hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,371 Commits 1,759 Branches 167 Tags
1f3e3e0cb6b758609b164ea5f0b81b08053ea748
Commit Graph

6012 Commits

Author SHA1 Message Date
MarkLee131
26af52897d Merge branch 'main' into fix/path-injection-read-subkind 2026-05-07 23:48:42 +08:00
github-actions[bot]
7610277199 Post-release preparation for codeql-cli-2.25.4 2026-05-05 10:10:06 +00:00
github-actions[bot]
88e1d86c27 Release preparation for version 2.25.4 2026-05-05 09:34:30 +00:00
MarkLee131
467394123c Merge branch 'main' into fix/path-injection-read-subkind 2026-05-04 18:56:12 +08:00
Anders Schack-Mulligen
c7904b12c8 Java: Fix reference in deprecated code. 2026-05-04 10:52:27 +02:00
Anders Schack-Mulligen
17fded4aa5 Java: Delete old deprecated code. 2026-05-04 10:52:27 +02:00
Kaixuan Li
07e97e20d8 Merge branch 'github:main' into fix/path-injection-read-subkind 2026-04-21 22:59:53 +10:00
MarkLee131
c336a1595d Java: split read-only path sinks into path-injection[read] 
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.

Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.

- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
  as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
  migrated from the historical read-file kind (plus the newer
  ClassLoader resource-lookup variants that share the same read-only
  semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
  PathSanitizer.qll: select both path-injection and
  path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
  path-injection, with a comment explaining why path-injection[read]
  is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
  add m7 regression covering the Dubbo-style classpath lookup from
  issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
  java/ql/src/change-notes.
 2026-04-21 09:17:36 +10:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
github-actions[bot]
242090e0ac Post-release preparation for codeql-cli-2.25.2 2026-04-06 13:49:20 +00:00
github-actions[bot]
4fe2f6d2b4 Release preparation for version 2.25.2 2026-04-06 10:30:38 +00:00
Óscar San José
59eec7ffa2 Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1 2026-03-30 10:51:12 +02:00
github-actions[bot]
ce6e6d5db3 Post-release preparation for codeql-cli-2.25.1 2026-03-30 08:43:48 +00:00
github-actions[bot]
fb011842c9 Release preparation for version 2.25.1 2026-03-25 23:43:06 +00:00
github-actions[bot]
8cf0954796 Release preparation for version 2.25.1 2026-03-25 08:28:30 +00:00
Óscar San José
2139b97628 Merge branch 'main' into post-release-prep/codeql-cli-2.25.0 2026-03-19 13:07:00 +01:00
github-actions[bot]
e3dbf5b022 Post-release preparation for codeql-cli-2.25.0 2026-03-16 16:03:22 +00:00
github-actions[bot]
d6055754b6 Release preparation for version 2.25.0 2026-03-16 12:15:34 +00:00
Owen Mansel-Chan
52809133f5 Add change notes 2026-03-13 11:10:43 +00:00
Owen Mansel-Chan
056aa342fe Change @security-severity for log injection queries from 7.8 to 6.1 2026-03-13 10:02:01 +00:00
Owen Mansel-Chan
f58a6e5d3a Change @security-severity for XSS queries from 6.1 to 7.8 2026-03-13 10:01:02 +00:00
Óscar San José
3b9eba2afc Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21 2026-03-06 16:20:36 +01:00
Anders Schack-Mulligen
8ef4be49aa Merge pull request #21412 from aschackmull/java/binary-assignment 
Java: Make Assignment extend BinaryExpr.
 2026-03-05 13:19:45 +01:00
Anders Schack-Mulligen
ec1d034ee0 Java: Make Assignment extend BinaryExpr. 2026-03-05 11:31:59 +01:00
Anders Schack-Mulligen
3c129fcd23 Java: Align BinaryExpr.getOp() with AssignOp.getOp(). 2026-03-04 13:46:04 +01:00
Owen Mansel-Chan
ef345a3279 Java: Inline expectation should have space after $ 
This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.
 2026-03-04 12:44:54 +00:00
github-actions[bot]
e152f08468 Post-release preparation for codeql-cli-2.24.3 2026-03-02 22:51:27 +00:00
github-actions[bot]
7795badd18 Release preparation for version 2.24.3 2026-03-02 13:23:40 +00:00
Anders Schack-Mulligen
48e3724299 Java/Cfg: Introduce new shared CFG library and replace the Java CFG. 2026-02-23 15:09:50 +01:00
Anders Schack-Mulligen
2e987343dd Java: Preparatory tweaks. 2026-02-23 15:09:48 +01:00
Idriss Riouak
744ade6720 Merge pull request #21338 from github/idrissrio/java/fix-change-note 
Java: Fix Maven change note
 2026-02-17 14:48:37 +01:00
Idriss Riouak
c877487e11 Merge pull request #21337 from github/idrissrio/java/jdk26-note 
Java: Add change note for Java 26 and updated supported languages
 2026-02-17 14:48:16 +01:00
idrissrio
5151df456c Java: Fix Maven change note 2026-02-17 14:27:27 +01:00
idrissrio
8aa839f4c0 Java: Address review comments 2026-02-17 14:19:12 +01:00
idrissrio
bd94ceddd9 Java: Add change note for JDK 26 2026-02-17 13:58:55 +01:00
Owen Mansel-Chan
94e3d86f6a Merge pull request #21319 from owen-mc/java/javax-jakarta 
Java: Always use both "javax" and "jakarta" at the beginning of Jave EE packages
 2026-02-17 08:31:52 +00:00
github-actions[bot]
b5898c5a30 Post-release preparation for codeql-cli-2.24.2 2026-02-16 17:07:45 +00:00
github-actions[bot]
ef04f927fb Release preparation for version 2.24.2 2026-02-16 13:29:25 +00:00
Owen Mansel-Chan
53b8f2abb1 Apply copilot's fixes 2026-02-16 11:02:20 +00:00
Owen Mansel-Chan
31840902cd Fix places which already dealt with both javax and jakarta 2026-02-16 11:02:16 +00:00
Owen Mansel-Chan
a5e6f6daf9 Replace "javax" with javaxOrJakarta() 
This is just a find-replace of `"javax` with `javaxOrJakarta() + "`.
 2026-02-16 11:02:12 +00:00
Owen Mansel-Chan
ca4c988e97 Remove redundant variable 2026-02-13 22:58:09 +00:00
Owen Mansel-Chan
fa3fba4a00 Use new regex-related classes (no functional change) 2026-02-11 13:09:46 +00:00
Anders Schack-Mulligen
4fcf3fbff8 Java: Make loop classes extend LoopStmt and use getBody instead of getStmt. 2026-02-04 14:43:31 +01:00
Anders Schack-Mulligen
6f40ac15b4 Java: Rename ReturnStmt.getResult to getExpr. 2026-02-04 14:43:31 +01:00
Anders Schack-Mulligen
36fa0a22f9 Java: Rename getTrueExpr/getFalseExpr on ConditionalExpr to getThen/getElse. 2026-02-04 13:38:11 +01:00
Anders Schack-Mulligen
5e6e64b2b7 Java: Rename UnaryExpr.getExpr to getOperand. 2026-02-04 10:50:49 +01:00
github-actions[bot]
73d06f26cb Post-release preparation for codeql-cli-2.24.1 2026-02-02 14:04:26 +00:00
github-actions[bot]
0db542e9f0 Release preparation for version 2.24.1 2026-02-02 12:09:09 +00:00