From e963c698fcbf73e76a34287f5c5eb72d527ef524 Mon Sep 17 00:00:00 2001 
From: Asger F
Date: Thu, 23 Jan 2025 10:26:46 +0100
Subject: [PATCH] C#: mass enable diff-informed data flow
---
.../lib/semmle/code/csharp/frameworks/Sql.qll | 6 ++
.../code/csharp/frameworks/system/Xml.qll | 6 ++
.../EncryptionKeyDataFlowQuery.qll | 2 +
.../HardcodedSymmetricEncryptionKey.qll | 2 +
.../dataflow/CleartextStorageQuery.qll | 2 +
.../security/dataflow/CodeInjectionQuery.qll | 2 +
.../dataflow/CommandInjectionQuery.qll | 2 +
.../dataflow/ConditionalBypassQuery.qll | 6 ++
.../ExposureOfPrivateInformationQuery.qll | 2 +
.../security/dataflow/ExternalAPIsQuery.qll | 7 ++
.../security/dataflow/LDAPInjectionQuery.qll | 2 +
.../security/dataflow/LogForgingQuery.qll | 2 +
.../dataflow/MissingXMLValidationQuery.qll | 2 +
.../csharp/security/dataflow/ReDoSQuery.qll | 8 ++
.../security/dataflow/RegexInjectionQuery.qll | 2 +
.../dataflow/ResourceInjectionQuery.qll | 2 +
.../security/dataflow/SqlInjectionQuery.qll | 2 +
.../security/dataflow/TaintedPathQuery.qll | 2 +
.../dataflow/UnsafeDeserializationQuery.qll | 78 +++++++++++++++++++
.../security/dataflow/UrlRedirectQuery.qll | 2 +
.../security/dataflow/XPathInjectionQuery.qll | 2 +
.../csharp/security/dataflow/XSSQuery.qll | 6 ++
.../csharp/security/dataflow/ZipSlipQuery.qll | 2 +
.../flowsinks/ExternalLocationSink.qll | 6 ++
.../csharp/security/xml/InsecureXMLQuery.qll | 7 ++
csharp/ql/src/API Abuse/FormatInvalid.ql | 8 ++
.../NoDisposeCallOnLocalIDisposable.ql | 6 ++
.../LeapYear/UnsafeYearConstruction.ql | 2 +
.../ThreadUnsafeICryptoTransformLambda.ql | 7 ++
.../Security Features/CWE-091/XMLInjection.ql | 2 +
.../CWE-114/AssemblyPathInjection.ql | 2 +
.../CWE-134/UncontrolledFormatString.ql | 2 +
.../CWE-201/ExposureInTransmittedData.ql | 2 +
.../CWE-209/ExceptionInformationExposure.ql | 2 +
.../CWE-327/DontInstallRootCert.ql | 2 +
.../CWE-327/InsecureSQLConnection.ql | 2 +
.../CWE-798/HardcodedConnectionString.ql | 6 ++
.../CWE-838/InappropriateEncoding.ql | 13 ++++
.../Security Features/InsecureRandomness.ql | 2 +
.../CWE-099/TaintedWebClientLib.qll | 6 ++
.../experimental/CWE-918/RequestForgery.qll | 6 ++
.../CWE-759/HashWithoutSalt.ql | 6 ++
.../JsonWebTokenHandlerLib.qll | 6 ++
.../UnsafeTypeUsedDataContractSerializer.ql | 6 ++
.../backdoor/PotentialTimeBomb.ql | 18 +++++
.../backdoor/ProcessNameToHashTaintFlow.ql | 6 ++
.../dataflow/flowsources/AuthCookie.qll | 24 ++++++
47 files changed, 298 insertions(+)
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
index 75f72352deb6..ee51f99b1f57 100644
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
@@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con
 node.asExpr() = mc.getArgumentForName("command")
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause
+ none()
+ }
 }
 private module DapperCommandDefinitionMethodCallSql =
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
index c0edf9e110e1..06a36d7b429a 100644
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
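Review bot: The TODO in `observeDiffInformedIncrementalMode()` reads as an open invitation to switch to `any()`, but the reason it records, "Flow call outside 'select' clause", suggests the flow result is consumed by another predicate, where restricting flow to the diff range would silently drop results rather than only trim alerts. I would say so in the comment and drop the `Sql.qll:54` position, which goes stale on the next edit, e.g. `// Not diff-informed: this flow is used outside a 'select' clause, so it must see the whole database; keep none() unless that call site is reworked.` The same applies to the other `none()` hunks carrying this reason (Xml.qll, ExternalAPIsQuery.qll, `ExponentialRegexDataFlowConfig` in ReDoSQuery.qll, the six constructor-tracking configs in UnsafeDeserializationQuery.qll, XSSQuery.qll, ExternalLocationSink.qll, InsecureXMLQuery.qll, FormatInvalid.ql, NoDisposeCallOnLocalIDisposable.ql, InappropriateEncoding.ql). The config module starts outside the hunk.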
@@ -167,6 +167,12 @@ private module SettingsDataFlowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source.asExpr() instanceof XmlReaderSettingsCreation }
 predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof XmlReaderSettingsInstance }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/frameworks/system/Xml.qll:190: Flow call outside 'select' clause
+ none()
+ }
 }
 private module SettingsDataFlow = DataFlow::Global;
diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
index 82bd0d30cab5..61c036f031b1 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
@@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig {
 /** Holds if the node is a key sanitizer. */
 predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
index 2e387cc2da67..37690c169c0b 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
@@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey {
 succ.asExpr() = mc
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
index cbb10146a6a1..3e4642411f0c 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
@@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
index 8ec9122864fb..20d5bbe10cab 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
@@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
index 84352389c419..9528676af8e6 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
@@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 * `node` from the data flow graph.
 */
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
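Review bot: `CommandInjectionConfig` is declared without `private`, so `predicate observeDiffInformedIncrementalMode() { any() }` also applies to any other query or library that instantiates this config; in incremental runs such a consumer would, as far as I understand the mode, only get flow with a source or sink in the diff range, which shows up as missing results rather than an error. `LdapInjectionConfig`, `SqlInjectionConfig` and `XpathInjectionConfig` are public as well and get the same line. Unless every consumer is known to use the flow only in its `select`, I would keep the public configs at `none()` or state the restriction in a doc comment on the predicate, e.g. `/** Diff-informed: only use this config's flow in a query's 'select' clause. */`. The diffstat in this patch lists no test files, so nothing here checks the enabled configs against an incremental run. The module body starts outside the hunk.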
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
index f92bb0d2f44a..48abeaa94bde 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
@@ -39,6 +39,12 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-807/ConditionalBypass.ql:23: Column 5 selects sink.getSensitiveMethodCall
+ none()
+ }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
index 0726acb05ed9..85782fe49369 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
@@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
index f1a64f6810b8..17311943764d 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
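Review bot: The TODO on `ConditionalBypassConfig` already names the blocker (column 5 of the query selects `sink.getSensitiveMethodCall`), so the comment can state the required follow-up instead of "manually verify": the config needs to report that extra location before it may hold. If it is enabled later it should come with an override along the lines of `Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() or result = sink.(Sink).getSensitiveMethodCall().getLocation() }` (assuming `Sink` exposes that member, as the comment implies); switching to `any()` without it could hide alerts whose sensitive call is in the diff while the sink is not. The "Column N does not select a source or sink" hunks in UnsafeDeserializationQuery.qll, ThreadUnsafeICryptoTransformLambda.ql and HardcodedConnectionString.ql need the same kind of location override before leaving `none()`. The config module starts outside the hunk.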
@@ -78,6 +78,13 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:88: Flow call outside 'select' clause
+ // ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:91: Flow call outside 'select' clause
+ none()
+ }
 }
 /** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
index e2e96034c41e..c2e25f0e522d 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
@@ -45,6 +45,8 @@ module LdapInjectionConfig implements DataFlow::ConfigSig {
 * `node` from the data flow graph.
 */
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
index 422b5dc717a5..e06e728514de 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
@@ -35,6 +35,8 @@ private module LogForgingConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll
index 3401dab7ea24..3fcdc2b88ca7 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll
@@ -39,6 +39,8 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { exists(sink.(Sink).getReason()) }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
index 94dbf1d4cdcc..dbd80a6a7a12 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
@@ -33,6 +33,8 @@ private module ReDoSConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
@@ -77,6 +79,12 @@ private module ExponentialRegexDataFlowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node s) { isExponentialRegex(s.asExpr()) }
 predicate isSink(DataFlow::Node s) { s.asExpr() = any(RegexOperation c).getPattern() }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll:92: Flow call outside 'select' clause
+ none()
+ }
 }
 module ExponentialRegexDataFlow = DataFlow::Global;
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll
index 620c07a9ea21..5cd232588296 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll
@@ -33,6 +33,8 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
index 40814729e559..e1542986411f 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
@@ -32,6 +32,8 @@ private module ResourceInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
index cc7b61c31f21..510b03811432 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
@@ -43,6 +43,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
 * `node` from the data flow graph.
 */
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll
index bdc7245aeb2d..2f20eb6e3421 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll
@@ -35,6 +35,8 @@ private module TaintedPathConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
index 5d9d18dcbac6..1fa384139d1c 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -59,6 +59,13 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
 predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 33
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 33
+ none()
+ }
 }
 /**
@@ -77,6 +84,13 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
 }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 55
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 55
+ none()
+ }
 }
 /**
@@ -133,6 +147,13 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 56
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 56
+ none()
+ }
 }
 /**
@@ -149,6 +170,13 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
 predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 50
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 50
+ none()
+ }
 }
 /**
@@ -186,6 +214,13 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
 oc.getObjectType() instanceof StrongTypeDeserializer
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 43
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 43
+ none()
+ }
 }
 /**
@@ -210,6 +245,13 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
 sink.asExpr() = mc.getQualifier()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 37
+ // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 37
+ none()
+ }
 }
 /**
@@ -342,6 +384,12 @@ private module DataContractJsonSafeConstructorTrackingConfig implements DataFlow
 mc.getQualifier() = sink.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:28: Flow call outside 'select' clause
+ none()
+ }
 }
 private module DataContractJsonSafeConstructorTracking =
@@ -389,6 +437,12 @@ private module JavaScriptSerializerSafeConstructorTrackingConfig implements Data
 mc.getQualifier() = sink.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:29: Flow call outside 'select' clause
+ none()
+ }
 }
 private module JavaScriptSerializerSafeConstructorTracking =
@@ -434,6 +488,12 @@ private module XmlObjectSerializerDerivedConstructorTrackingConfig implements Da
 mc.getQualifier() = sink.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:30: Flow call outside 'select' clause
+ none()
+ }
 }
 private module XmlObjectSerializerDerivedConstructorTracking =
@@ -476,6 +536,12 @@ private module XmlSerializerSafeConstructorTrackingConfig implements DataFlow::C
 mc.getQualifier() = sink.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:31: Flow call outside 'select' clause
+ none()
+ }
 }
 private module XmlSerializerSafeConstructorTracking =
@@ -522,6 +588,12 @@ private module DataContractSerializerSafeConstructorTrackingConfig implements Da
 mc.getQualifier() = sink.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:32: Flow call outside 'select' clause
+ none()
+ }
 }
 private module DataContractSerializerSafeConstructorTracking =
@@ -564,6 +636,12 @@ private module XmlMessageFormatterSafeConstructorTrackingConfig implements DataF
 mc.getQualifier() = sink.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:33: Flow call outside 'select' clause
+ none()
+ }
 }
 private module XmlMessageFormatterSafeConstructorTracking =
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
index 0838fe7be4b6..b095305742dd 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -37,6 +37,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll
index 140870c70fae..5cf934ef43e7 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll
@@ -43,6 +43,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
 * `node` from the data flow graph.
 */
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
index 2d687b51d67a..8baba893ef7f 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
@@ -158,6 +158,12 @@ module XssTrackingConfig implements DataFlow::ConfigSig {
 * `node` from the data flow graph.
 */
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll:22: Flow call outside 'select' clause
+ none()
+ }
 }
 module XssTracking = TaintTracking::Global;
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
index fad3917553dd..1639563e9640 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
@@ -30,6 +30,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
index 3bcfdde669a4..c5e3c5bcd29a 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
@@ -111,6 +111,12 @@ private module LocalFileOutputStreamConfig implements DataFlow::ConfigSig {
 oc.getObjectType() instanceof SystemIOStreamWriterClass
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll:124: Flow call outside 'select' clause
+ none()
+ }
 }
 private module LocalFileOutputStreamFlow = DataFlow::Global;
diff --git a/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll
index 1abeaf797b00..9e9dacbdb63a 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll
@@ -213,6 +213,13 @@ module XmlReader {
 predicate isSink(DataFlow::Node sink) {
 sink.asExpr() = any(InsecureXmlReaderCreate create).getSettings()
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll:186: Flow call outside 'select' clause
+ // ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll:194: Flow call outside 'select' clause
+ none()
+ }
 }
 private module SettingsDataFlow = DataFlow::Global;
diff --git a/csharp/ql/src/API Abuse/FormatInvalid.ql b/csharp/ql/src/API Abuse/FormatInvalid.ql
index 235daa1ecc25..c21bcfad4a0f 100644
--- a/csharp/ql/src/API Abuse/FormatInvalid.ql
+++ b/csharp/ql/src/API Abuse/FormatInvalid.ql
@@ -18,6 +18,14 @@ module FormatInvalidConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLiteral }
 predicate isSink(DataFlow::Node n) { exists(FormatCall c | n.asExpr() = c.getFormatExpr()) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/API Abuse/FormatInvalid.ql:31: Flow call outside 'select' clause
+ // ql/src/API Abuse/FormatInvalid.ql:44: Flow call outside 'select' clause
+ // ql/src/API Abuse/FormatInvalid.ql:62: Flow call outside 'select' clause
+ none()
+ }
 }
 module FormatInvalid = DataFlow::Global;
diff --git a/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql b/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
index 3072b154812f..3b241d73a75a 100644
--- a/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
+++ b/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
@@ -87,6 +87,12 @@ module DisposeCallOnLocalIDisposableConfig implements DataFlow::ConfigSig {
 isSink(node) and not node instanceof ReturnNode
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql:100: Flow call outside 'select' clause
+ none()
+ }
 }
 module DisposeCallOnLocalIDisposable = DataFlow::Global;
diff --git a/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql b/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql
index c98f2bef8a2b..8da3a910b0da 100644
--- a/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql
+++ b/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql
@@ -26,6 +26,8 @@ module UnsafeYearCreationFromArithmeticConfig implements DataFlow::ConfigSig {
 oc.getObjectType().getABaseType*().hasFullyQualifiedName("System", "DateTime")
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module UnsafeYearCreationFromArithmetic =
diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
index 9f70760ba602..e69d97320fbe 100644
--- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
+++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
@@ -24,6 +24,13 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con
 }
 predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34
+ // ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql:37: Column 3 does not select a source or sink originating from the flow call on line 34
+ none()
+ }
 }
 module NotThreadSafeCryptoUsageIntoParallelInvoke =
diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
index 16eca675e6a1..2276b660f9f7 100644
--- a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
+++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
@@ -45,6 +45,8 @@ module XmlInjectionConfig implements DataFlow::ConfigSig {
 mc = node.asExpr()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
index 118591f3f9ef..9cd6fc68b4ce 100644
--- a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
+++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
@@ -41,6 +41,8 @@ module AssemblyPathInjectionConfig implements DataFlow::ConfigSig {
 name = "UnsafeLoadFrom" and arg = 0
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
index a027170dc372..e32b043b53f4 100644
--- a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
+++ b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
@@ -22,6 +22,8 @@ module FormatStringConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 sink.asExpr() = any(FormatCall call | call.hasInsertions()).getFormatExpr()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module FormatString = TaintTracking::Global;
diff --git a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
index 0d71a08fe97e..a29919fc09dc 100644
--- a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
+++ b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
@@ -41,6 +41,8 @@ module ExposureInTransmittedDataConfig implements DataFlow::ConfigSig {
 }
 predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module ExposureInTransmittedData = TaintTracking::Global;
diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
index 114bdf7ccea4..7ec34b7c3cce 100644
--- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
+++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
@@ -59,6 +59,8 @@ module ExceptionInformationExposureConfig implements DataFlow::ConfigSig { // Do not flow through Message sanitizer.asExpr().getType().(RefType).getABaseType*() instanceof SystemExceptionClass } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql index 15da9c2d8243..b48ddbf0f350 100644 --- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql +++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql @@ -37,6 +37,8 @@ module AddCertToRootStoreConfig implements DataFlow::ConfigSig { sink.asExpr() = mc.getQualifier() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module AddCertToRootStore = DataFlow::Global; diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql index adde1b948e4f..330ad1c1c329 100644 --- a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql +++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql @@ -40,6 +40,8 @@ module InsecureSqlConnectionConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql index 09f4bdca26bf..fdfd5cc19082 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql 
@@ -38,6 +38,12 @@ module ConnectionStringConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security Features/CWE-798/HardcodedConnectionString.ql:52: Column 5 does not select a source or sink originating from the flow call on line 49 + none() + } } /** diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql index b35247634eae..76a52461a9e8 100644 --- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql +++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql @@ -50,6 +50,13 @@ module RequiresEncodingConfig implements DataF } int fieldFlowBranchLimit() { result = 0 } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security Features/CWE-838/InappropriateEncoding.ql:146: Flow call outside 'select' clause + // ql/src/Security Features/CWE-838/InappropriateEncoding.ql:149: Flow call outside 'select' clause + none() + } } /** An encoded value, for example through a call to `HttpServerUtility.HtmlEncode`. */ @@ -104,6 +111,12 @@ module EncodingConfigurations { predicate isBarrier = Super::isBarrier/1; int fieldFlowBranchLimit() { result = Super::fieldFlowBranchLimit() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security Features/CWE-838/InappropriateEncoding.ql:143: Flow call outside 'select' clause + none() + } } module SqlExpr = TaintTracking::Global; diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql index 504756e1db50..2c2df7010c67 100644 
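Review bot: In the second InappropriateEncoding.ql hunk (`module EncodingConfigurations`), the new predicate hardcodes `none()` while the two members just above it forward to `Super` (`isBarrier = Super::isBarrier/1`, `fieldFlowBranchLimit() { result = Super::fieldFlowBranchLimit() }`). If `Super` is the `RequiresEncodingConfig` module patched in the previous hunk, which the hunk does not show, and both configurations are meant to be switched together, forwarding keeps a single switch and a single TODO: `predicate observeDiffInformedIncrementalMode = Super::observeDiffInformedIncrementalMode/0;`. The enclosing configuration module starts above the hunk, so its relation to `Super` should be checked there.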
--- a/csharp/ql/src/Security Features/InsecureRandomness.ql +++ b/csharp/ql/src/Security Features/InsecureRandomness.ql @@ -49,6 +49,8 @@ module Random { // succ = array_or_indexer[pred] - use of random numbers in an index succ.asExpr().(ElementAccess).getAnIndex() = pred.asExpr() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll b/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll index a088f5100af8..6ae0b0742740 100644 --- a/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll +++ b/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll @@ -48,6 +48,12 @@ private module TaintedWebClientConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-099/TaintedWebClient.ql:25: Flow call outside 'select' clause + none() + } } /** diff --git a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll index 9ab1351f4142..6e4840a4ce59 100644 --- a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll +++ b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll @@ -52,6 +52,12 @@ module RequestForgery { } predicate isBarrier(DataFlow::Node node) { node instanceof Barrier } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/CWE-918/RequestForgery.ql:21: Flow call outside 'select' clause + none() + } } /** diff --git a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql index f18798c8b086..081683e7559a 100644 
--- a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql +++ b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql @@ -188,6 +188,12 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig { mc.getArgument(0) = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql:201: Flow call outside 'select' clause + none() + } } module HashWithoutSalt = TaintTracking::Global; diff --git a/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll b/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll index ae2c1442e7c2..06fda1e89d68 100644 --- a/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll +++ b/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll @@ -34,6 +34,12 @@ private module FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassVa predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(TokenValidationParametersPropertySensitiveValidation p).getAnAssignedValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql:22: Flow call outside 'select' clause + none() + } } module FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassValidation = diff --git a/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql b/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql index 49245d3d8f56..d03403c86a86 100644 --- a/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql 
+++ b/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql @@ -35,6 +35,12 @@ deprecated module FlowToDataSerializerConstructorConfig implements DataFlow::Con predicate isSource(DataFlow::Node node) { unsafeDataContractTypeCreation(node.asExpr()) } predicate isSink(DataFlow::Node node) { xmlSerializerConstructorArgument(node.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql:46: Flow call outside 'select' clause + none() + } } deprecated module FlowToDataSerializerConstructor = diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql index 6a4eeb002b33..43c6f3f1d311 100644 --- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql +++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql @@ -84,6 +84,12 @@ private module FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallableConfig call = dateTime.getATimeSpanArithmeticCallable().getACall() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql:162: Flow call outside 'select' clause + none() + } } /** @@ -110,6 +116,12 @@ private module FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig impleme call = dateTime.getAComparisonCallable().getACall() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql:166: Flow call outside 'select' clause + none() + } } /** 
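Review bot: The TODO in UnsafeTypeUsedDataContractSerializer.ql asks for manual verification of `FlowToDataSerializerConstructorConfig`, which the context line declares as a `deprecated module`. Making a deprecated configuration diff-informed is unlikely to be worth the review, and an open TODO on it will keep showing up in searches for unfinished work. Stating the decision is clearer, e.g. `// Deprecated config: intentionally not diff-informed.` above the `none()`.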
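Review bot: The three PotentialTimeBomb.ql configurations patched here (`FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallableConfig`, `FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig`, `FlowsFromTimeComparisonCallableToSelectionStatementConditionConfig`) each get the generic TODO, but their names and the flow calls cited at lines 162, 166 and 170 suggest they are stages of one chained query. If so, the sink of one stage is presumably the source of the next, and restricting a single stage to the changed range could drop a chain whose reported location is in the diff. Once confirmed against the `where` clause, which is outside these hunks, the comment should say so, e.g. `// Not diff-informed: stage of a chained flow; sources and sinks are intermediate nodes.`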
@@ -133,6 +145,12 @@ private module FlowsFromTimeComparisonCallableToSelectionStatementConditionConfi predicate isSink(DataFlow::Node sink) { exists(SelectionStmt sel | sel.getCondition().getAChild*() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql:170: Flow call outside 'select' clause + none() + } } /** diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql index c8b23f476fd2..030107dfd3af 100644 --- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql +++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql @@ -18,6 +18,12 @@ module DataFlowFromMethodToHashConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSuspiciousPropertyName(source.asExpr()) } predicate isSink(DataFlow::Node sink) { isGetHash(sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql:52: Flow call outside 'select' clause + none() + } } module DataFlowFromMethodToHash = TaintTracking::Global; diff --git a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll b/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll index e91ae9de5385..35537432be79 100644 --- a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll +++ b/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll 
@@ -34,6 +34,12 @@ private module AuthCookieNameConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) } predicate isSink(DataFlow::Node sink) { exists(Call c | sink.asExpr() = c.getAnArgument()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/dataflow/flowsources/AuthCookie.qll:14: Flow call outside 'select' clause + none() + } } /** @@ -56,6 +62,15 @@ private module CookieOptionsTrackingConfig implements DataFlow::ConfigSig { mc.getArgument(2) = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql:42: Flow call outside 'select' clause + // ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql:80: Flow call outside 'select' clause + // ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql:41: Flow call outside 'select' clause + // ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql:86: Flow call outside 'select' clause + none() + } } /** 
@@ -167,6 +182,15 @@ private module OnAppendCookieTrackingConfig impl MicrosoftAspNetCoreCookiePolicyAppendCookieContext ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql:39: Flow call outside 'select' clause + // ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql:70: Flow call outside 'select' clause + // ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql:33: Flow call outside 'select' clause + // ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql:83: Flow call outside 'select' clause + none() + } } private string getPropertyNameSecure() { result = "Secure" }