From e5d3e6ba6578c2bf2b1e956fdae509f8d8b61854 Mon Sep 17 00:00:00 2001
From: Jamis Buck <jamis.buck@mongodb.com>
Date: Tue, 7 May 2024 16:20:36 -0600
Subject: [PATCH 1/5] let's try out codeql

---
 .github/workflows/codeql.yml | 74 ++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..a2481e9bfd
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,74 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '20 0 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 360
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: ruby
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
+

From 51e461e316315f0b363cde2c9e2bdb5542f88947 Mon Sep 17 00:00:00 2001
From: Jamis Buck <jamis.buck@mongodb.com>
Date: Tue, 7 May 2024 16:59:38 -0600
Subject: [PATCH 2/5] .evergreen/tools.rb is not referenced anywhere

we can remove it, to remove the warnings it generates
---
 .evergreen/tools.rb | 67 ---------------------------------------------
 1 file changed, 67 deletions(-)
 delete mode 100644 .evergreen/tools.rb

diff --git a/.evergreen/tools.rb b/.evergreen/tools.rb
deleted file mode 100644
index 77d78a1980..0000000000
--- a/.evergreen/tools.rb
+++ /dev/null
@@ -1,67 +0,0 @@
-require 'json'
-require 'open-uri'
-
-class ServerVersionRegistry
-  def initialize(desired_version, arch)
-    @desired_version, @arch = desired_version, arch
-  end
-
-  attr_reader :desired_version, :arch
-
-  def download_url
-    @download_url ||= begin
-      info = JSON.load(uri_open('http://downloads.mongodb.org/current.json').read)
-      version = info['versions'].detect do |version|
-        version['version'].start_with?(desired_version) &&
-        !version['version'].include?('-') &&
-        # Sometimes the download situation is borked and there is a release
-        # with no downloads... skip those.
-        !version['downloads'].empty?
-      end
-      # Allow RC releases if there isn't a GA release.
-      version ||= info['versions'].detect do |version|
-        version['version'].start_with?(desired_version) &&
-        # Sometimes the download situation is borked and there is a release
-        # with no downloads... skip those.
-        !version['downloads'].empty?
-      end
-      if version.nil?
-        info = JSON.load(URI.parse('http://downloads.mongodb.org/full.json').open.read)
-        versions = info['versions'].select do |version|
-          version['version'].start_with?(desired_version) &&
-          !version['downloads'].empty?
-        end
-        # Get rid of rc, beta etc. versions if there is a GA release.
-        if versions.any? { |version| !version.include?('-') }
-          versions.delete_if do |version|
-            version['version'].include?('-')
-          end
-        end
-        # Versions are ordered with newest first, take the first one i.e. the most
-        # recent one.
-        version = versions.first
-        if version.nil?
-          STDERR.puts "Error: no version #{desired_version}"
-          exit 2
-        end
-      end
-      dl = version['downloads'].detect do |dl|
-        dl['archive']['url'].index("enterprise-#{arch}") &&
-        dl['arch'] == 'x86_64'
-      end
-      unless dl
-        STDERR.puts "Error: no download for #{arch} for #{version['version']}"
-        exit 2
-      end
-      url = dl['archive']['url']
-    end
-  end
-
-  def uri_open(*args)
-    if RUBY_VERSION < '2.5'
-      open(*args)
-    else
-      URI.open(*args)
-    end
-  end
-end

From a86d7017dc9444a54f88b6e357bcafb61d4a41ee Mon Sep 17 00:00:00 2001
From: Jamis Buck <jamis.buck@mongodb.com>
Date: Wed, 8 May 2024 09:34:24 -0600
Subject: [PATCH 3/5] this is not well-documented; hopefully this works to
 exclude those paths

---
 .github/workflows/codeql.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a2481e9bfd..097e92dec2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -45,6 +45,10 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config:
+          paths-ignore:
+            - .evergreen
+            - spec
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
@@ -71,4 +75,3 @@ jobs:
       uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
-

From 53d256ac3501925ee2511f0ec891406524524e3e Mon Sep 17 00:00:00 2001
From: Jamis Buck <jamis.buck@mongodb.com>
Date: Wed, 8 May 2024 10:59:38 -0600
Subject: [PATCH 4/5] action docs say this should be a "YAML string"

---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 097e92dec2..7df4fbfe9b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -45,7 +45,7 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
-        config:
+        config: |
           paths-ignore:
             - .evergreen
             - spec

From 6adba3d3258cc7c493833996b61cb595cc3d46c4 Mon Sep 17 00:00:00 2001
From: Jamis Buck <jamis.buck@mongodb.com>
Date: Wed, 8 May 2024 15:32:45 -0600
Subject: [PATCH 5/5] static analysis reported "Polynomial regular expression
 used on uncontrolled data"

---
 lib/mongo/socket/ssl.rb | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/lib/mongo/socket/ssl.rb b/lib/mongo/socket/ssl.rb
index aef137a5a4..10bb7b4d6c 100644
--- a/lib/mongo/socket/ssl.rb
+++ b/lib/mongo/socket/ssl.rb
@@ -287,7 +287,7 @@ def set_cert(context, options)
         # for instance, if there is no newline between two certificates
         # this code will extract them both but OpenSSL fails in this situation.
         if cert_text
-          certs = cert_text.scan(/-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/)
+          certs = extract_certs(cert_text)
           if certs.length > 1
             context.cert = OpenSSL::X509::Certificate.new(certs.shift)
             context.extra_chain_cert = certs.map do |cert|
@@ -390,6 +390,27 @@ def run_tls_context_hooks
           hook.call(@context)
         end
       end
+
+      BEGIN_CERT = "-----BEGIN CERTIFICATE-----"
+      END_CERT = "-----END CERTIFICATE-----"
+
+      # This was originally a scan + regex, but the regex was particularly
+      # inefficient and was flagged as a concern by static analysis.
+      def extract_certs(text)
+        [].tap do |list|
+          pos = 0
+
+          while (begin_idx = text.index(BEGIN_CERT, pos))
+            end_idx = text.index(END_CERT, begin_idx)
+            break unless end_idx
+
+            end_idx += END_CERT.length
+            list.push(text[begin_idx...end_idx])
+
+            pos = end_idx
+          end
+        end
+      end
     end
   end
 end