MarkLee131
26af52897d
Merge branch 'main' into fix/path-injection-read-subkind
2026-05-07 23:48:42 +08:00
github-actions[bot]
88e1d86c27
Release preparation for version 2.25.4
2026-05-05 09:34:30 +00:00
Kaixuan Li
07e97e20d8
Merge branch 'github:main' into fix/path-injection-read-subkind
2026-04-21 22:59:53 +10:00
MarkLee131
c336a1595d
Java: split read-only path sinks into path-injection[read]
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.
Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.
- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
migrated from the historical read-file kind (plus the newer
ClassLoader resource-lookup variants that share the same read-only
semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
PathSanitizer.qll: select both path-injection and
path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
path-injection, with a comment explaining why path-injection[read]
is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
add m7 regression covering the Dubbo-style classpath lookup from
issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
java/ql/src/change-notes.
2026-04-21 09:17:36 +10:00
github-actions[bot]
c861d99802
Release preparation for version 2.25.3
2026-04-20 09:27:23 +00:00
github-actions[bot]
4fe2f6d2b4
Release preparation for version 2.25.2
2026-04-06 10:30:38 +00:00
Óscar San José
59eec7ffa2
Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1
2026-03-30 10:51:12 +02:00
github-actions[bot]
fb011842c9
Release preparation for version 2.25.1
2026-03-25 23:43:06 +00:00
github-actions[bot]
8cf0954796
Release preparation for version 2.25.1
2026-03-25 08:28:30 +00:00
Óscar San José
2139b97628
Merge branch 'main' into post-release-prep/codeql-cli-2.25.0
2026-03-19 13:07:00 +01:00
github-actions[bot]
d6055754b6
Release preparation for version 2.25.0
2026-03-16 12:15:34 +00:00
Owen Mansel-Chan
52809133f5
Add change notes
2026-03-13 11:10:43 +00:00
github-actions[bot]
7795badd18
Release preparation for version 2.24.3
2026-03-02 13:23:40 +00:00
Idriss Riouak
744ade6720
Merge pull request #21338 from github/idrissrio/java/fix-change-note
Java: Fix Maven change note
2026-02-17 14:48:37 +01:00
Idriss Riouak
c877487e11
Merge pull request #21337 from github/idrissrio/java/jdk26-note
Java: Add change note for Java 26 and updated supported languages
2026-02-17 14:48:16 +01:00
idrissrio
5151df456c
Java: Fix Maven change note
2026-02-17 14:27:27 +01:00
idrissrio
8aa839f4c0
Java: Address review comments
2026-02-17 14:19:12 +01:00
idrissrio
bd94ceddd9
Java: Add change note for JDK 26
2026-02-17 13:58:55 +01:00
github-actions[bot]
ef04f927fb
Release preparation for version 2.24.2
2026-02-16 13:29:25 +00:00
github-actions[bot]
0db542e9f0
Release preparation for version 2.24.1
2026-02-02 12:09:09 +00:00
Nick Rolfe
783676566c
Fix typo in changelog
2026-01-19 15:12:05 +00:00
github-actions[bot]
4142b9c4ce
Release preparation for version 2.24.0
2026-01-19 14:49:14 +00:00
Mauro Baluda
4b7662f652
Merge branch 'main' into couchdb
2026-01-13 21:50:44 +01:00
Ian Lynagh
dcd0a69759
Merge remote-tracking branch 'upstream/main' into igfoo/mb
2026-01-13 01:01:35 +00:00
Mauro Baluda
4c8058d97b
Merge branch 'github:main' into couchdb
2026-01-09 17:20:40 +01:00
github-actions[bot]
c00663766e
Release preparation for version 2.23.9
2026-01-05 11:57:06 +00:00
Mauro Baluda
cb341609e7
Add change notes for Couchbase sinks
2025-12-24 20:41:11 +01:00
Mauro Baluda
15ee88ee24
SQLi test case
2025-12-24 20:30:21 +01:00
yoff
50e9057db1
java: add change note
2025-12-16 10:11:05 +01:00
github-actions[bot]
66c51e979e
Release preparation for version 2.23.8
2025-12-08 14:38:23 +00:00
idrissrio
a0e7afde8e
Java: Add change note for Maven compiler flags
2025-12-08 12:14:03 +01:00
github-actions[bot]
a045b317ac
Release preparation for version 2.23.7
2025-12-02 15:31:27 +00:00
github-actions[bot]
19a13467e0
Release preparation for version 2.23.7
2025-12-01 16:07:37 +00:00
Paul Hodgkinson
801cd72965
Merge branch 'main' into java-kotlin-sensitive-logging-substring-barriers
2025-11-20 12:24:22 +00:00
aegilops
1e67907516
Merge commit
2025-11-20 12:22:39 +00:00
aegilops
62ee6d3a33
Made changes requested by reviewers - bounded() for range checking, style and better comments
2025-11-20 11:46:42 +00:00
github-actions[bot]
18fa6799ce
Release preparation for version 2.23.6
2025-11-17 16:38:07 +00:00
Paul Hodgkinson
7b25e22a37
Merge branch 'main' into java-kotlin-sensitive-logging-substring-barriers
2025-11-17 11:03:39 +00:00
aegilops
528c451007
Added change note, adjusted spacing in comment
2025-11-17 11:02:59 +00:00
Idriss Riouak
d916ebdc24
Java: Address review comments. Improve Change note
Co-authored-by: Chris Smowton <smowton@github.com>
2025-11-14 09:53:09 +01:00
idrissrio
e6d4e515b0
Java: Add change note for Maven Java version auto-detection
2025-11-13 09:41:32 +01:00
Napalys Klicius
d122534398
Merge pull request #20671 from github/napalys/adjust_query_severity
Adjust query severity ratings
2025-11-11 12:37:31 +01:00
github-actions[bot]
64fcdd1f2f
Release preparation for version 2.23.4
2025-11-03 14:52:23 +00:00
yoff
4461be180a
Merge pull request #19539 from yoff/java/conflicting-access
2025-10-28 20:37:44 +01:00
Tom Hvitved
ce379161fc
Add change note
2025-10-24 09:34:11 +02:00
Napalys Klicius
9c70ae04fb
Add change note
2025-10-22 11:48:16 +00:00
Joe Farebrother
f57526eedc
Merge pull request #20572 from joefarebrother/java-httponly-cookie-promote
Java: Promote Sensitive Cookie without HttpOnly query from experimental
2025-10-15 10:28:40 +01:00
github-actions[bot]
33542f7d40
Release preparation for version 2.23.3
2025-10-14 09:30:24 +00:00
Joe Farebrother
1c54296545
Add change note
2025-10-13 14:51:17 +01:00
yoff
5b30153113
java: add Escaping query (P1)
2025-10-09 09:14:16 +02:00