hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-30 20:28:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,433 Commits 1,724 Branches 164 Tags
427ccee3b9f8d9cfae52a48a5081e36dfa320453
Commit Graph

9831 Commits

Author SHA1 Message Date
Taus
5a65282241 Merge pull request #21429 from github/tausbn/fix-bad-join-in-method-call-order 
Python: Fix bad join in method call order computation
 2026-03-10 18:17:35 +01:00
Taus
5d74ad5bc6 Merge pull request #21419 from github/tausbn/python-improve-overloaded-method-resolution 
Python: Improve modelling of overloaded methods
 2026-03-09 16:25:05 +01:00
Taus
f2bad1e6e1 Python: Improve docstring and make predicate private 2026-03-09 13:41:38 +00:00
Taus
c5360ba46c Python: Fix bad join in method call order computation 
This join had badness 1127 on the project FiacreT/M-moire, producing ~31
million tuples in order to end up with only ~27k tuples later in the
pipeline. With the fix, we reduce this by roughly the full 31 million
(the new materialised helper predicate accounting for roughly 130k
tuples on its own).

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2026-03-09 13:09:29 +00:00
Óscar San José
3b9eba2afc Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21 2026-03-06 16:20:36 +01:00
Taus
66ca10c338 Python: Add change note 2026-03-05 22:20:03 +00:00
Taus
fa61f6f3df Python: Model @typing.overload in method resolution 
Adds `hasOverloadDecorator` as a predicate on functions. It looks for
decorators called `overload` or `something.overload` (usually
`typing.overload` or `t.overload`). These are then filtered out in the
predicates that (approximate) resolving methods according to the MRO.

As the test introduced in the previous commit shows, this removes the
spurious resolutions we had before.
 2026-03-05 22:20:03 +00:00
Taus
0561a63003 Python: Add test for overloaded __init__ resolution 
Adds a test showing that `@typing.overload` stubs are spuriously
resolved as call targets alongside the actual `__init__` implementation.
 2026-03-05 22:20:03 +00:00
Owen Mansel-Chan
c82f75604a Add change notes 2026-03-05 10:34:30 +00:00
Owen Mansel-Chan
99a4fe4828 Update expected test output column numbers 2026-03-04 15:02:53 +00:00
Owen Mansel-Chan
aa28c94562 Remove double space after $ in inline expectations tests 2026-03-04 14:12:42 +00:00
Owen Mansel-Chan
91b6801db1 py: Inline expectation should have space before $ 2026-03-04 13:11:38 +00:00
Owen Mansel-Chan
5a97348e78 python: Inline expectation should have space after $ 
This was a regex-find-replace from `# \$(?! )` (using a negative lookahead) to `# $ `.
 2026-03-04 12:45:05 +00:00
github-actions[bot]
e152f08468 Post-release preparation for codeql-cli-2.24.3 2026-03-02 22:51:27 +00:00
github-actions[bot]
7795badd18 Release preparation for version 2.24.3 2026-03-02 13:23:40 +00:00
yoff
600f585a31 Merge pull request #21296 from yoff/python/bool-comparison-guards 
Python: Handle guards being compared to boolean literals
 2026-02-26 21:13:51 +01:00
yoff
89e5a9bd72 Update python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll 
Co-authored-by: Taus <tausbn@github.com>
 2026-02-26 13:14:26 +01:00
yoff
cfbae50845 Python: convert barrier guard to MaD 2026-02-26 13:12:34 +01:00
yoff
9b9c9304c7 Python: simplify logic, suggested in review 2026-02-25 18:16:38 +01:00
yoff
c4f8748a42 Python: simplify barrier guard 2026-02-25 18:03:40 +01:00
Taus
6bfb1e1fae Merge pull request #21344 from github/tausbn/python-remove-points-to-from-metrics-libraries 
Python: Remove points-to from metrics library
 2026-02-24 15:55:16 +01:00
Taus
f107235db2 Update change note 2026-02-24 15:08:36 +01:00
yoff
7df44f9418 python: add change note 2026-02-24 10:00:22 +01:00
yoff
7351e82c92 python: handle guards compared to boolean literals 2026-02-24 10:00:22 +01:00
yoff
8488039fb9 python: add tests for guards compared to booleans 2026-02-24 10:00:21 +01:00
Jon Janego
e14b4f1c5c Merge branch 'main' into codeql-spark-run-22317536589 2026-02-23 11:52:17 -06:00
Jon Janego
79ac95d8a8 Fix syntax error with '=' in format specifier 2026-02-23 11:50:03 -06:00
Taus
480ae619e6 Merge pull request #21116 from github/tausbn/python-add-dataflow-overlay-annotations 
Add `overlay[local]` annotations
 2026-02-21 13:44:09 +01:00
Taus
07099f17d6 Python: Add change note 2026-02-19 12:32:27 +00:00
Taus
e8de8433f4 Python: Update all metrics-dependant queries 
The ones that no longer require points-to no longer import
`LegacyPointsTo`. The ones that do use the specific
`...MetricsWithPointsTo` classes that are applicable.
 2026-02-19 12:32:27 +00:00
Taus
20fea3955e Python: Remove points-to from Metrics.qll 
Moves the classes/predicates that _actually_ depend on points-to to the
`LegacyPointsTo` module, leaving behind a module that contains all of
the metrics-related stuff (line counts, nesting depth, etc.) that don't
need points-to to be evaluated.

Consequently, `Metrics` is now no longer a private import in
`python.qll`.
 2026-02-19 12:32:27 +00:00
Taus
6b6d8862b0 Merge pull request #21288 from microsoft/azure_python_sanitizer_upstream2 
Azure python sanitizer upstream2
 2026-02-18 14:59:59 +01:00
Taus
3d4785f29f Python: Add change note 2026-02-18 12:51:35 +00:00
Ben Rodes
a1eaf42cbf Update python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-02-17 13:05:51 -05:00
Ben Rodes
ceb3b21e0f Update python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll 
Co-authored-by: Taus <tausbn@github.com>
 2026-02-17 10:28:43 -05:00
github-actions[bot]
b5898c5a30 Post-release preparation for codeql-cli-2.24.2 2026-02-16 17:07:45 +00:00
Taus
cd62cdadff Python: Fix bad join in returnStep 2026-02-16 16:48:08 +00:00
Taus
304cd12fff Python: Fix bad join in missing_imported_module 
This caused a ~30x blowup in intermediate tuples, now back to baseline.
 2026-02-16 13:48:33 +00:00
Taus
987b10ab3e Python: Fix bad join in OutgoingRequestCall 
On `keras-team/keras`, this was producing ~200 million intermediate
tuples in order to produce a total of ... 2 tuples.

After the refactor, max intermediate tuple count is ~80k for the
charpred (and 4 for the new helper predicate).
 2026-02-16 13:48:33 +00:00
Taus
72f5109ec2 Python: Add more overlay[caller] to Flow.qll 
These were causing the repo `gufolabs/noc` to spend ~30 seconds
evaluating `ControlFlowNode.strictlyDominates`. Just in case, I added
`overlay[caller] to the other instances of `pragma[inline]` as well.
 2026-02-16 13:48:33 +00:00
Taus
248932db7a Python: Fix frameworks/data/warnings.ql 2026-02-16 13:48:32 +00:00
Taus
306d7d1b5d Python: DataFlowDispatch.qll annotations 2026-02-16 13:48:32 +00:00
Taus
7ea96c43ec Python: DataFlowPrivate.qll annotations 2026-02-16 13:48:32 +00:00
Taus
bd71db87be Python: DataFlowPublic.qll annotations 2026-02-16 13:48:32 +00:00
Taus
c46c662b72 Python: LocalSources.qll annotations 2026-02-16 13:48:32 +00:00
Taus
df0f2f8ce4 Python: Simple dataflow annotations 
None of these required any changes to the dataflow libraries, so it
seemed easiest to put them in their own commit.
 2026-02-16 13:48:32 +00:00
Taus
51ebec9164 Python: Fix broken queries 2026-02-16 13:48:32 +00:00
Taus
fd7b123ee3 Python: Add overlay annotations to AST classes 
... and everything else that it depends on.
 2026-02-16 13:48:32 +00:00
github-actions[bot]
ef04f927fb Release preparation for version 2.24.2 2026-02-16 13:29:25 +00:00
REDMOND\brodes
4d4e7a1b5c Pretty print for tests. 2026-02-12 08:28:08 -05:00