Merge branch 'main' of github.com:github/codeql into 'main'

Conflicts:
	docs/codeql/query-help/codeql-cwe-coverage.rst

Author: aibaars

.codeqlmanifest.json

@@ -5,5 +5,7 @@
                "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
+               "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+               "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
                "misc/suite-helpers/qlpack.yml" ] }

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll

@@ -126,13 +126,7 @@ class MallocSizeExpr extends BufferAccess, FunctionCall {
 }
 
 class NetworkFunctionCall extends FunctionCall {
-  NetworkFunctionCall() {
-    getTarget().hasName("ntohd") or
-    getTarget().hasName("ntohf") or
-    getTarget().hasName("ntohl") or
-    getTarget().hasName("ntohll") or
-    getTarget().hasName("ntohs")
-  }
+  NetworkFunctionCall() { getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }
 
 class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -103,12 +103,7 @@ private predicate posixSystemInfo(FunctionCall source, Element use) {
   //  - various filesystem parameters
   // int uname(struct utsname *buf)
   //  - OS name and version
-  (
-    source.getTarget().hasName("confstr") or
-    source.getTarget().hasName("statvfs") or
-    source.getTarget().hasName("fstatvfs") or
-    source.getTarget().hasName("uname")
-  ) and
+  source.getTarget().hasName(["confstr", "statvfs", "fstatvfs", "uname"]) and
   use = source.getArgument(1)
 }
 
@@ -128,14 +123,9 @@ private predicate posixPWInfo(FunctionCall source, Element use) {
   // struct group  *getgrnam(const char *name);
   // struct group  *getgrgid(gid_t);
   // struct group  *getgrent(void);
-  (
-    source.getTarget().hasName("getpwnam") or
-    source.getTarget().hasName("getpwuid") or
-    source.getTarget().hasName("getpwent") or
-    source.getTarget().hasName("getgrnam") or
-    source.getTarget().hasName("getgrgid") or
-    source.getTarget().hasName("getgrent")
-  ) and
+  source
+      .getTarget()
+      .hasName(["getpwnam", "getpwuid", "getpwent", "getgrnam", "getgrgid", "getgrent"]) and
   use = source
   or
   // int getpwnam_r(const char *name, struct passwd *pwd,
@@ -146,31 +136,15 @@ private predicate posixPWInfo(FunctionCall source, Element use) {
   //                char *buf, size_t buflen, struct group **result);
   // int getgrnam_r(const char *name, struct group *grp,
   //                char *buf, size_t buflen, struct group **result);
-  (
-    source.getTarget().hasName("getpwnam_r") or
-    source.getTarget().hasName("getpwuid_r") or
-    source.getTarget().hasName("getgrgid_r") or
-    source.getTarget().hasName("getgrnam_r")
-  ) and
-  (
-    use = source.getArgument(1) or
-    use = source.getArgument(2) or
-    use = source.getArgument(4)
-  )
+  source.getTarget().hasName(["getpwnam_r", "getpwuid_r", "getgrgid_r", "getgrnam_r"]) and
+  use = source.getArgument([1, 2, 4])
   or
   // int getpwent_r(struct passwd *pwd, char *buffer, size_t bufsize,
   //                struct passwd **result);
   // int getgrent_r(struct group *gbuf, char *buf,
   //                size_t buflen, struct group **gbufp);
-  (
-    source.getTarget().hasName("getpwent_r") or
-    source.getTarget().hasName("getgrent_r")
-  ) and
-  (
-    use = source.getArgument(0) or
-    use = source.getArgument(1) or
-    use = source.getArgument(3)
-  )
+  source.getTarget().hasName(["getpwent_r", "getgrent_r"]) and
+  use = source.getArgument([0, 1, 3])
 }
 
 /**
@@ -190,13 +164,11 @@ private predicate windowsSystemInfo(FunctionCall source, Element use) {
   // BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo);
   // void WINAPI GetSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
   // void WINAPI GetNativeSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
-  (
-    source.getTarget().hasGlobalName("GetVersionEx") or
-    source.getTarget().hasGlobalName("GetVersionExA") or
-    source.getTarget().hasGlobalName("GetVersionExW") or
-    source.getTarget().hasGlobalName("GetSystemInfo") or
-    source.getTarget().hasGlobalName("GetNativeSystemInfo")
-  ) and
+  source
+      .getTarget()
+      .hasGlobalName([
+          "GetVersionEx", "GetVersionExA", "GetVersionExW", "GetSystemInfo", "GetNativeSystemInfo"
+        ]) and
   use = source.getArgument(0)
 }
 
@@ -216,11 +188,11 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
   //   _In_  int    csidl,
   //   _In_  BOOL   fCreate
   // );
-  (
-    source.getTarget().hasGlobalName("SHGetSpecialFolderPath") or
-    source.getTarget().hasGlobalName("SHGetSpecialFolderPathA") or
-    source.getTarget().hasGlobalName("SHGetSpecialFolderPathW")
-  ) and
+  source
+      .getTarget()
+      .hasGlobalName([
+          "SHGetSpecialFolderPath", "SHGetSpecialFolderPathA", "SHGetSpecialFolderPathW"
+        ]) and
   use = source.getArgument(1)
   or
   // HRESULT SHGetKnownFolderPath(
@@ -239,11 +211,7 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
   //   _In_  DWORD  dwFlags,
   //   _Out_ LPTSTR pszPath
   // );
-  (
-    source.getTarget().hasGlobalName("SHGetFolderPath") or
-    source.getTarget().hasGlobalName("SHGetFolderPathA") or
-    source.getTarget().hasGlobalName("SHGetFolderPathW")
-  ) and
+  source.getTarget().hasGlobalName(["SHGetFolderPath", "SHGetFolderPathA", "SHGetFolderPathW"]) and
   use = source.getArgument(4)
   or
   // HRESULT SHGetFolderPathAndSubDir(
@@ -254,11 +222,11 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
   //   _In_  LPCTSTR pszSubDir,
   //   _Out_ LPTSTR  pszPath
   // );
-  (
-    source.getTarget().hasGlobalName("SHGetFolderPathAndSubDir") or
-    source.getTarget().hasGlobalName("SHGetFolderPathAndSubDirA") or
-    source.getTarget().hasGlobalName("SHGetFolderPathAndSubDirW")
-  ) and
+  source
+      .getTarget()
+      .hasGlobalName([
+          "SHGetFolderPathAndSubDir", "SHGetFolderPathAndSubDirA", "SHGetFolderPathAndSubDirW"
+        ]) and
   use = source.getArgument(5)
 }
 
@@ -273,11 +241,7 @@ class WindowsFolderPath extends SystemData {
 }
 
 private predicate logonUser(FunctionCall source, VariableAccess use) {
-  (
-    source.getTarget().hasGlobalName("LogonUser") or
-    source.getTarget().hasGlobalName("LogonUserW") or
-    source.getTarget().hasGlobalName("LogonUserA")
-  ) and
+  source.getTarget().hasGlobalName(["LogonUser", "LogonUserW", "LogonUserA"]) and
   use = source.getAnArgument()
 }
 
@@ -297,11 +261,7 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
   //   _Out_opt_   LPTSTR  lpValue,
   //   _Inout_opt_ PLONG   lpcbValue
   // );
-  (
-    source.getTarget().hasGlobalName("RegQueryValue") or
-    source.getTarget().hasGlobalName("RegQueryValueA") or
-    source.getTarget().hasGlobalName("RegQueryValueW")
-  ) and
+  source.getTarget().hasGlobalName(["RegQueryValue", "RegQueryValueA", "RegQueryValueW"]) and
   use = source.getArgument(2)
   or
   // LONG WINAPI RegQueryMultipleValues(
@@ -311,11 +271,11 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
   //   _Out_opt_   LPTSTR  lpValueBuf,
   //   _Inout_opt_ LPDWORD ldwTotsize
   // );
-  (
-    source.getTarget().hasGlobalName("RegQueryMultipleValues") or
-    source.getTarget().hasGlobalName("RegQueryMultipleValuesA") or
-    source.getTarget().hasGlobalName("RegQueryMultipleValuesW")
-  ) and
+  source
+      .getTarget()
+      .hasGlobalName([
+          "RegQueryMultipleValues", "RegQueryMultipleValuesA", "RegQueryMultipleValuesW"
+        ]) and
   use = source.getArgument(3)
   or
   // LONG WINAPI RegQueryValueEx(
@@ -326,11 +286,7 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
   //   _Out_opt_   LPBYTE  lpData,
   //   _Inout_opt_ LPDWORD lpcbData
   // );
-  (
-    source.getTarget().hasGlobalName("RegQueryValueEx") or
-    source.getTarget().hasGlobalName("RegQueryValueExA") or
-    source.getTarget().hasGlobalName("RegQueryValueExW")
-  ) and
+  source.getTarget().hasGlobalName(["RegQueryValueEx", "RegQueryValueExA", "RegQueryValueExW"]) and
   use = source.getArgument(4)
   or
   // LONG WINAPI RegGetValue(
@@ -342,11 +298,7 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
   //   _Out_opt_   PVOID   pvData,
   //   _Inout_opt_ LPDWORD pcbData
   // );
-  (
-    source.getTarget().hasGlobalName("RegGetValue") or
-    source.getTarget().hasGlobalName("RegGetValueA") or
-    source.getTarget().hasGlobalName("RegGetValueW")
-  ) and
+  source.getTarget().hasGlobalName(["RegGetValue", "RegGetValueA", "RegGetValueW"]) and
   use = source.getArgument(5)
 }
 
@@ -408,12 +360,7 @@ private predicate socketOutput(FunctionCall call, Expr data) {
     //                const struct sockaddr *dest_addr, socklen_t addrlen);
     // ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags);
     // int write(int handle, void *buffer, int nbyte);
-    (
-      call.getTarget().hasGlobalName("send") or
-      call.getTarget().hasGlobalName("sendto") or
-      call.getTarget().hasGlobalName("sendmsg") or
-      call.getTarget().hasGlobalName("write")
-    ) and
+    call.getTarget().hasGlobalName(["send", "sendto", "sendmsg", "write"]) and
     data = call.getArgument(1) and
     socketFileDescriptor(call.getArgument(0))
   )

cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql

@@ -44,14 +44,13 @@ class SetuidLikeWrapperCall extends FunctionCall {
 
 class CallBeforeSetuidFunctionCall extends FunctionCall {
   CallBeforeSetuidFunctionCall() {
-    (
-      getTarget().hasGlobalName("setgid") or
-      getTarget().hasGlobalName("setresgid") or
-      // Compatibility may require skipping initgroups and setgroups return checks.
-      // A stricter best practice is to check the result and errnor for EPERM.
-      getTarget().hasGlobalName("initgroups") or
-      getTarget().hasGlobalName("setgroups")
-    ) and
+    getTarget()
+        .hasGlobalName([
+            "setgid", "setresgid",
+            // Compatibility may require skipping initgroups and setgroups return checks.
+            // A stricter best practice is to check the result and errnor for EPERM.
+            "initgroups", "setgroups"
+          ]) and
     // setgid/setresgid/etc with the root group are false positives.
     not argumentMayBeRoot(getArgument(0))
   }

cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql

@@ -15,13 +15,7 @@ import cpp
 
 from Element u, ArithmeticType at
 where
-  (
-    at.hasName("int") or
-    at.hasName("short") or
-    at.hasName("long") or
-    at.hasName("float") or
-    at.hasName("double")
-  ) and
+  at.hasName(["int", "short", "long", "float", "double"]) and
   u = at.getATypeNameUse() and
   not at instanceof WideCharType
 select u, "AV Rule 209: The basic types of int, short, long, float and double shall not be used."

csharp/ql/lib/semmle/code/csharp/Conversion.qll

@@ -552,11 +552,16 @@ private predicate defaultDynamicConversion(Type fromType, Type toType) {
   fromType instanceof RefType and toType instanceof DynamicType
 }
 
+pragma[noinline]
+private predicate systemDelegateBaseType(RefType t) {
+  t = any(SystemDelegateClass c).getABaseType*()
+}
+
 // This is a deliberate, small cartesian product, so we have manually lifted it to force the
 // evaluator to evaluate it in its entirety, rather than trying to optimize it in context.
 pragma[noinline]
 private predicate defaultDelegateConversion(RefType fromType, RefType toType) {
-  fromType instanceof DelegateType and toType = any(SystemDelegateClass c).getABaseType*()
+  fromType instanceof DelegateType and systemDelegateBaseType(toType)
 }
 
 private predicate convRefTypeRefType(RefType fromType, RefType toType) {

docs/codeql/codeql-cli/about-ql-packs.rst

@@ -7,7 +7,7 @@ QL packs are used to organize the files used in CodeQL analysis. They
 contain queries, library files, query suites, and important metadata.
 
 The `CodeQL repository <https://github.com/github/codeql>`__ contains QL packs for
-C/C++, C#, Java, JavaScript, and Python. The `CodeQL for Go
+C/C++, C#, Java, JavaScript, Python, and Ruby. The `CodeQL for Go
 <https://github.com/github/codeql-go/>`__ repository contains a QL pack for Go
 analysis. You can also make custom QL packs to contain your own queries and
 libraries.

docs/codeql/codeql-cli/creating-codeql-databases.rst

@@ -88,15 +88,15 @@ Creating databases for non-compiled languages
 ---------------------------------------------
 
 The CodeQL CLI includes extractors to create databases for non-compiled
-languages---specifically, JavaScript (and TypeScript) and Python. These
-extractors are automatically invoked when you specify JavaScript or Python as
+languages---specifically, JavaScript (and TypeScript), Python, and Ruby. These
+extractors are automatically invoked when you specify JavaScript, Python, or Ruby as
 the ``--language`` option when executing ``database create``. When creating
 databases for these languages you must ensure that all additional dependencies
 are available.
 
 .. pull-quote:: Important
 
-   When you run ``database create`` for JavaScript, TypeScript, and Python, you should not
+   When you run ``database create`` for JavaScript, TypeScript, Python, and Ruby, you should not
    specify a ``--command`` option. Otherwise this overrides the normal
    extractor invocation, which will create an empty database. If you create
    databases for multiple languages and one of them is a compiled language,
@@ -116,6 +116,8 @@ Here, we have specified a ``--source-root`` path, which is the location where
 database creation is executed, but is not necessarily the checkout root of the
 codebase. 
 
+By default, files in ``node_modules`` and ``bower_components`` directories are not extracted.
+
 Python
 ~~~~~~
 
@@ -127,14 +129,25 @@ When creating databases for Python you must ensure:
   packages that the codebase depends on.
 - You have installed the `virtualenv <https://pypi.org/project/virtualenv/>`__ pip module.
 
-In the command line you must specify ``--language=python``. For example
+In the command line you must specify ``--language=python``. For example::
 ::
 
    codeql database create --language=python <output-folder>/python-database
 
-executes the ``database create`` subcommand from the code's checkout root,
+This executes the ``database create`` subcommand from the code's checkout root,
 generating a new Python database at ``<output-folder>/python-database``.
 
+Ruby
+~~~~
+
+Creating databases for Ruby requires no additional dependencies. 
+In the command line you must specify ``--language=ruby``. For example::
+
+   codeql database create --language=ruby --source-root <folder-to-extract> <output-folder>/ruby-database
+
+Here, we have specified a ``--source-root`` path, which is the location where
+database creation is executed, but is not necessarily the checkout root of the
+codebase. 
 
 Creating databases for compiled languages
 -----------------------------------------

docs/codeql/codeql-cli/getting-started-with-the-codeql-cli.rst

@@ -100,7 +100,7 @@ further options on the command line.
 
 The `CodeQL repository <https://github.com/github/codeql>`__ contains 
 the queries and libraries required for CodeQL analysis of C/C++, C#, Java,
-JavaScript/TypeScript, and Python.
+JavaScript/TypeScript, Python, and Ruby.
 Clone a copy of this repository into ``codeql-home``. 
 
 By default, the root of the cloned repository will be called ``codeql``. 

docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst

@@ -78,7 +78,7 @@ Using the starter workspace
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The starter workspace is a Git repository. It contains:
 
-* The `repository of CodeQL libraries and queries <https://github.com/github/codeql>`__ for C/C++, C#, Java, JavaScript, and Python. This is included as a submodule, so it can be updated without affecting your custom queries.
+* The `repository of CodeQL libraries and queries <https://github.com/github/codeql>`__ for C/C++, C#, Java, JavaScript, Python, and Ruby. This is included as a submodule, so it can be updated without affecting your custom queries.
 * The `repository of CodeQL libraries and queries <https://github.com/github/codeql-go>`__ for Go. This is also included as a submodule.
 * A series of folders named ``codeql-custom-queries-<language>``. These are ready for you to start developing your own custom queries for each language, using the standard libraries. There are some example queries to get you started.