Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.20

2026-04-28 18:25:24 +02:00 · 2025-12-05 19:31:47 +01:00
parent 5addb53e0f 9a95acadb5
commit bc6133de5c
602 changed files with 25261 additions and 3631 deletions
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
@@ -118,7 +118,7 @@ where
  // implicit: no setAllowContentAccess(false)
  exists(WebViewSource source |
    source.asExpr() = e and
-    not WebViewDisallowContentAccessFlow::flow(source, _)
+    not WebViewDisallowContentAccessFlow::flowFrom(source)
  )
 select e,
  "Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -85,7 +85,7 @@ private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;

 deprecated query predicate problems(DataFlow::Node src, string message) {
  JxBrowserFlowConfig::isSource(src) and
-  not JxBrowserFlow::flow(src, _) and
+  not JxBrowserFlow::flowFrom(src) and
  not isSafeJxBrowserVersion() and
  message = "This JxBrowser instance may not check HTTPS certificates."
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -50,7 +50,7 @@ private Expr getAccessControlAllowOriginHeaderName() {
 * A taint-tracking configuration for flow from a source node to CorsProbableCheckAccess methods.
 */
 module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flow(source, _) }
+  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flowFrom(source) }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
@@ -86,7 +86,7 @@ deprecated query predicate problems(
  string message1, DataFlow::Node sourceNode, string message2
 ) {
  CorsOriginFlow::flowPath(source, sink) and
-  not CorsSourceReachesCheckFlow::flow(sourceNode, _) and
+  not CorsSourceReachesCheckFlow::flowFrom(sourceNode) and
  sinkNode = sink.getNode() and
  message1 = "CORS header is being set using user controlled value $@." and
  sourceNode = source.getNode() and
--- a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
@@ -17,7 +17,7 @@ deprecated import JwtAuth0 as JwtAuth0
 deprecated module JwtDecodeConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource and
-    not FlowToJwtVerify::flow(source, _)
+    not FlowToJwtVerify::flowFrom(source)
  }

  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::GetPayload a) }
--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -218,6 +218,8 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
    )
  }

+  int contentAccessPathLimitInternal() { result = 2 }
+
  predicate isField(DataFlow::ContentSet c) {
    c instanceof DataFlowUtil::FieldContent or
    c instanceof DataFlowUtil::SyntheticFieldContent