JS: Disable diff-informedness for full SSRF

asgerf · asgerf · commit 7d6abb4e0a87 · 2025-02-06T11:30:18.000+01:00
Partial SSRF uses its result in a way that prevents diff-informedness
diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -30,12 +30,10 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig
     node instanceof FullUrlControlSanitizer
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.(Sink).getLocation()
-    or
-    result = sink.(Sink).getRequest().getLocation()
+  predicate observeDiffInformedIncrementalMode() {
+    // The partial request forgery query depends on `fullyControlledRequest` to reject alerts about
+    // such full-controlled requests, regardless of the associated source.
+    none()
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -30,12 +30,10 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig`
`30`	`30`	`node instanceof FullUrlControlSanitizer`
`31`	`31`	`}`
`32`	`32`
`33`		`- predicate observeDiffInformedIncrementalMode() { any() }`
`34`		`-`
`35`		`- Location getASelectedSinkLocation(DataFlow::Node sink) {`
`36`		`- result = sink.(Sink).getLocation()`
`37`		`- or`
`38`		`- result = sink.(Sink).getRequest().getLocation()`
	`33`	`+ predicate observeDiffInformedIncrementalMode() {`
	`34`	+ // The partial request forgery query depends on `fullyControlledRequest` to reject alerts about
	`35`	`+ // such full-controlled requests, regardless of the associated source.`
	`36`	`+ none()`
`39`	`37`	`}`
`40`	`38`	`}`
`41`	`39`