github
diff --git a/‎.codeqlmanifest.json‎
Lines changed: 1 addition & 0 deletions b/‎.codeqlmanifest.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 4 additions & 0 deletions b/‎change-notes/1.23/analysis-cpp.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎change-notes/1.23/analysis-csharp.md‎
Lines changed: 2 additions & 0 deletions b/‎change-notes/1.23/analysis-csharp.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.23/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/PrintAST.ql‎
Lines changed: 12 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/PrintAST.ql‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 11 additions & 5 deletions b/‎cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll‎
Lines changed: 1 addition & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 9 additions & 4 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll‎
Lines changed: 9 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll‎
Lines changed: 9 additions & 0 deletions
@@ -1,4 +1,5 @@
 { "provide": [ "*/ql/src/qlpack.yml",
+               "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
                "misc/suite-helpers/qlpack.yml",
                "codeql/.codeqlmanifest.json" ] }
@@ -39,6 +39,10 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
   definition of `x` when `x` is a variable of pointer type. It no longer
   considers deep paths such as `f(&x.myField)` to be definitions of `x`. These
   changes are in line with the user expectations we've observed.
+* The data-flow library now makes it easier to specify barriers/sanitizers
+  arising from guards by overriding the predicate
+  `isBarrierGuard`/`isSanitizerGuard` on data-flow and taint-tracking
+  configurations respectively.
 * There is now a `DataFlow::localExprFlow` predicate and a
   `TaintTracking::localExprTaint` predicate to make it easy to use the most
   common case of local data flow and taint: from one `Expr` to another.
 
@@ -8,6 +8,7 @@ The following changes in version 1.23 affect C# analysis in all applications.
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
 | Deserialization of untrusted data (`cs/unsafe-deserialization-untrusted-input`) | security | Finds flow of untrusted input to calls to unsafe deserializers. |
 | Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
 | Unsafe deserializer (`cs/unsafe-deserialization`) | security | Finds calls to unsafe deserializers. |
@@ -45,5 +46,6 @@ The following changes in version 1.23 affect C# analysis in all applications.
 * There is now a `DataFlow::localExprFlow` predicate and a
   `TaintTracking::localExprTaint` predicate to make it easy to use the most
   common case of local data flow and taint: from one `Expr` to another.
+* Data is now tracked through null-coalescing expressions (`??`).
 
 ## Changes to autobuilder
@@ -44,6 +44,7 @@
 | Stored cross-site scripting (`js/stored-xss`) | Fewer false-positive results | The query now recognizes more sanitizers. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
 | Uncontrolled data used in path expression (`js/path-injection`) | Fewer false-positive results | This query now recognizes calls to Express `sendFile` as safe in some cases. |
+| Unknown directive (`js/unknown-directive`) | Fewer false positive results | This query no longer flags uses of ":", which is sometimes used like a directive. |
 
 ## Changes to QL libraries
 
 
@@ -21,6 +21,7 @@ from Variable v
 where
   v.isStatic() and
   v.hasDefinition() and
+  not v.isConstexpr() and
   not exists(VariableAccess a | a.getTarget() = v) and
   not v instanceof MemberVariable and
   not declarationHasSideEffects(v) and
 
@@ -7,3 +7,15 @@
 
 import cpp
 import PrintAST
+
+/**
+ * Temporarily tweak this class or make a copy to control which functions are
+ * printed.
+ */
+class Cfg extends PrintASTConfiguration {
+  /**
+   * TWEAK THIS PREDICATE AS NEEDED.
+   * Holds if the AST for `func` should be printed.
+   */
+  override predicate shouldPrintFunction(Function func) { any() }
+}
@@ -5,6 +5,8 @@
 private import cpp
 private import semmle.code.cpp.dataflow.internal.FlowVar
 private import semmle.code.cpp.models.interfaces.DataFlow
+private import semmle.code.cpp.controlflow.Guards
+private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 cached
 private newtype TNode =
@@ -680,12 +682,16 @@ VariableAccess getAnAccessToAssignedVariable(Expr assign) {
  *
  * It is important that all extending classes in scope are disjoint.
  */
-class BarrierGuard extends Expr {
-  /** NOT YET SUPPORTED. Holds if this guard validates `e` upon evaluating to `branch`. */
-  abstract deprecated predicate checks(Expr e, boolean branch);
+class BarrierGuard extends GuardCondition {
+  /** Override this predicate to hold if this guard validates `e` upon evaluating to `b`. */
+  abstract predicate checks(Expr e, boolean b);
 
   /** Gets a node guarded by this guard. */
-  final Node getAGuardedNode() {
-    none() // stub
+  final ExprNode getAGuardedNode() {
+    exists(GVN value, boolean branch |
+      result.getExpr() = value.getAnExpr() and
+      this.checks(value.getAnExpr(), branch) and
+      this.controls(result.getExpr().getBasicBlock(), branch)
+    )
   }
 }
@@ -37,7 +37,7 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
 }
 
 private predicate accessesVariable(CopyInstruction copy, Variable var) {
-  exists(VariableAddressInstruction va | va.getVariable().getAST() = var |
+  exists(VariableAddressInstruction va | va.getASTVariable() = var |
     copy.(StoreInstruction).getDestinationAddress() = va
     or
     copy.(LoadInstruction).getSourceAddress() = va
 
@@ -5,6 +5,7 @@
 private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.controlflow.IRGuards
+private import semmle.code.cpp.ir.ValueNumbering
 
 /**
  * A newtype wrapper to prevent accidental casts between `Node` and
@@ -220,7 +221,7 @@ predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
 predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
 
 /**
- * A guard that validates some expression.
+ * A guard that validates some instruction.
  *
  * To use this in a configuration, extend the class and provide a
  * characteristic predicate precisely specifying the guard, and override
@@ -229,11 +230,15 @@ predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)
  * It is important that all extending classes in scope are disjoint.
  */
 class BarrierGuard extends IRGuardCondition {
-  /** NOT YET SUPPORTED. Holds if this guard validates `e` upon evaluating to `b`. */
-  abstract deprecated predicate checks(Instruction e, boolean b);
+  /** Override this predicate to hold if this guard validates `instr` upon evaluating to `b`. */
+  abstract predicate checks(Instruction instr, boolean b);
 
   /** Gets a node guarded by this guard. */
   final Node getAGuardedNode() {
-    none() // stub
+    exists(ValueNumber value, boolean edge |
+      result.asInstruction() = value.getAnInstruction() and
+      this.checks(value.getAnInstruction(), edge) and
+      this.controls(result.asInstruction().getBlock(), edge)
+    )
   }
 }
@@ -5,6 +5,7 @@ private newtype TMemoryAccessKind =
   TBufferMayMemoryAccess() or
   TEscapedMemoryAccess() or
   TEscapedMayMemoryAccess() or
+  TNonLocalMayMemoryAccess() or
   TPhiMemoryAccess() or
   TUnmodeledMemoryAccess() or
   TChiTotalMemoryAccess() or
@@ -80,6 +81,14 @@ class EscapedMayMemoryAccess extends MemoryAccessKind, TEscapedMayMemoryAccess {
   override string toString() { result = "escaped(may)" }
 }
 
+/**
+ * The operand or result may access all memory whose address has escaped, other than data on the
+ * stack frame of the current function.
+ */
+class NonLocalMayMemoryAccess extends MemoryAccessKind, TNonLocalMayMemoryAccess {
+  override string toString() { result = "nonlocal(may)" }
+}
+
 /**
  * The operand is a Phi operand, which accesses the same memory as its
  * definition.
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`private predicate accessesVariable(CopyInstruction copy, Variable var) {`
`40`		`- exists(VariableAddressInstruction va \| va.getVariable().getAST() = var \|`
	`40`	`+ exists(VariableAddressInstruction va \| va.getASTVariable() = var \|`
`41`	`41`	`copy.(StoreInstruction).getDestinationAddress() = va`
`42`	`42`	`or`
`43`	`43`	`copy.(LoadInstruction).getSourceAddress() = va`