JS: Enable diff-informed queries #18528

Merged
merged 7 commits into from
Jan 20, 2025
@@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
contents = DataFlow::ContentSet::anyProperty() and
isSink(node)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
contents = DataFlow::ContentSet::anyProperty() and
isSink(node)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;
@@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalRequestForgeryStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
state1 = state2
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
// HTML sanitizers are insufficient protection against code injection
node1 = node2.(HtmlSanitizerCall).getInput()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
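Review bot: `isSink` in this hunk is defined through `isSinkWithHighlight(sink, _)`, which suggests the alert may be reported at a separate highlight node rather than at the sink, yet diff-informed mode is switched on with a bare `any()`. If the query selects the highlight, a pull request that touches only the highlighted line could lose the command-injection alert, a silent false negative in PR scanning. Either map the sink to its highlight with a `getASelectedSinkLocation` override, where the data-flow library in this tree offers one, or disable the mode as ConditionalBypassConfig does with `none() // Disabled since the highlight node is selected instead of the sink`. The same applies to IndirectCommandInjectionConfig and ShellCommandInjectionFromEnvironmentConfig further down; the module bodies start outside these hunks and the queries are not shown, so this needs checking against their select clauses.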
@@ -24,6 +24,10 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
// comparing a tainted expression against a constant gives a tainted result
node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
}

predicate observeDiffInformedIncrementalMode() {
none() // Disabled since the enclosing comparison is sometimes selected instead of the sink
}
}

/**
@@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
node instanceof Sanitizer or
node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
) {
TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -20,6 +20,10 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() {
none() // Disabled since multiple related sinks are selected simultaneously
}
}

/**
@@ -113,6 +113,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
state1 = state2
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -155,6 +155,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
}

int accessPathLimit() { result = 1 }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -31,6 +31,10 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
// Also report values that escape while inside a property
isSink(node) and contents = DataFlow::ContentSet::anyProperty()
}

predicate observeDiffInformedIncrementalMode() {
none() // Not used for PR analysis
}
}

/**
@@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
isSink(node) and
contents = DataFlow::ContentSet::anyProperty()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
node2 = n.getACall()
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
state1 = [FlowState::modified(), FlowState::unmodified()] and
state2 = FlowState::modified()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
}

predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
// taint steps as additional flow steps.
TaintTracking::defaultTaintStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
) {
TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
state1.isTaint() and
state2 = state1
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
// If an object leaks, all of its properties have leaked
isSink(node) and contents = DataFlow::ContentSet::anyProperty()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -113,6 +113,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
or
node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Taint-tracking for reasoning about prototype-polluting assignments. */
@@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
predicate isBarrier(DataFlow::Node node, FlowState state) {
node = TaintedObject::SanitizerGuard::getABarrierNode(state)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
node instanceof Sanitizer or
node = StringConcatenation::getRoot(any(ConstantString str).flow())
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isAdditionalRequestForgeryStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
isNumericFlowStep(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
TaintTracking::defaultTaintStep(node1, node2) and
state1 = state2
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
node2 = call
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
node2 = call
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -28,6 +28,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
}

predicate isSink(DataFlow::Node snk) { snk instanceof Sink }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -18,6 +18,8 @@ module StoredXssConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node instanceof Sanitizer or node = Shared::BarrierGuard::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -47,6 +47,8 @@ module TaintedPathConfig implements DataFlow::StateConfigSig {
) {
TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -45,6 +45,8 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
TaintTracking::defaultTaintStep(node1, node2) and
state1 = state2
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -27,6 +27,8 @@ module TypeConfusionConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node instanceof Barrier or node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -32,6 +32,8 @@ module UnsafeCodeConstruction {
}

DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -18,6 +18,8 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -75,6 +75,8 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
TaintTracking::defaultTaintStep(node1, node2) and
state1 = state2
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -60,6 +60,8 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
}

DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -36,6 +36,8 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
// prefixing through a poor-mans templating system:
node = any(StringReplaceCall call).getRawReplacement()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -25,6 +25,8 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
}

DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -91,6 +91,8 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig {
TaintTracking::defaultTaintStep(node1, node2) and
state1 = state2
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -19,6 +19,8 @@ module XmlBombConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -20,6 +20,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -28,6 +28,8 @@ module XssThroughDomConfig implements DataFlow::ConfigSig {
node2 = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and
node1 = node2.(DataFlow::InvokeNode).getArgument(0)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -19,6 +19,8 @@ module XxeConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
@@ -44,6 +44,8 @@ module ZipSlipConfig implements DataFlow::StateConfigSig {
) {
TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** A taint tracking configuration for unsafe archive extraction. */
@@ -25,6 +25,8 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }

int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */
@@ -283,6 +283,10 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {
// flows through any contents, apart from a capture content.
result = 1
}

predicate observeDiffInformedIncrementalMode() {
none() // Disabled since the alert references some locations other than the source or sink
}
}

class FlowState = PropNameTrackingConfig::FlowState;
@@ -87,6 +87,8 @@ module CodeInjectionConfig implements DataFlow::StateConfigSig {
state1 = TTaint() and
state2 = TUrlConstructor()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module CodeInjectionFlow = TaintTracking::GlobalWithState<CodeInjectionConfig>;
@@ -33,6 +33,8 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
)
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;
@@ -19,6 +19,8 @@ module EnvValueInjectionConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
sink = API::moduleImport("process").getMember("env").getAMember().asSink()
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module EnvValueInjectionFlow = TaintTracking::Global<EnvValueInjectionConfig>;
@@ -41,6 +41,8 @@ module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }

predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }

predicate observeDiffInformedIncrementalMode() { any() }
}

module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;
@@ -17,6 +17,8 @@ module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }

predicate observeDiffInformedIncrementalMode() { any() }
}

module UnverifiedDecodeFlow = TaintTracking::Global<UnverifiedDecodeConfig>;
@@ -25,6 +27,8 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }

predicate observeDiffInformedIncrementalMode() { any() }
}

module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;
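Review bot: VerifiedDecodeConfig in the second hunk tracks flow to `verifiedDecode()`, which reads like a config consumed as a filter rather than one whose results are selected as alerts, and it is enabled with `any()` while the sibling DecodeWithoutVerificationConfig is disabled for flow calls outside the `select` clause. If the JWT query negates VerifiedDecodeFlow to decide that a token is never verified, restricting that flow to the diff would drop verified paths whose sink is outside the changed lines and produce spurious unverified-decode alerts. The consuming query is not visible here, so confirm how VerifiedDecodeFlow is used; if it is a filter, use `none() // Disabled since this flow is used as a filter, not selected`. Both module bodies start outside the hunks.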
@@ -23,6 +23,13 @@ module DecodeWithoutVerificationConfig implements DataFlow::ConfigSig {
or
sink = verifiedDecode()
}

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:32: Flow call outside 'select' clause
// ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:42: Flow call outside 'select' clause
none()
}
}

module DecodeWithoutVerificationFlow = TaintTracking::Global<DecodeWithoutVerificationConfig>;
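Review bot: The comment inside the new predicate is a generated TODO that cites line numbers 32 and 42 of decodeJwtWithoutVerificationLocalSource.ql, and those references go stale as soon as that query is edited. `none()` is the safe choice for a signature-verification query, but the reason should be stated in the same form as the other disabled configs, e.g. `none() // Disabled since the flow is called outside the select clause`, with the manual verification tracked in an issue rather than in the source. The module body starts outside the hunk.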
@@ -24,6 +24,8 @@ module DecompressionBombConfig implements DataFlow::ConfigSig {
addstep.isAdditionalTaintStep(node1, node2)
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module DecompressionBombFlow = TaintTracking::Global<DecompressionBombConfig>;
2 changes: 2 additions & 0 deletions javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -28,6 +28,8 @@ module SsrfConfig implements DataFlow::ConfigSig {
}

predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }

predicate observeDiffInformedIncrementalMode() { any() }
}

module SsrfFlow = TaintTracking::Global<SsrfConfig>;
@@ -33,6 +33,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
}

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

module CorsPermissiveConfigurationFlow =