mirror of
https://github.com/github/codeql.git
synced 2025-12-17 01:03:14 +01:00
Merge pull request #18341 from asgerf/py/diff-informed
Python: enable diff-informed data flow queries
This commit is contained in:
Asger F
@@ -21,6 +21,8 @@ private module CleartextLoggingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
|
||||
|
||||
@@ -21,6 +21,8 @@ private module CleartextStorageConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "code injection" vulnerabilities. */
|
||||
|
||||
@@ -20,6 +20,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "command injection" vulnerabilities. */
|
||||
|
||||
@@ -20,6 +20,8 @@ module CookieInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "cookie injection" vulnerabilities. */
|
||||
|
||||
@@ -16,6 +16,8 @@ private module HeaderInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */
|
||||
|
||||
@@ -19,6 +19,8 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
|
||||
@@ -30,6 +32,8 @@ private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "log injection" vulnerabilities. */
|
||||
|
||||
@@ -56,6 +56,8 @@ module NoSqlInjectionConfig implements DataFlow::StateConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node = any(NoSqlSanitizer noSqlSanitizer).getAnInput()
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module NoSqlInjectionFlow = TaintTracking::GlobalWithState<NoSqlInjectionConfig>;
|
||||
|
||||
@@ -31,6 +31,8 @@ private module PamAuthorizationConfig implements DataFlow::ConfigSig {
|
||||
// Flow from handle to the authenticate call in the final step
|
||||
exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
|
||||
|
||||
@@ -71,6 +71,8 @@ module PathInjectionConfig implements DataFlow::StateConfigSig {
|
||||
stateFrom instanceof NotNormalized and
|
||||
stateTo instanceof NormalizedUnchecked
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "path injection" vulnerabilities. */
|
||||
|
||||
@@ -35,6 +35,11 @@ module PolynomialReDoS {
|
||||
/** Gets the regex that is being executed by this node. */
|
||||
abstract RegExpTerm getRegExp();
|
||||
|
||||
/** Gets a term within the regexp that may perform polynomial back-tracking. */
|
||||
final PolynomialBackTrackingTerm getABacktrackingTerm() {
|
||||
result.getRootTerm() = this.getRegExp()
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the node to highlight in the alert message.
|
||||
*/
|
||||
|
||||
@@ -17,6 +17,14 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getHighlight().getLocation()
|
||||
or
|
||||
result = sink.(Sink).getABacktrackingTerm().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
|
||||
|
||||
@@ -18,6 +18,14 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getRegexExecution().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */
|
||||
|
||||
@@ -29,6 +29,12 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig
|
||||
or
|
||||
node instanceof FullUrlControlSanitizer
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() {
|
||||
// The partial request forgery query depends on `fullyControlledRequest` to reject alerts about
|
||||
// such full-controlled requests, regardless of the associated source.
|
||||
none()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -58,6 +64,13 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
// Note: this query does not select the sink itself
|
||||
result = sink.(Sink).getRequest().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -17,6 +17,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "SQL injection" vulnerabilities. */
|
||||
|
||||
@@ -26,6 +26,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
|
||||
nodeTo = attr
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module TarSlipConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "tar slip" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "template injection" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */
|
||||
|
||||
@@ -28,6 +28,16 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
// override to require the path doesn't have unmatched return steps
|
||||
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getStringConstruction().getLocation()
|
||||
or
|
||||
result = sink.(Sink).getCommandExecution().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */
|
||||
|
||||
@@ -32,6 +32,8 @@ private module UrlRedirectConfig implements DataFlow::StateConfigSig {
|
||||
) {
|
||||
any(UrlRedirect::AdditionalFlowStep a).step(nodeFrom, stateFrom, nodeTo, stateTo)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "URL redirection" vulnerabilities. */
|
||||
|
||||
@@ -33,6 +33,8 @@ module NormalHashFunction {
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
sensitiveDataExtraStepForCalls(node1, node2)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
|
||||
@@ -63,6 +65,8 @@ module ComputationallyExpensiveHashFunction {
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
sensitiveDataExtraStepForCalls(node1, node2)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module XmlBombConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "XML bomb" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module XxeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */
|
||||
|
||||
@@ -171,6 +171,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() {
|
||||
none() // Not used for PR analysis
|
||||
}
|
||||
}
|
||||
|
||||
/** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
|
||||
|
||||
@@ -110,6 +110,10 @@ module InsecureContextConfiguration implements DataFlow::StateConfigSig {
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() {
|
||||
none() // Too complicated, but might be possible after some refactoring.
|
||||
}
|
||||
}
|
||||
|
||||
private module InsecureContextFlow = DataFlow::GlobalWithState<InsecureContextConfiguration>;
|
||||
|
||||
@@ -23,7 +23,7 @@ from
|
||||
where
|
||||
PolynomialReDoSFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
regexp.getRootTerm() = sinkNode.getRegExp()
|
||||
regexp = sinkNode.getABacktrackingTerm()
|
||||
// not (
|
||||
// source.getNode().(Source).getKind() = "url" and
|
||||
// regexp.isAtEndLine()
|
||||
|
||||
@@ -119,6 +119,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module HardcodedCredentialsFlow = TaintTracking::Global<HardcodedCredentialsConfig>;
|
||||
|
||||
@@ -109,6 +109,8 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
|
||||
nodeFrom = nodeTo.(API::CallNode).getArg(0) and
|
||||
nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource()
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */
|
||||
|
||||
@@ -19,6 +19,8 @@ module XsltInjectionConfig implements DataFlow::ConfigSig {
|
||||
// opted for the more simple approach.
|
||||
nodeTo = elementTreeConstruction(nodeFrom)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module XsltInjectionFlow = TaintTracking::Global<XsltInjectionConfig>;
|
||||
|
||||
@@ -24,6 +24,8 @@ module Js2PyFlowConfig implements DataFlow::ConfigSig {
|
||||
API::moduleImport("js2py").getMember(["eval_js", "eval_js6", "EvalJs"]).getACall().getArg(_) =
|
||||
node
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module Js2PyFlow = TaintTracking::Global<Js2PyFlowConfig>;
|
||||
|
||||
@@ -75,6 +75,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
|
||||
) and
|
||||
state instanceof PostValidation
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */
|
||||
|
||||
@@ -23,6 +23,8 @@ private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigS
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module TimingAttackAgainstHeaderValueFlow =
|
||||
|
||||
@@ -23,6 +23,8 @@ private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlo
|
||||
predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module PossibleTimingAttackAgainstSensitiveInfoFlow =
|
||||
|
||||
@@ -24,6 +24,8 @@ private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::Confi
|
||||
predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module TimingAttackAgainstSensitiveInfoFlow =
|
||||
|
||||
@@ -52,6 +52,8 @@ private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig
|
||||
or
|
||||
state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
|
||||
|
||||
@@ -145,6 +145,8 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
|
||||
node = call.getObject()
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>;
|
||||
|
||||
@@ -51,6 +51,8 @@ private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
|
||||
nodeTo = call
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
|
||||
|
||||
@@ -79,6 +79,8 @@ module CorsBypassConfig implements DataFlow::ConfigSig {
|
||||
c.getReturn().asSource() = node2 and n.asSource() = node1
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module CorsFlow = TaintTracking::Global<CorsBypassConfig>;
|
||||
|
||||
@@ -45,6 +45,8 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
|
||||
ss = node.asExpr()
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
|
||||
|
||||
@@ -108,6 +108,8 @@ private module UnicodeDoSConfig implements DataFlow::ConfigSig {
|
||||
.getACall()
|
||||
.getArg(_)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module UnicodeDoSFlow = TaintTracking::Global<UnicodeDoSConfig>;
|
||||
|
||||
@@ -208,6 +208,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
|
||||
nodeFrom = mcn.getArg(0)
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
|
||||
|
||||
@@ -38,6 +38,10 @@ module SmtpLib {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() {
|
||||
none() // Used in library model
|
||||
}
|
||||
}
|
||||
|
||||
module SmtpMessageFlow = TaintTracking::Global<SmtpMessageConfig>;
|
||||
|
||||
@@ -408,6 +408,8 @@ module BombsConfig implements DataFlow::ConfigSig {
|
||||
isAdditionalTaintStepTextIOWrapper(pred, succ)
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
module BombsFlow = TaintTracking::Global<BombsConfig>;
|
||||
|
||||
@@ -27,6 +27,8 @@ module InsecureRandomness {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "random values that are not cryptographically secure" vulnerabilities. */
|
||||
|
||||
@@ -101,6 +101,8 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
|
||||
|
||||
@@ -10,6 +10,8 @@ module RemoteCommandExecutionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink = any(RemoteCommandExecution rce).getCommand() }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "secondary server command injection" vulnerabilities. */
|
||||
|
||||
@@ -34,6 +34,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
|
||||
) and
|
||||
not sink.getScope().getLocation().getFile().inStdlib()
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "zip slip" vulnerabilities. */
|
||||
|
||||
@@ -34,6 +34,8 @@ private module EmailXssConfig implements DataFlow::ConfigSig {
|
||||
nodeFrom = htmlContentCall.getArg(0)
|
||||
)
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global taint-tracking for detecting "Email XSS" vulnerabilities. */
|
||||
|
||||
@@ -17,6 +17,8 @@ private module CsvInjectionConfig implements DataFlow::ConfigSig {
|
||||
node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
|
||||
node instanceof ConstCompareBarrier
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
|
||||
|
||||
@@ -50,6 +50,8 @@ module ModificationOfParameterWithDefault {
|
||||
or
|
||||
node.(DataFlow::MethodCallNode).calls(_, "copy")
|
||||
}
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
/** Global data-flow for detecting modifications of a parameters default value. */
|
||||
|
||||
Reference in New Issue
Block a user