hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 12:48:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,449 Commits 1,723 Branches 164 Tags
codeql-cli/v2.25.1
Commit Graph

86449 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
REDMOND\brodes
f6c302b68c Removing commented out test cases. 2026-02-06 11:28:48 -05:00
REDMOND\brodes
4f11913ee5 removing SSRFSink.qll 2026-02-06 11:23:58 -05:00
REDMOND\brodes
42f6e6a19c Fixing inefficiently passed variable in nested existential quantification. 2026-02-06 11:20:15 -05:00
REDMOND\brodes
97f19d03ad Updating test case expected alerts. 2026-02-06 11:20:13 -05:00
REDMOND\brodes
97ddab0724 Added support for new URIValidator in AntiSSRF library. Updated test caes to use postprocessing results. Currently results for partial ssrf still need work, it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet. 2026-02-06 11:20:11 -05:00
REDMOND\brodes
27e19813be Removing an upstream change log, not needed for local fork update. 2026-02-06 11:20:10 -05:00
REDMOND\brodes
88adb05d4b Adjusting acryonym for SSRF for casing standards. 2026-02-06 11:20:08 -05:00
REDMOND\brodes
265922d2e5 Adding docs. 2026-02-06 11:20:01 -05:00
REDMOND\brodes
7db97799c1 Moved change log to correct location. 2026-02-06 11:19:22 -05:00
Ben Rodes
08b72d0a86 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:51 -05:00
Ben Rodes
46a2a249f9 Update python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2026-02-06 11:18:49 -05:00
REDMOND\brodes
b8ba905253 Added change logs. 2026-02-06 11:18:23 -05:00
REDMOND\brodes
9912aaaf1a Adding azure sdk test cases and updated test expected file. 2026-02-06 11:18:16 -05:00
Paolo Tranquilli
48db24d184 Merge pull request #21287 from github/redsun82/fix-rust-deps-patching 
Bazel: fix Rust deps patching for semver build metadata
 2026-02-06 17:17:24 +01:00
REDMOND\brodes
8459eec239 Moving the SsrfSink concept into Concepts.qll, and renaming to HttpClientRequestFromModel as suggested in PR review. 2026-02-06 09:26:49 -05:00
Anders Fugmann
c5179e40c6 Kotlin: Add change note for supporting 2.3.10 2026-02-06 14:59:34 +01:00
github-actions[bot]
38830ddc5c Bazel: fix Rust deps patching for semver build metadata 
Handle crate versions containing `+` build metadata (e.g., `0.9.11+spec-1.1.0`).
Bazel repo names use `-` instead of `+`, so the generated labels need patching
to reference the correct repo name.

Also adds documentation for both patching issues handled by patch_defs.py.
 2026-02-06 14:58:34 +01:00
Anders Fugmann
d5827b5cca Kotlin: Support Kotlin 2.3.10 2026-02-06 14:54:08 +01:00
Michael Nebel
6c355a1bf8 C#: Update test expected output. 2026-02-06 14:38:27 +01:00
Michael Nebel
e550d4937c C#: Update parameter modifiers test to include lambda expression from the new test file. 2026-02-06 14:37:50 +01:00
Michael Nebel
62a6b5985d C#: Add test cases for lambda parameter modifiers. 2026-02-06 14:37:11 +01:00
Mathias Vorreiter Pedersen
2c05624088 Merge pull request #21280 from MathiasVP/make-getChildCount-more-robust 
C++: Make 'getChildCount' more robust by counting indices instead of elements
 2026-02-06 12:19:20 +00:00
Ben Rodes
ac1987f264 Update python/ql/lib/change-notes/2025-09-30-azure_ssrf_models.md 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2026-02-05 15:44:44 -05:00
Mathias Vorreiter Pedersen
d57a42a7f7 C++: Make 'getChildCount' more robust by counting indexes instead of 'TranslatedDeclarationEntry's. 2026-02-05 20:23:45 +00:00
Tom Hvitved
32aaac27ec Rust: Add type inference regression test 2026-02-05 17:29:42 +01:00
Tom Hvitved
2dc7576232 Rust: Rework call disambiguation logic 2026-02-05 17:29:40 +01:00
Geoffrey White
05a487ec3b Rust: Repair following merge. 2026-02-05 15:56:58 +00:00
Geoffrey White
c0a5c63e8e Merge branch 'main' into neutralmodels 2026-02-05 15:53:28 +00:00
Taus
5adc9f8ff0 Merge pull request #21274 from github/tausbn/python-fix-parsing-of-format-specifiers 
Python: Fix syntax error when `=` is used as a format fill character
 2026-02-05 16:37:42 +01:00
Michael Nebel
02e4a8b6f7 C#: Add change-note. 2026-02-05 15:52:43 +01:00
Michael Nebel
bd3e4d3d7e C#: Add MaD tests for extensions. 2026-02-05 15:38:29 +01:00
Michael Nebel
4b6a53b577 C#: Add extension data flow test. 2026-02-05 15:38:27 +01:00
Michael Nebel
6cbe000d51 C#: Add PrintAst test for extensions. 2026-02-05 15:38:25 +01:00
Michael Nebel
c040daab9c C#: Add extensions test. 2026-02-05 15:38:20 +01:00
Michael Nebel
849823eff6 C#: Add dispatch logic for calling extensions accessors as methods. 2026-02-05 15:38:16 +01:00
Michael Nebel
e831c80a23 C#: Replace extension parameter access with the corresponding synthetic parameter. 2026-02-05 15:38:14 +01:00
Michael Nebel
5e02a86542 C#: Add extension call classes. 2026-02-05 15:38:12 +01:00
Michael Nebel
b9f36f37b6 C#: Add extension callable and accessor classes. 2026-02-05 15:38:09 +01:00
Michael Nebel
9a4a6cfcb8 C#: Add ExtensionType to the QL library. 2026-02-05 15:38:07 +01:00
Michael Nebel
edfdc9812f C#: Extract extension types and members. Replacing invocations to static generated methods with invocation of extension type member. 2026-02-05 15:38:05 +01:00
Michael Nebel
ab505e3281 C#: Add class for making synthetic parameter entities. 2026-02-05 15:38:02 +01:00
Taus
8c27437628 Python: Bump extractor version and add change note 2026-02-05 13:50:54 +00:00
Taus
12ee93042b Python: Add tests 2026-02-05 13:47:24 +00:00
Taus
bac356c9a1 Python: Regenerate parser files 2026-02-05 13:46:59 +00:00
Taus
68c1a3d389 Python: Fix syntax error when = is used as a format fill character 
An example (provided by @redsun82) is the string `f"{x:=^20}"`. Parsing
this (with unnamed nodes shown) illustrates the problem:

```
module [0, 0] - [2, 0]
  expression_statement [0, 0] - [0, 11]
    string [0, 0] - [0, 11]
      string_start [0, 0] - [0, 2]
      interpolation [0, 2] - [0, 10]
        "{" [0, 2] - [0, 3]
        expression: named_expression [0, 3] - [0, 9]
          name: identifier [0, 3] - [0, 4]
          ":=" [0, 4] - [0, 6]
          ERROR [0, 6] - [0, 7]
            "^" [0, 6] - [0, 7]
          value: integer [0, 7] - [0, 9]
        "}" [0, 9] - [0, 10]
      string_end [0, 10] - [0, 11]
```
Observe that we've managed to combine the format specifier token `:` and
the fill character `=` in a single token (which doesn't match the `:` we
expect in the grammar rule), and hence we get a syntax error.

If we change the `=` to some other character (e.g. a `-`), we instead
get

```
module [0, 0] - [2, 0]
  expression_statement [0, 0] - [0, 11]
    string [0, 0] - [0, 11]
      string_start [0, 0] - [0, 2]
      interpolation [0, 2] - [0, 10]
        "{" [0, 2] - [0, 3]
        expression: identifier [0, 3] - [0, 4]
        format_specifier: format_specifier [0, 4] - [0, 9]
          ":" [0, 4] - [0, 5]
        "}" [0, 9] - [0, 10]
      string_end [0, 10] - [0, 11]
```
and in particular no syntax error.

To fix this, we want to ensure that the `:` is lexed on its own, and the
`token(prec(1, ...))` construction can be used to do exactly this.

Finally, you may wonder why `=` is special here. I think what's going on
is that the lexer knows that `:=` is a token on its own (because it's
used in the walrus operator), and so it greedily consumes the following
`=` with this in mind.
 2026-02-05 13:45:54 +00:00
Tom Hvitved
2764d697d2 Rust: Merge Input1 and Input2 modules 2026-02-05 14:29:46 +01:00
Tom Hvitved
c62d95ac9d Rust: More type inference tests 2026-02-05 14:29:41 +01:00
Paolo Tranquilli
05bef12ddd Merge pull request #21265 from github/redsun82/csharp-csrf-inheritance 
C#: Fix CSRF query to check antiforgery attributes on base classes
 2026-02-05 14:20:30 +01:00
Idriss Riouak
1df3adf021 Merge pull request #21244 from github/idrissrio/cpp/overlay/changes-json 
C/C++ overlay: use files table instead of `overlayChangedFiles` for overlay discard
 2026-02-05 13:15:07 +01:00
Tom Hvitved
025f73301b Rust: Move some overloading tests into a separate file 2026-02-05 12:49:53 +01:00