Merge branch 'main' into redsun82/swift-self-contained-cpp-code-gen

Author: redsun82

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -872,7 +872,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType1(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("d|i") and
+      cnv = ["d", "i"] and
       result = this.getIntegralConversion(n) and
       not result.getUnderlyingType().(IntegralType).isExplicitlySigned() and
       not result.getUnderlyingType().(IntegralType).isExplicitlyUnsigned()
@@ -912,15 +912,15 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType2(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("o|u|x|X") and
+      cnv = ["o", "u", "x", "X"] and
       result = this.getIntegralConversion(n) and
       result.getUnderlyingType().(IntegralType).isUnsigned()
     )
   }
 
   private Type getConversionType3(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("a|A|e|E|f|F|g|G") and result = this.getFloatingPointConversion(n)
+      cnv = ["a", "A", "e", "E", "f", "F", "g", "G"] and result = this.getFloatingPointConversion(n)
     )
   }
 

cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql

@@ -19,7 +19,7 @@ predicate whitelist(Function f) {
       "nearbyintl", "rint", "rintf", "rintl", "round", "roundf", "roundl", "trunc", "truncf",
       "truncl"
     ] or
-  f.getName().matches("__builtin_%")
+  f.getName().matches("\\_\\_builtin\\_%")
 }
 
 predicate whitelistPow(FunctionCall fc) {

cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

@@ -58,7 +58,7 @@ where
       // unfortunately cannot use numeric value here because // O_CREAT is defined differently on different OSes:
       // https://github.com/red/red/blob/92feb0c0d5f91e087ab35fface6906afbf99b603/runtime/definitions.reds#L477-L491
       // this may introduce false negatives
-      fctmp.getArgument(1).(BitwiseOrExpr).getAChild*().getValueText().matches("O_CREAT") or
+      fctmp.getArgument(1).(BitwiseOrExpr).getAChild*().getValueText() = "O_CREAT" or
       fctmp.getArgument(1).getValueText().matches("%O_CREAT%")
     ) and
     fctmp.getNumberOfArguments() = 2 and

cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql

@@ -13,7 +13,7 @@ import cpp
 
 from Function f
 where
-  f.getName().regexpMatch("atof|atoi|atol") and
+  f.getName() = ["atof", "atoi", "atol"] and
   f.getFile().getAbsolutePath().matches("%stdlib.h")
 select f.getACallToThisFunction(),
   "AV Rule 23: The library functions atof, atoi and atol from library <stdlib.h> shall not be used."

cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql

@@ -13,7 +13,7 @@ import cpp
 
 from Function f
 where
-  f.getName().regexpMatch("abort|exit|getenv|system") and
+  f.getName() = ["abort", "exit", "getenv", "system"] and
   f.getFile().getAbsolutePath().matches("%stdlib.h")
 select f.getACallToThisFunction(),
   "The library functions abort, exit, getenv and system from library <stdlib.h> should not be used."

csharp/documentation/library-coverage/coverage.csv

@@ -1,6 +1,7 @@
 package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
 Dapper,55,,,,,,55,,,,
 Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
+Microsoft.EntityFrameworkCore,6,,,,,,6,,,,
 Microsoft.Extensions.Primitives,,,54,,,,,,,54,
 Microsoft.VisualBasic,,,4,,,,,,,,4
 MySql.Data.MySqlClient,48,,,,,,48,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -9,6 +9,6 @@ C# framework & library support
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
    System,"``System.*``, ``System``",3,2336,28,5
-   Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,131,
-   Totals,,3,2492,353,5
+   Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,137,
+   Totals,,3,2492,359,5
 

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -515,9 +515,7 @@ Element interpretElement(
 /**
  * Holds if `c` has a `generated` summary.
  */
-predicate hasSummary(DataFlowCallable c, boolean generated) {
-  summaryElement(c, _, _, _, generated)
-}
+predicate hasSummary(Callable c, boolean generated) { summaryElement(c, _, _, _, generated) }
 
 cached
 private module Cached {

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -1,6 +1,7 @@
 /** Provides classes and predicates for defining flow summaries. */
 
 import csharp
+private import dotnet
 private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch as DataFlowDispatch
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -12,14 +12,6 @@ private import semmle.code.csharp.dispatch.RuntimeCallable
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic
 
-private predicate summarizedCallable(DataFlowCallable c) {
-  c instanceof FlowSummary::SummarizedCallable
-  or
-  FlowSummaryImpl::Private::summaryReturnNode(_, TJumpReturnKind(c, _))
-  or
-  c = interpretElement(_, _, _, _, _, _)
-}
-
 /**
  * Gets a source declaration of callable `c` that has a body or has
  * a flow summary.
@@ -29,9 +21,6 @@ private predicate summarizedCallable(DataFlowCallable c) {
  */
 DotNet::Callable getCallableForDataFlow(DotNet::Callable c) {
   exists(DotNet::Callable unboundDecl | unboundDecl = c.getUnboundDeclaration() |
-    summarizedCallable(unboundDecl) and
-    result = unboundDecl
-    or
     result.hasBody() and
     if unboundDecl.getFile().fromSource()
     then
@@ -81,17 +70,27 @@ newtype TReturnKind =
       v = def.getSourceVariable().getAssignable()
     )
   } or
-  TJumpReturnKind(DataFlowCallable target, ReturnKind rk) {
-    rk instanceof NormalReturnKind and
+  TJumpReturnKind(Callable target, ReturnKind rk) {
+    target.isUnboundDeclaration() and
     (
-      target instanceof Constructor or
-      not target.getReturnType() instanceof VoidType
+      rk instanceof NormalReturnKind and
+      (
+        target instanceof Constructor or
+        not target.getReturnType() instanceof VoidType
+      )
+      or
+      exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
     )
-    or
-    exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
   }
 
 private module Cached {
+  cached
+  newtype TDataFlowCallable =
+    TDotNetCallable(DotNet::Callable c) {
+      c.isUnboundDeclaration() and not c instanceof FlowSummary::SummarizedCallable
+    } or
+    TSummarizedCallable(FlowSummary::SummarizedCallable c)
+
   cached
   newtype TDataFlowCall =
     TNonDelegateCall(ControlFlow::Nodes::ElementNode cfn, DispatchCall dc) {
@@ -108,7 +107,7 @@ private module Cached {
       // No need to include calls that are compiled from source
       not call.getImplementation().getMethod().compiledFromSource()
     } or
-    TSummaryCall(FlowSummary::SummarizedCallable c, Node receiver) {
+    TSummaryCall(FlowSummaryImpl::Public::SummarizedCallable c, Node receiver) {
       FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
     }
 
@@ -144,7 +143,7 @@ private module DispatchImpl {
    * call is a delegate call, or if the qualifier accesses a parameter of
    * the enclosing callable `c` (including the implicit `this` parameter).
    */
-  predicate mayBenefitFromCallContext(NonDelegateDataFlowCall call, Callable c) {
+  predicate mayBenefitFromCallContext(NonDelegateDataFlowCall call, DataFlowCallable c) {
     c = call.getEnclosingCallable() and
     call.getDispatchCall().mayBenefitFromCallContext()
   }
@@ -154,7 +153,7 @@ private module DispatchImpl {
    * restricted to those `call`s for which a context might make a difference.
    */
   DataFlowCallable viableImplInCallContext(NonDelegateDataFlowCall call, DataFlowCall ctx) {
-    result =
+    result.getUnderlyingCallable() =
       call.getDispatchCall()
           .getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall).getDispatchCall())
           .getUnboundDeclaration()
@@ -233,22 +232,38 @@ class ImplicitCapturedReturnKind extends ReturnKind, TImplicitCapturedReturnKind
  * one API entry point and out of another.
  */
 class JumpReturnKind extends ReturnKind, TJumpReturnKind {
-  private DataFlowCallable target;
+  private Callable target;
   private ReturnKind rk;
 
   JumpReturnKind() { this = TJumpReturnKind(target, rk) }
 
   /** Gets the target of the jump. */
-  DataFlowCallable getTarget() { result = target }
+  Callable getTarget() { result = target }
 
   /** Gets the return kind of the target. */
   ReturnKind getTargetReturnKind() { result = rk }
 
   override string toString() { result = "jump to " + target }
 }
 
-class DataFlowCallable extends DotNet::Callable {
-  DataFlowCallable() { this.isUnboundDeclaration() }
+/** A callable used for data flow. */
+class DataFlowCallable extends TDataFlowCallable {
+  /** Get the underlying source code callable, if any. */
+  DotNet::Callable asCallable() { this = TDotNetCallable(result) }
+
+  /** Get the underlying summarized callable, if any. */
+  FlowSummary::SummarizedCallable asSummarizedCallable() { this = TSummarizedCallable(result) }
+
+  /** Get the underlying callable. */
+  DotNet::Callable getUnderlyingCallable() {
+    result = this.asCallable() or result = this.asSummarizedCallable()
+  }
+
+  /** Gets a textual representation of this dataflow callable. */
+  string toString() { result = this.getUnderlyingCallable().toString() }
+
+  /** Get the location of this dataflow callable. */
+  Location getLocation() { result = this.getUnderlyingCallable().getLocation() }
 }
 
 /** A call relevant for data flow. */
@@ -306,18 +321,32 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
   DispatchCall getDispatchCall() { result = dc }
 
   override DataFlowCallable getARuntimeTarget() {
-    result = getCallableForDataFlow(dc.getADynamicTarget())
+    result.asCallable() = getCallableForDataFlow(dc.getADynamicTarget())
+    or
+    exists(Callable c, boolean static |
+      result.asSummarizedCallable() = c and
+      c = this.getATarget(static)
+    |
+      static = false
+      or
+      static = true and not c instanceof RuntimeCallable
+    )
+  }
+
+  /** Gets a static or dynamic target of this call. */
+  Callable getATarget(boolean static) {
+    result = dc.getADynamicTarget().getUnboundDeclaration() and static = false
     or
-    result = dc.getAStaticTarget().getUnboundDeclaration() and
-    summarizedCallable(result) and
-    not result instanceof RuntimeCallable
+    result = dc.getAStaticTarget().getUnboundDeclaration() and static = true
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
 
   override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = cfn.toString() }
 
@@ -345,7 +374,9 @@ class ExplicitDelegateLikeDataFlowCall extends DelegateDataFlowCall, TExplicitDe
 
   override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = cfn.toString() }
 
@@ -363,13 +394,15 @@ class TransitiveCapturedDataFlowCall extends DataFlowCall, TTransitiveCapturedCa
 
   TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn, target) }
 
-  override DataFlowCallable getARuntimeTarget() { result = target }
+  override DataFlowCallable getARuntimeTarget() { result.getUnderlyingCallable() = target }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
 
   override DataFlow::ExprNode getNode() { none() }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = "[transitive] " + cfn.toString() }
 
@@ -384,14 +417,16 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
 
   override DataFlowCallable getARuntimeTarget() {
     // There is no dispatch library for CIL, so do not consider overrides for now
-    result = getCallableForDataFlow(call.getTarget())
+    result.getUnderlyingCallable() = getCallableForDataFlow(call.getTarget())
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { none() }
 
   override DataFlow::ExprNode getNode() { result.getExpr() = call }
 
-  override DataFlowCallable getEnclosingCallable() { result = call.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    result.getUnderlyingCallable() = call.getEnclosingCallable()
+  }
 
   override string toString() { result = call.toString() }
 
@@ -406,7 +441,7 @@ class CilDataFlowCall extends DataFlowCall, TCilCall {
  * the method `Select`.
  */
 class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
-  private FlowSummary::SummarizedCallable c;
+  private FlowSummaryImpl::Public::SummarizedCallable c;
   private Node receiver;
 
   SummaryCall() { this = TSummaryCall(c, receiver) }
@@ -422,7 +457,7 @@ class SummaryCall extends DelegateDataFlowCall, TSummaryCall {
 
   override DataFlow::Node getNode() { none() }
 
-  override DataFlowCallable getEnclosingCallable() { result = c }
+  override DataFlowCallable getEnclosingCallable() { result.asSummarizedCallable() = c }
 
   override string toString() { result = "[summary] call to " + receiver + " in " + c }