
Diff-informed queries: phase 3 (non-trivial locations) #19957


Draft pull request: wants to merge 102 commits into base: main

Commits (102)
af50027  Actions: patch-generated stubs  (d10c, Jul 2, 2025)
19fd24d  Actions: ArgumentInjection  (d10c, Jul 3, 2025)
d65a1af  Actions: ArtifactPoisoning  (d10c, Jul 3, 2025)
56b6628  Actions: CodeInjection  (d10c, Jul 3, 2025)
8b44465  Actions: CommandInjection  (d10c, Jul 3, 2025)
b129b68  Actions: EnvPathInjection  (d10c, Jul 3, 2025)
862ccce  Actions: EnvVarInjection  (d10c, Jul 3, 2025)
e44e1cb  C++: patch-generated stubs  (d10c, Jul 2, 2025)
c94f12f  C++: OverflowDestination  (d10c, Jul 8, 2025)
1dc93ac  C++: NonConstantFormat  (d10c, Jul 8, 2025)
4f9dc4b  C++: LeapYear  (d10c, Jul 9, 2025)
0d18ce4  C++: CWE-020/ExternalAPIs (+ add tests based on qhelp)  (d10c, Jul 9, 2025)
87889d6  C++: TaintedPath  (d10c, Jul 9, 2025)
b15a644  C++: ExecTainted  (d10c, Jul 9, 2025)
7fe3ccd  C++: CgiXss  (d10c, Jul 9, 2025)
2900785  C++: SqlTainted  (d10c, Jul 9, 2025)
e00ed39  C++: OverrunWriteProductFlow (revert because product flows cannot be …  (d10c, Jul 9, 2025)
4e3f4bf  C++: UnboundedWrite  (d10c, Jul 9, 2025)
bad3e3e  C++: ImproperNullTerminationTainted  (d10c, Jul 9, 2025)
7cbfa8e  C++: ArithmeticTainted  (d10c, Jul 9, 2025)
a73032f  C++: ArithmeticUncontrolled  (d10c, Jul 9, 2025)
066adde  C++: ArithmeticWithExtremeValues  (d10c, Jul 9, 2025)
07189fe  C++: TaintedAllocationSize  (d10c, Jul 9, 2025)
c744d1e  C++: AuthenticationBypass  (d10c, Jul 9, 2025)
a6046f3  C++: SSLResultConflation  (d10c, Jul 9, 2025)
fd0d513  C++: CleartextBufferWrite  (d10c, Jul 9, 2025)
1cb5977  C++: CleartextFileWrite  (d10c, Jul 9, 2025)
8a3c2c0  C++: CleartextTransmission  (d10c, Jul 9, 2025)
ee596cd  C++: CleartextSqliteDatabase (+ tests)  (d10c, Jul 9, 2025)
1f915b0  C++: UseOfHttp  (d10c, Jul 9, 2025)
f1408de  C++: InsufficientKeySize  (d10c, Jul 9, 2025)
c94973a  C++: IteratorToExpiredContainer  (d10c, Jul 9, 2025)
a4ec01e  C++: UnsafeCreateProcessCall  (d10c, Jul 9, 2025)
b54fad7  C++: UnsafeDaclSecurityDescriptor  (d10c, Jul 9, 2025)
b09f370  C++: TaintedCondition  (d10c, Jul 9, 2025)
f2f16dc  C++: TypeConfusion  (d10c, Jul 9, 2025)
e34b169  C++: ArrayAccessProductFlow (revert because product flows cannot be d…  (d10c, Jul 9, 2025)
0601afa  C++: ConstantSizeArrayOffByOne  (d10c, Jul 9, 2025)
2bbebf5  C++: DecompressionBombs  (d10c, Jul 9, 2025)
264eda8  C#: patch-generated stubs  (d10c, Jul 2, 2025)
63ee16d  C#: ConditionalBypass  (d10c, Jul 4, 2025)
4235828  C#: ExternalAPIsQuery/UntrustedDataToExternalAPI  (d10c, Jul 4, 2025)
81fcaee  C#: UnsafeDeserialization  (d10c, Jul 4, 2025)
3efbd04  C#: HardcodedConnectionString  (d10c, Jul 4, 2025)
53631b0  Go: patch-generated stubs  (d10c, Jul 2, 2025)
a5285d4  Go: AllocationSizeOverflow  (d10c, Jul 7, 2025)
fb3b60e  Go: CommandInjection  (d10c, Jul 7, 2025)
c69da7e  Go: ExternalAPIs  (d10c, Jul 7, 2025)
fb2c1d3  Go: HardcodedCredentials  (d10c, Jul 7, 2025)
cf34854  Go: IncorrectIntegerConversion  (d10c, Jul 7, 2025)
d47d028  Go: InsecureRandomness  (d10c, Jul 7, 2025)
7b9f4d3  Go: ReflectedXss  (d10c, Jul 7, 2025)
b806789  Go: RequestForgery  (d10c, Jul 7, 2025)
66d4a56  Go: SafeUrlFlow  (d10c, Jul 7, 2025)
9b91481  Go: UnhandledCloseWritableHandle  (d10c, Jul 7, 2025)
ca0ff8a  Go: InsecureHostKeyCallback  (d10c, Jul 7, 2025)
4f29748  Go: BadRedirectCheck  (d10c, Jul 7, 2025)
e82ed49  Go: AuthCookie/CookieWithoutHttpOnly/BoolToGin  (d10c, Jul 7, 2025)
bfddddc  Go: SensitiveConditionBypass  (d10c, Jul 7, 2025)
e2e5e6f  Go: ConditionalBypass  (d10c, Jul 7, 2025)
c73f6c0  Go: SSRF  (d10c, Jul 7, 2025)
cd46516  Java: patch-generated stubs  (d10c, Jul 2, 2025)
5101710  Java: AndroidSensitiveCommunication (convert test to qlref)  (d10c, Jul 7, 2025)
34b788d  Java: ArithmeticTainted  (d10c, Jul 7, 2025)
672fc96  Java: ArithmeticUncontrolled  (d10c, Jul 7, 2025)
51456ea  Java: ConditionalBypass (enable diff-informed + convert test to qlref)  (d10c, Jul 7, 2025)
5d400d7  Java: ExternalAPIs (enable diff-informed + add tests based on qhelp)  (d10c, Jul 7, 2025)
aff0c6e  Java: ExternallyControlledFormatString  (d10c, Jul 7, 2025)
e5cc465  Java: ImproperValidationOfArray...  (d10c, Jul 7, 2025)
7c5c650  Java: InsecureCookie  (d10c, Jul 7, 2025)
a5dd768  Java: InsecureLdapAuth  (d10c, Jul 7, 2025)
1ec25ff  Java: MaybeBrokenCryptoAlgorithm  (d10c, Jul 7, 2025)
78caea3  Java: LogInjection (convert test to qlref)  (d10c, Jul 8, 2025)
4f2f876  Java: SensitiveLogInfo (convert test to qlref)  (d10c, Jul 8, 2025)
1072b58  Java: SqlConcatenated  (d10c, Jul 8, 2025)
69f8688  Java: SqlInjection  (d10c, Jul 8, 2025)
51bcd34  Java: TempDirLocalInformationDisclosure  (d10c, Jul 8, 2025)
b0a314c  Java: TrustBoundaryViolations (convert test to qlref)  (d10c, Jul 8, 2025)
900b4a3  Java: UnsafeCertTrust (+ convert test to qlref)  (d10c, Jul 8, 2025)
633c6ca  Java: AndroidWebViewSettingsAllowsContentAccess  (d10c, Jul 8, 2025)
02693a6  JS: patch-generated stubs  (d10c, Jul 2, 2025)
b7f4255  JS: IndirectCommandInjection  (d10c, Jul 4, 2025)
031e4c8  JS: NosqlInjection, SqlInjection  (d10c, Jul 4, 2025)
9fc93e0  JS: ShellCommandInjection  (d10c, Jul 4, 2025)
5112eb3  JS: EnvValueAndKeyInjection  (d10c, Jul 4, 2025)
427a852  JS: decodeJwtWithoutVerification  (d10c, Jul 4, 2025)
e0cd030  Python: patch-generated stubs  (d10c, Jul 2, 2025)
58e9e4a  Python: LdapInjection  (d10c, Jul 4, 2025)
86671a9  Python: WeakSensitiveDataHashing  (d10c, Jul 4, 2025)
fbdf962  Python: PossibleTimingAttackAgainstHash (+ selecting source node inst…  (d10c, Jul 4, 2025)
195b013  Python: TimingAttackAgainstHash (+ new test)  (d10c, Jul 4, 2025)
83586ff  Ruby: patch-generated stubs  (d10c, Jul 2, 2025)
5a8c2c9  Ruby: MissingFullAnchor  (d10c, Jul 4, 2025)
5a130fe  Ruby: WeakSensitiveDataHashing  (d10c, Jul 4, 2025)
525ca3b  Ruby: WeakFilePermissions  (d10c, Jul 4, 2025)
d39010b  Rust: patch-generated stubs  (d10c, Jul 2, 2025)
67d615a  Rust: AccessAfterLifetime  (d10c, Jul 4, 2025)
0d20533  Swift: patch-generated stubs  (d10c, Jul 2, 2025)
9cb57cc  Swift: CleartextStorageDatabase  (d10c, Jul 4, 2025)
02d7fea  Swift: CleartextStoragePreferences  (d10c, Jul 4, 2025)
057e266  Swift: UnsafeWebViewFetch  (d10c, Jul 4, 2025)
3e3e856  Swift: InsecureTLSQuery  (d10c, Jul 10, 2025)
@@ -1,6 +1,7 @@
private import actions
private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ControlChecks
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow

Expand Down Expand Up @@ -88,6 +89,19 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "argument-injection"))
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
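Review bot: `getASelectedSourceLocation` returning `none()` encodes the assumption that the ArgumentInjection query's `select` clause never points at the source, but unlike the CodeInjection and CommandInjection hunks there is no `// where clause from ...Critical.ql` comment naming the query file this mirrors; add one so the two can be checked against each other. The same comment should say that the event disjunct (`inPrivilegedContext(...) and not exists(ControlCheck check | check.protects(..., "argument-injection"))`) must stay at least as permissive as the query's own `where` clause: a selected-location predicate that is stricter than the query makes diff-informed mode silently drop true results, whereas one that is looser only costs a little extra evaluation.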
Expand Up @@ -4,6 +4,7 @@ import codeql.actions.DataFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.ControlChecks

string unzipRegexp() { result = "(unzip|tar)\\s+.*" }

Expand Down Expand Up @@ -316,6 +317,19 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "artifact-poisoning"))
)
}
}

/** Tracks flow of unsafe artifacts that is used in an insecure way. */
49 changes: 49 additions & 0 deletions actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
Expand Up @@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
import codeql.actions.security.ControlChecks
import codeql.actions.security.CachePoisoningQuery

class CodeInjectionSink extends DataFlow::Node {
CodeInjectionSink() {
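Review bot: the two new imports at the top of CodeInjectionQuery.qll are public (`import codeql.actions.security.ControlChecks` and `import codeql.actions.security.CachePoisoningQuery`), while ArgumentInjectionQuery.qll in this same patch brings in ControlChecks with `private import`. In a library `.qll` a public import re-exports the module to every file that imports CodeInjectionQuery; that is exactly the mechanism behind the redundant-import warning code scanning raised on EnvPathInjectionQuery.qll, where ArtifactPoisoningQuery.qll's public `import codeql.actions.security.ControlChecks` already supplies the module. Make both of these `private import` unless the re-export is intended, and say so in a comment if it is.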
Expand Down Expand Up @@ -35,6 +37,53 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from CodeInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
source.getEventName() = event.getName() and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "code-injection")) and
// exclude cases where the sink is a JS script and the expression uses toJson
not exists(UsesStep script |
script.getCallee() = "actions/github-script" and
script.getArgumentExpr("script") = sink.asExpr() and
exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
)
)
or
// where clause from CachePoisoningViaCodeInjection.ql
exists(Event event, LocalJob job, DataFlow::Node source | result = event.getLocation() |
job = sink.asExpr().getEnclosingJob() and
job.getATriggerEvent() = event and
// job can be triggered by an external user
event.isExternallyTriggerable() and
// the checkout is not controlled by an access check
isSource(source) and
not exists(ControlCheck check | check.protects(source.asExpr(), event, "code-injection")) and
// excluding privileged workflows since they can be exploited in easier circumstances
// which is covered by `actions/code-injection/critical`
not job.isPrivilegedExternallyTriggerable(event) and
(
// the workflow runs in the context of the default branch
runsOnDefaultBranch(event)
or
// the workflow caller runs in the context of the default branch
event.getName() = "workflow_call" and
exists(ExternalJob caller |
caller.getCallee() = job.getLocation().getFile().getRelativePath() and
runsOnDefaultBranch(caller.getATriggerEvent())
)
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
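Review bot: the two `exists(...)` disjuncts in `getASelectedSinkLocation` are hand copies of the `where` clauses of CodeInjectionCritical.ql and CachePoisoningViaCodeInjection.ql (the comments say as much), so a later edit to either query's `where` will desynchronise the selected locations without any test failing. Consider lifting each condition into a named predicate over `sink.asExpr()` and `event` that both the `.ql` file and this predicate call. Separately, `source` in both disjuncts is constrained only by `isSource(source)` and is never tied to `sink` by a flow path, so the predicate selects the event location for a superset of the (source, sink) pairs the queries actually report. That is the safe direction for diff-informed pruning, but a one-line comment stating that the over-approximation is deliberate would save the next reader re-deriving it.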
Expand Up @@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
private import codeql.actions.dataflow.ExternalFlow
import codeql.actions.dataflow.FlowSources
import codeql.actions.DataFlow
import codeql.actions.security.ControlChecks

private class CommandInjectionSink extends DataFlow::Node {
CommandInjectionSink() { madSink(this, "command-injection") }
Expand All @@ -16,6 +17,22 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from CommandInjectionCritical.ql
exists(Event event | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["command-injection", "code-injection"])
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
Expand Up @@ -3,6 +3,7 @@
private import codeql.actions.dataflow.ExternalFlow
private import codeql.actions.security.ArtifactPoisoningQuery
private import codeql.actions.security.UntrustedCheckoutQuery
private import codeql.actions.security.ControlChecks

[Code scanning / CodeQL warning] Redundant import: the module is already imported inside codeql.actions.security.ArtifactPoisoningQuery.

abstract class EnvPathInjectionSink extends DataFlow::Node { }

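Review bot: the added `private import codeql.actions.security.ControlChecks` is flagged by code scanning as redundant because `codeql.actions.security.ArtifactPoisoningQuery`, imported two lines above, already re-exports it (that file gains a public `import codeql.actions.security.ControlChecks` elsewhere in this patch). Either drop this line, or keep it and make the import in ArtifactPoisoningQuery.qll `private` so that each query file states its own dependencies; a PR that adds CodeQL query plumbing should not land with an open warning from the repository's own code scanning.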
Expand Down Expand Up @@ -108,6 +109,30 @@
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from EnvPathInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
(
not source.getSourceType() = "artifact" and
not exists(ControlCheck check | check.protects(sink.asExpr(), event, "code-injection"))
or
source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
) and
sink instanceof EnvPathInjectionFromFileReadSink
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
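Review bot: in the non-artifact branch the only protection kind consulted is `"code-injection"`, while the analogous EnvVarInjectionQuery.qll hunk checks `["envvar-injection", "code-injection"]`; confirm this is an exact copy of EnvPathInjectionCritical.ql (as the comment claims) rather than an accidental divergence. The direction matters: consulting fewer kinds than the query does only widens the selection, which is harmless, but consulting more kinds than the query would make `not exists(ControlCheck ...)` fail for sinks the query still reports and drop them in diff-informed mode. Minor: the complementary `not source.getSourceType() = "artifact"` / `source.getSourceType() = "artifact"` tests would read better as a single `if ... then ... else`, which also makes the branches mutually exclusive by construction.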
34 changes: 34 additions & 0 deletions actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
Expand Up @@ -163,6 +163,40 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
// where clause from EnvVarInjectionCritical.ql
exists(Event event, RemoteFlowSource source | result = event.getLocation() |
inPrivilegedContext(sink.asExpr(), event) and
isSource(source) and
// exclude paths to file read sinks from non-artifact sources
(
// source is text
not source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check.protects(sink.asExpr(), event, ["envvar-injection", "code-injection"])
)
or
// source is an artifact or a file from an untrusted checkout
source.getSourceType() = "artifact" and
not exists(ControlCheck check |
check
.protects(sink.asExpr(), event,
["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
) and
(
sink instanceof EnvVarInjectionFromFileReadSink or
madSink(sink, "envvar-injection")
)
)
)
}
}

/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
10 changes: 10 additions & 0 deletions cpp/ql/src/Critical/OverflowDestination.ql
Expand Up @@ -82,6 +82,16 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
nodeIsBarrierEqualityCandidate(node, access, checkedVar)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(FunctionCall fc | result = fc.getLocation() |
sourceSized(fc, sink.asIndirectConvertedExpr())
)
}
}

module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;
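Review bot: `getASelectedSinkLocation` here has no `result = sink.getLocation()` disjunct, unlike the Actions and NonConstantFormat hunks, so a sink for which `sourceSized(fc, sink.asIndirectConvertedExpr())` matches no `FunctionCall` gets no selected location at all and is dropped outright in diff-informed mode. If `isSink` for this config is itself defined through `sourceSized`, that cannot happen today, but the coupling should be recorded in a comment beside the predicate (or the sink-location fallback added) so the invariant survives a later change to `isSink`.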
13 changes: 13 additions & 0 deletions cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
Expand Up @@ -168,6 +168,19 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
cannotContainString(t)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) { none() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.getLocation()
or
exists(FormattingFunctionCall call, Expr formatString | result = call.getLocation() |
isSinkImpl(sink, formatString) and
call.getArgument(call.getFormatParameterIndex()) = formatString
)
}
}

module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;
12 changes: 12 additions & 0 deletions cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll
Expand Up @@ -215,6 +215,10 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
}

predicate observeDiffInformedIncrementalMode() {
none() // only used negatively in UncheckedLeapYearAfterYearModification.ql
}
}

module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
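Review bot: the comment `only used negatively in UncheckedLeapYearAfterYearModification.ql` gives the where but not the why. Spell out that diff-informed pruning discards flow paths that do not touch the diff, so a `not LeapYearCheckFlow::flow(...)` condition would start succeeding for code that is in fact checked and produce false positives; that is the reason `none()` is the required choice for any config consumed under negation. One such sentence turns the comment into something a future change to `any()` would have to argue against rather than simply overwrite.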
Expand Down Expand Up @@ -285,6 +289,14 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
aexpr.getLValue() = fa
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) {
result = source.asExpr().getLocation()
}

Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.asExpr().getLocation() }
}

module PossibleYearArithmeticOperationCheckFlow =
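Review bot: both `getASelectedSourceLocation` and `getASelectedSinkLocation` go through `asExpr().getLocation()`; a source or sink node with no `asExpr()` (a parameter, indirection or post-update node) then has no selected location and is silently excluded in diff-informed mode. Either use `source.getLocation()` / `sink.getLocation()` as the other hunks do, or add a comment stating that `isSource` and `isSink` for this config only ever match expression nodes, so that the `asExpr()` form is total.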
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
Expand Up @@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() {
any() // normal use in UntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in CountUntrustedDataToExternalAPI.ql
}
}

module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
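Review bot: the justification on `observeDiffInformedIncrementalMode` is a single comment line of well over 100 characters; wrap it, and make `(no location)` explicit: does it mean CountUntrustedDataToExternalAPI.ql selects no alert location, so diff-informed mode is never applied to that query and its aggregate counts cannot be affected by pruning? If so, say that, because a reader who only sees "used via ExternalApiUsedWithUntrustedData" will wonder whether pruned paths change the counts. The identical comment appears in `ir/ExternalAPIsSpecific.qll` in the next hunk, so one shared wording that both files can point to would avoid the two drifting apart.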
4 changes: 4 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
Expand Up @@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() {
any() // normal use in IRUntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in IRCountUntrustedDataToExternalAPI.ql
}
}

module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
Expand Up @@ -93,6 +93,12 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
// make sinks barriers so that we only report the closest instance
isSink(node)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.asIndirectArgument().getLocation()
}
}

module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
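Review bot: this hunk overrides `getASelectedSinkLocation` but not `getASelectedSourceLocation`, so whatever the library default is applies to sources, whereas the other configs in this PR state the source choice explicitly (`none()` or a concrete location). Add the explicit predicate, or a one-line comment that the default source location is intentionally what the query's `select` reports, so readers do not have to work out whether the omission is deliberate. `sink.asIndirectArgument().getLocation()` also carries the same totality concern as the `asExpr()` forms elsewhere in the patch: a sink that is not an indirect argument gets no selected location and is dropped.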
11 changes: 11 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
Expand Up @@ -150,6 +150,17 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
predicate isBarrierOut(DataFlow::Node node) {
isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(DataFlow::Node concatResult, Expr command, ExecState state |
result = [concatResult.getLocation(), command.getLocation()] and
isSink(sink, state) and
isSinkImpl(sink, command, _) and
concatResult = state.getOutgoingNode()
)
}
}

module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
Expand Up @@ -39,6 +39,12 @@ module Config implements DataFlow::ConfigSig {
or
node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node source) {
exists(QueryString query | result = query.getLocation() | query = source.asIndirectExpr())
}
}

module Flow = TaintTracking::Global<Config>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
Expand Up @@ -54,6 +54,12 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
sql.barrierSqlArgument(input, _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(Expr taintedArg | result = taintedArg.getLocation() | taintedArg = asSinkExpr(sink))
}
}

module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
Expand Up @@ -124,6 +124,12 @@ module Config implements DataFlow::ConfigSig {
// Block flow if the node is guarded by any <, <= or = operations.
node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(BufferWrite bw | result = bw.getLocation() | isSink(sink, bw, _))
}
}

module Flow = TaintTracking::Global<Config>;
Expand Up @@ -43,6 +43,12 @@ private module Config implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node sink) { isSink(sink, _) }

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(VariableAccess va | result = va.getLocation() | isSink(sink, va))
}
}

module Flow = TaintTracking::Global<Config>;