From b79ce6d30b031335fd4a05a5af69483c1993668e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Tue, 17 Jun 2025 15:36:52 +0200
Subject: [PATCH] Python: mass enable diff-informed data flow `none()` location overrides

An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on github#18346 and github/codeql-patch#88
---
 .../CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql | 2 ++
 python/ql/src/experimental/Security/CWE-346/CorsBypass.ql | 2 ++
 python/ql/src/experimental/Security/UnsafeUnpackQuery.qll | 2 ++
 .../experimental/semmle/python/security/LdapInsecureAuth.qll | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
index a0fadbff3f3b..a93787c9d790 100644
--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -147,6 +147,8 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module AzureBlobClientFlow = DataFlow::GlobalWithState;
diff --git a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
index 01e661cb0bbf..4bb8440c02cd 100644
--- a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
+++ b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
@@ -81,6 +81,8 @@ module CorsBypassConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module CorsFlow = TaintTracking::Global;
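Review bot: The parameter of the added `getASelectedSourceLocation` is named `sink` in `AzureBlobClientConfig`, although the predicate is about the source end of the flow; the same line appears in the CorsBypass.ql hunk and in the UnsafeUnpackQuery.qll and LdapInsecureAuth.qll hunks. With a `none()` body the name changes no result, but it reads as if the sink-side override had been intended, which matters to whoever later replaces `none()` with a real location. I would write `Location getASelectedSourceLocation(DataFlow::Node source) { none() }` in all four configs. The config modules start outside these hunks.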
diff --git a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
index 64da6b8d799a..79e50fbd36e9 100644
--- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -210,6 +210,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
index 630543e6f798..431f9f9ab732 100644
--- a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
+++ b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
@@ -103,6 +103,8 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
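Review bot: Nothing in the `UnsafeUnpackConfig` or `LdapInsecureAuthConfig` hunk records why the source location is excluded, and the select clauses that would justify it are not visible here (for these .qll files they presumably live in separate query files). As I understand the diff-informed contract, `none()` is only right when no query using the config reports the source as its primary location or through a `$@` placeholder; if one does, an incremental run can drop an alert whose only changed location is the source, which for a security query is a silent false negative. Because the patch is auto-generated, I would confirm this per query (the two .ql configs as well) and add a comment above the override such as `// No query using this config reports the source, so only sink locations are diff-relevant.`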