From 701386cfa7dfe2875d7d8304a451c36c9db078bb Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 23 Jan 2025 10:27:07 +0100 Subject: [PATCH] Go: mass enable diff-informed data flow --- go/ql/lib/semmle/go/StringOps.qll | 6 +++ .../go/security/AllocationSizeOverflow.qll | 12 +++++ .../semmle/go/security/CleartextLogging.qll | 2 + .../semmle/go/security/CommandInjection.qll | 14 ++++++ go/ql/lib/semmle/go/security/ExternalAPIs.qll | 9 ++++ .../go/security/HardcodedCredentials.qll | 7 +++ .../IncorrectIntegerConversionLib.qll | 6 +++ .../semmle/go/security/InsecureRandomness.qll | 7 +++ go/ql/lib/semmle/go/security/LogInjection.qll | 2 + .../go/security/MissingJwtSignatureCheck.qll | 8 ++++ .../semmle/go/security/OpenUrlRedirect.qll | 2 + go/ql/lib/semmle/go/security/ReflectedXss.qll | 6 +++ .../lib/semmle/go/security/RequestForgery.qll | 6 +++ go/ql/lib/semmle/go/security/SafeUrlFlow.qll | 8 ++++ go/ql/lib/semmle/go/security/SqlInjection.qll | 2 + .../lib/semmle/go/security/StoredCommand.qll | 2 + go/ql/lib/semmle/go/security/StoredXss.qll | 2 + go/ql/lib/semmle/go/security/StringBreak.qll | 2 + go/ql/lib/semmle/go/security/TaintedPath.qll | 2 + .../security/UncontrolledAllocationSize.qll | 2 + .../semmle/go/security/UnsafeUnzipSymlink.qll | 8 ++++ .../lib/semmle/go/security/XPathInjection.qll | 2 + go/ql/lib/semmle/go/security/ZipSlip.qll | 2 + .../UnhandledCloseWritableHandle.ql | 6 +++ .../CWE-020/IncompleteHostnameRegexp.ql | 2 + .../Security/CWE-020/MissingRegexpAnchor.ql | 2 + .../CWE-020/SuspiciousCharacterInRegexp.ql | 2 + .../Security/CWE-209/StackTraceExposure.ql | 2 + .../CWE-322/InsecureHostKeyCallback.ql | 7 +++ .../Security/CWE-326/InsufficientKeySize.ql | 2 + go/ql/src/Security/CWE-327/InsecureTLS.ql | 13 ++++++ .../Security/CWE-352/ConstantOauth2State.ql | 14 ++++++ .../src/Security/CWE-601/BadRedirectCheck.ql | 6 +++ go/ql/src/Security/CWE-640/EmailInjection.qll | 2 + .../experimental/CWE-090/LDAPInjection.qll | 2 + .../src/experimental/CWE-1004/AuthCookie.qll | 45 +++++++++++++++++++ 
go/ql/src/experimental/CWE-203/Timing.ql | 2 + .../src/experimental/CWE-285/PamAuthBypass.ql | 4 ++ .../ImproperLdapAuthCustomizations.qll | 2 + .../experimental/CWE-321-V2/HardCodedKeys.ql | 8 ++++ .../WeakCryptoAlgorithmCustomizations.qll | 2 + .../src/experimental/CWE-369/DivideByZero.ql | 2 + .../CWE-74/DsnInjectionCustomizations.qll | 2 + .../CWE-79/HTMLTemplateEscapingPassthrough.ql | 18 ++++++++ .../CWE-807/SensitiveConditionBypass.qll | 6 +++ .../experimental/CWE-840/ConditionalBypass.ql | 9 ++++ go/ql/src/experimental/CWE-918/SSRF.qll | 6 +++ .../CWE-942/CorsMisconfiguration.ql | 26 ++++++++++- .../experimental/Unsafe/WrongUsageOfUnsafe.ql | 8 ++++ .../frameworks/DecompressionBombs.qll | 2 + 50 files changed, 320 insertions(+), 1 deletion(-) diff --git a/go/ql/lib/semmle/go/StringOps.qll b/go/ql/lib/semmle/go/StringOps.qll index 37a13a197142..8c589929720b 100644 --- a/go/ql/lib/semmle/go/StringOps.qll +++ b/go/ql/lib/semmle/go/StringOps.qll @@ -231,6 +231,12 @@ module StringOps { call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"]) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause + none() + } } /** diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll index 9531e2798129..5085ddb8972f 100644 --- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll +++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll 
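Review bot: The explanatory line `// ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause` inside the new `observeDiffInformedIncrementalMode()` body ties the rationale to an absolute line number that goes stale on the next edit to that file, and the same generated form recurs in every `none()` predicate of this patch (AllocationSizeOverflow, CommandInjection, ExternalAPIs, HardcodedCredentials, IncorrectIntegerConversionLib, InsecureRandomness, MissingJwtSignatureCheck, ReflectedXss, RequestForgery, SafeUrlFlow, UnsafeUnzipSymlink, UnhandledCloseWritableHandle, InsecureHostKeyCallback, InsecureTLS, ConstantOauth2State, BadRedirectCheck, AuthCookie, HardCodedKeys). Where the reason is already known, a comment naming the construct survives edits better, e.g. `// Not diff-informed: this flow is consumed by a library predicate rather than a query's select clause, so no source/sink location can bound the diff range.` If the signature's default for this predicate is `none()` (which appears to be the case, since configs that omitted it were not diff-informed before this patch), the explicit `none()` bodies change no behaviour and exist only to carry the TODO; saying so in the comment would stop a later reader from assuming they opt something out.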
@@ -19,6 +19,12 @@ module AllocationSizeOverflow { predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) } predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause + none() + } } /** @@ -56,6 +62,12 @@ module AllocationSizeOverflow { succ = c ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-190/AllocationSizeOverflow.ql:25: Column 5 does not select a source or sink originating from the flow call on line 22 + none() + } } /** Tracks taint flow to find allocation-size overflows. */ diff --git a/go/ql/lib/semmle/go/security/CleartextLogging.qll b/go/ql/lib/semmle/go/security/CleartextLogging.qll index 2e0c9665c4b6..5218d03d9081 100644 --- a/go/ql/lib/semmle/go/security/CleartextLogging.qll +++ b/go/ql/lib/semmle/go/security/CleartextLogging.qll @@ -46,6 +46,8 @@ module CleartextLogging { // Also exclude protobuf field fetches, since they amount to single field reads. not any(Protobuf::GetMethod gm).taintStep(src, trg) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll index 7dc6f3991fc1..5b8d0e6cb2a8 100644 --- a/go/ql/lib/semmle/go/security/CommandInjection.qll +++ b/go/ql/lib/semmle/go/security/CommandInjection.qll 
@@ -24,6 +24,13 @@ module CommandInjection { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 1 does not select a source or sink originating from the flow call on line 26 + // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 5 does not select a source or sink originating from the flow call on line 26 + none() + } } /** @@ -80,6 +87,13 @@ module CommandInjection { node instanceof Sanitizer or node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 1 does not select a source or sink originating from the flow call on line 27 + // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 5 does not select a source or sink originating from the flow call on line 27 + none() + } } /** diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll index 6799099b999f..202524cda5e5 100644 --- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll +++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll @@ -186,6 +186,13 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/go/security/ExternalAPIs.qll:210: Flow call outside 'select' clause + // ql/lib/semmle/go/security/ExternalAPIs.qll:213: Flow call outside 'select' clause + none() + } } /** 
@@ -197,6 +204,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll index 0be50fc23062..ed9a7a1e838e 100644 --- a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll +++ b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll @@ -30,6 +30,13 @@ module HardcodedCredentials { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-798/HardcodedCredentials.ql:65: Column 1 does not select a source or sink originating from the flow call on line 62 + // ql/src/Security/CWE-798/HardcodedCredentials.ql:65: Column 3 does not select a source or sink originating from the flow call on line 62 + none() + } } /** Tracks taint flow for reasoning about hardcoded credentials. */ diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll index 3c6cddc427f8..d72454b5e002 100644 --- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll +++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll 
@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf state2 = node2.(FlowStateTransformer).transform(state1) and DataFlow::simpleLocalFlowStep(node1, node2, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql:26: Column 1 selects sink.getASuccessor + none() + } } /** diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll index 83746f7b96ed..0e7c00779029 100644 --- a/go/ql/lib/semmle/go/security/InsecureRandomness.qll +++ b/go/ql/lib/semmle/go/security/InsecureRandomness.qll @@ -39,6 +39,13 @@ module InsecureRandomness { n2.getType() instanceof IntegerType ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-338/InsecureRandomness.ql:33: Column 1 does not select a source or sink originating from the flow call on line 26 + // ql/src/Security/CWE-338/InsecureRandomness.ql:34: Column 5 does not select a source or sink originating from the flow call on line 26 + none() + } } /** diff --git a/go/ql/lib/semmle/go/security/LogInjection.qll b/go/ql/lib/semmle/go/security/LogInjection.qll index d8bc586ed916..3db7e27c7815 100644 --- a/go/ql/lib/semmle/go/security/LogInjection.qll +++ b/go/ql/lib/semmle/go/security/LogInjection.qll @@ -21,6 +21,8 @@ module LogInjection { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about log injection vulnerabilities. */ diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll index 73605d65b024..f5467b03c6d6 100644 
--- a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll +++ b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll @@ -23,6 +23,8 @@ module MissingJwtSignatureCheck { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(AdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about JWT vulnerabilities. */ @@ -36,6 +38,12 @@ module MissingJwtSignatureCheck { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(AdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause + none() + } } private module SafeParse = TaintTracking::Global; diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll index bfe47f260cd6..1d2d7a1c60bb 100644 --- a/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll +++ b/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll @@ -54,6 +54,8 @@ module OpenUrlRedirect { or hostnameSanitizingPrefixEdge(node, _) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow from unvalidated, untrusted data to URL redirections. */ diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll index 1068c6fae3d1..7eacf00ca04a 100644 --- a/go/ql/lib/semmle/go/security/ReflectedXss.qll +++ b/go/ql/lib/semmle/go/security/ReflectedXss.qll 
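Review bot: `OpenUrlRedirect::Config` is enabled unconditionally with `predicate observeDiffInformedIncrementalMode() { any() }`, yet the SafeUrlFlow hunk later in this patch records, for the same query, `ql/src/Security/CWE-601/OpenUrlRedirect.ql:26: Column 5 does not select a source or sink originating from the flow call on line 24`. If the flow call on that line 24 is this config's rather than SafeUrlFlow's, diff-informed mode would silently drop open-redirect alerts whose selected column falls outside the changed lines, so it is worth confirming which flow that line invokes before keeping the `any()`; if it is SafeUrlFlow's call, no change is needed. The same cross-check applies to `RequestForgery::Config`, whose own note and SafeUrlFlow's note both cite `RequestForgery.ql:25` and which is correctly left at `none()`.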
@@ -22,6 +22,12 @@ module ReflectedXss { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-079/ReflectedXss.ql:36: Column 7 selects sink.getAssociatedLoc + none() + } } /** Tracks taint flow from untrusted data to XSS attack vectors. */ diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll index bdf26a1f18fe..d7d0d73ce2fe 100644 --- a/go/ql/lib/semmle/go/security/RequestForgery.qll +++ b/go/ql/lib/semmle/go/security/RequestForgery.qll @@ -31,6 +31,12 @@ module RequestForgery { w.writesField(v.getAUse(), f, pred) and succ = v.getAUse() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-918/RequestForgery.ql:25: Column 1 selects sink.getARequest + none() + } } /** Tracks taint flow from untrusted data to request forgery attack vectors. */ diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll index d74e2156a609..d6513c3264d8 100644 --- a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll +++ b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll 
@@ -36,6 +36,14 @@ module SafeUrlFlow { or node instanceof SanitizerEdge } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-601/OpenUrlRedirect.ql:26: Column 5 does not select a source or sink originating from the flow call on line 24 + // ql/src/Security/CWE-918/RequestForgery.ql:25: Column 1 selects sink.getARequest + // ql/src/Security/CWE-918/RequestForgery.ql:26: Column 7 does not select a source or sink originating from the flow call on line 24 + none() + } } /** Tracks taint flow for reasoning about safe URLs. */ diff --git a/go/ql/lib/semmle/go/security/SqlInjection.qll b/go/ql/lib/semmle/go/security/SqlInjection.qll index e24b30f40d38..5b7513090258 100644 --- a/go/ql/lib/semmle/go/security/SqlInjection.qll +++ b/go/ql/lib/semmle/go/security/SqlInjection.qll @@ -23,6 +23,8 @@ module SqlInjection { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */ diff --git a/go/ql/lib/semmle/go/security/StoredCommand.qll b/go/ql/lib/semmle/go/security/StoredCommand.qll index 38555370cfcc..983f739bdab2 100644 --- a/go/ql/lib/semmle/go/security/StoredCommand.qll +++ b/go/ql/lib/semmle/go/security/StoredCommand.qll @@ -26,6 +26,8 @@ module StoredCommand { predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about command-injection vulnerabilities. */ diff --git a/go/ql/lib/semmle/go/security/StoredXss.qll b/go/ql/lib/semmle/go/security/StoredXss.qll index 2bf6bf248048..3bea8e8c1e00 100644 --- a/go/ql/lib/semmle/go/security/StoredXss.qll +++ b/go/ql/lib/semmle/go/security/StoredXss.qll 
@@ -22,6 +22,8 @@ module StoredXss { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about XSS. */ diff --git a/go/ql/lib/semmle/go/security/StringBreak.qll b/go/ql/lib/semmle/go/security/StringBreak.qll index 02b4c5b3313b..87a676b6f97f 100644 --- a/go/ql/lib/semmle/go/security/StringBreak.qll +++ b/go/ql/lib/semmle/go/security/StringBreak.qll @@ -26,6 +26,8 @@ module StringBreak { predicate isBarrier(DataFlow::Node node, FlowState state) { state = node.(Sanitizer).getQuote() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/lib/semmle/go/security/TaintedPath.qll b/go/ql/lib/semmle/go/security/TaintedPath.qll index 674cda1157cf..b814ad5d4ac6 100644 --- a/go/ql/lib/semmle/go/security/TaintedPath.qll +++ b/go/ql/lib/semmle/go/security/TaintedPath.qll @@ -17,6 +17,8 @@ module TaintedPath { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about path-traversal vulnerabilities. */ diff --git a/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll b/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll index 885aa7a7053c..91bbcfaa1edd 100644 --- a/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll +++ b/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll @@ -27,6 +27,8 @@ module UncontrolledAllocationSize { node2 = cn.getResult(0) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about uncontrolled allocation size issues. */ diff --git a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll index 1d18ac5f639a..c94dd2a15af5 100644 
--- a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll +++ b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll @@ -20,6 +20,12 @@ module UnsafeUnzipSymlink { predicate isSink(DataFlow::Node sink) { sink instanceof EvalSymlinksSink } predicate isBarrier(DataFlow::Node node) { node instanceof EvalSymlinksInvalidator } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll:35: Flow call outside 'select' clause + none() + } } /** @@ -44,6 +50,8 @@ module UnsafeUnzipSymlink { predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink } predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/lib/semmle/go/security/XPathInjection.qll b/go/ql/lib/semmle/go/security/XPathInjection.qll index 61bd00977daf..900b81053370 100644 --- a/go/ql/lib/semmle/go/security/XPathInjection.qll +++ b/go/ql/lib/semmle/go/security/XPathInjection.qll @@ -19,6 +19,8 @@ module XPathInjection { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/lib/semmle/go/security/ZipSlip.qll b/go/ql/lib/semmle/go/security/ZipSlip.qll index f16daf84c3dd..6de2be91509a 100644 --- a/go/ql/lib/semmle/go/security/ZipSlip.qll +++ b/go/ql/lib/semmle/go/security/ZipSlip.qll @@ -17,6 +17,8 @@ module ZipSlip { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about zip-slip vulnerabilities. */ 
diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql index 8846f52fb743..1653ed0447c3 100644 --- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql +++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql @@ -127,6 +127,12 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) } predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql:152: Column 5 does not select a source or sink originating from the flow call on line 146 + none() + } } /** diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql index 03018ee1c32d..18ddcc99f94e 100644 --- a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql +++ b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql @@ -103,6 +103,8 @@ module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { StringOps::Concatenation::taintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = DataFlow::Global; diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql index df93440ac526..ad38c1a50dcb 100644 --- a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql +++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql @@ -72,6 +72,8 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSourceString(source, _) } predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = DataFlow::Global; 
diff --git a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql index 81cc634346a3..933fa95dc270 100644 --- a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql +++ b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql @@ -40,6 +40,8 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSourceString(source, _) } predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/Security/CWE-209/StackTraceExposure.ql b/go/ql/src/Security/CWE-209/StackTraceExposure.ql index 3440fdba3148..408e12b3c15e 100644 --- a/go/ql/src/Security/CWE-209/StackTraceExposure.ql +++ b/go/ql/src/Security/CWE-209/StackTraceExposure.ql @@ -62,6 +62,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig { cgn.dominates(node.getBasicBlock()) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql index 2c292785f7f1..3922e78d3795 100644 --- a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql +++ b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql @@ -68,6 +68,13 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:90: Flow call outside 'select' clause + // ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:96: Flow call outside 'select' clause + none() + } } /** diff --git a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql index 19db3ef63ae4..6fa421baaeb3 100644 
--- a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql +++ b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql @@ -25,6 +25,8 @@ module Config implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node = DataFlow::BarrierGuard::getABarrierNode() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/Security/CWE-327/InsecureTLS.ql b/go/ql/src/Security/CWE-327/InsecureTLS.ql index a4a9ab1f549a..35fa1f822d40 100644 --- a/go/ql/src/Security/CWE-327/InsecureTLS.ql +++ b/go/ql/src/Security/CWE-327/InsecureTLS.ql @@ -71,6 +71,13 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { intIsSource(source, _) } predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-327/InsecureTLS.ql:87: Flow call outside 'select' clause + // ql/src/Security/CWE-327/InsecureTLS.ql:128: Flow call outside 'select' clause + none() + } } /** @@ -201,6 +208,12 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig { * suites. */ predicate isBarrierOut(DataFlow::Node node) { isSink(node) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-327/InsecureTLS.ql:221: Flow call outside 'select' clause + none() + } } /** diff --git a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql index daaac1ce4f3b..e4a00415a0b9 100644 --- a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql +++ b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql @@ -40,6 +40,8 @@ module ConstantStateFlowConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
@@ -110,6 +112,12 @@ module PrivateUrlFlowsToAuthCodeUrlCallConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-352/ConstantOauth2State.ql:134: Flow call outside 'select' clause + none() + } } /** @@ -144,6 +152,12 @@ module FlowToPrintConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source = any(AuthCodeUrl m).getACall().getResult() } predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-352/ConstantOauth2State.ql:153: Flow call outside 'select' clause + none() + } } module FlowToPrintFlow = DataFlow::Global; diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql index bc60e1339eb9..f2d3e019ac38 100644 --- a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql +++ b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql @@ -123,6 +123,12 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-601/BadRedirectCheck.ql:176: Column 1 does not select a source or sink originating from the flow call on line 175 + none() + } } module Flow = TaintTracking::Global; diff --git a/go/ql/src/Security/CWE-640/EmailInjection.qll b/go/ql/src/Security/CWE-640/EmailInjection.qll index 35b7795ad55f..e3016b44aa1a 100644 --- a/go/ql/src/Security/CWE-640/EmailInjection.qll +++ b/go/ql/src/Security/CWE-640/EmailInjection.qll 
@@ -20,6 +20,8 @@ module EmailInjection { predicate isSource(DataFlow::Node source) { source instanceof Source } predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about email-injection vulnerabilities. */ diff --git a/go/ql/src/experimental/CWE-090/LDAPInjection.qll b/go/ql/src/experimental/CWE-090/LDAPInjection.qll index fd138fa06458..a770666fe93e 100644 --- a/go/ql/src/experimental/CWE-090/LDAPInjection.qll +++ b/go/ql/src/experimental/CWE-090/LDAPInjection.qll @@ -101,6 +101,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink } predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll index 411da5a79fa0..721a1e3332b1 100644 --- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll +++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll @@ -76,6 +76,12 @@ private module NameToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig sl = succ.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:46: Flow call outside 'select' clause + none() + } } /** Tracks taint flow from sensitive names to `net/http.SetCookie`. */ 
@@ -95,6 +101,13 @@ private module BoolToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig sl = succ.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:48: Flow call outside 'select' clause + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:52: Flow call outside 'select' clause + none() + } } /** @@ -116,6 +129,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:99: Column 1 does not select a source or sink originating from the flow call on line 97 + none() + } } /** @@ -133,6 +152,12 @@ private module NameToGinSetCookieTrackingConfig implements DataFlow::ConfigSig { mcn.getArgument(0) = sink ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/AuthCookie.qll:114: Flow call outside 'select' clause + none() + } } /** @@ -184,6 +209,12 @@ private module GorillaCookieStoreSaveTrackingConfig implements DataFlow::ConfigS succ = cn.getResult(0) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:70: Flow call outside 'select' clause + none() + } } /** 
@@ -208,6 +239,13 @@ private module GorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSi succ = base ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:72: Flow call outside 'select' clause + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:77: Flow call outside 'select' clause + none() + } } /** @@ -235,6 +273,13 @@ private module BoolToGorillaSessionOptionsTrackingConfig implements DataFlow::Co succ = base ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:80: Flow call outside 'select' clause + // ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:85: Flow call outside 'select' clause + none() + } } /** diff --git a/go/ql/src/experimental/CWE-203/Timing.ql b/go/ql/src/experimental/CWE-203/Timing.ql index ab0b50a657a9..e488adf2f97f 100644 --- a/go/ql/src/experimental/CWE-203/Timing.ql +++ b/go/ql/src/experimental/CWE-203/Timing.ql @@ -102,6 +102,8 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; diff --git a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql index 02f47ba2b738..db2dc94f8f07 100644 --- a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql +++ b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql @@ -42,6 +42,8 @@ module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(PamAcctMgmt p | p.getACall().getReceiver() = sink) } + + predicate observeDiffInformedIncrementalMode() { any() } } module PamStartToAcctMgmtFlow = TaintTracking::Global; 
@@ -55,6 +57,8 @@ module PamStartToAuthenticateConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(PamAuthenticate p | p.getACall().getReceiver() = sink) } + + predicate observeDiffInformedIncrementalMode() { any() } } module PamStartToAuthenticateFlow = TaintTracking::Global; diff --git a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll index 7a62041a774a..0a2739eabc79 100644 --- a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll +++ b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll @@ -74,6 +74,8 @@ module ImproperLdapAuth { predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink } predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql index 39cc2ca99176..79d9b6c2da93 100644 --- a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql +++ b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql @@ -33,6 +33,8 @@ module JwtParseWithConstantKeyConfig implements DataFlow::ConfigSig { // second part is the JWT Parsing Functions that get a string or byte as an argument sink = any(JwtParse jp).getKeyArg() } + + predicate observeDiffInformedIncrementalMode() { any() } } module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig { @@ -45,6 +47,12 @@ module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink = any(JwtParseWithKeyFunction parseJwt).getKeyFuncArg() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-321-V2/HardCodedKeys.ql:27: Flow call outside 'select' clause + none() + } } module JwtParseWithConstantKey = TaintTracking::Global; 
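Review bot: The `ImproperLdapAuth` config in ImproperLdapAuthCustomizations.qll is a shared library module, so `observeDiffInformedIncrementalMode() { any() }` is inherited by every query that instantiates it, not only ImproperLdapAuth.ql; a consumer whose select clause does not report the flow's source or sink would silently lose alerts in diff-informed incremental runs. The generator's check evidently covered the in-repo callers, but nothing in the hunk records that constraint for whoever next reuses the module. A one-line comment above the predicate would preserve it, e.g. `// Diff-informed pruning assumes the consuming query selects the flow source/sink; keep in sync with ImproperLdapAuth.ql.`. The same caveat applies to the other exported Customizations modules switched to `any()` in this commit (WeakCryptoAlgorithmCustomizations.qll, DecompressionBombs.qll).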
diff --git a/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll b/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll index 1d64d731f507..b9104f1fe096 100644 --- a/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll +++ b/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll @@ -54,6 +54,8 @@ module WeakCryptoAlgorithm { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-369/DivideByZero.ql b/go/ql/src/experimental/CWE-369/DivideByZero.ql index b6709b97d712..99cd120dbf8b 100644 --- a/go/ql/src/experimental/CWE-369/DivideByZero.ql +++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql @@ -45,6 +45,8 @@ module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink = DataFlow::exprNode(any(QuoExpr e).getRightOperand()) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll b/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll index 2c3208550720..88a45d70ba52 100644 --- a/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll +++ b/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll @@ -19,6 +19,8 @@ private module DsnInjectionConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof RegexpCheckBarrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql index 0aff713f26bc..15029eaefba1 100644 --- a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql +++ b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql 
@@ -50,6 +50,12 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig predicate isBarrier(DataFlow::Node node) { node instanceof SharedXss::Sanitizer or node.getType() instanceof NumericType } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql:24: Flow call outside 'select' clause + none() + } } /** @@ -85,6 +91,12 @@ module PassthroughTypeConversionToTemplateExecutionCallConfig implements DataFlo } predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql:70: Flow call outside 'select' clause + none() + } } /** @@ -112,6 +124,12 @@ module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql:133: Flow call outside 'select' clause + none() + } } /** diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll index 2f2ca94fa87f..7faced1a4215 100644 --- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll +++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll 
@@ -59,6 +59,12 @@ private module Config implements DataFlow::ConfigSig { not c.isPotentialFalsePositive() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-807/SensitiveConditionBypass.ql:33: Column 1 does not select a source or sink originating from the flow call on line 24 + none() + } } /** diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql index b70be1ff42db..74f1d736a090 100644 --- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql +++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql @@ -22,6 +22,15 @@ module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-840/ConditionalBypass.ql:38: Column 1 does not select a source or sink originating from the flow call on line 34 + // ql/src/experimental/CWE-840/ConditionalBypass.ql:38: Column 1 does not select a source or sink originating from the flow call on line 36 + // ql/src/experimental/CWE-840/ConditionalBypass.ql:38: Column 3 does not select a source or sink originating from the flow call on line 34 + // ql/src/experimental/CWE-840/ConditionalBypass.ql:39: Column 5 does not select a source or sink originating from the flow call on line 36 + none() + } } /** Tracks taint flow for reasoning about conditional bypass. */ diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll index b1374da8a5f7..3b6b0b40c76e 100644 --- a/go/ql/src/experimental/CWE-918/SSRF.qll +++ b/go/ql/src/experimental/CWE-918/SSRF.qll 
@@ -30,6 +30,12 @@ module ServerSideRequestForgery { predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-918/SSRF.ql:23: Column 1 selects sink.getARequest + none() + } } /** Tracks taint flow for reasoning about request forgery vulnerabilities. */ diff --git a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql index 342f1addfe06..7e05453bf4b5 100644 --- a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql +++ b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql @@ -67,6 +67,12 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSinkHW(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-942/CorsMisconfiguration.ql:129: Flow call outside 'select' clause + none() + } } module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig { @@ -75,6 +81,12 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig { additional predicate isSinkWrite(DataFlow::Node sink, UniversalOriginWrite w) { sink = w } predicate isSink(DataFlow::Node sink) { isSinkWrite(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-942/CorsMisconfiguration.ql:132: Flow call outside 'select' clause + none() + } } /** 
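Review bot: The SSRF stub returns `none()` because, per the TODO, the query's first column selects `sink.getARequest` rather than the sink node, so the alert location is not the flow endpoint and the generator could not prove pruning is safe. If the `DataFlow::ConfigSig` this branch builds against exposes the `getASelectedSinkLocation` hook (recent shared data-flow library versions do; confirm before relying on it), the config can stay diff-informed by declaring the reported location instead of opting out: `predicate observeDiffInformedIncrementalMode() { any() }` together with `Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.(Sink).getARequest().getLocation() }`. The `Sink` class, its `getARequest` member and SSRF.ql:23 are all outside this hunk, so that body is a sketch to be checked against them, not a drop-in line.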
@@ -173,7 +185,13 @@ module FromUntrustedConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) } - additional predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) { + additional predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-942/CorsMisconfiguration.ql:221: Flow call outside 'select' clause + none() + } + + predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) { exists(IfStmt ifs | exists(Expr operand | operand = ifs.getCond().getAChildExpr*() and @@ -205,6 +223,12 @@ module FromUntrustedConfig implements DataFlow::ConfigSig { cgn.getCondition() = ifs.getCond() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-942/CorsMisconfiguration.ql:221: Flow call outside 'select' clause + none() + } } /** diff --git a/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql b/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql index e0f0098be4e0..20f6c19f0cfc 100644 --- a/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql +++ b/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql 
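Review bot: In the first FromUntrustedConfig hunk the `additional` modifier has moved from `isSinkCgn` onto the inserted `observeDiffInformedIncrementalMode`, and the second hunk then defines `observeDiffInformedIncrementalMode` a second time in the same module; `isSinkCgn` is not a `DataFlow::ConfigSig` member and needs `additional`, while a signature member marked `additional` and a duplicate predicate definition are both expected to fail QL compilation. This looks like a mis-applied generated edit rather than an intended change. Restore `additional predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) {` and drop the first inserted block, keeping only the non-`additional` definition the second hunk adds after `isSinkCgn`'s body. The rest of the module and the flow call at CorsMisconfiguration.ql:221 that the TODO refers to are outside these hunks, so the `none()` value itself cannot be judged here.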
@@ -51,6 +51,14 @@ module UnsafeTypeCastingConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { conversionIsSource(source, _) } predicate isSink(DataFlow::Node sink) { typeCastNodeIsSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql:73: Flow call outside 'select' clause + // ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql:120: Flow call outside 'select' clause + // ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql:150: Flow call outside 'select' clause + none() + } } /** Tracks taint flow for reasoning about type casting from a `unsafe.Pointer`. */ diff --git a/go/ql/src/experimental/frameworks/DecompressionBombs.qll b/go/ql/src/experimental/frameworks/DecompressionBombs.qll index 5828cd60e523..170104ebd43b 100644 --- a/go/ql/src/experimental/frameworks/DecompressionBombs.qll +++ b/go/ql/src/experimental/frameworks/DecompressionBombs.qll @@ -56,6 +56,8 @@ module DecompressionBomb { addStep.isAdditionalFlowStep(fromNode, fromState, toNode, toState) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about decompression bomb vulnerabilities. */