Merge pull request #7514 from github/post-release-prep/codeql-cli-2.7.5

hvitved · web-flow · commit 3c837c322b28 · 2022-01-17T12:40:33.000+01:00
Post-release preparation for codeql-cli-2.7.5
diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ## 0.0.4
diff --git a/cpp/ql/lib/change-notes/released/0.0.6.md b/cpp/ql/lib/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ### New Queries
diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -22,11 +22,13 @@ import semmle.code.cpp.dataflow.DataFlow
  *  Holds if `sub` is guarded by a condition which ensures that
  * `left >= right`.
  */
-pragma[noinline]
+pragma[nomagic]
 predicate isGuarded(SubExpr sub, Expr left, Expr right) {
-  exists(GuardCondition guard, int k |
-    guard.controls(sub.getBasicBlock(), _) and
-    guard.ensuresLt(left, right, k, sub.getBasicBlock(), false) and
+  exprIsSubLeftOrLess(pragma[only_bind_into](sub), _) and // Manual magic
+  exists(GuardCondition guard, int k, BasicBlock bb |
+    pragma[only_bind_into](bb) = sub.getBasicBlock() and
+    guard.controls(pragma[only_bind_into](bb), _) and
+    guard.ensuresLt(left, right, k, bb, false) and
     k >= 0
   )
 }
@@ -36,47 +38,56 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
  * `sub.getLeftOperand()`.
  */
 predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
-  n.asExpr() = sub.getLeftOperand()
-  or
-  exists(DataFlow::Node other |
-    // dataflow
-    exprIsSubLeftOrLess(sub, other) and
-    (
-      DataFlow::localFlowStep(n, other) or
-      DataFlow::localFlowStep(other, n)
+  interestingSubExpr(sub, _) and // Manual magic
+  (
+    n.asExpr() = sub.getLeftOperand()
+    or
+    exists(DataFlow::Node other |
+      // dataflow
+      exprIsSubLeftOrLess(sub, other) and
+      (
+        DataFlow::localFlowStep(n, other) or
+        DataFlow::localFlowStep(other, n)
+      )
+    )
+    or
+    exists(DataFlow::Node other |
+      // guard constraining `sub`
+      exprIsSubLeftOrLess(sub, other) and
+      isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
+    )
+    or
+    exists(DataFlow::Node other, float p, float q |
+      // linear access of `other`
+      exprIsSubLeftOrLess(sub, other) and
+      linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
+      p <= 1 and
+      q <= 0
+    )
+    or
+    exists(DataFlow::Node other, float p, float q |
+      // linear access of `n`
+      exprIsSubLeftOrLess(sub, other) and
+      linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
+      p >= 1 and
+      q >= 0
     )
-  )
-  or
-  exists(DataFlow::Node other |
-    // guard constraining `sub`
-    exprIsSubLeftOrLess(sub, other) and
-    isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
-  )
-  or
-  exists(DataFlow::Node other, float p, float q |
-    // linear access of `other`
-    exprIsSubLeftOrLess(sub, other) and
-    linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
-    p <= 1 and
-    q <= 0
-  )
-  or
-  exists(DataFlow::Node other, float p, float q |
-    // linear access of `n`
-    exprIsSubLeftOrLess(sub, other) and
-    linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
-    p >= 1 and
-    q >= 0
   )
 }
 
-from RelationalOperation ro, SubExpr sub
-where
-  not isFromMacroDefinition(ro) and
+predicate interestingSubExpr(SubExpr sub, RelationalOperation ro) {
   not isFromMacroDefinition(sub) and
   ro.getLesserOperand().getValue().toInt() = 0 and
   ro.getGreaterOperand() = sub and
   sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
-  exprMightOverflowNegatively(sub.getFullyConverted()) and // generally catches false positives involving constants
-  not exprIsSubLeftOrLess(sub, DataFlow::exprNode(sub.getRightOperand())) // generally catches false positives where there's a relation between the left and right operands
+  // generally catches false positives involving constants
+  exprMightOverflowNegatively(sub.getFullyConverted())
+}
+
+from RelationalOperation ro, SubExpr sub
+where
+  interestingSubExpr(sub, ro) and
+  not isFromMacroDefinition(ro) and
+  // generally catches false positives where there's a relation between the left and right operands
+  not exprIsSubLeftOrLess(sub, DataFlow::exprNode(sub.getRightOperand()))
 select ro, "Unsigned subtraction can never be negative."
diff --git a/cpp/ql/src/change-notes/released/0.0.6.md b/cpp/ql/src/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: cpp
 dependencies:
     codeql/cpp-all: "*"
diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/0.0.6.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/0.0.6.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/csharp/ql/campaigns/Solorigate/test/change-notes/released/0.0.7.md b/csharp/ql/campaigns/Solorigate/test/change-notes/released/0.0.7.md
@@ -0,0 +1 @@
+## 0.0.7
diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ## 0.0.4
diff --git a/csharp/ql/lib/change-notes/released/0.0.6.md b/csharp/ql/lib/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ## 0.0.4
diff --git a/csharp/ql/src/change-notes/released/0.0.6.md b/csharp/ql/src/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: csharp
 suites: codeql-suites
 extractor: csharp
diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.0.6
+
+### Major Analysis Improvements
+
+* Data flow now propagates taint from remote source `Parameter` types to read steps of their fields (e.g. `tainted.publicField` or `tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively.
+
 ## 0.0.5
 
 ### Bug Fixes
diff --git a/java/ql/lib/change-notes/released/0.0.6.md b/java/ql/lib/change-notes/released/0.0.6.md
@@ -1,4 +1,5 @@
----
-category: majorAnalysis
----
+## 0.0.6
+
+### Major Analysis Improvements
+
 * Data flow now propagates taint from remote source `Parameter` types to read steps of their fields (e.g. `tainted.publicField` or `tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively.
diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ### Minor Analysis Improvements
diff --git a/java/ql/src/change-notes/released/0.0.6.md b/java/ql/src/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: java
 suites: codeql-suites
 extractor: java
diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.7
+
 ## 0.0.6
 
 ### New Features
diff --git a/javascript/ql/lib/change-notes/released/0.0.7.md b/javascript/ql/lib/change-notes/released/0.0.7.md
@@ -0,0 +1 @@
+## 0.0.7
diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.6
+lastReleaseVersion: 0.0.7
diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.0.7-dev
+version: 0.0.8-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 0.0.7
+
+### Minor Analysis Improvements
+
+* Support for handlebars templates has improved. Raw interpolation tags of the form `{{& ... }}` are now recognized,
+  as well as whitespace-trimming tags like `{{~ ... }}`.
+* Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`.
+* `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.
+
 ## 0.0.6
 
 ### Major Analysis Improvements
diff --git a/javascript/ql/src/change-notes/2021-12-07-handlebars-more-raw-interpolation.md b/javascript/ql/src/change-notes/2021-12-07-handlebars-more-raw-interpolation.md
diff --git a/javascript/ql/src/change-notes/released/0.0.7.md b/javascript/ql/src/change-notes/released/0.0.7.md
@@ -1,5 +1,8 @@
----
-category: minorAnalysis
----
+## 0.0.7
+
+### Minor Analysis Improvements
+
+* Support for handlebars templates has improved. Raw interpolation tags of the form `{{& ... }}` are now recognized,
+  as well as whitespace-trimming tags like `{{~ ... }}`.
 * Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`.
 * `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.
diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.6
+lastReleaseVersion: 0.0.7
diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.0.7-dev
+version: 0.0.8-dev
 groups: javascript
 suites: codeql-suites
 extractor: javascript
diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ### Minor Analysis Improvements
diff --git a/python/ql/lib/change-notes/released/0.0.6.md b/python/ql/lib/change-notes/released/0.0.6.md
@@ -0,0 +1 @@
+## 0.0.6
diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.0.6
+
+### New Queries
+
+* Two new queries have been added for detecting Server-side request forgery (SSRF). _Full server-side request forgery_ (`py/full-ssrf`) will only alert when the URL is fully user-controlled, and _Partial server-side request forgery_ (`py/partial-ssrf`) will alert when any part of the URL is user-controlled. Only `py/full-ssrf` will be run by default.
+
+### Minor Analysis Improvements
+
+* To support the new SSRF queries, the PyPI package `requests` has been modeled, along with `http.client.HTTP[S]Connection` from the standard library.
+
 ## 0.0.5
 
 ### Minor Analysis Improvements
diff --git a/python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md b/python/ql/src/change-notes/2021-12-17-add-SSRF-analysis.md
diff --git a/python/ql/src/change-notes/released/0.0.6.md b/python/ql/src/change-notes/released/0.0.6.md
@@ -1,4 +1,9 @@
----
-category: newQuery
----
+## 0.0.6
+
+### New Queries
+
 * Two new queries have been added for detecting Server-side request forgery (SSRF). _Full server-side request forgery_ (`py/full-ssrf`) will only alert when the URL is fully user-controlled, and _Partial server-side request forgery_ (`py/partial-ssrf`) will alert when any part of the URL is user-controlled. Only `py/full-ssrf` will be run by default.
+
+### Minor Analysis Improvements
+
+* To support the new SSRF queries, the PyPI package `requests` has been modeled, along with `http.client.HTTP[S]Connection` from the standard library.
diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: python
 dependencies:
     codeql/python-all: "*"
diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.0.6
+
+### Deprecated APIs
+
+* `ConstantWriteAccess.getQualifiedName()` has been deprecated in favor of `getAQualifiedName()` which can return multiple possible qualified names for a given constant write access.
+
 ## 0.0.5
 
 ### New Features
diff --git a/ruby/ql/lib/change-notes/released/0.0.6.md b/ruby/ql/lib/change-notes/released/0.0.6.md
@@ -1,4 +1,5 @@
----
-category: deprecated
----
+## 0.0.6
+
+### Deprecated APIs
+
 * `ConstantWriteAccess.getQualifiedName()` has been deprecated in favor of `getAQualifiedName()` which can return multiple possible qualified names for a given constant write access.
diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.0.6-dev
+version: 0.0.7-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.0.6
+
 ## 0.0.5
 
 ## 0.0.4
diff --git a/ruby/ql/src/change-notes/released/0.0.6.md b/ruby/ql/src/change-notes/released/0.0.6.md
diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml
diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`---`
`2`		`-lastReleaseVersion: 0.0.5`
	`2`	`+lastReleaseVersion: 0.0.6`