is a pointer is problematic because pointer overflow has
+undefined behavior according to the C and C++ standards.  If the addition
+overflows and has an undefined result, the comparison will likewise be
+undefined; it may produce an unintended result, or may be deleted entirely by an
+optimizing compiler.
 </p>
 
-<p>
-The reason is that pointer arithmetic overflow in C/C++ is undefined
-behavior. The optimizing compiler can assume that the program has no
-undefined behavior, which means that adding a positive number to <code>ptr</code> cannot
-produce a pointer less than  <code>ptr</code>.
-</p>
 </overview>
 <recommendation>
 <p>
-To check whether an index <code>a</code> is less than the length of an array, 
-simply compare these two numbers as unsigned integers: <code>a &lt; ARRAY_LENGTH</code>. 
+To check whether an index <code>i</code> is less than the length of an array, 
+simply compare these two numbers as unsigned integers: <code>i &lt; ARRAY_LENGTH</code>. 
 If the length of the array is defined as the difference between two pointers 
-<code>ptr</code> and <code>p_end</code>, write <code>a &lt; p_end - ptr</code>.
-If a is <code>signed</code>, cast it to <code>unsigned</code> 
-in order to guard against negative <code>a</code>. For example, write 
-<code>(size_t)a &lt; p_end - ptr</code>.
+<code>ptr</code> and <code>p_end</code>, write <code>i &lt; p_end - ptr</code>.
+If <code>i</code> is signed, cast it to unsigned
+in order to guard against negative <code>i</code>. For example, write 
+<code>(size_t)i &lt; p_end - ptr</code>.
 </p>
 </recommendation>
 <example>
@@ -43,14 +41,14 @@ overflows and wraps around.
 <p>
 In both of these checks, the operations are performed in the wrong order.
 First, an expression that may cause undefined behavior is evaluated
-(<code>ptr + a</code>), and then the result is checked for being in range.
+(<code>ptr + i</code>), and then the result is checked for being in range.
 But once undefined behavior has happened in the pointer addition, it cannot
 be recovered from: it's too late to perform the range check after a possible
 pointer overflow.
 </p>
 
 <p>
-While it's not the subject of this query, the expression <code>ptr + a &lt;
+While it's not the subject of this query, the expression <code>ptr + i &lt;
 ptr_end</code> is also an invalid range check. It's undefined behavor in
 C/C++ to create a pointer that points more than one past the end of an
 allocation.

cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qhelp

@@ -3,9 +3,20 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-  <p>Using TLS or SSLv23 protool from the boost::asio library, but not disabling deprecated protocols or disabling minimum-recommended protocols.</p>
+  <p>Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols may expose the software to known vulnerabilities or permit weak encryption algorithms to be used.  Disabling the minimum-recommended protocols is also flagged.</p>
 </overview>
 
+<recommendation>
+<p>When using the TLS or SSLv23 protocol, set the <code>no_tlsv1</code> and <code>no_tlsv1_1</code> options, but do not set <code>no_tlsv1_2</code>. When using the SSLv23 protocol, also set the <code>no_sslv3</code> option.</p>
+</recommendation>
+
+<example>
+<p>In the following example, the <code>no_tlsv1_1</code> option has not been set.  Use of TLS 1.1 is not recommended.</p>
+<sample src="TlsSettingsMisconfigurationBad.cpp"/>
+<p>In the corrected example, the <code>no_tlsv1</code> and <code>no_tlsv1_1</code> options have both been set, ensuring the use of TLS 1.2 or later.</p>
+<sample src="TlsSettingsMisconfigurationGood.cpp"/>
+</example>
+
 <references>
   <li>
     <a href="https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio.html">Boost.Asio documentation</a>.

cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql

@@ -1,6 +1,6 @@
 /**
  * @name Boost_asio TLS Settings Misconfiguration
- * @description Using TLS or SSLv23 protool from the boost::asio library, but not disabling deprecated protocols or disabling minimum-recommended protocols
+ * @description Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols, or disabling minimum-recommended protocols.
  * @kind problem
  * @problem.severity error
  * @id cpp/boost/tls_settings_misconfiguration