JS: Auto-patch diff informed queries

2026-04-25 08:45:14 +02:00 · 2024-12-19 13:22:17 +01:00
parent d8b1d00905
commit fd763a0883
71 changed files with 173 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
@@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
    contents = DataFlow::ContentSet::anyProperty() and
    isSink(node)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
@@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
    contents = DataFlow::ContentSet::anyProperty() and
    isSink(node)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
@@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    isAdditionalRequestForgeryStep(node1, node2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
      state1 = state2
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
    // HTML sanitizers are insufficient protection against code injection
    node1 = node2.(HtmlSanitizerCall).getInput()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
@@ -24,6 +24,14 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
    // comparing a tainted expression against a constant gives a tainted result
    node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:104: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:113: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll:115: Flow call outside 'select' clause
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
    node instanceof Sanitizer or
    node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
  ) {
    TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll
@@ -20,6 +20,13 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll:39: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll:40: Flow call outside 'select' clause
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
@@ -113,6 +113,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
      state1 = state2
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
@@ -155,6 +155,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
  }

  int accessPathLimit() { result = 1 }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
@@ -31,6 +31,14 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
    // Also report values that escape while inside a property
    isSink(node) and contents = DataFlow::ContentSet::anyProperty()
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:96: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:99: Flow call outside 'select' clause
+    // ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll:109: Flow call outside 'select' clause
+    none()
+  }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
@@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
    isSink(node) and
    contents = DataFlow::ContentSet::anyProperty()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
@@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
      node2 = n.getACall()
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
@@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
    state1 = [FlowState::modified(), FlowState::unmodified()] and
    state2 = FlowState::modified()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
@@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
@@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
@@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
  }

  predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
  predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
@@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
    // taint steps as additional flow steps.
    TaintTracking::defaultTaintStep(node1, node2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
@@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
@@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
@@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
  ) {
    TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
    state1.isTaint() and
    state2 = state1
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
@@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
    // If an object leaks, all of its properties have leaked
    isSink(node) and contents = DataFlow::ContentSet::anyProperty()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -113,6 +113,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
    or
    node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Taint-tracking for reasoning about prototype-polluting assignments. */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
  predicate isBarrier(DataFlow::Node node, FlowState state) {
    node = TaintedObject::SanitizerGuard::getABarrierNode(state)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
@@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
  predicate isBarrier(DataFlow::Node node) {
    node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
@@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
    node instanceof Sanitizer or
    node = StringConcatenation::getRoot(any(ConstantString str).flow())
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    isAdditionalRequestForgeryStep(node1, node2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    isNumericFlowStep(node1, node2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
@@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
    TaintTracking::defaultTaintStep(node1, node2) and
    state1 = state2
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
      node2 = call
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
  predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
      node2 = call
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
@@ -28,6 +28,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node snk) { snk instanceof Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll
@@ -18,6 +18,8 @@ module StoredXssConfig implements DataFlow::ConfigSig {
  predicate isBarrier(DataFlow::Node node) {
    node instanceof Sanitizer or node = Shared::BarrierGuard::getABarrierNode()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll
@@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathQuery.qll
@@ -47,6 +47,8 @@ module TaintedPathConfig implements DataFlow::StateConfigSig {
  ) {
    TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
@@ -45,6 +45,8 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
    TaintTracking::defaultTaintStep(node1, node2) and
    state1 = state2
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
@@ -27,6 +27,8 @@ module TypeConfusionConfig implements DataFlow::ConfigSig {
  predicate isBarrier(DataFlow::Node node) {
    node instanceof Barrier or node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
@@ -32,6 +32,8 @@ module UnsafeCodeConstruction {
    }

    DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
@@ -18,6 +18,8 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
@@ -75,6 +75,8 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
    TaintTracking::defaultTaintStep(node1, node2) and
    state1 = state2
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -60,6 +60,8 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
  }

  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -36,6 +36,8 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
    // prefixing through a poor-mans templating system:
    node = any(StringReplaceCall call).getRawReplacement()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -25,6 +25,8 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
  }

  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
@@ -91,6 +91,8 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig {
    TaintTracking::defaultTaintStep(node1, node2) and
    state1 = state2
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll
@@ -19,6 +19,8 @@ module XmlBombConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XpathInjectionQuery.qll
@@ -20,6 +20,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
@@ -28,6 +28,8 @@ module XssThroughDomConfig implements DataFlow::ConfigSig {
    node2 = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and
    node1 = node2.(DataFlow::InvokeNode).getArgument(0)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XxeQuery.qll
@@ -19,6 +19,8 @@ module XxeConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
@@ -44,6 +44,8 @@ module ZipSlipConfig implements DataFlow::StateConfigSig {
  ) {
    TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** A taint tracking configuration for unsafe archive extraction. */
--- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -25,6 +25,8 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }

  int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -283,6 +283,15 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {
    // flows through any contents, apart from a capture content.
    result = 1
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:516: Flow call outside 'select' clause
+    // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:519: Flow call outside 'select' clause
+    // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:520: Flow call outside 'select' clause
+    // ql/src/Security/CWE-915/PrototypePollutingFunction.ql:524: Flow call outside 'select' clause
+    none()
+  }
 }

 class FlowState = PropNameTrackingConfig::FlowState;
--- a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
@@ -87,6 +87,8 @@ module CodeInjectionConfig implements DataFlow::StateConfigSig {
    state1 = TTaint() and
    state2 = TUrlConstructor()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module CodeInjectionFlow = TaintTracking::GlobalWithState<CodeInjectionConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -33,6 +33,8 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
      )
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
@@ -19,6 +19,8 @@ module EnvValueInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) {
    sink = API::moduleImport("process").getMember("env").getAMember().asSink()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module EnvValueInjectionFlow = TaintTracking::Global<EnvValueInjectionConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -41,6 +41,8 @@ module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -17,6 +17,8 @@ module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

  predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module UnverifiedDecodeFlow = TaintTracking::Global<UnverifiedDecodeConfig>;
@@ -25,6 +27,8 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

  predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
@@ -23,6 +23,13 @@ module DecodeWithoutVerificationConfig implements DataFlow::ConfigSig {
    or
    sink = verifiedDecode()
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:32: Flow call outside 'select' clause
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:42: Flow call outside 'select' clause
+    none()
+  }
 }

 module DecodeWithoutVerificationFlow = TaintTracking::Global<DecodeWithoutVerificationConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
+++ b/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql
@@ -24,6 +24,8 @@ module DecompressionBombConfig implements DataFlow::ConfigSig {
      addstep.isAdditionalTaintStep(node1, node2)
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module DecompressionBombFlow = TaintTracking::Global<DecompressionBombConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
+++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -28,6 +28,8 @@ module SsrfConfig implements DataFlow::ConfigSig {
  }

  predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module SsrfFlow = TaintTracking::Global<SsrfConfig>;
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
@@ -33,6 +33,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module CorsPermissiveConfigurationFlow =