hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,602 Commits 1,759 Branches 167 Tags
c9fcdf3e8037f70cd46a7466266074b4b557c459
Commit Graph

12087 Commits

Author SHA1 Message Date
Henry Mercer
c9fcdf3e80 JS: Add regression test for YAML extraction 
SnakeYAML 2.3 has [a bug](https://bitbucket.org/snakeyaml/snakeyaml/issues/1098) where it crashes with an `IndexOutOfBoundsException` when a Unicode surrogate pair (e.g. an emoji) straddles the 1024 character internal buffer boundary.  This happens because the high surrogate can end up as the last character in the data window, and the reader tries to read the low surrogate past the end of the buffer.

This caused languages that extract YAML, most notably JavaScript and Actions, to fail when the codebase contained a YAML file with an emoji at an unlucky position in the file.
 2026-03-24 18:47:52 +00:00
github-actions[bot]
e3dbf5b022 Post-release preparation for codeql-cli-2.25.0 2026-03-16 16:03:22 +00:00
github-actions[bot]
d6055754b6 Release preparation for version 2.25.0 2026-03-16 12:15:34 +00:00
Asger F
22f16dda85 Merge pull request #21368 from asgerf/browser-sources 
JS: Add 'browser' source kinds
 2026-03-16 09:24:54 +01:00
Asger F
821cc0e875 JS: Address PR review comments 
- Fix misplaced semicolons in test files (was inside comment, moved before it)
- Update QLdoc comments to reference new browser source kind names
- Update docs to list browser source kinds and fix outdated 'only remote' note

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-03-13 14:58:04 +01:00
Asger F
b8c44be599 Add QL test for bun/tsx shebang recognition in TypeScript files 
Add test files with #!/usr/bin/env bun, #!/usr/bin/env tsx, and
#!/usr/bin/env node shebangs. The query lists extracted .ts files,
verifying that all three shebangs are recognized and the files are
not skipped by the extractor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-03-12 10:09:56 +01:00
Asger F
84d1828a9c JavaScript extractor: recognise bun and tsx in shebang lines 
Update the shebang regexp (renamed NODE_INVOCATION -> JS_INVOCATION) to
also match 'bun' and 'tsx' so that scripts using these runtimes are
correctly identified as JavaScript files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-03-12 09:35:36 +01:00
Asger F
5db30c9947 JS: Add change note 2026-03-11 15:40:07 +01:00
Asger F
4a001f960f JS: Add tests in request forgery queries 2026-03-11 13:53:25 +01:00
Asger F
1253553aec JS: Add browser source kinds 2026-03-11 13:50:07 +01:00
Óscar San José
3b9eba2afc Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21 2026-03-06 16:20:36 +01:00
Asger F
c9fa7fa283 Merge pull request #21369 from asgerf/js/this-bindings 
JS: Emit variables for 'this'
 2026-03-05 13:36:38 +01:00
Owen Mansel-Chan
c82f75604a Add change notes 2026-03-05 10:34:30 +00:00
Owen Mansel-Chan
99a4fe4828 Update expected test output column numbers 2026-03-04 15:02:53 +00:00
Owen Mansel-Chan
ea30f02271 js: Inline expectation should have space before $ 2026-03-04 13:11:35 +00:00
Owen Mansel-Chan
0eccd902c2 js: Inline expectation should have space after $ 
This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.
 2026-03-04 12:45:03 +00:00
github-actions[bot]
e152f08468 Post-release preparation for codeql-cli-2.24.3 2026-03-02 22:51:27 +00:00
github-actions[bot]
7795badd18 Release preparation for version 2.24.3 2026-03-02 13:23:40 +00:00
Asger F
f2cc0da936 JS: Add upgrade/downgrade scripts but with 'partial' compatibility 2026-03-02 11:09:19 +01:00
Asger F
d440b5fa85 JS: Update TRAP files 2026-02-27 14:15:34 +01:00
Asger F
47895b3334 JS: Update test for UniquePropertyNames test 
This query now reports the alert previously found by DuplicateProperty
 2026-02-27 13:37:29 +01:00
Asger F
71fb6bf915 JS: Mark corresponding lost result for the getter 2026-02-27 13:35:43 +01:00
Asger F
c673bd9151 JS: Document a missing alert due to limitation in structural comparison 2026-02-27 13:34:55 +01:00
Asger F
0f2de46648 JS: Emit variable bindings for 'this' expressions 2026-02-27 11:44:54 +01:00
Asger F
f0f58dacb3 JS: Also emit 'this' variable for class scopes 2026-02-27 11:44:31 +01:00
Asger F
4a3b86c652 JS: Update test output 2026-02-27 11:13:50 +01:00
Asger F
e0ab5ce49b JS: Emit variables for 'this' 
The extractor does not emit bindings for 'this', we just ensure that a variable exists for it
 2026-02-25 10:17:02 +01:00
Asger F
f0e665d08c Merge pull request #21349 from asgerf/mobx-wrapper 
Support React components wrapped by 'mobx-react'
 2026-02-25 09:24:45 +01:00
Owen Mansel-Chan
ada9c452f0 Merge pull request #21336 from owen-mc/js/accept-mad-sanitizers 
JS: Accept MaD sanitizers for queries with MaD sinks
 2026-02-23 13:44:54 +00:00
Asger F
27638c7029 JS: Add change note 2026-02-20 11:20:46 +01:00
Asger F
a684943bb7 JS: Model mobx-react{-lite} as higher-order component builders 2026-02-19 11:26:46 +01:00
Asger F
a0099d64c8 JS: Add mobx-react and mobx-react-lite tests 2026-02-19 11:26:44 +01:00
Paolo Tranquilli
dfe451128e Merge branch 'main' into redsun82/bazel-9 2026-02-19 11:05:32 +01:00
Owen Mansel-Chan
05f9b4124d Revert "javascript: remove sanitizer to be replaced by model" 
This reverts commit da2f77d615.
 2026-02-17 14:39:04 +00:00
Owen Mansel-Chan
b8f9dd9de5 Revert "javascript: add MaD model" 
This reverts commit 75bd4a7a12.
 2026-02-17 14:38:56 +00:00
Owen Mansel-Chan
61e8f91404 Accept MaD sanitizers for queries with MaD sinks 2026-02-17 12:45:24 +00:00
github-actions[bot]
b5898c5a30 Post-release preparation for codeql-cli-2.24.2 2026-02-16 17:07:45 +00:00
github-actions[bot]
ef04f927fb Release preparation for version 2.24.2 2026-02-16 13:29:25 +00:00
Paolo Tranquilli
10a2824b82 refactor: migrate BUILD files to explicit rules_java imports 
Add explicit load statements for java_library and java_test from
@rules_java//java:defs.bzl in:
- javascript/extractor/BUILD.bazel
- javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel
 2026-02-10 13:44:06 +01:00
github-actions[bot]
73d06f26cb Post-release preparation for codeql-cli-2.24.1 2026-02-02 14:04:26 +00:00
github-actions[bot]
0db542e9f0 Release preparation for version 2.24.1 2026-02-02 12:09:09 +00:00
Tom Hvitved
b974a84bef Merge pull request #21051 from hvitved/shared/flow-summary-provenance-filtering 
Shared: Provenance-based filtering of flow summaries
 2026-01-26 17:24:34 +01:00
Tom Hvitved
0f6bae0ae1 Add change notes 2026-01-26 12:40:22 +01:00
Tom Hvitved
93dad867cd JS: Adapt to changes in FlowSummaryImpl 2026-01-26 12:40:21 +01:00
yoff
d05901ad3f python/javascript/ruby: mark internal predicates 2026-01-22 17:30:24 +01:00
yoff
75bd4a7a12 javascript: add MaD model 
- consider if the model is in the right place
- consider if the barrier kind (sink kind) is the appropriate one
 2026-01-22 17:30:24 +01:00
yoff
da2f77d615 javascript: remove sanitizer to be replaced by model 2026-01-22 17:30:24 +01:00
yoff
3dbfb9fa4b python: add machinery for MaD barriers 
and reinstate previously removed barrier
now as a MaD row
 2026-01-22 17:30:24 +01:00
Ian Lynagh
a299174f4d javascript: Add up/downgrade scripts 2026-01-20 11:56:15 +00:00
Ian Lynagh
4140121e96 javascript: Use more standard shared dbscheme sections 
We now use the shared "Overlay support" and "Database metadata".
 2026-01-20 11:56:14 +00:00