Merge branch 'ruby-framework-grape' of github.com:felickz/codeql into ruby-framework-grape

Author: felickz

cpp/ql/lib/change-notes/2025-09-02-vla.md

@@ -1,4 +1,4 @@
 ---
 category: feature
 ---
-* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type defined in terms of an other `VlaDeclStmt` via a `typedef`.
+* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.

csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.qhelp

@@ -12,7 +12,7 @@
 <example>
   <p>In this example, we are incrementing/decrementing the current date by one year when creating a new <code>System.DateTime</code> object. This may work most of the time, but on any given February 29th, the resulting value will be invalid.</p>
   <sample src="UnsafeYearConstructionBad.cs" />
-  <p>To fix this bug, we add/substract years to the current date by calling <code>AddYears</code> method on it.</p>
+  <p>To fix this bug, we add/subtract years to the current date by calling <code>AddYears</code> method on it.</p>
   <sample src="UnsafeYearConstructionGood.cs" />
 </example>
 <references>

javascript/ql/src/LanguageFeatures/LengthComparisonOffByOne.ql

@@ -33,6 +33,18 @@ ConditionGuardNode getLengthLEGuard(Variable index, Variable array) {
   )
 }
 
+/**
+ * Gets a condition that checks that `index` is less than `array.length`.
+ */
+ConditionGuardNode getLengthLTGuard(Variable index, Variable array) {
+  exists(RelationalComparison cmp | cmp instanceof GTExpr or cmp instanceof LTExpr |
+    cmp = result.getTest() and
+    result.getOutcome() = true and
+    cmp.getGreaterOperand() = arrayLen(array) and
+    cmp.getLesserOperand() = index.getAnAccess()
+  )
+}
+
 /**
  * Gets a condition that checks that `index` is not equal to `array.length`.
  */
@@ -62,7 +74,8 @@ where
   elementRead(ea, array, index, bb) and
   // and the read is guarded by the comparison
   cond.dominates(bb) and
-  // but the read is not guarded by another check that `index != array.length`
-  not getLengthNEGuard(index, array).dominates(bb)
+  // but the read is not guarded by another check that `index != array.length` or `index < array.length`
+  not getLengthNEGuard(index, array).dominates(bb) and
+  not getLengthLTGuard(index, array).dominates(bb)
 select cond.getTest(), "Off-by-one index comparison against length may lead to out-of-bounds $@.",
   ea, "read"

javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.qhelp

@@ -108,7 +108,7 @@ str.replace(/\.\.\//g, "");
 </sample>
 
 <p>
-The regular expression attempts to strip out all occurences of <code>/../</code> from <code>str</code>.
+The regular expression attempts to strip out all occurrences of <code>/../</code> from <code>str</code>.
 This will not work as expected: for the string <code>/./.././</code>, for example, it will remove the single
 occurrence of <code>/../</code> in the middle, but the remainder of the string then becomes
 <code>/../</code>, which is another instance of the substring we were trying to remove.

javascript/ql/src/change-notes/2025-09-12-off-by-one.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Query `js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test.

javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js

@@ -55,3 +55,11 @@ function badContains(a, elt) {
       return true;
   return false;
 }
+
+// OK - incorrect upper bound, but extra check
+function badContains2(a, elt) {
+  for (let i = 0; i <= a.length; ++i)
+    if (i < a.length && a[i] === elt)
+      return true;
+  return false;
+}

ruby/ql/lib/codeql/ruby/frameworks/Grape.qll

@@ -136,7 +136,9 @@ private class GrapeParamsCall extends ParamsCallImpl {
       this.getParent+() = api.getADeclaration()
     )
   }
-}/**
+}
+
+/**
  * A call to `headers` from within a Grape API endpoint or headers block.
  * Headers can also be a source of user input.
  */

rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected

@@ -19,6 +19,7 @@ ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
 ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+ql/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
 ql/rust/ql/src/queries/summary/NodesWithTypeAtLengthLimit.ql

rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected

@@ -22,6 +22,7 @@ ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
 ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+ql/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
 ql/rust/ql/src/queries/summary/NodesWithTypeAtLengthLimit.ql

rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected

@@ -21,6 +21,7 @@ ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
 ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+ql/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
 ql/rust/ql/src/queries/summary/NodesWithTypeAtLengthLimit.ql