microsoft
diff --git a/‎csharp/documentation/library-coverage/coverage.csv
Lines changed: 1 addition & 1 deletion b/‎csharp/documentation/library-coverage/coverage.csv
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/documentation/library-coverage/coverage.rst
Lines changed: 2 additions & 2 deletions b/‎csharp/documentation/library-coverage/coverage.rst
Lines changed: 2 additions & 2 deletions
diff --git a/‎csharp/ql/lib/change-notes/2025-02-13-csharp13-dotnet9.md
Lines changed: 4 additions & 0 deletions b/‎csharp/ql/lib/change-notes/2025-02-13-csharp13-dotnet9.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/codeql/reusables/supported-versions-compilers.rst
Lines changed: 2 additions & 2 deletions b/‎docs/codeql/reusables/supported-versions-compilers.rst
Lines changed: 2 additions & 2 deletions
diff --git a/‎go/documentation/library-coverage/coverage.csv
Lines changed: 2 additions & 1 deletion b/‎go/documentation/library-coverage/coverage.csv
Lines changed: 2 additions & 1 deletion
diff --git a/‎go/documentation/library-coverage/coverage.rst
Lines changed: 3 additions & 3 deletions b/‎go/documentation/library-coverage/coverage.rst
Lines changed: 3 additions & 3 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-020/ExternalAPITaintStepExample.java
Lines changed: 1 addition & 0 deletions b/‎java/ql/src/Security/CWE/CWE-020/ExternalAPITaintStepExample.java
Lines changed: 1 addition & 0 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java
Lines changed: 1 addition & 0 deletions b/‎java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java
Lines changed: 1 addition & 0 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
Lines changed: 1 addition & 0 deletions b/‎java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
Lines changed: 1 addition & 0 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
Lines changed: 1 addition & 0 deletions b/‎java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
Lines changed: 1 addition & 0 deletions
@@ -42,5 +42,5 @@ MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,12221,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5921,6300
+System,54,47,12241,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5941,6300
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,
@@ -16,7 +16,7 @@ container/ring,,,5,,,,,,,,,,,,,,,,,,,,,,,5,
 context,,,5,,,,,,,,,,,,,,,,,,,,,,,5,
 crypto,,,10,,,,,,,,,,,,,,,,,,,,,,,10,
 database/sql,30,18,12,,,,,,,,,,,,30,,,,,,18,,,,,12,
-encoding,,,77,,,,,,,,,,,,,,,,,,,,,,,77,
+encoding,,,81,,,,,,,,,,,,,,,,,,,,,,,81,
 errors,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
 expvar,,,6,,,,,,,,,,,,,,,,,,,,,,,6,
 fmt,3,,16,,,,3,,,,,,,,,,,,,,,,,,,16,
@@ -139,4 +139,5 @@ syscall,5,2,8,5,,,,,,,,,,,,,,,,,,2,,,,8,
 text/scanner,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
 text/tabwriter,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
 text/template,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
+weak,,,2,,,,,,,,,,,,,,,,,,,,,,,2,
 xorm.io/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,,,
@@ -4,6 +4,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
 		StringBuilder sqlQueryBuilder = new StringBuilder();
 		sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
+		// BAD: a request parameter is concatenated directly into a SQL query
 		sqlQueryBuilder.append(request.getParameter("user_id"));
 		sqlQueryBuilder.append("'");
 
 
@@ -1,5 +1,6 @@
 public class PartialPathTraversalBad {
     public void example(File dir, File parent) throws IOException {
+        // BAD: dir.getCanonicalPath() not slash-terminated
         if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
             throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
         }
 
@@ -2,6 +2,7 @@
 
 public class PartialPathTraversalGood {
     public void example(File dir, File parent) throws IOException {
+        // GOOD: Check if dir.Path() is normalised
         if (!dir.toPath().normalize().startsWith(parent.toPath())) {
             throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
         }
 
@@ -20,4 +20,5 @@ public String studentEmail(String studentName) {
 webview.loadData("", "text/html", null);
 
 String name = "Robert'; DROP TABLE students; --";
+// BAD: Untrusted input loaded into WebView
 webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`public class PartialPathTraversalBad {`
`2`	`2`	`public void example(File dir, File parent) throws IOException {`
	`3`	`+ // BAD: dir.getCanonicalPath() not slash-terminated`
`3`	`4`	`if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {`
`4`	`5`	`throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());`
`5`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`public class PartialPathTraversalGood {`
`4`	`4`	`public void example(File dir, File parent) throws IOException {`
	`5`	`+ // GOOD: Check if dir.Path() is normalised`
`5`	`6`	`if (!dir.toPath().normalize().startsWith(parent.toPath())) {`
`6`	`7`	`throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());`
`7`	`8`	`}`