Commit Graph

88491 Commits

Author SHA1 Message Date
Taus
11afcce8b3 yeast: Fix bug in matching (_)
Turns out, `(_)` would match both named and unnamed nodes, as we never
checked the value of the `match_unnamed` field. This is the real reason
why the final catch-all rule we removed in the last commit was
superfluous -- unnamed nodes were being caught by the penultimate rule
instead (and mapped to `unsupported_node`).

Having fixed the bug, we now (correctly) get errors due to unmatched
unnamed nodes in the input. To fix this, we change the catch-all rule to
match unnamed nodes as well. This restores the previous behaviour
exactly.

At some point, we should find a better way to handle unnamed nodes, as
it seems wasteful to map these to `unsupported_node` (since we in
practice only use them for their string content). Perhaps we should not
attempt to translate unnamed nodes at all?
2026-07-09 11:48:50 +00:00
Taus
ee04938ded yeast: Require type annotations on root-level Rust interpolations
In order to facilitate static type checking of rules (and to make it
easier for human readers as well), rust blocks at the root level (i.e.
rules of the form `... => { ... }`) must now have a type annotation in
front.

All other forms are unaffected: if the right hand side of a rule is a
tree, we can read the type of the root node directly. For interpolations
that happen inside of such a tree, we can recover the type by looking at
what field we're interpolating into, and consulting the output schema.

All existing uses have been updated to have the appropriate type
annotations, though these are of course not checked yet (and so could be
wrong).

Finally, this commit also removes the final catch-all rule `_ @node =>
{node}`. Because of the preceding rule that matches `(_) @node`, this
rule would only ever match unnamed nodes, and I think in practice it did
not match at all (at least not in our current set of tests).

To give it a proper type we would have to add some notion of an "any"
type, which I would like to avoid. If it _does_ turn out to be needed,
we can easily add it back (ideally with a test-case that shows why it's
still needed).
2026-07-09 11:48:50 +00:00
Taus
ea36f2d7f8 yeast: add rules! macro
This macro allows the easy addition of multiple rules at the same time.
In addition, it also accepts an input and output schema, which
eventually will be used to check the validity of the rewrite rules.
2026-07-09 11:39:30 +00:00
Taus
1fb4f9d208 yeast: Move schema and YAML loader into yeast-schema crate
For type checking rules, we need to be able to load schemas (so we know
what to check against). However, since we can't have yeast-macros
depending on yeast (where the schema-handling code currently lives) as
this would introduce a circular dependency, we instead split the
schema-related code into its own yeast-schema crate.
2026-07-09 11:39:30 +00:00
Taus
33da3ef74e yeast: Fix typo
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
2026-07-08 16:35:01 +02:00
Taus
9b7a9c3851 yeast: Use clone-and-drop for per-rule context isolation
In order to avoid having context changes bubble up through the tree (or
from one sibling to another) the current framework makes a copy of the
context before calling `translate` recursively, and then restores it
afterwards.

However, this is a bit silly -- after we're done with all of the
translations, there's really no need to restore the context (as it
doesn't get accessed again).

So instead we change it from "save and then restore" to "clone and then
drop". Each rule invocation gets its own copy of the context, and simply
drops it when it's done.
2026-07-08 12:33:36 +00:00
Taus
13510b1ddd yeast: Add BuildCtx::scoped for isolated context modification
A previous commit added a translate_reset method on BuildCtx, which had
the effect of performing a translation in a completely empty context.

One issue with this is that this is an all-or-nothing proposition -- If
you want to preserve _some_ parts of the context, you have to do
something more complicated. Moreover, if you introduce a contextual
value that _should_ be preserved, all of the existing uses of
translate_reset now silently do the wrong thing.

There are two patterns that we want to address. The first one is "modify
the context in some way, then do a translation". If the translation is
the last step of a Rust block, then we don't actually need
translate_reset -- we could just reset the context and then call
`translate`. The fact that the outer context is restored afterwards
means it's okay to make destructive changes to `ctx.user_ctx` -- none of
these changes will persist.

The second pattern is the same, but where we want to do more
translations using the original context, after having performed a
translation with a modified context. In this case, we cannot just
overwrite the context, since that would invalidate the subsequent
translations.

Instead, we introduce a new method `ctx.scoped` which takes a closure as
an argument. With this we can now write

```
ctx.scoped(|ctx| ctx.reset(); ctx.translate(...));
```

and the closure is run with a copy of `ctx` that has a clone of
`user_ctx` on the inside, so no changes will persist.

(You may wonder: why not just clone `ctx` and use the clone? The answer
is that `ctx` owns mutable pointers to the AST etc., and this makes it
awkward to just "clone" it. The closure circumvents this issue nicely,
since it can borrow these pointers internally.)

For now, this rewrite has the same behaviour as the version that used
translate_reset -- we clear the entire `user_ctx`. However, we could
imagine being more fine-grained in this approach, by implementing, say,
SwiftContext::reset_modifiers (which would only affect what modifiers
are currently in the context, leaving everything else as-is).
2026-07-08 12:33:35 +00:00
Taus
8272848620 yeast: Implement IntoIterator for Id as a singleton
There's an awkward divide in yeast between returning a list of nodes or
optional node (both of which are iterable), and returning a single node
(which is not). In practice, we would like all of these cases to be
handled transparently: if a single node is returned, it behaves as if it
were a singleton list containing that node. This gives us a uniform
interface during translation -- no matter what is returned, it will be
an iterable of nodes.

To facilitate this, we make the slightly unorthodox choice of
implementing IntoIterator for Id, with the behaviour detailed above.
2026-07-08 12:33:35 +00:00
Taus
3c3f740a25 Merge pull request #22120 from asgerf/unified/local-scoping
Unified: implement local scoping
2026-07-08 14:33:14 +02:00
Owen Mansel-Chan
134e30260d Merge pull request #22119 from owen-mc/java/fix-tainted-path-pattern-sanitization
Java: fix `@Pattern` sanitization for `java/path-injection`
2026-07-08 11:37:15 +01:00
Owen Mansel-Chan
a16e19a3b1 Merge pull request #22127 from owen-mc/cpp/convert-qlref-inline-expectations
C++: Convert qlref tests to inline expectations
2026-07-08 11:36:35 +01:00
Owen Mansel-Chan
69ed2da241 Merge pull request #22134 from github/workflow/coverage/update
Update CSV framework coverage reports
2026-07-08 11:19:06 +01:00
github-actions[bot]
bc966f62e2 Add changed framework coverage reports 2026-07-08 00:38:59 +00:00
Owen Mansel-Chan
8363d2d66d Merge pull request #22132 from joshimar/java/spring-webclient-uri-ssrf-sink
Java: Model Spring reactive `WebClient.uri` as a request forgery sink
2026-07-08 00:40:33 +01:00
Luis Azanza
b8f8370c33 Update java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md
Update change note to be more technically accurate

Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-07-07 16:21:09 -07:00
Luis Azanza
6ff2a4c0d6 Apply suggestion from @owen-mc
Removing Apple Inc notice per feedback provided by GitHub

Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-07-07 16:10:05 -07:00
Luis Azanza
1db31327a7 Java: Model Spring reactive WebClient.uri as a request forgery sink 2026-07-07 13:30:48 -07:00
Owen Mansel-Chan
19745e13b5 Fix some lines with // $ ... // $ MISSING:
Note that when a line is marked `// BAD [NOT DETECTED]` but actually has
an alert, I assume that the `[NOT DETECTED]` is outdated and should be
deleted.
2026-07-07 20:48:39 +01:00
Owen Mansel-Chan
9d9590623d Address review comments 2026-07-07 20:48:36 +01:00
Owen Mansel-Chan
a812e4aa99 Refactor creating barriers with annotations 2026-07-07 12:44:19 +01:00
Owen Mansel-Chan
fa16728522 Fix comments in one test 2026-07-07 12:06:43 +01:00
Owen Mansel-Chan
76d8ae8694 Add MISSING: tag 2026-07-07 10:59:21 +01:00
Owen Mansel-Chan
843ac7c6b0 Add SPURIOUS: tags 2026-07-07 10:54:11 +01:00
Owen Mansel-Chan
a2c5d4c818 C++: Convert qlref tests to inline expectations 2026-07-07 09:49:50 +01:00
Asger F
bfb3ead314 Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-07-03 14:29:54 +02:00
Owen Mansel-Chan
e5bd62dbd3 Add change note 2026-07-03 11:34:11 +01:00
Owen Mansel-Chan
76b4f4f223 Fix @Pattern sanitizer for TaintedPath 2026-07-03 11:34:06 +01:00
Owen Mansel-Chan
077b531e41 Add failing TaintedPath test for @Pattern sanitizer 2026-07-03 11:34:03 +01:00
Asger F
c23c3d9e79 unified: Translate bare names in patterns correctly
- Context is fully reset when stepping into an expr/stmt/body.
- Binding modifier is rolled into outer_modifiers.
2026-07-03 11:59:58 +02:00
Asger F
036ed04eee unified: Support OrPattern bindings 2026-07-03 11:59:57 +02:00
Asger F
891e244116 unified: Add WhileStmt as a Conditional 2026-07-03 11:59:55 +02:00
Asger F
c8eb2071d8 unified: Add tests with 'while let' 2026-07-03 11:59:53 +02:00
Asger F
e7bff859e8 unified: More fixes in test cases 2026-07-03 11:59:51 +02:00
Asger F
6ea146f65b unified: Fix broken block syntax
The original test was not valid Swift syntax
2026-07-03 11:59:50 +02:00
Asger F
a86c7ba422 unified: Flatten GuardIfStmt into the enclosing block 2026-07-03 11:59:47 +02:00
Asger F
d0cd4ac536 Shared: remove unused getLhs() predicate 2026-07-03 11:54:26 +02:00
Owen Mansel-Chan
c3a0b65c0c Merge pull request #22115 from owen-mc/java/update-mad-docs
Java: Add section in models docs about specifying java types
2026-07-03 09:16:29 +01:00
Owen Mansel-Chan
268e9eadac Add section on specifying java types 2026-07-02 22:09:51 +01:00
Geoffrey White
ab1bc853fc Merge pull request #22053 from geoffw0/arith
Rust: Fix FPs in rust/hard-coded-cryptographic-value
2026-07-02 17:37:38 +01:00
Michael B. Gale
f4d8358454 Merge pull request #22110 from github/post-release-prep/codeql-cli-2.26.0
Post-release preparation for codeql-cli-2.26.0
2026-07-02 15:32:22 +01:00
Nora Dimitrijević
0a02b16c43 Merge pull request #22095 from d10c/d10c/drop-bracket-style-links
Remove [[ link syntax from C# XSS sink
2026-07-02 15:45:30 +02:00
Owen Mansel-Chan
4aef485d3c Merge pull request #22106 from github/workflow/coverage/update
Update CSV framework coverage reports
2026-07-02 14:08:20 +01:00
github-actions[bot]
5e50fc8471 Post-release preparation for codeql-cli-2.26.0 2026-07-02 12:26:43 +00:00
Michael B. Gale
e4a7b4ff51 Merge pull request #22109 from github/release-prep/2.26.0
Release preparation for version 2.26.0
codeql-cli/latest codeql-cli/v2.26.0
2026-07-02 13:02:15 +01:00
Michael B. Gale
66ddf3b4c6 Remove unnecessary changenote for the hotfix 2026-07-02 12:58:05 +01:00
github-actions[bot]
1af9609eed Release preparation for version 2.26.0 2026-07-02 11:43:30 +00:00
Mathias Vorreiter Pedersen
4f4cdf434b Merge pull request #22061 from MathiasVP/mad-write-through-model
Shared: Support flow summaries from `ReturnValue`s
2026-07-02 12:38:44 +01:00
Michael B. Gale
79eeaa2028 Merge pull request #22108 from hvitved/python-hot-fix
Python: release hotfix
2026-07-02 12:31:20 +01:00
Geoffrey White
1f4ae86a84 Apply suggestions from code review
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2026-07-02 11:26:26 +01:00
Tom Hvitved
797f58b5d5 Merge pull request #22052 from hvitved/rust/type-constraint-base-type-match-gen
Type inference: Generalize `typeConstraintBaseTypeMatch`
2026-07-02 11:57:28 +02:00