Merge pull request #20607 from d10c/d10c/update-diff-informed-testing
Update diff-informed testing to always treat sources and sinks as alert locations
@@ -100,8 +100,6 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.getLocation()
|
||||
or
|
||||
|
||||
@@ -333,8 +333,6 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.getLocation()
|
||||
or
|
||||
|
||||
@@ -80,8 +80,6 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.getLocation()
|
||||
or
|
||||
|
||||
@@ -130,8 +130,6 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.getLocation()
|
||||
or
|
||||
|
||||
@@ -184,8 +184,6 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.getLocation()
|
||||
or
|
||||
|
||||
@@ -212,8 +212,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
|
||||
|
||||
@@ -18,8 +18,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
|
||||
|
||||
@@ -17,8 +17,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
|
||||
|
||||
@@ -26,8 +26,6 @@ private module MyConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module MyFlow = TaintTracking::Global<MyConfig>;
|
||||
|
||||
@@ -36,8 +36,6 @@ private module MyConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module MyFlow = TaintTracking::Global<MyConfig>;
|
||||
|
||||
@@ -27,8 +27,6 @@ private module MyConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module MyFlow = TaintTracking::Global<MyConfig>;
|
||||
|
||||
@@ -26,8 +26,6 @@ private module MyConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module MyFlow = TaintTracking::Global<MyConfig>;
|
||||
|
||||
@@ -36,8 +36,6 @@ private module MyConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module MyFlow = TaintTracking::Global<MyConfig>;
|
||||
|
||||
@@ -27,8 +27,6 @@ private module MyConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module MyFlow = TaintTracking::Global<MyConfig>;
|
||||
|
||||
@@ -85,10 +85,8 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(FunctionCall fc | result = fc.getLocation() |
|
||||
exists(FunctionCall fc | result = [fc.getLocation(), sink.getLocation()] |
|
||||
sourceSized(fc, sink.asIndirectConvertedExpr())
|
||||
)
|
||||
}
|
||||
|
||||
@@ -171,12 +171,10 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.getLocation()
|
||||
or
|
||||
exists(FormattingFunctionCall call, Expr formatString | result = call.getLocation() |
|
||||
exists(FormattingFunctionCall call, Expr formatString |
|
||||
result = [call.getLocation(), sink.getLocation()]
|
||||
|
|
||||
isSinkImpl(sink, formatString) and
|
||||
call.getArgument(call.getFormatParameterIndex()) = formatString
|
||||
)
|
||||
|
||||
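Review bot: In `getASelectedSinkLocation`, `sink.getLocation()` is no longer returned unconditionally: the standalone `result = sink.getLocation() or` disjunct is removed and the sink's location now sits inside the `exists`, so it is produced only when a `FormattingFunctionCall` carries the matching `formatString` argument. If `isSink` can hold for a node that does not satisfy `isSinkImpl(sink, formatString)` together with the `getArgument` constraint, that sink would have no selected location and its alert could be filtered out of diff-informed runs. The definitions of `isSink` and `isSinkImpl` are outside the hunk, so this has to be checked there. If the two are equivalent, a comment such as `// every sink satisfies isSinkImpl, so sink.getLocation() is always included` would record that. The predicate's closing brace is also outside the hunk.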
@@ -155,7 +155,7 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(DataFlow::Node concatResult, Expr command, ExecState state |
|
||||
result = [concatResult.getLocation(), command.getLocation()] and
|
||||
result = [concatResult.getLocation(), command.getLocation(), sink.getLocation()] and
|
||||
isSink(sink, state) and
|
||||
isSinkImpl(sink, command, _) and
|
||||
concatResult = state.getOutgoingNode()
|
||||
|
||||
@@ -58,7 +58,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(Expr taintedArg | result = taintedArg.getLocation() | taintedArg = asSinkExpr(sink))
|
||||
exists(Expr taintedArg | result = [taintedArg.getLocation(), sink.getLocation()] |
|
||||
taintedArg = asSinkExpr(sink)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -128,7 +128,7 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(BufferWrite bw | result = bw.getLocation() | isSink(sink, bw, _))
|
||||
exists(BufferWrite bw | result = [bw.getLocation(), sink.getLocation()] | isSink(sink, bw, _))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -124,7 +124,8 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
result = getExpr(source).getLocation()
|
||||
isSource(source) and
|
||||
result = [getExpr(source).getLocation(), source.getLocation()]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -95,7 +95,7 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(Expr alloc | result = alloc.getLocation() | allocSink(alloc, sink))
|
||||
exists(Expr alloc | result = [alloc.getLocation(), sink.getLocation()] | allocSink(alloc, sink))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -76,7 +76,9 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(Expr condition | result = condition.getLocation() | isSink(sink, condition))
|
||||
exists(Expr condition | result = [condition.getLocation(), sink.getLocation()] |
|
||||
isSink(sink, condition)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -51,7 +51,9 @@ module ToBufferConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(SensitiveBufferWrite w | result = w.getLocation() | isSinkImpl(sink, w))
|
||||
exists(SensitiveBufferWrite w | result = [w.getLocation(), sink.getLocation()] |
|
||||
isSinkImpl(sink, w)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -35,11 +35,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sourceNode) {
|
||||
exists(SensitiveExpr source | result = source.getLocation() | isSourceImpl(sourceNode, source))
|
||||
exists(SensitiveExpr source | result = [source.getLocation(), sourceNode.getLocation()] |
|
||||
isSourceImpl(sourceNode, source)
|
||||
)
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(FileWrite w | result = w.getLocation() | isSinkImpl(sink, w, _))
|
||||
exists(FileWrite w | result = [w.getLocation(), sink.getLocation()] | isSinkImpl(sink, w, _))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -249,7 +249,9 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(NetworkSendRecv networkSendRecv | result = networkSendRecv.getLocation() |
|
||||
exists(NetworkSendRecv networkSendRecv |
|
||||
result = [networkSendRecv.getLocation(), sink.getLocation()]
|
||||
|
|
||||
isSinkSendRecv(sink, networkSendRecv)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -127,13 +127,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
exists(SensitiveExpr sensitive | result = sensitive.getLocation() |
|
||||
exists(SensitiveExpr sensitive | result = [sensitive.getLocation(), source.getLocation()] |
|
||||
isSourceImpl(source, sensitive)
|
||||
)
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(SqliteFunctionCall sqliteCall | result = sqliteCall.getLocation() |
|
||||
exists(SqliteFunctionCall sqliteCall | result = [sqliteCall.getLocation(), sink.getLocation()] |
|
||||
isSinkImpl(sink, sqliteCall, _)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -91,10 +91,9 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
result = source.asIndirectExpr().getLocation()
|
||||
isSource(source) and
|
||||
result = [source.asIndirectExpr().getLocation(), source.getLocation()]
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module HttpStringToUrlOpen = TaintTracking::Global<HttpStringToUrlOpenConfig>;
|
||||
|
||||
@@ -50,8 +50,6 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
}
|
||||
|
||||
module WordexpTaint = TaintTracking::Global<WordexpTaintConfig>;
|
||||
|
||||
@@ -187,12 +187,14 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
exists(Variable v | result = v.getLocation() | isSourceImpl(source, v))
|
||||
exists(Variable v | result = v.getLocation() or result = source.getLocation() |
|
||||
isSourceImpl(source, v)
|
||||
)
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(PointerArithmeticInstruction pai, Instruction deref |
|
||||
result = [pai, deref].getLocation() and
|
||||
result = [[pai, deref].getLocation(), sink.getLocation()] and
|
||||
isInvalidPointerDerefSink2(sink, deref, _) and
|
||||
isSink(sink, ArrayAddressToDerefConfig::TOverflowArithmetic(pai))
|
||||
)
|
||||
|
||||
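Review bot: The source predicate spells its two locations as `result = v.getLocation() or result = source.getLocation()`, while the sink predicate directly below it uses the set-literal form `result = [[pai, deref].getLocation(), sink.getLocation()]`. Writing the source side as `result = [v.getLocation(), source.getLocation()]` would keep the pair parallel and match most other configs in this commit. The same mixed style shows up in several other hunks, for example `NumericCastFlowConfig`, `CommandInjectionConfig` and `PermissivePermissionsConfig`. The sink predicate's body continues past the end of the hunk.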
@@ -31,8 +31,6 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(FunctionCall fc | result = [sink.getLocation(), fc.getLocation()] | isSink(fc, sink))
|
||||
}
|
||||
|
||||
@@ -39,8 +39,6 @@ module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module AddCertToRootStore = DataFlow::Global<AddCertToRootStoreConfig>;
|
||||
|
||||
@@ -132,7 +132,7 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
|
||||
exists(DataFlow::CallNode openCall | result = [openCall.getLocation(), source.getLocation()] |
|
||||
isWritableFileHandle(source, openCall)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -27,8 +27,6 @@ module Config implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -47,8 +47,6 @@ module Config implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -33,9 +33,9 @@ module ServerSideRequestForgery {
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getARequest().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -25,8 +25,6 @@ module ApkInstallationConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module ApkInstallationFlow = DataFlow::Global<ApkInstallationConfig>;
|
||||
|
||||
@@ -19,7 +19,9 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
|
||||
exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
|
||||
overflowSink(exp, sink.asExpr())
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -43,7 +45,9 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
|
||||
exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
|
||||
underflowSink(exp, sink.asExpr())
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -25,7 +25,9 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
|
||||
exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
|
||||
overflowSink(exp, sink.asExpr())
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -46,7 +48,9 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
|
||||
exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
|
||||
underflowSink(exp, sink.asExpr())
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -36,7 +36,11 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())
|
||||
exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() |
|
||||
result = c.getLocation()
|
||||
or
|
||||
result = sink.getLocation()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -63,10 +63,14 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
// only to prevent overlapping results between two queries.
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
// All queries use the argument as the primary location and do not use the
|
||||
// sink as an associated location.
|
||||
// ExecTainted.ql queries use the argument as the primary location;
|
||||
// ExecUnescaped.ql does not (used to prevent overlapping results).
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
|
||||
exists(Expr argument | argumentToExec(argument, sink) |
|
||||
result = argument.getLocation()
|
||||
or
|
||||
result = sink.getLocation()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -51,7 +51,7 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(MethodCall m, Expr e | result = [m, e].getLocation() |
|
||||
exists(MethodCall m, Expr e | result = [[m, e].getLocation(), sink.getLocation()] |
|
||||
conditionControlsMethod(m, e) and
|
||||
sink.asExpr() = e
|
||||
)
|
||||
|
||||
@@ -22,7 +22,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
|
||||
result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
|
||||
result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
|
||||
or
|
||||
result = sink.getLocation()
|
||||
|
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -19,7 +19,10 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
|
||||
result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
|
||||
result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
|
||||
or
|
||||
result = sink.getLocation()
|
||||
|
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -81,7 +81,9 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(CryptoAlgoSpec c | result = c.getLocation() | sink.asExpr() = c.getAlgoSpec())
|
||||
exists(CryptoAlgoSpec c | result = sink.getLocation() or result = c.getLocation() |
|
||||
sink.asExpr() = c.getAlgoSpec()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -106,8 +106,9 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(NumericNarrowingCastExpr cast |
|
||||
cast.getExpr() = sink.asExpr() and
|
||||
exists(NumericNarrowingCastExpr cast | cast.getExpr() = sink.asExpr() |
|
||||
result = sink.getLocation()
|
||||
or
|
||||
result = cast.getLocation()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -40,8 +40,6 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -63,8 +63,9 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(PermissionsConstruction p |
|
||||
sink.asExpr() = p.getInput() and
|
||||
exists(PermissionsConstruction p | sink.asExpr() = p.getInput() |
|
||||
result = sink.getLocation()
|
||||
or
|
||||
result = p.getLocation()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -147,8 +147,6 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -313,6 +313,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(UnsafeDeserializationSink).getLocation()
|
||||
or
|
||||
result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -46,12 +46,6 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
// This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't
|
||||
// select the source in any "$@" column.
|
||||
none()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -34,8 +34,9 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(DataFlow::Node node |
|
||||
isSinkWithHighlight(sink, node) and
|
||||
exists(DataFlow::Node node | isSinkWithHighlight(sink, node) |
|
||||
result = sink.getLocation()
|
||||
or
|
||||
result = node.getLocation()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -30,8 +30,9 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(DataFlow::Node node |
|
||||
isSinkWithHighlight(sink, node) and
|
||||
exists(DataFlow::Node node | isSinkWithHighlight(sink, node) |
|
||||
result = sink.getLocation()
|
||||
or
|
||||
result = node.getLocation()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -33,7 +33,7 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(DataFlow::Node node |
|
||||
isSinkWithHighlight(sink, node) and
|
||||
result = node.getLocation()
|
||||
result = [node.getLocation(), sink.getLocation()]
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -29,6 +29,8 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getHighlight().getLocation()
|
||||
or
|
||||
result = sink.(Sink).getRegExp().getLocation()
|
||||
|
||||
@@ -29,10 +29,6 @@ module SsrfConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
none() // Does not select the source
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
|
||||
@@ -21,6 +21,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getHighlight().getLocation()
|
||||
or
|
||||
result = sink.(Sink).getABacktrackingTerm().getLocation()
|
||||
|
||||
@@ -68,7 +68,8 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
// Note: this query does not select the sink itself
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getRequest().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -147,8 +147,6 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>;
|
||||
|
||||
@@ -81,8 +81,6 @@ module CorsBypassConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module CorsFlow = TaintTracking::Global<CorsBypassConfig>;
|
||||
|
||||
@@ -210,8 +210,6 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
|
||||
|
||||
@@ -103,8 +103,6 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
|
||||
|
||||
@@ -24,6 +24,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { none() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getHighlight().getLocation()
|
||||
or
|
||||
result = sink.(Sink).getRegExp().getRootTerm().getLocation()
|
||||
|
||||
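Review bot: The added `result = sink.(Sink).getLocation()` disjunct sits in a config whose `observeDiffInformedIncrementalMode()` is `none()` (the unchanged context line above it). As far as this hunk shows, the selected-location predicate is therefore not yet consulted for this query. A short comment on that line, e.g. `// diff-informed mode is off for this query: <reason>`, would tell the next reader whether the override is dormant on purpose. The predicate continues past the end of the hunk.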
@@ -88,8 +88,6 @@ private module HttpVerbConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
}
|
||||
|
||||
private module HttpVerbFlow = TaintTracking::Global<HttpVerbConfig>;
|
||||
|
||||
@@ -48,8 +48,6 @@ private module WeakParamsConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node node) { node = any(PersistentWriteAccess a).getValue() }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) { none() }
|
||||
}
|
||||
|
||||
private module WeakParamsFlow = TaintTracking::Global<WeakParamsConfig>;
|
||||
|
||||
@@ -60,8 +60,9 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(FileSystemPermissionModification mod |
|
||||
sinkDef(sink, mod) and
|
||||
exists(FileSystemPermissionModification mod | sinkDef(sink, mod) |
|
||||
result = sink.getLocation()
|
||||
or
|
||||
result = mod.getLocation()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -74,7 +74,9 @@ module PartitionedCookieConfig implements DataFlow::ConfigSig {
|
||||
node instanceof Barrier
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
predicate observeDiffInformedIncrementalMode() {
|
||||
none() // only used negatively
|
||||
}
|
||||
}
|
||||
|
||||
module InsecureCookieFlow = TaintTracking::Global<InsecureCookieConfig>;
|
||||
|
||||
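Review bot: The new comment `// only used negatively` does not say why a negated use forces `none()`. Presumably this flow appears under `not` in the query, where restricting sources and sinks to the diff would shrink the flow relation and so add alerts instead of removing them. Saying so would keep a later edit from switching it back to `any()`, for example `// Used only under negation: diff-informed pruning would drop flows and produce spurious alerts.` The use site of this config is not in the hunk, so the wording should be confirmed against it.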
@@ -32,7 +32,9 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node source) {
|
||||
exists(Variable target, DataFlow::Node sink | result = target.getLocation() |
|
||||
exists(Variable target, DataFlow::Node sink |
|
||||
result = [target.getLocation(), source.getLocation()]
|
||||
|
|
||||
isSink(sink) and
|
||||
narrowDereferenceAfterLifetime(source, sink, target)
|
||||
)
|
||||
|
||||
@@ -466,8 +466,10 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
|
||||
* `observeDiffInformedIncrementalMode`). By default, this is the location
|
||||
* of the source itself, but this predicate should include any locations
|
||||
* that are reported as the primary-location of the query or as an
|
||||
* additional location ("$@" interpolation). For a query that doesn't
|
||||
* report the source at all, this predicate can be `none()`.
|
||||
* additional location ("$@" interpolation). Queries with `@kind path-problem`
|
||||
* that override this predicate should also return the location of the source
|
||||
* itself. For a query that doesn't report the source at all, this predicate
|
||||
* should be `none()`.
|
||||
*/
|
||||
default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
|
||||
|
||||
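Review bot: The reworded QLDoc for `getASelectedSourceLocation` tells overriding `@kind path-problem` queries to also return the source's own location but does not say why, and the `none()` sentence that follows now reads as if it applied to them too. Presumably the reason is that a path-problem result always shows its source and sink as the path end points. Stating that and narrowing the last sentence would remove the ambiguity, e.g. `For a query that is not a path-problem and doesn't report the source at all, this predicate should be none().` The same wording is added for the sink predicate in the next hunk and again in the `-615,8` and `-626,8` hunks. The comment block opens above the hunk.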
@@ -477,8 +479,10 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
|
||||
* `observeDiffInformedIncrementalMode`). By default, this is the location
|
||||
* of the sink itself, but this predicate should include any locations
|
||||
* that are reported as the primary-location of the query or as an
|
||||
* additional location ("$@" interpolation). For a query that doesn't
|
||||
* report the sink at all, this predicate can be `none()`.
|
||||
* additional location ("$@" interpolation). Queries with `@kind path-problem`
|
||||
* that override this predicate should also return the location of the sink
|
||||
* itself. For a query that doesn't report the sink at all, this predicate
|
||||
* should be `none()`.
|
||||
*/
|
||||
default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
|
||||
}
|
||||
@@ -615,8 +619,10 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
|
||||
* `observeDiffInformedIncrementalMode`). By default, this is the location
|
||||
* of the source itself, but this predicate should include any locations
|
||||
* that are reported as the primary-location of the query or as an
|
||||
* additional location ("$@" interpolation). For a query that doesn't
|
||||
* report the source at all, this predicate can be `none()`.
|
||||
* additional location ("$@" interpolation). Queries with `@kind path-problem`
|
||||
* that override this predicate should also return the location of the source
|
||||
* itself. For a query that doesn't report the source at all, this predicate
|
||||
* should be `none()`.
|
||||
*/
|
||||
default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
|
||||
|
||||
@@ -626,8 +632,10 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
|
||||
* `observeDiffInformedIncrementalMode`). By default, this is the location
|
||||
* of the sink itself, but this predicate should include any locations
|
||||
* that are reported as the primary-location of the query or as an
|
||||
* additional location ("$@" interpolation). For a query that doesn't
|
||||
* report the sink at all, this predicate can be `none()`.
|
||||
* additional location ("$@" interpolation). Queries with `@kind path-problem`
|
||||
* that override this predicate should also return the location of the sink
|
||||
* itself. For a query that doesn't report the sink at all, this predicate
|
||||
* should be `none()`.
|
||||
*/
|
||||
default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
|
||||
}
|
||||
|
||||
@@ -52,12 +52,13 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() |
|
||||
cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode()
|
||||
or
|
||||
not sink instanceof DataFlow::PostUpdateNode and
|
||||
cleanSink = sink
|
||||
)
|
||||
result = sink.(CleartextStorageDatabaseSink).getLocation()
|
||||
or
|
||||
result =
|
||||
sink.(CleartextStorageDatabaseSink)
|
||||
.(DataFlow::PostUpdateNode)
|
||||
.getPreUpdateNode()
|
||||
.getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
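Review bot: Both disjuncts of the new `getASelectedSinkLocation` body cast `sink` to `CleartextStorageDatabaseSink`, so the predicate has no result for any sink node outside that class, whereas the removed version returned a location for every node. `isSink` is outside this hunk; if it admits anything other than `CleartextStorageDatabaseSink` nodes, those cleartext-storage alerts would likely be filtered out in diff-informed runs without any error. Either drop the cast in the first disjunct (`result = sink.getLocation()`) or add a comment stating that `isSink` is exactly that class. The hunk for `CleartextStoragePreferencesConfig` at `-34,12` has the same shape with `CleartextStoragePreferencesSink`.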
|
||||
@@ -34,12 +34,13 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() |
|
||||
cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode()
|
||||
or
|
||||
not sink instanceof DataFlow::PostUpdateNode and
|
||||
cleanSink = sink
|
||||
)
|
||||
result = sink.(CleartextStoragePreferencesSink).getLocation()
|
||||
or
|
||||
result =
|
||||
sink.(CleartextStoragePreferencesSink)
|
||||
.(DataFlow::PostUpdateNode)
|
||||
.getPreUpdateNode()
|
||||
.getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -40,8 +40,6 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
|
||||
|
||||
@@ -36,8 +36,6 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module InsufficientHashIterationsFlow = TaintTracking::Global<InsufficientHashIterationsConfig>;
|
||||
|
||||
@@ -42,8 +42,6 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
|
||||
|
||||
@@ -41,8 +41,6 @@ module StringLengthConflationConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -24,8 +24,6 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -26,8 +26,6 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||