Merge branch 'github:main' into prompt-injection

Author: mbaluda

cpp/ql/lib/change-notes/2026-01-26-buffer-overflow-fps.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` will report fewer false positives on such databases.

cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll

@@ -62,11 +62,13 @@ private Class getRootType(FieldAccess fa) {
  * unspecified type of `v` is a `ReferenceType`.
  */
 private int getVariableSize(Variable v) {
-  exists(Type t |
-    t = v.getUnspecifiedType() and
-    not t instanceof ReferenceType and
-    result = t.getSize()
-  )
+  result =
+    unique(Type t |
+      t = v.getUnspecifiedType() and
+      not t instanceof ReferenceType
+    |
+      t.getSize()
+    )
 }
 
 /**
@@ -79,30 +81,32 @@ private int getSize(VariableAccess va) {
     not v instanceof Field and
     result = getVariableSize(v)
     or
-    exists(Class c, int trueSize |
-      // Otherwise, we find the "outermost" object and compute the size
-      // as the difference between the size of the type of the "outermost
-      // object" and the offset of the field relative to that type.
-      // For example, consider the following structs:
-      // ```
-      // struct S {
-      //   uint32_t x;
-      //   uint32_t y;
-      // };
-      // struct S2 {
-      //   S s;
-      //   uint32_t z;
-      // };
-      // ```
-      // Given an object `S2 s2` the size of the buffer `&s2.s.y`
-      // is the size of the base object type (i.e., `S2`) minutes the offset
-      // of `y` relative to the type `S2` (i.e., `4`). So the size of the
-      // buffer is `12 - 4 = 8`.
-      c = getRootType(va) and
-      // we calculate the size based on the last field, to avoid including any padding after it
-      trueSize = max(Field f | | f.getOffsetInClass(c) + getVariableSize(f)) and
-      result = trueSize - v.(Field).getOffsetInClass(c)
-    )
+    result =
+      unique(Class c, int trueSize |
+        // Otherwise, we find the "outermost" object and compute the size
+        // as the difference between the size of the type of the "outermost
+        // object" and the offset of the field relative to that type.
+        // For example, consider the following structs:
+        // ```
+        // struct S {
+        //   uint32_t x;
+        //   uint32_t y;
+        // };
+        // struct S2 {
+        //   S s;
+        //   uint32_t z;
+        // };
+        // ```
+        // Given an object `S2 s2` the size of the buffer `&s2.s.y`
+        // is the size of the base object type (i.e., `S2`) minus the offset
+        // of `y` relative to the type `S2` (i.e., `4`). So the size of the
+        // buffer is `12 - 4 = 8`.
+        c = getRootType(va) and
+        // we calculate the size based on the last field, to avoid including any padding after it
+        trueSize = max(Field f | | f.getOffsetInClass(c) + getVariableSize(f))
+      |
+        trueSize - v.(Field).getOffsetInClass(c)
+      )
   )
 }
 
@@ -116,12 +120,8 @@ private int isSource(Expr bufferExpr, Element why) {
   exists(Variable bufferVar | bufferVar = bufferExpr.(VariableAccess).getTarget() |
     // buffer is a fixed size array
     exists(bufferVar.getUnspecifiedType().(ArrayType).getSize()) and
-    result =
-      unique(int size | // more generous than .getSize() itself, when the array is a class field or similar.
-        size = getSize(bufferExpr)
-      |
-        size
-      ) and
+    // more generous than .getSize() itself, when the array is a class field or similar.
+    result = getSize(bufferExpr) and
     why = bufferVar and
     not memberMayBeVarSize(_, bufferVar) and
     not exists(BuiltInOperationBuiltInOffsetOf offsetof | offsetof.getAChild*() = bufferExpr) and

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -45,13 +45,13 @@ private string getSingleLocationFilePath(@element e) {
 overlay[local]
 private string getMultiLocationFilePath(@element e) {
   exists(@location_default loc |
-    exists(@var_decl vd | var_decls(vd, e, _, _, loc))
+    var_decls(_, e, _, _, loc)
     or
-    exists(@fun_decl fd | fun_decls(fd, e, _, _, loc))
+    fun_decls(_, e, _, _, loc)
     or
-    exists(@type_decl td | type_decls(td, e, loc))
+    type_decls(_, e, loc)
     or
-    exists(@namespace_decl nd | namespace_decls(nd, e, loc, _))
+    namespace_decls(_, e, loc, _)
   |
     result = getLocationFilePath(loc)
   )
@@ -62,7 +62,7 @@ private string getMultiLocationFilePath(@element e) {
  * overlay variant.
  */
 overlay[local]
-private predicate holdsInBase() { not isOverlay() }
+private predicate isBase() { not isOverlay() }
 
 /**
  * Discards an element from the base variant if:
@@ -71,7 +71,7 @@ private predicate holdsInBase() { not isOverlay() }
  */
 overlay[discard_entity]
 private predicate discardElement(@element e) {
-  holdsInBase() and
+  isBase() and
   (
     overlayChangedFiles(getSingleLocationFilePath(e))
     or

java/documentation/library-coverage/coverage.csv

@@ -96,7 +96,7 @@ java.security,21,,583,,,11,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,285,29
 java.sql,15,1,292,,,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,9,,,,,,,,,,1,,,,274,18
 java.text,,,154,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,72,82
 java.time,,,131,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,27,104
-java.util,48,2,1339,,,,,,,,,1,,,,,,,,,,,34,,,,3,,,,5,2,,1,2,,,,,,,,,,,,,,2,,,558,781
+java.util,48,2,1340,,,,,,,,,1,,,,,,,,,,,34,,,,3,,,,5,2,,1,2,,,,,,,,,,,,,,2,,,558,782
 javafx.scene.web,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,
 javax.accessibility,,,63,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,28,35
 javax.activation,2,,7,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,,,,,,7,
@@ -153,7 +153,7 @@ org.acegisecurity,,,49,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,49,
 org.antlr.runtime,1,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,
 org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
 org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
-org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
+org.apache.commons.collections4,,,806,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,789
 org.apache.commons.compress.archivers.tar,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,
 org.apache.commons.exec,10,,,,6,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 org.apache.commons.fileupload,,11,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,11,4,
@@ -262,7 +262,7 @@ org.springframework.web.portlet,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,
 org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,
 org.springframework.web.servlet,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
 org.springframework.web.socket,,8,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,6,
-org.springframework.web.util,,9,157,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,132,25
+org.springframework.web.util,,9,159,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,134,25
 org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,2,
 org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
 org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,

java/documentation/library-coverage/coverage.rst

@@ -9,7 +9,7 @@ Java framework & library support
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑918` :sub:`Request Forgery`
    Android,``android.*``,52,481,181,1,3,67,,,
    Android extensions,``androidx.*``,5,183,60,,,,,,
-   `Apache Commons Collections <https://commons.apache.org/proper/commons-collections/>`_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,1600,,,,,,,
+   `Apache Commons Collections <https://commons.apache.org/proper/commons-collections/>`_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,1606,,,,,,,
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,570,124,105,,,,,15
    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,425,7,,,,,,
    `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,
@@ -26,7 +26,7 @@ Java framework & library support
    `JBoss Logging <https://github.com/jboss-logging/jboss-logging>`_,``org.jboss.logging``,,,324,,,,,,
    `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
    `Jackson <https://github.com/FasterXML/jackson>`_,``com.fasterxml.jackson.*``,,9,2,2,,,,,
-   Java Standard Library,``java.*``,10,4628,260,99,,9,,,26
+   Java Standard Library,``java.*``,10,4629,260,99,,9,,,26
    Java extensions,"``javax.*``, ``jakarta.*``",101,4185,90,10,4,2,1,1,4
    `Jetty <https://eclipse.dev/jetty/>`_,``org.eclipse.jetty.client``,,,2,,,,,,2
    Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
@@ -37,9 +37,9 @@ Java framework & library support
    `Retrofit <https://square.github.io/retrofit/>`_,``retrofit2``,,1,1,,,,,,1
    `SLF4J <https://www.slf4j.org/>`_,``org.slf4j``,,6,55,,,,,,
    `SnakeYAML <https://github.com/snakeyaml/snakeyaml>`_,``org.yaml.snakeyaml``,,1,,,,,,,
-   `Spring <https://spring.io/>`_,``org.springframework.*``,46,492,143,26,,28,14,,35
+   `Spring <https://spring.io/>`_,``org.springframework.*``,46,494,143,26,,28,14,,35
    `Thymeleaf <https://www.thymeleaf.org/>`_,``org.thymeleaf``,,2,2,,,,,,
    `jOOQ <https://www.jooq.org/>`_,``org.jooq``,,,1,,,1,,,
    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.jsonwebtoken``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",108,6034,757,131,6,14,18,,185
-   Totals,,363,26372,2681,404,16,134,33,1,409
+   Totals,,363,26381,2681,404,16,134,33,1,409