hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,994 Commits 1,759 Branches 167 Tags
8060d2ff24a9aa9ef0cc771c5e906dfba3e62f02
Commit Graph

86994 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Michael Nebel
8060d2ff24 C#: Streamline the implementation for ASP.NET Core tainted members. 2026-04-21 13:40:02 +02:00
Michael Nebel
921d93e427 C#: Add an ASP.NET flow source example when using the WebMethod attribute. 2026-04-21 13:39:59 +02:00
Michael Nebel
dba1b7539f C#: Taint members of types used in ASP.NET remote flow source context. 2026-04-21 13:39:56 +02:00
Michael Nebel
77da545ab4 C#: Reclassify some sources as AspNetRemoteFlowSource. 2026-04-21 13:39:54 +02:00
Michael Nebel
0062eb1209 C#: Update remote flow sources test to also report tainted members. 2026-04-21 13:39:51 +02:00
Michael B. Gale
58e9bad0a0 Merge pull request #21737 from github/post-release-prep/codeql-cli-2.25.3 
Post-release preparation for codeql-cli-2.25.3
 2026-04-21 11:48:30 +02:00
Jeroen Ketema
7f2a13bc7a Merge pull request #21728 from jketema/jketema/swift-6.3.1 
Swift: Update to Swift 6.3.1
 2026-04-20 19:33:08 +02:00
Jeroen Ketema
abd08440a1 Swift: Update to Swift 6.3.1 2026-04-20 16:30:29 +02:00
Jeroen Ketema
d5ded932d3 Merge pull request #21723 from jketema/swift-fixed-array 
Swift: Expose the generic arguments of `BuiltinFixedArrayType`s
 2026-04-20 16:17:41 +02:00
Taus
b108e173a5 Merge pull request #21695 from github/tausbn/python-add-support-for-pep-798 
Python: Add support for PEP-798
 2026-04-20 15:01:01 +02:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal 
Java: fix bug in partial path traversal
 2026-04-20 11:52:55 +01:00
Michael B. Gale
a73f7cb79d Merge pull request #21736 from github/release-prep/2.25.3 
Release preparation for version 2.25.3
 2026-04-20 12:29:07 +02:00
Michael B. Gale
abf374433b Merge changelog entries for cpp/implicit-function-declaration 2026-04-20 12:24:05 +02:00
Michael B. Gale
34b5dcfd5f Improve wording of actions note 2026-04-20 11:40:32 +02:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
Owen Mansel-Chan
c6f641eac4 Add change note 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:18:48 +01:00
Owen Mansel-Chan
6d4a3974ce Fix bug so += File.separator is recognized 2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034 Add SPURIOUS test for += File.separator 2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4 Use inline expectations with second test 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c Make inline expectation comments specify query 2026-04-18 10:35:15 +01:00
Owen Mansel-Chan
2764580cdf Merge pull request #21718 from chmodxxx/java/woodstox-xxe 
Java: Add XXE sink model for Woodstox WstxInputFactory
 2026-04-17 17:25:15 +01:00
Salah Baddou
fb2d53e72a Address review: inline Woodstox into XmlParsers, move changelog to lib 2026-04-17 18:46:51 +04:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
 2026-04-17 18:46:51 +04:00
Taus
ac23e16786 Python: Move Python 3.15 data-flow tests to a separate file 
We won't be able to run these tests until Python 3.15 is actually out
(and our CI is using it), so it seemed easiest to just put them in their
own test directory.
 2026-04-17 13:16:46 +00:00
Owen Mansel-Chan
29b07d5d07 Merge pull request #21721 from owen-mc/go/remove-global-function-jump-step-from-local-flow 
Go: Remove global function step from local flow
 2026-04-17 14:09:16 +01:00
Tom Hvitved
14bdb62cf8 Merge pull request #21726 from hvitved/csharp/useless-to-string-fps 
C#: Fix FPs in `RedundantToStringCall.ql`
 2026-04-17 14:59:22 +02:00
Jeroen Ketema
3073c1c94c Merge pull request #21725 from github/jeongsoolee09/add-aligned-alloc-model 
Add models of various `aligned_alloc`s
 2026-04-17 14:31:25 +02:00
Owen Mansel-Chan
bc28e1726c Refactor to get rid of duplication 2026-04-17 13:24:16 +01:00
Taus
dc36609743 Python: Add data-flow tests 
Alas, all these demonstrate is that we already don't fully support the
desugared `yield from` form.
 2026-04-17 12:15:04 +00:00
Tom Hvitved
7bfdfbefa9 Add change note 2026-04-17 13:57:08 +02:00
Tom Hvitved
0235df8758 C#: Improve alert message for RedundantToStringCall.ql 2026-04-17 13:55:00 +02:00
Jeroen Ketema
e3b88cbad3 Swift: Fix change note 2026-04-17 13:29:24 +02:00
Jeroen Ketema
dd2440086f Swift: Add change note 2026-04-17 13:24:17 +02:00
Jeongsoo Lee
abec00cd34 Update cpp/ql/src/change-notes/2026-04-16-add-model-for-aligned-alloc.md 
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
 2026-04-17 07:08:38 -04:00
Owen Mansel-Chan
9f4fd7fab0 Remove a data flow consistency exclusion 
This is no longer needed.
 2026-04-17 11:27:36 +01:00
Paolo Tranquilli
5342cc79fb Merge pull request #21574 from github/redsun82/actions/remove-harden-runner-false-positive 
Remove false positive injection sink models for `docker/build-push-action` and `step-security/harden-runner`
 2026-04-17 09:43:45 +02:00
Tom Hvitved
426962e348 C#: Fix FPs in RedundantToStringCall.ql 2026-04-17 09:37:19 +02:00
Tom Hvitved
33e9c02079 C#: Add more tests for RedundantToStringCall.ql 2026-04-17 09:33:13 +02:00
jeongsoolee09
553ed103c3 Add a change note 2026-04-16 21:31:55 -04:00
jeongsoolee09
d2d594a8ff Add models of ::aligned_alloc, std::aligned_alloc, and bsl::aligned_alloc 2026-04-16 21:21:09 -04:00
Taus
6c675fcede Python: Consolidate duplicated code 2026-04-16 21:14:42 +00:00
Jeroen Ketema
efddfab564 Swift: Expose the generic arguments of BuiltinFixedArrays 2026-04-16 17:07:20 +02:00
Owen Mansel-Chan
f6135b70ea Remove global function step from local flow 2026-04-16 11:15:01 +01:00
Tom Hvitved
ee34e3353d Merge pull request #21698 from hvitved/rust/type-inference-index-expr 
Rust: Replace special handling of index expressions in type inference
 2026-04-16 09:03:06 +02:00
Jon Janego
f95ee129df Merge pull request #21713 from github/codeql-spark-run-24459914636 
Update changelog documentation site for codeql-cli-2.25.2
 2026-04-15 09:55:53 -05:00
github-actions[bot]
d24fb29ff4 update codeql documentation 2026-04-15 14:23:47 +00:00
Jeroen Ketema
97d8993fc5 Merge pull request #21667 from jketema/jketema/swift-6.3 
Swift: Update to Swift 6.3
 2026-04-15 14:07:23 +02:00
Jeroen Ketema
7d1c62daa6 Swift: Address review comment 2026-04-15 13:37:15 +02:00
Tom Hvitved
597d81038a Merge pull request #21708 from github/copilot/fix-missed-opportunity-to-use-select 
Fix false positive in `MissedSelectOpportunity` when foreach body uses `await`
 2026-04-15 11:32:02 +02:00