• Improved modelling for the pycurl framework.

No user-facing changes.

• The experimental py/cors-misconfiguration-with-credentials query, which finds insecure CORS middleware configurations.

• The py/clear-text-logging-sensitive-data and py/clear-text-storage-sensitive-data queries have been updated to exclude the certificate classification of sensitive sources, which often do not contain sensitive data.

No user-facing changes.

• The py/cookie-injection query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being set without the Secure, HttpOnly, or SameSite attributes set to secure values.

• The py/cookie-injection query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack. This query finds instances of cookies being constructed from user input.

• Added models of streamlit PyPI package.

No user-facing changes.

• Adding Python support for Hardcoded Credentials as Models as Data
• Additional sanitizers have been added to the py/full-ssrf and py/partial-ssrf queries for methods that verify a string contains only a certain set of characters, such as .isalnum() as well as regular expression tests.

No user-facing changes.

• Added models for opml library.

• CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.

• Added models of gradio PyPI package.

• The py/header-injection query, originally contributed to the experimental query pack by @jorgectf, has been promoted to the main query pack and renamed to py/http-response-splitting. This query finds instances of http header injection / response splitting vulnerabilities.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The query py/nosql-injection for finding NoSQL injection vulnerabilities is now part of the default security suite.

No user-facing changes.

No user-facing changes.

• Added modeling of YARL's is_absolute method and checks of the netloc of a parsed URL as sanitizers for the py/url-redirection query, leading to fewer false positives.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• Added modeling of more FileSystemAccess in packages cherrypy, aiofile, aiofiles, anyio, sanic, starlette, baize, and io. This will mainly affect the Uncontrolled data used in path expression (py/path-injection) query.

No user-facing changes.

No user-facing changes.

• The query py/nosql-injection for finding NoSQL injection vulnerabilities is now available in the default security suite.

• Improved URL redirection from remote source (py/url-redirection) query to not alert when URL has been checked with django.utils.http. url_has_allowed_host_and_scheme.
• Extended the py/command-line-injection query with sinks from Python's asyncio module.

No user-facing changes.

• Improved Reflected server-side cross-site scripting (py/reflective-xss) query to not alert on data passed to flask.jsonify. Since these HTTP responses are returned with mime-type application/json, they do not pose a security risk for XSS.
• Updated path explanations for @kind path-problem queries to always include left hand side of assignments, making paths easier to understand.

No user-facing changes.

No user-facing changes.

• Fixed modeling of aiohttp.ClientSession so we properly handle async with uses. This can impact results of server-side request forgery queries (py/full-ssrf, py/partial-ssrf).

• The query "Arbitrary file write during archive extraction ("Zip Slip")" (py/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."

No user-facing changes.

• The display name (@name) of the py/unsafe-deserialization query has been updated in favor of consistency with other languages.

No user-facing changes.

No user-facing changes.

• Nonlocal variables are excluded from alerts.

No user-facing changes.

• Added a new query, py/shell-command-constructed-from-input, to detect libraries that unsafely construct shell commands from their inputs.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• The analysis/AlertSuppression.ql query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new # codeql[query-id] supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy # lgtm and # lgtm[query-id] comments can now also be placed on the line before an alert.
• Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the Use of weak cryptographic key (py/weak-crypto-key) query.
• Added modeling of getpass.getpass as a source of passwords, which will be an additional source for py/clear-text-logging-sensitive-data, py/clear-text-storage-sensitive-data, and py/weak-sensitive-data-hashing.

No user-facing changes.

No user-facing changes.

No user-facing changes.

No user-facing changes.

• Added model of cx_Oracle, oracledb, phonenixdb and pyodbc PyPI packages as a SQL interface following PEP249, resulting in additional sinks for py/sql-injection.
• Added model of executemany calls on PEP-249 compliant database APIs, resulting in additional sinks for py/sql-injection.
• Added model of pymssql PyPI package as a SQL interface following PEP249, resulting in additional sinks for py/sql-injection.
• The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.

• Fixed how flask.request is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as from flask import request, will now be shown as the first step in a path explanation.

No user-facing changes.

• Added the security-severity tag the py/redos, py/polynomial-redos, and py/regex-injection queries.

• The alert message of many queries have been changed to make the message consistent with other languages.

• Added a new query, py/suspicious-regexp-range, to detect character ranges in regular expressions that seem to match too many characters.

• Contextual queries and the query libraries they depend on have been moved to the codeql/python-all package.

• Contextual queries and the query libraries they depend on have been moved to the codeql/python-all package.

• Improved library modeling for the query "Request without certificate validation" (py/request-without-cert-validation), so it now also covers httpx, aiohttp.client, and urllib3.

• The query "Use of a broken or weak cryptographic algorithm" (py/weak-cryptographic-algorithm) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.

• The query "PAM authorization bypass due to incorrect usage" (py/pam-auth-bypass) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @porcupineyhairs.

• "XML external entity expansion" (py/xxe). Results will appear by default. This query was based on an experimental query by @jorgectf.
• "XML internal entity expansion" (py/xml-bomb). Results will appear by default. This query was based on an experimental query by @jorgectf.
• The query "CSRF protection weakened or disabled" (py/csrf-protection-disabled) has been implemented. Its results will now appear by default.

• The query "XPath query built from user-controlled sources" (py/xpath-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @porcupineyhairs.

• The query "LDAP query built from user-controlled sources" (py/ldap-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @jorgectf.
• The query "Log Injection" (py/log-injection) has been promoted from experimental to the main query pack. Its results will now appear when security-extended is used. This query was originally submitted as an experimental query by @haby0.

• The View AST functionality no longer prints detailed information about regular expressions, greatly improving performance.

• User names and other account information is no longer considered to be sensitive data for the queries py/clear-text-logging-sensitive-data and py/clear-text-storage-sensitive-data, since this lead to many false positives.

• Two new queries have been added for detecting Server-side request forgery (SSRF). Full server-side request forgery (py/full-ssrf) will only alert when the URL is fully user-controlled, and Partial server-side request forgery (py/partial-ssrf) will alert when any part of the URL is user-controlled. Only py/full-ssrf will be run by default.

• To support the new SSRF queries, the PyPI package requests has been modeled, along with http.client.HTTP[S]Connection from the standard library.

• Added modeling of many functions from the os module that uses file system paths, such as os.stat, os.chdir, os.mkdir, and so on. All of these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
• Added modeling of the tempfile module for creating temporary files and directories, such as the functions tempfile.NamedTemporaryFile and tempfile.TemporaryDirectory. The suffix, prefix, and dir arguments are all vulnerable to path-injection, and these are new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
• Extended the modeling of FastAPI such that fastapi.responses.FileResponse are considered FileSystemAccess, making them sinks for the Uncontrolled data used in path expression (py/path-injection) query.
• Added modeling of the posixpath, ntpath, and genericpath modules for path operations (although these are not supposed to be used), resulting in new sinks for the Uncontrolled data used in path expression (py/path-injection) query.
• Added modeling of wsgiref.simple_server applications, leading to new remote flow sources.

• Fixed the query ids of two queries that are meant for manual exploration: python/count-untrusted-data-external-api and python/untrusted-data-to-external-api have been changed to py/count-untrusted-data-external-api and py/untrusted-data-to-external-api.