[codex] Merge upstream into fork #5

Merged: dnjg merged 51 commits into main from upstream-merge on Apr 12, 2026

Conversation

@mfow-nullify

Automated merge branch for syncing Nullify-Platform/opengrep with upstream/main.

This PR is created and updated by the upstream merge automation.

Validation:

  • GitHub Actions on branch/PR
  • Local merge conflict resolution in tainting call-graph code

corneliuhoffman and others added 30 commits March 31, 2026 10:59
Add constructor call resolution to the call graph so that
new ClassName(), ClassName(), and ClassName.new() create edges
to the constructor method (using Lang_config's constructor_names).

Fix object_mappings lookup to use SID-aware comparison, preventing
same-named variables in different scopes from resolving to the
wrong class.

Add type annotation fallback so that method calls on typed
parameters (e.g. Python's `def f(x: ClassName)`) resolve when
object_mappings has no entry.

Extract tok_of_eorig helper to recover source-level tokens from
IL expressions. Call graph edges are keyed by source positions,
but IL construction often creates expressions with synthetic tokens.
The eorig back-pointer preserves the original source position.

Apply this to get_signature_for_object and DRY the simple call path
which already had the same logic inlined.

Also resolve obj.method() patterns in ToSinkInCall effects.

Remove id_resolved guard from mk_class_constructor_name so the IL
New instruction always carries a constructor reference.

In call_with_intrafile, detect constructor calls via the call graph
and remap the callee to obj.Constructor so Sig_inst can instantiate
BThis field effects onto the target variable. Prepend self arg for
Python constructors (which have explicit self in params but not in
call args). Read back the shape from lval_env after ToLval effects
so it propagates through intermediate assignments.

Add tests for Java, Python, and Ruby demonstrating:
- False negative fixed: zero-arg constructors with internal sources
- False positive fixed: constructors ignoring tainted args
- Cross-function flow via type annotations on parameters

Update test_python_constructor.py with type annotation on sink_ex.
Update test_ruby_zero_arg_dispatch.rb todoruleid -> ruleid.

fix: proper constructor taint analysis

Dockerfile: Preprocess for better line continuations and comments

Replace G.OtherParam with G.ParamPattern for OtherParamExpr and
OtherParamPair in the Elixir-to-generic translation. Add
Container(Dict) handling in expr_to_pattern so map patterns convert
to PatList rather than falling through to opaque OtherPat.

Translate the => operator as keyval (Container(Tuple, ...)) instead of
Call(Id("=>"), ...) so arrow pairs share the same structure as keyword
pairs. Wrap map items in OtherExpr("MapPairArrow")/OtherExpr("MapPairKeyword")
to preserve syntax distinction for pattern matching. Add OtherExpr-to-OtherPat
conversion in expr_to_pattern, and unwrap the tags in AST_to_IL for Elixir.

Add dots_arrow_map test for arrow-syntax map patterns. Both tests
include negative cases proving the two forms do not cross-match.

elixir: fix map destructuring in function parameters

The OtherExpr("MapPairArrow"/"MapPairKeyword") wrappers introduced
for map items were opaque to the dict function in AST_to_IL, breaking
taint propagation through map value expressions. Unwrap these tags
so dict entries are processed normally.

elixir: fix taint propagation through map value expressions

…afile (opengrep#638)

* add tests and fix the chaining of methods in all langs

* simplification of access removed tok_of_eorig

…gh-destructuring-structs-in-args

Elixir: Updates to syntax (part 1)
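The three Python scenarios listed in the test commit above, as an added example that is not part of the PR's own test files: a constructed `Tainted` marker and a `sink()` check record at runtime whether untrusted data actually reaches the sink, which is the ground truth a static constructor-aware taint analysis should reproduce. `Tainted`, `read_untrusted`, `sink`, `Config`, `Greeting` and `use_config` are all assumed names.

```python
# Constructed example: a tiny dynamic taint model for the three constructor
# scenarios named in the test commit (not the PR's own test files).

class Tainted(str):
    """Marker subclass: a str carrying an untrusted-origin label."""


def read_untrusted() -> Tainted:
    # Assumed source: stands in for e.g. request input or environment data.
    return Tainted("<user controlled>")


def sink(value) -> bool:
    """Assumed sink. Returns True when tainted data reaches it."""
    return isinstance(value, Tainted)


class Config:
    """Zero-arg constructor with an internal source: the taint originates
    inside __init__, so the call site has no tainted arguments at all."""
    def __init__(self):
        self.path = read_untrusted()


class Greeting:
    """Constructor that ignores its argument: taint passed in does not
    flow into any field, so later uses of the object are clean."""
    def __init__(self, _unused):
        self.text = "hello"


def use_config(cfg: Config) -> bool:
    # Cross-function flow: only the type annotation tells a static
    # analysis which __init__ produced cfg (object_mappings has no entry).
    return sink(cfg.path)


def zero_arg_internal_source() -> bool:
    # Expected: True (reachable flow that a zero-arg call used to miss).
    return sink(Config().path)

def constructor_ignores_tainted_arg() -> bool:
    # Expected: False (the old analysis reported this as tainted).
    return sink(Greeting(read_untrusted()).text)

def flow_via_type_annotation() -> bool:
    # Expected: True (flow from __init__ through a typed parameter).
    return use_config(Config())
```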
@mfow-nullify mfow-nullify marked this pull request as ready for review April 10, 2026 09:52
@dnjg dnjg merged commit bca4af4 into main Apr 12, 2026
6 checks passed