From 293b59501f5c5ceea3eaffac8727a70445909280 Mon Sep 17 00:00:00 2001 From: Asger F Date: Thu, 19 Dec 2024 10:15:29 +0100 Subject: [PATCH 1/4] Dummy commit --- javascript/ql/dummy | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 javascript/ql/dummy diff --git a/javascript/ql/dummy b/javascript/ql/dummy new file mode 100644 index 000000000000..e69de29bb2d1 From 3beb599703476163e60af9d6c3ce215d5c7f8a62 Mon Sep 17 00:00:00 2001 From: Asger F Date: Thu, 19 Dec 2024 10:24:05 +0100 Subject: [PATCH 2/4] Update TaintedPath.expected --- .../CWE-022/TaintedPath/TaintedPath.expected | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 7aa4dfd0bca7..c1985970e3b0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
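Review bot: PATCH 1/4 only creates an empty placeholder file at `javascript/ql/dummy`, with no purpose stated beyond the subject "Dummy commit". Unless a later patch in this series removes it again (the fourth patch is not visible here), it should be dropped before the series is merged so the library pack does not carry a stray zero-byte file.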
@@ -134,6 +134,22 @@ nodes | TaintedPath.js:196:31:196:34 | path | semmle.label | path | | TaintedPath.js:197:45:197:48 | path | semmle.label | path | | TaintedPath.js:198:35:198:38 | path | semmle.label | path | +| TaintedPath.js:202:7:202:48 | path | semmle.label | path | +| TaintedPath.js:202:14:202:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:202:14:202:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:202:14:202:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:202:24:202:30 | req.url | semmle.label | req.url | +| TaintedPath.js:206:29:206:32 | path | semmle.label | path | +| TaintedPath.js:206:29:206:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:211:7:211:48 | path | semmle.label | path | +| TaintedPath.js:211:14:211:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:211:14:211:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:211:14:211:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:211:24:211:30 | req.url | semmle.label | req.url | +| TaintedPath.js:213:29:213:32 | path | semmle.label | path | +| TaintedPath.js:213:29:213:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:216:31:216:34 | path | semmle.label | path | +| TaintedPath.js:216:31:216:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | | examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | 
@@ -614,6 +630,20 @@ edges | TaintedPath.js:195:14:195:43 | url.par ... ).query | TaintedPath.js:195:14:195:48 | url.par ... ry.path | provenance | Config | | TaintedPath.js:195:14:195:48 | url.par ... ry.path | TaintedPath.js:195:7:195:48 | path | provenance | | | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path | provenance | | +| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path | provenance | | +| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path | provenance | | +| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path | provenance | | +| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path | provenance | | +| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | provenance | Config | | examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath | provenance | | | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config | 
@@ -965,6 +995,9 @@ subpaths | TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | | TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | | TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | +| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value | +| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | +| TaintedPath.js:216:31:216:69 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. 
| express.js:8:20:8:32 | req.query.bar | user-provided value | | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | From 47be8bac82a732d4b71df8ee318a125e8621669a Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 19 Dec 2024 13:22:17 +0100 Subject: [PATCH 3/4] JS: Auto-patch diff informed queries --- .../security/dataflow/BrokenCryptoAlgorithmQuery.qll | 2 ++ .../security/dataflow/BuildArtifactLeakQuery.qll | 2 ++ .../security/dataflow/CleartextLoggingQuery.qll | 2 ++ .../security/dataflow/CleartextStorageQuery.qll | 2 ++ .../security/dataflow/ClientSideRequestForgeryQuery.qll | 2 ++ .../security/dataflow/ClientSideUrlRedirectQuery.qll | 2 ++ .../javascript/security/dataflow/CodeInjectionQuery.qll | 2 ++ .../security/dataflow/CommandInjectionQuery.qll | 2 ++ .../security/dataflow/ConditionalBypassQuery.qll | 8 ++++++++ .../dataflow/CorsMisconfigurationForCredentialsQuery.qll | 2 ++ .../dataflow/DeepObjectResourceExhaustionQuery.qll | 2 ++ .../dataflow/DifferentKindsComparisonBypassQuery.qll | 7 +++++++ .../javascript/security/dataflow/DomBasedXssQuery.qll | 2 ++ .../javascript/security/dataflow/ExceptionXssQuery.qll | 2 ++ .../dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll | 8 ++++++++ .../security/dataflow/FileAccessToHttpQuery.qll | 2 ++ .../security/dataflow/HardcodedCredentialsQuery.qll | 2 ++ .../dataflow/HardcodedDataInterpretedAsCodeQuery.qll | 2 ++ .../HostHeaderPoisoningInEmailGenerationQuery.qll | 2 ++ .../security/dataflow/HttpToFileAccessQuery.qll | 2 ++ .../security/dataflow/ImproperCodeSanitizationQuery.qll | 2 ++ .../IncompleteHtmlAttributeSanitizationQuery.qll | 2 ++ .../security/dataflow/IndirectCommandInjectionQuery.qll | 2 ++ .../security/dataflow/InsecureDownloadQuery.qll | 2 ++ .../security/dataflow/InsecureRandomnessQuery.qll | 2 ++ .../security/dataflow/InsecureTemporaryFileQuery.qll | 2 ++ .../security/dataflow/InsufficientPasswordHashQuery.qll | 2 ++ .../javascript/security/dataflow/LogInjectionQuery.qll | 2 ++ .../security/dataflow/LoopBoundInjectionQuery.qll | 2 ++ .../javascript/security/dataflow/NosqlInjectionQuery.qll | 2 ++ .../security/dataflow/PostMessageStarQuery.qll | 2 ++ 
.../dataflow/PrototypePollutingAssignmentQuery.qll | 2 ++ .../security/dataflow/PrototypePollutionQuery.qll | 2 ++ .../javascript/security/dataflow/ReflectedXssQuery.qll | 2 ++ .../security/dataflow/RegExpInjectionQuery.qll | 2 ++ .../security/dataflow/RemotePropertyInjectionQuery.qll | 2 ++ .../javascript/security/dataflow/RequestForgeryQuery.qll | 2 ++ .../security/dataflow/ResourceExhaustionQuery.qll | 2 ++ .../dataflow/SecondOrderCommandInjectionQuery.qll | 2 ++ .../security/dataflow/ServerSideUrlRedirectQuery.qll | 2 ++ .../ShellCommandInjectionFromEnvironmentQuery.qll | 2 ++ .../javascript/security/dataflow/SqlInjectionQuery.qll | 2 ++ .../security/dataflow/StackTraceExposureQuery.qll | 2 ++ .../javascript/security/dataflow/StoredXssQuery.qll | 2 ++ .../security/dataflow/TaintedFormatStringQuery.qll | 2 ++ .../javascript/security/dataflow/TaintedPathQuery.qll | 2 ++ .../security/dataflow/TemplateObjectInjectionQuery.qll | 2 ++ .../TypeConfusionThroughParameterTamperingQuery.qll | 2 ++ .../security/dataflow/UnsafeCodeConstruction.qll | 2 ++ .../security/dataflow/UnsafeDeserializationQuery.qll | 2 ++ .../security/dataflow/UnsafeDynamicMethodAccessQuery.qll | 2 ++ .../security/dataflow/UnsafeHtmlConstructionQuery.qll | 2 ++ .../security/dataflow/UnsafeJQueryPluginQuery.qll | 2 ++ .../dataflow/UnsafeShellCommandConstructionQuery.qll | 2 ++ .../dataflow/UnvalidatedDynamicMethodCallQuery.qll | 2 ++ .../semmle/javascript/security/dataflow/XmlBombQuery.qll | 2 ++ .../javascript/security/dataflow/XpathInjectionQuery.qll | 2 ++ .../javascript/security/dataflow/XssThroughDomQuery.qll | 2 ++ .../lib/semmle/javascript/security/dataflow/XxeQuery.qll | 2 ++ .../semmle/javascript/security/dataflow/ZipSlipQuery.qll | 2 ++ .../javascript/security/regexp/PolynomialReDoSQuery.qll | 2 ++ .../src/Security/CWE-915/PrototypePollutingFunction.ql | 9 +++++++++ .../Security/CWE-094-dataURL/CodeInjection.ql | 2 ++ .../Security/CWE-099/EnvValueAndKeyInjection.ql | 2 ++ 
.../experimental/Security/CWE-099/EnvValueInjection.ql | 2 ++ .../experimental/Security/CWE-340/TokenBuiltFromUUID.ql | 2 ++ .../Security/CWE-347/decodeJwtWithoutVerification.ql | 4 ++++ .../CWE-347/decodeJwtWithoutVerificationLocalSource.ql | 7 +++++++ .../CWE-522-DecompressionBombs/DecompressionBombs.ql | 2 ++ javascript/ql/src/experimental/Security/CWE-918/SSRF.qll | 2 ++ .../CWE-942/CorsPermissiveConfigurationQuery.qll | 2 ++ 71 files changed, 173 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll index 90fb4b4ffa56..cb16f59a1e99 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll @@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll index 5ccaeea6ad63..c044d7b0cbc0 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll @@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig { contents = DataFlow::ContentSet::anyProperty() and isSink(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll index 9bb2ffa0a6a7..efed5ba46ab3 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll @@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig { contents = DataFlow::ContentSet::anyProperty() and isSink(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll index d4ee8a8297dd..0fbd576959e4 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll @@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } module ClearTextStorageFlow = TaintTracking::Global; diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll index d26fe2d50e85..95072467af6e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll @@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { isAdditionalRequestForgeryStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll index bc0e1354757e..526eaf1be361 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll @@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig { state1 = state2 ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll index 811a9575504f..cc9b3f16a4fc 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll @@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig { // HTML sanitizers are insufficient protection against code injection node1 = node2.(HtmlSanitizerCall).getInput() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll index bb93c6320f1a..d54c8baee1b3 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll @@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
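Review bot: In the CommandInjectionQuery hunk, `isSink` is `isSinkWithHighlight(sink, _)`, so the sink node and the location the query reports can differ, yet the new `predicate observeDiffInformedIncrementalMode() { any() }` opts this config into pruning by source/sink location. If the `.ql` selects the highlight rather than the sink node, an alert whose highlighted expression lies inside the changed range but whose sink node does not can be silently dropped in PR analysis, which for a command-injection query is a quiet false negative. Before opting in, confirm what the query selects; if it selects the highlight, the config should also tell the library which location is selected (recent versions of the shared `DataFlow::ConfigSig` have a hook for the selected sink location, `getASelectedSinkLocation`, if this library version carries it) instead of a bare `any()`. The IndirectCommandInjectionQuery hunk further down uses the same `isSinkWithHighlight(sink, _)` sink and has the same concern. The enclosing `CommandInjectionConfig` module starts outside the hunk.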
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll index 8db7c27b5f73..cdcac824db8e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll @@ -24,6 +24,14 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig { // comparing a tainted expression against a constant gives a tainted result node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c)) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:104: Flow call outside 'select' clause + // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:113: Flow call outside 'select' clause + // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:115: Flow call outside 'select' clause + none() + } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll index 0be461f51184..4c2c3f4debc9 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll @@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig { node instanceof Sanitizer or node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
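Review bot: The new `observeDiffInformedIncrementalMode` body in ConditionalBypassQuery is `none()` under a `TODO(diff-informed)` comment, so, if I read the shared library's default correctly, the config behaves exactly as it did without the predicate; what the hunk really adds is a pending decision, recorded with absolute line references (`:104`, `:113`, `:115`) that will drift on the next edit of the file. Staying non-diff-informed is the right conservative choice, since opting in wrongly would silently drop alerts in PR analysis, but the comment should carry the reason in words, e.g. `// Not diff-informed: flow results are used outside the select clause, so pruning sources and sinks to the diff range could change the query's results.`, and the manual verification should be tracked so the TODO does not ship indefinitely. The DifferentKindsComparisonBypassQuery and ExternalAPIUsedWithUntrustedDataQuery hunks follow the same pattern. The enclosing `ConditionalBypassConfig` module starts outside the hunk.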
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll index ca40447145c5..2999381581da 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll @@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig { ) { TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll index 266d0b9413f8..c51bf736d873 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll @@ -20,6 +20,13 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll:39: Flow call outside 'select' clause + // ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll:40: Flow call outside 'select' clause + none() + } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll index 6979ec12a2e7..1eccd4de17db 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll @@ -114,6 +114,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig { state1 = state2 ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll index 71603d38ecd6..975df8c4157e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll @@ -153,6 +153,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig { canThrowSensitiveInformation(node1) and node2 = getExceptionTarget(node1) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll index 2af00bdac2a3..23fc0aa89872 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll 
@@ -31,6 +31,14 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig { // Also report values that escape while inside a property isSink(node) and contents = DataFlow::ContentSet::anyProperty() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:96: Flow call outside 'select' clause + // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:99: Flow call outside 'select' clause + // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:109: Flow call outside 'select' clause + none() + } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll index 6b713af340a0..21efb2b77702 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll @@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig { isSink(node) and contents = DataFlow::ContentSet::anyProperty() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll index a14a4ad5e224..d589b3a15595 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll @@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig { node2 = n.getACall() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll index 550797e1757e..0d33ee11876f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll @@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig state1 = [FlowState::modified(), FlowState::unmodified()] and state2 = FlowState::modified() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll index acc2eacec07b..4271ef3e9b68 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll @@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll index 9b3d7635c870..0525367d1e22 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll 
@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll index aad78a027d85..1601208ed38e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll @@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll index c04015921257..578c15635bbb 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll @@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi } predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll index a0bb45e78ec0..a83575ada200 100644 
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll @@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll index 6a633ec324e5..dd3fafabc3ef 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll @@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig { predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll index 93b8b448d92d..1fa4cd272b3b 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll @@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig { // taint steps as additional flow steps. TaintTracking::defaultTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll index 66e63b0a7a49..ee2f1bb96d15 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll @@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll index d01e46360fd0..c29592569880 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll @@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll index e8e4847bfce8..607af3d0f163 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll 
@@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll index 2b8a64dbced0..522df62eca56 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll @@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig { ) { TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll index dbb5140d7c42..e7d93aabb977 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll @@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig { state1.isTaint() and state2 = state1 } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll index 5fde270041e4..188f2d20fd7f 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll 
@@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
 // If an object leaks, all of its properties have leaked
 isSink(node) and contents = DataFlow::ContentSet::anyProperty()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
index e385640d6960..f8e88022268a 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -121,6 +121,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
 or
 node = DataFlow::MakeStateBarrierGuard::getABarrierNode(state)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Taint-tracking for reasoning about prototype-polluting assignments. */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
index 03d5e0c62a1b..1f9ed6108183 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
 predicate isBarrier(DataFlow::Node node, FlowState state) {
 node = TaintedObject::SanitizerGuard::getABarrierNode(state)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
index 9af157fe4233..55688d4b5ff9 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
@@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
index 476fd9ccd850..606b0df62517 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
@@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
index d3cbfeb8268d..8f1f174d8ecf 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
 node instanceof Sanitizer or
 node = StringConcatenation::getRoot(any(ConstantString str).flow())
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
index 74317ebcc083..a558604c82bc 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 isAdditionalRequestForgeryStep(node1, node2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
index 95360d0face4..cfad24432289 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 isNumericFlowStep(node1, node2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
index 16d15b42ce47..0c5af5abd37c 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
@@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
 TaintTracking::defaultTaintStep(node1, node2) and
 state1 = state2
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
index dc45a6c5614e..e889480b48b7 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
 node2 = call
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
index 8d04d283c002..668086bc9b58 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
 predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
index f91a9ce27d3c..69dabac14680 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
 node2 = call
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
index cb05f91c7278..254df5aabe6e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
@@ -28,6 +28,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
 }
 predicate isSink(DataFlow::Node snk) { snk instanceof Sink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll
index 87a870abe35b..48e186bd71e3 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll
@@ -18,6 +18,8 @@ module StoredXssConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof Sanitizer or node = Shared::BarrierGuard::getABarrierNode()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll
index b10088af82ee..55338477cb49 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll
@@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll
index ad08ebc5f401..8b50a69cedce 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll
@@ -47,6 +47,8 @@ module TaintedPathConfig implements DataFlow::StateConfigSig {
 ) {
 TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
index 66e401d40ac1..348e59937b5e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
@@ -45,6 +45,8 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
 TaintTracking::defaultTaintStep(node1, node2) and
 state1 = state2
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
index 7ca9e9509f50..03e8c5c48ebb 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
@@ -27,6 +27,8 @@ module TypeConfusionConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof Barrier or node = DataFlow::MakeBarrierGuard::getABarrierNode()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
index fc1e6c79b384..2a4f1b2279d7 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
@@ -36,6 +36,8 @@ module UnsafeCodeConstruction {
 }
 DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
index edb3f93fa1b2..b0621c6ac48e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
@@ -18,6 +18,8 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
index 86a225f894a8..423b50f17f70 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
@@ -75,6 +75,8 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
 TaintTracking::defaultTaintStep(node1, node2) and
 state1 = state2
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
index 5fdf3825405f..85eb1457e2cb 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -66,6 +66,8 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
 }
 DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
index e7bf16cf0c32..1462eb2bb2b9 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -39,6 +39,8 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
 // prefixing through a poor-mans templating system:
 node = any(StringReplaceCall call).getRawReplacement()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
index 5eb11826bffd..e8dd46e08845 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -33,6 +33,8 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
 }
 DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
index d8b29fca9014..39d153fad0a0 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
@@ -78,6 +78,8 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig {
 TaintTracking::defaultTaintStep(node1, node2) and
 state1 = state2
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll
index e6ff29f81c52..99f5874cf578 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll
@@ -19,6 +19,8 @@ module XmlBombConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll
index 9016c19bd9ea..fcae5a0eb767 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll
@@ -20,6 +20,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
index 2313751d9e70..09a2b61ee28a 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
@@ -30,6 +30,8 @@ module XssThroughDomConfig implements DataFlow::ConfigSig {
 node2 = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and
 node1 = node2.(DataFlow::InvokeNode).getArgument(0)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll
index c82289b28bc4..616768030a36 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll
@@ -19,6 +19,8 @@ module XxeConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
index 39c18429fdea..b59a78462b8c 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
@@ -44,6 +44,8 @@ module ZipSlipConfig implements DataFlow::StateConfigSig {
 ) {
 TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** A taint tracking configuration for unsafe archive extraction. */
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
index 0c0f502bb06b..e6d856dd2169 100644
--- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -29,6 +29,8 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 }
 int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
index ba7c6d177cbb..25724389d825 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -277,6 +277,15 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {
 node instanceof DataFlow::VarAccessBarrier or
 node = DataFlow::MakeBarrierGuard::getABarrierNode()
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:516: Flow call outside 'select' clause
+ // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:519: Flow call outside 'select' clause
+ // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:520: Flow call outside 'select' clause
+ // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:524: Flow call outside 'select' clause
+ none()
+ }
 }
 class FlowState = PropNameTrackingConfig::FlowState;
diff --git a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
index f0734b877c96..c1a0229565ff 100644
--- a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
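Review bot: The four TODO comments in PropNameTrackingConfig's new `observeDiffInformedIncrementalMode` pin the offending flow calls to absolute line numbers (`:516`, `:519`, `:520`, `:524`) under a `ql/src/...` path, which will drift from the truth on the next edit to the file; the DecodeWithoutVerificationConfig hunk later in this patch has the same issue (`:32`, `:42`). Since these are meant to be followed up by a person, naming the predicate or clause that contains each flow call, or simply stating `// Flow results are consulted outside the select clause; keep none() until those uses are reviewed.`, would survive edits and remain actionable. The enclosing module begins outside the hunk; only its header is visible as the hunk's context line.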
@@ -87,6 +87,8 @@ module CodeInjectionConfig implements DataFlow::StateConfigSig {
 state1 = TTaint() and
 state2 = TUrlConstructor()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module CodeInjectionFlow = TaintTracking::GlobalWithState;
diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
index e66406f84053..5c8ba19f16bc 100644
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -33,6 +33,8 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
index 82490a5200a1..743fb6000d95 100644
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
@@ -19,6 +19,8 @@ module EnvValueInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 sink = API::moduleImport("process").getMember("env").getAMember().asSink()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module EnvValueInjectionFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
index 2f039b8fc3b4..604c8cb82b03 100644
--- a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -41,6 +41,8 @@ module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
 predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module TokenBuiltFromUuidFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
index 1ee38491d5fa..29808686d8f4 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -17,6 +17,8 @@ module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module UnverifiedDecodeFlow = TaintTracking::Global;
@@ -25,6 +27,8 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module VerifiedDecodeFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
index d75041426a12..767526fdd703 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
@@ -23,6 +23,13 @@ module DecodeWithoutVerificationConfig implements DataFlow::ConfigSig {
 or
 sink = verifiedDecode()
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:32: Flow call outside 'select' clause
+ // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:42: Flow call outside 'select' clause
+ none()
+ }
 }
 module DecodeWithoutVerificationFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
index 17e3f1f2fd9e..81143dfb1368 100644
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
@@ -24,6 +24,8 @@ module DecompressionBombConfig implements DataFlow::ConfigSig {
 addstep.isAdditionalTaintStep(node1, node2)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module DecompressionBombFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
index 690c673401da..380f594c21e3 100644
--- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
+++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -28,6 +28,8 @@ module SsrfConfig implements DataFlow::ConfigSig {
 }
 predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module SsrfFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
index bddc732dea21..3605a1adaa93 100644
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
@@ -33,6 +33,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
 }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module CorsPermissiveConfigurationFlow =
From e9e054c9d4c6d018188dde174fa4ba27f62ef017 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 19 Dec 2024 13:36:43 +0100
Subject: [PATCH 4/4] JS: Add dummy extension with an empty diff
---
 javascript/ql/lib/ext/diff.model.yml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 javascript/ql/lib/ext/diff.model.yml
diff --git a/javascript/ql/lib/ext/diff.model.yml b/javascript/ql/lib/ext/diff.model.yml
new file mode 100644
index 000000000000..247b06872346
--- /dev/null
+++ b/javascript/ql/lib/ext/diff.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/util
+ extensible: restrictAlertsTo
+ data:
+ - ["dummy", 1, 1]
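Review bot: The new `restrictAlertsTo` row `["dummy", 1, 1]` is a live data extension placed under `javascript/ql/lib/ext/`, and nothing inside the file says it is a placeholder; only the commit title hints that it stands for an empty diff. If that directory is packaged with the library pack (not visible from this diff), the row would apply to every configuration that opted into diff-informed mode in the earlier commits and confine their alerts to a file named `dummy`, which in practice suppresses them for every consumer. A header comment such as `# Test-only placeholder simulating an empty diff for diff-informed mode; not meant to ship.`, or keeping the file under a test directory instead of the shipped `ext` tree, would stop it being mistaken for real model data.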