Merge branch 'ruby-framework-grape' of github.com:felickz/codeql into ruby-framework-grape

Author: felickz

docs/codeql/ql-language-reference/annotations.rst

@@ -16,9 +16,9 @@ For example, to declare a module ``M`` as private, you could use:
     }
 
 Note that some annotations act on an entity itself, whilst others act on a particular *name* for the entity:
-  - Act on an **entity**: ``abstract``, ``cached``, ``external``, ``transient``, ``override``, ``pragma``, ``language``,
-    and ``bindingset``
-  - Act on a **name**: ``deprecated``, ``library``, ``private``, ``final``, and ``query``
+  - Act on an **entity**: ``abstract``, ``bindingset``, ``cached``, ``extensible``, ``external``, ``language``,
+    ``override``, ``pragma``, and ``transient``
+  - Act on a **name**: ``additional``, ``deprecated``, ``final``, ``library``, ``private``, and ``query``
 
 For example, if you annotate an entity with ``private``, then only that particular name is
 private. You could still access that entity under a different name (using an :ref:`alias <aliases>`).

docs/codeql/ql-language-reference/ql-language-specification.rst

@@ -761,17 +761,17 @@ Various kinds of syntax can have *annotations* applied to them. Annotations are
    annotation ::= simpleAnnotation | argsAnnotation
 
    simpleAnnotation ::= "abstract"
+                    |   "additional"
                     |   "cached"
-                    |   "external"
+                    |   "deprecated"
                     |   "extensible"
+                    |   "external"
                     |   "final"
-                    |   "transient"
                     |   "library"
-                    |   "private"
-                    |   "deprecated"
                     |   "override"
-                    |   "additional"
+                    |   "private"
                     |   "query"
+                    |   "transient"
 
    argsAnnotation ::= "pragma" "[" ("inline" | "inline_late" | "noinline" | "nomagic" | "noopt" | "assume_small_delta") "]"
                   |   "language" "[" "monotonicAggregates" "]"
@@ -791,28 +791,28 @@ The following table summarizes the syntactic constructs which can be marked with
 +================+=========+============+===================+=======================+=========+========+=========+=========+============+
 | ``abstract``   | yes     |            | yes               |                       |         |        |         |         |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
+| ``additional`` | yes     |            |                   | yes                   |         |        | yes     | yes     | yes        |
++----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
 | ``cached``     | yes     | yes        | yes               | yes                   |         |        | yes     |         |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
-| ``external``   |         |            |                   | yes                   |         |        |         |         |            |
+| ``deprecated`` | yes     |            | yes               | yes                   | yes     | yes    | yes     | yes     | yes        |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
 | ``extensible`` |         |            |                   | yes                   |         |        |         |         |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
-| ``final``      | yes     |            | yes               |                       |         | yes    |         | (yes)   |            |
+| ``external``   |         |            |                   | yes                   |         |        |         |         |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
-| ``transient``  |         |            |                   | yes                   |         |        |         |         |            |
+| ``final``      | yes     |            | yes               |                       |         | yes    |         | (yes)   |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
 | ``library``    | (yes)   |            |                   |                       |         |        |         |         |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
-| ``private``    | yes     |            | yes               | yes                   | yes     | yes    | yes     | yes     | yes        |
-+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
-| ``deprecated`` | yes     |            | yes               | yes                   | yes     | yes    | yes     | yes     | yes        |
-+----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
 | ``override``   |         |            | yes               |                       |         | yes    |         |         |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
-| ``additional`` | yes     |            |                   | yes                   |         |        | yes     | yes     | yes        |
+| ``private``    | yes     |            | yes               | yes                   | yes     | yes    | yes     | yes     | yes        |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
 | ``query``      |         |            |                   | yes                   |         |        |         | yes     |            |
 +----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
+| ``transient``  |         |            |                   | yes                   |         |        |         |         |            |
++----------------+---------+------------+-------------------+-----------------------+---------+--------+---------+---------+------------+
 
 The ``library`` annotation is only usable within a QLL file, not a QL file.
 The ``final`` annotation is usable on type aliases, but not on module aliases and predicate aliases.
@@ -933,7 +933,8 @@ A predicate definition adds a mapping from the predicate name and arity to the p
 
 When a predicate is a top-level clause in a module, it is called a non-member predicate. See below for "`Member predicates <#member-predicates>`__."
 
-A valid non-member predicate can be annotated with ``cached``, ``deprecated``, ``external``, ``transient``, ``private``, and ``query``. Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
+A valid non-member predicate can be annotated with ``additional``, ``cached``, ``deprecated``, ``extensible``, ``external``, ``transient``, ``private``, and ``query``.
+Note, the ``transient`` annotation can only be applied if the non-member predicate is also annotated with ``external``.
 
 The head of the predicate gives a name, an optional *result type*, and a sequence of variables declarations that are *arguments*:
 
@@ -979,7 +980,7 @@ A class type is said to *final inherit* from base types that are final or refere
 
 A class adds a mapping from the class name to the class declaration to the current module's declared type environment.
 
-A valid class can be annotated with ``abstract``, ``final``, ``library``, and ``private``. Any other annotation renders the class invalid.
+A valid class can be annotated with ``abstract``, ``additional``, ``final``, ``library``, and ``private``. Any other annotation renders the class invalid.
 
 A valid class may not inherit from itself, or from more than one primitive type. The set of types that a valid class inherits from must be disjoint from the set of types that it final inherits from.
 
@@ -2292,17 +2293,17 @@ The complete grammar for QL is as follows:
    annotation ::= simpleAnnotation | argsAnnotation
 
    simpleAnnotation ::= "abstract"
+                    |   "additional"
                     |   "cached"
-                    |   "external"
+                    |   "deprecated"
                     |   "extensible"
+                    |   "external"
                     |   "final"
-                    |   "transient"
                     |   "library"
-                    |   "private"
-                    |   "deprecated"
                     |   "override"
-                    |   "additional"
+                    |   "private"
                     |   "query"
+                    |   "transient"
 
    argsAnnotation ::= "pragma" "[" ("inline" | "inline_late" | "noinline" | "nomagic" | "noopt" | "assume_small_delta") "]"
                   |   "language" "[" "monotonicAggregates" "]"

java/ql/lib/semmle/code/java/Overlay.qll

@@ -18,7 +18,7 @@ predicate isOverlay() { databaseMetadata("isOverlay", "true") }
 overlay[local]
 string getRawFile(@locatable el) {
   exists(@location loc, @file file |
-    hasLocation(el, loc) and
+    (hasLocation(el, loc) or xmllocations(el, loc)) and
     locations_default(loc, file, _, _, _, _) and
     files(file, result)
   )
@@ -73,40 +73,22 @@ private predicate discardReferableLocatable(@locatable el) {
   )
 }
 
+/** Gets the raw file for a configLocatable. */
 overlay[local]
-private predicate baseConfigLocatable(@configLocatable l) { not isOverlay() and exists(l) }
-
-overlay[local]
-private predicate overlayHasConfigLocatables() {
-  isOverlay() and
-  exists(@configLocatable el)
-}
-
-overlay[discard_entity]
-private predicate discardBaseConfigLocatable(@configLocatable el) {
-  // The properties extractor is currently not incremental, so if
-  // the overlay contains any config locatables, the overlay should
-  // contain a full extraction and all config locatables from base
-  // should be discarded.
-  baseConfigLocatable(el) and overlayHasConfigLocatables()
-}
-
-overlay[local]
-private predicate baseXmlLocatable(@xmllocatable l) {
-  not isOverlay() and not files(l, _) and not xmlNs(l, _, _, _)
+private string getRawFileForConfig(@configLocatable el) {
+  exists(@location loc, @file file |
+    configLocations(el, loc) and
+    locations_default(loc, file, _, _, _, _) and
+    files(file, result)
+  )
 }
 
 overlay[local]
-private predicate overlayHasXmlLocatable() {
-  isOverlay() and
-  exists(@xmllocatable l | not files(l, _) and not xmlNs(l, _, _, _))
+private string baseConfigLocatable(@configLocatable el) {
+  not isOverlay() and result = getRawFileForConfig(el)
 }
 
 overlay[discard_entity]
-private predicate discardBaseXmlLocatable(@xmllocatable el) {
-  // The XML extractor is currently not incremental, so if
-  // the overlay contains any XML locatables, the overlay should
-  // contain a full extraction and all XML locatables from base
-  // should be discarded.
-  baseXmlLocatable(el) and overlayHasXmlLocatable()
+private predicate discardBaseConfigLocatable(@configLocatable el) {
+  overlayChangedFiles(baseConfigLocatable(el))
 }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -83,6 +83,7 @@ overlay[caller?]
 pragma[inline]
 predicate localFlow(Node node1, Node node2) { node1 = node2 or localFlowStepPlus(node1, node2) }
 
+overlay[caller?]
 private predicate localFlowStepPlus(Node node1, Node node2) = fastTC(localFlowStep/2)(node1, node2)
 
 /**

java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll

@@ -163,18 +163,22 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
 
 private module RegexFlow = DataFlow::Global<RegexFlowConfig>;
 
+private predicate usedAsRegexImpl(StringLiteral regex, string mode, boolean match_full_string) {
+  RegexFlow::flow(DataFlow::exprNode(regex), _) and
+  mode = "None" and // TODO: proper mode detection
+  (if matchesFullString(regex) then match_full_string = true else match_full_string = false)
+}
+
 /**
  * Holds if `regex` is used as a regex, with the mode `mode` (if known).
  * If regex mode is not known, `mode` will be `"None"`.
  *
  * As an optimisation, only regexes containing an infinite repitition quatifier (`+`, `*`, or `{x,}`)
  * and therefore may be relevant for ReDoS queries are considered.
  */
-predicate usedAsRegex(StringLiteral regex, string mode, boolean match_full_string) {
-  RegexFlow::flow(DataFlow::exprNode(regex), _) and
-  mode = "None" and // TODO: proper mode detection
-  (if matchesFullString(regex) then match_full_string = true else match_full_string = false)
-}
+overlay[local]
+predicate usedAsRegex(StringLiteral regex, string mode, boolean match_full_string) =
+  forceLocal(usedAsRegexImpl/3)(regex, mode, match_full_string)
 
 /**
  * Holds if `regex` is used as a regular expression that is matched against a full string,

java/ql/lib/semmle/code/xml/XML.qll

@@ -6,6 +6,7 @@ module;
 
 import semmle.files.FileSystem
 private import codeql.xml.Xml
+private import semmle.code.java.Overlay
 
 private module Input implements InputSig<File, Location> {
   class XmlLocatableBase = @xmllocatable or @xmlnamespaceable;
@@ -69,3 +70,13 @@ private module Input implements InputSig<File, Location> {
 }
 
 import Make<File, Location, Input>
+
+private class DiscardableXmlAttribute extends DiscardableLocatable, @xmlattribute { }
+
+private class DiscardableXmlElement extends DiscardableLocatable, @xmlelement { }
+
+private class DiscardableXmlComment extends DiscardableLocatable, @xmlcomment { }
+
+private class DiscardableXmlCharacters extends DiscardableLocatable, @xmlcharacters { }
+
+private class DiscardableXmlDtd extends DiscardableLocatable, @xmldtd { }

javascript/ql/lib/change-notes/2025-09-19-graphql-type-object.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added modeling of `GraphQLObjectType` resolver function parameters as remote sources.

javascript/ql/lib/ext/graph-ql.model.yml

@@ -4,3 +4,8 @@ extensions:
       extensible: summaryModel
     data:
       - ["graphql", "Member[graphql]", "Argument[0].Member[source,variableValues]", "Argument[0].Member[rootValue].AnyMember.Parameter[0]", "taint"]
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sourceModel
+    data:
+      - ["graphql", "Member[GraphQLObjectType].Argument[0].Member[fields].AnyMember.Member[resolve].Parameter[1]", "remote"]

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -63,6 +63,7 @@
 | fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
 | graph-ql.js:20:19:20:22 | expr | graph-ql.js:28:32:28:39 | req.body | graph-ql.js:20:19:20:22 | expr | This code execution depends on a $@. | graph-ql.js:28:32:28:39 | req.body | user-provided value |
 | graph-ql.js:39:19:39:30 | name + title | graph-ql.js:28:32:28:39 | req.body | graph-ql.js:39:19:39:30 | name + title | This code execution depends on a $@. | graph-ql.js:28:32:28:39 | req.body | user-provided value |
+| graph-ql.js:66:23:66:27 | value | graph-ql.js:65:22:65:30 | { value } | graph-ql.js:66:23:66:27 | value | This code execution depends on a $@. | graph-ql.js:65:22:65:30 | { value } | user-provided value |
 | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -173,6 +174,8 @@ edges
 | graph-ql.js:39:19:39:22 | name | graph-ql.js:39:19:39:30 | name + title | provenance |  |
 | graph-ql.js:39:26:39:30 | title | graph-ql.js:39:19:39:30 | name + title | provenance |  |
 | graph-ql.js:54:21:54:29 | variables | graph-ql.js:38:13:38:27 | { name, title } | provenance |  |
+| graph-ql.js:65:22:65:30 | { value } | graph-ql.js:65:24:65:28 | value | provenance |  |
+| graph-ql.js:65:24:65:28 | value | graph-ql.js:66:23:66:27 | value | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:13 | tainted | provenance |  |
@@ -323,6 +326,9 @@ nodes
 | graph-ql.js:39:19:39:30 | name + title | semmle.label | name + title |
 | graph-ql.js:39:26:39:30 | title | semmle.label | title |
 | graph-ql.js:54:21:54:29 | variables | semmle.label | variables |
+| graph-ql.js:65:22:65:30 | { value } | semmle.label | { value } |
+| graph-ql.js:65:24:65:28 | value | semmle.label | value |
+| graph-ql.js:66:23:66:27 | value | semmle.label | value |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:13 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

@@ -72,6 +72,8 @@ edges
 | graph-ql.js:39:19:39:22 | name | graph-ql.js:39:19:39:30 | name + title | provenance |  |
 | graph-ql.js:39:26:39:30 | title | graph-ql.js:39:19:39:30 | name + title | provenance |  |
 | graph-ql.js:54:21:54:29 | variables | graph-ql.js:38:13:38:27 | { name, title } | provenance |  |
+| graph-ql.js:65:22:65:30 | { value } | graph-ql.js:65:24:65:28 | value | provenance |  |
+| graph-ql.js:65:24:65:28 | value | graph-ql.js:66:23:66:27 | value | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:13 | tainted | provenance |  |
@@ -224,6 +226,9 @@ nodes
 | graph-ql.js:39:19:39:30 | name + title | semmle.label | name + title |
 | graph-ql.js:39:26:39:30 | title | semmle.label | title |
 | graph-ql.js:54:21:54:29 | variables | semmle.label | variables |
+| graph-ql.js:65:22:65:30 | { value } | semmle.label | { value } |
+| graph-ql.js:65:24:65:28 | value | semmle.label | value |
+| graph-ql.js:66:23:66:27 | value | semmle.label | value |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:13 | tainted | semmle.label | tainted |