Merge pull request #20074 from d10c/d10c/diff-informed-phase-3-csharp

C#: Diff-informed queries: phase 3 (non-trivial locations)

csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll

@@ -39,6 +39,15 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // from ConditionalBypass.ql
+    result = sink.(Sink).getSensitiveMethodCall().getLocation()
+  }
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll

@@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
   predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof StrongTypeDeserializer
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
       sink.asExpr() = mc.getQualifier()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**

csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql

@@ -24,6 +24,8 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NotThreadSafeCryptoUsageIntoParallelInvoke =

csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql

@@ -38,6 +38,12 @@ module ConnectionStringConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    any(Call call | call.getAnArgument() = sink.asExpr()).getLocation() = result
+  }
 }
 
 /**