Merge branch 'main' into add-php-support

Author: drmckay

csharp/ql/src/Bad Practices/PathCombine.ql

@@ -1,6 +1,7 @@
 /**
- * @name Call to System.IO.Path.Combine
- * @description Finds calls to System.IO.Path's Combine method
+ * @name Call to 'System.IO.Path.Combine' may silently drop its earlier arguments
+ * @description 'Path.Combine' may silently drop its earlier arguments
+ *              if its later arguments are absolute paths.
  * @kind problem
  * @problem.severity recommendation
  * @precision very-high
@@ -15,4 +16,4 @@ import semmle.code.csharp.frameworks.System
 
 from MethodCall call
 where call.getTarget().hasFullyQualifiedName("System.IO", "Path", "Combine")
-select call, "Call to 'System.IO.Path.Combine'."
+select call, "Call to 'System.IO.Path.Combine' may silently drop its earlier arguments."

csharp/ql/src/change-notes/2025-12-16-path-combine-metadata.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.

csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.expected

@@ -1 +1 @@
-| PathCombine.cs:7:9:7:54 | call to method Combine | Call to 'System.IO.Path.Combine'. |
+| PathCombine.cs:7:9:7:54 | call to method Combine | Call to 'System.IO.Path.Combine' may silently drop its earlier arguments. |

javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added `PreCallGraphStep` flow model for React's `useRef` hook.
+* Added a `DomValueSource` that uses the `current` property off the object returned by React's `useRef` hook.

javascript/ql/lib/semmle/javascript/frameworks/React.qll

@@ -612,6 +612,25 @@ private class UseStateStep extends PreCallGraphStep {
   }
 }
 
+/**
+ * Step through a `useRef` call.
+ *
+ * It returns an object with a single property (`current`) initialized to the initial value.
+ *
+ * For example:
+ * ```js
+ * const inputRef1 = useRef(initialValue);
+ * ```
+ */
+private class UseRefStep extends PreCallGraphStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode call | call = react().getAMemberCall("useRef") |
+      pred = call.getArgument(0) and // initial state
+      succ = call.getAPropertyRead("current")
+    )
+  }
+}
+
 /**
  * A step through a React context object.
  *
@@ -785,6 +804,17 @@ private class ReactRouterLocationSource extends DOM::LocationSource::Range {
   }
 }
 
+private class UseRefDomValueSource extends DOM::DomValueSource::Range {
+  UseRefDomValueSource() {
+    this =
+      any(JsxAttribute attrib | attrib.getName() = "ref")
+          .getValue()
+          .flow()
+          .getALocalSource()
+          .getAPropertyRead("current")
+  }
+}
+
 /**
  * Gets a reference to a function which, if called with a React component, returns wrapped
  * version of that component, which we model as a direct reference to the underlying component.

rust/ast-generator/src/main.rs

@@ -15,6 +15,7 @@ use ungrammar::Grammar;
 
 fn class_name(type_name: &str) -> String {
     match type_name {
+        "Adt" => "TypeItem".to_owned(),
         "BinExpr" => "BinaryExpr".to_owned(),
         "ElseBranch" => "Expr".to_owned(),
         "Fn" => "Function".to_owned(),

rust/downgrades/c467bf63916002287b7bde8ce8b094c57579bd81/downgrade.ql

@@ -0,0 +1,73 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Enum extends Element, @enum { }
+
+class Struct extends Element, @struct { }
+
+class Union extends Element, @union { }
+
+class Attr extends Element, @attr { }
+
+class GenericParamList extends Element, @generic_param_list { }
+
+class Name extends Element, @name { }
+
+class Visibility extends Element, @visibility { }
+
+class WhereClause extends Element, @where_clause { }
+
+query predicate new_enum_attrs(Enum enum, int index, Attr attr) {
+  type_item_attrs(enum, index, attr)
+}
+
+query predicate new_enum_generic_param_lists(Enum enum, GenericParamList g) {
+  type_item_generic_param_lists(enum, g)
+}
+
+query predicate new_enum_names(Enum enum, Name name) { type_item_names(enum, name) }
+
+query predicate new_enum_visibilities(Enum enum, Visibility visibility) {
+  type_item_visibilities(enum, visibility)
+}
+
+query predicate new_enum_where_clauses(Enum enum, WhereClause whereClause) {
+  type_item_where_clauses(enum, whereClause)
+}
+
+query predicate new_struct_attrs(Struct struct, int index, Attr attr) {
+  type_item_attrs(struct, index, attr)
+}
+
+query predicate new_struct_generic_param_lists(Struct struct, GenericParamList g) {
+  type_item_generic_param_lists(struct, g)
+}
+
+query predicate new_struct_names(Struct struct, Name name) { type_item_names(struct, name) }
+
+query predicate new_struct_visibilities(Struct struct, Visibility visibility) {
+  type_item_visibilities(struct, visibility)
+}
+
+query predicate new_struct_where_clauses(Struct struct, WhereClause whereClause) {
+  type_item_where_clauses(struct, whereClause)
+}
+
+query predicate new_union_attrs(Union union, int index, Attr attr) {
+  type_item_attrs(union, index, attr)
+}
+
+query predicate new_union_generic_param_lists(Union union, GenericParamList g) {
+  type_item_generic_param_lists(union, g)
+}
+
+query predicate new_union_names(Union union, Name name) { type_item_names(union, name) }
+
+query predicate new_union_visibilities(Union union, Visibility visibility) {
+  type_item_visibilities(union, visibility)
+}
+
+query predicate new_union_where_clauses(Union union, WhereClause whereClause) {
+  type_item_where_clauses(union, whereClause)
+}