Merge branch 'main' into wild-crest-ql

Author: redsun82

MODULE.bazel

@@ -21,7 +21,7 @@ bazel_dep(name = "rules_java", version = "9.6.1")
 bazel_dep(name = "rules_pkg", version = "1.2.0")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "1.9.0")
-bazel_dep(name = "rules_shell", version = "0.6.1")
+bazel_dep(name = "rules_shell", version = "0.7.1")
 bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")

cpp/ql/lib/change-notes/2026-03-24-field-init.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

cpp/ql/lib/ext/ZMQ.model.yml

@@ -0,0 +1,22 @@
+# ZeroMQ networking library models
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "zmq_recv", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "zmq_recvmsg", "", "", "Argument[*1]", "remote", "manual"]
+      - ["", "", False, "zmq_msg_recv", "", "", "Argument[*0]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "zmq_send", "", "", "Argument[*1]", "remote-sink", "manual"]
+      - ["", "", False, "zmq_sendmsg", "", "", "Argument[*1]", "remote-sink", "manual"]
+      - ["", "", False, "zmq_msg_send", "", "", "Argument[*0]", "remote-sink", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "zmq_msg_init_data", "", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "zmq_msg_data", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]

cpp/ql/lib/ext/getc.model.yml

@@ -0,0 +1,19 @@
+# Models for getc and similar character-reading functions
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "getc", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "getwc", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "_getc_nolock", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "_getwc_nolock", "", "", "ReturnValue", "remote", "manual"]
+      - ["", "", False, "getch", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getch", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getwch", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getch_nolock", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getwch_nolock", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "getchar", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "getwchar", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getchar_nolock", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "_getwchar_nolock", "", "", "ReturnValue", "local", "manual"]

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -1,9 +1,10 @@
 /**
  * INTERNAL use only. This is an experimental API subject to change without notice.
  *
- * Provides classes and predicates for dealing with flow models specified in CSV format.
+ * Provides classes and predicates for dealing with flow models specified
+ * in data extension files.
  *
- * The CSV specification has the following columns:
+ * The extensible relations have the following columns:
  * - Sources:
  *   `namespace; type; subtypes; name; signature; ext; output; kind`
  * - Sinks:
@@ -104,117 +105,9 @@ private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
 private import internal.ExternalFlowExtensions::Extensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
-private import codeql.util.Unit
 private import codeql.mad.static.ModelsAsData as SharedMaD
 
-/**
- * A unit class for adding additional source model rows.
- *
- * Extend this class to add additional source definitions.
- */
-class SourceModelCsv extends Unit {
-  /** Holds if `row` specifies a source definition. */
-  abstract predicate row(string row);
-}
-
-/**
- * A unit class for adding additional sink model rows.
- *
- * Extend this class to add additional sink definitions.
- */
-class SinkModelCsv extends Unit {
-  /** Holds if `row` specifies a sink definition. */
-  abstract predicate row(string row);
-}
-
-/**
- * A unit class for adding additional summary model rows.
- *
- * Extend this class to add additional flow summary definitions.
- */
-class SummaryModelCsv extends Unit {
-  /** Holds if `row` specifies a summary definition. */
-  abstract predicate row(string row);
-}
-
-/** Holds if `row` is a source model. */
-predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
-
-/** Holds if `row` is a sink model. */
-predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
-
-/** Holds if `row` is a summary model. */
-predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
-
 private module MadInput implements SharedMaD::InputSig {
-  /** Holds if a source model exists for the given parameters. */
-  predicate additionalSourceModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      sourceModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = output and
-      row.splitAt(";", 7) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  /** Holds if a sink model exists for the given parameters. */
-  predicate additionalSinkModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      sinkModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = input and
-      row.splitAt(";", 7) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  /**
-   * Holds if a summary model exists for the given parameters.
-   *
-   * This predicate does not expand `@` to `*`s.
-   */
-  predicate additionalSummaryModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string output, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      summaryModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = input and
-      row.splitAt(";", 7) = output and
-      row.splitAt(";", 8) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
   string namespaceSegmentSeparator() { result = "::" }
 }
 
@@ -250,8 +143,8 @@ predicate summaryModel(
   )
 }
 
-/** Provides a query predicate to check the CSV data for validation errors. */
-module CsvValidation {
+/** Provides a query predicate to check the data for validation errors. */
+module ModelValidation {
   private string getInvalidModelInput() {
     exists(string pred, AccessPath input, string part |
       sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
@@ -294,40 +187,6 @@ module CsvValidation {
 
   private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
 
-  private string getInvalidModelSubtype() {
-    exists(string pred, string row |
-      sourceModel(row) and pred = "source"
-      or
-      sinkModel(row) and pred = "sink"
-      or
-      summaryModel(row) and pred = "summary"
-    |
-      exists(string b |
-        b = row.splitAt(";", 2) and
-        not b = ["true", "false"] and
-        result = "Invalid boolean \"" + b + "\" in " + pred + " model."
-      )
-    )
-  }
-
-  private string getInvalidModelColumnCount() {
-    exists(string pred, string row, int expect |
-      sourceModel(row) and expect = 8 and pred = "source"
-      or
-      sinkModel(row) and expect = 8 and pred = "sink"
-      or
-      summaryModel(row) and expect = 9 and pred = "summary"
-    |
-      exists(int cols |
-        cols = 1 + max(int n | exists(row.splitAt(";", n))) and
-        cols != expect and
-        result =
-          "Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
-            "."
-      )
-    )
-  }
-
   private string getInvalidModelSignature() {
     exists(string pred, string namespace, string type, string name, string signature, string ext |
       sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
@@ -366,13 +225,12 @@ module CsvValidation {
     )
   }
 
-  /** Holds if some row in a CSV-based flow model appears to contain typos. */
+  /** Holds if some row in a MaD flow model appears to contain typos. */
   query predicate invalidModelRow(string msg) {
     msg =
       [
         getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
-        getIncorrectConstructorSummaryOutput()
+        KindVal::getInvalidModelKind(), getIncorrectConstructorSummaryOutput()
       ]
   }
 }
@@ -1026,7 +884,7 @@ private module Cached {
   }
 
   /**
-   * Holds if `node` is specified as a source with the given kind in a CSV flow
+   * Holds if `node` is specified as a source with the given kind in a MaD flow
    * model.
    */
   cached
@@ -1037,7 +895,7 @@ private module Cached {
   }
 
   /**
-   * Holds if `node` is specified as a sink with the given kind in a CSV flow
+   * Holds if `node` is specified as a sink with the given kind in a MaD flow
    * model.
    */
   cached

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -585,12 +585,15 @@ class ConstructorDelegationInit extends ConstructorBaseInit, @ctordelegatinginit
 
 /**
  * An initialization of a member variable performed as part of a
- * constructor's explicit initializer list or implicit actions.
+ * constructor's initializer list or by default initialization.
+ *
  * In the example below, member variable `b` is being initialized by
- * constructor parameter `a`:
+ * constructor parameter `a`, and `c` is initialized by default
+ * initialization:
  * ```
  * struct S {
  *   int b;
+ *   int c = 3;
  *   S(int a): b(a) {}
  * } s(2);
  * ```
@@ -616,6 +619,28 @@ class ConstructorFieldInit extends ConstructorInit, @ctorfieldinit {
   override predicate mayBeGloballyImpure() { this.getExpr().mayBeGloballyImpure() }
 }
 
+/**
+ * An initialization of a member variable performed as part of a
+ * constructor's explicit initializer list.
+ */
+class ConstructorDirectFieldInit extends ConstructorFieldInit {
+  ConstructorDirectFieldInit() { exists(this.getChild(0)) }
+
+  override string getAPrimaryQlClass() { result = "ConstructorDirectFieldInit" }
+}
+
+/**
+ * An initialization of a member variable performed by default
+ * initialization.
+ */
+class ConstructorDefaultFieldInit extends ConstructorFieldInit {
+  ConstructorDefaultFieldInit() {
+    not exists(this.getChild(0)) and exists(this.getTarget().getInitializer())
+  }
+
+  override string getAPrimaryQlClass() { result = "ConstructorDefaultFieldInit" }
+}
+
 /**
  * A call to a destructor of a base class or field as part of a destructor's
  * compiler-generated actions.

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll

@@ -238,7 +238,12 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
 
   private import TypeTracking<Location, TtInput>::TypeTrack<qualifierSource/1>::Graph<qualifierOfVirtualCall/1>
 
-  private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
+  private predicate isSource(PathNode n) { n.isSource() }
+
+  private predicate isSink(PathNode n) { n.isSink() }
+
+  private predicate edgePlus(PathNode n1, PathNode n2) =
+    doublyBoundedFastTC(edges/2, isSource/1, isSink/1)(n1, n2)
 
   /**
    * Gets the most specific implementation of `mf` that may be called when the
@@ -255,6 +260,15 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
     )
   }
 
+  pragma[nomagic]
+  private MemberFunction mostSpecificForSource(PathNode p1, MemberFunction mf) {
+    p1.isSource() and
+    exists(Class derived |
+      qualifierSourceImpl(p1.getNode(), derived) and
+      result = mostSpecific(mf, derived)
+    )
+  }
+
   /**
    * Gets a possible pair of end-points `(p1, p2)` where:
    * - `p1` is a derived-to-base conversion that converts from some
@@ -264,16 +278,16 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
    * - `callable` is the most specific implementation that may be called when
    * the qualifier has type `derived`.
    */
+  bindingset[p1, p2]
+  pragma[inline_late]
   private predicate pairCand(
     PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable,
     DataFlowPrivate::DataFlowCall call
   ) {
-    exists(Class derived, MemberFunction mf |
-      qualifierSourceImpl(p1.getNode(), derived) and
+    p2.isSink() and
+    exists(MemberFunction mf |
       qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and
-      p1.isSource() and
-      p2.isSink() and
-      callable.asSourceCallable() = mostSpecific(mf, derived)
+      callable.asSourceCallable() = mostSpecificForSource(p1, mf)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll

@@ -878,7 +878,11 @@ module Public {
 
     /** Gets the parameter through which this value is assigned. */
     Parameter getParameter() {
-      result = this.getCallInstruction().getStaticCallTarget().getParameter(this.getArgumentIndex())
+      result =
+        this.getCallInstruction()
+            .getStaticCallTarget()
+            .(Function)
+            .getParameter(this.getArgumentIndex())
     }
   }