
Commit 43c9b95

authored
Merge branch 'main' into post-release-prep/codeql-cli-2.25.2
2 parents 242090e + 666c8bf commit 43c9b95


229 files changed

+48817
-40742
lines changed


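--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -27,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
-bazel_dep(name = "gazelle", version = "0.47.0")
+bazel_dep(name = "gazelle", version = "0.50.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "rules_rust", version = "0.69.0")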

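--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -26,10 +26,23 @@ string permissionsForJob(Job job) {
 "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
 }
 
+predicate jobHasPermissions(Job job) {
+exists(job.getPermissions())
+or
+exists(job.getEnclosingWorkflow().getPermissions())
+or
+// The workflow is reusable and cannot be triggered in any other way; check callers
+exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
+not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
+forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
+jobHasPermissions(caller)
+)
+)
+}
+
 from Job job, string permissions
 where
-not exists(job.getPermissions()) and
-not exists(job.getEnclosingWorkflow().getPermissions()) and
+not jobHasPermissions(job) and
 // exists a trigger event that is not a workflow_call
 exists(Event e |
 e = job.getATriggerEvent() and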
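Review bot: Inside the `exists(ReusableWorkflow r | ...)` branch the caller set is recomputed as `job.getEnclosingWorkflow().(ReusableWorkflow).getACaller()` although `r` is already bound to that workflow; `caller = r.getACaller()` says the same thing and makes it obvious that the `not exists(Event ...)` test and the `forall` range over the same workflow. The `forall` also holds vacuously when the database records no caller for the reusable workflow (callers living in another repository, for instance), so such a job counts as permissioned; the trigger-event clause that follows probably keeps that from hiding alerts, but the predicate carries no QLDoc, so a comment such as `/** Holds if the job sets permissions, inherits them from its workflow, or is a workflow_call-only job whose every known caller has permissions. */` would record the intent and the recursion. The enclosing `where` clause continues past the hunk.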

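--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -20,6 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
 ArtifactPoisoningFlow::flowPath(source, sink) and
 event = getRelevantEventInPrivilegedContext(sink.getNode())
-select sink.getNode(), source, sink,
-"Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
-sink.getNode().toString(), event, event.getName()
+select source.getNode(), source, sink,
+"Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
+event, event.getName()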
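Review bot: With the primary location moved to `source.getNode()` and the sink placeholder dropped, the message no longer tells the reader which step consumes the artifact; that step is still reachable through the path edges, but a fixed-label placeholder gives it back without the long-yml rendering the change note describes, e.g. `"... controlled by an external user ($@) and is consumed at $@.", event, event.getName(), sink.getNode(), "this step"`. The same applies to the `ArtifactPoisoningMedium.ql` hunk in this commit. Because the primary location changes, existing alert fingerprints change as well, so previously dismissed alerts may reappear; that is worth stating in the change note. The `from` clause that binds `event` lies outside the hunk.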

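--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
@@ -20,6 +20,5 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
 ArtifactPoisoningFlow::flowPath(source, sink) and
 inNonPrivilegedContext(sink.getNode().asExpr())
-select sink.getNode(), source, sink,
-"Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
-sink.getNode().toString()
+select source.getNode(), source, sink,
+"Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user."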
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: majorAnalysis
3+
---
4+
* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also clarify the wording to make it clear that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Also change the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
on:
2+
workflow_call:
3+
4+
jobs:
5+
build:
6+
name: Build and test
7+
runs-on: ubuntu-latest
8+
steps:
9+
- uses: actions/deploy-pages
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
on:
2+
workflow_dispatch:
3+
4+
permissions:
5+
contents: read
6+
id-token: write
7+
pages: write
8+
9+
jobs:
10+
call-workflow:
11+
uses: ./.github/workflows/perms11.yml

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected

Lines changed: 18 additions & 18 deletions

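--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql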
