Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS: Enable diff-informed queries #18528

Merged
merged 7 commits into from
Jan 20, 2025
Merged

JS: Enable diff-informed queries #18528

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fd763a0
JS: Auto-patch diff informed queries
asgerf Dec 19, 2024
8fe622f
JS: Update PrototypePollutingFunction.ql
asgerf Jan 17, 2025
29da1fb
JS: Update ConditionalBypassQuery.qll
asgerf Jan 17, 2025
ecbd798
JS: Update DifferentKindsComparisonBypassQuery.qll
asgerf Jan 17, 2025
7c29ea9
JS: Update ExternalAPIUsedwithUntrustedData
asgerf Jan 17, 2025
a948915
JS: Add dummy extension with an empty diff
asgerf Dec 19, 2024
683ebca
Revert "JS: Add dummy extension with an empty diff"
asgerf Jan 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
contents = DataFlow::ContentSet::anyProperty() and
isSink(node)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
contents = DataFlow::ContentSet::anyProperty() and
isSink(node)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalRequestForgeryStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
state1 = state2
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
// HTML sanitizers are insufficient protection against code injection
node1 = node2.(HtmlSanitizerCall).getInput()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
4 changes: 4 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
// comparing a tainted expression against a constant gives a tainted result
node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
}

predicate observeDiffInformedIncrementalMode() {
none() // Disabled since the enclosing comparison is sometimes selected instead of the sink
}
}

/**
Expand Down
2 changes: 2 additions & 0 deletions ...pt/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
node instanceof Sanitizer or
node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
) {
TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
4 changes: 4 additions & 0 deletions ...script/ql/lib/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,10 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() {
none() // Disabled since multiple related sinks are selected simultaneously
}
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
state1 = state2
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
}

int accessPathLimit() { result = 1 }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
4 changes: 4 additions & 0 deletions ...ript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,10 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
// Also report values that escape while inside a property
isSink(node) and contents = DataFlow::ContentSet::anyProperty()
}

predicate observeDiffInformedIncrementalMode() {
none() // Not used for PR analysis
}
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
isSink(node) and
contents = DataFlow::ContentSet::anyProperty()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
node2 = n.getACall()
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions ...script/ql/lib/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCodeQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
state1 = [FlowState::modified(), FlowState::unmodified()] and
state2 = FlowState::modified()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions .../ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions ...t/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
}

predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
// taint steps as additional flow steps.
TaintTracking::defaultTaintStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/InsecureTemporaryFileQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
) {
TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
state1.isTaint() and
state2 = state1
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
// If an object leaks, all of its properties have leaked
isSink(node) and contents = DataFlow::ContentSet::anyProperty()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
or
node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Taint-tracking for reasoning about prototype-polluting assignments. */
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
predicate isBarrier(DataFlow::Node node, FlowState state) {
node = TaintedObject::SanitizerGuard::getABarrierNode(state)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
node instanceof Sanitizer or
node = StringConcatenation::getRoot(any(ConstantString str).flow())
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalRequestForgeryStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isNumericFlowStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
TaintTracking::defaultTaintStep(node1, node2) and
state1 = state2
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
node2 = call
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions .../ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
node2 = call
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node snk) { snk instanceof Sink }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Down
Loading