hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-09 23:14:13 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,862 Commits 1,775 Branches 169 Tags
main
Commit Graph

3260 Commits

Author SHA1 Message Date
Tom Hvitved
f5919875b7 Merge pull request #21941 from hvitved/python/content-approx 
Python: Implement `ContentApprox`
 2026-06-09 15:46:04 +02:00
yoff
0cea01c22f Merge pull request #21926 from github/yoff/python-simplify-decorator-predicates 
Python: simplify decorator-detection predicates to pure AST match
 2026-06-08 22:04:33 +02:00
Tom Hvitved
cc1ea25856 Python: Implement ContentApprox 2026-06-08 08:41:28 +02:00
Owen Mansel-Chan
1f91f915c7 Merge pull request #21888 from owen-mc/py/remove-imprecise-container-steps 
Python: Remove imprecise container steps #2
 2026-06-04 22:16:24 +01:00
Owen Mansel-Chan
da999ee440 Address review comments 2026-06-03 21:24:16 +01:00
Owen Mansel-Chan
6f2cc43f32 Remove imprecise model for tuple() 2026-06-02 21:59:48 +01:00
Owen Mansel-Chan
5042fdee84 Remove imprecise model for list() 2026-06-02 21:59:46 +01:00
Owen Mansel-Chan
04341c47bd Tweak model for str.join 2026-06-02 21:59:44 +01:00
Owen Mansel-Chan
c3ef1ddd64 Add MaD models for lxml and xml etree.fromstringlist 2026-06-02 16:15:01 +01:00
Owen Mansel-Chan
dede5bc49b Track flow through tuple() with list with tainted elements 2026-06-02 16:14:59 +01:00
Owen Mansel-Chan
ad97b6dd64 Use access path for str.join model 2026-06-02 16:14:56 +01:00
yoff
5fb75ac987 Python: simplify decorator-detection predicates to pure AST match 
The internal predicates that identify `@staticmethod`, `@classmethod` and
`@property` decorators previously required the decorator's `NameNode` to
satisfy `isGlobal()` (i.e. no SSA def reaches the decorator's name use).
That filter was correct but unnecessarily indirect: these three names
are builtins, and even when a class body redefines one, the class body
has not started executing at the decorator position, so Python uses the
builtin.

Match the decorator's AST `Name` directly instead, dropping the CFG/SSA
detour. The slight semantic change — `isGlobal()` would have rejected
module-level shadowing of these builtins — is negligible in practice
and explicitly documented in the change note.

`hasContextmanagerDecorator` and `hasOverloadDecorator` keep the
`NameNode.isGlobal()` check because their target names (`contextmanager`,
`overload`) are imported, not builtin, and local shadowing is a real
concern.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-06-01 14:04:43 +00:00
Owen Mansel-Chan
b38440490a Address review comment 2026-05-31 21:47:44 +01:00
github-actions[bot]
cfb18c2477 Post-release preparation for codeql-cli-2.25.6 2026-05-29 12:04:35 +00:00
github-actions[bot]
8b6f969cdb Release preparation for version 2.25.6 2026-05-29 11:27:54 +00:00
Henry Mercer
9bc0c1b1ab Revert "Release preparation for version 2.25.6" 2026-05-29 12:13:50 +01:00
Owen Mansel-Chan
aee33a0cc9 Add missing code for TAnyTupleOrDictionaryElement 2026-05-29 10:26:24 +01:00
Owen Mansel-Chan
df15a719cb Add a ContentSet for any tuple or dictionary element 2026-05-28 16:48:23 +01:00
Owen Mansel-Chan
812e8e6b34 Add change note 2026-05-28 11:37:54 +01:00
Owen Mansel-Chan
80c6f082d1 Fix TODO in containerStep 2026-05-28 11:34:02 +01:00
Owen Mansel-Chan
ec13e1bcd3 Add wildcard ContentSets to avoid performance problems 2026-05-27 15:28:07 +01:00
github-actions[bot]
44a914e40f Release preparation for version 2.25.6 2026-05-25 10:23:26 +00:00
Óscar San José
996e79131e Merge branch 'main' into post-release-prep/codeql-cli-2.25.5 2026-05-22 16:32:30 +02:00
Rasmus Lerchedahl Petersen
0ecca91dea Python: typo 2026-05-21 16:59:16 +01:00
Rasmus Lerchedahl Petersen
f669a4f3bf Python: Make sure all imprecise taint bubbles up 2026-05-21 16:59:14 +01:00
Rasmus Lerchedahl Petersen
9a180036a5 Python: conversion step for format_map 
and adjust collection test
 2026-05-21 16:59:08 +01:00
Rasmus Lerchedahl Petersen
facb3b681d Python: recover taint for % format strings 2026-05-21 16:57:50 +01:00
Rasmus Lerchedahl Petersen
b67694b2ab Python: Remove imprecise container steps 
- remove `tupleStoreStep` and `dictStoreStep` from `containerStep`
   These are imprecise compared to the content being precise.
- add implicit reads to recover taint at sinks
- add implicit read steps for decoders
  to supplement the `AdditionalTaintStep`
  that now only covers when the full container is tainted.
 2026-05-21 16:57:44 +01:00
github-actions[bot]
9f64000962 Post-release preparation for codeql-cli-2.25.5 2026-05-18 15:20:31 +00:00
github-actions[bot]
e38616a2ef Release preparation for version 2.25.5 2026-05-18 12:05:32 +00:00
Geoffrey White
a4b2c0f6fd Update change notes (Copilot's suggestions). 2026-05-15 09:24:29 +01:00
Geoffrey White
59dbd68a5e Add change notes. 2026-05-14 14:46:05 +01:00
github-actions[bot]
7610277199 Post-release preparation for codeql-cli-2.25.4 2026-05-05 10:10:06 +00:00
github-actions[bot]
88e1d86c27 Release preparation for version 2.25.4 2026-05-05 09:34:30 +00:00
Josef Svenningsson
68be006a29 Merge pull request #21641 from github/josefs/promptInjectionImprovements 
Improve prompt inject for Python
 2026-04-29 11:23:52 +01:00
Josef Svenningsson
bb18bb084c Improve prompt inject for Python 2026-04-28 18:24:16 +01:00
Owen Mansel-Chan
6efb21314a Merge pull request #21523 from owen-mc/docs/mad/barriers 
Document models-as-data barriers and barrier guards and add change notes
 2026-04-21 13:49:19 +01:00
Michael B. Gale
58e9bad0a0 Merge pull request #21737 from github/post-release-prep/codeql-cli-2.25.3 
Post-release preparation for codeql-cli-2.25.3
 2026-04-21 11:48:30 +02:00
Taus
b108e173a5 Merge pull request #21695 from github/tausbn/python-add-support-for-pep-798 
Python: Add support for PEP-798
 2026-04-20 15:01:01 +02:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
Owen Mansel-Chan
8f17b73796 Fix link formatting in change notes 2026-04-14 15:27:37 +01:00
Owen Mansel-Chan
c86ba38a4e Add change notes 2026-04-14 15:27:31 +01:00
Henry Mercer
43c9b95e6f Merge branch 'main' into post-release-prep/codeql-cli-2.25.2 2026-04-14 13:56:52 +01:00
Taus
15790aa00c Python: Add change note 2026-04-14 13:27:31 +02:00
Taus
c748fdf8ee Merge pull request #21694 from github/tausbn/python-add-support-for-pep-810 
Python: Add support for PEP 810
 2026-04-14 13:27:08 +02:00
Owen Mansel-Chan
7458674470 Merge pull request #21584 from owen-mc/shared/update-mad-comments 
Shared: update code comments explaining models-as-data format to include barriers and barrier guards
 2026-04-14 09:30:28 +01:00
Taus
86020d9eed Python: Add change note 2026-04-10 14:43:30 +00:00
Taus
1ddfed6b6b Python: Add QL support for lazy imports 
Adds a new `isLazy` predicate to the relevant classes, and adds the
relevant dbscheme (and up/downgrade) changes. On upgrades we do nothing,
and on downgrades we remove the `is_lazy` bits.
 2026-04-10 14:25:08 +00:00
Taus
16683aee0e Merge pull request #21590 from github/tausbn/python-improve-bind-all-interfaces-query 
Python: Improve "bind all interfaces" query
 2026-04-07 17:59:48 +02:00