Merge pull request #18663 from github/main

aibaars · web-flow · commit 49a306719e29 · 2025-02-03T18:11:55.000+01:00
Merge main into codeql-cli-2.20.4
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -49,7 +49,11 @@ private Class getRootType(FieldAccess fa) {
   exists(VariableAccess root |
     root = fa.getQualifier+() and
     not exists(root.getQualifier()) and
-    result = root.getUnspecifiedType()
+    // We strip the type because the root may be a pointer. For example `p` in:
+    // struct S { char buffer[10]; };
+    // S* p = ...;
+    // strcpy(p->buffer, "abc");
+    result = root.getUnspecifiedType().stripType()
   )
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -59,12 +59,15 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
   }
 
-  // It's valid to use diff-informed data flow for this configuration because
-  // the location of the selected element in the query is contained inside the
-  // location of the sink. The query, as a predicate, is used negated in
-  // another query, but that's only to prevent overlapping results between two
-  // queries.
+  // The query, as a predicate, is used negated in another query, but that's
+  // only to prevent overlapping results between two queries.
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  // All queries use the argument as the primary location and do not use the
+  // sink as an associated location.
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -46,6 +46,12 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    // This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't
+    // select the source in any "$@" column.
+    none()
+  }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,11 @@ private Class getRootType(FieldAccess fa) {`
`49`	`49`	`exists(VariableAccess root \|`
`50`	`50`	`root = fa.getQualifier+() and`
`51`	`51`	`not exists(root.getQualifier()) and`
`52`		`- result = root.getUnspecifiedType()`
	`52`	+ // We strip the type because the root may be a pointer. For example `p` in:
	`53`	`+ // struct S { char buffer[10]; };`
	`54`	`+ // S* p = ...;`
	`55`	`+ // strcpy(p->buffer, "abc");`
	`56`	`+ result = root.getUnspecifiedType().stripType()`
`53`	`57`	`)`
`54`	`58`	`}`
`55`	`59`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,12 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`predicate observeDiffInformedIncrementalMode() { any() }`
	`49`	`+`
	`50`	`+ Location getASelectedSourceLocation(DataFlow::Node source) {`
	`51`	+ // This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't
	`52`	`+ // select the source in any "$@" column.`
	`53`	`+ none()`
	`54`	`+ }`
`49`	`55`	`}`
`50`	`56`
`51`	`57`	`/**`