hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,236 Commits 1,758 Branches 167 Tags
bafa8921166f61d474b777073dc0c489a95f402e
Commit Graph

1814 Commits

Author SHA1 Message Date
MarkLee131
936f0c650c Address review comments on path-injection[read] sub-kind 
- shared/mad/codeql/mad/ModelValidation.qll: shorten the comment
  for `path-injection[%]` to `// Java-only currently`, matching the
  style of other language-scoped entries and dropping API examples
  and the java/zipslip reference.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: replace
  the `File.exists` example in the QLDoc with `FileReader`, since
  `File.exists` is still labelled plain `path-injection`, not
  `path-injection[read]`.
 2026-04-30 19:06:04 +08:00
MarkLee131
90741b15e2 Merge branch 'main' into fix/path-injection-read-subkind 2026-04-30 18:37:12 +08:00
Tom Hvitved
e14b654e8a Update shared/controlflow/codeql/controlflow/ControlFlowGraph.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2026-04-29 14:57:35 +02:00
Tom Hvitved
cbe207ab65 C#: Include parameters and their defaults in the CFG 2026-04-29 14:01:09 +02:00
Tom Hvitved
cbc12324bb Merge pull request #21703 from hvitved/rust/type-inference-sibling 
Rust: Refine `implSiblings`
 2026-04-24 12:36:51 +02:00
Tom Hvitved
c64223ae56 Merge pull request #21748 from hvitved/shared/remove-deprecated 
Shared: Remove deprecated code
 2026-04-23 14:44:17 +02:00
Tom Hvitved
90ae086822 Shared: Remove deprecated code 2026-04-23 11:24:14 +02:00
Tom Hvitved
1a84b2b555 CFG: Use dense ranking 2026-04-23 11:22:38 +02:00
Tom Hvitved
71fa2166ee Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2026-04-22 17:06:31 +02:00
Tom Hvitved
39cd86a48e C#: Move handling of callables into shared control flow library 2026-04-22 14:11:57 +02:00
Tom Hvitved
e60275c4de Rust: Refine implSiblings 
Consider two implementations of the same trait to be siblings when the
type being implemented by one is an instantiation of the type being
implemented by the other.
 2026-04-22 13:32:56 +02:00
Anders Schack-Mulligen
f912731cd4 Merge pull request #21565 from aschackmull/csharp/cfg2 
C#: Replace CFG with the shared implementation
 2026-04-21 15:50:38 +02:00
Kaixuan Li
07e97e20d8 Merge branch 'github:main' into fix/path-injection-read-subkind 2026-04-21 22:59:53 +10:00
Anders Schack-Mulligen
67c0515d3c Cfg: Undo consistency check change. 2026-04-21 13:10:03 +02:00
Anders Schack-Mulligen
9de02b7ae6 Cfg: Use consistent casing in additional node tags. 2026-04-21 10:56:10 +02:00
MarkLee131
c336a1595d Java: split read-only path sinks into path-injection[read] 
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.

Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.

- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
  as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
  migrated from the historical read-file kind (plus the newer
  ClassLoader resource-lookup variants that share the same read-only
  semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
  PathSanitizer.qll: select both path-injection and
  path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
  path-injection, with a comment explaining why path-injection[read]
  is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
  add m7 regression covering the Dubbo-style classpath lookup from
  issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
  java/ql/src/change-notes.
 2026-04-21 09:17:36 +10:00
Anders Schack-Mulligen
e928c224ae C#/Cfg: Some simple review fixes. 2026-04-20 14:43:27 +02:00
github-actions[bot]
a0bab539bb Post-release preparation for codeql-cli-2.25.3 2026-04-20 12:40:34 +00:00
github-actions[bot]
c861d99802 Release preparation for version 2.25.3 2026-04-20 09:27:23 +00:00
Henry Mercer
43c9b95e6f Merge branch 'main' into post-release-prep/codeql-cli-2.25.2 2026-04-14 13:56:52 +01:00
Tom Hvitved
b749ad645a Merge pull request #21706 from hvitved/rust/type-inference-perf-fixes 
Rust: Improve performance of two type inference predicates
 2026-04-14 13:06:26 +02:00
Owen Mansel-Chan
7458674470 Merge pull request #21584 from owen-mc/shared/update-mad-comments 
Shared: update code comments explaining models-as-data format to include barriers and barrier guards
 2026-04-14 09:30:28 +01:00
Tom Hvitved
0db62b2e68 Type inference: Fix bad join 
Before
```
Pipeline standard for TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112@d5eb7x9q was evaluated in 471 iterations totaling 24306ms (delta sizes total: 42097188).
        5676156578   ~1%    {7} r1 = JOIN `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112#prev_delta` WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersEqual/4#a276e5d4#prev` ON FIRST 3 OUTPUT Lhs.0, Lhs.1, Lhs.2, Rhs.3, _, Lhs.3, _
                            {5}    | REWRITE WITH Tmp.4 := 1, Out.4 := (Tmp.4 + In.5), Tmp.6 := 0, TEST Out.4 != Tmp.6 KEEPING 5
        5676156578   ~1%    {5}    | SCAN OUTPUT In.1, In.4, In.3, In.0, In.2
          41691564   ~1%    {4}    | JOIN WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::ArgumentTypeAndBlanketOffset,TypeMention::TypeMention,TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::SatisfiesBlanketConstraint::Inp>::TermIsInstantiationOfCondition::getNthTypeParameter/2#40c66343` ON FIRST 3 OUTPUT Lhs.3, Lhs.0, Lhs.4, Lhs.1

          42097188   ~2%    {4} r2 = SCAN `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersEqual/4#a276e5d4#prev_delta` OUTPUT In.1, In.3, In.0, In.2

          42097188   ~1%    {5} r3 = JOIN r2 WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::ArgumentTypeAndBlanketOffset,TypeMention::TypeMention,TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::SatisfiesBlanketConstraint::Inp>::TermIsInstantiationOfCondition::getNthTypeParameter/2#40c66343_021#join_rhs` ON FIRST 2 OUTPUT Lhs.2, Lhs.0, Lhs.3, Rhs.2, _
                            {4}    | REWRITE WITH Tmp.4 := 0, TEST InOut.3 != Tmp.4 KEEPING 4
          41691564   ~1%    {5}    | SCAN OUTPUT In.0, In.1, In.2, _, In.3
          41691564   ~1%    {5}    | REWRITE WITH Tmp.3 := 1, Out.3 := (InOut.4 - Tmp.3)
                 0   ~0%    {4}    | JOIN WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112#prev` ON FIRST 4 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.4

          42097188   ~0%    {6} r4 = JOIN r2 WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::ArgumentTypeAndBlanketOffset,TypeMention::TypeMention,TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::SatisfiesBlanketConstraint::Inp>::TermIsInstantiationOfCondition::getNthTypeParameter/2#40c66343_021#join_rhs` ON FIRST 2 OUTPUT Lhs.2, Lhs.0, Lhs.3, Lhs.1, Rhs.2, _
                            {5}    | REWRITE WITH Tmp.5 := 0, TEST InOut.4 = Tmp.5 KEEPING 5
            405624   ~1%    {5}    | SCAN OUTPUT In.1, _, In.3, In.0, In.2
            405624   ~1%    {5}    | REWRITE WITH Out.1 := 0
            405624   ~0%    {4}    | JOIN WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::ArgumentTypeAndBlanketOffset,TypeMention::TypeMention,TypeInference::AssocFunctionResolution::ArgSatisfiesBlanketLikeConstraint::SatisfiesBlanketConstraint::Inp>::TermIsInstantiationOfCondition::getNthTypeParameter/2#40c66343` ON FIRST 3 OUTPUT Lhs.3, Lhs.0, Lhs.4, _
            405624   ~1%    {4}    | REWRITE WITH Out.3 := 0

          42097188   ~1%    {4} r5 = r1 UNION r3 UNION r4
          42097188   ~1%    {4}    | AND NOT `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112#prev`(FIRST 4)
                            return r5
```

After
```
Pipeline standard for TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112@96df1x2u was evaluated in 471 iterations totaling 4058ms (delta sizes total: 42097188).
        42097188   ~0%    {4} r1 = SCAN `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersEqual/5#ddfcf430#prev_delta` OUTPUT In.3, In.0, In.1, In.2
          405624   ~0%    {4}    | JOIN WITH const_0 ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3, _
          405624   ~1%    {4}    | REWRITE WITH Out.3 := 0

        42097188   ~1%    {6} r2 = SCAN `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112#prev_delta` OUTPUT In.0, In.1, In.2, _, In.3, _
        42097188   ~1%    {4}    | REWRITE WITH Tmp.3 := 1, Out.3 := (Tmp.3 + In.4), Tmp.5 := 0, TEST Out.3 != Tmp.5 KEEPING 4
        41691564   ~1%    {4}    | JOIN WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersEqual/5#ddfcf430#prev` ON FIRST 4 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3

        42097188   ~1%    {6} r3 = SCAN `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersEqual/5#ddfcf430#prev_delta` OUTPUT In.0, In.1, In.2, In.3, In.4, _
                          {5}    | REWRITE WITH Tmp.5 := 0, TEST InOut.3 != Tmp.5 KEEPING 5
        41691564   ~1%    {5}    | SCAN OUTPUT In.0, In.1, In.2, _, In.3
        41691564   ~1%    {5}    | REWRITE WITH Tmp.3 := 1, Out.3 := (InOut.4 - Tmp.3)
               0   ~0%    {4}    | JOIN WITH `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112#prev` ON FIRST 4 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.4

        42097188   ~1%    {4} r4 = r1 UNION r2 UNION r3
        42097188   ~1%    {4}    | AND NOT `TypeInference::M2::SatisfiesConstraintWithTypeMatching<TypeInference::FunctionCallMatching::AccessConstraint::RelevantAccess,TypeMention::TypeMention,TypeInference::FunctionCallMatching::AccessConstraint::SatisfiesTypeParameterConstraintInput>::TermIsInstantiationOfCondition::typeParametersHaveEqualInstantiationToIndex/4#dde26112#prev`(FIRST 4)
                          return r4
```
 2026-04-14 09:34:13 +02:00
Anders Schack-Mulligen
d5c9fd1085 C#/Cfg: A bit more qldoc. 2026-04-10 15:47:25 +02:00
Anders Schack-Mulligen
ff978d1a8c C#: Replace CFG. 2026-04-10 15:47:13 +02:00
Anders Schack-Mulligen
b85b02abb4 Cfg: Add dominance predicates to shared ControlFlowNode. 2026-04-10 15:47:10 +02:00
Anders Schack-Mulligen
88aaff863b Cfg: Extend consistency checks. 2026-04-10 15:47:09 +02:00
Anders Schack-Mulligen
6ffed8523c Cfg/Java: Move InstanceOfExpr CFG into shared lib. 2026-04-10 15:47:09 +02:00
Anders Schack-Mulligen
0b6c416fd4 Cfg: Support short-circuiting compound assignments. 2026-04-10 15:47:08 +02:00
Anders Schack-Mulligen
a53cffc121 Cfg: Support GotoStmt. 2026-04-10 15:47:07 +02:00
Anders Schack-Mulligen
93a594e9c0 Cfg: Support Throw expressions. 2026-04-10 15:47:07 +02:00
Tom Hvitved
33cc887be0 Merge pull request #21592 from hvitved/dataflow/source-call-context-type-flow 
Data flow: Add hook for preventing lambda dispatch in source call contexts
 2026-04-09 13:44:42 +02:00
Tom Hvitved
d704b753c8 Fix CP in typeFlowParamType 
Forgot to link `p` with `c` using `nodeEnclosingCallable(p, c)`.
 2026-04-09 09:19:55 +02:00
Taus
16683aee0e Merge pull request #21590 from github/tausbn/python-improve-bind-all-interfaces-query 
Python: Improve "bind all interfaces" query
 2026-04-07 17:59:48 +02:00
Mathias Vorreiter Pedersen
5e145aa27d Merge pull request #21631 from MathiasVP/expose-fwd-stage-1 
Dataflow: Expose stage 1's `fwdFlow`
 2026-04-07 11:29:56 +01:00
Mathias Vorreiter Pedersen
e06294bcb4 Shared: Respond to review comments. 2026-04-07 11:11:04 +01:00
Tom Hvitved
0d4524f8f3 Address review comments 2026-04-07 11:40:10 +02:00
Tom Hvitved
1e1a8732a3 Data flow: Add hook for preventing lambda dispatch in source call contexts 2026-04-07 11:40:08 +02:00
Tom Hvitved
7d184d0c7f Merge pull request #21206 from hvitved/rust/type-inference-closure-param-context-typed 
Rust: Infer argument types based on trait bounds on parameters
 2026-04-07 09:17:30 +02:00
github-actions[bot]
242090e0ac Post-release preparation for codeql-cli-2.25.2 2026-04-06 13:49:20 +00:00
github-actions[bot]
4fe2f6d2b4 Release preparation for version 2.25.2 2026-04-06 10:30:38 +00:00
Mathias Vorreiter Pedersen
4d8b782695 Shared: Also expose dataflow stage 1's forward flow predicate. 2026-04-02 10:56:09 +01:00
Óscar San José
59eec7ffa2 Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1 2026-03-30 10:51:12 +02:00
github-actions[bot]
ce6e6d5db3 Post-release preparation for codeql-cli-2.25.1 2026-03-30 08:43:48 +00:00
Owen Mansel-Chan
37aac05964 Replace branch with acceptingValue 2026-03-27 22:39:10 +00:00
Owen Mansel-Chan
a7fdc4b543 Replace acceptingvalue with acceptingValue 2026-03-27 22:15:45 +00:00
Tom Hvitved
6dc98cfd01 Rust: Infer argument types based on trait bounds on parameters 2026-03-27 11:39:03 +01:00
Taus
c439fc5d45 Python: Replace type tracking with global data-flow 
This takes care of most of the false negatives from the preceding
commit.

Additionally, we add models for some known wrappers of `socket.socket`
from the `gevent` and `eventlet` packages.
 2026-03-26 15:35:33 +00:00
github-actions[bot]
fb011842c9 Release preparation for version 2.25.1 2026-03-25 23:43:06 +00:00
Tom Hvitved
6295f57a87 Rust: Take additional type parameter constraints into account 2026-03-25 10:11:04 +01:00