From e4a1847dade236bff587894f1912ce0437d72dd3 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 23 Jan 2025 10:15:59 +0100 Subject: [PATCH 1/7] Python: mass enable diff-informed data flow --- .../dataflow/CleartextLoggingQuery.qll | 2 ++ .../dataflow/CleartextStorageQuery.qll | 2 ++ .../security/dataflow/CodeInjectionQuery.qll | 2 ++ .../dataflow/CommandInjectionQuery.qll | 2 ++ .../security/dataflow/CookieInjectionQuery.qll | 2 ++ .../dataflow/HttpHeaderInjectionQuery.qll | 2 ++ .../security/dataflow/LdapInjectionQuery.qll | 14 ++++++++++++++ .../security/dataflow/LogInjectionQuery.qll | 2 ++ .../security/dataflow/NoSqlInjectionQuery.qll | 2 ++ .../dataflow/PamAuthorizationQuery.qll | 2 ++ .../security/dataflow/PathInjectionQuery.qll | 2 ++ .../security/dataflow/PolynomialReDoSQuery.qll | 7 +++++++ .../security/dataflow/ReflectedXssQuery.qll | 2 ++ .../security/dataflow/RegexInjectionQuery.qll | 6 ++++++ .../dataflow/ServerSideRequestForgeryQuery.qll | 13 +++++++++++++ .../security/dataflow/SqlInjectionQuery.qll | 2 ++ .../dataflow/StackTraceExposureQuery.qll | 2 ++ .../python/security/dataflow/TarSlipQuery.qll | 2 ++ .../dataflow/TemplateInjectionQuery.qll | 2 ++ .../dataflow/UnsafeDeserializationQuery.qll | 2 ++ .../UnsafeShellCommandConstructionQuery.qll | 7 +++++++ .../security/dataflow/UrlRedirectQuery.qll | 2 ++ .../dataflow/WeakSensitiveDataHashingQuery.qll | 12 ++++++++++++ .../python/security/dataflow/XmlBombQuery.qll | 2 ++ .../security/dataflow/XpathInjectionQuery.qll | 2 ++ .../python/security/dataflow/XxeQuery.qll | 2 ++ .../CWE-020-ExternalAPIs/ExternalAPIs.qll | 7 +++++++ .../ql/src/Security/CWE-327/FluentApiModel.qll | 6 ++++++ .../Security/CWE-798/HardcodedCredentials.ql | 2 ++ .../Security/CWE-022bis/TarSlipImprov.ql | 2 ++ .../Security/CWE-091/XsltInjectionQuery.qll | 2 ++ .../src/experimental/Security/CWE-094/Js2Py.ql | 2 ++ .../CWE-176/UnicodeBypassValidationQuery.qll | 2 ++ .../PossibleTimingAttackAgainstHash.ql | 6 ++++++ .../TimingAttackAgainstHash.ql | 6 ++++++ .../TimingAttackAgainstHeaderValue.ql | 2 ++ 
...PossibleTimingAttackAgainstSensitiveInfo.ql | 2 ++ .../TimingAttackAgainstSensitiveInfo.ql | 2 ++ .../WebAppConstantSecretKey.ql | 2 ++ ...UnsafeUsageOfClientSideEncryptionVersion.ql | 2 ++ .../Security/CWE-340/TokenBuiltFromUUID.ql | 2 ++ .../Security/CWE-346/CorsBypass.ql | 2 ++ .../ClientSuppliedIpUsedInSecurityCheck.ql | 2 ++ .../Security/CWE-770/UnicodeDoS.ql | 2 ++ .../Security/UnsafeUnpackQuery.qll | 2 ++ .../semmle/python/libraries/SmtpLib.qll | 6 ++++++ .../python/security/DecompressionBomb.qll | 2 ++ .../python/security/InsecureRandomness.qll | 2 ++ .../python/security/LdapInsecureAuth.qll | 2 ++ .../python/security/RemoteCommandExecution.qll | 2 ++ .../semmle/python/security/TimingAttack.qll | 18 ++++++++++++++++++ .../semmle/python/security/ZipSlip.qll | 2 ++ .../python/security/dataflow/EmailXss.qll | 2 ++ .../python/security/injection/CsvInjection.qll | 2 ++ .../ModificationOfParameterWithDefault.qll | 6 +++++- 55 files changed, 197 insertions(+), 1 deletion(-) diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll index 03b1db49d170..def13197d4aa 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll @@ -21,6 +21,8 @@ private module CleartextLoggingConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll index 7ee85230c84f..190a8536887d 100644 
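Review bot: The `any()` body added to `observeDiffInformedIncrementalMode` in CleartextLoggingConfig states nothing about the condition it relies on, while the `none()` cases in this same patch carry auto-generated notes explaining why they stay off; those notes imply that a query whose select columns are derived from something other than the raw `source`/`sink` nodes (e.g. `sink.getHighlight`, `sink.getRequest`) is not safe to diff-inform. A later edit to the corresponding `.ql` select clause could therefore silently invalidate this `any()` without anything in the library file flagging it. Suggest a one-line comment above the predicate, such as `// Safe to diff-inform: the query's select clause reports only the source and sink nodes.`, so the invariant is visible where it is asserted. The same applies to every other `any()` hunk in this patch (CleartextStorage, CodeInjection, CommandInjection, CookieInjection, HttpHeaderInjection, LogInjection, NoSqlInjection, PamAuthorization, PathInjection, ReflectedXss, SqlInjection, StackTraceExposure, TarSlip, TemplateInjection, UnsafeDeserialization, UrlRedirect, XmlBomb, XpathInjection, Xxe, HardcodedCredentials and the experimental queries); the enclosing module header lies outside each hunk.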
--- a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll @@ -21,6 +21,8 @@ private module CleartextStorageConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll index 486d06a6b21b..188bf56f30a2 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll @@ -17,6 +17,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "code injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll index 18bcbe8cdd5e..cc2358c9a697 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll @@ -20,6 +20,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "command injection" vulnerabilities. */ 
diff --git a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll index 2b089fb27793..e017ec959f41 100644 --- a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll @@ -20,6 +20,8 @@ module CookieInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "cookie injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll index 1583ee704918..82266f531622 100644 --- a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll @@ -16,6 +16,8 @@ private module HeaderInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll index 527c1cbfe432..a610f229844e 100644 --- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll 
@@ -19,6 +19,13 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof DnSink } predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-090/LdapInjection.ql:26: Column 1 does not select a source or sink originating from the flow call on line 21 + // ql/src/Security/CWE-090/LdapInjection.ql:27: Column 5 does not select a source or sink originating from the flow call on line 21 + none() + } } /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */ @@ -30,6 +37,13 @@ private module LdapInjectionFilterConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink } predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-090/LdapInjection.ql:26: Column 1 does not select a source or sink originating from the flow call on line 24 + // ql/src/Security/CWE-090/LdapInjection.ql:27: Column 5 does not select a source or sink originating from the flow call on line 24 + none() + } } /** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll index 7204accbdcf2..fa392cd2d58b 100644 --- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll 
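Review bot: The TODO comments inside the two `none()` bodies for LdapInjectionDnConfig and LdapInjectionFilterConfig pin exact line numbers (`LdapInjection.ql:26`, `:27`, "flow call on line 21"/"line 24") that will drift as soon as either file is edited, and the text is repeated almost verbatim between the two predicates. Since these look tool-generated, consider keeping the generated detail in the PR discussion and leaving a stable, human-readable reason in the source, e.g. `// Disabled: LdapInjection.ql reports columns that are not the raw source/sink nodes; re-verify before enabling.` The same pattern recurs in the `none()` hunks for PolynomialReDoS, RegexInjection, ServerSideRequestForgery, UnsafeShellCommandConstruction, WeakSensitiveDataHashing, ExternalAPIs, FluentApiModel and the two TimingAttackAgainstHash queries. The module headers for both configs lie outside the hunks.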
@@ -17,6 +17,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "log injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/NoSqlInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/NoSqlInjectionQuery.qll index 5b0daacb737b..a1b5eeb6a93a 100644 --- a/python/ql/lib/semmle/python/security/dataflow/NoSqlInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/NoSqlInjectionQuery.qll @@ -56,6 +56,8 @@ module NoSqlInjectionConfig implements DataFlow::StateConfigSig { predicate isBarrier(DataFlow::Node node) { node = any(NoSqlSanitizer noSqlSanitizer).getAnInput() } + + predicate observeDiffInformedIncrementalMode() { any() } } module NoSqlInjectionFlow = TaintTracking::GlobalWithState; diff --git a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll index eb83d0bf84f0..8221083b1843 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll @@ -31,6 +31,8 @@ private module PamAuthorizationConfig implements DataFlow::ConfigSig { // Flow from handle to the authenticate call in the final step exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll index b3081fd9996a..f8bca406ece5 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll 
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll @@ -71,6 +71,8 @@ module PathInjectionConfig implements DataFlow::StateConfigSig { stateFrom instanceof NotNormalized and stateTo instanceof NormalizedUnchecked } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "path injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll index 4e082aac26e4..a7e9a4ba6a6b 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll @@ -17,6 +17,13 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-730/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight + // ql/src/Security/CWE-730/PolynomialReDoS.ql:33: Column 5 does not select a source or sink originating from the flow call on line 24 + none() + } } /** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll index 5f5b2dd58df5..223f0643183b 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll 
@@ -17,6 +17,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll index ae21270a63ea..1d55f592d3f6 100644 --- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll @@ -18,6 +18,12 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-730/RegexInjection.ql:29: Column 7 selects sink.getRegexExecution + none() + } } /** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll index 4cae5a301b1f..28173eb1328b 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll 
@@ -29,6 +29,13 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig or node instanceof FullUrlControlSanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:47: Flow call outside 'select' clause + // ql/src/Security/CWE-918/FullServerSideRequestForgery.ql:24: Column 1 selects sink.getRequest + none() + } } /** @@ -58,6 +65,12 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql:24: Column 1 selects sink.getRequest + none() + } } /** diff --git a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll index a63590643f3a..cc33baf2dd94 100644 --- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll @@ -17,6 +17,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "SQL injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll index 57ef6d7ebb2a..8249c68a8075 100644 --- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll 
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll @@ -26,6 +26,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig { nodeTo = attr ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll b/python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll index 162bfcd74ccb..c00c60177752 100644 --- a/python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll @@ -17,6 +17,8 @@ private module TarSlipConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "tar slip" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll index 22c228f48d59..8764a3203a69 100644 --- a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll @@ -17,6 +17,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { node instanceof Sink } predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "template injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll index dd6925b79983..6edf60dcd36d 100644 
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll @@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll index 51341cfe6cdc..89de8e6961fe 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll @@ -28,6 +28,13 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig { // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:27: Column 1 selects sink.getStringConstruction + // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:29: Column 7 selects sink.getCommandExecution + none() + } } /** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll index a9526f33ad34..36167cfc1034 100644 --- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll 
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll @@ -32,6 +32,8 @@ private module UrlRedirectConfig implements DataFlow::StateConfigSig { ) { any(UrlRedirect::AdditionalFlowStep a).step(nodeFrom, stateFrom, nodeTo, stateTo) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "URL redirection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll index 04d8846d7d01..9efa8320f97b 100644 --- a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll @@ -33,6 +33,12 @@ module NormalHashFunction { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { sensitiveDataExtraStepForCalls(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll:88: Flow call outside 'select' clause + none() + } } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */ @@ -63,6 +69,12 @@ module ComputationallyExpensiveHashFunction { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { sensitiveDataExtraStepForCalls(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll:95: Flow call outside 'select' clause + none() + } } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */ 
diff --git a/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll b/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll index e69e8ad63c68..2c445e0aeed6 100644 --- a/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll @@ -17,6 +17,8 @@ private module XmlBombConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "XML bomb" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll index 2a15669f6ff0..3a1f35f33679 100644 --- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll @@ -17,6 +17,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */ diff --git a/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll b/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll index da7c34a5bac3..0347d159b6ec 100644 --- a/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll 
@@ -17,6 +17,8 @@ private module XxeConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */ diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll index d2b47c9a6a76..03f84b7903da 100644 --- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll +++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll @@ -171,6 +171,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:181: Flow call outside 'select' clause + // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:184: Flow call outside 'select' clause + none() + } } /** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */ diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll index ce62a1a590cf..d2118493e0fe 100644 --- a/python/ql/src/Security/CWE-327/FluentApiModel.qll +++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll 
@@ -110,6 +110,12 @@ module InsecureContextConfiguration implements DataFlow::StateConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE-327/FluentApiModel.qll:130: Flow call outside 'select' clause + none() + } } private module InsecureContextFlow = DataFlow::GlobalWithState; diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql index 6e48ada26a42..c8aecd7204ba 100644 --- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql +++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql @@ -119,6 +119,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource } predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module HardcodedCredentialsFlow = TaintTracking::Global; diff --git a/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql b/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql index 431fe293cecd..1727da1bcf55 100755 --- a/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql +++ b/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql @@ -109,6 +109,8 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig { nodeFrom = nodeTo.(API::CallNode).getArg(0) and nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */ diff --git a/python/ql/src/experimental/Security/CWE-091/XsltInjectionQuery.qll b/python/ql/src/experimental/Security/CWE-091/XsltInjectionQuery.qll index 4ecae424ed1c..1430691bff8d 100644 --- a/python/ql/src/experimental/Security/CWE-091/XsltInjectionQuery.qll 
+++ b/python/ql/src/experimental/Security/CWE-091/XsltInjectionQuery.qll @@ -19,6 +19,8 @@ module XsltInjectionConfig implements DataFlow::ConfigSig { // opted for the more simple approach. nodeTo = elementTreeConstruction(nodeFrom) } + + predicate observeDiffInformedIncrementalMode() { any() } } module XsltInjectionFlow = TaintTracking::Global; diff --git a/python/ql/src/experimental/Security/CWE-094/Js2Py.ql b/python/ql/src/experimental/Security/CWE-094/Js2Py.ql index f5d6e3a6c10e..2bb3fea1b329 100644 --- a/python/ql/src/experimental/Security/CWE-094/Js2Py.ql +++ b/python/ql/src/experimental/Security/CWE-094/Js2Py.ql @@ -24,6 +24,8 @@ module Js2PyFlowConfig implements DataFlow::ConfigSig { API::moduleImport("js2py").getMember(["eval_js", "eval_js6", "EvalJs"]).getACall().getArg(_) = node } + + predicate observeDiffInformedIncrementalMode() { any() } } module Js2PyFlow = TaintTracking::Global; diff --git a/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll b/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll index f2c3b01ac30f..c0337117cf01 100644 --- a/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll +++ b/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll @@ -75,6 +75,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig ) and state instanceof PostValidation } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */ diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql index 82ba11c1d4ba..440dd540dbd8 100644 --- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql 
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql @@ -26,6 +26,12 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall } predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql:41: Column 5 selects source.getResultType + none() + } } module PossibleTimingAttackAgainstHashFlow = diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql index e08f1dbb5177..a53381198809 100644 --- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql +++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql @@ -25,6 +25,12 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall } predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql:39: Column 5 selects source.getResultType + none() + } } module TimingAttackAgainstHashFlow = TaintTracking::Global; 
diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql index a1da41530a8f..c59885c23bb7 100644 --- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql +++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql @@ -23,6 +23,8 @@ private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigS predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret } predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module TimingAttackAgainstHeaderValueFlow = diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql index cdf350dd7cd2..af54b3c28794 100644 --- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql +++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql @@ -23,6 +23,8 @@ private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlo predicate isSource(DataFlow::Node source) { source instanceof SecretSource } predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module PossibleTimingAttackAgainstSensitiveInfoFlow = 
diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
index 8ec4fac97e32..c1afcb22e6b2 100644
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -24,6 +24,8 @@ private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::Confi
 predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
 predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module TimingAttackAgainstSensitiveInfoFlow =
diff --git a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
index 7bb35012b389..f63f590ba376 100644
--- a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
+++ b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
@@ -52,6 +52,8 @@ private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig
 or
 state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState;
diff --git a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
index c548eac68364..a0fadbff3f3b 100644
--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -145,6 +145,8 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
 node = call.getObject()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module AzureBlobClientFlow = DataFlow::GlobalWithState;
diff --git a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
index b91f2dd6237b..ab5a4243a746 100644
--- a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -51,6 +51,8 @@ private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
 nodeTo = call
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
diff --git a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
index 4b79b97ff4a6..01e661cb0bbf 100644
--- a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
+++ b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
@@ -79,6 +79,8 @@ module CorsBypassConfig implements DataFlow::ConfigSig {
 c.getReturn().asSource() = node2 and n.asSource() = node1
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module CorsFlow = TaintTracking::Global;
diff --git a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
index 219192ce45db..463bf59c436c 100644
--- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -45,6 +45,8 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
 ss = node.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
diff --git a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
index 47edf3ed0f92..61cdd34920de 100644
--- a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
+++ b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
@@ -108,6 +108,8 @@ private module UnicodeDoSConfig implements DataFlow::ConfigSig {
 .getACall()
 .getArg(_)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module UnicodeDoSFlow = TaintTracking::Global;
diff --git a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
index 338a5555c572..64da6b8d799a 100644
--- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -208,6 +208,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
 nodeFrom = mcn.getArg(0)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
index f174220727e2..6712c9279f2e 100644
--- a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
+++ b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
@@ -38,6 +38,12 @@ module SmtpLib {
 predicate isSink(DataFlow::Node sink) {
 sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/semmle/python/libraries/SmtpLib.qll:91: Flow call outside 'select' clause
+ none()
+ }
 }
 module SmtpMessageFlow = TaintTracking::Global;
diff --git a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
index 552f901b7e0c..a2e50d0ade5d 100644
--- a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
+++ b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
@@ -408,6 +408,8 @@ module BombsConfig implements DataFlow::ConfigSig {
 isAdditionalTaintStepTextIOWrapper(pred, succ)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module BombsFlow = TaintTracking::Global;
diff --git a/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll b/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
index 5a32a887bd5b..8bc09a7036ed 100644
--- a/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
+++ b/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
@@ -27,6 +27,8 @@ module InsecureRandomness {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "random values that are not cryptographically secure" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
index a63332137d19..630543e6f798 100644
--- a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
+++ b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
@@ -101,6 +101,8 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll b/python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll
index f4eed84c0c1c..6f4ea88a7472 100644
--- a/python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll
+++ b/python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll
@@ -10,6 +10,8 @@ module RemoteCommandExecutionConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 predicate isSink(DataFlow::Node sink) { sink = any(RemoteCommandExecution rce).getCommand() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "secondary server command injection" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
index 6d8cc98f21ce..e20e78853529 100644
--- a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
+++ b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
@@ -271,6 +271,12 @@ module UserInputSecretConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/semmle/python/security/TimingAttack.qll:176: Flow call outside 'select' clause
+ none()
+ }
 }
 module UserInputSecretFlow = TaintTracking::Global;
@@ -288,6 +294,12 @@ module UserInputInComparisonConfig implements DataFlow::ConfigSig {
 sink.asExpr() = [left, right]
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/semmle/python/security/TimingAttack.qll:165: Flow call outside 'select' clause
+ none()
+ }
 }
 module UserInputInComparisonFlow = TaintTracking::Global;
@@ -304,6 +316,12 @@ private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
 sink.asExpr() = call.getArg(0)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/semmle/python/security/TimingAttack.qll:347: Flow call outside 'select' clause
+ none()
+ }
 }
 module ExcludeLenFuncFlow = TaintTracking::Global;
diff --git a/python/ql/src/experimental/semmle/python/security/ZipSlip.qll b/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
index 5f8b4d940ef8..a6125015db01 100644
--- a/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
+++ b/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
@@ -34,6 +34,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
 ) and
 not sink.getScope().getLocation().getFile().inStdlib()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "zip slip" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll b/python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll
index c08a0e6b258b..8f392a43a8a3 100644
--- a/python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll
@@ -34,6 +34,8 @@ private module EmailXssConfig implements DataFlow::ConfigSig {
 nodeFrom = htmlContentCall.getArg(0)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "Email XSS" vulnerabilities. */
diff --git a/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
index d08e9b090a6f..859f6d1e5e80 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
@@ -17,6 +17,8 @@ private module CsvInjectionConfig implements DataFlow::ConfigSig {
 node = DataFlow::BarrierGuard::getABarrierNode() or node instanceof ConstCompareBarrier
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
diff --git a/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll b/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
index 290087f6a71c..86b069f2820d 100644
--- a/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
+++ b/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
@@ -45,11 +45,15 @@ module ModificationOfParameterWithDefault {
 copyTarget(node) and state in [true, false]
 }
- private predicate copyTarget(DataFlow::Node node) {
+ private predicate observeDiffInformedIncrementalMode() { any() }
+
+ predicate copyTarget(DataFlow::Node node) {
 node = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall()
 or
 node.(DataFlow::MethodCallNode).calls(_, "copy")
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global data-flow for detecting modifications of a parameters default value. */
From 9dfd1cc608922cad9aef0eb4541af3498eeed5d6 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 23 Jan 2025 13:49:03 +0100
Subject: [PATCH 2/7] Python: Fixup broken patch
---
 .../python/functions/ModificationOfParameterWithDefault.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll b/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
index 86b069f2820d..d0d2580e7676 100644
--- a/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
+++ b/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
@@ -45,9 +45,7 @@ module ModificationOfParameterWithDefault {
 copyTarget(node) and state in [true, false]
 }
- private predicate observeDiffInformedIncrementalMode() { any() }
-
- predicate copyTarget(DataFlow::Node node) {
+ private predicate copyTarget(DataFlow::Node node) {
 node = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall()
 or
 node.(DataFlow::MethodCallNode).calls(_, "copy")
From 15c2ccb880544ca51057d67acf8e6ec021a4f3d8 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 23 Jan 2025 13:50:02 +0100
Subject: [PATCH 3/7] Python: ignore experimental for now
---
 .../PossibleTimingAttackAgainstHash.ql | 6 ------
 .../TimingAttackAgainstHash.ql | 6 ------
 .../semmle/python/security/TimingAttack.qll | 18 ------------------
 3 files changed, 30 deletions(-)
diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
index 440dd540dbd8..82ba11c1d4ba 100644
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
@@ -26,12 +26,6 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config
 predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
-
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql:41: Column 5 selects source.getResultType
- none()
- }
 }
 module PossibleTimingAttackAgainstHashFlow =
diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
index a53381198809..e08f1dbb5177 100644
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
@@ -25,12 +25,6 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
-
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql:39: Column 5 selects source.getResultType
- none()
- }
 }
 module TimingAttackAgainstHashFlow = TaintTracking::Global;
diff --git a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
index e20e78853529..6d8cc98f21ce 100644
--- a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
+++ b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
@@ -271,12 +271,6 @@ module UserInputSecretConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
-
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/experimental/semmle/python/security/TimingAttack.qll:176: Flow call outside 'select' clause
- none()
- }
 }
 module UserInputSecretFlow = TaintTracking::Global;
@@ -294,12 +288,6 @@ module UserInputInComparisonConfig implements DataFlow::ConfigSig {
 sink.asExpr() = [left, right]
 )
 }
-
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/experimental/semmle/python/security/TimingAttack.qll:165: Flow call outside 'select' clause
- none()
- }
 }
 module UserInputInComparisonFlow = TaintTracking::Global;
@@ -316,12 +304,6 @@ private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
 sink.asExpr() = call.getArg(0)
 )
 }
-
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/experimental/semmle/python/security/TimingAttack.qll:347: Flow call outside 'select' clause
- none()
- }
 }
 module ExcludeLenFuncFlow = TaintTracking::Global;
From 975ce064fc30b83667e96ef9bc023479e05ebe23 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 23 Jan 2025 14:01:46 +0100
Subject: [PATCH 4/7] Python: implement for polynomial redos
---
 .../dataflow/PolynomialReDoSCustomizations.qll | 5 +++++
 .../python/security/dataflow/PolynomialReDoSQuery.qll | 11 ++++++-----
 python/ql/src/Security/CWE-730/PolynomialReDoS.ql | 2 +-
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
index 4cc464ca4caa..1e9148517bf2 100644
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll
@@ -35,6 +35,11 @@ module PolynomialReDoS {
 /** Gets the regex that is being executed by this node. */
 abstract RegExpTerm getRegExp();
+ /** Gets a term within the regexp that may perform polynomial back-tracking. */
+ final PolynomialBackTrackingTerm getABacktrackingTerm() {
+ result.getRootTerm() = this.getRegExp()
+ }
+
 /**
 * Gets the node to highlight in the alert message.
 */
diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
index a7e9a4ba6a6b..89aa4961e6ef 100644
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -18,11 +18,12 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-730/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
- // ql/src/Security/CWE-730/PolynomialReDoS.ql:33: Column 5 does not select a source or sink originating from the flow call on line 24
- none()
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.(Sink).getHighlight().getLocation()
+ or
+ result = sink.(Sink).getABacktrackingTerm().getLocation()
 }
 }
diff --git a/python/ql/src/Security/CWE-730/PolynomialReDoS.ql b/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
index b3b4a8cac92a..f6dbe62c3a55 100644
--- a/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
+++ b/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
@@ -23,7 +23,7 @@ from
 where
 PolynomialReDoSFlow::flowPath(source, sink) and
 sinkNode = sink.getNode() and
- regexp.getRootTerm() = sinkNode.getRegExp()
+ regexp = sinkNode.getABacktrackingTerm()
 // not (
 // source.getNode().(Source).getKind() = "url" and
 // regexp.isAtEndLine()
From d3ee6583992e486bd4d7334ab8b5d50a876b9cfe Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 20 Dec 2024 11:02:40 +0100
Subject: [PATCH 5/7] Python: resolve remaining TODOs
---
 .../security/dataflow/LdapInjectionQuery.qll | 14 ++-----------
 .../security/dataflow/RegexInjectionQuery.qll | 10 +++++----
 .../ServerSideRequestForgeryQuery.qll | 21 +++++++++++--------
 .../UnsafeShellCommandConstructionQuery.qll | 13 +++++++-----
 .../WeakSensitiveDataHashingQuery.qll | 12 ++--------
 .../CWE-020-ExternalAPIs/ExternalAPIs.qll | 5 +----
 .../src/Security/CWE-327/FluentApiModel.qll | 4 +---
 .../semmle/python/libraries/SmtpLib.qll | 4 +---
 8 files changed, 33 insertions(+), 50 deletions(-)
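Review bot: `getASelectedSinkLocation` in PolynomialReDoSConfig deliberately leaves out `sink.(Sink).getLocation()`, which is only correct because PolynomialReDoS.ql selects `sink.getHighlight` and the back-tracking term rather than the sink node itself (the generated comment being removed says exactly that), yet nothing in the new predicate records it. A one-line comment would keep a later edit of the select clause from silently making diff-informed mode drop alerts: `// Note: the query selects the highlight and the back-tracking term, not the sink node itself`. The companion change in PolynomialReDoS.ql (`regexp = sinkNode.getABacktrackingTerm()`) is consistent with the two locations listed here, provided the query's `regexp` variable is declared as a PolynomialBackTrackingTerm, which is outside the hunk.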
diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
index a610f229844e..7d0f5da6a5a5 100644
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -20,12 +20,7 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-090/LdapInjection.ql:26: Column 1 does not select a source or sink originating from the flow call on line 21
- // ql/src/Security/CWE-090/LdapInjection.ql:27: Column 5 does not select a source or sink originating from the flow call on line 21
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
@@ -38,12 +33,7 @@ private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-090/LdapInjection.ql:26: Column 1 does not select a source or sink originating from the flow call on line 24
- // ql/src/Security/CWE-090/LdapInjection.ql:27: Column 5 does not select a source or sink originating from the flow call on line 24
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
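Review bot: Both LdapInjection hunks flip `observeDiffInformedIncrementalMode()` from `none()` to `any()` while deleting the generated reasons (columns 1 and 5 of LdapInjection.ql do not select a source or sink originating from this flow call) without recording why that concern no longer blocks diff-informed mode; the `none()` cases elsewhere in this patch each carry a one-line reason, so the `any()` cases deserve the same. Since the select columns the tool flagged lie outside these hunks, I can only infer that the query combines the DN and filter flows before selecting, which the tool could not follow; a comment stating what was actually verified, e.g. `// The query's selected source and sink nodes come from this flow, so diff-informed mode is safe`, would let the next reader skip re-auditing it. The same silent flip, with the removed reason "Flow call outside 'select' clause" at lines 88 and 95 of that file, appears in the two WeakSensitiveDataHashingQuery.qll hunks, where the risk is that a flow result consumed outside the select clause is pruned in incremental mode.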
diff --git a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
index 1d55f592d3f6..b7e234fd6cb4 100644
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
@@ -19,10 +19,12 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-730/RegexInjection.ql:29: Column 7 selects sink.getRegexExecution
- none()
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.(Sink).getLocation()
+ or
+ result = sink.(Sink).getRegexExecution().getLocation()
 }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
index 28173eb1328b..a9d6c6a99b02 100644
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -30,11 +30,12 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig
 node instanceof FullUrlControlSanitizer
 }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:47: Flow call outside 'select' clause
- // ql/src/Security/CWE-918/FullServerSideRequestForgery.ql:24: Column 1 selects sink.getRequest
- none()
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.(Sink).getLocation()
+ or
+ result = sink.(Sink).getRequest().getLocation()
 }
 }
@@ -66,10 +67,12 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql:24: Column 1 selects sink.getRequest
- none()
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.(Sink).getLocation()
+ or
+ result = sink.(Sink).getRequest().getLocation()
 }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
index 89de8e6961fe..7ac03b3aa8e3 100644
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -29,11 +29,14 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
 // override to require the path doesn't have unmatched return steps
 DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:27: Column 1 selects sink.getStringConstruction
- // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:29: Column 7 selects sink.getCommandExecution
- none()
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.(Sink).getLocation()
+ or
+ result = sink.(Sink).getStringConstruction().getLocation()
+ or
+ result = sink.(Sink).getCommandExecution().getLocation()
 }
 }
diff --git a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
index 9efa8320f97b..a219eac00b20 100644
--- a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
@@ -34,11 +34,7 @@ module NormalHashFunction {
 sensitiveDataExtraStepForCalls(node1, node2)
 }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll:88: Flow call outside 'select' clause
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -70,11 +66,7 @@ module ComputationallyExpensiveHashFunction {
 sensitiveDataExtraStepForCalls(node1, node2)
 }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll:95: Flow call outside 'select' clause
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
index 03f84b7903da..34649c0fb860 100644
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -173,10 +173,7 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:181: Flow call outside 'select' clause
- // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:184: Flow call outside 'select' clause
- none()
+ none() // Not used for PR analysis
 }
 }
diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index d2118493e0fe..8dd90a588217 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -112,9 +112,7 @@ module InsecureContextConfiguration implements DataFlow::StateConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/Security/CWE-327/FluentApiModel.qll:130: Flow call outside 'select' clause
- none()
+ none() // Too complicated, but might be possible after some refactoring.
 }
 }
diff --git a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
index 6712c9279f2e..de93bac0934a 100644
--- a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
+++ b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
@@ -40,9 +40,7 @@ module SmtpLib {
 }
 predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // ql/src/experimental/semmle/python/libraries/SmtpLib.qll:91: Flow call outside 'select' clause
- none()
+ none() // Used in library model
 }
 }
From 7d6abb4e0a87ff25bb9265dc9e18bf7319f1af48 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 6 Feb 2025 11:30:18 +0100
Subject: [PATCH 6/7] JS: Disable diff-informedness for full SSRF
Partial SSRF uses its result in a way that prevents diff-informedness
---
 .../dataflow/ServerSideRequestForgeryQuery.qll | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
index a9d6c6a99b02..e60afa470eca 100644
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -30,12 +30,10 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig
 node instanceof FullUrlControlSanitizer
 }
- predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSinkLocation(DataFlow::Node sink) {
- result = sink.(Sink).getLocation()
- or
- result = sink.(Sink).getRequest().getLocation()
+ predicate observeDiffInformedIncrementalMode() {
+ // The partial request forgery query depends on `fullyControlledRequest` to reject alerts about
+ // such full-controlled requests, regardless of the associated source.
+ none()
 }
 }
From d3b9d1d89d8ed2f05bae32d0c47c17fc2a6bac22 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 6 Feb 2025 11:30:32 +0100
Subject: [PATCH 7/7] JS: Partial SSRF does not select the sink location
---
 .../python/security/dataflow/ServerSideRequestForgeryQuery.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
index e60afa470eca..b466d34b2276 100644
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -68,8 +68,7 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
- result = sink.(Sink).getLocation()
- or
+ // Note: this query does not select the sink itself
 result = sink.(Sink).getRequest().getLocation()
 }
 }
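Review bot: The subjects of patches 6 and 7 carry a `JS:` prefix although both hunks patch `python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll`, and every other patch in the series uses `Python:`; the prefix looks copied from a sibling JavaScript change and will mislead anyone reading the history, so it should be corrected before merge. In the patch-6 hunk the comment justifying `none()` names `fullyControlledRequest`, which lives outside the hunk; naming the consumer as well, e.g. `// PartialServerSideRequestForgeryConfig uses this flow's result via fullyControlledRequest, outside any select clause`, makes the dependency findable when someone next tries to re-enable diff-informed mode here. The enclosing modules begin outside both hunks.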