hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 18:33:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
85,780 Commits 1,693 Branches 161 Tags
4bb110beb87256fdef01f122b2bf9f8c7d254b70
Commit Graph

85780 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
REDMOND\brodes
4bb110beb8 More copilot suggestions. 2026-02-10 11:46:16 -05:00
REDMOND\brodes
a91cf6b7cb Applying copilot PR suggestions. 2026-02-10 11:37:11 -05:00
Ben Rodes
9f8ed710e2 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-10 11:09:25 -05:00
REDMOND\brodes
23bab81855 Added change log 2026-02-09 13:22:35 -05:00
REDMOND\brodes
df54459552 Restore prior PR change log (accidentally removed) 2026-02-09 13:19:02 -05:00
Ben Rodes
85ae4045c5 Merge branch 'main' into azure_python_sanitizer_upstream2 2026-02-09 13:12:38 -05:00
yoff
5ad42f8bcc Merge pull request #20563 from microsoft/azure_python_sdk_url_summary_upstream 
Azure python sdk url summary upstream
 2026-02-09 18:34:36 +01:00
Ian Lynagh
b5e3168032 Merge pull request #21286 from github/andersfugmann/kotlin_2.3.10-no-artifacts 
Kotlin: Support Kotlin 2.3.10
 2026-02-09 13:26:40 +00:00
Michael B. Gale
71e8730c63 Merge pull request #21263 from github/mbg/csharp/registry-diagnostic 
C#: Add diagnostic for private registry usage
 2026-02-09 12:58:43 +00:00
Owen Mansel-Chan
90401b3ad3 Merge pull request #21254 from owen-mc/go/astnode-get-enclosing-block 
Go: Add `AstNode.getEnclosingBlock()`
 2026-02-06 22:23:15 +00:00
Jon Janego
d0bd8459a1 Merge pull request #21291 from github/codeql-spark-run-21760759512 
Update changelog documentation site
 2026-02-06 12:28:56 -06:00
Jon Janego
1c43ceae95 Merge branch 'main' into codeql-spark-run-21760759512 2026-02-06 12:16:31 -06:00
Jon Janego
5bf2d9442e Fix formatting in changelog for Go path injection query 2026-02-06 12:14:03 -06:00
Jon Janego
c40d784a4d Update codeql-cli-2.23.1.rst 2026-02-06 12:13:34 -06:00
Jon Janego
bf6568b928 Fix formatting for Kotlin version support note 2026-02-06 12:12:55 -06:00
Jon Janego
79ad064a93 Fix formatting in Kotlin version support note 2026-02-06 12:12:16 -06:00
Jon Janego
552976d057 Update codeql-cli-2.19.1.rst 2026-02-06 12:11:49 -06:00
github-actions[bot]
353cd31ce6 update codeql documentation 2026-02-06 18:09:49 +00:00
REDMOND\brodes
f6c302b68c Removing commented out test cases. 2026-02-06 11:28:48 -05:00
REDMOND\brodes
4f11913ee5 removing SSRFSink.qll 2026-02-06 11:23:58 -05:00
REDMOND\brodes
42f6e6a19c Fixing inefficiently passed variable in nested existential quantification. 2026-02-06 11:20:15 -05:00
REDMOND\brodes
97f19d03ad Updating test case expected alerts. 2026-02-06 11:20:13 -05:00
REDMOND\brodes
97ddab0724 Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet. 2026-02-06 11:20:11 -05:00
REDMOND\brodes
27e19813be Removing an upstream change log, not needed for local fork update. 2026-02-06 11:20:10 -05:00
REDMOND\brodes
88adb05d4b Adjusting acryonym for SSRF for casing standards. 2026-02-06 11:20:08 -05:00
REDMOND\brodes
265922d2e5 Adding docs. 2026-02-06 11:20:01 -05:00
REDMOND\brodes
7db97799c1 Moved change log to correct location. 2026-02-06 11:19:22 -05:00
Ben Rodes
08b72d0a86 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:51 -05:00
Ben Rodes
46a2a249f9 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:49 -05:00
REDMOND\brodes
b8ba905253 Added change logs. 2026-02-06 11:18:23 -05:00
REDMOND\brodes
9912aaaf1a Adding azure sdk test cases and updated test expected file. 2026-02-06 11:18:16 -05:00
Paolo Tranquilli
48db24d184 Merge pull request #21287 from github/redsun82/fix-rust-deps-patching 
Bazel: fix Rust deps patching for semver build metadata
 2026-02-06 17:17:24 +01:00
REDMOND\brodes
8459eec239 Moving the SsrfSink concept into Concepts.qll, and renaming to HttpClientRequestFromModel as suggested in PR review. 2026-02-06 09:26:49 -05:00
Anders Fugmann
c5179e40c6 Kotlin: Add change note for supporting 2.3.10 2026-02-06 14:59:34 +01:00
github-actions[bot]
38830ddc5c Bazel: fix Rust deps patching for semver build metadata 
Handle crate versions containing `+` build metadata (e.g., `0.9.11+spec-1.1.0`).
Bazel repo names use `-` instead of `+`, so the generated labels need patching
to reference the correct repo name.

Also adds documentation for both patching issues handled by patch_defs.py.
 2026-02-06 14:58:34 +01:00
Anders Fugmann
d5827b5cca Kotlin: Support Kotlin 2.3.10 2026-02-06 14:54:08 +01:00
Mathias Vorreiter Pedersen
2c05624088 Merge pull request #21280 from MathiasVP/make-getChildCount-more-robust 
C++: Make 'getChildCount' more robust by counting indices instead of elements
 2026-02-06 12:19:20 +00:00
Ben Rodes
ac1987f264 Update python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-02-05 15:44:44 -05:00
Mathias Vorreiter Pedersen
d57a42a7f7 C++: Make 'getChildCount' more robust by counting indexes instead of 'TranslatedDeclarationEntry's. 2026-02-05 20:23:45 +00:00
Taus
5adc9f8ff0 Merge pull request #21274 from github/tausbn/python-fix-parsing-of-format-specifiers 
Python: Fix syntax error when `=` is used as a format fill character
 2026-02-05 16:37:42 +01:00
Taus
8c27437628 Python: Bump extractor version and add change note 2026-02-05 13:50:54 +00:00
Taus
12ee93042b Python: Add tests 2026-02-05 13:47:24 +00:00
Taus
bac356c9a1 Python: Regenerate parser files 2026-02-05 13:46:59 +00:00
Taus
68c1a3d389 Python: Fix syntax error when = is used as a format fill character 
An example (provided by @redsun82) is the string `f"{x:=^20}"`. Parsing
this (with unnamed nodes shown) illustrates the problem:

```
module [0, 0] - [2, 0]
  expression_statement [0, 0] - [0, 11]
    string [0, 0] - [0, 11]
      string_start [0, 0] - [0, 2]
      interpolation [0, 2] - [0, 10]
        "{" [0, 2] - [0, 3]
        expression: named_expression [0, 3] - [0, 9]
          name: identifier [0, 3] - [0, 4]
          ":=" [0, 4] - [0, 6]
          ERROR [0, 6] - [0, 7]
            "^" [0, 6] - [0, 7]
          value: integer [0, 7] - [0, 9]
        "}" [0, 9] - [0, 10]
      string_end [0, 10] - [0, 11]
```
Observe that we've managed to combine the format specifier token `:` and
the fill character `=` in a single token (which doesn't match the `:` we
expect in the grammar rule), and hence we get a syntax error.

If we change the `=` to some other character (e.g. a `-`), we instead
get

```
module [0, 0] - [2, 0]
  expression_statement [0, 0] - [0, 11]
    string [0, 0] - [0, 11]
      string_start [0, 0] - [0, 2]
      interpolation [0, 2] - [0, 10]
        "{" [0, 2] - [0, 3]
        expression: identifier [0, 3] - [0, 4]
        format_specifier: format_specifier [0, 4] - [0, 9]
          ":" [0, 4] - [0, 5]
        "}" [0, 9] - [0, 10]
      string_end [0, 10] - [0, 11]
```
and in particular no syntax error.

To fix this, we want to ensure that the `:` is lexed on its own, and the
`token(prec(1, ...))` construction can be used to do exactly this.

Finally, you may wonder why `=` is special here. I think what's going on
is that the lexer knows that `:=` is a token on its own (because it's
used in the walrus operator), and so it greedily consumes the following
`=` with this in mind.
 2026-02-05 13:45:54 +00:00
Paolo Tranquilli
05bef12ddd Merge pull request #21265 from github/redsun82/csharp-csrf-inheritance 
C#: Fix CSRF query to check antiforgery attributes on base classes
 2026-02-05 14:20:30 +01:00
Idriss Riouak
1df3adf021 Merge pull request #21244 from github/idrissrio/cpp/overlay/changes-json 
C/C++ overlay: use files table instead of `overlayChangedFiles` for overlay discard
 2026-02-05 13:15:07 +01:00
idrissrio
e26c199426 C/C++ overlay: use files table instead of overlayChangedFiles for overlay discard 2026-02-05 12:43:01 +01:00
Tom Hvitved
1203da1b66 Merge pull request #21253 from paldepind/rust/as-path-trait 
Rust: Resolve `as` paths to trait
 2026-02-05 12:38:16 +01:00
Paolo Tranquilli
f79bd3f4cf C#: accept location changes in test 2026-02-05 12:14:59 +01:00
Mathias Vorreiter Pedersen
476df7de73 Merge pull request #21260 from MathiasVP/add-windows-remote-flow-sources 
C++: Add more Win32 and Azure SDK remote flow sources
 2026-02-05 10:47:03 +00:00