Ruby: rerun patch query after bugfix

2025-12-17 01:03:14 +01:00 · 2025-01-23 10:33:58 +01:00
parent 28f307390a
commit 1c136e3cd0
10 changed files with 58 additions and 11 deletions
--- a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
@@ -18,7 +18,11 @@ private module Config implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/cwe-807/ConditionalBypass.ql:78: Flow call outside 'select' clause
+    none()
+  }
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll
@@ -21,7 +21,11 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-829/InsecureDownload.ql:20: Column 5 selects sink.getDownloadCall
+    none()
+  }
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
@@ -25,7 +25,11 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
  // override to require the path doesn't have unmatched return steps
  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-094/UnsafeCodeConstruction.ql:25: Column 7 selects sink.getCodeSink
+    none()
+  }
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
@@ -22,7 +22,11 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
  // override to require the path doesn't have unmatched return steps
  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql:24: Column 7 selects sink.getXssSink
+    none()
+  }
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
@@ -27,7 +27,12 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS
  // override to require the path doesn't have unmatched return steps
  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.ql:26: Column 1 selects sink.getStringConstruction
+    // ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.ql:28: Column 7 selects sink.getCommandExecution
+    none()
+  }
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
@@ -29,7 +29,11 @@ module NormalHashFunction {

    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:83: Flow call outside 'select' clause
+      none()
+    }
  }

  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -57,7 +61,11 @@ module ComputationallyExpensiveHashFunction {

    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:90: Flow call outside 'select' clause
+      none()
+    }
  }

  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
--- a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
@@ -18,7 +18,12 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-020/MissingFullAnchor.ql:20: Column 7 selects sink.getCallNode
+    // ql/src/queries/security/cwe-020/MissingFullAnchor.ql:20: Column 9 selects sink.getRegex
+    none()
+  }
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
@@ -19,7 +19,12 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-1333/PolynomialReDoS.ql:27: Column 1 selects sink.getHighlight
+    // ql/src/queries/security/cwe-1333/PolynomialReDoS.ql:29: Column 5 selects sink.getRegExp
+    none()
+  }
 }

 /**
--- a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
+++ b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
@@ -40,7 +40,11 @@ private module DecompressionApiConfig implements DataFlow::ConfigSig {
  // our Decompression APIs defined above will be the sinks we use for this query
  predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionApiUse }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/decompression-api/DecompressionApi.ql:54: Column 5 selects sink.getCall
+    none()
+  }
 }

 private module DecompressionApiFlow = TaintTracking::Global<DecompressionApiConfig>;
--- a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+++ b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -55,7 +55,11 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
    exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink)
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-732/WeakFilePermissions.ql:71: Column 5 does not select a source or sink originating from the flow call on line 69
+    none()
+  }
 }

 private module PermissivePermissionsFlow = DataFlow::Global<PermissivePermissionsConfig>;