Actions: patch-generated stubs

d10c · d10c · commit cecb2df7d274 · 2025-07-03T17:49:49.000+02:00
diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -88,6 +88,10 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql@29:62:29:66)
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -316,6 +316,10 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql@28:30:28:34)
+  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -35,6 +35,10 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql@48:60:48:64), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql@36:60:36:64)
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
diff --git a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -16,6 +16,10 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql@30:60:30:64)
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -108,6 +108,10 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql@39:36:39:40)
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -163,6 +163,10 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql@48:36:48:40)
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,10 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {`
`88`	`88`	`run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)`
`89`	`89`	`)`
`90`	`90`	`}`
	`91`	`+`
	`92`	`+ predicate observeDiffInformedIncrementalMode() {`
	`93`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql@29:62:29:66)`
	`94`	`+ }`
`91`	`95`	`}`
`92`	`96`
`93`	`97`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */`
Original file line number	Diff line number	Diff line change
`@@ -316,6 +316,10 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {`
`316`	`316`	`exists(run.getScript().getAFileReadCommand())`
`317`	`317`	`)`
`318`	`318`	`}`
	`319`	`+`
	`320`	`+ predicate observeDiffInformedIncrementalMode() {`
	`321`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql@28:30:28:34)`
	`322`	`+ }`
`319`	`323`	`}`
`320`	`324`
`321`	`325`	`/** Tracks flow of unsafe artifacts that is used in an insecure way. */`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,10 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {`
`35`	`35`	`exists(run.getScript().getAFileReadCommand())`
`36`	`36`	`)`
`37`	`37`	`}`
	`38`	`+`
	`39`	`+ predicate observeDiffInformedIncrementalMode() {`
	`40`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql@48:60:48:64), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql@36:60:36:64)`
	`41`	`+ }`
`38`	`42`	`}`
`39`	`43`
`40`	`44`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,10 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {`
`16`	`16`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`17`	`17`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }`
	`19`	`+`
	`20`	`+ predicate observeDiffInformedIncrementalMode() {`
	`21`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql@30:60:30:64)`
	`22`	`+ }`
`19`	`23`	`}`
`20`	`24`
`21`	`25`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */`
Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,10 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {`
`108`	`108`	`exists(run.getScript().getAFileReadCommand())`
`109`	`109`	`)`
`110`	`110`	`}`
	`111`	`+`
	`112`	`+ predicate observeDiffInformedIncrementalMode() {`
	`113`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql@39:36:39:40)`
	`114`	`+ }`
`111`	`115`	`}`
`112`	`116`
`113`	`117`	`/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,10 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {`
`163`	`163`	`exists(run.getScript().getAFileReadCommand())`
`164`	`164`	`)`
`165`	`165`	`}`
	`166`	`+`
	`167`	`+ predicate observeDiffInformedIncrementalMode() {`
	`168`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql@48:36:48:40)`
	`169`	`+ }`
`166`	`170`	`}`
`167`	`171`
`168`	`172`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`