mirror of
https://github.com/github/codeql.git
synced 2026-06-25 22:57:01 +02:00
Compare commits
1 Commits
codeql-cli
...
copilot/co
| Author | SHA1 | Date | |
|---|---|---|---|
|
7a4dd94838 |
@@ -1,10 +1,3 @@
|
||||
## 0.4.38
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
|
||||
## 0.4.37
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
@@ -1,6 +0,0 @@
|
||||
## 0.4.38
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.38
|
||||
lastReleaseVersion: 0.4.37
|
||||
|
||||
@@ -42,15 +42,6 @@ string actor_not_attacker_event() {
|
||||
]
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
|
||||
* reusable workflow containing `ej`. Used with transitive closure to
|
||||
* walk up nested reusable workflow chains.
|
||||
*/
|
||||
private ExternalJob getAnOuterCaller(ExternalJob ej) {
|
||||
result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
|
||||
}
|
||||
|
||||
/** An If node that contains an actor, user or label check */
|
||||
abstract class ControlCheck extends AstNode {
|
||||
ControlCheck() {
|
||||
@@ -62,170 +53,43 @@ abstract class ControlCheck extends AstNode {
|
||||
|
||||
predicate protects(AstNode node, Event event, string category) {
|
||||
// The check dominates the step it should protect
|
||||
this.dominates(node, event) and
|
||||
this.dominates(node) and
|
||||
// The check is effective against the event and category
|
||||
this.protectsCategoryAndEvent(category, event.getName()) and
|
||||
// The check can be triggered by the event
|
||||
this.getATriggerEvent() = event and
|
||||
// For reusable workflows, there must be no unprotected caller chain for this event.
|
||||
(
|
||||
not node.getEnclosingWorkflow() instanceof ReusableWorkflow
|
||||
or
|
||||
this.dominatesSameWorkflow(node, event)
|
||||
or
|
||||
not exists(ExternalJob directCaller |
|
||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||
unprotectedCallerChain(directCaller, event, category)
|
||||
)
|
||||
)
|
||||
this.getATriggerEvent() = event
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check must execute and pass before `node` can run.
|
||||
*/
|
||||
predicate dominates(AstNode node, Event event) {
|
||||
this.dominatesSameWorkflow(node, event)
|
||||
or
|
||||
// When the node is inside a reusable workflow,
|
||||
// this check dominates via at least one caller chain.
|
||||
this.dominatesViaCaller(node, event, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check dominates `node` within the same workflow.
|
||||
*/
|
||||
predicate dominatesSameWorkflow(AstNode node, Event event) {
|
||||
this.getATriggerEvent() = event and
|
||||
(
|
||||
// Step-level: the check is an `if:` on the step containing `node`,
|
||||
// or on the enclosing job, or on a needed job/step.
|
||||
this instanceof If and
|
||||
(
|
||||
node.getEnclosingStep().getIf() = this or
|
||||
node.getEnclosingJob().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
)
|
||||
or
|
||||
// Job-level: the check is an environment on the enclosing job or a needed job.
|
||||
this instanceof Environment and
|
||||
(
|
||||
node.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
// Step-level: the check is a Run/UsesStep that precedes `node`'s step
|
||||
// in the same job, or is a step in a needed job.
|
||||
(
|
||||
this instanceof Run or
|
||||
this instanceof UsesStep
|
||||
) and
|
||||
(
|
||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check dominates `node` in a reusable workflow
|
||||
* via the caller chain starting at `directCaller`.
|
||||
*/
|
||||
predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
|
||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||
directCaller.getATriggerEvent() = event and
|
||||
exists(ExternalJob caller |
|
||||
caller = getAnOuterCaller*(directCaller) and
|
||||
this.dominatesCaller(caller)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check directly dominates `caller`.
|
||||
*/
|
||||
predicate dominatesCaller(ExternalJob caller) {
|
||||
predicate dominates(AstNode node) {
|
||||
this instanceof If and
|
||||
(
|
||||
caller.getIf() = this or
|
||||
caller.getANeededJob().(LocalJob).getIf() = this or
|
||||
caller.getANeededJob().(LocalJob).getAStep().getIf() = this
|
||||
node.getEnclosingStep().getIf() = this or
|
||||
node.getEnclosingJob().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
)
|
||||
or
|
||||
this instanceof Environment and
|
||||
(
|
||||
caller.getEnvironment() = this or
|
||||
caller.getANeededJob().getEnvironment() = this
|
||||
node.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
(this instanceof Run or this instanceof UsesStep) and
|
||||
caller.getANeededJob().(LocalJob).getAStep() = this
|
||||
(
|
||||
this instanceof Run or
|
||||
this instanceof UsesStep
|
||||
) and
|
||||
(
|
||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
|
||||
)
|
||||
}
|
||||
|
||||
abstract predicate protectsCategoryAndEvent(string category, string event);
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check directly protects `caller`.
|
||||
*/
|
||||
bindingset[caller, event, category]
|
||||
private predicate protectedCaller(ExternalJob caller, Event event, string category) {
|
||||
exists(ControlCheck check |
|
||||
check.protectsCategoryAndEvent(category, event.getName()) and
|
||||
check.getATriggerEvent() = event and
|
||||
check.dominatesCaller(caller)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
private newtype TCallerState =
|
||||
MkCallerState(ExternalJob caller, Event event, string category) {
|
||||
caller.getATriggerEvent() = event and
|
||||
category = any_category()
|
||||
}
|
||||
|
||||
private class CallerState extends TCallerState, MkCallerState {
|
||||
ExternalJob caller;
|
||||
Event event;
|
||||
string category;
|
||||
|
||||
CallerState() { this = MkCallerState(caller, event, category) }
|
||||
|
||||
ExternalJob getCaller() { result = caller }
|
||||
|
||||
Event getEvent() { result = event }
|
||||
|
||||
string getCategory() { result = category }
|
||||
|
||||
/**
|
||||
* Gets an outer caller state if this caller is not protected.
|
||||
*/
|
||||
CallerState getUnprotectedOuterState() {
|
||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||
result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
|
||||
}
|
||||
|
||||
predicate isUnprotectedOutermost() {
|
||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||
not exists(getAnOuterCaller(this.getCaller()))
|
||||
}
|
||||
|
||||
string toString() { result = caller + " / " + event + " / " + category }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there is a caller path from `caller` to an outer workflow that has no protection.
|
||||
*/
|
||||
bindingset[caller, event, category]
|
||||
private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
|
||||
exists(CallerState start, CallerState outermost |
|
||||
start = MkCallerState(caller, event, category) and
|
||||
outermost = start.getUnprotectedOuterState*() and
|
||||
outermost.isUnprotectedOutermost()
|
||||
)
|
||||
}
|
||||
|
||||
abstract class AssociationCheck extends ControlCheck {
|
||||
// Checks if the actor is a MEMBER/OWNER the repo
|
||||
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.38
|
||||
version: 0.4.38-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.6.30
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||
|
||||
## 0.6.29
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
|
||||
where
|
||||
job.isPrivileged() and
|
||||
job.getAStep() = checkout and
|
||||
check.dominates(checkout, event) and
|
||||
check.dominates(checkout) and
|
||||
(
|
||||
job.getATriggerEvent() = event and
|
||||
event.getName() = "pull_request_target" and
|
||||
|
||||
@@ -34,8 +34,8 @@ where
|
||||
check instanceof AssociationCheck or
|
||||
check instanceof PermissionCheck
|
||||
) and
|
||||
check.dominates(checkout, event) and
|
||||
date_check.dominates(checkout, event)
|
||||
check.dominates(checkout) and
|
||||
date_check.dominates(checkout)
|
||||
)
|
||||
or
|
||||
// not issue_comment triggered workflows
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.6.30
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.30
|
||||
lastReleaseVersion: 0.6.29
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.30
|
||||
version: 0.6.30-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
ref: ${{ inputs.COMMIT_SHA }}
|
||||
- run: |
|
||||
npm install
|
||||
npm run lint
|
||||
|
||||
@@ -1,13 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
|
||||
|
||||
@@ -1,33 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build_safe:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
build_unsafe:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
@@ -1,31 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
#needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # should alert
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
@@ -1,26 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -1,31 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build_unsafe:
|
||||
# needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||
build_safe:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -1,8 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -1,26 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -1,26 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
# needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -1,41 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
needs: is-collaborator
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
build_unsafe:
|
||||
runs-on: ubuntu-latest
|
||||
# needs: is-collaborator
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
@@ -1,48 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator-a:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
caller-a:
|
||||
needs: is-collaborator-a
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
is-collaborator-b:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
caller-b:
|
||||
needs: is-collaborator-b
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -93,8 +93,6 @@ edges
|
||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
||||
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
||||
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
||||
@@ -336,17 +334,6 @@ edges
|
||||
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
||||
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
||||
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
||||
@@ -357,9 +344,6 @@ edges
|
||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
@@ -393,5 +377,3 @@ edges
|
||||
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
|
||||
@@ -1,20 +1,3 @@
|
||||
## 11.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||
* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
|
||||
* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
|
||||
* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
|
||||
* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
|
||||
* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
|
||||
* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
|
||||
|
||||
## 10.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
## 11.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 11.0.0
|
||||
lastReleaseVersion: 10.2.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 11.0.0
|
||||
version: 10.2.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.6.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.6.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.5
|
||||
lastReleaseVersion: 1.6.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.6.5
|
||||
version: 1.6.5-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.68
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.69
|
||||
lastReleaseVersion: 1.7.68
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.69
|
||||
version: 1.7.69-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.68
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.69
|
||||
lastReleaseVersion: 1.7.68
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.69
|
||||
version: 1.7.69-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,19 +1,3 @@
|
||||
## 7.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||
* Improved call target resolution for ref-return properties and indexers.
|
||||
|
||||
## 6.0.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved call target resolution for ref-return properties and indexers.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||
@@ -1,15 +0,0 @@
|
||||
## 7.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||
* Improved call target resolution for ref-return properties and indexers.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 7.0.0
|
||||
lastReleaseVersion: 6.0.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 7.0.0
|
||||
version: 6.0.3-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -14,6 +14,54 @@
|
||||
|
||||
import csharp
|
||||
|
||||
/**
|
||||
* Gets a callable that either directly captures local variable `v`, or which
|
||||
* is enclosed by the callable that declares `v` and encloses a callable that
|
||||
* captures `v`.
|
||||
*/
|
||||
Callable getACapturingCallableAncestor(LocalVariable v) {
|
||||
result = v.getACapturingCallable()
|
||||
or
|
||||
exists(Callable mid | mid = getACapturingCallableAncestor(v) |
|
||||
result = mid.getEnclosingCallable() and
|
||||
not v.getEnclosingCallable() = result
|
||||
)
|
||||
}
|
||||
|
||||
Expr getADelegateExpr(Callable c) {
|
||||
c = result.(CallableAccess).getTarget()
|
||||
or
|
||||
result = c.(AnonymousFunctionExpr)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `c` is a call where any delegate argument is evaluated immediately.
|
||||
*/
|
||||
predicate nonEscapingCall(Call c) {
|
||||
exists(string name | c.getTarget().hasName(name) |
|
||||
name =
|
||||
[
|
||||
"ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
|
||||
"LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
|
||||
]
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `v` is a captured local variable, and one of the callables capturing
|
||||
* `v` may escape the local scope.
|
||||
*/
|
||||
predicate mayEscape(LocalVariable v) {
|
||||
exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
|
||||
e = getADelegateExpr(c) and
|
||||
DataFlow::localExprFlow(e, succ) and
|
||||
not succ = any(DelegateCall dc).getExpr() and
|
||||
not succ = any(Cast cast).getExpr() and
|
||||
not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
|
||||
not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
|
||||
)
|
||||
}
|
||||
|
||||
class RelevantDefinition extends AssignableDefinition {
|
||||
RelevantDefinition() {
|
||||
this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
|
||||
@@ -46,6 +94,8 @@ class RelevantDefinition extends AssignableDefinition {
|
||||
// SSA definitions are only created for live variables
|
||||
this = any(SsaExplicitWrite ssaDef).getDefinition()
|
||||
or
|
||||
mayEscape(v)
|
||||
or
|
||||
v.isCaptured()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.5
|
||||
lastReleaseVersion: 1.7.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.7.5
|
||||
version: 1.7.5-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.0.52
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.0.51
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.0.52
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.0.52
|
||||
lastReleaseVersion: 1.0.51
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql-go-consistency-queries
|
||||
version: 1.0.52
|
||||
version: 1.0.52-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,20 +1,3 @@
|
||||
## 7.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||
through `slog`.
|
||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||
* More logging functions are now recognized as not returning or panicking.
|
||||
|
||||
## 7.1.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* More logging functions are now recognized as not returning or panicking.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||
4
go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
Normal file
4
go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||
8
go/ql/lib/change-notes/2026-06-17-model-log-slog.md
Normal file
8
go/ql/lib/change-notes/2026-06-17-model-log-slog.md
Normal file
@@ -0,0 +1,8 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||
through `slog`.
|
||||
@@ -1,16 +0,0 @@
|
||||
## 7.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||
through `slog`.
|
||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||
* More logging functions are now recognized as not returning or panicking.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 7.2.0
|
||||
lastReleaseVersion: 7.1.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 7.2.0
|
||||
version: 7.1.3-dev
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 1.6.5
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 1.6.5
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.5
|
||||
lastReleaseVersion: 1.6.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 1.6.5
|
||||
version: 1.6.5-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
import pathlib
|
||||
import pytest
|
||||
|
||||
|
||||
def test(codeql, java_full, kotlinc_2_3_20):
|
||||
@pytest.mark.kotlin1
|
||||
def test(codeql, java_full):
|
||||
java_srcs = " ".join([str(s) for s in pathlib.Path().glob("*.java")])
|
||||
codeql.database.create(
|
||||
command=[
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
import commands
|
||||
import pytest
|
||||
|
||||
|
||||
def test(codeql, java_full, kotlinc_2_3_20):
|
||||
@pytest.mark.kotlin1
|
||||
def test(codeql, java_full):
|
||||
commands.run("kotlinc -language-version 1.9 test.kt -d lib")
|
||||
codeql.database.create(command="kotlinc -language-version 1.9 user.kt -cp lib")
|
||||
|
||||
@@ -1,2 +1,6 @@
|
||||
def test(codeql, java_full, kotlinc_2_3_20):
|
||||
codeql.database.create(command=f"kotlinc -J-Xmx2G -language-version 1.9 SomeClass.kt")
|
||||
import pytest
|
||||
|
||||
|
||||
@pytest.mark.kotlin1
|
||||
def test(codeql, java_full):
|
||||
codeql.database.create(command="kotlinc -J-Xmx2G -language-version 1.9 SomeClass.kt")
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
import commands
|
||||
import pytest
|
||||
|
||||
|
||||
def test(codeql, java_full, kotlinc_2_3_20):
|
||||
@pytest.mark.kotlin1
|
||||
def test(codeql, java_full):
|
||||
commands.run("kotlinc -language-version 1.9 A.kt")
|
||||
codeql.database.create(command="kotlinc -cp . -language-version 1.9 B.kt C.kt")
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
import commands
|
||||
import pytest
|
||||
|
||||
|
||||
def test(codeql, java_full, kotlinc_2_3_20):
|
||||
@pytest.mark.kotlin1
|
||||
def test(codeql, java_full):
|
||||
commands.run(["javac", "Test.java", "-d", "bin"])
|
||||
codeql.database.create(command="kotlinc -language-version 1.9 user.kt -cp bin")
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
import commands
|
||||
import pytest
|
||||
|
||||
|
||||
def test(codeql, java_full, kotlinc_2_3_20):
|
||||
@pytest.mark.kotlin1
|
||||
def test(codeql, java_full):
|
||||
# Compile the JavaDefns2 copy outside tracing, to make sure the Kotlin view of it matches the Java view seen by the traced javac compilation of JavaDefns.java below.
|
||||
commands.run(["javac", "JavaDefns2.java"])
|
||||
codeql.database.create(
|
||||
|
||||
@@ -1,13 +1,3 @@
|
||||
## 9.2.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Kotlin 2.4.0 can now be analysed.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.
|
||||
|
||||
## 9.1.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,9 +1,4 @@
|
||||
## 9.2.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Kotlin 2.4.0 can now be analysed.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.
|
||||
4
java/ql/lib/change-notes/2026-06-04-kotlin-2.4.0.md
Normal file
4
java/ql/lib/change-notes/2026-06-04-kotlin-2.4.0.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Kotlin 2.4.0 can now be analysed.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 9.2.0
|
||||
lastReleaseVersion: 9.1.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 9.2.0
|
||||
version: 9.1.3-dev
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.11.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.11.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.11.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.11.5
|
||||
lastReleaseVersion: 1.11.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 1.11.5
|
||||
version: 1.11.5-dev
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -1,14 +1,3 @@
|
||||
## 2.8.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added `UseMemoDirective` and `UseNoMemoDirective` classes to model the React compiler directives `"use memo"` and `"use no memo"`.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added more prompt-injection sinks for the OpenAI, Anthropic, and Google GenAI SDKs: OpenAI `videos.create`/`edit`/`extend`/`remix` (Sora) prompts and `beta.realtime.sessions.create` instructions, Anthropic legacy `completions.create` prompts, and Google GenAI `caches.create` cached contents and system instructions.
|
||||
* The OpenAI legacy `completions.create` prompt is now treated as a user-prompt-injection sink instead of a system-prompt-injection sink, since the legacy `/v1/completions` endpoint takes a single free-form prompt with no role separation.
|
||||
|
||||
## 2.7.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added `UseMemoDirective` and `UseNoMemoDirective` classes to model the React compiler directives `"use memo"` and `"use no memo"`.
|
||||
@@ -1,10 +1,5 @@
|
||||
## 2.8.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added `UseMemoDirective` and `UseNoMemoDirective` classes to model the React compiler directives `"use memo"` and `"use no memo"`.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added more prompt-injection sinks for the OpenAI, Anthropic, and Google GenAI SDKs: OpenAI `videos.create`/`edit`/`extend`/`remix` (Sora) prompts and `beta.realtime.sessions.create` instructions, Anthropic legacy `completions.create` prompts, and Google GenAI `caches.create` cached contents and system instructions.
|
||||
* The OpenAI legacy `completions.create` prompt is now treated as a user-prompt-injection sink instead of a system-prompt-injection sink, since the legacy `/v1/completions` endpoint takes a single free-form prompt with no role separation.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 2.8.0
|
||||
lastReleaseVersion: 2.7.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-all
|
||||
version: 2.8.0
|
||||
version: 2.7.3-dev
|
||||
groups: javascript
|
||||
dbscheme: semmlecode.javascript.dbscheme
|
||||
extractor: javascript
|
||||
|
||||
@@ -1,10 +1,3 @@
|
||||
## 2.4.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new query, `js/system-prompt-injection`, to detect cases where untrusted, user-provided values flow into the system prompt of an AI model, allowing an attacker to manipulate the model's behavior.
|
||||
* Added a new experimental query, `javascript/ssrf-ipv6-transition-incomplete-guard`, to detect SSRF host-validation guards that reject private IPv4 ranges but fail to unwrap IPv6-transition forms (IPv4-mapped `::ffff:`, NAT64 `64:ff9b::`, 6to4 `2002::`), allowing the guard to be bypassed by wrapping an internal IPv4 address in a transition literal.
|
||||
|
||||
## 2.3.11
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
## 2.4.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new query, `js/system-prompt-injection`, to detect cases where untrusted, user-provided values flow into the system prompt of an AI model, allowing an attacker to manipulate the model's behavior.
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* Added a new experimental query, `javascript/ssrf-ipv6-transition-incomplete-guard`, to detect SSRF host-validation guards that reject private IPv4 ranges but fail to unwrap IPv6-transition forms (IPv4-mapped `::ffff:`, NAT64 `64:ff9b::`, 6to4 `2002::`), allowing the guard to be bypassed by wrapping an internal IPv4 address in a transition literal.
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
|
||||
* Added a new query, `js/system-prompt-injection`, to detect cases where untrusted, user-provided values flow into the system prompt of an AI model, allowing an attacker to manipulate the model's behavior.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 2.4.0
|
||||
lastReleaseVersion: 2.3.11
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-queries
|
||||
version: 2.4.0
|
||||
version: 2.3.12-dev
|
||||
groups:
|
||||
- javascript
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.0.52
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.0.51
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.0.52
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.0.52
|
||||
lastReleaseVersion: 1.0.51
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
name: codeql/suite-helpers
|
||||
version: 1.0.52
|
||||
version: 1.0.52-dev
|
||||
groups: shared
|
||||
warnOnImplicitThis: true
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user