JS: Use HTTP responses as taint sources

2026-06-11 16:01:09 +02:00 · 2024-06-13 09:33:06 +02:00
29 changed files with 56 additions and 6568 deletions
--- a/config/dbscheme-fragments.json
+++ b/config/dbscheme-fragments.json
@@ -28,7 +28,6 @@
    "/*- Yaml dbscheme -*/",
    "/*- Blame dbscheme -*/",
    "/*- JSON dbscheme -*/",
-    "/*- Python dbscheme -*/",
-    "/*- Empty location -*/"
+    "/*- Python dbscheme -*/"
  ]
 }
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.qhelp
@@ -12,8 +12,8 @@ the required buffer size, but do not allocate space for the zero terminator.
 </overview>
 <recommendation>
 <p>
-The highlighted code segment creates a buffer without ensuring it's large enough to accommodate the copied data.
-This leaves the code susceptible to a buffer overflow attack, which could lead to anything from program crashes to malicious code execution.
+The expression highlighted by this rule creates a buffer that is of insufficient size to contain
+the data being copied. This makes the code vulnerable to buffer overflow which can result in anything from a segmentation fault to a security vulnerability (particularly if the array is on stack-allocated memory).
 </p>

 <p>
--- a/cpp/ql/test/library-tests/padding/options
+++ b/cpp/ql/test/library-tests/padding/options
@@ -1 +0,0 @@
-semmle-extractor-options: -D__x86_64=1
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -94,8 +94,6 @@ private import FlowSummaryImpl::Public
 private import FlowSummaryImpl::Private
 private import FlowSummaryImpl::Private::External
 private import semmle.code.csharp.commons.QualifiedName
-private import semmle.code.csharp.dispatch.OverridableCallable
-private import semmle.code.csharp.frameworks.System
 private import codeql.mad.ModelValidation as SharedModelVal

 private predicate relevantNamespace(string namespace) {
@@ -444,16 +442,20 @@ predicate sourceNode(Node node, string kind) { sourceNode(node, kind, _) }
 */
 predicate sinkNode(Node node, string kind) { sinkNode(node, kind, _) }

-private predicate isOverridableCallable(OverridableCallable c) {
-  not exists(Type t, Callable base | c.getOverridee+() = base and t = base.getDeclaringType() |
-    t instanceof SystemObjectClass or
-    t instanceof SystemValueTypeClass
+/** Holds if the summary should apply for all overrides of `c`. */
+predicate isBaseCallableOrPrototype(UnboundCallable c) {
+  c.getDeclaringType() instanceof Interface
+  or
+  exists(Modifiable m | m = [c.(Modifiable), c.(Accessor).getDeclaration()] |
+    m.isAbstract()
+    or
+    c.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
  )
 }

 /** Gets a string representing whether the summary should apply for all overrides of `c`. */
 private string getCallableOverride(UnboundCallable c) {
-  if isOverridableCallable(c) then result = "true" else result = "false"
+  if isBaseCallableOrPrototype(c) then result = "true" else result = "false"
 }

 private module QualifiedNameInput implements QualifiedNameInputSig {
--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll
@@ -8,7 +8,6 @@ private import semmle.code.csharp.commons.Collections as Collections
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.frameworks.system.linq.Expressions
-private import semmle.code.csharp.frameworks.System
 import semmle.code.csharp.dataflow.internal.ExternalFlow as ExternalFlow
 import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
@@ -20,12 +19,10 @@ module TaintTracking = CS::TaintTracking;

 class Type = CS::Type;

-class Callable = CS::Callable;
-
 /**
 * Holds if any of the parameters of `api` are `System.Func<>`.
 */
-private predicate isHigherOrder(Callable api) {
+private predicate isHigherOrder(CS::Callable api) {
  exists(Type t | t = api.getAParameter().getType().getUnboundDeclaration() |
    t instanceof SystemLinqExpressions::DelegateExtType
  )
@@ -35,56 +32,23 @@ private predicate irrelevantAccessor(CS::Accessor a) {
  a.getDeclaration().(CS::Property).isReadWrite()
 }

-private predicate isUninterestingForModels(Callable api) {
-  api.getDeclaringType().getNamespace().getFullName() = ""
-  or
-  api instanceof CS::ConversionOperator
-  or
-  api instanceof Util::MainMethod
-  or
-  api instanceof CS::Destructor
-  or
-  api instanceof CS::AnonymousFunctionExpr
-  or
-  api.(CS::Constructor).isParameterless()
-  or
-  exists(Type decl | decl = api.getDeclaringType() |
-    decl instanceof SystemObjectClass or
-    decl instanceof SystemValueTypeClass
-  )
-  or
+/**
+ * Holds if it is relevant to generate models for `api`.
+ */
+private predicate isRelevantForModels(CS::Callable api) {
+  [api.(CS::Modifiable), api.(CS::Accessor).getDeclaration()].isEffectivelyPublic() and
+  api.getDeclaringType().getNamespace().getFullName() != "" and
+  not api instanceof CS::ConversionOperator and
+  not api instanceof Util::MainMethod and
+  not api instanceof CS::Destructor and
+  not api instanceof CS::AnonymousFunctionExpr and
+  not api.(CS::Constructor).isParameterless() and
+  // Disregard all APIs that have a manual model.
+  not api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) and
+  not api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel()) and
  // Disregard properties that have both a get and a set accessor,
  // which implicitly means auto implemented properties.
-  irrelevantAccessor(api)
-}
-
-private predicate relevant(Callable api) {
-  [api.(CS::Modifiable), api.(CS::Accessor).getDeclaration()].isEffectivelyPublic() and
-  api.fromSource() and
-  api.isUnboundDeclaration() and
-  not isUninterestingForModels(api)
-}
-
-private Callable getARelevantOverrideeOrImplementee(Overridable m) {
-  m.overridesOrImplements(result) and relevant(result)
-}
-
-/**
- * Gets the super implementation of `api` if it is relevant.
- * If such a super implementation does not exist, returns `api` if it is relevant.
- */
-private Callable liftedImpl(Callable api) {
-  (
-    result = getARelevantOverrideeOrImplementee(api)
-    or
-    result = api and relevant(api)
-  ) and
-  not exists(getARelevantOverrideeOrImplementee(result))
-}
-
-private predicate hasManualModel(Callable api) {
-  api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
-  api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
+  not irrelevantAccessor(api)
 }

 /**
@@ -102,37 +66,23 @@ predicate isUninterestingForDataFlowModels(CS::Callable api) { isHigherOrder(api
 predicate isUninterestingForTypeBasedFlowModels(CS::Callable api) { none() }

 /**
- * A class of callables that are potentially relevant for generating summary, source, sink
- * and neutral models.
+ * A class of callables that are relevant generating summary, source and sinks models for.
 *
- * In the Standard library and 3rd party libraries it is the callables (or callables that have a
- * super implementation) that can be called from outside the library itself.
+ * In the Standard library and 3rd party libraries it the callables that can be called
+ * from outside the library itself.
 */
-class TargetApiSpecific extends Callable {
-  private Callable lift;
-
+class TargetApiSpecific extends CS::Callable {
  TargetApiSpecific() {
-    lift = liftedImpl(this) and
-    not hasManualModel(lift)
+    this.fromSource() and
+    this.isUnboundDeclaration() and
+    isRelevantForModels(this)
  }
-
-  /**
-   * Gets the callable that a model will be lifted to.
-   *
-   * The lifted callable is relevant in terms of model
-   * generation (this is ensured by `liftedImpl`).
-   */
-  Callable lift() { result = lift }
-
-  /**
-   * Holds if `this` is relevant in terms of model generation.
-   */
-  predicate isRelevant() { relevant(this) }
 }

-string asPartialModel(TargetApiSpecific api) { result = ExternalFlow::asPartialModel(api.lift()) }
+predicate asPartialModel = ExternalFlow::asPartialModel/1;

-string asPartialNeutralModel(TargetApiSpecific api) { result = ExternalFlow::getSignature(api) }
+/** Computes the first 4 columns for neutral CSV rows of `c`. */
+predicate asPartialNeutralModel = ExternalFlow::getSignature/1;

 /**
 * Holds if `t` is a type that is generally used for bulk data in collection types.
@@ -201,7 +151,7 @@ string paramReturnNodeAsOutput(CS::Callable c, ParameterPosition pos) {
 /**
 * Gets the enclosing callable of `ret`.
 */
-Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
+CS::Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
  result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asCallable()
 }

@@ -226,24 +176,12 @@ private predicate isRelevantMemberAccess(DataFlow::Node node) {

 predicate sinkModelSanitizer(DataFlow::Node node) { none() }

-private class ManualNeutralSinkCallable extends Callable {
-  ManualNeutralSinkCallable() {
-    this =
-      any(FlowSummaryImpl::Public::NeutralCallable nc |
-        nc.hasManualModel() and nc.getKind() = "sink"
-      )
-  }
-}
-
 /**
 * Holds if `source` is an api entrypoint relevant for creating sink models.
 */
 predicate apiSource(DataFlow::Node source) {
  (isRelevantMemberAccess(source) or source instanceof DataFlow::ParameterNode) and
-  exists(Callable enclosing | enclosing = source.getEnclosingCallable() |
-    relevant(enclosing) and
-    not enclosing instanceof ManualNeutralSinkCallable
-  )
+  isRelevantForModels(source.getEnclosingCallable())
 }

 /**
--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureSummaryFlowQuery.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureSummaryFlowQuery.qll
@@ -81,13 +81,10 @@ string captureFlow(DataFlowTargetApi api) {
 }

 /**
- * Gets the neutral summary model for `api`, if any.
- * A neutral summary model is generated, if we are not generating
- * a summary model that applies to `api` and if it relevant to generate
- * a model for `api`.
+ * Gets the neutral model for `api`, if any.
+ * A neutral model is generated, if there does not exist summary model.
 */
 string captureNoFlow(DataFlowTargetApi api) {
-  not exists(DataFlowTargetApi api0 | exists(captureFlow(api0)) and api0.lift() = api.lift()) and
-  api.isRelevant() and
+  not exists(captureFlow(api)) and
  result = ModelPrinting::asNeutralSummaryModel(api)
 }
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql
@@ -1,17 +1,6 @@
 import shared.FlowSummaries
 private import semmle.code.csharp.dataflow.internal.ExternalFlow

-/** Holds if `c` is a base callable or prototype. */
-private predicate isBaseCallableOrPrototype(UnboundCallable c) {
-  c.getDeclaringType() instanceof Interface
-  or
-  exists(Modifiable m | m = [c.(Modifiable), c.(Accessor).getDeclaration()] |
-    m.isAbstract()
-    or
-    c.getDeclaringType().(Modifiable).isAbstract() and m.(Virtualizable).isVirtual()
-  )
-}
-
 class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
  /**
   * Holds if flow is propagated between `input` and `output` and
--- a/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
@@ -245,7 +245,7 @@ public class DerivedClass1Flow : BaseClassFlow

 public class DerivedClass2Flow : BaseClassFlow
 {
-    // summary=Models;BaseClassFlow;true;ReturnParam;(System.Object);;Argument[0];ReturnValue;taint;df-generated
+    // summary=Models;DerivedClass2Flow;false;ReturnParam;(System.Object);;Argument[0];ReturnValue;taint;df-generated
    public override object ReturnParam(object input)
    {
        return input;
@@ -490,76 +490,3 @@ public class ParameterlessConstructor
        IsInitialized = true;
    }
 }
-
-public class Inheritance
-{
-    public abstract class BasePublic
-    {
-        public abstract string Id(string x);
-    }
-
-    public class AImplBasePublic : BasePublic
-    {
-        // summary=Models;Inheritance+BasePublic;true;Id;(System.String);;Argument[0];ReturnValue;taint;df-generated
-        public override string Id(string x)
-        {
-            return x;
-        }
-    }
-
-    public interface IPublic1
-    {
-        string Id(string x);
-    }
-
-    public interface IPublic2
-    {
-        string Id(string x);
-    }
-
-    public abstract class B : IPublic1
-    {
-        public abstract string Id(string x);
-    }
-
-    private abstract class C : IPublic2
-    {
-        public abstract string Id(string x);
-    }
-
-    public class BImpl : B
-    {
-        // summary=Models;Inheritance+IPublic1;true;Id;(System.String);;Argument[0];ReturnValue;taint;df-generated
-        public override string Id(string x)
-        {
-            return x;
-        }
-    }
-
-    private class CImpl : C
-    {
-        // summary=Models;Inheritance+IPublic2;true;Id;(System.String);;Argument[0];ReturnValue;taint;df-generated
-        public override string Id(string x)
-        {
-            return x;
-        }
-    }
-
-    public interface IPublic3
-    {
-        string Prop { get; }
-    }
-
-    public abstract class D : IPublic3
-    {
-        public abstract string Prop { get; }
-    }
-
-    public class DImpl : D
-    {
-        private string tainted;
-
-        // summary=Models;Inheritance+IPublic3;true;get_Prop;();;Argument[this];ReturnValue;taint;df-generated
-        public override string Prop { get { return tainted; } }
-    }
-}
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.17.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.17.2.rst
@@ -1,170 +0,0 @@
-.. _codeql-cli-2.17.2:
-
-==========================
-CodeQL 2.17.2 (2024-05-07)
-==========================
-
-.. contents:: Contents
-   :depth: 2
-   :local:
-   :backlinks: none
-
-This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
-
-Security Coverage
-----------------
-
-CodeQL 2.17.2 runs a total of 413 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 130 queries (covering 34 more CWE). 1 security query has been added with this release.
-
-CodeQL CLI
----------
-
-Improvements
-~~~~~~~~~~~~
-
-*   When uploading a SARIF file to GitHub using :code:`codeql github upload-results`, the CodeQL CLI now waits for the file to be processed by GitHub. If any errors occurred during processing of the analysis results, the command will log these and return a non-zero exit code. To disable this behaviour, pass the
-    :code:`--no-wait-for-processing` flag.
-    
-    By default, the command will wait for the SARIF file to be processed for a maximum of 2 minutes, however this is configurable with the
-    :code:`--wait-for-processing-timeout` option.
-    
-*   The build tracer is no longer enabled when using the |link-code-none-build-mode-1|_
-    to analyze a compiled language, thus improving performance.
-
-Known Issues
-~~~~~~~~~~~~
-
-*   The beta support for analyzing Swift in this release and all previous releases requires :code:`g++-13` when running on Linux. Users analyzing Swift using the :code:`ubuntu-latest`, :code:`ubuntu-22.04`, or
-    :code:`ubuntu-20.04` runner images for GitHub Actions should update their workflows to install :code:`g++-13`. For more information, see `the runner images announcement <https://github.com/actions/runner-images/issues/9679>`__.
-
-Query Packs
-----------
-
-Minor Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   The "Uncontrolled data used in path expression" query (:code:`cpp/path-injection`) query produces fewer near-duplicate results.
-*   The "Global variable may be used before initialization" query (:code:`cpp/global-use-before-init`) no longer raises an alert on global variables that are initialized when they are declared.
-*   The "Inconsistent null check of pointer" query (:code:`cpp/inconsistent-nullness-testing`) query no longer raises an alert when the guarded check is in a macro expansion.
-
-Golang
-""""""
-
-*   The query :code:`go/incomplete-hostname-regexp` now recognizes more sources involving concatenation of string literals and also follows flow through string concatenation. This may lead to more alerts.
-*   Added some more barriers to flow for :code:`go/incorrect-integer-conversion` to reduce false positives, especially around type switches.
-
-JavaScript/TypeScript
-"""""""""""""""""""""
-
-*   The JavaScript extractor will on longer report syntax errors related to "strict mode".
-    Files containing such errors are now being fully analyzed along with other sources files.
-    This improves our support for source files that technically break the "strict mode" rules,
-    but where a build steps transforms the code such that it ends up working at runtime.
-
-Language Libraries
------------------
-
-Breaking Changes
-~~~~~~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   Deleted the deprecated :code:`GlobalValueNumberingImpl.qll` implementation.
-
-C#
-""
-
-*   Deleted the deprecated :code:`getAssemblyName` predicate from the :code:`Operator` class. Use :code:`getFunctionName` instead.
-*   Deleted the deprecated :code:`LShiftOperator`, :code:`RShiftOperator`, :code:`AssignLShiftExpr`, :code:`AssignRShiftExpr`, :code:`LShiftExpr`, and :code:`RShiftExpr` aliases.
-*   Deleted the deprecated :code:`getCallableDescription` predicate from the :code:`ExternalApiDataNode` class. Use :code:`hasQualifiedName` instead.
-
-Golang
-""""""
-
-*   Deleted the deprecated :code:`CsvRemoteSource` alias. Use :code:`MaDRemoteSource` instead.
-
-Java
-""""
-
-*   Deleted the deprecated :code:`AssignLShiftExpr`, :code:`AssignRShiftExpr`, :code:`AssignURShiftExpr`, :code:`LShiftExpr`, :code:`RShiftExpr`, and :code:`URShiftExpr` aliases.
-
-JavaScript/TypeScript
-"""""""""""""""""""""
-
-*   Deleted the deprecated :code:`getInput` predicate from the :code:`CryptographicOperation` class. Use :code:`getAnInput` instead.
-*   Deleted the deprecated :code:`RegExpPatterns` module from :code:`Regexp.qll`.
-*   Deleted the deprecated :code:`semmle/javascript/security/BadTagFilterQuery.qll`, :code:`semmle/javascript/security/OverlyLargeRangeQuery.qll`, :code:`semmle/javascript/security/regexp/RegexpMatching.qll`, and :code:`Security/CWE-020/HostnameRegexpShared.qll` files.
-
-Python
-""""""
-
-*   Deleted the deprecated :code:`RegExpPatterns` module from :code:`Regexp.qll`.
-*   Deleted the deprecated :code:`Security/CWE-020/HostnameRegexpShared.qll` file.
-
-Ruby
-""""
-
-*   Deleted the deprecated :code:`RegExpPatterns` module from :code:`Regexp.qll`.
-*   Deleted the deprecated :code:`security/cwe-020/HostnameRegexpShared.qll` file.
-
-Minor Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   Source models have been added for the standard library function :code:`getc` (and variations).
-*   Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
-*   Parameters of functions without definitions now have :code:`ParameterNode`\ s.
-*   The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
-
-C#
-""
-
-*   Generated .NET Runtime models for properties with both getters and setters have been removed as this is now handled by the data flow library.
-
-JavaScript/TypeScript
-"""""""""""""""""""""
-
-*   Improved detection of whether a file uses CommonJS module system.
-
-Deprecated APIs
-~~~~~~~~~~~~~~~
-
-Golang
-""""""
-
-*   To make Go consistent with other language libraries, the :code:`UntrustedFlowSource` name has been deprecated throughout. Use :code:`RemoteFlowSource` instead, which replaces it.
-*   Where modules have classes named :code:`UntrustedFlowAsSource`, these are also deprecated and the :code:`Source` class in the same module or the :code:`RemoteFlowSource` class should be used instead.
-
-Python
-""""""
-
-*   Renamed the :code:`StrConst` class to :code:`StringLiteral`, for greater consistency with other languages. The :code:`StrConst` and :code:`Str` classes are now deprecated and will be removed in a future release.
-
-New Features
-~~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See :code:`dataflow/ExternalFlow.qll` for documentation and specification of the model format, and :code:`models/implementations/ZMQ.qll` for a simple example of models. Importing models from :code:`.yml` is not yet supported.
-
-Shared Libraries
----------------
-
-Major Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Dataflow Analysis
-"""""""""""""""""
-
-*   The data flow library performs heuristic filtering of code paths that have a high degree of control-flow uncertainty for improved performance in cases that are deemed unlikely to yield true positive flow paths. This filtering can be controlled with the :code:`fieldFlowBranchLimit` predicate in configurations. Two bugs have been fixed in relation to this: Some cases of high uncertainty were not being correctly identified. This fix improves performance in certain scenarios. Another group of cases of low uncertainty were also being misidentified, which led to false negatives. Taken together, we generally expect some additional query results with more true positives and fewer false positives.
-
-.. |link-code-none-build-mode-1| replace:: :code:`none` build mode
-.. _link-code-none-build-mode-1: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes
-
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.17.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.17.3.rst
@@ -1,74 +0,0 @@
-.. _codeql-cli-2.17.3:
-
-==========================
-CodeQL 2.17.3 (2024-05-17)
-==========================
-
-.. contents:: Contents
-   :depth: 2
-   :local:
-   :backlinks: none
-
-This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
-
-Security Coverage
-----------------
-
-CodeQL 2.17.3 runs a total of 414 security queries when configured with the Default suite (covering 161 CWE). The Extended suite enables an additional 131 queries (covering 35 more CWE). 2 security queries have been added with this release.
-
-CodeQL CLI
----------
-
-Improvements
-~~~~~~~~~~~~
-
-*   The language server that our IDE integration is built on now defaults to fine-grained dependency tracking for incremental error-checking after file changes. This slightly improves the latency of refreshing errors after local source code edits and will enable significant speedups in the future.
-*   We now properly handle globs (such as :code:`folder/**/*.py`) in :code:`paths` configuration to specify what files to include for Python analysis (see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan).
-*   TRAP import (a part of :code:`codeql database create` and :code:`codeql database finalize`)
-    now supports allocating 2^32 IDs during the import process. The previous limit was 2^31 IDs.
-
-Query Packs
-----------
-
-New Queries
-~~~~~~~~~~~
-
-C/C++
-"""""
-
-*   Added a new query, :code:`cpp/iterator-to-expired-container`, to detect the creation of iterators owned by a temporary objects that are about to be destroyed.
-
-Python
-""""""
-
-*   The :code:`py/header-injection` query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack and renamed to :code:`py/http-response-splitting`. This query finds instances of http header injection / response splitting vulnerabilities.
-
-Language Libraries
------------------
-
-Breaking Changes
-~~~~~~~~~~~~~~~~
-
-Java
-""""
-
-*   The Java extractor no longer supports the :code:`ODASA_JAVA_LAYOUT`, :code:`ODASA_TOOLS` and :code:`ODASA_HOME` legacy environment variables.
-*   The Java extractor no longer supports the :code:`ODASA_BUILD_ERROR_DIR` legacy environment variable.
-
-Major Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Python
-""""""
-
-*   Added modeling of the :code:`pyramid` framework, leading to new remote flow sources and sinks.
-
-Minor Analysis Improvements
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Golang
-""""""
-
-*   Fixed a bug that stopped built-in functions from being referenced using the predicate :code:`hasQualifiedName` because technically they do not belong to any package. Now you can use the empty string as the package, e.g. :code:`f.hasQualifiedName("", "len")`.
-*   Fixed a bug that stopped data flow models for built-in functions from having any effect because the package "" was not parsed correctly.
-*   Fixed a bug that stopped data flow from being followed through variadic arguments to built-in functions or to functions called using a variable.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.8.1.rst
@@ -82,7 +82,7 @@ Bug Fixes
 Python
 """"""

-*   The `View AST functionality <https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code>`__ no longer prints detailed information about regular expressions, greatly improving performance.
+*   The `View AST functionality <https://docs.github.com/en/code-security/codeql-for-vs-code/using-the-advanced-functionality-of-the-codeql-for-vs-code-extension/exploring-the-structure-of-your-source-code/>`__ no longer prints detailed information about regular expressions, greatly improving performance.

 Minor Analysis Improvements
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,8 +11,6 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
   :maxdepth: 1

-   codeql-cli-2.17.3
-   codeql-cli-2.17.2
   codeql-cli-2.17.1
   codeql-cli-2.17.0
   codeql-cli-2.16.6
--- a/docs/ql-style-guide.md
+++ b/docs/ql-style-guide.md
@@ -7,8 +7,6 @@ Note, if you use [CodeQL for Visual Studio Code](https://docs.github.com/en/code

 Words in *italic* are defined in the [Glossary](#glossary).

-TODOCS
-
 ## Indentation
 1. *Always* use 2 spaces for indentation.
 1. *Always* indent:
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -177,3 +177,12 @@ private class ExternalRemoteFlowSource extends RemoteFlowSource {

  override string getSourceType() { result = ap.getSourceType() }
 }
+
+/**
+ * A response from an outgoing network request.
+ */
+private class ResponseSource extends RemoteFlowSource {
+  ResponseSource() { this = any(ClientRequest r).getAResponseDataNode() }
+
+  override string getSourceType() { result = "a response from a remote server" }
+}
--- a/python/ql/lib/change-notes/2024-05-20-flask-session-interface.md
+++ b/python/ql/lib/change-notes/2024-05-20-flask-session-interface.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `request` parameter of Flask `SessionInterface.open_session` method is now modeled as a remote flow source.
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -101,19 +101,6 @@ module Flask {
  /** Gets a reference to the `flask.request` object. */
  API::Node request() {
    result = API::moduleImport(["flask", "flask_restful"]).getMember("request")
-    or
-    result = sessionInterfaceRequestParam()
-  }
-
-  /** Gets a `request` parameter of an implementation of `open_session` in a subclass of `flask.sessions.SessionInterface` */
-  private API::Node sessionInterfaceRequestParam() {
-    result =
-      API::moduleImport("flask")
-          .getMember("sessions")
-          .getMember("SessionInterface")
-          .getASubclass+()
-          .getMember("open_session")
-          .getParameter(1)
  }

  /**
--- a/python/ql/test/library-tests/frameworks/flask/session_interface.py
+++ b/python/ql/test/library-tests/frameworks/flask/session_interface.py
@@ -1,5 +0,0 @@
-import flask 
-
-class MySessionInterface(flask.sessions.SessionInterface):
-    def open_session(self, app, request):
-        ensure_tainted(request) # $tainted
--- a/ql/ql/src/ql.dbscheme
+++ b/ql/ql/src/ql.dbscheme
@@ -36,12 +36,6 @@ containerparent(
  unique int child: @container ref
 );

-/*- Empty location -*/
-
-empty_location(
-  int location: @location_default ref
-);
-
 /*- Source location prefix -*/

 /**
--- a/ruby/downgrades/63af05c01bdd6a38f280e41ac0453db52f46989c/old.dbscheme
+++ b/ruby/downgrades/63af05c01bdd6a38f280e41ac0453db52f46989c/old.dbscheme
--- a/ruby/downgrades/63af05c01bdd6a38f280e41ac0453db52f46989c/ruby.dbscheme
+++ b/ruby/downgrades/63af05c01bdd6a38f280e41ac0453db52f46989c/ruby.dbscheme
--- a/ruby/downgrades/63af05c01bdd6a38f280e41ac0453db52f46989c/upgrade.properties
+++ b/ruby/downgrades/63af05c01bdd6a38f280e41ac0453db52f46989c/upgrade.properties
@@ -1,3 +0,0 @@
-description: Remove `empty_location` relation
-compatibility: backwards
-empty_location.rel: delete
--- a/ruby/ql/lib/codeql/Locations.qll
+++ b/ruby/ql/lib/codeql/Locations.qll
@@ -64,5 +64,5 @@ class Location extends @location_default {

 /** An entity representing an empty location. */
 class EmptyLocation extends Location {
-  EmptyLocation() { empty_location(this) }
+  EmptyLocation() { this.hasLocationInfo("", 0, 0, 0, 0) }
 }
--- a/ruby/ql/lib/ruby.dbscheme
+++ b/ruby/ql/lib/ruby.dbscheme
@@ -36,12 +36,6 @@ containerparent(
  unique int child: @container ref
 );

-/*- Empty location -*/
-
-empty_location(
-  int location: @location_default ref
-);
-
 /*- Source location prefix -*/

 /**
--- a/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/empty_location.ql
+++ b/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/empty_location.ql
@@ -1,13 +0,0 @@
-class EmptyFile extends @file {
-  EmptyFile() { files(this, "") }
-
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-from EmptyFile f, Location l
-where locations_default(l, f, 0, 0, 0, 0)
-select l
--- a/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/old.dbscheme
+++ b/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/old.dbscheme
--- a/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/ruby.dbscheme
+++ b/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/ruby.dbscheme
--- a/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/upgrade.properties
+++ b/ruby/ql/lib/upgrades/440de75c71e9206ce16eed49a22c76e7889b5fc3/upgrade.properties
@@ -1,3 +0,0 @@
-description: Add `empty_location` relation
-compatibility: backwards
-empty_location.rel: run empty_location.qlo
--- a/shared/tree-sitter-extractor/src/extractor/mod.rs
+++ b/shared/tree-sitter-extractor/src/extractor/mod.rs
@@ -75,7 +75,7 @@ fn populate_empty_file(writer: &mut trap::Writer) -> trap::Label {

 pub fn populate_empty_location(writer: &mut trap::Writer) {
    let file_label = populate_empty_file(writer);
-    let loc_label = global_location(
+    global_location(
        writer,
        file_label,
        trap::Location {
@@ -85,7 +85,6 @@ pub fn populate_empty_location(writer: &mut trap::Writer) {
            end_column: 0,
        },
    );
-    writer.add_tuple("empty_location", vec![trap::Arg::Label(loc_label)]);
 }

 pub fn populate_parent_folders(
--- a/shared/tree-sitter-extractor/src/generator/prefix.dbscheme
+++ b/shared/tree-sitter-extractor/src/generator/prefix.dbscheme
@@ -33,12 +33,6 @@ containerparent(
  unique int child: @container ref
 );

-/*- Empty location -*/
-
-empty_location(
-  int location: @location_default ref
-);
-
 /*- Source location prefix -*/

 /**