Merge branch 'main' into add-activerecord-annotate

Author: thiggy1342

.github/workflows/ql-for-ql-build.yml

@@ -19,7 +19,6 @@ jobs:
         uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
         with:
           languages: javascript # does not matter
-          tools: latest
       - name: Get CodeQL version
         id: get-codeql-version
         run: |
@@ -184,7 +183,6 @@ jobs:
           languages: ql
           db-location: ${{ runner.temp }}/db
           config-file: ./ql-for-ql-config.yml
-          tools: latest
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
@@ -224,4 +222,4 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
             name: combined.sarif
-            path: combined.sarif
+            path: combined.sarif

java/ql/lib/change-notes/2022-07-13-properites.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added data-flow models for `java.util.Properites`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.

java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll

@@ -241,6 +241,9 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;NavigableSet;true;pollLast;();;Argument[-1].Element;ReturnValue;value;manual",
         "java.util;NavigableSet;true;subSet;(Object,boolean,Object,boolean);;Argument[-1].Element;ReturnValue.Element;value;manual",
         "java.util;NavigableSet;true;tailSet;(Object,boolean);;Argument[-1].Element;ReturnValue.Element;value;manual",
+        "java.util;Properties;true;getProperty;(String);;Argument[-1].MapValue;ReturnValue;value;manual",
+        "java.util;Properties;true;getProperty;(String,String);;Argument[-1].MapValue;ReturnValue;value;manual",
+        "java.util;Properties;true;getProperty;(String,String);;Argument[1];ReturnValue;value;manual",
         "java.util;Scanner;true;next;(Pattern);;Argument[-1];ReturnValue;taint;manual",
         "java.util;Scanner;true;next;(String);;Argument[-1];ReturnValue;taint;manual",
         "java.util;SortedMap;true;headMap;(Object);;Argument[-1].MapKey;ReturnValue.MapKey;value;manual",

java/ql/lib/semmle/code/java/frameworks/Properties.qll

@@ -10,13 +10,11 @@ class TypeProperty extends Class {
 }
 
 /** The `getProperty` method of the class `java.util.Properties`. */
-class PropertiesGetPropertyMethod extends ValuePreservingMethod {
+class PropertiesGetPropertyMethod extends Method {
   PropertiesGetPropertyMethod() {
     getDeclaringType() instanceof TypeProperty and
     hasName("getProperty")
   }
-
-  override predicate returnsValue(int arg) { arg = 1 }
 }
 
 /** The `get` method of the class `java.util.Properties`. */

java/ql/test/library-tests/dataflow/collections/Test.java

@@ -78,4 +78,14 @@ public void run3() {
       sink(x18); // Flow
     });
   }
+
+  public void run4() {
+    Properties p = new Properties();
+    p.put("key", tainted);
+    sink(p.getProperty("key")); // Flow
+    sink(p.getProperty("key", "defaultValue")); // Flow
+    
+    Properties clean = new Properties();
+    sink(clean.getProperty("key", tainted)); // Flow
+  }
 }

java/ql/test/library-tests/dataflow/collections/flow.expected

@@ -11,3 +11,6 @@
 | Test.java:49:20:49:26 | tainted | Test.java:60:12:60:14 | x14 |
 | Test.java:73:11:73:17 | tainted | Test.java:75:10:75:12 | x17 |
 | Test.java:73:11:73:17 | tainted | Test.java:78:12:78:14 | x18 |
+| Test.java:84:18:84:24 | tainted | Test.java:85:10:85:29 | getProperty(...) |
+| Test.java:84:18:84:24 | tainted | Test.java:86:10:86:45 | getProperty(...) |
+| Test.java:89:35:89:41 | tainted | Test.java:89:10:89:42 | getProperty(...) |

javascript/ql/examples/queries/dataflow/TemplateInjection/TemplateInjection.ql

@@ -14,7 +14,7 @@ import DataFlow::PathGraph
 /**
  * Gets the name of an unescaped placeholder in a lodash template.
  *
- * For example, the string `<h1><%= title %></h1>` contains the placeholder `title`.
+ * For example, the string `"<h1><%= title %></h1>"` contains the placeholder "title".
  */
 bindingset[s]
 string getAPlaceholderInString(string s) {

javascript/ql/lib/definitions.qll

@@ -45,7 +45,7 @@ private predicate variableDefLookup(VarAccess va, AstNode def, string kind) {
 
 /**
  * Holds if variable access `va` is of kind `kind` and refers to the
- * variable declaration.
+ * variable declaration `decl`.
  *
  * For example, in the statement `var x = 42, y = x;`, the initializing
  * expression of `y` is a variable access `x` of kind `"V"` that refers to

javascript/ql/lib/semmle/javascript/BasicBlocks.qll

@@ -146,7 +146,7 @@ class BasicBlock extends @cfg_node, NodeInStmtContainer {
   /** Holds if this basic block uses variable `v` in its `i`th node `u`. */
   predicate useAt(int i, Variable v, VarUse u) { useAt(this, i, v, u) }
 
-  /** Holds if this basic block defines variable `v` in its `i`th node `u`. */
+  /** Holds if this basic block defines variable `v` in its `i`th node `d`. */
   predicate defAt(int i, Variable v, VarDef d) { defAt(this, i, v, d) }
 
   /**

javascript/ql/lib/semmle/javascript/CharacterEscapes.qll

@@ -75,7 +75,7 @@ module CharacterEscapes {
   }
 
   /**
-   * Gets a character in `n` that is preceded by a single useless backslash, resulting in a likely regular expression mistake explained by `mistake`.
+   * Gets a character in `src` that is preceded by a single useless backslash, resulting in a likely regular expression mistake explained by `mistake`.
    *
    * The character is the `i`th character of the raw string value of `rawStringNode`.
    */