From 43e318fb60d57fda0bea74bd03f4456554686e01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:06:17 +0200
Subject: [PATCH 1/4] [DIFF-INFORMED] JS: IndirectCommandInjection

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql#L25
---
 .../security/dataflow/IndirectCommandInjectionQuery.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
index 87d85911a1ba..dc08ff47acf6 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -30,9 +30,10 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 
 Location getASelectedSinkLocation(DataFlow::Node sink) {
- exists(DataFlow::Node node |
- isSinkWithHighlight(sink, node) and
- result = node.getLocation()
+ exists(DataFlow::Node highlight | result = highlight.getLocation() |
+ if isSinkWithHighlight(sink, _)
+ then isSinkWithHighlight(sink, highlight)
+ else highlight = sink
 )
 }
 }

From f3974c3c343ac341f1ea008cdd522b32be6d8fea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:07:08 +0200
Subject: [PATCH 2/4] [DIFF-INFORMED] JS: ShellCommandInjectionFromEnvironment

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql#L26
---
 .../dataflow/ShellCommandInjectionFromEnvironmentQuery.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
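Review bot: The rewritten `getASelectedSinkLocation` body in the `@@ -30,9 +30,10 @@` hunk carries no comment explaining the fallback to the sink's own location, and the same non-obvious `exists(... | result = ... | if ... then ... else ...)` shape is repeated verbatim in ShellCommandInjectionFromEnvironmentQuery.qll in patch 2/4, so the two copies will drift unless the intent is written down or the logic is moved into a shared helper. A QLDoc above the predicate such as `/** Gets the location reported for this sink: the highlight node's location when isSinkWithHighlight provides one, otherwise the sink's own location. */` would cover both. Whether this agrees with the query's `select` clause (the subject links IndirectCommandInjection.ql#L25) cannot be checked from the hunk; a disagreement here does not fail loudly but presumably causes incremental (diff-informed) analysis to prune command-injection alerts whose reported location is in the diff, so a test pinning a sink without a highlight would be worth adding. The enclosing `IndirectCommandInjectionConfig` module starts before the hunk.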
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
index 1d396da5b20d..f95dc66b06ff 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -31,9 +31,10 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
 predicate observeDiffInformedIncrementalMode() { any() }
 
 Location getASelectedSinkLocation(DataFlow::Node sink) {
- exists(DataFlow::Node node |
- isSinkWithHighlight(sink, node) and
- result = node.getLocation()
+ exists(DataFlow::Node highlight | result = highlight.getLocation() |
+ if isSinkWithHighlight(sink, _)
+ then isSinkWithHighlight(sink, highlight)
+ else highlight = sink
 )
 }
 }

From 4b43cf4834ad4ed4666851622436ef6d6b7632e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:08:26 +0200
Subject: [PATCH 3/4] [DIFF-INFORMED] JS: EnvValueAndKeyInjection

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql#L68
---
 .../experimental/Security/CWE-099/EnvValueAndKeyInjection.ql | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
index e66406f84053..53a31c3268de 100644
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -33,6 +33,10 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ none() // can't override location accurately because of secondary use in select.
+ }
 }
 
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global;

From bd6b27e6061b0bba16e0d2d2818df6aead98e90c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:08:57 +0200
Subject: [PATCH 4/4] [DIFF-INFORMED] JS: decodeJwtWithoutVerification

---
 .../Security/CWE-347/decodeJwtWithoutVerification.ql | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
index 429744bbbd1d..17d66cdf5770 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -27,6 +27,10 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
 predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+
+ predicate observeDiffInformedIncrementalMode() {
+ none() // used as secondary config
+ }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global;
pFad - Phonifier reborn
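Review bot: The trailing comment on the added `none()` in `observeDiffInformedIncrementalMode` says the location "can't [be] override[n] accurately because of secondary use in select" without naming which select clause or which node is reported as the secondary location, and the matching hunk in decodeJwtWithoutVerification.ql (patch 4/4) is even terser with `// used as secondary config`, not saying which primary config it is secondary to. Since `none()` here presumably opts the whole query out of diff-informed pruning, a maintainer later deciding whether it can be re-enabled needs that context in the comment. Suggest `// Opt out of diff-informed mode: nodes from this config are also reported as secondary locations in the query's select clause, so getASelectedSinkLocation could not describe every reported location.` for EnvValueAndKeyInjection.ql, and for decodeJwtWithoutVerification.ql a comment naming the config that reports `VerifiedDecodeFlow` results as its secondary location. In both hunks the enclosing `...Config` module starts before the hunk.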
