Merge branch 'main' into post-release-prep/codeql-cli-2.25.0

python/ql/lib/change-notes/2026-03-11-fix-unresolved-relative-imports.md

@@ -0,0 +1,5 @@
+---
+category: fix
+---
+
+- Fixed the resolution of relative imports such as `from . import helper` inside namespace packages (directories without an `__init__.py` file), which previously did not work correctly, leading to missing flow.

python/ql/lib/semmle/python/Import.qll

@@ -17,6 +17,10 @@ private predicate valid_module_name(string name) {
   exists(Module m | m.getName() = name)
   or
   exists(Builtin cmod | cmod.getClass() = Builtin::special("ModuleType") and cmod.getName() = name)
+  or
+  // Namespace packages may not have a corresponding Module entity,
+  // but their names are still valid for the purpose of import resolution.
+  name = moduleNameFromFile(any(Folder f))
 }
 
 /** An artificial expression representing an import */

python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql

@@ -4,7 +4,7 @@
  *              cause a cross-site scripting vulnerability.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @precision medium
  * @id py/jinja2/autoescape-false
  * @tags security

python/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
  * @sub-severity high
  * @precision high
  * @id py/reflective-xss

python/ql/src/Security/CWE-117/LogInjection.ql

@@ -4,7 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
  * @precision medium
  * @id py/log-injection
  * @tags security

python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `py/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `py/jinja2/autoescape-false` and `py/reflective-xss` has been increased from 6.1 (medium) to 7.8 (high).

python/ql/test/experimental/import-resolution-namespace-relative/pkg/caller.py

@@ -0,0 +1,5 @@
+from . import helper
+
+def use_relative():
+    tainted = source()
+    helper.process(tainted)

python/ql/test/experimental/import-resolution-namespace-relative/pkg/helper.py

@@ -0,0 +1,5 @@
+def process(value):
+    sink(value) #$ flow=source
+
+def process2(value):
+    sink(value) #$ flow=source

python/ql/test/experimental/import-resolution-namespace-relative/pkg/sub/caller2.py

@@ -0,0 +1,5 @@
+from .. import helper
+
+def use_multi_level_relative():
+    tainted = source()
+    helper.process2(tainted)

python/ql/test/experimental/import-resolution-namespace-relative/test.expected

@@ -0,0 +1 @@
+

python/ql/test/experimental/import-resolution-namespace-relative/test.ql

@@ -0,0 +1,35 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import utils.test.InlineExpectationsTest
+
+private module TestConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CallCfgNode).getFunction().asCfgNode().(NameNode).getId() = "source"
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(DataFlow::CallCfgNode call |
+      call.getFunction().asCfgNode().(NameNode).getId() = "sink" and
+      node = call.getArg(0)
+    )
+  }
+}
+
+private module TestFlow = TaintTracking::Global<TestConfig>;
+
+module FlowTest implements TestSig {
+  string getARelevantTag() { result = "flow" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node sink |
+      TestFlow::flow(_, sink) and
+      tag = "flow" and
+      location = sink.getLocation() and
+      value = "source" and
+      element = sink.toString()
+    )
+  }
+}
+
+import MakeTest<FlowTest>