From 2058c4a79ce93c9b24e2b22deb234e594a281e21 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 02:08:19 +0000
Subject: [PATCH 01/10] Remove redundant char pred
---
go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll | 2 --
1 file changed, 2 deletions(-)
diff --git a/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll b/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll
index ba3a3c733023..e566ca41c2fd 100644
--- a/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll
+++ b/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll
@@ -255,8 +255,6 @@ private predicate globalValueNumbers(DataFlow::CallNode ce, int start, GVN head, * methods. */ class GVN extends GvnBase { - GVN() { this instanceof GvnBase } - /** Gets a data-flow node that has this GVN. */ DataFlow::Node getANode() { this = globalValueNumber(result) }
From fb0b4071a7d2bd9b3807999aa9ef996207a404e8 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 02:09:17 +0000
Subject: [PATCH 02/10] Remove redundant import
---
go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll | 1 -
1 file changed, 1 deletion(-)
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
index d48335d299f4..a388e4bab040 100644
--- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
+++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
@@ -1347,7 +1347,6 @@ module Public { } } -private import Private private import Public class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode {
From 303deab608f686bb02af86ac6685954105b3e285 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 02:12:12 +0000
Subject: [PATCH 03/10] Remove redundant conjunct
---
.../semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql | 1 -
1 file changed, 1 deletion(-)
diff --git a/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql
index 171aee868248..e6ba4ce067b5 100644
--- a/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql
+++ b/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql
@@ -2,7 +2,6 @@ import go import utils.test.InlineFlowTest string getArgString(DataFlow::Node src, DataFlow::Node sink) { - exists(src) and result = "\"" + sink.toString() + " (from source " + src.(DataFlow::CallNode).getArgument(0).getExactValue() + ")\""
From 0b79087782116a0f7612ad0a444d3fc2f1409c4f Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 02:26:14 +0000
Subject: [PATCH 04/10] Make predicate name start with `has` instead of `get`
---
go/ql/src/experimental/CWE-918/validator.qll | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/go/ql/src/experimental/CWE-918/validator.qll b/go/ql/src/experimental/CWE-918/validator.qll
index 5b9840b8494c..2c9dc0592f36 100644
--- a/go/ql/src/experimental/CWE-918/validator.qll
+++ b/go/ql/src/experimental/CWE-918/validator.qll
@@ -24,7 +24,7 @@ class FieldWithTags extends FieldDecl { * For example: the tag `json:"word" binding:"required,alpha"` yields `key: "json", value: "word"` * and `key: "binding" values: "required","alpha"`. */ - predicate getTagByKeyValue(string key, string value) { + predicate hasTagKeyValue(string key, string value) { exists(string tag, string key_value, string values | this.getTag().toString() = tag and // Each key_value is like key:"value1,value2"
@@ -50,7 +50,7 @@ class AlphanumericStructFieldRead extends DataFlow::Node { exists(FieldWithTags decl, Field field, string tag | this = field.getARead() and field.getDeclaration() = decl.getNameExpr(0) and - decl.getTagByKeyValue(key, tag) and + decl.hasTagKeyValue(key, tag) and isAlphanumericValidationKind(tag) ) }
From fe1c4e2eee2f7b713c372896d7effa2c555cf877 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 02:26:39 +0000
Subject: [PATCH 05/10] Make class qldoc start with "A".
---
.../frameworks/DecompressionBombsCustomizations.qll | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll b/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll
index 50fc7d06b567..063836b55134 100644
--- a/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll
+++ b/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll
@@ -511,7 +511,7 @@ module DecompressionBombs { } /** - * Provides decompression bomb sinks for packages that use some standard IO interfaces/methods for reading decompressed data + * A standard IO function for reading decompressed data. */ class GeneralReadIoSink extends Sink { GeneralReadIoSink() {
From b8ccaf3b112bd8309222b1d2f167acc37148cb3f Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 02:26:58 +0000
Subject: [PATCH 06/10] Improve formatting of tags metadata
---
go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql | 3 ++-
.../src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql b/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
index 6e8d99471ee4..b9bf1be2c1db 100644
--- a/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
@@ -6,7 +6,8 @@ * @precision low * @problem.severity error * @security-severity 7.8 - * @tags security external/cwe/cwe-020 + * @tags security + * external/cwe/cwe-020 */ import go
diff --git a/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql b/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql
index 451980479040..89ce5949245b 100644
--- a/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql
+++ b/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql
@@ -6,7 +6,8 @@ * @precision low * @problem.severity error * @security-severity 7.8 - * @tags security external/cwe/cwe-020 + * @tags security + * external/cwe/cwe-020 */ import go
From 62238fcbd7660251dbc74eb0634535ec577d5d22 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 03:33:18 +0000
Subject: [PATCH 07/10] Fix variable name in qldoc
---
java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll
index d59976c0c6c8..a866d84df21d 100644
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll
@@ -677,7 +677,7 @@ Type inheritsMatchingMethodExceptThrows(SessionEjb ejb, Method m) { } /** - * Holds if `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `m`. + * Holds if `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `icm`. * (Ignores `throws` clauses.) */ predicate inheritsMatchingCreateMethodIgnoreThrows(
@@ -704,7 +704,7 @@ predicate inheritsMatchingCreateMethodIgnoreThrows( } /** - * If `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `m` except for the `throws` clause, + * If `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `icm` except for the `throws` clause, * then return any type in the `throws` clause that does not match. */ Type inheritsMatchingCreateMethodExceptThrows(StatefulSessionEjb ejb, EjbInterfaceCreateMethod icm) {
From 22b614ac48adf8c2ce3f2581121cbe58ed7eff83 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 03:34:17 +0000
Subject: [PATCH 08/10] Use set literals
---
java/ql/lib/semmle/code/java/JDK.qll | 7 +------
.../code/java/frameworks/struts/StrutsActions.qll | 15 ++-------------
2 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/JDK.qll b/java/ql/lib/semmle/code/java/JDK.qll
index bdc2fb92fa05..f965fbfe6ba6 100644
--- a/java/ql/lib/semmle/code/java/JDK.qll
+++ b/java/ql/lib/semmle/code/java/JDK.qll
@@ -321,12 +321,7 @@ class WriteObjectMethod extends Method { class ReadObjectMethod extends Method { ReadObjectMethod() { this.getDeclaringType() instanceof TypeObjectInputStream and - ( - this.hasName("readObject") or - this.hasName("readObjectOverride") or - this.hasName("readUnshared") or - this.hasName("resolveObject") - ) + this.hasName(["readObject", "readObjectOverride", "readUnshared", "resolveObject"]) } }
diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
index 641fb0c6e6f4..729268d4008a 100644
--- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
@@ -40,12 +40,7 @@ class Struts2ActionClass extends Class { getStrutsMapperClass(this) = "org.apache.struts2.dispatcher.mapper.RestfulActionMapper" then // The "Restful" action mapper maps rest APIs to specific methods - result.hasName("index") or - result.hasName("create") or - result.hasName("editNew") or - result.hasName("view") or - result.hasName("remove") or - result.hasName("update") + result.hasName(["index", "create", "editNew", "view", "remove", "update"]) else if getStrutsMapperClass(this) = "org.apache.struts2.rest.RestActionMapper" or
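Review bot: The two method-name lists passed to `result.hasName([...])` in `Struts2ActionClass` (this hunk for `RestfulActionMapper`, the next hunk for `RestActionMapper`) carry no reference to where the names were taken from, so a reader cannot check them for completeness. The existing comments only say that each mapper maps REST APIs to specific methods. If, as the surrounding code suggests, this predicate selects the methods a request can reach, a name missing from either list would silently drop that method from whatever builds on it. I would extend each comment with the source of the list, for example `// Names per <mapper documentation or source reference>; re-check when the supported Struts version changes.` The enclosing predicate starts and ends outside both hunks.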
@@ -53,13 +48,7 @@ class Struts2ActionClass extends Class { then // The "Rest" action mapper is provided with the rest plugin, and maps rest APIs to specific // methods based on a "ruby-on-rails" style. - result.hasName("index") or - result.hasName("show") or - result.hasName("edit") or - result.hasName("editNew") or - result.hasName("create") or - result.hasName("update") or - result.hasName("destroy") + result.hasName(["index", "show", "edit", "editNew", "create", "update", "destroy"]) else if exists(getStrutsMapperClass(this)) then
From 220fd08428eead21d1277cdb0dd571382d07e7ad Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 03:34:30 +0000
Subject: [PATCH 09/10] Improve formatting of tags #2
---
java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
index a75672445fb1..ec1024fde022 100644
--- a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -6,7 +6,8 @@ * @precision low * @problem.severity error * @security-severity 7.8 - * @tags security external/cwe/cwe-020 + * @tags security + * external/cwe/cwe-020 */ import java
From 992bd68d4b5cddac12514c2d7c5c6a74e6a0fd44 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 28 Nov 2025 03:48:50 +0000
Subject: [PATCH 10/10] Use set literals #2
---
.../ql/lib/semmle/code/java/NumberFormatException.qll | 7 +------
java/ql/lib/semmle/code/java/frameworks/JAXB.qll | 5 +----
.../code/java/frameworks/spring/SpringController.qll | 11 ++++-------
3 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/NumberFormatException.qll b/java/ql/lib/semmle/code/java/NumberFormatException.qll
index 83f66d1a709d..96174cd1ddca 100644
--- a/java/ql/lib/semmle/code/java/NumberFormatException.qll
+++ b/java/ql/lib/semmle/code/java/NumberFormatException.qll
@@ -46,12 +46,7 @@ private class SpecialClassInstanceExpr extends ClassInstanceExpr { } predicate throwsNfe() { - this.isStringConstructor("Byte") or - this.isStringConstructor("Short") or - this.isStringConstructor("Integer") or - this.isStringConstructor("Long") or - this.isStringConstructor("Float") or - this.isStringConstructor("Double") + this.isStringConstructor(["Byte", "Short", "Integer", "Long", "Float", "Double"]) } }
diff --git a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll
index 96075bbccf3c..1283aa3d21e2 100644
--- a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll
@@ -107,10 +107,7 @@ class XmlAccessType extends EnumConstant { */ class JaxbMemberAnnotation extends JaxbAnnotationType { JaxbMemberAnnotation() { - this.hasName("XmlElement") or - this.hasName("XmlAttribute") or - this.hasName("XmlElementRefs") or - this.hasName("XmlElements") + this.hasName(["XmlElement", "XmlAttribute", "XmlElementRefs", "XmlElements"]) } }
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
index ee00433da129..a444dc96d5a4 100644
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
@@ -187,13 +187,10 @@ class SpringServletInputAnnotation extends Annotation { a = this.getType() and a.getPackage().getName() = "org.springframework.web.bind.annotation" | - a.hasName("MatrixVariable") or - a.hasName("RequestParam") or - a.hasName("RequestHeader") or - a.hasName("CookieValue") or - a.hasName("RequestPart") or - a.hasName("PathVariable") or - a.hasName("RequestBody") + a.hasName([ + "MatrixVariable", "RequestParam", "RequestHeader", "CookieValue", "RequestPart", + "PathVariable", "RequestBody" + ]) ) } }