Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.20

csharp/ql/integration-tests/all-platforms/dotnet_10/test.py

@@ -1,9 +1,7 @@
 import pytest
 
-@pytest.mark.skip(reason=".NET 10 info command crashes")
 def test1(codeql, csharp):
     codeql.database.create()
 
-@pytest.mark.skip(reason=".NET 10 info command crashes")
 def test2(codeql, csharp):
     codeql.database.create(build_mode="none")

csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.

csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll

@@ -52,7 +52,7 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {
 class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
   DapperCommandDefinitionMethodCallSqlExpr() {
     this.getObjectType() instanceof Dapper::CommandDefinitionStruct and
-    DapperCommandDefinitionMethodCallSql::flow(DataFlow::exprNode(this), _)
+    DapperCommandDefinitionMethodCallSql::flowFromExpr(this)
   }
 
   override Expr getSql() { result = this.getArgumentForName("commandText") }

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll

@@ -85,7 +85,7 @@ module RemoteSourceToExternalApi = TaintTracking::Global<RemoteSourceToExternalA
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flow(_, this) }
+  UntrustedExternalApiDataNode() { RemoteSourceToExternalApi::flowTo(this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { RemoteSourceToExternalApi::flow(result, this) }

csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll

@@ -91,7 +91,7 @@ class ExponentialRegexSink extends DataFlow::ExprNode, Sink {
   ExponentialRegexSink() {
     exists(RegexOperation regexOperation |
       // Exponential regex flows to the pattern argument
-      ExponentialRegexDataFlow::flow(_, DataFlow::exprNode(regexOperation.getPattern()))
+      ExponentialRegexDataFlow::flowToExpr(regexOperation.getPattern())
     |
       // This is used as an input for this pattern
       this.getExpr() = regexOperation.getInput() and

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql

@@ -53,7 +53,7 @@ where
   // JsonConvert static method call, but with additional unsafe typename tracking
   exists(DataFlow::Node settingsCallArg |
     JsonConvertTracking::flowPath(userInput.asPathNode3(), deserializeCallArg.asPathNode3()) and
-    TypeNameTracking::flow(_, settingsCallArg) and
+    TypeNameTracking::flowTo(settingsCallArg) and
     sameParent(deserializeCallArg.getNode(), settingsCallArg)
   )
 select deserializeCallArg, userInput, deserializeCallArg, "$@ flows to unsafe deserializer.",

csharp/ql/src/Security Features/CWE-614/CookieWithoutSecure.ql

@@ -46,10 +46,7 @@ predicate insecureCookieOptionsCreation(ObjectCreation oc) {
   // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
   oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
   secureFalseOrNotSet(oc) and
-  exists(DataFlow::Node creation |
-    CookieOptionsTracking::flow(creation, _) and
-    creation.asExpr() = oc
-  )
+  CookieOptionsTracking::flowFromExpr(oc)
 }
 
 predicate insecureCookieAppend(Expr sink) {

csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -260,6 +260,8 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
     )
   }
 
+  int contentAccessPathLimitInternal() { result = 2 }
+
   bindingset[d]
   private string getFullyQualifiedName(Declaration d) {
     exists(string qualifier, string name |