hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-21 12:51:08 +02:00
Code Issues Packages Projects Releases Wiki Activity
88,137 Commits 1,785 Branches 169 Tags
d86ec1a4b4bcbe2176a05e9b8c019df10dfd6bfc
Commit Graph

88137 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sotiris Dragonas
d86ec1a4b4 Merge pull request #22012 from github/bazookamusic/js-prompt-injection-sinks 
JS Prompt Injection - Add some more sinks and reclassify legacy API
 2026-06-19 17:41:41 +03:00
Owen Mansel-Chan
b54d95d7c8 Merge pull request #21967 from github/copilot/conversion-of-codeql-queries 
Convert selected Python qlref tests to inline expectations
 2026-06-19 14:56:36 +01:00
Michael Nebel
a076ffcc9a Merge pull request #21996 from michaelnebel/csharp/fixpathcombineissues 
C#: Fix the `cs/path-combine` code quality issues in the extractor.
 2026-06-19 15:49:24 +02:00
Owen Mansel-Chan
f65d1e82cf Merge pull request #21554 from github/copilot/make-go-use-ssa-library 
Go: use shared SSA library (codeql.ssa.Ssa)
 2026-06-19 13:40:37 +01:00
Owen Mansel-Chan
27f6ffc00e Delete accidentally included text file 2026-06-19 13:24:06 +01:00
Owen Mansel-Chan
c9d45217d2 Fix order of comments in test 2026-06-19 13:23:52 +01:00
Owen Mansel-Chan
451fc2e4e7 Undo conversion for queries that import LegacyPointsTo 2026-06-19 12:22:42 +01:00
Owen Mansel-Chan
5497f2c5fe Convert Python qlref tests to inline expectations 2026-06-19 12:22:40 +01:00
Owen Mansel-Chan
1496fb6b12 Shared: allow comment starting with # after inline expectation comment 2026-06-19 11:20:30 +01:00
Sotiris Dragonas
38435fc3f2 Merge branch 'main' into bazookamusic/js-prompt-injection-sinks 2026-06-19 12:19:50 +03:00
Michael Nebel
03b525b689 C#: Handle the places where we could risk that Path.Combine would have thrown away the first argument. 2026-06-19 10:22:52 +02:00
Michael Nebel
f7b3f851e8 C#: Rename PathCombine to PathJoin. 2026-06-19 10:22:49 +02:00
Michael Nebel
131d4a0d81 C#: Fix the cs/path-combine code quality issues in the extractor. 2026-06-19 10:22:40 +02:00
Michael Nebel
2686026608 Merge pull request #21993 from michaelnebel/csharp/dropmono 
C#: Only use `nuget.exe` on Windows or machines with Mono.
 2026-06-19 09:53:04 +02:00
Owen Mansel-Chan
1d69c30ec1 Merge pull request #22010 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2026-06-19 03:26:14 +01:00
github-actions[bot]
65a3153066 Add changed framework coverage reports 2026-06-19 01:06:45 +00:00
Sotiris Dragonas
ea87f59480 JS: Add and reclassify prompt-injection sinks for AI SDKs 
Add missing system/user prompt-injection sinks across the OpenAI,
Anthropic, and Google GenAI JavaScript models:

- OpenAI videos.create/edit/extend/remix prompts (user)
- OpenAI beta.realtime.sessions.create instructions (system)
- Anthropic legacy completions.create prompt (user)
- Google GenAI caches.create config.systemInstruction (system)
- Google GenAI caches.create config.contents (user)

Also reclassify the OpenAI legacy completions.create prompt from
system-prompt-injection to user-prompt-injection: the legacy
/v1/completions endpoint takes a single free-form prompt with no role
separation, so it is the text-in/text-out equivalent of a user message.

Note: videos.remix takes the prompt in Argument[1] (remix(videoID, body)),
and Google GenAI caches.create nests both contents and systemInstruction
under config, so the model entries differ slightly from a naive mapping.

Add corresponding test cases with inline annotations and regenerate the
.expected files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
 2026-06-18 17:32:10 +03:00
Owen Mansel-Chan
db5fac17bf Add QLDoc to MakeSsa to silence CI 2026-06-18 14:54:21 +01:00
Owen Mansel-Chan
fc06aa1a32 Update expected data flow consistency results 2026-06-18 14:54:19 +01:00
Henry Mercer
4e7e363067 Merge branch 'main' into copilot/make-go-use-ssa-library 2026-06-18 14:31:47 +01:00
Anders Schack-Mulligen
779309edb1 Merge pull request #21999 from aschackmull/cfg/parameter-pattern 
Cfg: Distinguish parameters from their patterns.
 2026-06-18 15:18:22 +02:00
Owen Mansel-Chan
2d34b0be1b Merge branch 'main' into copilot/make-go-use-ssa-library 2026-06-18 14:09:20 +01:00
Owen Mansel-Chan
8c07e95f05 Rename mayCapture to mayUpdateCapturedVariable 2026-06-18 12:41:25 +01:00
Owen Mansel-Chan
f04c8ccbc7 Use module already provided by BasicBlocks lib 2026-06-18 12:37:27 +01:00
Owen Mansel-Chan
7222f1d3ad Remove change note 2026-06-18 12:34:20 +01:00
Jeroen Ketema
5016fcb396 Merge pull request #21995 from jketema/jketema/tele 
Java: Update expected test results after extractor changes
 2026-06-18 12:51:29 +02:00
Michael Nebel
142a72c77b C#: Address review comments. 2026-06-18 12:48:09 +02:00
Owen Mansel-Chan
330e904449 Merge pull request #22004 from sauyon/go-model-log-slog 
Go: Model `log/slog` as a logging sink
 2026-06-18 11:20:08 +01:00
Anders Schack-Mulligen
f844cd3754 Java/C#: Adapt to signature change. 2026-06-18 11:00:30 +02:00
Anders Schack-Mulligen
3a3ec1be90 Cfg: Distinguish parameters from their patterns. 2026-06-18 11:00:30 +02:00
Michael Nebel
c747352f41 C#: Fix some code quality issues by replacing Path.Combine with Path.Join. 2026-06-18 08:28:58 +02:00
Michael Nebel
dfdd12190e C#: Rename NugetExeWrapper to PackagesConfigRestorer. 2026-06-18 08:28:56 +02:00
Michael Nebel
63057db753 C#: Only download and use nuget.exe in case of windows or mono is installed. 2026-06-18 08:28:54 +02:00
Michael Nebel
21f8caf153 C#: Re-factor the NugetExeWrapper, introduce an interface and a factory method for constructing package config restorers. 2026-06-18 08:28:51 +02:00
Michael Nebel
9b34cfa362 C#: Invert logic in HasPackageSource. 2026-06-18 08:28:49 +02:00
Michael Nebel
944d76de44 C#: Use the build actions IsWindows in the NugetExeWrapper. 2026-06-18 08:28:47 +02:00
sauyon
b7ef551b52 Address review: exercise variadic args/attrs in slog Log/LogAttrs tests 
Copilot review on #22004: the Log/LogAttrs test cases didn't pass any
variadic args/attrs, so the Argument[..3] portion of the sink range was
untested. Pass an ...any arg to slog.Log/Logger.Log and a slog.Attr to
slog.LogAttrs/Logger.LogAttrs, with inline expectations asserting they're
captured as logged components.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-17 20:27:00 -07:00
sauyon
00427d204c Go: Model log/slog as a logging sink 
The standard-library structured logger `log/slog` (Go 1.21+) was not
modeled, so `go/log-injection` and `go/clear-text-logging` were blind to
any code that logs through it.

Model its logging functions and `*slog.Logger` methods — `Debug`, `Info`,
`Warn`, `Error`, their `Context` variants, and `Log`/`LogAttrs` — as
`log-injection` sinks (the kind that feeds `LoggerCall`, powering both
queries). Adds `log/slog` cases to the `LoggerCall` library test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-17 20:02:29 -07:00
Owen Mansel-Chan
e618883866 Merge pull request #21969 from github/copilot/investigate-missing-alerts 
Python: Track instance attributes through type tracking
 2026-06-18 00:04:45 +01:00
Owen Mansel-Chan
c7c1eca415 Merge branch 'main' into copilot/investigate-missing-alerts 2026-06-17 22:54:22 +01:00
Mathias Vorreiter Pedersen
3dd3e2c643 Merge pull request #21998 from MathiasVP/fix-autogenerated-dbschemes 
Shared/Python: #21935 follow up
 2026-06-17 17:30:20 +01:00
Mathias Vorreiter Pedersen
55f2f041ee Shared: Ensure that YAML comment extraction is properly reflected in the dbscheme template. 2026-06-17 17:05:04 +01:00
Mathias Vorreiter Pedersen
004a5b4645 Python: Ensure that YAML comment extraction is properly reflected in the dbscheme template. 2026-06-17 17:04:43 +01:00
Jeroen Ketema
fefe01ecbf Java: Update expected test results after extractor changes 2026-06-17 17:40:23 +02:00
Sotiris Dragonas
7960c5c291 Merge pull request #21953 from github/bazookamusic/cwe-1427 
[Javascript] Prompt Injection queries
 2026-06-17 18:05:18 +03:00
Sotiris Dragonas
57f20064ba Merge branch 'main' into bazookamusic/cwe-1427 2026-06-17 17:12:20 +03:00
Owen Mansel-Chan
1f9899d7db Extend added type tracking step to related types 2026-06-17 15:04:53 +01:00
Owen Mansel-Chan
dd61dd2d74 Fix FP for py/modification-of-locals 2026-06-17 14:24:18 +01:00
Owen Mansel-Chan
47c2c9e763 Add test for FP for py/modification-of-locals 2026-06-17 14:22:42 +01:00
Michael B. Gale
1cb5be52d0 Merge branch 'add-yaml-comments' 2026-06-17 13:59:08 +01:00