Merge tag 'codeql-cli/latest' into auto/sync-main-pr

Compatible with the latest released version of the CodeQL CLI
2025-12-20 18:56:32 +01:00 · 2025-06-11 17:00:14 +00:00
parent b8a78f79eb 4d681f05bd
commit 7bfefefbf7
1052 changed files with 28053 additions and 10586 deletions
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2.6.5
+
+### Minor Analysis Improvements
+
+* Added taint flow through the `URL` constructor from the `url` package, improving the identification of SSRF vulnerabilities.
+
 ## 2.6.4

 ### Minor Analysis Improvements
--- a/javascript/ql/lib/change-notes/released/2.6.5.md
+++ b/javascript/ql/lib/change-notes/released/2.6.5.md
@@ -0,0 +1,5 @@
+## 2.6.5
+
+### Minor Analysis Improvements
+
+* Added taint flow through the `URL` constructor from the `url` package, improving the identification of SSRF vulnerabilities.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.4
+lastReleaseVersion: 2.6.5
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.4
+version: 2.6.5
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
@@ -550,20 +550,25 @@ class DirectiveTargetName extends string {
 *
 * See https://docs.angularjs.org/api/ng/service/$location for details.
 */
-private class LocationFlowSource extends RemoteFlowSource instanceof DataFlow::MethodCallNode {
+private class LocationFlowSource extends ClientSideRemoteFlowSource instanceof DataFlow::MethodCallNode
+{
+  private ClientSideRemoteFlowKind kind;
+
  LocationFlowSource() {
    exists(ServiceReference service, string m, int n |
      service.getName() = "$location" and
      this = service.getAMethodCall(m) and
      n = super.getNumArgument()
    |
-      m = "search" and n < 2
+      m = "search" and n < 2 and kind.isQuery()
      or
-      m = "hash" and n = 0
+      m = "hash" and n = 0 and kind.isFragment()
    )
  }

  override string getSourceType() { result = "$location" }
+
+  override ClientSideRemoteFlowKind getKind() { result = kind }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -82,6 +82,13 @@ module RequestForgery {
      pred = url.getArgument(0)
    )
    or
+    exists(DataFlow::NewNode url |
+      url = API::moduleImport("url").getMember("URL").getAnInstantiation()
+    |
+      succ = url and
+      pred = url.getArgument(0)
+    )
+    or
    exists(HtmlSanitizerCall call |
      pred = call.getInput() and
      succ = call