JS: Resolve inserted TODOs

asgerf · asgerf · commit 6423033db62b · 2025-01-23T13:02:52.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -26,10 +26,12 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql:27: Column 5 selects sink.getInitialization
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getInitialization().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -32,10 +32,12 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
     isAdditionalRequestForgeryStep(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-918/ClientSideRequestForgery.ql:24: Column 1 selects sink.getARequest
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getARequest().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -31,11 +31,13 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-078/CommandInjection.ql:31: Column 1 does not select a source or sink originating from the flow call on line 24
-    // ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql:34: Column 1 does not select a source or sink originating from the flow call on line 26
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node node |
+      isSinkWithHighlight(sink, node) and
+      result = node.getLocation()
+    )
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -24,11 +24,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
     node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:22: Column 5 selects sink.getCredentialsHeader
-    // ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:25: Column 5 selects sink.getCredentialsHeader
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getCredentialsHeader().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -34,10 +34,15 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql:23: Column 7 does not select a source or sink originating from the flow call on line 19
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    exists(DataFlow::Node link |
+      sink.(Sink).hasReason(link, _) and
+      result = link.getLocation()
+    )
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -27,10 +27,13 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-078/IndirectCommandInjection.ql:29: Column 1 does not select a source or sink originating from the flow call on line 25
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node node |
+      isSinkWithHighlight(sink, node) and
+      result = node.getLocation()
+    )
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -24,10 +24,12 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-829/InsecureDownload.ql:21: Column 5 selects sink.getDownloadCall
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getDownloadCall().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -52,14 +52,7 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
     state2 = state1
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 32
-    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 32
-    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34
-    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 34
-    none()
-  }
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -48,10 +48,15 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
     node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql:30: Column 7 does not select a source or sink originating from the flow call on line 26
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    exists(Locatable loc |
+      sink.(Sink).dependencyInfo(_, loc) and
+      result = loc.getLocation()
+    )
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -27,10 +27,12 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
     isAdditionalRequestForgeryStep(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-918/RequestForgery.ql:21: Column 1 selects sink.getARequest
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getARequest().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -28,10 +28,13 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql:30: Column 1 does not select a source or sink originating from the flow call on line 26
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node node |
+      isSinkWithHighlight(sink, node) and
+      result = node.getLocation()
+    )
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -32,14 +32,7 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 28
-    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 28
-    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 30
-    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 30
-    none()
-  }
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
@@ -33,10 +33,12 @@ module UnsafeCodeConstruction {
 
     DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-    predicate observeDiffInformedIncrementalMode() {
-      // TODO(diff-informed): Manually verify if config can be diff-informed.
-      // ql/src/Security/CWE-094/UnsafeCodeConstruction.ql:26: Column 7 selects sink.getCodeSink
-      none()
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.(Sink).getLocation()
+      or
+      result = sink.(Sink).getCodeSink().getLocation()
     }
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -61,10 +61,12 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql:25: Column 7 selects sink.getSink
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getSink().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -37,10 +37,12 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
     node = any(StringReplaceCall call).getRawReplacement()
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:25: Column 5 selects source.getPlugin
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = source.(Source).getLocation()
+    or
+    result = source.(Source).getPlugin().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -26,11 +26,14 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:24: Column 1 selects sink.getAlertLocation
-    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:26: Column 7 selects sink.getCommandExecution
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getAlertLocation().getLocation()
+    or
+    result = sink.(Sink).getCommandExecution().getLocation()
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -26,11 +26,14 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Performance/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
-    // ql/src/Performance/PolynomialReDoS.ql:33: Column 5 selects sink.getRegExp
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getHighlight().getLocation()
+    or
+    result = sink.(Sink).getRegExp().getLocation()
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -26,10 +26,12 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {`
`26`	`26`
`27`	`27`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
`28`	`28`
`29`		`- predicate observeDiffInformedIncrementalMode() {`
`30`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`31`		`- // ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql:27: Column 5 selects sink.getInitialization`
`32`		`- none()`
	`29`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`30`	`+`
	`31`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`32`	`+ result = sink.(Sink).getLocation()`
	`33`	`+ or`
	`34`	`+ result = sink.(Sink).getInitialization().getLocation()`
`33`	`35`	`}`
`34`	`36`	`}`
`35`	`37`
Original file line number	Diff line number	Diff line change
`@@ -32,10 +32,12 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {`
`32`	`32`	`isAdditionalRequestForgeryStep(node1, node2)`
`33`	`33`	`}`
`34`	`34`
`35`		`- predicate observeDiffInformedIncrementalMode() {`
`36`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`37`		`- // ql/src/Security/CWE-918/ClientSideRequestForgery.ql:24: Column 1 selects sink.getARequest`
`38`		`- none()`
	`35`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`36`	`+`
	`37`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`38`	`+ result = sink.(Sink).getLocation()`
	`39`	`+ or`
	`40`	`+ result = sink.(Sink).getARequest().getLocation()`
`39`	`41`	`}`
`40`	`42`	`}`
`41`	`43`
Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {`
`24`	`24`	`node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()`
`25`	`25`	`}`
`26`	`26`
`27`		`- predicate observeDiffInformedIncrementalMode() {`
`28`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`29`		`- // ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:22: Column 5 selects sink.getCredentialsHeader`
`30`		`- // ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:25: Column 5 selects sink.getCredentialsHeader`
`31`		`- none()`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`28`	`+`
	`29`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`30`	`+ result = sink.(Sink).getLocation()`
	`31`	`+ or`
	`32`	`+ result = sink.(Sink).getCredentialsHeader().getLocation()`
`32`	`33`	`}`
`33`	`34`	`}`
`34`	`35`
Original file line number	Diff line number	Diff line change
`@@ -34,10 +34,15 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {`
`34`	`34`	`TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)`
`35`	`35`	`}`
`36`	`36`
`37`		`- predicate observeDiffInformedIncrementalMode() {`
`38`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`39`		`- // ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql:23: Column 7 does not select a source or sink originating from the flow call on line 19`
`40`		`- none()`
	`37`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`38`	`+`
	`39`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`40`	`+ result = sink.(Sink).getLocation()`
	`41`	`+ or`
	`42`	`+ exists(DataFlow::Node link \|`
	`43`	`+ sink.(Sink).hasReason(link, _) and`
	`44`	`+ result = link.getLocation()`
	`45`	`+ )`
`41`	`46`	`}`
`42`	`47`	`}`
`43`	`48`
Original file line number	Diff line number	Diff line change
`@@ -24,10 +24,12 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {`
`24`	`24`
`25`	`25`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
`26`	`26`
`27`		`- predicate observeDiffInformedIncrementalMode() {`
`28`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`29`		`- // ql/src/Security/CWE-829/InsecureDownload.ql:21: Column 5 selects sink.getDownloadCall`
`30`		`- none()`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`28`	`+`
	`29`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`30`	`+ result = sink.(Sink).getLocation()`
	`31`	`+ or`
	`32`	`+ result = sink.(Sink).getDownloadCall().getLocation()`
`31`	`33`	`}`
`32`	`34`	`}`
`33`	`35`
Original file line number	Diff line number	Diff line change
`@@ -52,14 +52,7 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {`
`52`	`52`	`state2 = state1`
`53`	`53`	`}`
`54`	`54`
`55`		`- predicate observeDiffInformedIncrementalMode() {`
`56`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`57`		`- // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 32`
`58`		`- // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 32`
`59`		`- // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34`
`60`		`- // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 34`
`61`		`- none()`
`62`		`- }`
	`55`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`63`	`56`	`}`
`64`	`57`
`65`	`58`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -48,10 +48,15 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {`
`48`	`48`	`node = TaintedObject::SanitizerGuard::getABarrierNode(state)`
`49`	`49`	`}`
`50`	`50`
`51`		`- predicate observeDiffInformedIncrementalMode() {`
`52`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`53`		`- // ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql:30: Column 7 does not select a source or sink originating from the flow call on line 26`
`54`		`- none()`
	`51`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`52`	`+`
	`53`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`54`	`+ result = sink.(Sink).getLocation()`
	`55`	`+ or`
	`56`	`+ exists(Locatable loc \|`
	`57`	`+ sink.(Sink).dependencyInfo(_, loc) and`
	`58`	`+ result = loc.getLocation()`
	`59`	`+ )`
`55`	`60`	`}`
`56`	`61`	`}`
`57`	`62`
Original file line number	Diff line number	Diff line change
`@@ -27,10 +27,12 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {`
`27`	`27`	`isAdditionalRequestForgeryStep(node1, node2)`
`28`	`28`	`}`
`29`	`29`
`30`		`- predicate observeDiffInformedIncrementalMode() {`
`31`		`- // TODO(diff-informed): Manually verify if config can be diff-informed.`
`32`		`- // ql/src/Security/CWE-918/RequestForgery.ql:21: Column 1 selects sink.getARequest`
`33`		`- none()`
	`30`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`31`	`+`
	`32`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`33`	`+ result = sink.(Sink).getLocation()`
	`34`	`+ or`
	`35`	`+ result = sink.(Sink).getARequest().getLocation()`
`34`	`36`	`}`
`35`	`37`	`}`
`36`	`38`