hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,421 Commits 1,759 Branches 167 Tags
copilot/vscode-mndb17m3-9fpv
Commit Graph

5030 Commits

Author SHA1 Message Date
Owen Mansel-Chan
0b808e1170 Merge pull request #21807 from owen-mc/java/improve-qhelp-unsafe-deserialization 
Shared: improve qhelp for unsafe deserialization queries
 2026-05-12 22:22:49 +01:00
Owen Mansel-Chan
a5ef036465 Note that common standard library types can be vulnerable to gadget-chain attacks 2026-05-08 14:18:54 +01:00
Owen Mansel-Chan
ed9477aac9 Ruby: Clarify that deserialization following a schema is safe 2026-05-08 14:06:16 +01:00
Paolo Tranquilli
f9e42ac443 Merge pull request #21794 from github/post-release-prep/codeql-cli-2.25.4 
Post-release preparation for codeql-cli-2.25.4
 2026-05-07 14:43:24 +02:00
Taus
82bbdee832 yeast: Support separate output node types in extractor generator 
Language and LanguageSpec gain optional output_node_types field.
When set, the generator produces dbscheme/QL from the output types
and the extractor validates TRAP against them.

All existing extractors pass None (no behavior change).
Ruby extract() calls gain vec![] for the new rules parameter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-05-06 11:34:09 +00:00
Taus
9ad431dea1 yeast: Integrate yeast with shared tree-sitter extractor 
extract() gains a rules parameter. When empty, uses tree-sitter native
traversal (no behavior change). When non-empty, runs yeast desugaring
and extracts via traverse_yeast.

Adds AstNode trait abstracting over tree_sitter::Node and yeast::Node,
with minimal changes to existing Visitor methods (Node -> &N in 6
signatures).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-05-06 11:34:09 +00:00
github-actions[bot]
7610277199 Post-release preparation for codeql-cli-2.25.4 2026-05-05 10:10:06 +00:00
github-actions[bot]
88e1d86c27 Release preparation for version 2.25.4 2026-05-05 09:34:30 +00:00
Tom Hvitved
18da5f61cd Ruby: Remove deprecated references to deprecated shared code 2026-04-23 11:29:04 +02:00
Owen Mansel-Chan
6efb21314a Merge pull request #21523 from owen-mc/docs/mad/barriers 
Document models-as-data barriers and barrier guards and add change notes
 2026-04-21 13:49:19 +01:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
Owen Mansel-Chan
76d165e71e "modelling" -> "modeling" in docs 2026-04-14 15:27:39 +01:00
Owen Mansel-Chan
8f17b73796 Fix link formatting in change notes 2026-04-14 15:27:37 +01:00
Owen Mansel-Chan
c86ba38a4e Add change notes 2026-04-14 15:27:31 +01:00
Henry Mercer
43c9b95e6f Merge branch 'main' into post-release-prep/codeql-cli-2.25.2 2026-04-14 13:56:52 +01:00
Owen Mansel-Chan
7458674470 Merge pull request #21584 from owen-mc/shared/update-mad-comments 
Shared: update code comments explaining models-as-data format to include barriers and barrier guards
 2026-04-14 09:30:28 +01:00
github-actions[bot]
242090e0ac Post-release preparation for codeql-cli-2.25.2 2026-04-06 13:49:20 +00:00
github-actions[bot]
4fe2f6d2b4 Release preparation for version 2.25.2 2026-04-06 10:30:38 +00:00
Óscar San José
59eec7ffa2 Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1 2026-03-30 10:51:12 +02:00
github-actions[bot]
ce6e6d5db3 Post-release preparation for codeql-cli-2.25.1 2026-03-30 08:43:48 +00:00
Owen Mansel-Chan
37aac05964 Replace branch with acceptingValue 2026-03-27 22:39:10 +00:00
Owen Mansel-Chan
10fddc7b96 Add barriers and barrier guards to MaD format explanations 2026-03-27 09:47:24 +00:00
github-actions[bot]
fb011842c9 Release preparation for version 2.25.1 2026-03-25 23:43:06 +00:00
github-actions[bot]
8cf0954796 Release preparation for version 2.25.1 2026-03-25 08:28:30 +00:00
Tom Hvitved
cc99867969 Merge pull request #21511 from hvitved/ruby/empty-stats 
Ruby: Use empty DB stats
 2026-03-24 08:25:43 +01:00
Tom Hvitved
4b364639a2 Ruby: Fix join orders following DB stats removal 2026-03-20 13:13:38 +01:00
Óscar San José
2139b97628 Merge branch 'main' into post-release-prep/codeql-cli-2.25.0 2026-03-19 13:07:00 +01:00
Tom Hvitved
750f1ae8e9 Ruby: Use empty DB stats 2026-03-19 10:18:42 +01:00
github-actions[bot]
e3dbf5b022 Post-release preparation for codeql-cli-2.25.0 2026-03-16 16:03:22 +00:00
github-actions[bot]
d6055754b6 Release preparation for version 2.25.0 2026-03-16 12:15:34 +00:00
Owen Mansel-Chan
52809133f5 Add change notes 2026-03-13 11:10:43 +00:00
Owen Mansel-Chan
056aa342fe Change @security-severity for log injection queries from 7.8 to 6.1 2026-03-13 10:02:01 +00:00
Owen Mansel-Chan
f58a6e5d3a Change @security-severity for XSS queries from 6.1 to 7.8 2026-03-13 10:01:02 +00:00
Óscar San José
3b9eba2afc Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21 2026-03-06 16:20:36 +01:00
Owen Mansel-Chan
c82f75604a Add change notes 2026-03-05 10:34:30 +00:00
Owen Mansel-Chan
1950fd33db Ruby: Inline expectation should have space before $ 2026-03-04 13:11:41 +00:00
Owen Mansel-Chan
6001c735ff Ruby: Inline expectation should have space after $ 
This was a regex-find-replace from `# \$(?! )` (using a negative lookahead) to `# $ `.
 2026-03-04 12:45:06 +00:00
github-actions[bot]
e152f08468 Post-release preparation for codeql-cli-2.24.3 2026-03-02 22:51:27 +00:00
github-actions[bot]
7795badd18 Release preparation for version 2.24.3 2026-03-02 13:23:40 +00:00
Owen Mansel-Chan
12bd709219 Merge pull request #21341 from owen-mc/rb/accept-mad-sanitizers 
Ruby: Accept MaD sanitizers for queries with MaD sinks and convert some existing sanitizers
 2026-02-23 11:44:05 +00:00
Owen Mansel-Chan
1d6b8c5120 Use postprocessing queries for unrelated test 
Need to do this because the model numbering was changing. At the same
time we may as well use inline expectations.
 2026-02-18 13:49:53 +00:00
Owen Mansel-Chan
05d681fe19 Update taintstep test for models becoming MaD 2026-02-18 13:49:50 +00:00
Owen Mansel-Chan
f577e973bc Update other test in same folder 2026-02-18 13:39:06 +00:00
Owen Mansel-Chan
1bff7a3eb8 Add change note 2026-02-17 22:29:35 +00:00
Owen Mansel-Chan
eb7f1989c7 Reinstate ql model for String#shellescape 2026-02-17 22:27:15 +00:00
Owen Mansel-Chan
de5470a85c Add MaD barriers for Shellwords.escape and shellescape 
Note that this will only block flow for queries that use the kind `command-injection`.
 2026-02-17 22:27:13 +00:00
Owen Mansel-Chan
b3681f7a0c Model flow through Shellwords escape and shellescape 2026-02-17 22:27:11 +00:00
Owen Mansel-Chan
6294c3b3b8 Remove Shellwords sanitizer in ql 
Note that some sanitizers had no effect because flow through those functions wasn't modeled.
 2026-02-17 22:27:10 +00:00
Owen Mansel-Chan
4aee99f0eb Reinstate SQLite3 sanitizer in MaD 2026-02-17 22:27:08 +00:00