github · d10c · Jul 2, 2025 · Jul 3, 2025 · Jul 3, 2025 · Jul 3, 2025
@@ -1,6 +1,7 @@
 private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.security.ControlChecks
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
 
@@ -88,6 +89,19 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    exists(Event event | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      not exists(ControlCheck check | check.protects(sink.asExpr(), event, "argument-injection"))
+    )
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.ControlChecks
 
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
@@ -316,6 +317,19 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    exists(Event event | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))
+    )
+  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */

@@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
+import codeql.actions.security.CachePoisoningQuery
 
 class CodeInjectionSink extends DataFlow::Node {
   CodeInjectionSink() {
@@ -35,6 +37,53 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // where clause from CodeInjectionCritical.ql
+    exists(Event event, RemoteFlowSource source | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      isSource(source) and
+      source.getEventName() = event.getName() and
+      not exists(ControlCheck check | check.protects(sink.asExpr(), event, "code-injection")) and
+      // exclude cases where the sink is a JS script and the expression uses toJson
+      not exists(UsesStep script |
+        script.getCallee() = "actions/github-script" and
+        script.getArgumentExpr("script") = sink.asExpr() and
+        exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+      )
+    )
+    or
+    // where clause from CachePoisoningViaCodeInjection.ql
+    exists(Event event, LocalJob job, DataFlow::Node source | result = event.getLocation() |
+      job = sink.asExpr().getEnclosingJob() and
+      job.getATriggerEvent() = event and
+      // job can be triggered by an external user
+      event.isExternallyTriggerable() and
+      // the checkout is not controlled by an access check
+      isSource(source) and
+      not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection")) and
+      // excluding privileged workflows since they can be exploited in easier circumstances
+      // which is covered by `actions/code-injection/critical`
+      not job.isPrivilegedExternallyTriggerable(event) and
+      (
+        // the workflow runs in the context of the default branch
+        runsOnDefaultBranch(event)
+        or
+        // the workflow caller runs in the context of the default branch
+        event.getName() = "workflow_call" and
+        exists(ExternalJob caller |
+          caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+          runsOnDefaultBranch(caller.getATriggerEvent())
+        )
+      )
+    )
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

@@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
 
 private class CommandInjectionSink extends DataFlow::Node {
   CommandInjectionSink() { madSink(this, "command-injection") }
@@ -16,6 +17,22 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // where clause from CommandInjectionCritical.ql
+    exists(Event event | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      not exists(ControlCheck check |
+        check.protects(sink.asExpr(), event, ["command-injection", "code-injection"])
+      )
+    )
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

@@ -3,6 +3,7 @@
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
 private import codeql.actions.security.UntrustedCheckoutQuery
+private import codeql.actions.security.ControlChecks
 
 abstract class EnvPathInjectionSink extends DataFlow::Node { }
 
@@ -108,6 +109,35 @@
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any()
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none()
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or // where clause from EnvPathInjectionCritical.ql
+    exists(Event event, RemoteFlowSource source | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      isSource(source) and
+      (
+        not source.getSourceType() = "artifact" and
+        not exists(ControlCheck check |
+          check.protects(sink.asExpr(), event, "code-injection")
+        )
+        or
+        source.getSourceType() = "artifact" and
+        not exists(ControlCheck check |
+          check.protects(sink.asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
+        ) and
+        sink instanceof EnvPathInjectionFromFileReadSink
+      )
+    )
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */

@@ -163,6 +163,40 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // where clause from EnvVarInjectionCritical.ql
+    exists(Event event, RemoteFlowSource source | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      isSource(source) and
+      // exclude paths to file read sinks from non-artifact sources
+      (
+        // source is text
+        not source.getSourceType() = "artifact" and
+        not exists(ControlCheck check |
+          check.protects(sink.asExpr(), event, ["envvar-injection", "code-injection"])
+        )
+        or
+        // source is an artifact or a file from an untrusted checkout
+        source.getSourceType() = "artifact" and
+        not exists(ControlCheck check |
+          check
+              .protects(sink.asExpr(), event,
+                ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
+        ) and
+        (
+          sink instanceof EnvVarInjectionFromFileReadSink or
+          madSink(sink, "envvar-injection")
+        )
+      )
+    )
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

@@ -82,6 +82,10 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
       nodeIsBarrierEqualityCandidate(node, access, checkedVar)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Critical/OverflowDestination.ql@93:8:93:9)
+  }
 }
 
 module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;

@@ -168,6 +168,10 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
       cannotContainString(t)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 181 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql@184:53:184:56)
+  }
 }
 
 module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;

@@ -215,6 +215,18 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 1 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 3 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 5 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50), Column 5 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 1 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 3 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 5 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50), Column 5 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 1 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 3 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 5 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50), Column 5 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50)
+  }
 }
 
 module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
@@ -285,6 +297,8 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
       aexpr.getLValue() = fa
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PossibleYearArithmeticOperationCheckFlow =

@@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll@13:36:13:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll@16:43:16:92)
+  }
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
@@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll@13:36:13:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll@16:43:16:92)
+  }
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
@@ -93,6 +93,10 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
     // make sinks barriers so that we only report the closest instance
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.asIndirectArgument (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql@108:8:108:17)
+  }
 }
 
 module TaintedPath = TaintTracking::Global<TaintedPathConfig>;

@@ -150,6 +150,10 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
   predicate isBarrierOut(DataFlow::Node node) {
     isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 161 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql@165:8:165:14), Column 7 does not select a source or sink originating from the flow call on line 161 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql@167:71:167:82)
+  }
 }
 
 module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;

@@ -39,6 +39,10 @@ module Config implements DataFlow::ConfigSig {
     or
     node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects source.asIndirectExpr (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql@51:3:51:7)
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;

@@ -54,6 +54,10 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
       sql.barrierSqlArgument(input, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 74 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql@77:8:77:17)
+  }
 }
 
 module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;

@@ -223,6 +223,14 @@
       state1 = state2 + delta
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@269:8:269:41), Column 5 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@270:58:270:63), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@249:5:249:76)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@269:8:269:41), Column 5 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@270:58:270:63), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@249:5:249:76)
+  }
 }
 
 module StringSizeFlow = ProductFlow::GlobalWithState<StringSizeConfig>;