Merge branch 'main' into stdlib-optparse

2025-12-18 01:33:15 +01:00 · 2024-10-01 12:48:09 +02:00
parent 2eac11edd6 cb0b388345
commit 7816f34d75
735 changed files with 7366 additions and 4701 deletions
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.3.0
+
+### New Queries
+
+* The `py/cors-misconfiguration-with-credentials` query, which finds insecure CORS middleware configurations.
+
 ## 1.2.2

 ### Minor Analysis Improvements
--- a/python/ql/src/change-notes/2024-08-26-Cors-misconfiguration-middleware.md
+++ b/python/ql/src/change-notes/2024-08-26-Cors-misconfiguration-middleware.md
@@ -1,4 +0,0 @@
---
-category: newQuery
---
-* The `py/cors-misconfiguration-with-credentials` query, which finds insecure CORS middleware configurations.
--- a/python/ql/src/change-notes/released/1.3.0.md
+++ b/python/ql/src/change-notes/released/1.3.0.md
@@ -0,0 +1,5 @@
+## 1.3.0
+
+### New Queries
+
+* The `py/cors-misconfiguration-with-credentials` query, which finds insecure CORS middleware configurations.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.2
+lastReleaseVersion: 1.3.0
--- a/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll
+++ b/python/ql/src/experimental/Security/CWE-074/TemplateInjectionCustomizations.qll
@@ -33,9 +33,14 @@ module TemplateInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
-   * A source of remote user input, considered as a flow source.
+   * DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead!
   */
-  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+  deprecated class RemoteFlowSourceAsSource = ActiveThreatModelSourceAsSource;
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }

  /**
   * A SQL statement of a SQL construction, considered as a flow sink.
--- a/python/ql/src/experimental/Security/CWE-091/XsltInjectionCustomizations.qll
+++ b/python/ql/src/experimental/Security/CWE-091/XsltInjectionCustomizations.qll
@@ -33,9 +33,14 @@ module XsltInjection {
  abstract class Sanitizer extends DataFlow::Node { }

  /**
-   * A source of remote user input, considered as a flow source.
+   * DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead!
   */
-  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+  deprecated class RemoteFlowSourceAsSource = ActiveThreatModelSourceAsSource;
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }

  /**
   * An XSLT construction, considered as a flow sink.
--- a/python/ql/src/experimental/Security/CWE-094/Js2Py.ql
+++ b/python/ql/src/experimental/Security/CWE-094/Js2Py.ql
@@ -18,7 +18,7 @@ import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.Concepts

 module Js2PyFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }

  predicate isSink(DataFlow::Node node) {
    API::moduleImport("js2py").getMember(["eval_js", "eval_js6", "EvalJs"]).getACall().getArg(_) =
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.2.3-dev
+version: 1.3.1-dev
 groups:
  - python
  - queries