From 52c9a3c39252b870636391a6f34317a9d5cfba98 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 6 Jun 2025 15:56:46 +0200
Subject: [PATCH] codeql: taint basename()
---
.github/codeql-queries/PotentiallyDangerousFunction.ql | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/codeql-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
index d5a5635c356..40e2bbb6f9e 100644
--- a/.github/codeql-queries/PotentiallyDangerousFunction.ql
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
@@ -49,6 +49,9 @@ predicate potentiallyDangerousFunction(Function f, string message) {
) or (
f.getQualifiedName() = "dirname" and
message = "Call dirname() is icky. Use path_extract_directory() instead."
+ ) or (
+ f.getQualifiedName() = "basename" and
+ message = "Call basename() is icky. Use path_extract_filename() instead."
)
}
--
2.47.3
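Review bot: Matching only `f.getQualifiedName() = "basename"` in the added clause is likely to miss the POSIX variant: glibc's <libgen.h> maps basename to `__xpg_basename` via a macro, so a call site that includes libgen.h resolves to that symbol in the CodeQL database and slips past the rule, even though that is the variant most worth flagging since it may modify its argument and return a pointer to static storage. I would widen the match to `f.getQualifiedName() = ["basename", "__xpg_basename"] and` so both spellings are caught (worth confirming against the toolchain the CodeQL build uses). If path_extract_filename() reports an error for inputs with no filename component such as "/" or ".", as I believe it does but cannot see here, the message could say so, e.g. end it with "(note it returns an error for paths like \"/\" or \".\", unlike basename())", so the person doing the replacement handles the new error path instead of assuming a drop-in swap. The enclosing predicate potentiallyDangerousFunction starts before this hunk.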