Merge branch 'main' into actions/dep-updates

Author: GeekMasher

.codeqlversion

@@ -0,0 +1 @@
+2.20.1

.github/actions/install-codeql/action.yml

@@ -1,31 +1,44 @@
 name: Setup CodeQL CLI
 description: |
   Install a CodeQL CLI or re-use an existing one from the cache and it to the path.
-inputs:
+
+outputs:
   codeql-cli-version:
-    description: |
-      The version of the CodeQL CLI to be downloaded.
+    description: "The version of the CodeQL CLI that was installed or retrieved from cache"
+    value: ${{ steps.codeql-version.outputs.codeql-cli-version }}
 
 runs:
   using: composite
   steps:
+    - name: "CodeQL Version"
+      id: codeql-version
+      shell: bash
+      run: |
+        echo "Reading CodeQL CLI version from .codeqlversion file."
+        CODEQL_CLI_VERSION=$(cat ./.codeqlversion)
+        echo "CODEQL_CLI_VERSION=${CODEQL_CLI_VERSION}" >> $GITHUB_ENV
+        echo "codeql-cli-version=${CODEQL_CLI_VERSION}" >> $GITHUB_OUTPUT
+
     - name: Cache CodeQL
       id: cache-codeql
       uses: actions/cache@v4
       with:
         # A list of files, directories, and wildcard patterns to cache and restore
         path: ${{github.workspace}}/codeql_home
         # An explicit key for restoring and saving the cache
-        key: codeql-home-${{ inputs.codeql-cli-version }}
+        key: codeql-home-${{ steps.codeql-version.outputs.codeql-cli-version }}
 
     - name: Install CodeQL
+      id: install-codeql
       if: steps.cache-codeql.outputs.cache-hit != 'true'
       shell: bash
       env:
         GITHUB_TOKEN: ${{ github.token }}
         CODEQL_HOME: ${{ github.workspace }}/codeql_home
-        CODEQL_CLI_VERSION: ${{ inputs.codeql-cli-version }}
+        CODEQL_CLI_VERSION: ${{ steps.codeql-version.outputs.codeql-cli-version }}
       run: |
+        echo "Installing CodeQL CLI v${CODEQL_CLI_VERSION}."
+
         mkdir -p $CODEQL_HOME
         echo "Change directory to $CODEQL_HOME"
         pushd $CODEQL_HOME
@@ -38,6 +51,7 @@ runs:
 
         popd
         echo "Done."
+        echo "codeql-cli-version=${CODEQL_CLI_VERSION}" >> $GITHUB_OUTPUT
 
     - name: Add CodeQL to the PATH
       shell: bash

.github/workflows/ci.yml

@@ -5,9 +5,6 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
-env:
-  CODEQL_CLI_VERSION: 2.20.1
-
 jobs:
   compile-and-test:
     runs-on: ubuntu-latest
@@ -31,15 +28,14 @@ jobs:
 
       - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
+        id: install-codeql
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Install Packs
         if: steps.changes.outputs.src == 'true'
         env:
           GITHUB_TOKEN: ${{ github.token }}
-          CODEQL_CLI_VERSION: ${{ env.CODEQL_CLI_VERSION }}
+          CODEQL_CLI_VERSION: ${{ steps.install-codeql.outputs.codeql-cli-version }}
         run: |
           gh repo clone github/codeql -- -b codeql-cli-${CODEQL_CLI_VERSION} # to make stubs available for tests
           codeql pack install "${{ matrix.language }}/lib"
@@ -175,8 +171,6 @@ jobs:
       - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Install Packs
         if: steps.changes.outputs.src == 'true'
@@ -210,8 +204,6 @@ jobs:
       - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Install CodeQL
         if: steps.changes.outputs.src == 'true'
@@ -238,14 +230,10 @@ jobs:
       - name: Setup CodeQL
         if: steps.changes.outputs.src == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: "Check Configurations"
         if: steps.changes.outputs.src == 'true'
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
           ./.github/scripts/pr-configs.sh "${{ github.event.number }}"
-
-

.github/workflows/publish.yml

@@ -5,8 +5,6 @@ on:
     branches: [main]
   workflow_dispatch:
 
-env:
-  CODEQL_CLI_VERSION: 2.20.1
 
 jobs:
   queries:
@@ -42,8 +40,6 @@ jobs:
       - name: Setup CodeQL
         if: steps.check_version.outputs.publish == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Publish codeql-LANG-queries (src) pack.
         if: steps.check_version.outputs.publish == 'true'
@@ -87,8 +83,6 @@ jobs:
       - name: Setup CodeQL
         if: steps.check_version.outputs.publish == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Publish codeql-LANG-libs (lib) pack
         if: steps.check_version.outputs.publish == 'true'
@@ -131,8 +125,6 @@ jobs:
       - name: Setup CodeQL
         if: steps.check_version.outputs.publish == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Publish codeql-LANG-extensions (ext) pack
         if: steps.check_version.outputs.publish == 'true'
@@ -176,8 +168,6 @@ jobs:
       - name: Setup CodeQL
         if: steps.check_version.outputs.publish == 'true'
         uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ env.CODEQL_CLI_VERSION }}
 
       - name: Publish codeql-LANG-library-sources (ext-library-sources) pack
         if: steps.check_version.outputs.publish == 'true'

.github/workflows/update-release.yml

@@ -29,7 +29,7 @@ jobs:
           private-key: ${{ secrets.SECLABS_APP_KEY }}
 
       - name: "Patch Release Me"
-        uses: 42ByteLabs/patch-release-me@67fb9fab3595fd3fee1dfa539e080fef0488c909 # 0.5.4
+        uses: 42ByteLabs/patch-release-me@63750b1c6fc917cdb605f13ad44c9e10e9d6ef5d # 0.6.0
         with:
           # Bump (patch)
           mode: ${{ inputs.mode }}

CONTRIBUTING.md

@@ -4,10 +4,6 @@ We welcome contributions to our CodeQL Community Packs libraries and queries. Go
 
 There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).
 
-## Change notes
-
-Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).
-
 ## Submitting a new query
 
 If you have an idea for a query that you would like to share with other CodeQL users, please open a pull request to add it to this repository. New queries start out in a `<language>/ql/src/` directory, to which they can be merged when they meet the following requirements.

configs/synthetics.yml

@@ -105,6 +105,7 @@ paths-ignore:
     - "vendor/**"
     - "examples/**"
     - "tests/**"
+    - "test/**"
     - "site-packages/**"
 
     # JavaScript

go/lib/codeql-pack.lock.yml

@@ -2,19 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.1.8
+    version: 2.0.4
   codeql/go-all:
-    version: 3.0.1
+    version: 4.2.2
   codeql/mad:
-    version: 1.0.14
+    version: 1.0.20
   codeql/ssa:
-    version: 1.0.14
+    version: 1.0.20
   codeql/threat-models:
-    version: 1.0.14
+    version: 1.0.20
   codeql/tutorial:
-    version: 1.0.14
+    version: 1.0.20
   codeql/typetracking:
-    version: 1.0.14
+    version: 2.0.4
   codeql/util:
-    version: 2.0.1
+    version: 2.0.7
 compiled: false

go/lib/ghsl.qll

@@ -0,0 +1,4 @@
+import go
+import ghsl.Utils
+import ghsl.LocalSources
+import ghsl.Sinks

go/lib/ghsl/Sinks.qll

@@ -0,0 +1,48 @@
+private import go
+private import semmle.go.dataflow.DataFlow
+private import semmle.go.security.CommandInjectionCustomizations
+private import semmle.go.security.OpenUrlRedirectCustomizations
+private import semmle.go.security.ReflectedXssCustomizations
+private import semmle.go.security.RequestForgeryCustomizations
+private import semmle.go.security.SqlInjectionCustomizations
+private import semmle.go.security.UnsafeUnzipSymlinkCustomizations
+private import semmle.go.security.XPathInjectionCustomizations
+private import semmle.go.security.ZipSlipCustomizations
+
+/**
+ * List of all the sinks that we want to check.
+ */
+class AllSinks extends DataFlow::Node {
+  private string sink;
+
+  AllSinks() {
+    this instanceof CommandInjection::Sink and
+    sink = "command-injection"
+    or
+    this instanceof OpenUrlRedirect::Sink and
+    sink = "open-url-redirect"
+    or
+    this instanceof ReflectedXss::Sink and
+    sink = "reflected-xss"
+    or
+    this instanceof RequestForgery::Sink and
+    sink = "request-forgery"
+    or
+    this instanceof SqlInjection::Sink and
+    sink = "sql-injection"
+    or
+    this instanceof UnsafeUnzipSymlink::EvalSymlinksSink and
+    sink = "unsafe-unzip"
+    or
+    this instanceof XPathInjection::Sink and
+    sink = "xpath-injection"
+    or
+    this instanceof ZipSlip::Sink and
+    sink = "zip-slip"
+  }
+
+  /**
+   * Gets the sink sink type.
+   */
+  string sinkType() { result = sink }
+}