JS: Rerun patch query after bugfix

2026-04-26 17:25:19 +02:00 · 2025-01-23 10:31:32 +01:00
parent 28f307390a
commit dba76a0e4d
19 changed files with 105 additions and 19 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -26,7 +26,11 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql:27: Column 5 selects sink.getInitialization
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -32,7 +32,11 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
    isAdditionalRequestForgeryStep(node1, node2)
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/ClientSideRequestForgery.ql:24: Column 1 selects sink.getARequest
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -31,7 +31,12 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/CommandInjection.ql:31: Column 1 does not select a source or sink originating from the flow call on line 24
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql:34: Column 1 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -24,7 +24,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
    node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:22: Column 5 selects sink.getCredentialsHeader
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:25: Column 5 selects sink.getCredentialsHeader
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -34,7 +34,11 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
    TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql:23: Column 7 does not select a source or sink originating from the flow call on line 19
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -27,7 +27,11 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/IndirectCommandInjection.ql:29: Column 1 does not select a source or sink originating from the flow call on line 25
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -24,7 +24,11 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-829/InsecureDownload.ql:21: Column 5 selects sink.getDownloadCall
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -52,7 +52,14 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
    state2 = state1
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 32
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 32
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 34
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -48,7 +48,11 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
    node = TaintedObject::SanitizerGuard::getABarrierNode(state)
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql:30: Column 7 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -27,7 +27,11 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
    isAdditionalRequestForgeryStep(node1, node2)
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/RequestForgery.ql:21: Column 1 selects sink.getARequest
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -28,7 +28,11 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql:30: Column 1 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -32,7 +32,14 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
    )
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 28
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 28
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 30
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 30
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
@@ -33,7 +33,11 @@ module UnsafeCodeConstruction {

    DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-094/UnsafeCodeConstruction.ql:26: Column 7 selects sink.getCodeSink
+      none()
+    }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -61,7 +61,11 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {

  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql:25: Column 7 selects sink.getSink
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -37,7 +37,11 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
    node = any(StringReplaceCall call).getRawReplacement()
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:25: Column 5 selects source.getPlugin
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -26,7 +26,12 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {

  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:24: Column 1 selects sink.getAlertLocation
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:26: Column 7 selects sink.getCommandExecution
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -26,7 +26,12 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {

  int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Performance/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
+    // ql/src/Performance/PolynomialReDoS.ql:33: Column 5 selects sink.getRegExp
+    none()
+  }
 }

 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -34,7 +34,11 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
    )
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql:71: Column 1 does not select a source or sink originating from the flow call on line 68
+    none()
+  }
 }

 module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -28,7 +28,11 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql:42: Column 5 does not select a source or sink originating from the flow call on line 41
+    none()
+  }
 }

 module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;