Merge branch 'main' into codeql-cli-2.8.0-copy

Author: tamasvajk

.github/workflows/codeqltest.yml

@@ -97,7 +97,7 @@ jobs:
 
   test-win:
     name: Test Windows
-    runs-on: windows-latest
+    runs-on: windows-2019
     steps:
     - name: Set up Go 1.17
       uses: actions/setup-go@v1

extractor/dbscheme/tables.go

@@ -497,6 +497,9 @@ var ChanTypeExprs = map[ast.ChanDir]*BranchType{
 	ast.SEND | ast.RECV: ExprKind.NewBranch("@sendrcvchantypeexpr", ChanTypeExpr),
 }
 
+// ErrorExpr is an AST node type that is not used anywhere
+var ErrorExpr = ExprKind.NewBranch("@errorexpr")
+
 // StmtKind is a case type for distinguishing different kinds of statement AST nodes
 var StmtKind = NewCaseType(StmtType, "kind")
 

ql/examples/qlpack.yml

@@ -1,4 +1,6 @@
 name: codeql/go-examples
-version: 0.0.2
+groups: 
+  - go
+  - examples
 dependencies:
-    codeql/go-all: "*"
+  codeql/go-all: "*"

ql/examples/snippets/incompleteswitchoverenum.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Incomplete switch over enum
+ * @description A switch statement of enum type should explicitly reference each
+ *   of the members of that enum.
+ * @kind problem
+ * @id go/examples/incomplete-switch
+ */
+
+import go
+
+from ExpressionSwitchStmt ss, DeclaredConstant c, NamedType t
+where
+  t.getUnderlyingType() instanceof IntegerType and
+  t = ss.getExpr().getType() and
+  c.getType() = t and
+  forall(CaseClause case | case = ss.getACase() | not case = c.getAReference().getParent())
+select ss, "This switch statement is not exhaustive: missing $@", c, c.getName()

ql/lib/go.dbscheme

@@ -308,7 +308,8 @@ case @expr.kind of
 | 48 = @andnotexpr
 | 49 = @sendchantypeexpr
 | 50 = @recvchantypeexpr
-| 51 = @sendrcvchantypeexpr;
+| 51 = @sendrcvchantypeexpr
+| 52 = @errorexpr;
 
 @basiclit = @intlit | @floatlit | @imaglit | @charlit | @stringlit;
 

ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.0.7
+version: 0.0.8-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

ql/lib/semmle/go/frameworks/SQL.qll

@@ -83,7 +83,11 @@ module SQL {
       SquirrelQueryString() {
         exists(Function fn |
           exists(string sq |
-            sq = package(["github.com/Masterminds", "github.com/lann"], "squirrel")
+            sq =
+              package([
+                  "github.com/Masterminds/squirrel", "gopkg.in/Masterminds/squirrel",
+                  "github.com/lann/squirrel"
+                ], "")
           |
             // first argument to `squirrel.Expr`
             fn.hasQualifiedName(sq, "Expr")

ql/lib/semmle/go/security/TaintedPathCustomizations.qll

@@ -76,6 +76,20 @@ module TaintedPath {
     }
   }
 
+  /**
+   * A call to `filepath.Clean("/" + e)`, considered to sanitize `e` against path traversal.
+   */
+  class FilepathCleanSanitizer extends Sanitizer {
+    FilepathCleanSanitizer() {
+      exists(DataFlow::CallNode cleanCall, StringOps::Concatenation concatNode |
+        cleanCall = any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and
+        concatNode = cleanCall.getArgument(0) and
+        concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" and
+        this = cleanCall.getResult()
+      )
+    }
+  }
+
   /**
    * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
    * path traversal.