From 5fe17abe31a67b0ba9a7c53ffb4ae0596872511f Mon Sep 17 00:00:00 2001 From: Fredrik Dahlgren Date: Thu, 29 May 2025 13:27:11 +0200 Subject: [PATCH 1/9] Added signature input nodes to signature verify operation nodes --- .../codeql/quantum/experimental/Model.qll | 73 +++++++++++++++++-- 1 file changed, 68 insertions(+), 5 deletions(-) diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index 5370f72ef47..c8b52080ca9 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -424,6 +424,17 @@ module CryptographyBase Input> { final override ConsumerInputDataFlowNode getInputNode() { result = inputNode } } + final private class SignatureArtifactConsumer extends ArtifactConsumerAndInstance { + ConsumerInputDataFlowNode inputNode; + + SignatureArtifactConsumer() { + exists(SignatureOperationInstance op | inputNode = op.getSignatureConsumer()) and + this = Input::dfn_to_element(inputNode) + } + + final override ConsumerInputDataFlowNode getInputNode() { result = inputNode } + } + /** * An artifact that is produced by an operation, representing a concrete artifact instance rather than a synthetic consumer artifact. */ @@ -458,6 +469,8 @@ module CryptographyBase Input> { } override DataFlowNode getOutputNode() { result = creator.getOutputArtifact() } + + KeyOperationInstance getCreator() { result = creator } } /** @@ -782,6 +795,17 @@ module CryptographyBase Input> { abstract ArtifactOutputDataFlowNode getOutputArtifact(); } + /** + * A key operation instance representing a signature being generated or verified. + */ + abstract class SignatureOperationInstance extends KeyOperationInstance { + /** + * Gets the consumer of the signature that is being verified in case of a + * verification operation. + */ + abstract ConsumerInputDataFlowNode getSignatureConsumer(); + } + /** * A key-based algorithm instance used in cryptographic operations such as encryption, decryption, * signing, verification, and key wrapping. @@ -1264,6 +1288,7 @@ module CryptographyBase Input> { TNonceInput(NonceArtifactConsumer e) or TMessageInput(MessageArtifactConsumer e) or TSaltInput(SaltArtifactConsumer e) or + TSignatureInput(SignatureArtifactConsumer e) or TRandomNumberGeneration(RandomNumberGenerationInstance e) { e.flowsTo(_) } or // Key Creation Operation union type (e.g., key generation, key load) TKeyCreationOperation(KeyCreationOperationInstance e) or @@ -1325,14 +1350,14 @@ module CryptographyBase Input> { /** * Returns the child of this node with the given edge name. * - * This predicate is overriden by derived classes to construct the graph of cryptographic operations. + * This predicate is overridden by derived classes to construct the graph of cryptographic operations. */ NodeBase getChild(string edgeName) { none() } /** * Defines properties of this node by name and either a value or location or both. * - * This predicate is overriden by derived classes to construct the graph of cryptographic operations. + * This predicate is overridden by derived classes to construct the graph of cryptographic operations. */ predicate properties(string key, string value, Location location) { none() } @@ -1505,6 +1530,20 @@ module CryptographyBase Input> { override LocatableElement asElement() { result = instance } } + /** + * A signature input. This may represent a signature, or a signature component + * such as the scalar values r and s in ECDSA. + */ + final class SignatureArtifactNode extends ArtifactNode, TSignatureInput { + SignatureArtifactConsumer instance; + + SignatureArtifactNode() { this = TSignatureInput(instance) } + + final override string getInternalType() { result = "SignatureInput" } + + override LocatableElement asElement() { result = instance } + } + /** * A salt input. */ @@ -1528,13 +1567,22 @@ module CryptographyBase Input> { KeyOperationOutputNode() { this = TKeyOperationOutput(instance) } - final override string getInternalType() { result = "KeyOperationOutput" } + override string getInternalType() { result = "KeyOperationOutput" } override LocatableElement asElement() { result = instance } override string getSourceNodeRelationship() { none() } } + class SignOperationOutputNode extends KeyOperationOutputNode { + SignOperationOutputNode() { + this.asElement().(KeyOperationOutputArtifactInstance).getCreator().getKeyOperationSubtype() = + TSignMode() + } + + override string getInternalType() { result = "SignatureOutput" } + } + /** * A source of random number generation. */ @@ -2107,6 +2155,7 @@ module CryptographyBase Input> { } class SignatureOperationNode extends KeyOperationNode { + override SignatureOperationInstance instance; string nodeName; SignatureOperationNode() { @@ -2116,6 +2165,20 @@ module CryptographyBase Input> { } override string getInternalType() { result = nodeName } + + SignatureArtifactNode getASignatureArtifact() { + result.asElement() = instance.getSignatureConsumer().getConsumer() + } + + override NodeBase getChild(string key) { + result = super.getChild(key) + or + // [KNOWN_OR_UNKNOWN] + key = "Signature" and + if exists(this.getASignatureArtifact()) + then result = this.getASignatureArtifact() + else result = this + } } /** @@ -2563,6 +2626,8 @@ module CryptographyBase Input> { or curveName = "CURVE25519" and keySize = 255 and curveFamily = CURVE25519() or + curveName = "CURVE448" and keySize = 448 and curveFamily = CURVE448() + or // TODO: separate these into key agreement logic or sign/verify (ECDSA / ECDH) // or // curveName = "X25519" and keySize = 255 and curveFamily = CURVE25519() @@ -2570,8 +2635,6 @@ module CryptographyBase Input> { // curveName = "ED25519" and keySize = 255 and curveFamily = CURVE25519() // or // curveName = "ED448" and keySize = 448 and curveFamily = CURVE448() - // curveName = "CURVE448" and keySize = 448 and curveFamily = CURVE448() - // or // or // curveName = "X448" and keySize = 448 and curveFamily = CURVE448() curveName = "SM2" and keySize in [256, 512] and curveFamily = SM2() From 08277e4eccaf326c82feaa4f1f5f4a8e1f8bd143 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Thu, 29 May 2025 15:31:17 +0200 Subject: [PATCH 2/9] Rust: Refactor type equality --- .../codeql/rust/internal/TypeInference.qll | 109 +++++++----------- 1 file changed, 43 insertions(+), 66 deletions(-) diff --git a/rust/ql/lib/codeql/rust/internal/TypeInference.qll b/rust/ql/lib/codeql/rust/internal/TypeInference.qll index fcacfd5d3da..8399bde8aa8 100644 --- a/rust/ql/lib/codeql/rust/internal/TypeInference.qll +++ b/rust/ql/lib/codeql/rust/internal/TypeInference.qll @@ -207,81 +207,58 @@ private Type inferAssignmentOperationType(AstNode n, TypePath path) { } /** - * Holds if the type of `n1` at `path1` is the same as the type of `n2` at - * `path2` and type information should propagate in both directions through the - * type equality. + * Holds if the type tree of `n1` at `prefix1` should be equal to the type tree + * of `n2` at `prefix2` and type information should propagate in both directions + * through the type equality. */ -bindingset[path1] -bindingset[path2] -private predicate typeEquality(AstNode n1, TypePath path1, AstNode n2, TypePath path2) { - exists(Variable v | - path1 = path2 and - n1 = v.getAnAccess() - | - n2 = v.getPat() +private predicate typeEquality(AstNode n1, TypePath prefix1, AstNode n2, TypePath prefix2) { + prefix1.isEmpty() and + prefix2.isEmpty() and + ( + exists(Variable v | n1 = v.getAnAccess() | + n2 = v.getPat() + or + n2 = v.getParameter().(SelfParam) + ) or - n2 = v.getParameter().(SelfParam) - ) - or - exists(LetStmt let | - let.getPat() = n1 and - let.getInitializer() = n2 and - path1 = path2 - ) - or - n1 = n2.(ParenExpr).getExpr() and - path1 = path2 - or - n1 = n2.(BlockExpr).getStmtList().getTailExpr() and - path1 = path2 - or - n1 = n2.(IfExpr).getABranch() and - path1 = path2 - or - n1 = n2.(MatchExpr).getAnArm().getExpr() and - path1 = path2 - or - exists(BreakExpr break | - break.getExpr() = n1 and - break.getTarget() = n2.(LoopExpr) and - path1 = path2 - ) - or - exists(AssignmentExpr be | - n1 = be.getLhs() and - n2 = be.getRhs() and - path1 = path2 - ) -} - -bindingset[path1] -private predicate typeEqualityLeft(AstNode n1, TypePath path1, AstNode n2, TypePath path2) { - typeEquality(n1, path1, n2, path2) - or - n2 = - any(DerefExpr pe | - pe.getExpr() = n1 and - path1.isCons(TRefTypeParameter(), path2) + exists(LetStmt let | + let.getPat() = n1 and + let.getInitializer() = n2 ) -} - -bindingset[path2] -private predicate typeEqualityRight(AstNode n1, TypePath path1, AstNode n2, TypePath path2) { - typeEquality(n1, path1, n2, path2) - or - n2 = - any(DerefExpr pe | - pe.getExpr() = n1 and - path1 = TypePath::cons(TRefTypeParameter(), path2) + or + n1 = n2.(ParenExpr).getExpr() + or + n1 = n2.(BlockExpr).getStmtList().getTailExpr() + or + n1 = n2.(IfExpr).getABranch() + or + n1 = n2.(MatchExpr).getAnArm().getExpr() + or + exists(BreakExpr break | + break.getExpr() = n1 and + break.getTarget() = n2.(LoopExpr) ) + or + exists(AssignmentExpr be | + n1 = be.getLhs() and + n2 = be.getRhs() + ) + ) + or + n1 = n2.(DerefExpr).getExpr() and + prefix1 = TypePath::singleton(TRefTypeParameter()) and + prefix2.isEmpty() } pragma[nomagic] private Type inferTypeEquality(AstNode n, TypePath path) { - exists(AstNode n2, TypePath path2 | result = inferType(n2, path2) | - typeEqualityRight(n, path, n2, path2) + exists(TypePath prefix1, AstNode n2, TypePath prefix2, TypePath suffix | + result = inferType(n2, prefix2.appendInverse(suffix)) and + path = prefix1.append(suffix) + | + typeEquality(n, prefix1, n2, prefix2) or - typeEqualityLeft(n2, path2, n, path) + typeEquality(n2, prefix2, n, prefix1) ) } From 19cc3e335f70bcce7f7507d2542f50358f752e9b Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Mon, 26 May 2025 15:56:19 +0200 Subject: [PATCH 3/9] JS: Add test case for `RequestForgery` with url wrapped via package `URL` --- .../ql/test/query-tests/Security/CWE-918/serverSide.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 3f9392c5d99..3ed8d7c4a69 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js @@ -133,3 +133,12 @@ var server2 = http.createServer(function(req, res) { var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; axios.get(myEncodedUrl); }) + +var server2 = http.createServer(function(req, res) { + const { URL } = require('url'); + const input = req.query.url; // $MISSING:Source[js/request-forgery] + const target = new URL(input); + axios.get(target.toString()); // $MISSING:Alert[js/request-forgery] + axios.get(target); // $MISSING:Alert[js/request-forgery] + axios.get(target.href); // $MISSING:Alert[js/request-forgery] +}); From b9b62fa1c155c9495097e5e4ceee39f14c05d291 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Fri, 30 May 2025 18:32:02 +0200 Subject: [PATCH 4/9] JS: Add `URL` from `url` package constructor taint step for request forgery detection --- .../dataflow/RequestForgeryCustomizations.qll | 7 ++++++ .../Security/CWE-918/RequestForgery.expected | 22 +++++++++++++++++++ .../Security/CWE-918/serverSide.js | 8 +++---- 3 files changed, 33 insertions(+), 4 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll index 6cc6f6e798c..8d182d116c6 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll @@ -82,6 +82,13 @@ module RequestForgery { pred = url.getArgument(0) ) or + exists(DataFlow::NewNode url | + url = API::moduleImport("url").getMember("URL").getAnInstantiation() + | + succ = url and + pred = url.getArgument(0) + ) + or exists(HtmlSanitizerCall call | pred = call.getInput() and succ = call diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index b3d3055cd86..dde72095df1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -30,6 +30,9 @@ | serverSide.js:117:20:117:30 | new ws(url) | serverSide.js:115:25:115:35 | request.url | serverSide.js:117:27:117:29 | url | The $@ of this request depends on a $@. | serverSide.js:117:27:117:29 | url | URL | serverSide.js:115:25:115:35 | request.url | user-provided value | | serverSide.js:125:5:128:6 | axios({ ... \\n }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | | serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | +| serverSide.js:141:3:141:30 | axios.g ... ring()) | serverSide.js:139:17:139:29 | req.query.url | serverSide.js:141:13:141:29 | target.toString() | The $@ of this request depends on a $@. | serverSide.js:141:13:141:29 | target.toString() | URL | serverSide.js:139:17:139:29 | req.query.url | user-provided value | +| serverSide.js:142:3:142:19 | axios.get(target) | serverSide.js:139:17:139:29 | req.query.url | serverSide.js:142:13:142:18 | target | The $@ of this request depends on a $@. | serverSide.js:142:13:142:18 | target | URL | serverSide.js:139:17:139:29 | req.query.url | user-provided value | +| serverSide.js:143:3:143:24 | axios.g ... t.href) | serverSide.js:139:17:139:29 | req.query.url | serverSide.js:143:13:143:23 | target.href | The $@ of this request depends on a $@. | serverSide.js:143:13:143:23 | target.href | URL | serverSide.js:139:17:139:29 | req.query.url | user-provided value | edges | Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | Request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | provenance | | | Request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | provenance | | @@ -106,6 +109,15 @@ edges | serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) | provenance | | | serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl | provenance | | | serverSide.js:130:37:130:43 | tainted | serverSide.js:130:9:130:45 | myUrl | provenance | | +| serverSide.js:139:9:139:29 | input | serverSide.js:140:26:140:30 | input | provenance | | +| serverSide.js:139:17:139:29 | req.query.url | serverSide.js:139:9:139:29 | input | provenance | | +| serverSide.js:140:9:140:31 | target | serverSide.js:141:13:141:18 | target | provenance | | +| serverSide.js:140:9:140:31 | target | serverSide.js:142:13:142:18 | target | provenance | | +| serverSide.js:140:9:140:31 | target | serverSide.js:143:13:143:18 | target | provenance | | +| serverSide.js:140:18:140:31 | new URL(input) | serverSide.js:140:9:140:31 | target | provenance | | +| serverSide.js:140:26:140:30 | input | serverSide.js:140:18:140:31 | new URL(input) | provenance | Config | +| serverSide.js:141:13:141:18 | target | serverSide.js:141:13:141:29 | target.toString() | provenance | | +| serverSide.js:143:13:143:18 | target | serverSide.js:143:13:143:23 | target.href | provenance | | nodes | Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | semmle.label | { url } | | Request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | semmle.label | url | @@ -199,4 +211,14 @@ nodes | serverSide.js:130:9:130:45 | myUrl | semmle.label | myUrl | | serverSide.js:130:37:130:43 | tainted | semmle.label | tainted | | serverSide.js:131:15:131:19 | myUrl | semmle.label | myUrl | +| serverSide.js:139:9:139:29 | input | semmle.label | input | +| serverSide.js:139:17:139:29 | req.query.url | semmle.label | req.query.url | +| serverSide.js:140:9:140:31 | target | semmle.label | target | +| serverSide.js:140:18:140:31 | new URL(input) | semmle.label | new URL(input) | +| serverSide.js:140:26:140:30 | input | semmle.label | input | +| serverSide.js:141:13:141:18 | target | semmle.label | target | +| serverSide.js:141:13:141:29 | target.toString() | semmle.label | target.toString() | +| serverSide.js:142:13:142:18 | target | semmle.label | target | +| serverSide.js:143:13:143:18 | target | semmle.label | target | +| serverSide.js:143:13:143:23 | target.href | semmle.label | target.href | subpaths diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 3ed8d7c4a69..aec8c4195c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js @@ -136,9 +136,9 @@ var server2 = http.createServer(function(req, res) { var server2 = http.createServer(function(req, res) { const { URL } = require('url'); - const input = req.query.url; // $MISSING:Source[js/request-forgery] + const input = req.query.url; // $Source[js/request-forgery] const target = new URL(input); - axios.get(target.toString()); // $MISSING:Alert[js/request-forgery] - axios.get(target); // $MISSING:Alert[js/request-forgery] - axios.get(target.href); // $MISSING:Alert[js/request-forgery] + axios.get(target.toString()); // $Alert[js/request-forgery] + axios.get(target); // $Alert[js/request-forgery] + axios.get(target.href); // $Alert[js/request-forgery] }); From 0b6a747737f9826a7006d93c6a3a119d3def8a70 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Fri, 30 May 2025 18:33:59 +0200 Subject: [PATCH 5/9] Added change note --- .../ql/lib/change-notes/2025-05-30-url-package-taint-step.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md diff --git a/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md b/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md new file mode 100644 index 00000000000..75b975f8868 --- /dev/null +++ b/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added taint flow through the `URL` constructor in request forgery detection, improving the identification of SSRF vulnerabilities. From c981c4fe3056eaaffbacb011fa11468b3a675249 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Mon, 2 Jun 2025 13:34:47 +0200 Subject: [PATCH 6/9] Update javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md Co-authored-by: Asger F --- .../ql/lib/change-notes/2025-05-30-url-package-taint-step.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md b/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md index 75b975f8868..f875f796415 100644 --- a/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md +++ b/javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* Added taint flow through the `URL` constructor in request forgery detection, improving the identification of SSRF vulnerabilities. +* Added taint flow through the `URL` constructor from the `url` package, improving the identification of SSRF vulnerabilities. From d0739b21e588e29e71b3bd31905b3fd9a1fd6514 Mon Sep 17 00:00:00 2001 From: Fredrik Dahlgren Date: Mon, 2 Jun 2025 15:37:33 +0200 Subject: [PATCH 7/9] Restricted signature input nodes to verify nodes --- shared/quantum/codeql/quantum/experimental/Model.qll | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index c8b52080ca9..10875a49b68 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -2173,7 +2173,8 @@ module CryptographyBase Input> { override NodeBase getChild(string key) { result = super.getChild(key) or - // [KNOWN_OR_UNKNOWN] + // [KNOWN_OR_UNKNOWN] - only if we know the type is verify + this.getKeyOperationSubtype() = TVerifyMode() and key = "Signature" and if exists(this.getASignatureArtifact()) then result = this.getASignatureArtifact() From b1afa6681cedcc3f8aa27b8b6a330796d07e5e07 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Mon, 2 Jun 2025 17:24:59 +0200 Subject: [PATCH 8/9] CI: remove deprecated `windows-2019` usage --- .github/workflows/build-ripunzip.yml | 2 +- .github/workflows/csharp-qltest.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index bd05313187c..d4638ad56bd 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -17,7 +17,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-22.04, macos-13, windows-2019] + os: [ubuntu-22.04, macos-13, windows-2022] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/csharp-qltest.yml b/.github/workflows/csharp-qltest.yml index c8683eec02d..ef0b93c50c8 100644 --- a/.github/workflows/csharp-qltest.yml +++ b/.github/workflows/csharp-qltest.yml @@ -36,7 +36,7 @@ jobs: unit-tests: strategy: matrix: - os: [ubuntu-latest, windows-2019] + os: [ubuntu-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 From baac2eecb000f16ac4ed4c4fa31e029627a840d6 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Mon, 2 Jun 2025 17:30:34 +0200 Subject: [PATCH 9/9] Ripunzip: update default workflow versions --- .github/workflows/build-ripunzip.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-ripunzip.yml b/.github/workflows/build-ripunzip.yml index d4638ad56bd..3e32b868985 100644 --- a/.github/workflows/build-ripunzip.yml +++ b/.github/workflows/build-ripunzip.yml @@ -6,11 +6,11 @@ on: ripunzip-version: description: "what reference to checktout from google/runzip" required: false - default: v1.2.1 + default: v2.0.2 openssl-version: description: "what reference to checkout from openssl/openssl for Linux" required: false - default: openssl-3.3.0 + default: openssl-3.5.0 jobs: build: