hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into idrissrio/preprocessor-multiline

Browse Source
This commit is contained in:
idrissrio
2025-03-21 10:28:24 +01:00
parent 878e621a38 7bd1c4d2ae
commit 99d9b87b33
400 changed files with 6262 additions and 4638 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
MODULE.bazel
View File

@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
bazel_dep(name = "gazelle", version = "0.40.0")
bazel_dep(name = "rules_dotnet", version = "0.17.4")
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
bazel_dep(name = "rules_rust", version = "0.57.1")
bazel_dep(name = "rules_rust", version = "0.58.0")
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)

8
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 0.4.5
No user-facing changes.
## 0.4.4
No user-facing changes.
## 0.4.3
### New Features

3
actions/ql/lib/change-notes/released/0.4.4.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.4
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.5.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.5
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.3
lastReleaseVersion: 0.4.5

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.4-dev
version: 0.4.6-dev
library: true
warnOnImplicitThis: true
dependencies:

13
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,16 @@
## 0.5.2
No user-facing changes.
## 0.5.1
### Bug Fixes
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
Immutable Actions feature is not yet available for customer use. The query remains in the
default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
available, the query will be updated to report alerts again.
## 0.5.0
### Breaking Changes

7
actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md → actions/ql/src/change-notes/released/0.5.1.md
View File

@@ -1,6 +1,7 @@
---
category: fix
---
## 0.5.1
### Bug Fixes
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
Immutable Actions feature is not yet available for customer use. The query has also been moved
to the experimental folder and will not be used in code scanning unless it is explicitly added

3
actions/ql/src/change-notes/released/0.5.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.5.2
No user-facing changes.

2
actions/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.0
lastReleaseVersion: 0.5.2

2
actions/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.5.1-dev
version: 0.5.3-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]

11
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,14 @@
## 4.0.3
No user-facing changes.
## 4.0.2
### Minor Analysis Improvements
* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.
## 4.0.1
No user-facing changes.

4
cpp/ql/lib/change-notes/2025-02-20-getbuffersize.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.

4
cpp/ql/lib/change-notes/2025-02-25-getbuffersize.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.

6
cpp/ql/lib/change-notes/released/4.0.2.md Normal file
View File

@@ -0,0 +1,6 @@
## 4.0.2
### Minor Analysis Improvements
* Modified the `getBufferSize` predicate in `commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
* Fixed an issue where the `getBufferSize` predicate in `commons/Buffer.qll` was returning results for references inside `offsetof` expressions, which are not accesses to a buffer.

3
cpp/ql/lib/change-notes/released/4.0.3.md Normal file
View File

@@ -0,0 +1,3 @@
## 4.0.3
No user-facing changes.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.0.1
lastReleaseVersion: 4.0.3

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 4.0.2-dev
version: 4.0.4-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

11
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,14 @@
## 1.3.6
No user-facing changes.
## 1.3.5
### Minor Analysis Improvements
* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.
* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.
## 1.3.4
No user-facing changes.

4
cpp/ql/src/change-notes/2025-02-20-overflow-buffer.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.

4
cpp/ql/src/change-notes/2025-02-27-static-buffer-overflow.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.

6
cpp/ql/src/change-notes/released/1.3.5.md Normal file
View File

@@ -0,0 +1,6 @@
## 1.3.5
### Minor Analysis Improvements
* Due to changes in libraries the query "Static array access may cause overflow" (`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single `memset` or similar operation.
* The query "Call to memory access function may overflow buffer" (`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.

3
cpp/ql/src/change-notes/released/1.3.6.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.3.6
No user-facing changes.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.3.4
lastReleaseVersion: 1.3.6

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.3.5-dev
version: 1.3.7-dev
groups:
- cpp
- queries

8
csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.7.36
No user-facing changes.
## 1.7.35
No user-facing changes.
## 1.7.34
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.35.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.35
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.36.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.36
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.34
lastReleaseVersion: 1.7.36

2
csharp/ql/campaigns/Solorigate/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.35-dev
version: 1.7.37-dev
groups:
- csharp
- solorigate

8
csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.7.36
No user-facing changes.
## 1.7.35
No user-facing changes.
## 1.7.34
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.35.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.35
No user-facing changes.

3
csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.36.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.7.36
No user-facing changes.

2
csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.34
lastReleaseVersion: 1.7.36

2
csharp/ql/campaigns/Solorigate/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.35-dev
version: 1.7.37-dev
groups:
- csharp
- solorigate

8
csharp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 5.1.2
No user-facing changes.
## 5.1.1
No user-facing changes.
## 5.1.0
### Deprecated APIs

3
csharp/ql/lib/change-notes/released/5.1.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 5.1.1
No user-facing changes.

3
csharp/ql/lib/change-notes/released/5.1.2.md Normal file
View File

@@ -0,0 +1,3 @@
## 5.1.2
No user-facing changes.

2
csharp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.1.0
lastReleaseVersion: 5.1.2

2
csharp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.1.1-dev
version: 5.1.3-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp

10
csharp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 1.0.19
No user-facing changes.
## 1.0.18
### Minor Analysis Improvements
* C#: Improve precision of the query `cs/call-to-object-tostring` for value tuples.
## 1.0.17
No user-facing changes.

7
csharp/ql/src/change-notes/2025-02-24-object-tostring.md → csharp/ql/src/change-notes/released/1.0.18.md
View File

@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.0.18
### Minor Analysis Improvements
* C#: Improve precision of the query `cs/call-to-object-tostring` for value tuples.

3
csharp/ql/src/change-notes/released/1.0.19.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.19
No user-facing changes.

2
csharp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.17
lastReleaseVersion: 1.0.19

2
csharp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.0.18-dev
version: 1.0.20-dev
groups:
- csharp
- queries

8
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst
View File

@@ -109,6 +109,14 @@ Python
* Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes.
* Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Golang
""""""
* Go 1.24 is now supported. This includes the new language feature of generic type aliases.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~

120
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst Normal file
View File

@@ -0,0 +1,120 @@
.. _codeql-cli-2.20.6:
==========================
CodeQL 2.20.6 (2025-03-06)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.20.6 runs a total of 450 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 137 queries (covering 35 more CWE). 1 security query has been added with this release.
CodeQL CLI
----------
Miscellaneous
~~~~~~~~~~~~~
* The CodeQL XML extractor is now able to parse documents in a wider array of character sets.
* The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.6.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
GitHub Actions
""""""""""""""
* The :code:`actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query remains in the default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is available, the query will be updated to report alerts again.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* Fixed false positive alerts in the java query "Cross-site scripting" (:code:`java/xss`) when :code:`javax.servlet.http.HttpServletResponse` is used with a content type which is not exploitable.
JavaScript/TypeScript
"""""""""""""""""""""
* Improved precision of data flow through arrays, fixing some spurious flows that would sometimes cause the :code:`length` property of an array to be seen as tainted.
* Improved call resolution logic to better handle calls resolving "downwards", targeting a method declared in a subclass of the enclosing class. Data flow analysis has also improved to avoid spurious flow between unrelated classes in the class hierarchy.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Due to changes in libraries the query "Static array access may cause overflow" (:code:`cpp/static-buffer-overflow`) will no longer report cases where multiple fields of a struct or class are written with a single :code:`memset` or similar operation.
* The query "Call to memory access function may overflow buffer" (:code:`cpp/overflow-buffer`) has been added to the security-extended query suite. The query detects a range of buffer overflow and underflow issues.
C#
""
* C#: Improve precision of the query :code:`cs/call-to-object-tostring` for value tuples.
Language Libraries
------------------
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added support for the :code:`response` threat model kind, which can enabled with `advanced setup <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__. When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint.
* Added support for the :code:`useQuery` hook from :code:`@tanstack/react-query`.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* Modified the :code:`getBufferSize` predicate in :code:`commons/Buffer.qll` to be more tolerant in some cases involving member variables in a larger struct or class.
* Fixed an issue where the :code:`getBufferSize` predicate in :code:`commons/Buffer.qll` was returning results for references inside :code:`offsetof` expressions, which are not accesses to a buffer.
Golang
""""""
* The location info for the following classes has been changed slightly to match a location that is in the database: :code:`BasicBlock`, :code:`ControlFlow::EntryNode`, :code:`ControlFlow::ExitNode`, :code:`ControlFlow::ConditionGuardNode`, :code:`IR::ImplicitLiteralElementIndexInstruction`, :code:`IR::EvalImplicitTrueInstruction`, :code:`SsaImplicitDefinition`, :code:`SsaPhiNode`.
* Added :code:`database` source models for the :code:`github.com/rqlite/gorqlite` package.
* Added :code:`database` source models for database methods from the :code:`go.mongodb.org/mongo-driver/mongo` package.
Java/Kotlin
"""""""""""
* Added a path injection sanitizer for the :code:`child` argument of a :code:`java.io.File` constructor if that argument does not contain path traversal sequences.
JavaScript/TypeScript
"""""""""""""""""""""
* The :code:`response.download()` function in :code:`express` is now recognized as a sink for path traversal attacks.
Deprecated APIs
~~~~~~~~~~~~~~~
Golang
""""""
* The member predicate :code:`hasLocationInfo` has been deprecated on the following classes: :code:`BasicBlock`, :code:`Callable`, :code:`Content`, :code:`ContentSet`, :code:`ControlFlow::Node`, :code:`DataFlowCallable`, :code:`DataFlow::Node`, :code:`Entity`, :code:`GVN`, :code:`HtmlTemplate::TemplateStmt`, :code:`IR:WriteTarget`, :code:`SourceSinkInterpretationInput::SourceOrSinkElement`, :code:`SourceSinkInterpretationInput::InterpretNode`, :code:`SsaVariable`, :code:`SsaDefinition`, :code:`SsaWithFields`, :code:`StringOps::ConcatenationElement`, :code:`Type`, and :code:`VariableWithFields`. Use :code:`getLocation()` instead.
New Features
~~~~~~~~~~~~
Java/Kotlin
"""""""""""
* The Java extractor and QL libraries now support Java 24.

1
docs/codeql/codeql-overview/codeql-changelog/index.rst
View File

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.20.6
codeql-cli-2.20.5
codeql-cli-2.20.4
codeql-cli-2.20.3

2
docs/codeql/reusables/supported-versions-compilers.rst
View File

@@ -17,7 +17,7 @@
.NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go``
Java,"Java 7 to 22 [5]_","javac (OpenJDK and Oracle JDK),
Java,"Java 7 to 24 [5]_","javac (OpenJDK and Oracle JDK),
Eclipse compiler for Java (ECJ) [6]_",``.java``
Kotlin,"Kotlin 1.5.0 to 2.1.2\ *x*","kotlinc",``.kt``

5
go/extractor/util/util.go
View File

@@ -307,5 +307,8 @@ func fileExists(path string) bool {
// and contains a `modules.txt` file.
func IsGolangVendorDirectory(dirPath string) bool {
return filepath.Base(dirPath) == "vendor" &&
(fileExists(filepath.Join(dirPath, "modules.txt")) || fileExists(filepath.Join(dirPath, "../glide.yaml")))
(fileExists(filepath.Join(dirPath, "modules.txt")) ||
fileExists(filepath.Join(dirPath, "../glide.yaml")) ||
fileExists(filepath.Join(dirPath, "../Gopkg.lock")) ||
fileExists(filepath.Join(dirPath, "../vendor.conf")))
}

8
go/ql/consistency-queries/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.0.19
No user-facing changes.
## 1.0.18
No user-facing changes.
## 1.0.17
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/1.0.18.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.18
No user-facing changes.

3
go/ql/consistency-queries/change-notes/released/1.0.19.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.0.19
No user-facing changes.

2
go/ql/consistency-queries/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.17
lastReleaseVersion: 1.0.19

2
go/ql/consistency-queries/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.18-dev
version: 1.0.20-dev
groups:
- go
- queries

20
go/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,23 @@
## 4.2.1
No user-facing changes.
## 4.2.0
### Deprecated APIs
* The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead.
### Major Analysis Improvements
* Go 1.24 is now supported. This includes the new language feature of generic type aliases.
### Minor Analysis Improvements
* The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`.
* Added `database` source models for the `github.com/rqlite/gorqlite` package.
* Added `database` source models for database methods from the `go.mongodb.org/mongo-driver/mongo` package.
## 4.1.0
### Deprecated APIs

5
go/ql/lib/change-notes/2025-01-14-mongodb-models.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Added `database` source models for database methods from the `go.mongodb.org/mongo-driver/mongo` package.

4
go/ql/lib/change-notes/2025-02-25-go-database-rqlite-sources.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added `database` source models for the `github.com/rqlite/gorqlite` package.

4
go/ql/lib/change-notes/2025-02-26-location-info-changed.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`.

4
go/ql/lib/change-notes/2025-02-27-go-version-1-24.md
View File

@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* Go 1.24 is now supported. This includes the new language feature of generic type aliases.

4
go/ql/lib/change-notes/2025-02-27-haslocationinfo-deprecated.md
View File

@@ -1,4 +0,0 @@
---
category: deprecated
---
* The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead.

15
go/ql/lib/change-notes/released/4.2.0.md Normal file
View File

@@ -0,0 +1,15 @@
## 4.2.0
### Deprecated APIs
* The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead.
### Major Analysis Improvements
* Go 1.24 is now supported. This includes the new language feature of generic type aliases.
### Minor Analysis Improvements
* The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`.
* Added `database` source models for the `github.com/rqlite/gorqlite` package.
* Added `database` source models for database methods from the `go.mongodb.org/mongo-driver/mongo` package.

3
go/ql/lib/change-notes/released/4.2.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 4.2.1
No user-facing changes.

2
go/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.1.0
lastReleaseVersion: 4.2.1

2
go/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-all
version: 4.1.1-dev
version: 4.2.2-dev
groups: go
dbscheme: go.dbscheme
extractor: go

8
go/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 1.1.10
No user-facing changes.
## 1.1.9
No user-facing changes.
## 1.1.8
### Minor Analysis Improvements

3
go/ql/src/change-notes/released/1.1.10.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.1.10
No user-facing changes.

3
go/ql/src/change-notes/released/1.1.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.1.9
No user-facing changes.

2
go/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.8
lastReleaseVersion: 1.1.10

2
go/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.1.9-dev
version: 1.1.11-dev
groups:
- go
- queries

3
java/ql/integration-tests/java/buildless-inherit-trust-store/server.py
View File

@@ -4,7 +4,8 @@ import ssl
httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
sslctx = ssl.SSLContext()
sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
sslctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
sslctx.load_cert_chain(certfile="../cert.pem", keyfile="../key.pem")
httpd.socket = sslctx.wrap_socket (httpd.socket, server_side=True)

14
java/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,17 @@
## 7.1.1
No user-facing changes.
## 7.1.0
### New Features
* The Java extractor and QL libraries now support Java 24.
### Minor Analysis Improvements
* Added a path injection sanitizer for the `child` argument of a `java.io.File` constructor if that argument does not contain path traversal sequences.
## 7.0.1
No user-facing changes.

4
java/ql/lib/change-notes/2025-02-27-jdk-24.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* The Java extractor and QL libraries now support Java 24.

11
java/ql/lib/change-notes/2025-01-16-file-constructor-sanitizer.md → java/ql/lib/change-notes/released/7.1.0.md
View File

@@ -1,4 +1,9 @@
---
category: minorAnalysis
---
## 7.1.0
### New Features
* The Java extractor and QL libraries now support Java 24.
### Minor Analysis Improvements
* Added a path injection sanitizer for the `child` argument of a `java.io.File` constructor if that argument does not contain path traversal sequences.

3
java/ql/lib/change-notes/released/7.1.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 7.1.1
No user-facing changes.

2
java/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 7.0.1
lastReleaseVersion: 7.1.1

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 7.0.2-dev
version: 7.1.2-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

10
java/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,13 @@
## 1.3.1
No user-facing changes.
## 1.3.0
### Major Analysis Improvements
* Fixed false positive alerts in the java query "Cross-site scripting" (`java/xss`) when `javax.servlet.http.HttpServletResponse` is used with a content type which is not exploitable.
## 1.2.0
### New Queries

7
java/ql/src/change-notes/2025-01-28-fix-xss-content-type-safe.md → java/ql/src/change-notes/released/1.3.0.md
View File

@@ -1,4 +1,5 @@
---
category: majorAnalysis
---
## 1.3.0
### Major Analysis Improvements
* Fixed false positive alerts in the java query "Cross-site scripting" (`java/xss`) when `javax.servlet.http.HttpServletResponse` is used with a content type which is not exploitable.

3
java/ql/src/change-notes/released/1.3.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 1.3.1
No user-facing changes.

2
java/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.0
lastReleaseVersion: 1.3.1

2
java/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 1.2.1-dev
version: 1.3.2-dev
groups:
- java
- queries

6
javascript/extractor/src/com/semmle/js/parser/JSDocParser.java
View File

@@ -561,7 +561,8 @@ public class JSDocParser {
private Token scanTypeName() {
char ch, ch2;
value = new String(Character.toChars(advance()));
StringBuilder sb = new StringBuilder();
sb.append((char)advance());
while (index < endIndex && isTypeName(source.charAt(index))) {
ch = source.charAt(index);
if (ch == '.') {
@@ -572,8 +573,9 @@ public class JSDocParser {
}
}
}
value += new String(Character.toChars(advance()));
sb.append((char)advance());
}
value = sb.toString();
return Token.NAME;
}

15
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,18 @@
## 2.5.1
No user-facing changes.
## 2.5.0
### Major Analysis Improvements
* Added support for the `response` threat model kind, which can enabled with [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models). When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint.
* Added support for the `useQuery` hook from `@tanstack/react-query`.
### Minor Analysis Improvements
* The `response.download()` function in `express` is now recognized as a sink for path traversal attacks.
## 2.4.1
### Minor Analysis Improvements

4
javascript/ql/lib/change-notes/2025-02-12-express-download.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `response.download()` function in `express` is now recognized as a sink for path traversal attacks.

4
javascript/ql/lib/change-notes/2025-03-17-underscore-string.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for the `underscore.string` package.

4
javascript/ql/lib/change-notes/2025-03-20-apollo-server.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.

4
javascript/ql/lib/change-notes/2025-03-20-superagent.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.

12
javascript/ql/lib/change-notes/2025-02-21-tanstack.md → javascript/ql/lib/change-notes/released/2.5.0.md
View File

@@ -1,6 +1,10 @@
---
category: majorAnalysis
---
---
## 2.5.0
### Major Analysis Improvements
* Added support for the `response` threat model kind, which can enabled with [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models). When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint.
* Added support for the `useQuery` hook from `@tanstack/react-query`.
### Minor Analysis Improvements
* The `response.download()` function in `express` is now recognized as a sink for path traversal attacks.

3
javascript/ql/lib/change-notes/released/2.5.1.md Normal file
View File

@@ -0,0 +1,3 @@
## 2.5.1
No user-facing changes.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.4.1
lastReleaseVersion: 2.5.1

15
javascript/ql/lib/ext/apollo-server.model.yml Normal file
View File

@@ -0,0 +1,15 @@
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: sourceModel
data:
- ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].AnyMember.AnyMember.AnyMember.Parameter[1]", "remote"]
- addsTo:
pack: codeql/javascript-all
extensible: typeModel
data:
- ["@apollo/server", "@apollo/server/standalone", ""]
- ["@apollo/server", "apollo-server-express", ""]
- ["@apollo/server", "apollo-server-core", ""]
- ["@apollo/server", "apollo-server", ""]

35
javascript/ql/lib/ext/underscore.string.model.yml Normal file
View File

@@ -0,0 +1,35 @@
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: typeModel
data:
- ["'underscore.string'.Wrapper", "'underscore.string'", "ReturnValue"]
- ["'underscore.string'.Wrapper", "'underscore.string'.Wrapper", "Member[slugify,capitalize,decapitalize,clean,cleanDiacritics,swapCase,escapeHTML,unescapeHTML,wrap,dedent,reverse,pred,succ,titleize,camelize,classify,underscored,dasherize,humanize,trim,ltrim,rtrim,truncate,sprintf,strRight,strRightBack,strLeft,strLeftBack,stripTags,unquote,strip,lstrip,rstrip,camelcase].ReturnValue"]
- ["'underscore.string'.Wrapper", "'underscore.string'.Wrapper", "Member[insert,replaceAll,join,splice,prune,pad,lpad,rpad,repeat,surround,quote,q,rjust,ljust].ReturnValue"]
- ["'underscore.string'.Wrapper", "'underscore.string'.Wrapper", "Member[toUpperCase,toLowerCase,replace,slice,substring,substr,concat].ReturnValue"]
- ["'underscore.string'.Wrapper", "'underscore.string'.Wrapper", "Member[tap].ReturnValue"]
- addsTo:
pack: codeql/javascript-all
extensible: summaryModel
data:
- ["'underscore.string'", "Member[slugify,capitalize,decapitalize,clean,cleanDiacritics,swapCase,escapeHTML,unescapeHTML,wrap,dedent,reverse,pred,succ,titleize,camelize,classify,underscored,dasherize,humanize,trim,ltrim,rtrim,truncate,sprintf,strRight,strRightBack,strLeft,strLeftBack,stripTags,unquote,strip,lstrip,rstrip,camelcase]", "Argument[0]", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[chop,chars,words,lines]", "Argument[0]", "ReturnValue.ArrayElement", "taint"]
- ["'underscore.string'", "Member[toSentence,toSentenceSerial]", "Argument[0].ArrayElement", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[insert,replaceAll,splice,prune,pad,lpad,rpad,repeat,rjust,ljust]", "Argument[0,2]", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[splice]", "Argument[0,3]", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[join]", "Argument[0..]", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[surround,quote,q]", "Argument[0,1]", "ReturnValue", "taint"]
- ["'underscore.string'", "", "Argument[0]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[slugify,capitalize,decapitalize,clean,cleanDiacritics,swapCase,escapeHTML,unescapeHTML,wrap,dedent,reverse,pred,succ,titleize,camelize,classify,underscored,dasherize,humanize,trim,ltrim,rtrim,truncate,sprintf,strRight,strRightBack,strLeft,strLeftBack,stripTags,unquote,value,strip,lstrip,rstrip,camelcase]", "Argument[this]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[insert,replaceAll,join,splice,prune,pad,lpad,rpad,repeat,surround,quote,q,rjust,ljust]", "Argument[this]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[insert,replaceAll,prune,pad,lpad,rpad,repeat,rjust,ljust]", "Argument[1]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[surround,quote,q]", "Argument[0]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[splice]", "Argument[2]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[join,concat]", "Argument[0..]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[toUpperCase,toLowerCase,replace,slice,substring,substr,split]", "Argument[this]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[tap]", "Argument[this]", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[tap]", "Argument[0].ReturnValue", "ReturnValue", "taint"]
- ["'underscore.string'.Wrapper", "Member[tap]", "Argument[this]", "Argument[0].Parameter[1]", "taint"]
- ["'underscore.string'", "Member[map]", "Argument[0]", "Argument[1].Parameter[0]", "taint"]
- ["'underscore.string'", "Member[map]", "Argument[1].ReturnValue", "ReturnValue", "taint"]

1
javascript/ql/lib/javascript.qll
View File

@@ -143,3 +143,4 @@ import semmle.javascript.linters.ESLint
import semmle.javascript.linters.JSLint
import semmle.javascript.linters.Linting
import semmle.javascript.security.dataflow.RemoteFlowSources
import semmle.javascript.frameworks.UnderscoreDotString

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 2.4.2-dev
version: 2.5.2-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

25
javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
View File

@@ -513,6 +513,13 @@ module ClientRequest {
}
}
/**
* Gets the name of a superagent request method.
*/
private string getSuperagentRequestMethodName() {
result = [httpMethodName(), any(Http::RequestMethodName m), "del", "DEL"]
}
/**
* A model of a URL request made using the `superagent` library.
*/
@@ -520,10 +527,22 @@ module ClientRequest {
DataFlow::Node url;
SuperAgentUrlRequest() {
exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
moduleName = "superagent" and
callee = DataFlow::moduleMember(moduleName, httpMethodName()) and
exists(string moduleName | moduleName = "superagent" |
// Handle method calls like superagent.get(url)
this = API::moduleImport(moduleName).getMember(getSuperagentRequestMethodName()).getACall() and
url = this.getArgument(0)
or
// Handle direct calls like superagent('GET', url)
this = API::moduleImport(moduleName).getACall() and
this.getArgument(0).mayHaveStringValue(getSuperagentRequestMethodName()) and
url = this.getArgument(1)
or
// Handle agent calls like superagent.agent().get(url)
exists(DataFlow::SourceNode agent |
agent = API::moduleImport(moduleName).getMember("agent").getACall() and
this = agent.getAMethodCall(httpMethodName()) and
url = this.getArgument(0)
)
)
}

26
javascript/ql/lib/semmle/javascript/frameworks/UnderscoreDotString.qll Normal file
View File

@@ -0,0 +1,26 @@
/**
* Provides classes for modeling data flow behavior of the Underscore.string library (https://www.npmjs.com/package/underscore.string).
*/
private import javascript
private import semmle.javascript.dataflow.internal.AdditionalFlowInternal
/**
* Models data flow for the Underscore.string library.
*/
private class UnderscoreDotString extends AdditionalFlowInternal {
/**
* Some of the methods in `underscore.string` have the same name as methods from `Array.prototype`.
* This prevents methods like `splice` from propagating into Argument[this].ArrayElement.
*/
override predicate clearsContent(DataFlow::Node node, DataFlow::ContentSet contents) {
exists(DataFlow::CallNode call |
call =
ModelOutput::getATypeNode(["'underscore.string'.Wrapper", "'underscore.string'"])
.getAMember()
.getACall() and
node = call.getReceiver().getPostUpdateNode() and
contents = DataFlow::ContentSet::arrayElement()
)
}
}

14
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,17 @@
## 1.5.1
No user-facing changes.
## 1.5.0
### Major Analysis Improvements
* Improved precision of data flow through arrays, fixing some spurious flows
that would sometimes cause the `length` property of an array to be seen as tainted.
* Improved call resolution logic to better handle calls resolving "downwards", targeting
a method declared in a subclass of the enclosing class. Data flow analysis
has also improved to avoid spurious flow between unrelated classes in the class hierarchy.
## 1.4.1
### Bug Fixes

5
javascript/ql/src/change-notes/2025-02-18-no-implicit-array-taint.md
View File

@@ -1,5 +0,0 @@
---
category: majorAnalysis
---
* Improved precision of data flow through arrays, fixing some spurious flows
that would sometimes cause the `length` property of an array to be seen as tainted.

9
javascript/ql/src/change-notes/2025-02-17-downward-calls.md → javascript/ql/src/change-notes/released/1.5.0.md
View File

@@ -1,6 +1,9 @@
---
category: majorAnalysis
---
## 1.5.0
### Major Analysis Improvements
* Improved precision of data flow through arrays, fixing some spurious flows
that would sometimes cause the `length` property of an array to be seen as tainted.
* Improved call resolution logic to better handle calls resolving "downwards", targeting
a method declared in a subclass of the enclosing class. Data flow analysis
has also improved to avoid spurious flow between unrelated classes in the class hierarchy.

Some files were not shown because too many files have changed in this diff Show More