Merge branch 'main' into varfps

Author: geoffw0

config/identical-files.json

@@ -282,6 +282,7 @@
     "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
     "go/ql/lib/semmle/go/internal/OverlayXml.qll",
     "python/ql/lib/semmle/python/internal/OverlayXml.qll",
-    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll"
+    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll",
+    "cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll"
   ]
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -148,6 +148,19 @@ module SourceSinkInterpretationInput implements
     )
   }
 
+  predicate barrierElement(
+    Element n, string output, string kind, Public::Provenance provenance, string model
+  ) {
+    none()
+  }
+
+  predicate barrierGuardElement(
+    Element n, string input, Public::AcceptingValue acceptingvalue, string kind,
+    Public::Provenance provenance, string model
+  ) {
+    none()
+  }
+
   private newtype TInterpretNode =
     TElement_(Element n) or
     TNode_(Node n)

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -2,6 +2,8 @@
  * Defines entity discard predicates for C++ overlay analysis.
  */
 
+private import OverlayXml
+
 /**
  * Holds always for the overlay variant and never for the base variant.
  * This local predicate is used to define local predicates that behave

cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll

@@ -0,0 +1,46 @@
+overlay[local]
+module;
+
+/**
+ * A local predicate that always holds for the overlay variant and never holds for the base variant.
+ * This is used to define local predicates that behave differently for the base and overlay variant.
+ */
+private predicate isOverlay() { databaseMetadata("isOverlay", "true") }
+
+private string getXmlFile(@xmllocatable locatable) {
+  exists(@location_default location, @file file | xmllocations(locatable, location) |
+    locations_default(location, file, _, _, _, _) and
+    files(file, result)
+  )
+}
+
+private string getXmlFileInBase(@xmllocatable locatable) {
+  not isOverlay() and
+  result = getXmlFile(locatable)
+}
+
+/**
+ * Holds if the given `file` was extracted as part of the overlay and was extracted by the HTML/XML
+ * extractor.
+ */
+private predicate overlayXmlExtracted(string file) {
+  isOverlay() and
+  exists(@xmllocatable locatable |
+    not files(locatable, _) and not xmlNs(locatable, _, _, _) and file = getXmlFile(locatable)
+  )
+}
+
+/**
+ * Holds if the given XML `locatable` should be discarded, because it is part of the overlay base
+ * and is in a file that was also extracted as part of the overlay database.
+ */
+overlay[discard_entity]
+private predicate discardXmlLocatable(@xmllocatable locatable) {
+  exists(string file | file = getXmlFileInBase(locatable) |
+    overlayChangedFiles(file)
+    or
+    // The HTML/XML extractor is currently not incremental and may extract more files than those
+    // included in overlayChangedFiles.
+    overlayXmlExtracted(file)
+  )
+}

csharp/documentation/library-coverage/coverage.csv

@@ -40,6 +40,7 @@ Microsoft.VisualBasic,,,6,,,,,,,,,,,,,,,,,,,1,5
 Microsoft.Win32,,4,2,,,,,,,,,,,,,,,,,,4,,2
 Mono.Linker,,,278,,,,,,,,,,,,,,,,,,,127,151
 MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
+NHibernate,3,,,,,,,,,,,,3,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5

csharp/documentation/library-coverage/coverage.rst

@@ -9,6 +9,6 @@ C# framework & library support
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
    System,"``System.*``, ``System``",47,12241,54,5
-   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2257,159,4
-   Totals,,107,14505,407,9
+   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``NHibernate``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2257,162,4
+   Totals,,107,14505,410,9
 

csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.

csharp/ql/lib/ext/NHibernate.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sinkModel
+    data:
+      - ["NHibernate", "ISession", True, "CreateSQLQuery", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["NHibernate", "IStatelessSession", True, "CreateSQLQuery", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["NHibernate.Impl", "AbstractSessionImpl", True, "CreateSQLQuery", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]

csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll

@@ -842,6 +842,40 @@ module Internal {
     e3 = any(NullCoalescingExpr nce | e1 = nce.getLeftOperand() and e2 = nce.getRightOperand())
   }
 
+  predicate nullValueImplied(Expr e) {
+    nullValue(e)
+    or
+    exists(Expr e1 | nullValueImplied(e1) and nullValueImpliedUnary(e1, e))
+    or
+    exists(Expr e1, Expr e2 |
+      nullValueImplied(e1) and nullValueImplied(e2) and nullValueImpliedBinary(e1, e2, e)
+    )
+    or
+    e =
+      any(Ssa::Definition def |
+        forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u))
+      ).getARead()
+  }
+
+  private predicate nullDef(Ssa::ExplicitDefinition def) {
+    nullValueImplied(def.getADefinition().getSource())
+  }
+
+  predicate nonNullValueImplied(Expr e) {
+    nonNullValue(e)
+    or
+    exists(Expr e1 | nonNullValueImplied(e1) and nonNullValueImpliedUnary(e1, e))
+    or
+    e =
+      any(Ssa::Definition def |
+        forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u))
+      ).getARead()
+  }
+
+  private predicate nonNullDef(Ssa::ExplicitDefinition def) {
+    nonNullValueImplied(def.getADefinition().getSource())
+  }
+
   /** A callable that always returns a non-`null` value. */
   private class NonNullCallable extends Callable {
     NonNullCallable() { this = any(SystemObjectClass c).getGetTypeMethod() }
@@ -936,154 +970,21 @@ module Internal {
     e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand())
   }
 
-  // The predicates in this module should be evaluated in the same stage as the CFG
-  // construction stage. This is to avoid recomputation of pre-basic-blocks and
-  // pre-SSA predicates
-  private module PreCfg {
-    private import semmle.code.csharp.controlflow.internal.PreBasicBlocks as PreBasicBlocks
-    private import semmle.code.csharp.controlflow.internal.PreSsa
-
-    private predicate nullDef(PreSsa::Definition def) {
-      nullValueImplied(def.getDefinition().getSource())
-    }
-
-    private predicate nonNullDef(PreSsa::Definition def) {
-      nonNullValueImplied(def.getDefinition().getSource())
-    }
-
-    private predicate emptyDef(PreSsa::Definition def) {
-      emptyValue(def.getDefinition().getSource())
-    }
-
-    private predicate nonEmptyDef(PreSsa::Definition def) {
-      nonEmptyValue(def.getDefinition().getSource())
-    }
-
-    deprecated predicate isGuard(Expr e, GuardValue val) {
-      (
-        e.getType() instanceof BoolType and
-        not e instanceof BoolLiteral and
-        not e instanceof SwitchCaseExpr and
-        not e instanceof PatternExpr and
-        exists(val.asBooleanValue())
-        or
-        e instanceof DereferenceableExpr and
-        val.isNullness(_)
-      ) and
-      not e = any(ExprStmt es).getExpr() and
-      not e = any(LocalVariableDeclStmt s).getAVariableDeclExpr()
-    }
-
-    cached
-    private module CachedWithCfg {
-      private import semmle.code.csharp.Caching
-
-      private predicate firstReadSameVarUniquePredecessor(
-        PreSsa::Definition def, AssignableRead read
-      ) {
-        read = def.getAFirstRead() and
-        (
-          not PreSsa::adjacentReadPairSameVar(_, read)
-          or
-          read = unique(AssignableRead read0 | PreSsa::adjacentReadPairSameVar(read0, read))
-        )
-      }
-
-      cached
-      predicate nullValueImplied(Expr e) {
-        nullValue(e)
-        or
-        exists(Expr e1 | nullValueImplied(e1) and nullValueImpliedUnary(e1, e))
-        or
-        exists(Expr e1, Expr e2 |
-          nullValueImplied(e1) and nullValueImplied(e2) and nullValueImpliedBinary(e1, e2, e)
-        )
-        or
-        e =
-          any(PreSsa::Definition def |
-            forex(PreSsa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u))
-          ).getARead()
-      }
-
-      cached
-      predicate nonNullValueImplied(Expr e) {
-        nonNullValue(e)
-        or
-        exists(Expr e1 | nonNullValueImplied(e1) and nonNullValueImpliedUnary(e1, e))
-        or
-        e =
-          any(PreSsa::Definition def |
-            forex(PreSsa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u))
-          ).getARead()
-      }
-
-      private predicate adjacentReadPairSameVarUniquePredecessor(
-        AssignableRead read1, AssignableRead read2
-      ) {
-        PreSsa::adjacentReadPairSameVar(read1, read2) and
-        (
-          read1 = read2 and
-          read1 = unique(AssignableRead other | PreSsa::adjacentReadPairSameVar(other, read2))
-          or
-          read1 =
-            unique(AssignableRead other |
-              PreSsa::adjacentReadPairSameVar(other, read2) and other != read2
-            )
-        )
-      }
-
-      cached
-      predicate emptyValue(Expr e) {
-        e.(ArrayCreation).getALengthArgument().getValue().toInt() = 0
-        or
-        e.(ArrayInitializer).hasNoElements()
-        or
-        exists(Expr mid | emptyValue(mid) |
-          mid = e.(AssignExpr).getRValue()
-          or
-          mid = e.(Cast).getExpr()
-        )
-        or
-        exists(PreSsa::Definition def | emptyDef(def) | firstReadSameVarUniquePredecessor(def, e))
-        or
-        exists(MethodCall mc |
-          mc.getTarget().getAnUltimateImplementee().getUnboundDeclaration() =
-            any(SystemCollectionsGenericICollectionInterface c).getClearMethod() and
-          adjacentReadPairSameVarUniquePredecessor(mc.getQualifier(), e)
-        )
-      }
-
-      cached
-      predicate nonEmptyValue(Expr e) {
-        forex(Expr length | length = e.(ArrayCreation).getALengthArgument() |
-          length.getValue().toInt() != 0
-        )
-        or
-        e.(ArrayInitializer).getNumberOfElements() > 0
-        or
-        exists(Expr mid | nonEmptyValue(mid) |
-          mid = e.(AssignExpr).getRValue()
-          or
-          mid = e.(Cast).getExpr()
-        )
-        or
-        exists(PreSsa::Definition def | nonEmptyDef(def) |
-          firstReadSameVarUniquePredecessor(def, e)
-        )
-        or
-        exists(MethodCall mc |
-          mc.getTarget().getAnUltimateImplementee().getUnboundDeclaration() =
-            any(SystemCollectionsGenericICollectionInterface c).getAddMethod() and
-          adjacentReadPairSameVarUniquePredecessor(mc.getQualifier(), e)
-        )
-      }
-    }
-
-    import CachedWithCfg
+  deprecated predicate isGuard(Expr e, GuardValue val) {
+    (
+      e.getType() instanceof BoolType and
+      not e instanceof BoolLiteral and
+      not e instanceof SwitchCaseExpr and
+      not e instanceof PatternExpr and
+      exists(val.asBooleanValue())
+      or
+      e instanceof DereferenceableExpr and
+      val.isNullness(_)
+    ) and
+    not e = any(ExprStmt es).getExpr() and
+    not e = any(LocalVariableDeclStmt s).getAVariableDeclExpr()
   }
 
-  import PreCfg
-
   private predicate interestingDescendantCandidate(Expr e) {
     guardControls(e, _, _)
     or