Merge remote-tracking branch 'upstream/main' into pointermodels

Author: geoffw0

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -6,6 +6,7 @@ private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
+private import Node0ToString
 
 cached
 private module Cached {
@@ -138,11 +139,7 @@ abstract class InstructionNode0 extends Node0Impl {
 
   override DataFlowType getType() { result = getInstructionType(instr, _) }
 
-  override string toStringImpl() {
-    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = instr.getAst().toString()
-  }
+  override string toStringImpl() { result = instructionToString(instr) }
 
   override Location getLocationImpl() {
     if exists(instr.getAst().getLocation())
@@ -187,11 +184,7 @@ abstract class OperandNode0 extends Node0Impl {
 
   override DataFlowType getType() { result = getOperandType(op, _) }
 
-  override string toStringImpl() {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
+  override string toStringImpl() { result = operandToString(op) }
 
   override Location getLocationImpl() {
     if exists(op.getDef().getAst().getLocation())

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -15,6 +15,7 @@ private import ModelUtil
 private import SsaInternals as Ssa
 private import DataFlowImplCommon as DataFlowImplCommon
 private import codeql.util.Unit
+private import Node0ToString
 
 /**
  * The IR dataflow graph consists of the following nodes:
@@ -486,10 +487,13 @@ class Node extends TIRDataFlowNode {
 }
 
 private string toExprString(Node n) {
-  result = n.asExpr(0).toString()
-  or
-  not exists(n.asExpr()) and
-  result = n.asIndirectExpr(0, 1).toString() + " indirection"
+  not isDebugMode() and
+  (
+    result = n.asExpr(0).toString()
+    or
+    not exists(n.asExpr()) and
+    result = n.asIndirectExpr(0, 1).toString() + " indirection"
+  )
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DebugPrinting.qll

@@ -0,0 +1,9 @@
+/**
+ * This file activates debugging mode for dataflow node printing.
+ */
+
+private import Node0ToString
+
+private class DebugNode0ToString extends Node0ToString {
+  final override predicate isDebugMode() { any() }
+}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Node0ToString.qll

@@ -0,0 +1,75 @@
+/**
+ * This file contains the abstract class that serves as the base class for
+ * dataflow node printing.
+ *
+ * By default, a non-debug string is produced. However, a debug-friendly
+ * string can be produced by importing `DebugPrinting.qll`.
+ */
+
+private import semmle.code.cpp.ir.IR
+private import codeql.util.Unit
+
+/**
+ * A class to control whether a debugging version of instructions and operands
+ * should be printed as part of the `toString` output of dataflow nodes.
+ *
+ * To enable debug printing import the `DebugPrinting.ql` file. By default,
+ * non-debug output will be used.
+ */
+class Node0ToString extends Unit {
+  abstract predicate isDebugMode();
+
+  private string normalInstructionToString(Instruction i) {
+    not this.isDebugMode() and
+    if i.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = i.getAst().toString()
+  }
+
+  private string normalOperandToString(Operand op) {
+    not this.isDebugMode() and
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
+
+  /**
+   * Gets the string that should be used by `InstructionNode.toString`
+   */
+  string instructionToString(Instruction i) {
+    if this.isDebugMode()
+    then result = i.getDumpString()
+    else result = this.normalInstructionToString(i)
+  }
+
+  /**
+   * Gets the string that should be used by `OperandNode.toString`.
+   */
+  string operandToString(Operand op) {
+    if this.isDebugMode()
+    then result = op.getDumpString() + " @ " + op.getUse().getResultId()
+    else result = this.normalOperandToString(op)
+  }
+}
+
+private class NoDebugNode0ToString extends Node0ToString {
+  final override predicate isDebugMode() { none() }
+}
+
+/**
+ * Gets the string that should be used by `OperandNode.toString`.
+ */
+string operandToString(Operand op) { result = any(Node0ToString nts).operandToString(op) }
+
+/**
+ * Gets the string that should be used by `InstructionNode.toString`
+ */
+string instructionToString(Instruction i) { result = any(Node0ToString nts).instructionToString(i) }
+
+/**
+ * Holds if debugging mode is enabled.
+ *
+ * In debug mode the `toString` on dataflow nodes is more expensive to compute,
+ * but gives more precise information about the different dataflow nodes.
+ */
+predicate isDebugMode() { any(Node0ToString nts).isDebugMode() }

csharp/ql/lib/change-notes/2023-06-22-aws-lambda-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional support for `Amazon.Lambda` SDK

csharp/ql/lib/ext/Amazon.Lambda.model.yml

@@ -0,0 +1,31 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["Amazon.Lambda.APIGatewayEvents","APIGatewayHttpApiV2ProxyRequest",true,"get_Headers","()","","ReturnValue","remote","manual"]
+      - ["Amazon.Lambda.APIGatewayEvents","APIGatewayHttpApiV2ProxyRequest",true,"get_Body","()","","ReturnValue","remote","manual"]
+      - ["Amazon.Lambda.APIGatewayEvents","APIGatewayHttpApiV2ProxyRequest",true,"get_RawPath","()","","ReturnValue","remote","manual"]
+      - ["Amazon.Lambda.APIGatewayEvents","APIGatewayHttpApiV2ProxyRequest",true,"get_RawQueryString","()","","ReturnValue","remote","manual"]
+      - ["Amazon.Lambda.APIGatewayEvents","APIGatewayHttpApiV2ProxyRequest",true,"get_Cookies","()","","ReturnValue","remote","manual"]
+      - ["Amazon.Lambda.APIGatewayEvents","APIGatewayHttpApiV2ProxyRequest",true,"get_PathParameters","()","","ReturnValue","remote","manual"]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sinkModel
+    data:
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"Log","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogLine","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogTrace","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogDebug","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogInformation","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogWarning","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogError","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogCritical","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"Log","(System.String,System.String)","","Argument[1]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"Log","(Amazon.Lambda.Core.LogLevel,System.String)","","Argument[1]","log-injection","manual"]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: summaryModel
+    data: []

csharp/ql/test/library-tests/frameworks/Aws/lambda.cs

@@ -0,0 +1,42 @@
+using System.Net;
+using System.Collections.Generic;
+
+using Amazon.Lambda.Core;
+using Amazon.Lambda.APIGatewayEvents;
+
+
+namespace LambdaTests {
+    public class Functions {
+        public APIGatewayProxyResponse Get(APIGatewayHttpApiV2ProxyRequest request, ILambdaContext context) {
+            string body = request.Body;  // source
+            string cookie = request.Cookies[0];  // source
+
+            string rawpath = request.RawPath;  // source
+            string rawquery = request.RawQueryString;  // source
+            request.PathParameters.TryGetValue("x", out var pathparameter);  // source
+
+            string header = request.Headers["test"];  // source
+            request.Headers.TryGetValue("test", out var header2);  // source
+
+
+            return new APIGatewayProxyResponse {
+                StatusCode = 200
+            };
+        }
+
+        public void Logging(ILambdaContext context, string data)
+        {
+            // logging
+            context.Logger.Log($"Log Data :: {data}");
+            context.Logger.LogLine($"Log Data :: {data}");
+            context.Logger.Log("Information", $"Log Data :: {data}");
+            context.Logger.Log(LogLevel.Information, $"Log Data :: {data}");
+            context.Logger.LogTrace($"Log Data :: {data}");
+            context.Logger.LogDebug($"Log Data :: {data}");
+            context.Logger.LogInformation($"Log Data :: {data}");
+            context.Logger.LogWarning($"Log Data :: {data}");
+            context.Logger.LogError($"Log Data :: {data}");
+            context.Logger.LogCritical($"Log Data :: {data}");
+        }
+    }
+}

csharp/ql/test/library-tests/frameworks/Aws/lambda.expected

@@ -0,0 +1,19 @@
+awsRemoteSources
+| lambda.cs:11:27:11:38 | access to property Body |
+| lambda.cs:12:29:12:43 | access to property Cookies |
+| lambda.cs:14:30:14:44 | access to property RawPath |
+| lambda.cs:15:31:15:52 | access to property RawQueryString |
+| lambda.cs:16:13:16:34 | access to property PathParameters |
+| lambda.cs:18:29:18:43 | access to property Headers |
+| lambda.cs:19:13:19:27 | access to property Headers |
+awsLoggingSinks
+| lambda.cs:30:32:30:52 | $"..." |
+| lambda.cs:31:36:31:56 | $"..." |
+| lambda.cs:32:47:32:67 | $"..." |
+| lambda.cs:33:54:33:74 | $"..." |
+| lambda.cs:34:37:34:57 | $"..." |
+| lambda.cs:35:37:35:57 | $"..." |
+| lambda.cs:36:43:36:63 | $"..." |
+| lambda.cs:37:39:37:59 | $"..." |
+| lambda.cs:38:37:38:57 | $"..." |
+| lambda.cs:39:40:39:60 | $"..." |

csharp/ql/test/library-tests/frameworks/Aws/lambda.ql

@@ -0,0 +1,6 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.ExternalFlow
+
+query predicate awsRemoteSources(DataFlow::ExprNode node) { sourceNode(node, "remote") }
+
+query predicate awsLoggingSinks(DataFlow::ExprNode node) { sinkNode(node, "log-injection") }

csharp/ql/test/library-tests/frameworks/Aws/options

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Amazon.Lambda.Core/2.2.0/Amazon.Lambda.Core.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Amazon.Lambda.APIGatewayEvents/2.7.0/Amazon.Lambda.APIGatewayEvents.csproj