CLI Update 2.26.0#372
Merged
Merged
Conversation
ASP.NET Core Razor Page handler method parameters (OnGet, OnPost, etc.) were not modeled as remote flow sources, causing security queries like SQL injection to miss vulnerabilities in PageModel subclasses. This adds AspNetCorePageHandlerMethodParameter, analogous to the existing AspNetCoreActionMethodParameter for MVC controllers, using the existing PageModelClass.getAHandlerMethod() from Razor.qll. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove @RasmusWL from CODEOWNERS
Cfg: Add support for unless and until statements
After a {expr} or {..expr} placeholder, an optional chain of
.<builtin>() calls may follow. Currently the only builtin is:
.map(param -> template)
which applies the template to each element of the iterable and
collects the resulting node IDs. A chain auto-splices into the
enclosing field/child position.
Example:
path: {parts}.map(p -> (identifier #{p}))
The framework is extensible: additional builtins can be added by
matching on the method name in parse_chain_suffix.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
A left fold over an iterable where the first element seeds the accumulator: - first -> init : converts the first element to the initial accumulator - acc, elem -> fold : fold step; acc = current accumulator, elem = next element - Empty iterable produces nothing (0-element splice) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Ensure the full wildcard _ supports quantifiers - Also rewrite unnamed nodes in one-shot phases
When a field pattern has a bare capture with no preceding pattern atom (i.e. `foo: @bar`), implicitly use a true wildcard (`_`, match_unnamed: true) as the node pattern, making it equivalent to `foo: _ @bar`. This is a convenience shorthand: in practice every `field: _ @cap` in the Swift rules can now be written more concisely as `field: @cap`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
…xpectation-tests Java: Improve inline expectations test comments
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
…ations C#: Refactor- and rename operation expressions.
C#: Add models as data tests for compound assignment operators.
Yeast/Unified: Extract comments
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
C#: Remove redundant code from `DeadStoreOfLocal.ql`
Actions: Fix dominates() false positive in reusable workflows
Kotlin: Update tests to use new `kotlin_2_3_20` fixture
Rust: Remove some redundant imports / casts
Mergeback github#21947 into `main`
Unified/swift: new AST spec and Swift mappings
Release preparation for version 2.26.0
The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall` that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is itself a type-tracker -- inside `levelStepCall`. That creates a structural mutual recursion between the main type-tracker fixpoint and `classInstanceTracker`, causing the type-tracker delta to blow up to ~100M tuples per iteration on some OOP-heavy Python codebases. Verified on the python/mypy database: SSRF query wall time goes from ~12s before the offending commit to >40 minutes after it. This hotfix temporarily drops the `instanceFieldStep` disjunct and keeps only `inheritedFieldStep`, which does not pull on the call graph and is well-behaved (verified at ~12s on mypy). The `instanceFieldStep` helper predicate itself is kept in place, and the `levelStepCall` body has a commented-out call to it so the change is trivial to re-enable once the recursion issue is properly addressed.
…ble-instance-field-step Python: hotfix - disable instanceFieldStep to avoid type-tracker blowup
…/2.26.0 Revert "Release preparation for version 2.26.0"
Python: release hotfix
Release preparation for version 2.26.0
Compatible with the latest released version of the CodeQL CLI
denislevin
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.