github
diff --git a/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql‎
Lines changed: 15 additions & 4 deletions b/‎cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql‎
Lines changed: 2 additions & 2 deletions b/‎cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/Type.qll‎
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/Type.qll‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/commons/CommonType.qll‎
Lines changed: 13 additions & 9 deletions b/‎cpp/ql/src/semmle/code/cpp/commons/CommonType.qll‎
Lines changed: 13 additions & 9 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/controlflow/internal/PrimitiveBasicBlocks.qll‎
Lines changed: 13 additions & 4 deletions b/‎cpp/ql/src/semmle/code/cpp/controlflow/internal/PrimitiveBasicBlocks.qll‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql‎
Lines changed: 5 additions & 1 deletion b/‎javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎javascript/ql/src/Security/CWE-078/CommandInjection.ql‎
Lines changed: 4 additions & 1 deletion b/‎javascript/ql/src/Security/CWE-078/CommandInjection.ql‎
Lines changed: 4 additions & 1 deletion
@@ -34,3 +34,5 @@
 | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
 
 ## Changes to QL libraries
+
+* The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`).
@@ -25,7 +25,7 @@ predicate stringType(Type t, Type charType) {
       charType = t.(ArrayType).getBaseType()
     ) and (
       charType.getUnspecifiedType() instanceof CharType or
-      charType.getUnspecifiedType() instanceof WideCharType
+      charType.getUnspecifiedType() instanceof Wchar_t
     )
   )
   or
 
@@ -11,10 +11,21 @@
 
 import cpp
 
-from Initializer init, Variable v, VariableAccess va
-where init.getDeclaration() = v
-  and va.getTarget() = v
-  and va.getParent*() = init
+class VariableAccessInInitializer extends VariableAccess {
+  Variable var;
+  Initializer init;
+  VariableAccessInInitializer() {
+    init.getDeclaration() = var and
+    init.getExpr().getAChild*() = this
+  }
+
+  predicate initializesItself(Variable v, Initializer i) {
+    v = var and i = init and var = this.getTarget()
+  }
+}
+
+from Initializer init, Variable v, VariableAccessInInitializer va
+where va.initializesItself(v, init)
   and (
     va.hasLValueToRValueConversion() or
     exists (Assignment assn | assn.getLValue() = va) or
 
@@ -19,7 +19,7 @@ import cpp
 class AnyCharPointerType extends PointerType {
   AnyCharPointerType() {
     this.getBaseType().getUnderlyingType() instanceof CharType or
-    this.getBaseType().getUnderlyingType() instanceof WideCharType
+    this.getBaseType().getUnderlyingType() instanceof Wchar_t
   }
 }
 
@@ -29,7 +29,7 @@ class AnyCharPointerType extends PointerType {
 class AnyCharArrayType extends ArrayType {
   AnyCharArrayType() {
     this.getBaseType().getUnderlyingType() instanceof CharType or
-    this.getBaseType().getUnderlyingType() instanceof WideCharType
+    this.getBaseType().getUnderlyingType() instanceof Wchar_t
   }
 }
 
 
@@ -601,6 +601,10 @@ class VoidType extends BuiltInType {
 
 /**
  * The C/C++ wide character type.
+ * 
+ * Note that on some platforms `wchar_t` doesn't exist as a built-in
+ * type but a typedef is provided.  Consider using the `Wchar_t` QL
+ * class to include these types.
  */
 class WideCharType extends IntegralType {
 
 
@@ -1,7 +1,7 @@
 import semmle.code.cpp.Type
 
 /**
- * The C/C++ char* type.
+ * The C/C++ `char*` type.
  */
 class CharPointerType extends PointerType {
 
@@ -10,7 +10,7 @@ class CharPointerType extends PointerType {
 }
 
 /**
- * The C/C++ int* type.
+ * The C/C++ `int*` type.
  */
 class IntPointerType extends PointerType {
 
@@ -20,7 +20,7 @@ class IntPointerType extends PointerType {
 
 
 /**
- * The C/C++ void* type.
+ * The C/C++ `void*` type.
  */
 class VoidPointerType extends PointerType {
 
@@ -29,7 +29,7 @@ class VoidPointerType extends PointerType {
 }
 
 /**
- * The C/C++ size_t type.
+ * The C/C++ `size_t` type.
  */
 class Size_t extends Type {
   Size_t() {
@@ -39,7 +39,7 @@ class Size_t extends Type {
 }
 
 /**
- * The C/C++ ssize_t type.
+ * The C/C++ `ssize_t` type.
  */
 class Ssize_t extends Type {
   Ssize_t() {
@@ -49,7 +49,7 @@ class Ssize_t extends Type {
 }
 
 /**
- * The C/C++ ptrdiff_t type.
+ * The C/C++ `ptrdiff_t` type.
  */
 class Ptrdiff_t extends Type {
   Ptrdiff_t() {
@@ -59,7 +59,7 @@ class Ptrdiff_t extends Type {
 }
 
 /**
- * The C/C++ intmax_t type.
+ * The C/C++ `intmax_t` type.
  */
 class Intmax_t extends Type {
   Intmax_t() {
@@ -69,7 +69,7 @@ class Intmax_t extends Type {
 }
 
 /**
- * The C/C++ uintmax_t type.
+ * The C/C++ `uintmax_t` type.
  */
 class Uintmax_t extends Type {
   Uintmax_t() {
@@ -79,7 +79,11 @@ class Uintmax_t extends Type {
 }
 
 /**
- * The C/C++ wchar_t type.
+ * The C/C++ `wchar_t` type.
+ *
+ * Note that on some platforms `wchar_t` doesn't exist as a built-in
+ * type but a typedef is provided.  This QL class includes both cases
+ * (see also `WideCharType`).
  */
 class Wchar_t extends Type {
   Wchar_t() {
 
@@ -31,8 +31,11 @@ private cached module Cached {
     // or the node's predecessor has more than one successor,
     // then the node is the start of a new primitive basic block.
     or
-    strictcount (Node pred, Node other
-    | successors_extended(pred,node) and successors_extended(pred,other)) > 1
+    strictcount(Node pred | successors_extended(pred, node)) > 1
+    or
+    exists(ControlFlowNode pred | successors_extended(pred, node) |
+      strictcount(ControlFlowNode other | successors_extended(pred, other)) > 1
+    )
 
     // If the node has zero predecessors then it is the start of
     // a BB. However, the C++ AST contains many nodes with zero
@@ -63,8 +66,14 @@ private cached module Cached {
   /** Holds if `node` is the `pos`th control-flow node in primitive basic block `bb`. */
   cached
   predicate primitive_basic_block_member(Node node, PrimitiveBasicBlock bb, int pos) {
-    pos = getMemberIndex(node) and
-    member_step*(bb, node)
+    primitive_basic_block_entry_node(bb) and
+    (
+      pos = 0 and
+      node = bb
+      or
+      pos = getMemberIndex(node) and
+      member_step+(bb, node)
+    )
   }
 
   /** Gets the number of control-flow nodes in the primitive basic block `bb`. */
 
@@ -45,7 +45,11 @@ private predicate isBoundInMethod(MethodDeclaration method) {
   )
   or
   exists (Expr decoration, string name |
-    decoration = method.getADecorator().getExpression() and
+    (
+      decoration = method.getADecorator().getExpression()
+      or
+      decoration = method.getDeclaringType().(ClassDefinition).getADecorator().getExpression()
+    ) and
     name.regexpMatch("(?i).*(bind|bound).*") |
     // @autobind
     decoration.(Identifier).getName() = name or
 
@@ -17,5 +17,8 @@ import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
 
 from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node highlight
 where cfg.hasFlow(source, sink) and
-      if cfg.isSink(sink, _) then cfg.isSink(sink, highlight) else highlight = sink
+      if cfg.isSinkWithHighlight(sink, _) then
+        cfg.isSinkWithHighlight(sink, highlight)
+      else
+        highlight = sink
 select highlight, "This command depends on $@.", source, "a user-provided value"
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ predicate stringType(Type t, Type charType) {`
`25`	`25`	`charType = t.(ArrayType).getBaseType()`
`26`	`26`	`) and (`
`27`	`27`	`charType.getUnspecifiedType() instanceof CharType or`
`28`		`- charType.getUnspecifiedType() instanceof WideCharType`
	`28`	`+ charType.getUnspecifiedType() instanceof Wchar_t`
`29`	`29`	`)`
`30`	`30`	`)`
`31`	`31`	`or`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ import cpp`
`19`	`19`	`class AnyCharPointerType extends PointerType {`
`20`	`20`	`AnyCharPointerType() {`
`21`	`21`	`this.getBaseType().getUnderlyingType() instanceof CharType or`
`22`		`- this.getBaseType().getUnderlyingType() instanceof WideCharType`
	`22`	`+ this.getBaseType().getUnderlyingType() instanceof Wchar_t`
`23`	`23`	`}`
`24`	`24`	`}`
`25`	`25`
`@@ -29,7 +29,7 @@ class AnyCharPointerType extends PointerType {`
`29`	`29`	`class AnyCharArrayType extends ArrayType {`
`30`	`30`	`AnyCharArrayType() {`
`31`	`31`	`this.getBaseType().getUnderlyingType() instanceof CharType or`
`32`		`- this.getBaseType().getUnderlyingType() instanceof WideCharType`
	`32`	`+ this.getBaseType().getUnderlyingType() instanceof Wchar_t`
`33`	`33`	`}`
`34`	`34`	`}`
`35`	`35`