
Conversation

@chanel-y
Contributor

Accepted incoming for the following merge conflicts:

TaintedPathQuery doesn't seem to be changing functionality, just accommodating the deprecation of the AbstractValue (4f6528a)

ZipSlipQuery.qll is just adding more sources and sinks

TaintedPathQuery.qll

class PathCheck extends Sanitizer {
  Guard g;

  PathCheck() {
<<<<<<< HEAD
    // This expression is structurally replicated in a dominating guard
    exists(AbstractValues::BooleanValue v | g = this.(GuardedDataFlowNode).getAGuard(_, v))
  }

  override predicate isBarrier(TaintedPathConfig::FlowState state) {
    g.(WeakGuard).isBarrier(state)
    or
    not g instanceof WeakGuard
=======
    // This expression is structurally replicated in a dominating guard which is not a "weak" check
    exists(Guard g, GuardValue v |
      g = this.(GuardedDataFlowNode).getAGuard(_, v) and
      exists(v.asBooleanValue()) and
      not g instanceof WeakGuard
    )
>>>>>>> codeql-cli/latest
  }
}

ZipSlipQuery.qll


/**
 * A taint tracking module for Zip Slip.
 */
<<<<<<< HEAD
module ZipSlip = TaintTracking::Global<ZipSlipConfig>;
=======
module ZipSlip = TaintTracking::Global<ZipSlipConfig>;

/** An access to the `FullName` property of a `ZipArchiveEntry`. */
class ArchiveFullNameSource extends Source {
  ArchiveFullNameSource() {
    exists(PropertyAccess pa | this.asExpr() = pa |
      pa.getTarget()
          .getDeclaringType()
          .hasFullyQualifiedName("System.IO.Compression", "ZipArchiveEntry") and
      pa.getTarget().getName() = "FullName"
    )
  }
}

/** An argument to the `ExtractToFile` extension method. */
class ExtractToFileArgSink extends Sink {
  ExtractToFileArgSink() {
    exists(MethodCall mc |
      mc.getTarget()
          .hasFullyQualifiedName("System.IO.Compression", "ZipFileExtensions", "ExtractToFile") and
      this.asExpr() = mc.getArgumentForName("destinationFileName")
    )
  }
}

/** A path argument to a `File.Open`, `File.OpenWrite`, or `File.Create` method call. */
class FileOpenArgSink extends Sink {
  FileOpenArgSink() {
    exists(MethodCall mc |
      mc.getTarget().hasFullyQualifiedName("System.IO", "File", "Open") or
      mc.getTarget().hasFullyQualifiedName("System.IO", "File", "OpenWrite") or
      mc.getTarget().hasFullyQualifiedName("System.IO", "File", "Create")
    |
      this.asExpr() = mc.getArgumentForName("path")
    )
  }
}

/** A path argument to a call to the `FileStream` constructor. */
class FileStreamArgSink extends Sink {
  FileStreamArgSink() {
    exists(ObjectCreation oc |
      oc.getTarget().getDeclaringType().hasFullyQualifiedName("System.IO", "FileStream")
    |
      this.asExpr() = oc.getArgumentForName("path")
    )
  }
}

/**
 * A path argument to a call to the `FileStream` constructor.
 *
 * This constructor can accept a tainted file name and subsequently be used to open a file stream.
 */
class FileInfoArgSink extends Sink {
  FileInfoArgSink() {
    exists(ObjectCreation oc |
      oc.getTarget().getDeclaringType().hasFullyQualifiedName("System.IO", "FileInfo")
    |
      this.asExpr() = oc.getArgumentForName("fileName")
    )
  }
}

/**
 * A call to `GetFileName`.
 *
 * This is considered a sanitizer because it extracts just the file name, not the full path.
 */
class GetFileNameSanitizer extends Sanitizer {
  GetFileNameSanitizer() {
    exists(MethodCall mc |
      mc.getTarget().hasFullyQualifiedName("System.IO", "Path", "GetFileName")
    |
      this.asExpr() = mc
    )
  }
}

/**
 * A call to `Substring`.
 *
 * This is considered a sanitizer because `Substring` may be used to extract a single component
 * of a path to avoid ZipSlip.
 */
class SubstringSanitizer extends Sanitizer {
  SubstringSanitizer() {
    exists(MethodCall mc | mc.getTarget().hasFullyQualifiedName("System", "String", "Substring") |
      this.asExpr() = mc
    )
  }
}

private predicate stringCheckGuard(Guard g, Expr e, GuardValue v) {
  g.(MethodCall).getTarget().hasFullyQualifiedName("System", "String", "StartsWith") and
  g.(MethodCall).getQualifier() = e and
  // A StartsWith check against Path.Combine is not sufficient, because the ".." elements have
  // not yet been resolved.
  not exists(MethodCall combineCall |
    combineCall.getTarget().hasFullyQualifiedName("System.IO", "Path", "Combine") and
    DataFlow::localExprFlow(combineCall, e)
  ) and
  v.asBooleanValue() = true
}

/**
 * A call to `String.StartsWith()` that indicates that the tainted path value is being
 * validated to ensure that it occurs within a permitted output path.
 */
class StringCheckSanitizer extends Sanitizer {
  StringCheckSanitizer() { this = DataFlow::BarrierGuard<stringCheckGuard/3>::getABarrierNode() }
}
>>>>>>> codeql-cli/latest
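
As an added example (not code from the PR or the CodeQL repository), here are the C# shapes that the `ZipSlipQuery.qll` classes above model: `entry.FullName` as the source, `ExtractToFile` as the sink, and the `StartsWith` guard both in the form `stringCheckGuard` refuses to treat as a barrier (applied directly to a `Path.Combine` result, where `..` is still unresolved) and in a form that resolves the path first. The names `WeakCheck`, `SafeCheck` and `ExtractSafely` are my own.

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Added example, not from the PR or the CodeQL repository.
static class ZipSlipDemo
{
    // The guard shape stringCheckGuard excludes: StartsWith on a raw Path.Combine
    // result. ".." is not resolved, so "out/../evil.txt" still starts with "out".
    public static bool WeakCheck(string root, string entryName)
    {
        string dest = Path.Combine(root, entryName);
        return dest.StartsWith(root, StringComparison.Ordinal);
    }

    // A guard the query accepts as a barrier: normalise with Path.GetFullPath first,
    // then compare against the normalised root plus a trailing separator so that a
    // sibling such as "out2" is not mistaken for a child of "out".
    public static bool SafeCheck(string root, string entryName)
    {
        string fullRoot = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string dest = Path.GetFullPath(Path.Combine(fullRoot, entryName));
        return dest.StartsWith(fullRoot, StringComparison.Ordinal);
    }

    // Source (ArchiveFullNameSource) reaches the sink (ExtractToFileArgSink) only
    // after passing the resolved-path guard above.
    public static void ExtractSafely(string zipPath, string root)
    {
        using ZipArchive archive = ZipFile.OpenRead(zipPath);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            if (!SafeCheck(root, entry.FullName))
                throw new IOException($"Entry '{entry.FullName}' escapes '{root}'.");
            if (entry.FullName.EndsWith("/", StringComparison.Ordinal))
                continue; // directory entry; parent directories are created on demand below
            string dest = Path.GetFullPath(Path.Combine(root, entry.FullName));
            Directory.CreateDirectory(Path.GetDirectoryName(dest)!);
            entry.ExtractToFile(dest, overwrite: false);
        }
    }

    public static void Main()
    {
        // Constructed sample entry names: a normal child, a ".." traversal, an absolute path.
        foreach (string name in new[] { "sub/ok.txt", "../evil.txt", "/abs/evil.txt" })
            Console.WriteLine($"{name,-16} weak={WeakCheck("out", name)} safe={SafeCheck("out", name)}");
    }
}
```

`WeakCheck` accepts the `..` traversal because the combined string still begins with the root; `SafeCheck` rejects it because `GetFullPath` collapses the `..` before the comparison.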

MathiasVP and others added 30 commits May 21, 2025 17:43
…f the argument (which is incorrect when there is use-use flow).
C#: Fix FPs (and a small FN) in `cs/path-injection`
Compatible with the latest released version of the CodeQL CLI
Compatible with the latest released version of the CodeQL CLI
…shell

PS: Remove unnecessary data extension pattern to fix warning
Copilot AI review requested due to automatic review settings November 14, 2025 17:28
@chanel-y chanel-y requested review from a team as code owners November 14, 2025 17:28
Contributor

Copilot AI left a comment


Pull Request Overview

This PR merges upstream CodeQL changes from version 2.22.3, primarily consisting of auto-generated stub files for the Microsoft.Identity.ServiceEssentials.SDK package and related test configuration updates.

  • Added auto-generated C# stub files for Microsoft Identity and IdentityModel libraries (version 6.34.0.0 and 1.19.6.0)
  • Added test query reference files for JWT security validation queries
  • All changes are generated stub files intended to be correct by design

Reviewed Changes

Copilot reviewed 258 out of 4384 changed files in this pull request and generated no comments.

File Description
Microsoft.IdentityModel.S2S.cs Auto-generated stub for S2S authentication protocol handlers and validation classes
Microsoft.IdentityModel.S2S.Tokens.cs Auto-generated stub for S2S token management, logging, and validation utilities
Microsoft.IdentityModel.Protocols.cs Auto-generated stub for OpenID Connect protocol configuration and retrieval
Microsoft.IdentityModel.Protocols.SignedHttpRequest.cs Auto-generated stub for signed HTTP request validation and creation
Microsoft.IdentityModel.Protocols.OpenIdConnect.cs Auto-generated stub for OpenID Connect message handling and configuration
Microsoft.IdentityModel.Logging.cs Auto-generated stub for identity model event logging and telemetry
Microsoft.IdentityModel.JsonWebTokens.cs Auto-generated stub for JWT token handling and validation
Microsoft.IdentityModel.Abstractions.cs Auto-generated stub for identity model logging abstractions
Microsoft.Identity.ServiceEssentials.TokenAcquisition.cs Auto-generated stub for token acquisition functionality
Microsoft.Identity.ServiceEssentials.Modules.TrV2Module.cs Auto-generated stub for tenant restrictions v2 module
Microsoft.Identity.ServiceEssentials.Core.cs Auto-generated stub for core service essentials types
Microsoft.Identity.ServiceEssentials.Caching.cs Auto-generated stub for caching functionality
Microsoft.Identity.ServiceEssentials.Authentication.cs Auto-generated stub for authentication ticket providers
Microsoft.Identity.Abstractions.cs Auto-generated stub for identity abstractions and token acquisition
Microsoft.Extensions.Primitives.cs Auto-generated stub for extension primitive types
Microsoft.Extensions.Options.cs Auto-generated stub for options pattern types
Microsoft.Extensions.Options.ConfigurationExtensions.cs Auto-generated stub for configuration binding extensions
Microsoft.Extensions.Logging.cs Auto-generated stub for logging infrastructure
Microsoft.Extensions.Logging.Abstractions.cs Auto-generated stub for logging abstraction interfaces
Microsoft.Extensions.DependencyInjection.cs Auto-generated stub for dependency injection container
AadIssuerValidationDataFlow.qlref Test query reference for AAD issuer validation data flow analysis
security-validation-disabled.qlref Test query reference for JWT security validation checks


Comment on lines +8 to +16
runs-on: ubuntu-latest
steps:
- name: Fail if not on main branch
run: |
if [ "$GITHUB_REF" != "refs/heads/main" ]; then
echo "This workflow can only run on the 'main' branch."
exit 1
fi
codeqlversion:
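
Review bot: the branch gate in the `run:` step (`if [ "$GITHUB_REF" != "refs/heads/main" ]; then ... exit 1`) would be simpler as a job-level condition, `if: github.ref == 'refs/heads/main'`, which skips the job (and, through `needs`, the jobs that depend on it) instead of spending a runner to fail it. The scanner's note below about the missing `permissions:` block applies here as well; since this job touches no repository content, `permissions: {}` at workflow level is the right starting point.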

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
Comment on lines +17 to +35
needs: check-branch
runs-on: ubuntu-latest
outputs:
codeql_version: ${{ steps.set_codeql_version.outputs.codeql_version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set CodeQL Version
id: set_codeql_version
run: |
git fetch
git fetch --tags
CURRENT_COMMIT=$(git rev-list -1 HEAD)
CURRENT_TAG=$(git describe --tags --abbrev=0 --match 'codeql-cli/v*' $CURRENT_COMMIT)
CODEQL_VERSION="${CURRENT_TAG#codeql-cli/}"
echo "CODEQL_VERSION=$CODEQL_VERSION" >> $GITHUB_OUTPUT
publishlibs:
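
Review bot: the name written to `$GITHUB_OUTPUT` (`echo "CODEQL_VERSION=$CODEQL_VERSION" >> $GITHUB_OUTPUT`) does not match the name read in the job's `outputs:` block (`steps.set_codeql_version.outputs.codeql_version`); whether or not the lookup tolerates the case difference, write `codeql_version=...` so both sides use the same identifier, and quote `"$GITHUB_OUTPUT"`. `git fetch` immediately followed by `git fetch --tags` is redundant after `fetch-depth: 0`; one `git fetch --tags` suffices. If no `codeql-cli/v*` tag is reachable from `HEAD`, `git describe` exits non-zero and fails the step, which is the desired outcome but deserves a comment so the failure is understood.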

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +36 to +97
environment: secure-publish
needs: codeqlversion
runs-on: ubuntu-latest
strategy:
matrix:
language: ['powershell']
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install CodeQL
shell: bash
run: |
gh extension install github/gh-codeql
gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Publish OS Microsoft CodeQL Lib Pack
shell: bash
run: |
# Download latest qlpack
gh codeql pack download "microsoft/$LANGUAGE-all"
PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-all"
VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
[[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }

# Increment version
CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"

# Extract dependencies from the existing qlpack.yml before deleting
DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
DATAEXTENSIONS=$(yq 'select(has("dataExtensions")) | .dataExtensions | {"dataExtensions": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
rm -f "$LANGUAGE/ql/lib/qlpack.yml" "$LANGUAGE/ql/lib/qlpack.lock"

# Create new qlpack.yml with modified content
cat <<EOF > "$LANGUAGE/ql/lib/qlpack.yml"
name: microsoft/$LANGUAGE-all
version: $NEXT_VERSION
extractor: $LANGUAGE
groups:
- $LANGUAGE
- microsoft-all
dbscheme: semmlecode.$LANGUAGE.dbscheme
extractor: $LANGUAGE
library: true
upgrades: upgrades
$DEPENDENCIES
$DATAEXTENSIONS
warnOnImplicitThis: true
EOF

# Publish pack
cat "$LANGUAGE/ql/lib/qlpack.yml"
gh codeql pack publish "$LANGUAGE/ql/lib"
env:
LANGUAGE: ${{ matrix.language }}
GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
publish:
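
Review bot: the generated `qlpack.yml` in the heredoc declares `extractor: $LANGUAGE` twice (once after `version:` and again after `dbscheme:`); duplicate mapping keys are rejected by strict YAML parsers and at best one copy silently wins, so drop one. Regenerating the file after `rm -f` also discards every key of the original `qlpack.yml` other than `dependencies` and `dataExtensions`, so any other setting the library pack carries is lost on each publish; bumping the version in place (for example `NEXT_VERSION=... yq -i '.version = strenv(NEXT_VERSION)' "$LANGUAGE/ql/lib/qlpack.yml"`) keeps the rest of the file intact.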

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +98 to +151
environment: secure-publish
needs: codeqlversion
runs-on: ubuntu-latest
strategy:
matrix:
language: ['csharp', 'cpp', 'java', 'javascript', 'python', 'ruby', 'go', 'rust', 'swift', 'powershell', 'iac']
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install CodeQL
shell: bash
run: |
gh extension install github/gh-codeql
gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Publish OS Microsoft CodeQL Pack
shell: bash
run: |
# Download latest qlpack
gh codeql pack download "microsoft/$LANGUAGE-queries"
PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-queries"
VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
[[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }

# Increment version
CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"

# Extract dependencies from the existing qlpack.yml before deleting
DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/src/qlpack.yml" 2>/dev/null)
rm -f "$LANGUAGE/ql/src/qlpack.yml" "$LANGUAGE/ql/src/qlpack.lock"

# Create new qlpack.yml with modified content
cat <<EOF > "$LANGUAGE/ql/src/qlpack.yml"
name: microsoft/$LANGUAGE-queries
version: $NEXT_VERSION
extractor: $LANGUAGE
groups:
- $LANGUAGE
- queries
$DEPENDENCIES
EOF

# Publish pack
cat "$LANGUAGE/ql/src/qlpack.yml"
gh codeql pack publish "$LANGUAGE/ql/src"
env:
LANGUAGE: ${{ matrix.language }}
GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
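
Review bot: this job has the same rewrite problem as the library job: only `dependencies` is carried over from the original `$LANGUAGE/ql/src/qlpack.yml`, so any other key a query pack relies on (a default suite file, suites, extension targets) is dropped when the file is deleted and regenerated; editing `version:` in place with `yq -i` avoids that. With an eleven-language `matrix:` and no `fail-fast: false`, one pack failing to publish cancels the remaining matrix jobs, leaving the other packs unpublished for that run; set `fail-fast: false` under `strategy:` so each language publishes independently.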

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

@github-advanced-security github-advanced-security bot left a comment


CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@jketema
Contributor

jketema commented Nov 14, 2025

Wrong repository, I believe. Closing.

@jketema jketema closed this Nov 14, 2025