Merge remote-tracking branch 'origin/main' into nickrolfe/constant_regexp

Author: nickrolfe

.github/workflows/ql-for-ql-build.yml

@@ -16,9 +16,10 @@ jobs:
       - uses: actions/checkout@v2
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@erik-krogh/ql
+        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
           languages: javascript # does not matter
+          tools: latest
       - name: Get CodeQL version
         id: get-codeql-version
         run: |
@@ -159,7 +160,7 @@ jobs:
           PACK: ${{ runner.temp }}/pack
       - name: Hack codeql-action options
         run: |
-          JSON=$(jq -nc --arg pack "${PACK}" '.resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
+          JSON=$(jq -nc --arg pack "${PACK}" '.database."run-queries"=["--search-path", $pack] | .resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
           echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
         env:
           PACK: ${{ runner.temp }}/pack
@@ -171,22 +172,25 @@ jobs:
           echo "paths:" > ${CONF}
           echo "  - ${FOLDER}" >> ${CONF}
           echo "paths-ignore:" >> ${CONF}
-          echo "  - ql/ql/test" >> ${CONF}
+          echo "  - ql/ql/test" >> ${CONF} 
+          echo "disable-default-queries: true" >> ${CONF}
+          echo "packs:" >> ${CONF}
+          echo "  - codeql/ql" >> ${CONF}
           echo "Config file: "
           cat ${CONF}
         env: 
           CONF: ./ql-for-ql-config.yml
           FOLDER: ${{ matrix.folder }}
-
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@erik-krogh/ql
+        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
+          tools: latest
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@erik-krogh/ql
+        uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with: 
           category: "ql-for-ql-${{ matrix.folder }}"
       - name: Copy sarif file to CWD

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -26,7 +26,7 @@ jobs:
 
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@erik-krogh/ql
+        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
           languages: javascript # does not matter
       - uses: actions/cache@v2

.github/workflows/ql-for-ql-tests.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@erik-krogh/ql
+        uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
           languages: javascript # does not matter
       - uses: actions/cache@v2

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll

@@ -161,8 +161,13 @@ class IRBlock extends IRBlockBase {
    */
   pragma[noinline]
   final IRBlock dominanceFrontier() {
-    this.dominates(result.getAPredecessor()) and
-    not this.strictlyDominates(result)
+    this.getASuccessor() = result and
+    not this.immediatelyDominates(result)
+    or
+    exists(IRBlock prev | result = prev.dominanceFrontier() |
+      this.immediatelyDominates(prev) and
+      not this.immediatelyDominates(result)
+    )
   }
 
   /**
@@ -201,8 +206,13 @@ class IRBlock extends IRBlockBase {
    */
   pragma[noinline]
   final IRBlock postDominanceFrontier() {
-    this.postDominates(result.getASuccessor()) and
-    not this.strictlyPostDominates(result)
+    this.getAPredecessor() = result and
+    not this.immediatelyPostDominates(result)
+    or
+    exists(IRBlock prev | result = prev.postDominanceFrontier() |
+      this.immediatelyPostDominates(prev) and
+      not this.immediatelyPostDominates(result)
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll

@@ -161,8 +161,13 @@ class IRBlock extends IRBlockBase {
    */
   pragma[noinline]
   final IRBlock dominanceFrontier() {
-    this.dominates(result.getAPredecessor()) and
-    not this.strictlyDominates(result)
+    this.getASuccessor() = result and
+    not this.immediatelyDominates(result)
+    or
+    exists(IRBlock prev | result = prev.dominanceFrontier() |
+      this.immediatelyDominates(prev) and
+      not this.immediatelyDominates(result)
+    )
   }
 
   /**
@@ -201,8 +206,13 @@ class IRBlock extends IRBlockBase {
    */
   pragma[noinline]
   final IRBlock postDominanceFrontier() {
-    this.postDominates(result.getASuccessor()) and
-    not this.strictlyPostDominates(result)
+    this.getAPredecessor() = result and
+    not this.immediatelyPostDominates(result)
+    or
+    exists(IRBlock prev | result = prev.postDominanceFrontier() |
+      this.immediatelyPostDominates(prev) and
+      not this.immediatelyPostDominates(result)
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -154,13 +154,6 @@ private predicate ignoreSideEffects(Expr expr) {
  * around extractor bugs. Once the relevant extractor bugs are fixed, this predicate can be removed.
  */
 private predicate isInvalidFunction(Function func) {
-  exists(Literal literal |
-    // Constructor field inits within a compiler-generated copy constructor have a source expression
-    // that is a `Literal` with no value.
-    literal = func.(Constructor).getAnInitializer().(ConstructorFieldInit).getExpr() and
-    not exists(literal.getValue())
-  )
-  or
   exists(ThisExpr thisExpr |
     // An instantiation of a member function template is not treated as a `MemberFunction` if it has
     // only non-type template arguments.

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll

@@ -161,8 +161,13 @@ class IRBlock extends IRBlockBase {
    */
   pragma[noinline]
   final IRBlock dominanceFrontier() {
-    this.dominates(result.getAPredecessor()) and
-    not this.strictlyDominates(result)
+    this.getASuccessor() = result and
+    not this.immediatelyDominates(result)
+    or
+    exists(IRBlock prev | result = prev.dominanceFrontier() |
+      this.immediatelyDominates(prev) and
+      not this.immediatelyDominates(result)
+    )
   }
 
   /**
@@ -201,8 +206,13 @@ class IRBlock extends IRBlockBase {
    */
   pragma[noinline]
   final IRBlock postDominanceFrontier() {
-    this.postDominates(result.getASuccessor()) and
-    not this.strictlyPostDominates(result)
+    this.getAPredecessor() = result and
+    not this.immediatelyPostDominates(result)
+    or
+    exists(IRBlock prev | result = prev.postDominanceFrontier() |
+      this.immediatelyPostDominates(prev) and
+      not this.immediatelyPostDominates(result)
+    )
   }
 
   /**

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.qhelp

@@ -3,17 +3,17 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Exposing system data or debugging information may help an adversary to learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in these technologies.</p>
+<p>Exposing system data or debugging information may help a malicious user learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in the software.</p>
 
-<p>This query finds locations where system configuration information might be revealed to a user.</p>
+<p>This query finds locations where system configuration information might be revealed to a remote user.</p>
 </overview>
 
 <recommendation>
-<p>Do not expose system configuration information to users.  Be wary of the difference between information that could be helpful to users, and unnecessary details that could be useful to an adversary.</p>
+<p>Do not expose system configuration information to remote users.  Be wary of the difference between information that could be helpful to users, and unnecessary details that could be useful to a malicious user.</p>
 </recommendation>
 
 <example>
-<p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to an adversary who does not have legitimate access to that information.</p>
+<p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to a malicious user who does not have legitimate access to that information.</p>
 
 <sample src="ExposedSystemDataIncorrect.cpp" />