hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,123 Commits 1,758 Branches 167 Tags
81a00134aa55d817faabb65b7ebd7edaa9577c8b
Commit Graph

12969 Commits

Author SHA1 Message Date
Owen Mansel-Chan
9fbe447428 Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests 
Add Hibernate SQL injection sink models and coverage
 2026-04-24 09:36:46 +01:00
copilot-swe-agent[bot]
083909ee3b Add Java change note for Hibernate sinks 
Agent-Logs-Url: https://github.com/github/codeql/sessions/41769e74-a435-4aaf-b5f7-92060f6cd84e

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 14:10:29 +00:00
copilot-swe-agent[bot]
25d232b815 Model additional Hibernate query sinks 
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 13:41:03 +00:00
Tom Hvitved
eee5b067b3 Merge pull request #21743 from hvitved/cfg/body-parts 
C#: Move handling of callables into shared control flow library
 2026-04-23 14:10:46 +02:00
copilot-swe-agent[bot]
081ad03b4b Add Hibernate SQL injection sink tests 
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 10:04:52 +00:00
Owen Mansel-Chan
9f19791d8c Merge branch 'main' into fix/path-injection-torealpath 2026-04-23 10:40:47 +01:00
Tom Hvitved
6ebf4ee394 Java: Adapt to changes in CFG library 2026-04-22 14:11:58 +02:00
Anders Schack-Mulligen
f912731cd4 Merge pull request #21565 from aschackmull/csharp/cfg2 
C#: Replace CFG with the shared implementation
 2026-04-21 15:50:38 +02:00
Owen Mansel-Chan
6efb21314a Merge pull request #21523 from owen-mc/docs/mad/barriers 
Document models-as-data barriers and barrier guards and add change notes
 2026-04-21 13:49:19 +01:00
Owen Mansel-Chan
c91b5b3c2e Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex 
Java: reduce false positives in sensitive-log
 2026-04-21 13:48:32 +01:00
Michael B. Gale
58e9bad0a0 Merge pull request #21737 from github/post-release-prep/codeql-cli-2.25.3 
Post-release preparation for codeql-cli-2.25.3
 2026-04-21 11:48:30 +02:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal 
Java: fix bug in partial path traversal
 2026-04-20 11:52:55 +01:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
MarkLee131
92d205d1a8 Use set literal for getCommonSensitiveInfoFPRegex 
Replace the five-way result = ... or result = ... disjunction with a
single equality on a set literal. Addresses the CodeQL style alert
"Use a set literal in place of or" reported by the self-scan on this
PR. Pure refactor, no semantic change.
 2026-04-19 23:29:07 -04:00
Owen Mansel-Chan
c6f641eac4 Add change note 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:18:48 +01:00
Owen Mansel-Chan
6d4a3974ce Fix bug so += File.separator is recognized 2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034 Add SPURIOUS test for += File.separator 2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4 Use inline expectations with second test 
Co-authored-by: Copilot <copilot@github.com>
 2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c Make inline expectation comments specify query 2026-04-18 10:35:15 +01:00
Salah Baddou
fb2d53e72a Address review: inline Woodstox into XmlParsers, move changelog to lib 2026-04-17 18:46:51 +04:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
 2026-04-17 18:46:51 +04:00
Owen Mansel-Chan
8f17b73796 Fix link formatting in change notes 2026-04-14 15:27:37 +01:00
Owen Mansel-Chan
c86ba38a4e Add change notes 2026-04-14 15:27:31 +01:00
Henry Mercer
43c9b95e6f Merge branch 'main' into post-release-prep/codeql-cli-2.25.2 2026-04-14 13:56:52 +01:00
Owen Mansel-Chan
7458674470 Merge pull request #21584 from owen-mc/shared/update-mad-comments 
Shared: update code comments explaining models-as-data format to include barriers and barrier guards
 2026-04-14 09:30:28 +01:00
Anders Schack-Mulligen
6ffed8523c Cfg/Java: Move InstanceOfExpr CFG into shared lib. 2026-04-10 15:47:09 +02:00
Anders Schack-Mulligen
0b6c416fd4 Cfg: Support short-circuiting compound assignments. 2026-04-10 15:47:08 +02:00
Anders Schack-Mulligen
a53cffc121 Cfg: Support GotoStmt. 2026-04-10 15:47:07 +02:00
Anders Schack-Mulligen
93a594e9c0 Cfg: Support Throw expressions. 2026-04-10 15:47:07 +02:00
idrissrio
6f199b90ba Java: Accept new test results for JDK 26 
Accept new ByteOrder.getEntries, List.ofLazy, and Map.ofLazy entries
in kotlin2 test expected files.
 2026-04-07 09:28:25 +02:00
idrissrio
3ccbd8032c Java: Accept new test results for JDK 26 
JDK 26 added ofLazy methods to List, Map, and Set collections.
Update expected test output to include these new methods.
 2026-04-07 09:28:23 +02:00
idrissrio
5a6eb79470 Java: Pin CWE-676 test to --release 25 
Thread.stop() was removed in JDK 26. Pin the test to --release 25.
 2026-04-07 09:28:22 +02:00
idrissrio
74b0e8c19a Java: Accept new test results after JDK 26 extractor upgrade 2026-04-07 09:28:20 +02:00
github-actions[bot]
242090e0ac Post-release preparation for codeql-cli-2.25.2 2026-04-06 13:49:20 +00:00
github-actions[bot]
4fe2f6d2b4 Release preparation for version 2.25.2 2026-04-06 10:30:38 +00:00
MarkLee131
46ef0204ef Remove secretQuestion from FP exclusion list 
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
 2026-04-04 21:58:32 +08:00
MarkLee131
20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex 
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
 2026-04-04 21:33:35 +08:00
MarkLee131
9ff4ed286f Java: recognize Path.toRealPath() as path normalization sanitizer 
PathNormalizeSanitizer recognized Path.normalize() and
File.getCanonicalPath()/getCanonicalFile(), but not Path.toRealPath().

toRealPath() is strictly stronger than normalize() (resolves symlinks
and verifies file existence in addition to normalizing ".." components),
and is functionally equivalent to File.getCanonicalPath() for the NIO.2
API. CERT FIO16-J and OWASP both recommend it for path traversal defense.

This adds toRealPath to PathNormalizeSanitizer alongside normalize,
reducing false positives for code using idiomatic NIO.2 path handling.
 2026-04-04 20:59:45 +08:00
Paolo Tranquilli
628f85aebc Kotlin: accept test changes 2026-03-30 15:35:19 +02:00
Paolo Tranquilli
106d6b91f3 Merge remote-tracking branch 'origin/main' into wild-crest-ql 2026-03-30 14:21:28 +02:00
Paolo Tranquilli
6433b80b25 Kotlin: accept integration test changes 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-03-30 14:21:19 +02:00
Paolo Tranquilli
1d028382da Merge branch 'main' into wild-crest-ql 2026-03-30 12:04:16 +02:00
Óscar San José
59eec7ffa2 Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1 2026-03-30 10:51:12 +02:00
github-actions[bot]
ce6e6d5db3 Post-release preparation for codeql-cli-2.25.1 2026-03-30 08:43:48 +00:00
Paolo Tranquilli
6fad5b823c Kotlin: accept test changes 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-03-30 10:07:17 +02:00
MarkLee131
e6adfbca77 Address review: update QLDoc comment and fix expected test output 
- Clarify that arithmeticUsedInBoundsCheck applies to if-condition
  comparisons, not all comparisons
- Update expected test line numbers to reflect added test calls
 2026-03-29 11:53:06 +08:00
Kaixuan Li
b595a70384 Update java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-03-29 11:45:27 +08:00
Kaixuan Li
938039d82c Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier 2026-03-29 10:25:39 +08:00
Kaixuan Li
f5cfc5e282 Update java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-03-29 10:25:10 +08:00