github
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll‎
Lines changed: 2 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll‎
Lines changed: 6 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll‎
Lines changed: 2 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll‎
Lines changed: 2 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll‎
Lines changed: 6 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll‎
Lines changed: 15 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎cpp/ql/test/library-tests/special_members/generated_copy/functions.expected‎
Lines changed: 0 additions & 2 deletions b/‎cpp/ql/test/library-tests/special_members/generated_copy/functions.expected‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected‎
Lines changed: 1 addition & 3 deletions b/‎cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs‎
Lines changed: 21 additions & 7 deletions b/‎csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs‎
Lines changed: 21 additions & 7 deletions
@@ -14,6 +14,7 @@
   - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
   - [json3](https://www.npmjs.com/package/json3)
   - [lodash](https://www.npmjs.com/package/lodash)
+  - [needle](https://www.npmjs.com/package/needle)
   - [object-inspect](https://www.npmjs.com/package/object-inspect)
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
@@ -39,6 +40,7 @@
 | Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, dash, and underscore are used. |
 | Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
+| Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
 
 
 ## Changes to libraries
 
@@ -79,7 +79,8 @@ private PhiOperandBase phiOperand(
 }
 
 /**
- * A source operand of an `Instruction`. The operand represents a value consumed by the instruction.
+ * An operand of an `Instruction`. The operand represents a use of the result of one instruction
+ * (the defining instruction) in another instruction (the use instruction)
  */
 class Operand extends TOperand {
   /** Gets a textual representation of this element. */
 
@@ -133,6 +133,12 @@ abstract class MemoryLocation extends TMemoryLocation {
   predicate isAlwaysAllocatedOnStack() { none() }
 }
 
+/**
+ * Represents a set of `MemoryLocation`s that cannot overlap with
+ * `MemoryLocation`s outside of the set. The `VirtualVariable` will be
+ * represented by a `MemoryLocation` that totally overlaps all other
+ * `MemoryLocations` in the set.
+ */
 abstract class VirtualVariable extends MemoryLocation { }
 
 abstract class AllocationMemoryLocation extends MemoryLocation {
 
@@ -79,7 +79,8 @@ private PhiOperandBase phiOperand(
 }
 
 /**
- * A source operand of an `Instruction`. The operand represents a value consumed by the instruction.
+ * An operand of an `Instruction`. The operand represents a use of the result of one instruction
+ * (the defining instruction) in another instruction (the use instruction)
  */
 class Operand extends TOperand {
   /** Gets a textual representation of this element. */
 
@@ -79,7 +79,8 @@ private PhiOperandBase phiOperand(
 }
 
 /**
- * A source operand of an `Instruction`. The operand represents a value consumed by the instruction.
+ * An operand of an `Instruction`. The operand represents a use of the result of one instruction
+ * (the defining instruction) in another instruction (the use instruction)
  */
 class Operand extends TOperand {
   /** Gets a textual representation of this element. */
 
@@ -59,6 +59,12 @@ class MemoryLocation extends TMemoryLocation {
   final string getUniqueId() { result = var.getUniqueId() }
 }
 
+/**
+ * Represents a set of `MemoryLocation`s that cannot overlap with
+ * `MemoryLocation`s outside of the set. The `VirtualVariable` will be
+ * represented by a `MemoryLocation` that totally overlaps all other
+ * `MemoryLocations` in the set.
+ */
 class VirtualVariable extends MemoryLocation { }
 
 /** A virtual variable that groups all escaped memory within a function. */
 
@@ -3,18 +3,33 @@ private newtype TOverlap =
   TMustTotallyOverlap() or
   TMustExactlyOverlap()
 
+/**
+ * Represents a possible overlap between two memory ranges.
+ */
 abstract class Overlap extends TOverlap {
   abstract string toString();
 }
 
+/**
+ * Represents a partial overlap between two memory ranges, which may or may not
+ * actually occur in practice.
+ */
 class MayPartiallyOverlap extends Overlap, TMayPartiallyOverlap {
   final override string toString() { result = "MayPartiallyOverlap" }
 }
 
+/**
+ * Represents an overlap in which the first memory range is known to include all
+ * bits of the second memory range, but may be larger or have a different type.
+ */
 class MustTotallyOverlap extends Overlap, TMustTotallyOverlap {
   final override string toString() { result = "MustTotallyOverlap" }
 }
 
+/**
+ * Represents an overlap between two memory ranges that have the same extent and
+ * the same type.
+ */
 class MustExactlyOverlap extends Overlap, TMustExactlyOverlap {
   final override string toString() { result = "MustExactlyOverlap" }
 }
@@ -78,8 +78,6 @@
 | copy.cpp:111:9:111:9 | MoveAssign | deleted |  |
 | copy.cpp:111:9:111:9 | operator= | deleted |  |
 | copy.cpp:113:17:113:25 | operator= |  |  |
-| copy.cpp:120:9:120:9 | OnlyCtor |  |  |
-| copy.cpp:120:9:120:9 | OnlyCtor |  |  |
 | copy.cpp:120:9:120:9 | OnlyCtor | deleted |  |
 | copy.cpp:120:9:120:9 | operator= | deleted |  |
 | copy.cpp:126:11:126:19 | operator= |  |  |
 
@@ -539,8 +539,6 @@ uniqueNodeLocation
 | file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
 | file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
 | file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
-| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
-| file://:0:0:0:0 | p#0 | Node should have one location but has 0. |
 | file://:0:0:0:0 | p#1 | Node should have one location but has 0. |
 | file://:0:0:0:0 | p#1 | Node should have one location but has 0. |
 | file://:0:0:0:0 | p#1 | Node should have one location but has 0. |
@@ -1418,7 +1416,7 @@ uniqueNodeLocation
 | whilestmt.c:39:6:39:11 | ReturnVoid | Node should have one location but has 4. |
 | whilestmt.c:39:6:39:11 | SideEffect | Node should have one location but has 4. |
 missingLocation
-| Nodes without location: 36 |
+| Nodes without location: 34 |
 uniqueNodeToString
 | break_labels.c:2:11:2:11 | i | Node should have one toString but has 2. |
 | break_labels.c:2:11:2:11 | i | Node should have one toString but has 2. |
 
@@ -68,13 +68,12 @@ public override void Populate(TextWriter trapFile)
                 Context.PopulateLater(() =>
                 {
                     var loc = Context.Create(initializer.GetLocation());
-                    var simpleAssignExpr = new Expression(new ExpressionInfo(Context, Type, loc, ExprKind.SIMPLE_ASSIGN, this, child++, false, null));
-                    Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Initializer.Value, simpleAssignExpr, 0));
-                    var access = new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 1, false, null));
-                    trapFile.expr_access(access, this);
+
+                    var fieldAccess = AddInitializerAssignment(trapFile, initializer.Initializer.Value, loc, null, ref child);
+
                     if (!symbol.IsStatic)
                     {
-                        This.CreateImplicit(Context, Entities.Type.Create(Context, symbol.ContainingType), Location, access, -1);
+                        This.CreateImplicit(Context, Entities.Type.Create(Context, symbol.ContainingType), Location, fieldAccess, -1);
                     }
                 });
             }
@@ -85,8 +84,13 @@ public override void Populate(TextWriter trapFile)
                 Where(n => n.EqualsValue != null))
             {
                 // Mark fields that have explicit initializers.
-                var expr = new Expression(new ExpressionInfo(Context, Type, Context.Create(initializer.EqualsValue.Value.FixedLocation()), Kinds.ExprKind.FIELD_ACCESS, this, child++, false, null));
-                trapFile.expr_access(expr, this);
+                var constValue = symbol.HasConstantValue
+                    ? Expression.ValueAsString(symbol.ConstantValue)
+                    : null;
+
+                var loc = Context.Create(initializer.GetLocation());
+
+                AddInitializerAssignment(trapFile, initializer.EqualsValue.Value, loc, constValue, ref child);
             }
 
             if (IsSourceDeclaration)
@@ -96,6 +100,16 @@ public override void Populate(TextWriter trapFile)
                     TypeMention.Create(Context, syntax.Type, this, Type);
         }
 
+        private Expression AddInitializerAssignment(TextWriter trapFile, ExpressionSyntax initializer, Extraction.Entities.Location loc,
+            string constValue, ref int child)
+        {
+            var simpleAssignExpr = new Expression(new ExpressionInfo(Context, Type, loc, ExprKind.SIMPLE_ASSIGN, this, child++, false, constValue));
+            Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 0));
+            var access = new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 1, false, constValue));
+            trapFile.expr_access(access, this);
+            return access;
+        }
+
         readonly Lazy<AnnotatedType> type;
         public AnnotatedType Type => type.Value;
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,8 @@ private PhiOperandBase phiOperand(`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`/**`
`82`		- * A source operand of an `Instruction`. The operand represents a value consumed by the instruction.
	`82`	+ * An operand of an `Instruction`. The operand represents a use of the result of one instruction
	`83`	`+ * (the defining instruction) in another instruction (the use instruction)`
`83`	`84`	`*/`
`84`	`85`	`class Operand extends TOperand {`
`85`	`86`	`/** Gets a textual representation of this element. */`