Diff-informed queries: phase 3 (non-trivial locations) #19957

Draft: wants to merge 103 commits into base: main

103 commits
3ef2e0a
Actions: patch-generated stubs
d10c Jul 2, 2025
bc3e982
Actions: ArgumentInjection
d10c Jul 3, 2025
0232dee
Actions: ArtifactPoisoning
d10c Jul 3, 2025
ede4d44
Actions: CodeInjection
d10c Jul 3, 2025
454c825
Actions: CommandInjection
d10c Jul 3, 2025
fc8a757
Actions: EnvPathInjection
d10c Jul 3, 2025
08df17f
Actions: EnvVarInjection
d10c Jul 3, 2025
55ed8e9
C++: patch-generated stubs
d10c Jul 2, 2025
d924a90
C++: OverflowDestination
d10c Jul 8, 2025
7b52e81
C++: NonConstantFormat
d10c Jul 8, 2025
d1b8f4e
C++: LeapYear
d10c Jul 9, 2025
011507a
C++: CWE-020/ExternalAPIs (+ add tests based on qhelp)
d10c Jul 9, 2025
98eaae0
C++: TaintedPath
d10c Jul 9, 2025
242bc3d
C++: ExecTainted
d10c Jul 9, 2025
a58acdb
C++: CgiXss
d10c Jul 9, 2025
7e4b2c8
C++: SqlTainted
d10c Jul 9, 2025
1c30a95
C++: OverrunWriteProductFlow (revert because product flows cannot be …
d10c Jul 9, 2025
350f566
C++: UnboundedWrite
d10c Jul 9, 2025
21dd827
C++: ImproperNullTerminationTainted
d10c Jul 9, 2025
443c5fb
C++: ArithmeticTainted
d10c Jul 9, 2025
43921ce
C++: ArithmeticUncontrolled
d10c Jul 9, 2025
08d2343
C++: ArithmeticWithExtremeValues
d10c Jul 9, 2025
39d0ae7
C++: TaintedAllocationSize
d10c Jul 9, 2025
a4df621
C++: AuthenticationBypass
d10c Jul 9, 2025
61b8a48
C++: SSLResultConflation
d10c Jul 9, 2025
21df636
C++: CleartextBufferWrite
d10c Jul 9, 2025
1e40445
C++: CleartextFileWrite
d10c Jul 9, 2025
340a043
C++: CleartextTransmission
d10c Jul 9, 2025
708db01
C++: CleartextSqliteDatabase (+ tests)
d10c Jul 9, 2025
ee25fec
C++: UseOfHttp
d10c Jul 9, 2025
753e28e
C++: InsufficientKeySize
d10c Jul 9, 2025
70990db
C++: IteratorToExpiredContainer
d10c Jul 9, 2025
c250f8e
C++: UnsafeCreateProcessCall
d10c Jul 9, 2025
666efdf
C++: UnsafeDaclSecurityDescriptor
d10c Jul 9, 2025
0da4f6c
C++: TaintedCondition
d10c Jul 9, 2025
9a902dd
C++: TypeConfusion
d10c Jul 9, 2025
a54f75d
C++: ArrayAccessProductFlow (revert because product flows cannot be d…
d10c Jul 9, 2025
a161dd3
C++: ConstantSizeArrayOffByOne
d10c Jul 9, 2025
e023b41
C++: DecompressionBombs
d10c Jul 9, 2025
7e0cb19
C#: patch-generated stubs
d10c Jul 2, 2025
8e80b8f
C#: ConditinalBypass
d10c Jul 4, 2025
4347820
C#: ExternalAPIsQuery/UntrustedDataToExternalAPI
d10c Jul 4, 2025
6ddef99
C#: UnsafeDeserialization
d10c Jul 4, 2025
e0254bc
C#: HardcodedConnectionString
d10c Jul 4, 2025
1be5eba
Go: patch-generated stubs
d10c Jul 2, 2025
3440b06
Go: AllocationSizeOverflow
d10c Jul 7, 2025
6b871bc
Go: CommandInjection
d10c Jul 7, 2025
9a2d7a3
Go: ExternalAPIs
d10c Jul 7, 2025
a535157
Go: HardcodedCredentials
d10c Jul 7, 2025
a09f750
Go: IncorrectIntegerConversion
d10c Jul 7, 2025
4bf054c
Go: InsecureRandomness
d10c Jul 7, 2025
f9a271e
Go: ReflectedXss
d10c Jul 7, 2025
3e17d3a
Go: RequestForgery
d10c Jul 7, 2025
601b987
Go: SafeUrlFlow
d10c Jul 7, 2025
4da6199
Go: UnhandledCloseWritableHandle
d10c Jul 7, 2025
0c0de89
Go: InsecureHostKeyCallback
d10c Jul 7, 2025
9ec8576
Go: BadRedirectCheck
d10c Jul 7, 2025
ac2bae6
Go: AuthCookie/CookieWithoutHttpOnly/BoolToGin
d10c Jul 7, 2025
ebee081
Go: SensitiveConditionBypass
d10c Jul 7, 2025
9882a00
Go: ConditionalBypass
d10c Jul 7, 2025
b423a99
Go: SSRF
d10c Jul 7, 2025
e5f0576
Java: patch-generated stubs
d10c Jul 2, 2025
e4d0209
Java: PolynomialReDos (keep excluded)
d10c Jul 7, 2025
2903228
Java: AndroidSensitiveCommuniation: (convert test to qlref)
d10c Jul 7, 2025
68d133b
Java: ArithmeticTainted
d10c Jul 7, 2025
077814e
Java: ArithmeticUncontrolled
d10c Jul 7, 2025
ae5b456
Java: ConditionalBypass (enable diff-informed + convert test to qlref)
d10c Jul 7, 2025
dd7470d
Java: ExternalAPIs (enable diff-informed + add tests based on qhelp)
d10c Jul 7, 2025
a5b773e
Java: ExternallyControlledFormatString
d10c Jul 7, 2025
57e643c
Java: ImproperValidationOfArray...
d10c Jul 7, 2025
1a2f959
Java: InsecureCookie
d10c Jul 7, 2025
f4074df
Java: InsecureLdapAuth
d10c Jul 7, 2025
09b805b
Java: MaybeBrokenCryptoAlgorithm
d10c Jul 7, 2025
90ae98f
Java: LogInjection (convert test to qlref)
d10c Jul 8, 2025
b54734c
Java: SensitiveLogInfo (convert test to qlref)
d10c Jul 8, 2025
1644fb1
Java: SqlConcatenated
d10c Jul 8, 2025
24e06ea
Java: SqlInjection
d10c Jul 8, 2025
d0da8b3
Java: TempDirLocalInformationDisclosure
d10c Jul 8, 2025
d216f6b
Java: TrustBoundaryViolations (convert test to qlref)
d10c Jul 8, 2025
1b689ff
Java: UnsafeCertTrust (+ convert test to qlref)
d10c Jul 8, 2025
5ec4516
Java: AndroidWebViewSettingsAllowsContentAccess
d10c Jul 8, 2025
8d778f4
JS: patch-generated stubs
d10c Jul 2, 2025
be73e65
JS: IndirectCommandInjection
d10c Jul 4, 2025
6775c36
JS: NosqlInjection, SqlInjection
d10c Jul 4, 2025
38f953c
JS: ShellCommandInjection
d10c Jul 4, 2025
bbaaf2e
JS: EnvValueAndKeyInjection
d10c Jul 4, 2025
8422641
JS: decodeJwtWithoutVerification
d10c Jul 4, 2025
eeada7a
Python: patch-generated stubs
d10c Jul 2, 2025
f545b94
Python: LdapInjection
d10c Jul 4, 2025
2a15bce
Python: WeakSensitiveDatHashing
d10c Jul 4, 2025
e23c7f6
Python: PossibleTimingAttackAgainstHash (+ selecting source node inst…
d10c Jul 4, 2025
9fb0625
Python: TimingAttackAgainstHash (+ new test)
d10c Jul 4, 2025
68ce699
Ruby: patch-generated stubs
d10c Jul 2, 2025
bff0771
Ruby: MissingFullAnchor
d10c Jul 4, 2025
ab78839
Ruby: PolynomialReDoS: keep excluded
d10c Jul 4, 2025
db2a64f
Ruby: WeakSensitiveDataHashing
d10c Jul 4, 2025
eac30c2
Ruby: WeakFilePermissions
d10c Jul 4, 2025
8a02c56
Rust: patch-generated stubs
d10c Jul 2, 2025
c98398d
Rust: AccessAfterLifetime
d10c Jul 4, 2025
7633b34
Swift: patch-generated stubs
d10c Jul 2, 2025
18fbdb7
Swift: CleartextStorageDatabase
d10c Jul 4, 2025
c5f1e06
Swift: CleartextStoragePreferences
d10c Jul 4, 2025
08c4cc2
Swift: UnsafeWebViewFetch
d10c Jul 4, 2025
@@ -1,6 +1,7 @@
private import actions
private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ControlChecks
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow

@@ -88,6 +89,19 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "argument-injection"))
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
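Review bot: the `result = event.getLocation()` disjunct does not say which query's `where` clause it mirrors, unlike the CodeInjection, CommandInjection, EnvPathInjection and EnvVarInjection configs in this PR, which carry `// where clause from <Query>.ql`; add the same comment above `exists(Event event | result = event.getLocation() |` so that a later change to that query's conditions is traceable back to this predicate. It would also help to note next to `getASelectedSourceLocation(DataFlow::Node source) { none() }` that this is only right while no query built on ArgumentInjectionConfig names the source in a `$@` placeholder; the path-problem `source` column by itself does not need the source location.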
@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.ControlChecks

string unzipRegexp() { result = "(unzip|tar)\\s+.*" }

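Review bot: this `import codeql.actions.security.ControlChecks` is public, so every module that imports ArtifactPoisoningQuery now re-exports ControlChecks, whereas the first hunk of this PR adds the same dependency as `private import codeql.actions.security.ControlChecks`. The Code scanning alert further down this page on EnvPathInjectionQuery.qll ("Redundant import, the module is already imported inside codeql.actions.security.ArtifactPoisoningQuery") is a direct consequence. Make this one `private import` and let each query library import ControlChecks for itself.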
@@ -316,6 +317,19 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))
)
}
}

/** Tracks flow of unsafe artifacts that is used in an insecure way. */
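Review bot: same traceability gap as in ArgumentInjectionConfig: the `exists(Event event | result = event.getLocation() | ... "artifact-poisoning")` disjunct should carry a `// where clause from <Query>.ql` comment naming the query that selects `event`, as the CodeInjection and later hunks in this PR do. Without it a reviewer cannot check that `inPrivilegedContext` plus the single `"artifact-poisoning"` category is still what the query's `where` clause requires.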
49 changes: 49 additions & 0 deletions actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
import codeql.actions.security.ControlChecks
import codeql.actions.security.CachePoisoningQuery

class CodeInjectionSink extends DataFlow::Node {
CodeInjectionSink() {
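Review bot: both new imports are public (`import codeql.actions.security.ControlChecks`, `import codeql.actions.security.CachePoisoningQuery`) while the surrounding imports of this file and the first hunk of this PR use `private import`. CachePoisoningQuery is only needed for `LocalJob`, `ExternalJob` and `runsOnDefaultBranch` inside the private `CodeInjectionConfig` module below, so `private import` is sufficient and avoids widening what CodeInjectionQuery.qll re-exports to its importers.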
@@ -35,6 +37,53 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from CodeInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
source.getEventName() = event.getName() and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "code-injection")) and
// exclude cases where the sink is a JS script and the expression uses toJson
not exists(UsesStep script |
script.getCallee() = "actions/github-script" and
script.getArgumentExpr("script") = sink.asExpr() and
exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
)
)
or
// where clause from CachePoisoningViaCodeInjection.ql
exists(Event event, LocalJob job, DataFlow::Node source | result = event.getLocation() |
job = sink.asExpr().getEnclosingJob() and
job.getATriggerEvent() = event and
// job can be triggered by an external user
event.isExternallyTriggerable() and
// the checkout is not controlled by an access check
isSource(source) and
not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection")) and
// excluding privileged workflows since they can be exploited in easier circumstances
// which is covered by `actions/code-injection/critical`
not job.isPrivilegedExternallyTriggerable(event) and
(
// the workflow runs in the context of the default branch
runsOnDefaultBranch(event)
or
// the workflow caller runs in the context of the default branch
event.getName() = "workflow_call" and
exists(ExternalJob caller |
caller.getCallee() = job.getLocation().getFile().getRelativePath() and
runsOnDefaultBranch(caller.getATriggerEvent())
)
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
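Review bot: in the second disjunct (`// where clause from CachePoisoningViaCodeInjection.ql`) the `DataFlow::Node source` is never tied to `sink`: `isSource(source)` and `not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection"))` are satisfied by any unprotected source anywhere in the database, so they restrict nothing and the copied comment `// the checkout is not controlled by an access check` is misleading here. The same holds for `source.getEventName() = event.getName()` in the first disjunct. This is still sound, since the flow's own source is one of the candidates and the location set is therefore a superset of what the query selects, but please either state in a comment that the predicate deliberately over-approximates the two `where` clauses, or drop the `source` conjuncts so the predicate reads as what it is.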
@@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
import codeql.actions.security.ControlChecks

private class CommandInjectionSink extends DataFlow::Node {
CommandInjectionSink() { madSink(this, "command-injection") }
@@ -16,6 +17,22 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from CommandInjectionCritical.ql
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["command-injection", "code-injection"])
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
@@ -3,6 +3,7 @@
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ArtifactPoisoningQuery
private import codeql.actions.security.UntrustedCheckoutQuery
private import codeql.actions.security.ControlChecks

Code scanning / CodeQL warning on the line above: Redundant import, the module is already imported inside codeql.actions.security.ArtifactPoisoningQuery.
abstract class EnvPathInjectionSink extends DataFlow::Node { }

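Review bot: the Code scanning alert on `private import codeql.actions.security.ControlChecks` needs resolving before this leaves draft. ControlChecks is already visible through `private import codeql.actions.security.ArtifactPoisoningQuery` two lines above, because that module imports ControlChecks publicly. Either drop this line, or, preferably, keep it and make the import in ArtifactPoisoningQuery.qll private so that each library declares its own dependency; the alert disappears either way.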
@@ -108,6 +109,35 @@
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() {
any()
}

Location getASelectedSourceLocation(DataFlow::Node source) {
none()
}

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or // where clause from EnvPathInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
(
not source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, "code-injection")
)
or
source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
) and
sink instanceof EnvPathInjectionFromFileReadSink
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
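Review bot: this hunk is not in the formatter's layout: `observeDiffInformedIncrementalMode` and `getASelectedSourceLocation` are spread over three lines each and the `// where clause from EnvPathInjectionCritical.ql` comment hangs off the `or`, while every other config in this PR writes `predicate observeDiffInformedIncrementalMode() { any() }` on one line with the comment on a line of its own; run `codeql query format` on the file. On the logic, the non-artifact branch checks only the `"code-injection"` category, whereas the EnvVarInjection counterpart in this PR checks `["envvar-injection", "code-injection"]`; please confirm against EnvPathInjectionCritical.ql that no env-path specific category belongs in this list, and say so in the comment if that is intentional.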
34 changes: 34 additions & 0 deletions actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -163,6 +163,40 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from EnvVarInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
// exclude paths to file read sinks from non-artifact sources
(
// source is text
not source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["envvar-injection", "code-injection"])
)
or
// source is an artifact or a file from an untrusted checkout
source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check
.protects(sink.asExpr(), event,
["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
) and
(
sink instanceof EnvVarInjectionFromFileReadSink or
madSink(sink, "envvar-injection")
)
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
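Review bot: the comment `// exclude paths to file read sinks from non-artifact sources` is copied from the query but does not describe what this predicate does: `RemoteFlowSource source` here ranges over every source in the database, not the one that reaches `sink`, so no path is excluded; the predicate only decides which extra locations count as selected for diff pruning, and the `getSourceType() = "artifact"` split can be satisfied by an unrelated source. Reword along the lines of "over-approximates the where clause of EnvVarInjectionCritical.ql; `source` is any source, not the path's source" so nobody reads the branches as a filter.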
10 changes: 10 additions & 0 deletions cpp/ql/src/Critical/OverflowDestination.ql
@@ -82,6 +82,16 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
nodeIsBarrierEqualityCandidate(node, access, checkedVar)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(FunctionCall fc | result = fc.getLocation() |
sourceSized(fc, sink.asIndirectConvertedExpr())
)
}
}

module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;
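Review bot: `getASelectedSinkLocation` returns only `fc.getLocation()` and never `sink.getLocation()`, so this is sound only if OverflowDestination.ql selects `fc` rather than `sink.getNode()` in its location columns, and only if `sourceSized(fc, sink.asIndirectConvertedExpr())` is exactly how `isSink` binds its sinks; a sink with no matching `fc` gets no selected location at all and would be pruned whenever the source is outside the diff. Please confirm both and add a one-line comment stating which select column `fc` corresponds to, so a later edit that selects the sink node does not silently make the query drop results.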
13 changes: 13 additions & 0 deletions cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -168,6 +168,19 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
cannotContainString(t)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(FormattingFunctionCall call, Expr formatString | result = call.getLocation() |
isSinkImpl(sink, formatString) and
call.getArgument(call.getFormatParameterIndex()) = formatString
)
}
}

module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;
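Review bot: the `result = sink.getLocation()` disjunct and the `call.getLocation()` disjunct cannot both be what NonConstantFormat.ql selects; keeping both is sound but only widens the location set and reduces the pruning that diff-informed mode is meant to buy. If the select clause uses `call`, drop the first disjunct as the OverflowDestination.ql hunk in this PR does; if it uses the sink node, drop the second. Either way a `// select column` comment next to the one that stays would make the choice checkable.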
6 changes: 6 additions & 0 deletions cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll
@@ -215,6 +215,10 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
}

predicate observeDiffInformedIncrementalMode() {
none() // only used negatively in UncheckedLeapYearAfterYearModification.ql
}
}

module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
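Review bot: `none()` is the right call here and the reason deserves one more sentence in the comment: LeapYearCheckFlow is used under negation in UncheckedLeapYearAfterYearModification.ql, and a diff-pruned flow relation inside a `not` turns every pruned flow into a spurious positive. Spelling that consequence out ("must stay `none()`: pruning this flow would create false positives, not just missed results") protects the line from being flipped to `any()` in a later sweep.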
@@ -285,6 +289,8 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
aexpr.getLValue() = fa
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module PossibleYearArithmeticOperationCheckFlow =
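Review bot: this config opts in with `predicate observeDiffInformedIncrementalMode() { any() }` but overrides neither location predicate, so the defaults (source and sink locations) apply; unlike the LeapYearCheckConfig hunk just above and the ExternalAPIs hunks below, there is no comment naming the query that consumes this flow and confirming it selects exactly the source and sink nodes. Add one, since the defaults are only correct under that condition.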
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() {
any() // normal use in UntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in CountUntrustedDataToExternalAPI.ql
}
}

module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
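Review bot: the comment says this config is also consumed, without locations, by CountUntrustedDataToExternalAPI.ql. A counting query aggregates over all flows, so if it is ever run in diff-informed mode its counts come from the pruned flow relation and are silently too low; `any()` is therefore only acceptable on the assumption that the count query never runs diff-informed. State that assumption in the comment (or give UntrustedDataToExternalApi.ql its own diff-informed config and leave this one alone), and keep the identical comment in the IR variant below in sync.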
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
@@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() {
any() // normal use in IRUntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in IRCountUntrustedDataToExternalAPI.ql
}
}

module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -93,6 +93,12 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
// make sinks barriers so that we only report the closest instance
isSink(node)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.asIndirectArgument().getLocation()
}
}

module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
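Review bot: `getASelectedSinkLocation` is `sink.asIndirectArgument().getLocation()` with no `sink.getLocation()` fallback, so a sink node that has no `asIndirectArgument()` gets no selected sink location and survives pruning only if the source is inside the diff. That is correct only if `isSink` admits sinks exclusively through `asIndirectArgument()` and the select clause uses that argument expression; please confirm both against the `isSink` definition above this hunk and note it in a comment, otherwise add `or result = sink.getLocation()`.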
11 changes: 11 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -150,6 +150,17 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
predicate isBarrierOut(DataFlow::Node node) {
isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(DataFlow::Node concatResult, Expr command, ExecState state |
result = [concatResult.getLocation(), command.getLocation()] and
isSink(sink, state) and
isSinkImpl(sink, command, _) and
concatResult = state.getOutgoingNode()
)
}
}

module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;
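Review bot: with `StateConfigSig` the location predicate only receives the node, so `isSink(sink, state)` joins over every state under which `sink` is a sink and `isSinkImpl(sink, command, _)` over every command, and `concatResult`/`command` pairs from different states are combined. That is a sound over-approximation, but the `_` reads like an oversight: if the third argument of `isSinkImpl` is the flow state, pass `state` there so the two locations selected belong to the same path, and add a comment naming the select columns (`concatResult` and `command`) this mirrors.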
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -39,6 +39,12 @@ module Config implements DataFlow::ConfigSig {
or
node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) {
exists(QueryString query | result = query.getLocation() | query = source.asIndirectExpr())
}
}

module Flow = TaintTracking::Global<Config>;
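Review bot: the override maps a source to the `QueryString` location only when `source.asIndirectExpr()` is a `QueryString`; a source admitted by `isSource` in any other way has no selected source location and is kept only when the sink is in the diff. Please confirm `isSource` is defined exactly as `source.asIndirectExpr() instanceof QueryString` and that the select clause references `query` (which is what justifies replacing the default), and record that in a comment; `getASelectedSinkLocation` is left at its default, which is right only if the select uses `sink.getNode()` unchanged.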
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -54,6 +54,12 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
sql.barrierSqlArgument(input, _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(Expr taintedArg | result = taintedArg.getLocation() | taintedArg = asSinkExpr(sink))
}
}

module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -124,6 +124,12 @@ module Config implements DataFlow::ConfigSig {
// Block flow if the node is guarded by any <, <= or = operations.
node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(BufferWrite bw | result = bw.getLocation() | isSink(sink, bw, _))
}
}

module Flow = TaintTracking::Global<Config>;
@@ -43,6 +43,12 @@ private module Config implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node sink) { isSink(sink, _) }

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(VariableAccess va | result = va.getLocation() | isSink(sink, va))
}
}

module Flow = TaintTracking::Global<Config>;