github · asgerf · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+    data:
+      - ["dummy", 1, 1]
@@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
     contents = DataFlow::ContentSet::anyProperty() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
     contents = DataFlow::ContentSet::anyProperty() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;

@@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalRequestForgeryStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
       state1 = state2
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
     // HTML sanitizers are insufficient protection against code injection
     node1 = node2.(HtmlSanitizerCall).getInput()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -24,6 +24,14 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
     // comparing a tainted expression against a constant gives a tainted result
     node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:104: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:113: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:115: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**

@@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
     node instanceof Sanitizer or
     node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -20,6 +20,13 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll:39: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll:40: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**

@@ -114,6 +114,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
       state1 = state2
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -153,6 +153,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
     canThrowSensitiveInformation(node1) and
     node2 = getExceptionTarget(node1)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -31,6 +31,14 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
     // Also report values that escape while inside a property
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:96: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:99: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:109: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**

@@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
     isSink(node) and
     contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
       node2 = n.getACall()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
     state1 = [FlowState::modified(), FlowState::unmodified()] and
     state2 = FlowState::modified()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
   }
 
   predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
     // taint steps as additional flow steps.
     TaintTracking::defaultTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
     state1.isTaint() and
     state2 = state1
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
     // If an object leaks, all of its properties have leaked
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -121,6 +121,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
     or
     node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Taint-tracking for reasoning about prototype-polluting assignments. */

@@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
   predicate isBarrier(DataFlow::Node node, FlowState state) {
     node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
     node instanceof Sanitizer or
     node = StringConcatenation::getRoot(any(ConstantString str).flow())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalRequestForgeryStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isNumericFlowStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
     TaintTracking::defaultTaintStep(node1, node2) and
     state1 = state2
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
       node2 = call
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
-Original file line number
+Diff line change
@@ Expand Up @@
       predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
       predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+      predicate observeDiffInformedIncrementalMode() { any() }
     }
     /**
@@ Expand Down @@