codeql

mirror of https://github.com/github/codeql.git synced 2026-06-19 03:41:07 +02:00

Author	SHA1	Message	Date
Sotiris Dragonas	018ba92b1e	Add additional Python prompt-injection sinks for uncovered SDK methods Cover prompt-carrying public API methods that were missing from the framework models: - OpenAI: videos.create/create_and_poll/edit/remix/extend (Sora, user), beta.realtime.sessions.create instructions (system), and role-filtered beta.threads.messages.create content (Assistants API). - Anthropic: legacy completions.create prompt (user). - agents: Agent.as_tool tool_description (system). - Google GenAI: caches.create CreateCachedContentConfig system_instruction (system) and contents (user). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-18 17:02:14 +03:00
Sotiris Dragonas	8e5f214041	Fix OpenRouter Python API and expand model coverage Verified all prompt-injection framework models against the real Python SDK sources: - OpenRouter: the official openrouter SDK uses client.chat.send(messages=) (not chat.completions.create), client.embeddings.generate(input=) (not embeddings.create), and client.responses.send(input=, instructions=). Corrected the framework qll and model, and fixed the test files that used the wrong API. - Anthropic: added the managed-agents system prompt sink (beta.agents.create/update Argument[system:]). - Google GenAI: added models.edit_image Argument[prompt:] as user content. OpenAI, agents and LangChain models were confirmed correct against their SDK sources. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-18 16:53:37 +03:00
Sotiris Dragonas	72bc52b2fd	Python: promote prompt injection queries from experimental to production Mirror the JavaScript layout from PR #21953: - Move SystemPromptInjection.ql / UserPromptInjection.ql to src/Security/CWE-1427 - Move customizations, query and framework libs to python/ql/lib - Move the AIPrompt concept to the production Concepts.qll - Drop the experimental tag; py/system-prompt-injection (high precision) now joins the code-scanning, security-extended and security-and-quality suites, while py/user-prompt-injection (low precision) stays out of the default suites - Move query tests to python/ql/test/query-tests/Security Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-18 16:30:29 +03:00
Sotiris Dragonas	db493ef30a	Python: port prompt injection queries (system + user) from JS PR #21953 Replace the experimental py/prompt-injection query with two queries mirroring the JavaScript split: - py/system-prompt-injection (system prompt / tool description / developer prompt) - py/user-prompt-injection (user-role prompt) Supports OpenAI (+Agents), Anthropic, Google GenAI, LangChain and OpenRouter via MaD models plus role-filtered framework sinks that MaD cannot express. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-18 13:52:51 +03:00
Owen Mansel-Chan	330e904449	Merge pull request #22004 from sauyon/go-model-log-slog Go: Model `log/slog` as a logging sink	2026-06-18 11:20:08 +01:00
sauyon	b7ef551b52	Address review: exercise variadic args/attrs in slog Log/LogAttrs tests Copilot review on #22004: the Log/LogAttrs test cases didn't pass any variadic args/attrs, so the Argument[..3] portion of the sink range was untested. Pass an ...any arg to slog.Log/Logger.Log and a slog.Attr to slog.LogAttrs/Logger.LogAttrs, with inline expectations asserting they're captured as logged components. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-17 20:27:00 -07:00
sauyon	00427d204c	Go: Model `log/slog` as a logging sink The standard-library structured logger `log/slog` (Go 1.21+) was not modeled, so `go/log-injection` and `go/clear-text-logging` were blind to any code that logs through it. Model its logging functions and `*slog.Logger` methods — `Debug`, `Info`, `Warn`, `Error`, their `Context` variants, and `Log`/`LogAttrs` — as `log-injection` sinks (the kind that feeds `LoggerCall`, powering both queries). Adds `log/slog` cases to the `LoggerCall` library test. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-17 20:02:29 -07:00
Owen Mansel-Chan	e618883866	Merge pull request #21969 from github/copilot/investigate-missing-alerts Python: Track instance attributes through type tracking	2026-06-18 00:04:45 +01:00
Owen Mansel-Chan	c7c1eca415	Merge branch 'main' into copilot/investigate-missing-alerts	2026-06-17 22:54:22 +01:00
Mathias Vorreiter Pedersen	3dd3e2c643	Merge pull request #21998 from MathiasVP/fix-autogenerated-dbschemes Shared/Python: #21935 follow up	2026-06-17 17:30:20 +01:00
Mathias Vorreiter Pedersen	55f2f041ee	Shared: Ensure that YAML comment extraction is properly reflected in the dbscheme template.	2026-06-17 17:05:04 +01:00
Mathias Vorreiter Pedersen	004a5b4645	Python: Ensure that YAML comment extraction is properly reflected in the dbscheme template.	2026-06-17 17:04:43 +01:00
Sotiris Dragonas	7960c5c291	Merge pull request #21953 from github/bazookamusic/cwe-1427 [Javascript] Prompt Injection queries	2026-06-17 18:05:18 +03:00
Sotiris Dragonas	57f20064ba	Merge branch 'main' into bazookamusic/cwe-1427	2026-06-17 17:12:20 +03:00
Owen Mansel-Chan	1f9899d7db	Extend added type tracking step to related types	2026-06-17 15:04:53 +01:00
Owen Mansel-Chan	dd61dd2d74	Fix FP for py/modification-of-locals	2026-06-17 14:24:18 +01:00
Owen Mansel-Chan	47c2c9e763	Add test for FP for py/modification-of-locals	2026-06-17 14:22:42 +01:00
Michael B. Gale	1cb5be52d0	Merge branch 'add-yaml-comments'	2026-06-17 13:59:08 +01:00
Owen Mansel-Chan	ea7510bf72	Refactor ReExposedInstance logic into one place	2026-06-17 13:10:47 +01:00
Owen Mansel-Chan	415857cacb	Fix FP for py/should-use-with	2026-06-17 13:01:36 +01:00
Sotiris Dragonas	ac3e38e7ad	Merge branch 'main' into bazookamusic/cwe-1427	2026-06-17 14:55:35 +03:00
Owen Mansel-Chan	d72144646a	Add test for FP for py/should-use-with	2026-06-17 12:55:17 +01:00
Sotiris Dragonas	b15a1afa24	Merge branch 'bazookamusic/cwe-1427' of https://github.com/github/codeql into bazookamusic/cwe-1427	2026-06-17 14:55:04 +03:00
Sotiris Dragonas	c444f41a3f	1. Enable inline expectations for tests 2. Add annotations for sources 2. Fix a modelling issue in the openai library - missing coverage for a legacy method when moving to MaDs and a mistake in the assistants.create models	2026-06-17 14:53:48 +03:00
Owen Mansel-Chan	199fd864ad	Fix FP for py/file-not-closed	2026-06-17 12:36:04 +01:00
Henry Mercer	929870d828	Merge pull request #21994 from github/henrymercer/mergeback-rc-3-22-into-main Merge `rc/3.22` into `main`	2026-06-17 12:21:52 +01:00
Owen Mansel-Chan	1154db4f86	Merge pull request #21957 from owen-mc/go/fix-result-node Go: fix `DataFlow::ResultNode` and some related things	2026-06-17 12:20:27 +01:00
Owen Mansel-Chan	890969433f	Add test for FP for py/file-not-closed	2026-06-17 12:19:03 +01:00
Mathias Vorreiter Pedersen	71daa20313	Merge branch 'main' into add-yaml-comments	2026-06-17 12:07:21 +01:00
Owen Mansel-Chan	0a065c93de	Update QLDoc for ResultNode	2026-06-17 11:03:23 +01:00
Owen Mansel-Chan	6161922ba4	Merge pull request #21940 from owen-mc/go/unhandled-writable-file-close Go: Improve precision of `go/unhandled-writable-file-close`	2026-06-17 10:58:08 +01:00
Owen Mansel-Chan	df416fa542	Merge pull request #21977 from owen-mc/code-owners-actions Make alert coverage team the code owners for `/actions/`	2026-06-17 10:56:52 +01:00
Sotiris Dragonas	274f014d31	Merge branch 'main' into bazookamusic/cwe-1427	2026-06-17 12:53:03 +03:00
Sotiris Dragonas	b9025a54af	Fix prompt injection severity	2026-06-17 12:52:33 +03:00
Henry Mercer	1d11151135	Merge `rc/3.22` into `main`	2026-06-17 10:41:44 +01:00
Jeroen Ketema	e6e5f0dffd	Merge pull request #21992 from jketema/jketema/swift-filter Swift: Filter more clang options not recognized by off-the-shelf clang	2026-06-17 11:32:58 +02:00
Mathias Vorreiter Pedersen	c12cf88c52	Merge branch 'main' into add-yaml-comments	2026-06-17 10:17:06 +01:00
Anders Schack-Mulligen	3654205ae2	Merge pull request #21991 from github/copilot/change-ast-for-else-branches Ruby: Add CaseElseBranch AST node to distinguish else-branch from its body	2026-06-17 09:52:39 +02:00
Anders Schack-Mulligen	027f302932	Ruby: improve return type	2026-06-17 08:47:14 +02:00
Jon Janego	72f34c2b3b	Merge pull request #21971 from github/mario-campos/fix-changenote-grammar Fix changelog copy errors in change-notes and CHANGELOG.md files	2026-06-16 10:15:25 -05:00
Jeroen Ketema	2eb9c54456	Swift: Update test to ensure stabilitry across Xcode versions	2026-06-16 16:57:01 +02:00
Owen Mansel-Chan	4d70c5f87e	Merge pull request #21973 from github/copilot/convert-qlref-tests Swift: Convert .qlref security query tests to inline expectation tests	2026-06-16 14:34:34 +01:00
Jeroen Ketema	4bfc2fd791	Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-16 14:53:48 +02:00
Jeroen Ketema	7ef19112e4	Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-16 14:53:18 +02:00
Jeroen Ketema	c5dc05483b	Merge pull request #21990 from jketema/jketema/telemetry-prep Java: Use fixture for filtering diagnostics	2026-06-16 13:53:33 +02:00
Owen Mansel-Chan	7f3181b145	Merge pull request #21972 from github/copilot/qlref-conversion-instructions Ruby: Convert CodeQL .qlref tests to inline expectations	2026-06-16 12:31:17 +01:00
Michael Nebel	e94d279234	Merge pull request #21984 from forks-felickz/felickz/razor-page-handler-sources C#: Add Razor Page handler method parameters as remote flow sources	2026-06-16 13:15:51 +02:00
Owen Mansel-Chan	48aefff964	Add SPURIOUS and MISSING to some comments	2026-06-16 10:40:39 +01:00
Owen Mansel-Chan	c5e020c68c	Work around problem with comments in heredocs	2026-06-16 10:40:37 +01:00
Anders Schack-Mulligen	8778e881cb	Ruby: Accept two more test changes for new AST node.	2026-06-16 11:14:15 +02:00

1 2 3 4 5 ...

88098 Commits