Merge branch 'main' into constcrypto

Author: geoffw0

.github/codeql/codeql-config.yml

@@ -4,9 +4,13 @@ queries:
   - uses: security-and-quality
 
 paths-ignore:
+  - '/actions/ql/test'
   - '/cpp/'
   - '/java/'
   - '/python/'
   - '/javascript/ql/test'
+  - '/javascript/ql/integration-tests'
   - '/javascript/extractor/tests'
+  - '/javascript/extractor/parser-tests'
+  - '/javascript/ql/src/'
   - '/rust/ql'

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,10 @@ on:
 
 jobs:
   CodeQL-Build:
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions', 'csharp']
 
     runs-on: ubuntu-latest
 
@@ -38,9 +42,8 @@ jobs:
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
       with:
-        languages: csharp
+        languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).

Cargo.lock

@@ -73,6 +73,7 @@ use_repo(
     tree_sitter_extractors_deps,
     "vendor_ts__anyhow-1.0.96",
     "vendor_ts__argfile-0.2.1",
+    "vendor_ts__chalk-ir-0.99.0",
     "vendor_ts__chrono-0.4.39",
     "vendor_ts__clap-4.5.31",
     "vendor_ts__dunce-1.0.5",
@@ -94,6 +95,7 @@ use_repo(
     "vendor_ts__ra_ap_hir-0.0.266",
     "vendor_ts__ra_ap_hir_def-0.0.266",
     "vendor_ts__ra_ap_hir_expand-0.0.266",
+    "vendor_ts__ra_ap_hir_ty-0.0.266",
     "vendor_ts__ra_ap_ide_db-0.0.266",
     "vendor_ts__ra_ap_intern-0.0.266",
     "vendor_ts__ra_ap_load-cargo-0.0.266",

MODULE.bazel

@@ -1,5 +1,5 @@
 /**
- * @name PATH Enviroment Variable built from user-controlled sources
+ * @name PATH environment variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql

@@ -1,5 +1,5 @@
 /**
- * @name PATH Enviroment Variable built from user-controlled sources
+ * @name PATH environment variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql

@@ -1,5 +1,5 @@
 /**
- * @name Enviroment Variable built from user-controlled sources
+ * @name Environment variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

@@ -1,5 +1,5 @@
 /**
- * @name Enviroment Variable built from user-controlled sources
+ * @name Environment variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
  * @problem.severity error

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run: