Skip to content

Resolve 2.23.5 conflict #298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dilanbhalla merged 581 commits into from
Nov 16, 2025
Merged

Resolve 2.23.5 conflict #298

dilanbhalla merged 581 commits into from
Nov 16, 2025

Conversation

@chanel-y
Copy link

@chanel-y chanel-y commented Nov 14, 2025
edited
Loading

Accepted incoming for the following merge conflicts:

TaintedPathQuery doesn't seem to be changing functionality, just accomodating the deprecation of the AbstractValue (github@4f6528a)

ZipSlipQuery.qll is just adding more sources and sinks

TaintedPathQuery.qll

class PathCheck extends Sanitizer {
  Guard g;

  PathCheck() {
<<<<<<< HEAD
    // This expression is structurally replicated in a dominating guard
    exists(AbstractValues::BooleanValue v | g = this.(GuardedDataFlowNode).getAGuard(_, v))
  }

  override predicate isBarrier(TaintedPathConfig::FlowState state) {
    g.(WeakGuard).isBarrier(state)
    or
    not g instanceof WeakGuard
=======
    // This expression is structurally replicated in a dominating guard which is not a "weak" check
    exists(Guard g, GuardValue v |
      g = this.(GuardedDataFlowNode).getAGuard(_, v) and
      exists(v.asBooleanValue()) and
      not g instanceof WeakGuard
    )
>>>>>>> codeql-cli/latest
  }
}

ZipSlipQuery.qll


/**
 * A taint tracking module for Zip Slip.
 */
<<<<<<< HEAD
module ZipSlip = TaintTracking::Global<ZipSlipConfig>;
=======
module ZipSlip = TaintTracking::Global<ZipSlipConfig>;

/** An access to the `FullName` property of a `ZipArchiveEntry`. */
class ArchiveFullNameSource extends Source {
  ArchiveFullNameSource() {
    exists(PropertyAccess pa | this.asExpr() = pa |
      pa.getTarget()
          .getDeclaringType()
          .hasFullyQualifiedName("System.IO.Compression", "ZipArchiveEntry") and
      pa.getTarget().getName() = "FullName"
    )
  }
}

/** An argument to the `ExtractToFile` extension method. */
class ExtractToFileArgSink extends Sink {
  ExtractToFileArgSink() {
    exists(MethodCall mc |
      mc.getTarget()
          .hasFullyQualifiedName("System.IO.Compression", "ZipFileExtensions", "ExtractToFile") and
      this.asExpr() = mc.getArgumentForName("destinationFileName")
    )
  }
}

/** A path argument to a `File.Open`, `File.OpenWrite`, or `File.Create` method call. */
class FileOpenArgSink extends Sink {
  FileOpenArgSink() {
    exists(MethodCall mc |
      mc.getTarget().hasFullyQualifiedName("System.IO", "File", "Open") or
      mc.getTarget().hasFullyQualifiedName("System.IO", "File", "OpenWrite") or
      mc.getTarget().hasFullyQualifiedName("System.IO", "File", "Create")
    |
      this.asExpr() = mc.getArgumentForName("path")
    )
  }
}

/** A path argument to a call to the `FileStream` constructor. */
class FileStreamArgSink extends Sink {
  FileStreamArgSink() {
    exists(ObjectCreation oc |
      oc.getTarget().getDeclaringType().hasFullyQualifiedName("System.IO", "FileStream")
    |
      this.asExpr() = oc.getArgumentForName("path")
    )
  }
}

/**
 * A path argument to a call to the `FileStream` constructor.
 *
 * This constructor can accept a tainted file name and subsequently be used to open a file stream.
 */
class FileInfoArgSink extends Sink {
  FileInfoArgSink() {
    exists(ObjectCreation oc |
      oc.getTarget().getDeclaringType().hasFullyQualifiedName("System.IO", "FileInfo")
    |
      this.asExpr() = oc.getArgumentForName("fileName")
    )
  }
}

/**
 * A call to `GetFileName`.
 *
 * This is considered a sanitizer because it extracts just the file name, not the full path.
 */
class GetFileNameSanitizer extends Sanitizer {
  GetFileNameSanitizer() {
    exists(MethodCall mc |
      mc.getTarget().hasFullyQualifiedName("System.IO", "Path", "GetFileName")
    |
      this.asExpr() = mc
    )
  }
}

/**
 * A call to `Substring`.
 *
 * This is considered a sanitizer because `Substring` may be used to extract a single component
 * of a path to avoid ZipSlip.
 */
class SubstringSanitizer extends Sanitizer {
  SubstringSanitizer() {
    exists(MethodCall mc | mc.getTarget().hasFullyQualifiedName("System", "String", "Substring") |
      this.asExpr() = mc
    )
  }
}

private predicate stringCheckGuard(Guard g, Expr e, GuardValue v) {
  g.(MethodCall).getTarget().hasFullyQualifiedName("System", "String", "StartsWith") and
  g.(MethodCall).getQualifier() = e and
  // A StartsWith check against Path.Combine is not sufficient, because the ".." elements have
  // not yet been resolved.
  not exists(MethodCall combineCall |
    combineCall.getTarget().hasFullyQualifiedName("System.IO", "Path", "Combine") and
    DataFlow::localExprFlow(combineCall, e)
  ) and
  v.asBooleanValue() = true
}

/**
 * A call to `String.StartsWith()` that indicates that the tainted path value is being
 * validated to ensure that it occurs within a permitted output path.
 */
class StringCheckSanitizer extends Sanitizer {
  StringCheckSanitizer() { this = DataFlow::BarrierGuard<stringCheckGuard/3>::getABarrierNode() }
}
>>>>>>> codeql-cli/latest

hvitved and others added 30 commits October 24, 2025 09:34
@hvitved
Add change note
ce37916
@hvitved
Merge pull request github#20592 from hvitved/rust/type-inference-bran…
672977a 
…ch-propagation

Rust: Non-symmetric type propagation for lub coercions
@hvitved
Rust: More type inference tests
2a43a95
@hvitved
Rust: Compute incompatible blanket implementations
0e885e9
@joefarebrother
Merge pull request github#20494 from joefarebrother/python-insecure-c…
8c277bd 
…ookie-split

Python: Split Insecure Cookie query into multiple queries
@hvitved
Address review comments
a4eab48
@bdrodes
Crypto: Fixed bug in WeakSymmetricCipher.qll, forgot to not only filt…
ed492c7 
…er if !=AES but the algorithm must still be a SymmetriCipher algorithm.
@hvitved
Merge pull request github#20688 from hvitved/java/request-forgery-mat…
32f21d6 
…ches-sanitizer

Java: Treat `x.matches(regexp)` as a sanitizer for request forgery
@jketema
Swift: Make extractor compile with Swift 6.2
2ef8bb0
@jketema
Swift: Fix unavailability checks after 6.2 upgrade
22dddb0
@jketema
Swift: Update generated files
e79c0b0
@jketema
Swift: Mangle function type lifetimes
300b5b1
@jketema
Swift: Fix AvailabilitySpec trap generation
626bc55
@jketema
Swift: Compensate for backwards going locations
d890fee
@jketema
Swift: Update KeyPathComponent for new kind values
bc835a3
@jketema
Swift: Update expected test results after 6.2 update
7890dc6
@jketema
Swift: Update PoundDiagnosticDecl test
b50ffe2 
These elements are no longer present in the Swift 6.2 AST.
@jketema
Swift: Document that tests disabled with Swift 6.1 are still broken w…
192c9c3 
…ith 6.2
@jketema
Swift: Update expected integration test results
4d9827f
@jketema
Swift: Work around assertion failures in mangler
06d0d48
@jketema
Swift: Remove flags related to explict modules in the tracer config
79fd35a 
We have not found a good way to support these.
@jketema
Swift: Special case the xcode-fails-spm-works test results on macOS 26
2843761 
macOS 26 comes with Xcode 26, which does not call the compiler on the file
with the `#error` diagnostic directive.
@jketema
Swift: Add upgrade and downgrade scripts
e415772
@jketema
Swift: Add change notes
74384bb
@paldepind
Merge pull request github#20645 from paldepind/cpp/range-analysis-mea…
a0a6f28 
…sure

C++: Range analysis measure bounds
@paldepind
C++: Add toString for RelationStrictness
17e0dec 
This helps for debugging.
@paldepind
C++: Fix typos in tests
3af9885
@paldepind
C++: Use or instead of if
383e6a4 
The proposition in the true branch implied the condition, so `or` is more appropriate. Also eliminated an existentially quantified variable.
@paldepind
C++: Simplify boundFromGuard
5709964 
The last disjunct in `boundFromGuard` is moved into `linearBoundFromGuard`. This avoids repeating the calculation for `boundValue`.

`getBounds` and `getExprTypeBounds` are turned into predicates with result. Their middle argument was the "output" which was confusing.
@paldepind
C++: Make small trivial tweaks
d1ea1af
aschackmull and others added 28 commits October 31, 2025 14:23
@aschackmull
C#: Deprecate AbstractValue.
4f6528a
@aschackmull
C#: Review fix and simplification.
fa20075
@igfoo
Kotlin: Avoid infinite recursion when extracting recursive interfaces
1efecc0
@igfoo
Kotlin: Add a test for nested types
9182da1
@igfoo
Kotlin: Add a test for recursive interfaces
06218d8
@aschackmull
Merge pull request github#20737 from aschackmull/csharp/deprecate-abs…
bda6513 
…tractvalue

C#: Deprecate AbstractValue.
@igfoo
Merge pull request github#20726 from igfoo/igfoo/ClassInstanceStack
7ff696b 
Kotlin: Avoid infinite recursion when extracting recursive interfaces
@jketema
Merge pull request github#20732 from jketema/swift-6.2-elements
d354b0c 
Swift: Support AST elements new in Swift 6.2
Release preparation for version 2.23.4
64fcdd1
@mbg
C#: Minor changelog improvements
e825a3a
@mbg
Merge pull request github#20745 from github/release-prep/2.23.4
637e12e 
Release preparation for version 2.23.4
@asgerf @mbg
Merge pull request github#20752 from asgerf/actions/dont-fail-if-no-js
6790684 
Actions: don't fail if no JS/TS code was found
@mbg
Merge pull request github#20754 from github/mbg/2.23.4/backport-dont-…
da1e93e 
…fail-if-no-js

Backport: Merge pull request github#20752 from asgerf/actions/dont-fail-if-no-js
@esteffin
Revert "Merge pull request github#20645 from paldepind/cpp/range-anal…
e7c029a 
…ysis-measure"

This reverts commit a0a6f28, reversing
changes made to 32f21d6.
@mbg
Revert "Release preparation for version 2.23.4"
6ce8f07
@mbg
Merge pull request github#20775 from github/esteffin/revert-20645-cpp…
9d2206b 
…-range-analysis-measure

Revert "Merge pull request github#20645 from paldepind/cpp/range-analysis-m…
@mbg
Merge pull request github#20777 from github/revert-20745-release-prep…
eb32c32 
…/2.23.4

Revert "Release preparation for version 2.23.4"
Release preparation for version 2.23.4
6342da9
@mbg
C#: Minor changelog improvements
262bfe0
@mbg
Revert C++ range analysis change note
0cbc935
@mbg
Merge pull request github#20778 from github/release-prep/2.23.4
714296b 
Release preparation for version 2.23.4
@mbg
Revert "Release preparation for version 2.23.4"
8ba29a7
@mbg
Merge pull request github#20803 from github/revert-20778-release-prep…
5b1e651 
…/2.23.4

Revert "Release preparation for version 2.23.4"
Release preparation for version 2.23.5
e4f25c9
@mbg
C#: Minor changelog improvements
ac9a297
@mbg
Revert C++ range analysis change note
b4fed5b
@mbg
Merge pull request github#20812 from github/release-prep/2.23.5
e5fa4a6 
Release preparation for version 2.23.5
@chanel-y
resolved merge conflicts, accepting incoming change
a26da74
@dilanbhalla dilanbhalla merged commit fe4dc76 into main Nov 16, 2025
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dilanbhalla dilanbhalla dilanbhalla approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.