
Diff-informed queries: phase 3 (non-trivial locations) #19957


Draft: wants to merge 72 commits into base: main

72 commits
dfd98c8  Actions: patch-generated stubs  (d10c, Jul 2, 2025)
6115a9e  Actions: ArgumentInjection  (d10c, Jul 3, 2025)
283f467  Actions: ArtifactPoisoning  (d10c, Jul 3, 2025)
bf7fc73  Actions: CodeInjection  (d10c, Jul 3, 2025)
61d9418  Actions: CommandInjection  (d10c, Jul 3, 2025)
f3ea6c9  Actions: EnvPathInjection  (d10c, Jul 3, 2025)
46c4451  Actions: EnvVarInjection  (d10c, Jul 3, 2025)
520339a  C++: patch-generated stubs  (d10c, Jul 2, 2025)
4017197  C#: patch-generated stubs  (d10c, Jul 2, 2025)
c015301  C#: ConditionalBypass  (d10c, Jul 4, 2025)
5b38790  C#: ExternalAPIsQuery/UntrustedDataToExternalAPI  (d10c, Jul 4, 2025)
572cca9  C#: UnsafeDeserialization  (d10c, Jul 4, 2025)
a8b2523  C#: HardcodedConnectionString  (d10c, Jul 4, 2025)
34a7701  Go: patch-generated stubs  (d10c, Jul 2, 2025)
a4b6937  Go: AllocationSizeOverflow  (d10c, Jul 7, 2025)
773ba3d  Go: CommandInjection  (d10c, Jul 7, 2025)
bfe1517  Go: ExternalAPIs  (d10c, Jul 7, 2025)
15b6063  Go: HardcodedCredentials  (d10c, Jul 7, 2025)
5dccba3  Go: IncorrectIntegerConversion  (d10c, Jul 7, 2025)
fc39971  Go: InsecureRandomness  (d10c, Jul 7, 2025)
6c119d9  Go: ReflectedXss  (d10c, Jul 7, 2025)
264d949  Go: RequestForgery  (d10c, Jul 7, 2025)
165dc33  Go: SafeUrlFlow  (d10c, Jul 7, 2025)
e57b47c  Go: UnhandledCloseWritableHandle  (d10c, Jul 7, 2025)
1b5e998  Go: InsecureHostKeyCallback  (d10c, Jul 7, 2025)
1fde1a6  Go: BadRedirectCheck  (d10c, Jul 7, 2025)
754baaf  Go: AuthCookie/CookieWithoutHttpOnly/BoolToGin  (d10c, Jul 7, 2025)
79cf6fd  Go: SensitiveConditionBypass  (d10c, Jul 7, 2025)
fd6ca2e  Go: ConditionalBypass  (d10c, Jul 7, 2025)
0ab18eb  Go: SSRF  (d10c, Jul 7, 2025)
8f99f41  Java: patch-generated stubs  (d10c, Jul 2, 2025)
eb0bde7  Java: PolynomialReDos (keep excluded)  (d10c, Jul 7, 2025)
488f211  Java: AndroidSensitiveCommunication: (convert test to qlref)  (d10c, Jul 7, 2025)
6c2b42b  Java: ArithmeticTainted  (d10c, Jul 7, 2025)
15c88b0  Java: ArithmeticUncontrolled  (d10c, Jul 7, 2025)
1e8462b  Java: ConditionalBypass (enable diff-informed + convert test to qlref)  (d10c, Jul 7, 2025)
0fa5f66  Java: ExternalAPIs (enable diff-informed + add tests based on qhelp)  (d10c, Jul 7, 2025)
6f7ac14  Java: ExternallyControlledFormatString  (d10c, Jul 7, 2025)
fed5777  Java: ImproperValidationOfArray...  (d10c, Jul 7, 2025)
a777bed  Java: InsecureCookie  (d10c, Jul 7, 2025)
fe08cce  Java: InsecureLdapAuth  (d10c, Jul 7, 2025)
b376381  Java: MaybeBrokenCryptoAlgorithm  (d10c, Jul 7, 2025)
61ddff6  Java: LogInjection (convert test to qlref)  (d10c, Jul 8, 2025)
197ffa0  Java: SensitiveLogInfo (convert test to qlref)  (d10c, Jul 8, 2025)
a45d780  Java: SqlConcatenated  (d10c, Jul 8, 2025)
098cea4  Java: SqlInjection  (d10c, Jul 8, 2025)
eceb5b2  Java: TempDirLocalInformationDisclosure  (d10c, Jul 8, 2025)
6987334  Java: TrustBoundaryViolations (convert test to qlref)  (d10c, Jul 8, 2025)
e76a1f7  Java: UnsafeCertTrust (+ convert test to qlref)  (d10c, Jul 8, 2025)
ffc467a  Java: AndroidWebViewSettingsAllowsContentAccess  (d10c, Jul 8, 2025)
aa90f3c  JS: patch-generated stubs  (d10c, Jul 2, 2025)
87c01d8  JS: IndirectCommandInjection  (d10c, Jul 4, 2025)
fbd9c03  JS: NosqlInjection, SqlInjection  (d10c, Jul 4, 2025)
9c19cc0  JS: ShellCommandInjection  (d10c, Jul 4, 2025)
27e79d3  JS: EnvValueAndKeyInjection  (d10c, Jul 4, 2025)
4efdb98  JS: decodeJwtWithoutVerification  (d10c, Jul 4, 2025)
391b5d2  Python: patch-generated stubs  (d10c, Jul 2, 2025)
0ba3f22  Python: LdapInjection  (d10c, Jul 4, 2025)
f9304f4  Python: WeakSensitiveDataHashing  (d10c, Jul 4, 2025)
e069641  Python: PossibleTimingAttackAgainstHash (+ selecting source node inst…  (d10c, Jul 4, 2025)
2470c7b  Python: TimingAttackAgainstHash (+ new test)  (d10c, Jul 4, 2025)
15c29c0  Ruby: patch-generated stubs  (d10c, Jul 2, 2025)
801f66e  Ruby: MissingFullAnchor  (d10c, Jul 4, 2025)
0d29d9b  Ruby: PolynomialReDoS: keep excluded  (d10c, Jul 4, 2025)
31e7129  Ruby: WeakSensitiveDataHashing  (d10c, Jul 4, 2025)
ff9b24b  Ruby: WeakFilePermissions  (d10c, Jul 4, 2025)
45a19ee  Rust: patch-generated stubs  (d10c, Jul 2, 2025)
14e27e8  Rust: AccessAfterLifetime  (d10c, Jul 4, 2025)
f7854de  Swift: patch-generated stubs  (d10c, Jul 2, 2025)
9badc48  Swift: CleartextStorageDatabase  (d10c, Jul 4, 2025)
9f8b149  Swift: CleartextStoragePreferences  (d10c, Jul 4, 2025)
c70036d  Swift: UnsafeWebViewFetch  (d10c, Jul 4, 2025)
@@ -1,6 +1,7 @@
private import actions
private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ControlChecks
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow

Expand Down Expand Up @@ -88,6 +89,19 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "argument-injection"))
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
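Review bot: `getASelectedSourceLocation` returning `none()` asserts that no column of the queries built on ArgumentInjectionConfig ever reports the source's location, so in diff-informed runs a result survives only when the sink, or the event for a privileged and unprotected sink, lies in the diff range. That is only sound if ArgumentInjectionCritical.ql's select clause really places neither the alert nor a `$@` placeholder on the source; a one-line comment next to `none()` recording which select clause was checked would make that reviewable later, the way the sink override in the other Actions hunks cites the query it mirrors.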
Expand Up @@ -4,6 +4,7 @@ import codeql.actions.DataFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.ControlChecks

string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
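Review bot: `import codeql.actions.security.ControlChecks` is a public import in a library file, so every module that imports ArtifactPoisoningQuery now re-exports ControlChecks as well; that is what makes the explicit ControlChecks import in EnvPathInjectionQuery trip the code-scanning "Redundant import" warning further down in this PR. Since ControlChecks is only used inside the private ArtifactPoisoningConfig module, `private import codeql.actions.security.ControlChecks` keeps the dependency local and lets consumers keep their own explicit imports.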

Expand Down Expand Up @@ -316,6 +317,19 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))
)
}
}

/** Tracks flow of unsafe artifacts that is used in an insecure way. */
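Review bot: the `inPrivilegedContext(sink.asExpr(), event) and not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))` conjunction inside `getASelectedSinkLocation` is a second copy of the critical query's where clause, and nothing ties the two together: if the where clause later gains or loses a conjunct, this override silently over- or under-selects event locations. Factoring the condition into one predicate in this file (for instance `predicate isPrivilegedUnprotectedSink(DataFlow::Node sink, Event event)`) that both the .ql and this override call would stop them drifting apart. The same applies to the other Actions configs in this PR.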
49 changes: 49 additions & 0 deletions actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
Expand Up @@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
import codeql.actions.security.ControlChecks
import codeql.actions.security.CachePoisoningQuery

class CodeInjectionSink extends DataFlow::Node {
CodeInjectionSink() {
Expand Down Expand Up @@ -35,6 +37,53 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from CodeInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
source.getEventName() = event.getName() and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "code-injection")) and
// exclude cases where the sink is a JS script and the expression uses toJson
not exists(UsesStep script |
script.getCallee() = "actions/github-script" and
script.getArgumentExpr("script") = sink.asExpr() and
exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
)
)
or
// where clause from CachePoisoningViaCodeInjection.ql
exists(Event event, LocalJob job, DataFlow::Node source | result = event.getLocation() |
job = sink.asExpr().getEnclosingJob() and
job.getATriggerEvent() = event and
// job can be triggered by an external user
event.isExternallyTriggerable() and
// the checkout is not controlled by an access check
isSource(source) and
not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection")) and
// excluding privileged workflows since they can be exploited in easier circumstances
// which is covered by `actions/code-injection/critical`
not job.isPrivilegedExternallyTriggerable(event) and
(
// the workflow runs in the context of the default branch
runsOnDefaultBranch(event)
or
// the workflow caller runs in the context of the default branch
event.getName() = "workflow_call" and
exists(ExternalJob caller |
caller.getCallee() = job.getLocation().getFile().getRelativePath() and
runsOnDefaultBranch(caller.getATriggerEvent())
)
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
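Review bot: in both `exists(...)` branches the `source` variable is bound only by `isSource(source)` (plus `getEventName` in the first branch) and is never related to `sink`, so in the cache-poisoning branch `not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection"))` holds as soon as any unprotected remote source exists anywhere in the database. The override therefore selects a superset of the event locations the two queries would actually report. Over-selection is the safe direction for diff-informed pruning (it keeps more candidate paths, never fewer), but a comment stating that the source check is deliberately unconstrained would stop the next reader from "fixing" it, and the `isSource(source)` conjunct in the second branch could be rewritten as a plain existence test to make the intent explicit.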
Expand Up @@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
import codeql.actions.security.ControlChecks

private class CommandInjectionSink extends DataFlow::Node {
CommandInjectionSink() { madSink(this, "command-injection") }
Expand All @@ -16,6 +17,22 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from CommandInjectionCritical.ql
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["command-injection", "code-injection"])
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
Expand Up @@ -3,6 +3,7 @@
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ArtifactPoisoningQuery
private import codeql.actions.security.UntrustedCheckoutQuery
private import codeql.actions.security.ControlChecks

[Code scanning / CodeQL warning on the line above: Redundant import. The module is already imported inside codeql.actions.security.ArtifactPoisoningQuery.]

abstract class EnvPathInjectionSink extends DataFlow::Node { }
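Review bot: the code-scanning "Redundant import" warning on `private import codeql.actions.security.ControlChecks` is caused by ArtifactPoisoningQuery (imported on the line above it) re-exporting ControlChecks publicly. Deleting this line would silence the warning but would leave EnvPathInjectionQuery depending on a transitive re-export that disappears the moment ArtifactPoisoningQuery is tidied; the better fix is to keep this explicit import and make the one in ArtifactPoisoningQuery private.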

Expand Down Expand Up @@ -108,6 +109,35 @@
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() {
any()
}

Location getASelectedSourceLocation(DataFlow::Node source) {
none()
}

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or // where clause from EnvPathInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
(
not source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, "code-injection")
)
or
source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
) and
sink instanceof EnvPathInjectionFromFileReadSink
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
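Review bot: this hunk is formatted differently from every other config in the PR: `any()` and `none()` are spread over three lines instead of `{ any() }`, and `// where clause from EnvPathInjectionCritical.ql` hangs after `or` on the same line instead of sitting on its own line above the `exists`. Running the QL formatter over the file (`codeql query format`, or the editor's autoformat) would bring it in line with the other hunks; as it stands the bodies read like the generated stub was left untouched.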
34 changes: 34 additions & 0 deletions actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
Expand Up @@ -163,6 +163,40 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from EnvVarInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
// exclude paths to file read sinks from non-artifact sources
(
// source is text
not source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["envvar-injection", "code-injection"])
)
or
// source is an artifact or a file from an untrusted checkout
source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check
.protects(sink.asExpr(), event,
["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
) and
(
sink instanceof EnvVarInjectionFromFileReadSink or
madSink(sink, "envvar-injection")
)
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
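Review bot: the comment `// exclude paths to file read sinks from non-artifact sources` does not describe the disjunction beneath it. The first branch (`not source.getSourceType() = "artifact"`) puts no constraint on `sink` at all, so file-read sinks reached from text sources are still selected; it is the artifact branch that is restricted to `EnvVarInjectionFromFileReadSink` or a MaD `envvar-injection` sink. Either the comment should say "restrict artifact sources to file-read sinks", or the first branch needs a `not sink instanceof EnvVarInjectionFromFileReadSink` conjunct, whichever matches EnvVarInjectionCritical.ql; if the comment was copied from that query, the same mismatch is probably there too.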
4 changes: 4 additions & 0 deletions cpp/ql/src/Critical/OverflowDestination.ql
Expand Up @@ -82,6 +82,10 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
nodeIsBarrierEqualityCandidate(node, access, checkedVar)
)
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Critical/OverflowDestination.ql@93:8:93:9)
}
}

module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;
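Review bot: enabling `observeDiffInformedIncrementalMode` while leaving the generated TODO unresolved is the risky combination. The message says column 1 of OverflowDestination.ql's select is not the source or sink of the `flow` call on line 91, so the element the alert is placed on can lie in the diff range while the node locations used for pruning do not, and those alerts would be dropped in diff-informed runs. Either add a `getASelectedSinkLocation` / `getASelectedSourceLocation` override that returns the column-1 location, or keep the query excluded until that is done. The TODO text also embeds an absolute developer-machine path (`/Users/d10c/src/semmle-code/...`), which should not land in the repo in any case; the same applies to every other cpp hunk in this PR that carries a generated TODO.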
4 changes: 4 additions & 0 deletions cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
Expand Up @@ -168,6 +168,10 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
cannotContainString(t)
)
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 181 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql@184:53:184:56)
}
}

module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;
14 changes: 14 additions & 0 deletions cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll
Expand Up @@ -215,6 +215,18 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 1 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 3 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 5 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50), Column 5 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50)
}

Location getASelectedSourceLocation(DataFlow::Node source) {
none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 1 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 3 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 5 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50), Column 5 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50)
}

Location getASelectedSinkLocation(DataFlow::Node sink) {
none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 1 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@57:8:57:10), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 3 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:3:59:17), Column 5 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50), Column 5 does not select a source or sink originating from the flow call on line 41 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql@59:48:59:50)
}
}

module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
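Review bot: with `observeDiffInformedIncrementalMode` returning `any()` while both `getASelectedSourceLocation` and `getASelectedSinkLocation` return `none()`, no endpoint of any path can ever intersect the diff range, so a diff-informed run of UncheckedLeapYearAfterYearModification.ql would, as far as I can see, report nothing at all. These are placeholder stubs: the TODOs enumerate the select columns on lines 57 and 59 of that query that still need mapping. LeapYearCheckConfig should either get real overrides derived from those columns or not opt in yet, and the six-way repeated TODO string on each predicate can go once that is resolved.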
Expand Down Expand Up @@ -285,6 +297,8 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
aexpr.getLValue() = fa
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module PossibleYearArithmeticOperationCheckFlow =
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
Expand Up @@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll@13:36:13:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll@16:43:16:92)
}
}

module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
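Review bot: the TODO says the `flow` calls live outside any `select` clause (ExternalAPIs.qll lines 13 and 16), i.e. the flow relation is consumed by predicates rather than reported directly. Diff-informed pruning drops paths whose endpoints are outside the diff range, so any predicate built on this flow (per-API counts of untrusted-data flows, membership tests) silently changes meaning in incremental runs. Unless those callers were checked and only feed alerts placed on the same sink, this config is better left excluded; the ir/ExternalAPIsSpecific.qll hunk below carries the identical TODO and should get the same decision.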
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
Expand Up @@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll@13:36:13:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll@16:43:16:92)
}
}

module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
Expand Up @@ -93,6 +93,10 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
// make sinks barriers so that we only report the closest instance
isSink(node)
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.asIndirectArgument (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql@108:8:108:17)
}
}

module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
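Review bot: the TODO reports that column 1 of TaintedPath.ql selects `sink.asIndirectArgument()` rather than `sink`, so the alert is placed on the argument expression while the default `getASelectedSinkLocation` uses the indirect node's own location. The override that resolves this is short, something like `Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.asIndirectArgument().getLocation() }` (take the exact accessor from the query's select); even where the two locations coincide today, the explicit override documents the mapping and removes the TODO instead of shipping it. The mirror `getASelectedSourceLocation` over `source.asIndirectExpr()` is what the CgiXss hunk below needs for the same reason.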
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
Expand Up @@ -150,6 +150,10 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
predicate isBarrierOut(DataFlow::Node node) {
isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 161 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql@165:8:165:14), Column 7 does not select a source or sink originating from the flow call on line 161 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql@167:71:167:82)
}
}

module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
Expand Up @@ -39,6 +39,10 @@ module Config implements DataFlow::ConfigSig {
or
node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects source.asIndirectExpr (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql@51:3:51:7)
}
}

module Flow = TaintTracking::Global<Config>;
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
Expand Up @@ -54,6 +54,10 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
sql.barrierSqlArgument(input, _)
)
}

predicate observeDiffInformedIncrementalMode() {
any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 74 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql@77:8:77:17)
}
}

module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;
8 changes: 8 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
Expand Up @@ -223,6 +223,14 @@
state1 = state2 + delta
)
}

predicate observeDiffInformedIncrementalMode() {

[Code scanning / CodeQL warning on the predicate above: Dead code. This code is never used, and it's not publicly exported.]
any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@269:8:269:41), Column 5 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@270:58:270:63), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@249:5:249:76)
}

Location getASelectedSinkLocation(DataFlow::Node sink) {

[Code scanning / CodeQL warning on the predicate above: Dead code. This code is never used, and it's not publicly exported.]
none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@269:8:269:41), Column 5 does not select a source or sink originating from the flow call on line 263 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@270:58:270:63), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql@249:5:249:76)
}
}

module StringSizeFlow = ProductFlow::GlobalWithState<StringSizeConfig>;
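Review bot: the two code-scanning "Dead code" warnings are the real finding here. StringSizeConfig is consumed by `ProductFlow::GlobalWithState<StringSizeConfig>` (the `module StringSizeFlow` line in the trailing context), and the warnings say neither `observeDiffInformedIncrementalMode` nor `getASelectedSinkLocation` is used by it, so this hunk changes nothing in normal runs and only adds two unresolved TODOs. Should ProductFlow ever start honouring these predicates, the `none()` sink override would then suppress every result. Drop this hunk, or add the query to the excluded list, rather than merging dead, TODO-marked overrides.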