hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20075 from d10c/d10c/diff-informed-phase-3-go

Browse Source 
Go: Diff-informed queries: phase 3 (non-trivial locations)
This commit is contained in:
Nora Dimitrijević
2025-08-15 12:23:53 +02:00
committed by GitHub
parent 8000e7c442 8824677e87
commit 0512940c0c
16 changed files with 96 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
View File

@@ -56,6 +56,17 @@ module AllocationSizeOverflow {
succ = c succ = c
) )
} }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(DataFlow::Node allocsz |
isSinkWithAllocationSize(sink, allocsz) and
result = allocsz.getLocation()
)
}
} }
/** Tracks taint flow to find allocation-size overflows. */ /** Tracks taint flow to find allocation-size overflows. */

4
go/ql/lib/semmle/go/security/CommandInjection.qll
View File

@@ -24,6 +24,8 @@ module CommandInjection {
} }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate observeDiffInformedIncrementalMode() { any() }
} }
/** /**
@@ -80,6 +82,8 @@ module CommandInjection {
node instanceof Sanitizer or node instanceof Sanitizer or
node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement() node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
} }
predicate observeDiffInformedIncrementalMode() { any() }
} }
/** /**

2
go/ql/lib/semmle/go/security/ExternalAPIs.qll
View File

@@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
predicate observeDiffInformedIncrementalMode() { any() }
} }
/** /**

2
go/ql/lib/semmle/go/security/HardcodedCredentials.qll
View File

@@ -30,6 +30,8 @@ module HardcodedCredentials {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate observeDiffInformedIncrementalMode() { any() }
} }
/** Tracks taint flow for reasoning about hardcoded credentials. */ /** Tracks taint flow for reasoning about hardcoded credentials. */

6
go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
View File

@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
state2 = node2.(FlowStateTransformer).transform(state1) and state2 = node2.(FlowStateTransformer).transform(state1) and
DataFlow::simpleLocalFlowStep(node1, node2, _) DataFlow::simpleLocalFlowStep(node1, node2, _)
} }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getASuccessor().getLocation()
}
} }
/** /**

4
go/ql/lib/semmle/go/security/InsecureRandomness.qll
View File

@@ -39,6 +39,10 @@ module InsecureRandomness {
n2.getType() instanceof IntegerType n2.getType() instanceof IntegerType
) )
} }
predicate observeDiffInformedIncrementalMode() {
none() // Can't have accurate sink location override because of secondary use of `flowPath` in select.
}
} }
/** /**

8
go/ql/lib/semmle/go/security/ReflectedXss.qll
View File

@@ -22,6 +22,14 @@ module ReflectedXss {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
result = sink.(SharedXss::Sink).getAssociatedLoc().getLocation()
}
} }
/** Tracks taint flow from untrusted data to XSS attack vectors. */ /** Tracks taint flow from untrusted data to XSS attack vectors. */

8
go/ql/lib/semmle/go/security/RequestForgery.qll
View File

@@ -31,6 +31,14 @@ module RequestForgery {
w.writesField(v.getAUse(), f, pred) and succ = v.getAUse() w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
) )
} }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
result = sink.(Sink).getARequest().getLocation()
}
} }
/** Tracks taint flow from untrusted data to request forgery attack vectors. */ /** Tracks taint flow from untrusted data to request forgery attack vectors. */

4
go/ql/lib/semmle/go/security/SafeUrlFlow.qll
View File

@@ -36,6 +36,10 @@ module SafeUrlFlow {
or or
node instanceof SanitizerEdge node instanceof SanitizerEdge
} }
predicate observeDiffInformedIncrementalMode() {
none() // only used as secondary configuration
}
} }
/** Tracks taint flow for reasoning about safe URLs. */ /** Tracks taint flow for reasoning about safe URLs. */

8
go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
View File

@@ -128,6 +128,14 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) } predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) } predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node source) {
exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
isWritableFileHandle(source, openCall)
)
}
} }
/** /**

2
go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
View File

@@ -68,6 +68,8 @@ module Config implements DataFlow::ConfigSig {
} }
predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) } predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
predicate observeDiffInformedIncrementalMode() { any() }
} }
/** /**

11
go/ql/src/Security/CWE-601/BadRedirectCheck.ql
View File

@@ -123,6 +123,17 @@ module Config implements DataFlow::ConfigSig {
} }
predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink } predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node source) {
result = source.getLocation()
or
exists(DataFlow::Node check |
isCheckedSource(source, check) and
result = check.getLocation()
)
}
} }
module Flow = TaintTracking::Global<Config>; module Flow = TaintTracking::Global<Config>;

6
go/ql/src/experimental/CWE-1004/AuthCookie.qll
View File

@@ -116,6 +116,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
) )
) )
} }
predicate observeDiffInformedIncrementalMode() {
any() // Merged with other flows in CookieWithoutHttpOnly.ql
}
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
} }
/** /**

8
go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
View File

@@ -59,6 +59,14 @@ private module Config implements DataFlow::ConfigSig {
not c.isPotentialFalsePositive() not c.isPotentialFalsePositive()
) )
} }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(ComparisonExpr comp | result = comp.getLocation() | sink.asExpr() = comp.getAnOperand())
}
} }
/** /**

4
go/ql/src/experimental/CWE-840/ConditionalBypass.ql
View File

@@ -22,6 +22,10 @@ module Config implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { predicate isSink(DataFlow::Node sink) {
exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr()) exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr())
} }
predicate observeDiffInformedIncrementalMode() {
none() // can't override the locations accurately because of secondary use of config.
}
} }
/** Tracks taint flow for reasoning about conditional bypass. */ /** Tracks taint flow for reasoning about conditional bypass. */

8
go/ql/src/experimental/CWE-918/SSRF.qll
View File

@@ -30,6 +30,14 @@ module ServerSideRequestForgery {
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge } predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.(Sink).getARequest().getLocation()
}
} }
/** Tracks taint flow for reasoning about request forgery vulnerabilities. */ /** Tracks taint flow for reasoning about request forgery vulnerabilities. */