Merge pull request #18528 from asgerf/jss/diff-informed

JS: Enable diff-informed queries
github · Jan 20, 2025 · f319003 · f319003
2 parents 1b2d7bc + 683ebca
commit f319003
Show file tree

Hide file tree

Showing 71 changed files with 157 additions and 0 deletions.
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
@@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
     contents = DataFlow::ContentSet::anyProperty() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
@@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
     contents = DataFlow::ContentSet::anyProperty() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
@@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalRequestForgeryStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
       state1 = state2
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
     // HTML sanitizers are insufficient protection against code injection
     node1 = node2.(HtmlSanitizerCall).getInput()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
@@ -24,6 +24,10 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
     // comparing a tainted expression against a constant gives a tainted result
     node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since the enclosing comparison is sometimes selected instead of the sink
+  }
 }
 
 /**

diff --git a/...pt/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/...pt/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
     node instanceof Sanitizer or
     node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/...script/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll b/...script/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll
@@ -20,6 +20,10 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since multiple related sinks are selected simultaneously
+  }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
@@ -113,6 +113,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
       state1 = state2
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
@@ -155,6 +155,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
   }
 
   int accessPathLimit() { result = 1 }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/...ript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll b/...ript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
@@ -31,6 +31,10 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
     // Also report values that escape while inside a property
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Not used for PR analysis
+  }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
@@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
     isSink(node) and
     contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
@@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
       node2 = n.getACall()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/...script/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll b/...script/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
@@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
     state1 = [FlowState::modified(), FlowState::unmodified()] and
     state2 = FlowState::modified()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/.../ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll b/.../ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
@@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
@@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/...t/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll b/...t/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
@@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
   }
 
   predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
@@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
     // taint steps as additional flow steps.
     TaintTracking::defaultTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
@@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
@@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
@@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
     state1.isTaint() and
     state2 = state1
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
@@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
     // If an object leaks, all of its properties have leaked
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -113,6 +113,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
     or
     node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Taint-tracking for reasoning about prototype-polluting assignments. */

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
   predicate isBarrier(DataFlow::Node node, FlowState state) {
     node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
@@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
@@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
     node instanceof Sanitizer or
     node = StringConcatenation::getRoot(any(ConstantString str).flow())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalRequestForgeryStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isNumericFlowStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
@@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
     TaintTracking::defaultTaintStep(node1, node2) and
     state1 = state2
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
       node2 = call
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/.../ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/.../ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
       node2 = call
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
@@ -28,6 +28,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node snk) { snk instanceof Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
-Original file line number
+Diff line change
@@ Expand Up @@
       predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
       predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+      predicate observeDiffInformedIncrementalMode() { any() }
     }
     /**
@@ Expand Down @@