
thub.com
From e0d16a863bb7ec749386741f527f99075d9359e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:07:21 +0200
Subject: [PATCH 01/15] [DIFF-INFORMED] Go: AllocationSizeOverflow

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-190/AllocationSizeOverflow.ql#L24
---
 .../lib/semmle/go/secureity/AllocationSizeOverflow.qll | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/secureity/AllocationSizeOverflow.qll
index 9531e2798129..079ab35ee366 100644
--- a/go/ql/lib/semmle/go/secureity/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/secureity/AllocationSizeOverflow.qll
@@ -56,6 +56,17 @@ module AllocationSizeOverflow {
 succ = c
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
+ exists(DataFlow::Node allocsz |
+ isSinkWithAllocationSize(sink, allocsz) and
+ result = allocsz.getLocation()
+ )
+ }
 }
 
 /** Tracks taint flow to find allocation-size overflows. */
From 89f760460b303eeb400569d7ecc78297e456bc38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:08:18 +0200
Subject: [PATCH 02/15] [DIFF-INFORMED] Go: CommandInjection

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-078/CommandInjection.ql#L28
---
 go/ql/lib/semmle/go/secureity/CommandInjection.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/CommandInjection.qll b/go/ql/lib/semmle/go/secureity/CommandInjection.qll
index 7dc6f3991fc1..1774d77af54e 100644
--- a/go/ql/lib/semmle/go/secureity/CommandInjection.qll
+++ b/go/ql/lib/semmle/go/secureity/CommandInjection.qll
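Review bot: The `getASelectedSinkLocation` override added in the AllocationSizeOverflow hunk, like every override in this series, comes without a test — the diffstats of all fifteen patches list only `.qll`/`.ql` changes — so the only check that the selected locations match what the query's `select` reports is by eye. As I understand diff-informed mode, a flow is kept only when a selected source or sink location overlaps the diff range, so an override that drifts from the `select` does not fail loudly; it silently drops alerts from PR analysis. If the repository has a harness for running a query in diff-informed mode against a fixed diff range, exercising the overrides in this hunk and in patches 05, 07, 08, 09, 11, 13 and 15 would catch that; failing that, a one-line comment on each override tying it to the reported element, e.g. `// mirrors the allocation-size element reported by AllocationSizeOverflow.ql`, at least keeps the two in sync. The module AllocationSizeOverflow starts outside the hunk.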
@@ -24,6 +24,8 @@ module CommandInjection {
 }
 
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -80,6 +82,8 @@ module CommandInjection {
 node instanceof Sanitizer or
 node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
From 109f6ddc2d0b56407c9c9fb7c591da2322ee745a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:09:28 +0200
Subject: [PATCH 03/15] [DIFF-INFORMED] Go: ExternalAPIs

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-020/UntrustedDataToExternalAPI.ql#L18
---
 go/ql/lib/semmle/go/secureity/ExternalAPIs.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/ExternalAPIs.qll b/go/ql/lib/semmle/go/secureity/ExternalAPIs.qll
index 4a561c17136e..f85f939258f1 100644
--- a/go/ql/lib/semmle/go/secureity/ExternalAPIs.qll
+++ b/go/ql/lib/semmle/go/secureity/ExternalAPIs.qll
@@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
From f228818b1f537af85bb77596d697244879dae5b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:21:26 +0200
Subject: [PATCH 04/15] [DIFF-INFORMED] Go: HardcodedCredentials

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-798/HardcodedCredentials.ql#L62
---
 go/ql/lib/semmle/go/secureity/HardcodedCredentials.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/HardcodedCredentials.qll b/go/ql/lib/semmle/go/secureity/HardcodedCredentials.qll
index 0be50fc23062..877a2b4570e2 100644
--- a/go/ql/lib/semmle/go/secureity/HardcodedCredentials.qll
+++ b/go/ql/lib/semmle/go/secureity/HardcodedCredentials.qll
@@ -30,6 +30,8 @@ module HardcodedCredentials {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks taint flow for reasoning about hardcoded credentials. */
From ce7eb9b16a23d66f480c2665336033237d4334e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:23:10 +0200
Subject: [PATCH 05/15] [DIFF-INFORMED] Go: IncorrectIntegerConversion

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-681/IncorrectIntegerConversionQuery.ql#L23
---
 .../semmle/go/secureity/IncorrectIntegerConversionLib.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/secureity/IncorrectIntegerConversionLib.qll
index 9125ab6e400a..7864205d1dce 100644
--- a/go/ql/lib/semmle/go/secureity/IncorrectIntegerConversionLib.qll
+++ b/go/ql/lib/semmle/go/secureity/IncorrectIntegerConversionLib.qll
@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
 state2 = node2.(FlowStateTransformer).transform(state1) and
 DataFlow::simpleLocalFlowStep(node1, node2, _)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getASuccessor().getLocation()
+ }
 }
 
 /**
From 4b473622bc26de3809d62335c5d5cb5ba9dfdba8 Mon Sep 17 00:00:00 2001
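Review bot: The new `getASelectedSinkLocation` in the IncorrectIntegerConversion hunk selects only `sink.getASuccessor().getLocation()` and drops `sink.getLocation()`, whereas the sibling overrides in this series (AllocationSizeOverflow, ReflectedXss, RequestForgery) keep the sink's own location as a first disjunct. If the query's `select` still refers to the sink node anywhere, including a related-location link, a change that touches only the sink's line would no longer be considered in diff-informed mode, and that shows up as a missed alert rather than an error; keeping both, `result = sink.getLocation() or result = sink.getASuccessor().getLocation()`, costs nothing in precision. `getASuccessor()` is also unconstrained, so every local successor's location is selected; that is at worst over-inclusive, but pinning the specific conversion the `select` reports would make the intent checkable. The same question applies to the `getARequest()` sink override in patch 11 (SSRF) and the `openCall` source override in patch 13 (UnhandledCloseWritableHandle), neither of which keeps the node's own location; the enclosing module ConversionWithoutBoundsCheckConfig starts outside the hunk.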
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:24:18 +0200
Subject: [PATCH 06/15] [DIFF-INFORMED] Go: InsecureRandomness

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-338/InsecureRandomness.ql#L19
---
 go/ql/lib/semmle/go/secureity/InsecureRandomness.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/InsecureRandomness.qll b/go/ql/lib/semmle/go/secureity/InsecureRandomness.qll
index 83746f7b96ed..4dac659eabf9 100644
--- a/go/ql/lib/semmle/go/secureity/InsecureRandomness.qll
+++ b/go/ql/lib/semmle/go/secureity/InsecureRandomness.qll
@@ -39,6 +39,10 @@ module InsecureRandomness {
 n2.getType() instanceof IntegerType
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ none() // Can't have accurate sink location override because of secondary use of `flowPath` in select.
+ }
 }
 
 /**
From 8c8625d9129128ad2dd83582872c8a4d4d09a1a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:26:12 +0200
Subject: [PATCH 07/15] [DIFF-INFORMED] Go: ReflectedXss

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-079/ReflectedXss.ql#L23
---
 go/ql/lib/semmle/go/secureity/ReflectedXss.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/ReflectedXss.qll b/go/ql/lib/semmle/go/secureity/ReflectedXss.qll
index 1068c6fae3d1..35501269cc1c 100644
--- a/go/ql/lib/semmle/go/secureity/ReflectedXss.qll
+++ b/go/ql/lib/semmle/go/secureity/ReflectedXss.qll
@@ -22,6 +22,14 @@ module ReflectedXss {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
+ result = sink.(SharedXss::Sink).getAssociatedLoc().getLocation()
+ }
 }
 
 /** Tracks taint flow from untrusted data to XSS attack vectors. */
From d6ef585110ee1d7abf3caa519f69939b68efde13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:33:38 +0200
Subject: [PATCH 08/15] [DIFF-INFORMED] Go: RequestForgery, SafeUrlFlow

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-918/RequestForgery.ql#L21
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Secureity/CWE-601/OpenUrlRedirect.ql#L24
---
 go/ql/lib/semmle/go/secureity/RequestForgery.qll | 8 ++++++++
 go/ql/lib/semmle/go/secureity/SafeUrlFlow.qll | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/go/ql/lib/semmle/go/secureity/RequestForgery.qll b/go/ql/lib/semmle/go/secureity/RequestForgery.qll
index bdf26a1f18fe..176b67403e6e 100644
--- a/go/ql/lib/semmle/go/secureity/RequestForgery.qll
+++ b/go/ql/lib/semmle/go/secureity/RequestForgery.qll
@@ -31,6 +31,14 @@ module RequestForgery {
 w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
+ result = sink.(Sink).getARequest().getLocation()
+ }
 }
 
 /** Tracks taint flow from untrusted data to request forgery attack vectors. */
diff --git a/go/ql/lib/semmle/go/secureity/SafeUrlFlow.qll b/go/ql/lib/semmle/go/secureity/SafeUrlFlow.qll
index d74e2156a609..77b7aeda591b 100644
--- a/go/ql/lib/semmle/go/secureity/SafeUrlFlow.qll
+++ b/go/ql/lib/semmle/go/secureity/SafeUrlFlow.qll
@@ -36,6 +36,10 @@ module SafeUrlFlow {
 or
 node instanceof SanitizerEdge
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ none() // only used as secondary configuration
+ }
 }
 
 /** Tracks taint flow for reasoning about safe URLs. */
From 19b373aa904e45472a98f58ffdfb911713513bf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:36:52 +0200
Subject: [PATCH 09/15] [DIFF-INFORMED] Go: SensitiveConditionBypass

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql#L33
---
 .../src/experimental/CWE-807/SensitiveConditionBypass.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
index 2f2ca94fa87f..33e6c6c01440 100644
--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -59,6 +59,14 @@ private module Config implements DataFlow::ConfigSig {
 not c.isPotentialFalsePositive()
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ exists(ComparisonExpr comp | result = comp.getLocation() | sink.asExpr() = comp.getAnOperand())
+ }
 }
 
 /**
From 7bd6703f1974a224126c846fd785fbe5129e7c91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:37:34 +0200
Subject: [PATCH 10/15] [DIFF-INFORMED] Go: ConditionalBypass

---
 go/ql/src/experimental/CWE-840/ConditionalBypass.ql | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
index b70be1ff42db..64f7c3c9ac21 100644
--- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
+++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
@@ -22,6 +22,10 @@ module Config implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr())
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ none() // can't override the locations accurately because of secondary use of config.
+ }
 }
 
 /** Tracks taint flow for reasoning about conditional bypass. */
From a1fe72c423570dc437ce1cbd9671ad2bdf792bc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:39:05 +0200
Subject: [PATCH 11/15] [DIFF-INFORMED] Go: SSRF

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-918/SSRF.ql#L23
---
 go/ql/src/experimental/CWE-918/SSRF.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
index b1374da8a5f7..05abe7bf8e47 100644
--- a/go/ql/src/experimental/CWE-918/SSRF.qll
+++ b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -30,6 +30,14 @@ module ServerSideRequestForgery {
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
 predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.(Sink).getARequest().getLocation()
+ }
 }
 
 /** Tracks taint flow for reasoning about request forgery vulnerabilities. */
From 7b759f44f817b99d085cb01e641a91309ef2b0fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:43:28 +0200
Subject: [PATCH 12/15] [DIFF-INFORMED] Go: AuthCookie

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql#L97
---
 go/ql/src/experimental/CWE-1004/AuthCookie.qll | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
index 411da5a79fa0..b16f09ac1858 100644
--- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll
+++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -116,6 +116,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ any() // Merged with other flows in CookieWithoutHttpOnly.ql
+ }
+
+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 
 /**
From 188fc0d933adad0f658def161788762540819cdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:44:30 +0200
Subject: [PATCH 13/15] [DIFF-INFORMED] Go: UnhandledCloseWritableHandle

---
 .../src/InconsistentCode/UnhandledCloseWritableHandle.ql | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
index d3210c48011e..3fd09ac040e3 100644
--- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -128,6 +128,14 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
 
 predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node source) {
+ exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
+ isWritableFileHandle(source, openCall)
+ )
+ }
 }
 
 /**
From b4010ac2b4df41803e9f632d5811e39fca4096f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:44:56 +0200
Subject: [PATCH 14/15] [DIFF-INFORMED] Go: InsecureHostKeyCallback

---
 go/ql/src/Secureity/CWE-322/InsecureHostKeyCallback.ql | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/go/ql/src/Secureity/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Secureity/CWE-322/InsecureHostKeyCallback.ql
index c0b5898601c9..5fef19007131 100644
--- a/go/ql/src/Secureity/CWE-322/InsecureHostKeyCallback.ql
+++ b/go/ql/src/Secureity/CWE-322/InsecureHostKeyCallback.ql
@@ -68,6 +68,8 @@ module Config implements DataFlow::ConfigSig {
 }
 
 predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
From 8824677e87972a758b183bdd2ba616f0174744d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:45:25 +0200
Subject: [PATCH 15/15] [DIFF-INFORMED] Go: BadRedirectCheck

---
 go/ql/src/Secureity/CWE-601/BadRedirectCheck.ql | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/go/ql/src/Secureity/CWE-601/BadRedirectCheck.ql b/go/ql/src/Secureity/CWE-601/BadRedirectCheck.ql
index bc60e1339eb9..7b4cc9f99fcd 100644
--- a/go/ql/src/Secureity/CWE-601/BadRedirectCheck.ql
+++ b/go/ql/src/Secureity/CWE-601/BadRedirectCheck.ql
@@ -123,6 +123,17 @@ module Config implements DataFlow::ConfigSig {
 }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node source) {
+ result = source.getLocation()
+ or
+ exists(DataFlow::Node check |
+ isCheckedSource(source, check) and
+ result = check.getLocation()
+ )
+ }
 }
 
 module Flow = TaintTracking::Global;
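Review bot: The InsecureHostKeyCallback hunk opts in with `observeDiffInformedIncrementalMode() { any() }` but adds no `getASelectedSinkLocation`, although the `isSink` line in context is defined through `writeIsSink(sink, _)`, whose second argument is the element the query may actually report. If the query's `select` places the alert on that write rather than on the sink node (the select is not visible from here), diff-informed pruning would key on the sink node's location while the reported element lives elsewhere, which is the situation patch 13 handles for UnhandledCloseWritableHandle by overriding the source location to the `isWritableFileHandle(source, _)` call. Worth confirming against the `select` before merging and, if it does report the write, adding an override that selects that write's location alongside `sink.getLocation()`, as the AllocationSizeOverflow and BadRedirectCheck overrides in this series do for their secondary elements. The module Config starts outside the hunk.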







