Merge branch 'main' into add-activerecord-annotate

Author: thiggy1342

.github/workflows/ql-for-ql-build.yml

@@ -10,9 +10,10 @@ env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  queries:
-    runs-on: ubuntu-latest
+  analyze:
+    runs-on: ubuntu-latest-xl
     steps:
+      ### Build the queries ###
       - uses: actions/checkout@v3
       - name: Find codeql
         id: find-codeql
@@ -48,11 +49,7 @@ jobs:
           name: query-pack-zip
           path: ${{ runner.temp }}/query-pack.zip
 
-  extractors:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
+      ### Build the extractor ###
       - name: Cache entire extractor
         id: cache-extractor
         uses: actions/cache@v3
@@ -96,15 +93,8 @@ jobs:
             ql/target/release/ql-extractor
             ql/target/release/ql-extractor.exe
           retention-days: 1
-  package:
-    runs-on: ubuntu-latest
-
-    needs:
-      - extractors
-      - queries
 
-    steps:
-      - uses: actions/checkout@v3
+      ### Package the queries and extractor ###
       - uses: actions/download-artifact@v3
         with:
           name: query-pack-zip
@@ -132,16 +122,8 @@ jobs:
           name: codeql-ql-pack
           path: codeql-ql.zip
           retention-days: 1
-  analyze:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        folder: [cpp, csharp, java, javascript, python, ql, ruby, swift, go]
-
-    needs:
-      - package
 
-    steps:
+      ### Run the analysis ###
       - name: Download pack
         uses: actions/download-artifact@v3
         with:
@@ -161,22 +143,18 @@ jobs:
         env:
           PACK: ${{ runner.temp }}/pack
 
-      - name: Checkout repository
-        uses: actions/checkout@v3
       - name: Create CodeQL config file
         run: |
-          echo "paths:" > ${CONF}
-          echo "  - ${FOLDER}" >> ${CONF}
           echo "paths-ignore:" >> ${CONF}
           echo "  - ql/ql/test" >> ${CONF} 
+          echo "  - \"*/ql/lib/upgrades/\"" >> ${CONF} 
           echo "disable-default-queries: true" >> ${CONF}
           echo "packs:" >> ${CONF}
           echo "  - codeql/ql" >> ${CONF}
           echo "Config file: "
           cat ${CONF}
         env: 
           CONF: ./ql-for-ql-config.yml
-          FOLDER: ${{ matrix.folder }}
       - name: Initialize CodeQL
         uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
@@ -187,39 +165,24 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with: 
-          category: "ql-for-ql-${{ matrix.folder }}"
+          category: "ql-for-ql"
       - name: Copy sarif file to CWD
-        run: cp ../results/ql.sarif ./${{ matrix.folder }}.sarif
+        run: cp ../results/ql.sarif ./ql-for-ql.sarif
       - name: Fixup the $scema in sarif  # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
         run: |
-          sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ${{ matrix.folder }}.sarif 
+          sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif 
       - name: Sarif as artifact
         uses: actions/upload-artifact@v3
         with:
-          name: ${{ matrix.folder }}.sarif
-          path: ${{ matrix.folder }}.sarif
-
-  combine:
-    runs-on: ubuntu-latest
-    needs:
-      - analyze
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Make a folder for artifacts. 
-        run: mkdir -p results
-      - name: Download all sarif files
-        uses: actions/download-artifact@v3
-        with: 
-            path: results
-      - uses: actions/setup-node@v3
-        with:
-            node-version: 16
-      - name: Combine all sarif files
-        run: | 
-          node ./ql/scripts/merge-sarif.js results/**/*.sarif combined.sarif
-      - name: Upload combined sarif file
+          name: ql-for-ql.sarif
+          path: ql-for-ql.sarif
+      - name: Split out the sarif file into langs
+        run: |
+          mkdir split-sarif
+          node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
+      - name: Upload langs as artifacts
         uses: actions/upload-artifact@v3
         with:
-            name: combined.sarif
-            path: combined.sarif
+          name: ql-for-ql-langs
+          path: split-sarif
+          retention-days: 1

java/documentation/library-coverage/coverage.csv

@@ -36,7 +36,7 @@ java.lang,13,,58,,,,,,,,,,,8,,,,,4,,,1,,,,,,,,,,,,,,,46,12
 java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,3,7,
 java.nio,15,,6,,13,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,6,
 java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
-java.util,44,,438,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,24,414
+java.util,44,,441,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,24,417
 javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
 javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
 javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23

java/documentation/library-coverage/coverage.rst

@@ -15,9 +15,9 @@ Java framework & library support
    `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
    `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,39,,6,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
-   Java Standard Library,``java.*``,3,549,130,28,,,7,,,10
+   Java Standard Library,``java.*``,3,552,130,28,,,7,,,10
    Java extensions,"``javax.*``, ``jakarta.*``",63,609,32,,,4,,1,1,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,476,101,,,,19,14,,29
    Others,"``androidx.slice``, ``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``kotlin.jvm.internal``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.logging.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jboss.logging``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",65,395,932,,,,14,18,,3
-   Totals,,217,6410,1474,117,6,10,107,33,1,84
+   Totals,,217,6413,1474,117,6,10,107,33,1,84
 

javascript/ql/lib/semmle/javascript/Routing.qll

@@ -148,6 +148,18 @@ module Routing {
       this instanceof MkRouter
     }
 
+    /**
+     * Like `mayResumeDispatch` but without the assumption that functions with an unknown
+     * implementation invoke their continuation.
+     */
+    predicate definitelyResumesDispatch() {
+      this.getLastChild().definitelyResumesDispatch()
+      or
+      exists(this.(RouteHandler).getAContinuationInvocation())
+      or
+      this instanceof MkRouter
+    }
+
     /** Gets the parent of this node, provided that this node may invoke its continuation. */
     private Node getContinuationParent() {
       result = this.getParent() and

javascript/ql/lib/semmle/javascript/dataflow/TypeTracking.qll

@@ -312,7 +312,7 @@ class TypeBackTracker extends TTypeBackTracker {
    *   result = < some API call >.getArgument(< n >)
    *   or
    *   exists (DataFlow::TypeBackTracker t2 |
-   *     t = t2.smallstep(result, myType(t2))
+   *     t2 = t.smallstep(result, myType(t2))
    *   )
    * }
    *

javascript/ql/lib/semmle/javascript/frameworks/Express.qll

@@ -33,6 +33,11 @@ module Express {
     or
     // `app = [new] express.Router()`
     result = DataFlow::moduleMember("express", "Router").getAnInvocation()
+    or
+    exists(DataFlow::SourceNode app |
+      app.hasUnderlyingType("probot/lib/application", "Application") and
+      result = app.getAMethodCall("route")
+    )
   }
 
   /**
@@ -1043,4 +1048,22 @@ module Express {
 
     override DataFlow::SourceNode getOutput() { result = this.getCallback(2).getParameter(1) }
   }
+
+  private class ResumeDispatchRefinement extends Routing::RouteHandler {
+    ResumeDispatchRefinement() { this.getFunction() instanceof RouteHandler }
+
+    override predicate mayResumeDispatch() { this.getAParameter().getName() = "next" }
+
+    override predicate definitelyResumesDispatch() { this.getAParameter().getName() = "next" }
+  }
+
+  private class ExpressStaticResumeDispatchRefinement extends Routing::Node {
+    ExpressStaticResumeDispatchRefinement() {
+      this = Routing::getNode(DataFlow::moduleMember("express", "static").getACall())
+    }
+
+    override predicate mayResumeDispatch() { none() }
+
+    override predicate definitelyResumesDispatch() { none() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll

@@ -80,7 +80,7 @@ module UnsafeHtmlConstruction {
     t.start() and
     result = sink
     or
-    exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, isUsedInXssSink(t2, sink)))
+    exists(DataFlow::TypeBackTracker t2 | t2 = t.smallstep(result, isUsedInXssSink(t2, sink)))
     or
     exists(DataFlow::TypeBackTracker t2 |
       t.continue() = t2 and

javascript/ql/src/Declarations/UnusedVariable.ql

@@ -144,6 +144,9 @@ predicate whitelisted(UnusedLocal v) {
   // exclude variables mentioned in JSDoc comments in externs
   mentionedInJSDocComment(v)
   or
+  // the attributes in .vue files are not extracted, so we can get false positives in those.
+  v.getADeclaration().getFile().getExtension() = "vue"
+  or
   // exclude variables used to filter out unwanted properties
   isPropertyFilter(v)
   or

javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql

@@ -50,7 +50,7 @@ private DataFlow::Node endsInCodeInjectionSink(DataFlow::TypeBackTracker t) {
     not result instanceof StringOps::ConcatenationRoot // the heuristic CodeInjection sink looks for string-concats, we are not interrested in those here.
   )
   or
-  exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, endsInCodeInjectionSink(t2)))
+  exists(DataFlow::TypeBackTracker t2 | t2 = t.smallstep(result, endsInCodeInjectionSink(t2)))
 }
 
 /**

javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware
+when accessing an endpoint with a case-insensitive path.
+Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.
+</p>
+</overview>
+
+<recommendation>
+<p>
+When using a regular expression as a middleware path, make sure the regular expression is
+case-insensitive by adding the <code>i</code> flag.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example restricts access to paths in the <code>/admin</code> path to users logged in as
+administrators:
+</p>
+<sample src="examples/CaseSensitiveMiddlewarePath.js" />
+<p>
+A path such as <code>/admin/users/45</code> can only be accessed by an administrator. However, the path
+<code>/ADMIN/USERS/45</code> can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas
+Express considers it to match the path string <code>/admin/users</code>.
+</p>
+<p>
+The issue can be fixed by adding the <code>i</code> flag to the regular expression:
+</p>
+<sample src="examples/CaseSensitiveMiddlewarePathGood.js" />
+</example>
+
+<references>
+<li>
+MDN
+<a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags">Regular Expression Flags</a>.
+</li>
+</references>
+</qhelp>