codeql

mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00

Author	SHA1	Message	Date
BazookaMusic	98379cffcb	Documentation	2026-05-12 16:11:31 +02:00
BazookaMusic	9006ddb793	default threat model	2026-05-12 15:28:08 +02:00
BazookaMusic	74a3ba1f0d	changes for spliting into system and user	2026-05-04 11:57:43 +02:00
BazookaMusic	0b7133c4ce	JS: Add prompt injection detection (CWE-1427) for OpenAI, Anthropic, and Google GenAI SDKs Add experimental CodeQL query detecting prompt injection vulnerabilities in JavaScript/TypeScript applications using AI SDK libraries. Modeled frameworks: - openai (OpenAI, AzureOpenAI): responses, chat.completions, completions, images, embeddings, beta.assistants, beta.threads, audio APIs - @openai/agents: Agent instructions, handoffDescription, run/Runner.run, asTool, tool() - @anthropic-ai/sdk: messages.create, beta.messages.create, beta.agents.create/update - @google/genai (GoogleGenAI): generateContent, generateContentStream, generateImages, editImage, chats, live.connect Includes role-based filtering (system/developer/assistant/model roles) and constant-comparison sanitizer guard.	2026-04-30 17:39:09 +02:00
Mathias Vorreiter Pedersen	154d213fd2	Merge pull request #21768 from github/speed-up-unchecked-leap-year-after-modification C++: Speed up `cpp/leap-year/unchecked-after-arithmetic-year-modification`	2026-04-30 16:06:17 +01:00
Michael Nebel	4446f42846	Merge pull request #21684 from michaelnebel/csharp/improve-reachability-checks C#: Improve BMN feed checking & handling.	2026-04-30 15:53:52 +02:00
Owen Mansel-Chan	87c35e6401	Merge pull request #21654 from MarkLee131/fix/sensitive-log-hash-sanitizer Java: treat hash/encrypt/digest methods as sensitive-log sanitizers	2026-04-30 13:21:03 +01:00
Tom Hvitved	a473fdb709	Merge pull request #21759 from hvitved/csharp/cfg-params C#: Include parameters and their defaults in the CFG	2026-04-30 11:31:06 +02:00
Owen Mansel-Chan	fed42d655f	Merge pull request #21656 from MarkLee131/fix/trust-boundary-regexp-barrier Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers	2026-04-29 14:59:01 +01:00
Michael Nebel	03d70b9f94	C#: Add another nuget.config integration test.	2026-04-29 15:47:32 +02:00
Michael Nebel	e29770c2b5	C#: Fix missing slash in comments.	2026-04-29 15:27:47 +02:00
MarkLee131	28a6ff208c	Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer # Conflicts: # java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected # java/ql/test/query-tests/security/CWE-532/Test.java	2026-04-29 20:59:59 +08:00
Tom Hvitved	e14b654e8a	Update shared/controlflow/codeql/controlflow/ControlFlowGraph.qll Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2026-04-29 14:57:35 +02:00
MarkLee131	51e2a5418b	Java: move EncryptedSensitiveMethodCall into Sanitizers.qll Address review feedback by moving the shared method-name-based encryption/hash/digest check into Sanitizers.qll, and reference it from both CleartextStorageQuery.qll and SensitiveLoggingQuery.qll instead of duplicating the definition.	2026-04-29 20:56:36 +08:00
MarkLee131	75162bb9eb	Update java/ql/test/query-tests/security/CWE-532/Test.java Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>	2026-04-29 20:53:58 +08:00
MarkLee131	49d014cbac	Merge branch 'main' into fix/trust-boundary-regexp-barrier	2026-04-29 20:48:22 +08:00
MarkLee131	d27ee86242	Java: refactor trust-boundary sanitizers into TrustBoundaryValidationSanitizer subclasses Address review feedback by introducing dedicated subclasses of TrustBoundaryValidationSanitizer for SimpleTypeSanitizer, RegexpCheckBarrier, and the HttpServletSession type check, so isBarrier only references the abstract class.	2026-04-29 20:46:11 +08:00
Jack Nørskov Jørgensen	0192ffab07	Merge pull request #21751 from github/jacknojo/move_java_generated_mads Move generated MaDs into modelgenerator/	2026-04-29 14:33:58 +02:00
Tom Hvitved	99b5cecb18	Java: Adapt to changes in shared CFG library	2026-04-29 14:03:06 +02:00
Tom Hvitved	99023f8b59	C#: Add upgrade/downgrade scripts	2026-04-29 14:03:05 +02:00
Tom Hvitved	b6c464281b	C#: Move internal logic into `internal/ControlFlowGraph.qll`	2026-04-29 14:01:14 +02:00
Tom Hvitved	d4a32476da	C#: No need to special-case default arguments in nullness analysis	2026-04-29 14:01:13 +02:00
Tom Hvitved	6c42418faf	C#: Use parameter CFG nodes in SSA	2026-04-29 14:01:11 +02:00
Tom Hvitved	cbe207ab65	C#: Include parameters and their defaults in the CFG	2026-04-29 14:01:09 +02:00
Tom Hvitved	d792e11b7f	C#: Add tests for methods with default parameters	2026-04-29 14:01:08 +02:00
Tom Hvitved	77639817fe	C#: Remove unintended CP	2026-04-29 14:01:06 +02:00
Josef Svenningsson	68be006a29	Merge pull request #21641 from github/josefs/promptInjectionImprovements Improve prompt inject for Python	2026-04-29 11:23:52 +01:00
Mathias Vorreiter Pedersen	96d6ee61ff	Update cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>	2026-04-29 10:55:02 +01:00
Michael Nebel	bfd3683b0b	Merge pull request #21372 from michaelnebel/csharp14/usercompoundassignment C# 14: User defined compound assignment operators.	2026-04-29 11:22:35 +02:00
Asger F	c95083b176	Merge pull request #21697 from yearn/js/vercel-node-framework JS: Add support for @vercel/node serverless functions	2026-04-29 10:58:53 +02:00
Mathias Vorreiter Pedersen	dfd85c321c	C++: Compute 'IgnorableOperationToOperationSourceCandidateConfig' after an initial round of the query to reduce the number of sinks.	2026-04-28 22:02:32 +01:00
Jeroen Ketema	c2beef1900	Merge pull request #21765 from jketema/switch C++: Fix join-order problem in `getNextSwitchCase`	2026-04-28 21:57:10 +02:00
Josef Svenningsson	25a8aa97b2	Fix openai prompt injection tests	2026-04-28 18:24:26 +01:00
Josef Svenningsson	691aeb0815	Remove the chat completion create logic.	2026-04-28 18:24:24 +01:00
Josef Svenningsson	a05e191518	Add tests for anthropic prompt injection models	2026-04-28 18:24:22 +01:00
Josef Svenningsson	e069c9c2ee	Fix tests	2026-04-28 18:24:19 +01:00
Josef Svenningsson	bb18bb084c	Improve prompt inject for Python	2026-04-28 18:24:16 +01:00
murderteeth	6f774470b3	Merge branch 'main' into js/vercel-node-framework	2026-04-28 12:30:27 -04:00
murderteeth	18b06f1cf4	Model res.json and res.jsonp as Vercel response sinks Vercel API handlers more often return JSON than HTML, so res.send is not the only response body sink that matters. Mirror Express's ResponseJsonCall by also matching res.json(...) and res.jsonp(...) on the response (direct and chained), and exercise the new behavior in the library-test fixture. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-28 16:14:53 +00:00
murderteeth	1b87140ce7	Regenerate DatabaseAccesses.expected for new vercel.ts fixture The CWE-089/untyped/vercel.ts fixture added in this PR introduces a conn.query(...) call that DatabaseAccesses.ql reports, so its .expected baseline needs the corresponding entry. Output produced by `codeql test accept`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-28 15:57:06 +00:00
Jeroen Ketema	29dd56f83f	C++: Make formatting of `switch` statement examples more uniform	2026-04-28 16:36:54 +02:00
Jeroen Ketema	0bc23c3af1	C++: Match example with text	2026-04-28 16:33:17 +02:00
Jeroen Ketema	f634b328ee	C++: Fix join-order problem in `getNextSwitchCase` Before on `neovim`: ``` [2026-04-28 14:54:20] Evaluated non-recursive predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@ac8178o2 in 68ms (size: 20848). Evaluated relational algebra for predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@ac8178o2 with tuple counts: 21888 ~0% {2} r1 = SCAN switch_case OUTPUT In.2, In.0 21888 ~0% {4} \| JOIN WITH #switch_caseMerge_21#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0, _, Rhs.1 21888 ~4% {3} \| REWRITE WITH Tmp.2 := 1, Out.2 := (In.3 - Tmp.2) KEEPING 3 24091916 ~0% {3} \| JOIN WITH switch_case ON FIRST 1 OUTPUT Lhs.2, Rhs.2, Lhs.1 20848 ~2% {2} \| JOIN WITH #switch_caseMerge_12#join_rhs ON FIRST 2 OUTPUT Lhs.1, Lhs.2 return r1 ``` After: ``` [2026-04-28 15:30:53] Evaluated non-recursive predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@bf9801oj in 0ms (size: 20848). Evaluated relational algebra for predicate Stmt::SwitchCase.getNextSwitchCase/0#dispred#2d3cb6d3@bf9801oj with tuple counts: 21888 ~0% {4} r1 = SCAN switch_case OUTPUT In.0, _, In.2, In.1 21888 ~1% {3} \| REWRITE WITH Tmp.1 := 1, Out.1 := (In.3 + Tmp.1) KEEPING 3 20848 ~2% {2} \| JOIN WITH switch_case ON FIRST 2 OUTPUT Lhs.2, Rhs.2 return r1 ```	2026-04-28 15:44:53 +02:00
Jeroen Ketema	fa8c1d6226	C++: Add a `getSwitchCase` predicate to `SwitchStmt`	2026-04-28 15:44:12 +02:00
Mathias Vorreiter Pedersen	1ba9601257	Merge pull request #21764 from github/add-strsafe.h-models C++: Add `Strsafe.h` models	2026-04-28 12:10:26 +01:00
Michael Nebel	67aa342fe5	C#: Update test expected output for integration tests.	2026-04-28 12:46:41 +02:00
Owen Mansel-Chan	b07d2fb7d7	Merge pull request #21740 from owen-mc/go/overlay-correctness Go: improve accuracy of overlay annotations	2026-04-28 11:35:14 +01:00
Mathias Vorreiter Pedersen	c59d6cb2a7	C++: Accept query test change.	2026-04-28 11:35:08 +01:00
Mathias Vorreiter Pedersen	f28d5d2f59	C++: Add change note.	2026-04-28 10:57:04 +01:00
Mathias Vorreiter Pedersen	86d8e362a1	C++: Accept test changes.	2026-04-28 10:50:50 +01:00

1 2 3 4 5 ...

87233 Commits