Merge branch 'main' into redsun82/kotlin-language-version-min-1.9

Author: redsun82

cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -163,20 +163,31 @@ predicate primitiveVariadicFormatter(
   )
 }
 
+/**
+ * Gets a function call whose target is a variadic formatter with the given
+ * `type`, `format` parameter index and `output` parameter index.
+ *
+ * Join-order helper for `callsVariadicFormatter`.
+ */
+pragma[nomagic]
+private predicate callsVariadicFormatterCall(FunctionCall fc, string type, int format, int output) {
+  variadicFormatter(fc.getTarget(), type, format, output)
+}
+
 private predicate callsVariadicFormatter(
   Function f, string type, int formatParamIndex, int outputParamIndex
 ) {
   // calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
   exists(FunctionCall fc, int format, int output |
-    variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
+    callsVariadicFormatterCall(fc, type, format, output) and
     fc.getEnclosingFunction() = f and
     fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
     fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
   )
   or
   // calls a variadic formatter with only `formatParamIndex` linked
   exists(FunctionCall fc, string calledType, int format, int output |
-    variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
+    callsVariadicFormatterCall(fc, calledType, format, output) and
     fc.getEnclosingFunction() = f and
     fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
     not fc.getArgument(output) = f.getParameter(_).getAnAccess() and

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll

@@ -321,6 +321,12 @@ module Public {
      */
     Operand asIndirectOperand(int index) { hasOperandAndIndex(this, result, index) }
 
+    /**
+     * Gets the instruction that is indirectly tracked by this node behind
+     * `index` number of indirections.
+     */
+    Instruction asIndirectInstruction(int index) { hasInstructionAndIndex(this, result, index) }
+
     /**
      * Holds if this node is at index `i` in basic block `block`.
      *
@@ -617,6 +623,25 @@ module Public {
      */
     LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }
 
+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * `index` number of indirections, if any.
+     */
+    LocalVariable asIndirectUninitialized(int index) {
+      exists(IndirectUninitializedNode indirectUninitializedNode |
+        this = indirectUninitializedNode and
+        indirectUninitializedNode.getIndirectionIndex() = index
+      |
+        result = indirectUninitializedNode.getLocalVariable()
+      )
+    }
+
+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * a number indirections, if any.
+     */
+    LocalVariable asIndirectUninitialized() { result = this.asIndirectUninitialized(_) }
+
     /**
      * Gets the positional parameter corresponding to the node that represents
      * the value of the parameter after `index` number of loads, if any. For
@@ -761,16 +786,13 @@ module Public {
     final override Type getType() { result = this.getPreUpdateNode().getType() }
   }
 
-  /**
-   * The value of an uninitialized local variable, viewed as a node in a data
-   * flow graph.
-   */
-  class UninitializedNode extends Node {
+  abstract private class AbstractUninitializedNode extends Node {
     LocalVariable v;
+    int indirectionIndex;
 
-    UninitializedNode() {
+    AbstractUninitializedNode() {
       exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
-        def.getIndirectionIndex() = 0 and
+        def.getIndirectionIndex() = indirectionIndex and
         def.getValue().asInstruction() instanceof UninitializedInstruction and
         SsaImpl::defToNode(this, def, sv) and
         v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
@@ -781,6 +803,25 @@ module Public {
     LocalVariable getLocalVariable() { result = v }
   }
 
+  /**
+   * The value of an uninitialized local variable, viewed as a node in a data
+   * flow graph.
+   */
+  class UninitializedNode extends AbstractUninitializedNode {
+    UninitializedNode() { indirectionIndex = 0 }
+  }
+
+  /**
+   * The value of an uninitialized local variable behind one or more levels of
+   * indirection, viewed as a node in a data flow graph.
+   */
+  class IndirectUninitializedNode extends AbstractUninitializedNode {
+    IndirectUninitializedNode() { indirectionIndex > 0 }
+
+    /** Gets the indirection index of this node. */
+    int getIndirectionIndex() { result = indirectionIndex }
+  }
+
   /**
    * The value of a parameter at function entry, viewed as a node in a data
    * flow graph. This includes both explicit parameters such as `x` in `f(x)`
@@ -795,6 +836,12 @@ module Public {
   /** An explicit positional parameter, including `this`, but not `...`. */
   final class DirectParameterNode = AbstractDirectParameterNode;
 
+  /**
+   * A node representing an indirection of a positional parameter,
+   * including `*this`, but not `*...`.
+   */
+  final class IndirectParameterNode = AbstractIndirectParameterNode;
+
   final class ExplicitParameterNode = AbstractExplicitParameterNode;
 
   /** An implicit `this` parameter. */
@@ -954,11 +1001,6 @@ module Public {
 
 private import Public
 
-/**
- * A node representing an indirection of a parameter.
- */
-final class IndirectParameterNode = AbstractIndirectParameterNode;
-
 /**
  * A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
  */

csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md

@@ -0,0 +1,7 @@
+---
+category: minorAnalysis
+---
+* The `cs/log-forging` query no longer treats arguments to extension methods with
+  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
+  through extension method bodies, reducing false positives when extension methods
+  sanitize input internally.

csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll

@@ -52,9 +52,17 @@ private class HtmlSanitizer extends Sanitizer {
 }
 
 /**
- * An argument to a call to a method on a logger class.
+ * An argument to a call to a method on a logger class, excluding extension methods
+ * with source code which are analyzed interprocedurally.
  */
-private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
+private class LogForgingLogMessageSink extends Sink, LogMessageSink {
+  LogForgingLogMessageSink() {
+    not exists(ExtensionMethodCall mc |
+      this.getExpr() = mc.getAnArgument() and
+      mc.getTarget().fromSource()
+    )
+  }
+}
 
 /**
  * An argument to a call to a method on a trace class.

csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.cs

@@ -33,6 +33,11 @@ public void ProcessRequest(HttpContext ctx)
         Microsoft.Extensions.Logging.ILogger logger2 = null;
         // BAD: Logged as-is
         logger2.LogError(username); // $ Alert
+
+        // GOOD: uses safe extension method that sanitizes internally
+        logger.WarnSafe(username + " logged in");
+        // BAD: uses unsafe extension method that does not sanitize
+        logger.WarnUnsafe(username + " logged in");
     }
 
     public bool IsReusable
@@ -43,3 +48,16 @@ public bool IsReusable
         }
     }
 }
+
+static class UserLoggerExtensions
+{
+    public static void WarnSafe(this ILogger logger, string message)
+    {
+        logger.Warn(message.ReplaceLineEndings(""));
+    }
+
+    public static void WarnUnsafe(this ILogger logger, string message)
+    {
+        logger.Warn(message); // $ Alert
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected

@@ -2,14 +2,18 @@
 | LogForging.cs:21:21:21:43 | ... + ... | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:21:21:21:43 | ... + ... | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
 | LogForging.cs:31:50:31:72 | ... + ... | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:31:50:31:72 | ... + ... | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
 | LogForging.cs:35:26:35:33 | access to local variable username | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:35:26:35:33 | access to local variable username | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
+| LogForging.cs:61:21:61:27 | access to parameter message | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:61:21:61:27 | access to parameter message | This log entry depends on a $@. | LogForging.cs:18:27:18:49 | access to property QueryString | user-provided value |
 | LogForgingAsp.cs:17:21:17:43 | ... + ... | LogForgingAsp.cs:13:32:13:39 | username : String | LogForgingAsp.cs:17:21:17:43 | ... + ... | This log entry depends on a $@. | LogForgingAsp.cs:13:32:13:39 | username | user-provided value |
 edges
 | LogForging.cs:18:16:18:23 | access to local variable username : String | LogForging.cs:21:21:21:43 | ... + ... | provenance |  |
 | LogForging.cs:18:16:18:23 | access to local variable username : String | LogForging.cs:31:50:31:72 | ... + ... | provenance |  |
 | LogForging.cs:18:16:18:23 | access to local variable username : String | LogForging.cs:35:26:35:33 | access to local variable username | provenance |  |
+| LogForging.cs:18:16:18:23 | access to local variable username : String | LogForging.cs:40:27:40:49 | ... + ... : String | provenance |  |
 | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:18:16:18:23 | access to local variable username : String | provenance |  |
 | LogForging.cs:18:27:18:49 | access to property QueryString : NameValueCollection | LogForging.cs:18:27:18:61 | access to indexer : String | provenance | MaD:1 |
 | LogForging.cs:18:27:18:61 | access to indexer : String | LogForging.cs:18:16:18:23 | access to local variable username : String | provenance |  |
+| LogForging.cs:40:27:40:49 | ... + ... : String | LogForging.cs:59:63:59:69 | message : String | provenance |  |
+| LogForging.cs:59:63:59:69 | message : String | LogForging.cs:61:21:61:27 | access to parameter message | provenance |  |
 | LogForgingAsp.cs:13:32:13:39 | username : String | LogForgingAsp.cs:17:21:17:43 | ... + ... | provenance |  |
 models
 | 1 | Summary: System.Collections.Specialized; NameValueCollection; false; get_Item; (System.String); ; Argument[this]; ReturnValue; taint; df-generated |
@@ -20,6 +24,9 @@ nodes
 | LogForging.cs:21:21:21:43 | ... + ... | semmle.label | ... + ... |
 | LogForging.cs:31:50:31:72 | ... + ... | semmle.label | ... + ... |
 | LogForging.cs:35:26:35:33 | access to local variable username | semmle.label | access to local variable username |
+| LogForging.cs:40:27:40:49 | ... + ... : String | semmle.label | ... + ... : String |
+| LogForging.cs:59:63:59:69 | message : String | semmle.label | message : String |
+| LogForging.cs:61:21:61:27 | access to parameter message | semmle.label | access to parameter message |
 | LogForgingAsp.cs:13:32:13:39 | username : String | semmle.label | username : String |
 | LogForgingAsp.cs:17:21:17:43 | ... + ... | semmle.label | ... + ... |
 subpaths

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.1.rst

@@ -129,7 +129,7 @@ Java/Kotlin
 """""""""""
 
 *   The Java extractor and QL libraries now support Java 23.
-*   Kotlin versions up to 2.1.0\ *x* are now supported.
+*   Kotlin versions up to 2.1.0*x* are now supported.
 
 Python
 """"""

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst

@@ -144,7 +144,7 @@ New Features
 Java/Kotlin
 """""""""""
 
-*   Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0).
+*   Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0).
 
 Swift
 """""