Merge pull request #14631 from hmac/hmac-dynamic-neutral-model

JS/Ruby/Python: Add neutralModel extensible predicate
2026-04-28 02:05:14 +02:00 · 2023-10-30 12:50:09 +00:00
parent 3a9ffe189e 083be305e1
commit dc9f171ee6
7 changed files with 40 additions and 3 deletions
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -29,6 +29,7 @@ provide:
  - "swift/extractor-pack/codeql-extractor.yml"
  - "swift/integration-tests/qlpack.yml"
  - "ql/extractor-pack/codeql-extractor.yml"
+  - ".github/codeql/extensions/**/codeql-pack.yml"

 versionPolicies:
  default:
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -17,7 +17,7 @@ extensible predicate sourceModel(string type, string path, string kind);
 extensible predicate sinkModel(string type, string path, string kind);

 /**
- * Holds if calls to `(type, path)`, the value referred to by `input`
+ * Holds if in calls to `(type, path)`, the value referred to by `input`
 * can flow to the value referred to by `output`.
 *
 * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
@@ -25,6 +25,13 @@ extensible predicate sinkModel(string type, string path, string kind);
 */
 extensible predicate summaryModel(string type, string path, string input, string output, string kind);

+/**
+ * Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
+ * If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
+ * If `kind` is `sink`, the call is not a sink.
+ */
+extensible predicate neutralModel(string type, string path, string kind);
+
 /**
 * Holds if `(type2, path)` should be seen as an instance of `type1`.
 */
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/model.yml
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/model.yml
@@ -15,6 +15,11 @@ extensions:
      extensible: summaryModel
    data: []

+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: neutralModel
+    data: []
+
  - addsTo:
      pack: codeql/javascript-all
      extensible: typeModel
--- a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll
+++ b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -17,7 +17,7 @@ extensible predicate sourceModel(string type, string path, string kind);
 extensible predicate sinkModel(string type, string path, string kind);

 /**
- * Holds if calls to `(type, path)`, the value referred to by `input`
+ * Holds if in calls to `(type, path)`, the value referred to by `input`
 * can flow to the value referred to by `output`.
 *
 * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
@@ -25,6 +25,13 @@ extensible predicate sinkModel(string type, string path, string kind);
 */
 extensible predicate summaryModel(string type, string path, string input, string output, string kind);

+/**
+ * Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
+ * If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
+ * If `kind` is `sink`, the call is not a sink.
+ */
+extensible predicate neutralModel(string type, string path, string kind);
+
 /**
 * Holds if `(type2, path)` should be seen as an instance of `type1`.
 */
--- a/python/ql/lib/semmle/python/frameworks/data/internal/empty.model.yml
+++ b/python/ql/lib/semmle/python/frameworks/data/internal/empty.model.yml
@@ -15,6 +15,11 @@ extensions:
      extensible: summaryModel
    data: []

+  - addsTo:
+      pack: codeql/python-all
+      extensible: neutralModel
+    data: []
+
  - addsTo:
      pack: codeql/python-all
      extensible: typeModel
--- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -17,7 +17,7 @@ extensible predicate sourceModel(string type, string path, string kind);
 extensible predicate sinkModel(string type, string path, string kind);

 /**
- * Holds if calls to `(type, path)`, the value referred to by `input`
+ * Holds if in calls to `(type, path)`, the value referred to by `input`
 * can flow to the value referred to by `output`.
 *
 * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
@@ -25,6 +25,13 @@ extensible predicate sinkModel(string type, string path, string kind);
 */
 extensible predicate summaryModel(string type, string path, string input, string output, string kind);

+/**
+ * Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
+ * If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
+ * If `kind` is `sink`, the call is not a sink.
+ */
+extensible predicate neutralModel(string type, string path, string kind);
+
 /**
 * Holds if `(type2, path)` should be seen as an instance of `type1`.
 */
--- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/model.yml
+++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/model.yml
@@ -15,6 +15,11 @@ extensions:
      extensible: summaryModel
    data: []

+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: neutralModel
+    data: []
+
  - addsTo:
      pack: codeql/ruby-all
      extensible: typeModel