codeql/5.0.0.md at 628f85aebcf23ee9a7a944c8ca8d00aefc00b8eb

hohn/codeql

mirror of https://github.com/github/codeql.git synced 2026-04-21 15:05:56 +02:00

Files

Henry Mercer 9507ec0853 Fix "be be" typos

2025-10-14 11:09:43 +01:00

5.0.0

The member predicate writesField on DataFlow::Write now uses the post-update node for base when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate writesFieldPreUpdate has been added for cases where this behaviour is not desired.
The member predicate writesElement on DataFlow::Write now uses the post-update node for base when that is the node being updated, which is in all cases except initializing an array/slice/map literal. A new member predicate writesElementPreUpdate has been added for cases where this behaviour is not desired.

The class SqlInjection::NumericOrBooleanSanitizer has been deprecated. Use SimpleTypeSanitizer from semmle.go.security.Sanitizers instead.
The member predicate writesComponent on DataFlow::Write has been deprecated. Instead, use writesFieldPreUpdate and writesElementPreUpdate, or their new versions writesField and writesElement.

The shape of the Go data-flow graph has changed. Previously for code like x := def(); use1(x); use2(x), there would be edges from the definition of x to each use. Now there is an edge from the definition to the first use, then another from the first use to the second, and so on. This means that data-flow barriers work differently - flow will not reach any uses after the barrier node. Where this is not desired it may be necessary to add an additional flow step to propagate the flow forward. Additionally, when a variable may be subject to a side-effect, such as updating an array, passing a pointer to a function that might write through it or writing to a field of a struct, there is now a dedicated post-update node representing the variable after this side-effect has taken place. Previously post-update nodes were aliases for either a variable's definition, or were equal to the pre-update node. This led to backwards steps in the data-flow graph, which could cause false positives. For example, in the previous code there would be an edge from x in use2(x) back to the definition of x. If we define our sources as any argument of use2 and our sinks as any argument of use1 then this would lead to a false positive path. Now there are distinct post-update nodes and no backwards edge to the definition, so we will not find this false positive path.

The query go/request-forgery will no longer report alerts when the user input is of a simple type, like a number or a boolean.
For the query go/unvalidated-url-redirection, when untrusted data is assigned to the Host field of a url.URL struct, we consider the whole struct untrusted. We now also include the case when this happens during struct initialization, for example &url.URL{Host: untrustedData}.
go/unvalidated-url-redirection and go/request-forgery have a shared notion of a safe URL, which is known to not be malicious. Some URLs which were incorrectly considered safe are now correctly considered unsafe. This may lead to more alerts for those two queries.