JS: Rerun patch query after bugfix

asgerf · asgerf · commit dba76a0e4d3a · 2025-01-23T10:31:32.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -26,7 +26,11 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql:27: Column 5 selects sink.getInitialization
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -32,7 +32,11 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
     isAdditionalRequestForgeryStep(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/ClientSideRequestForgery.ql:24: Column 1 selects sink.getARequest
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -31,7 +31,12 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/CommandInjection.ql:31: Column 1 does not select a source or sink originating from the flow call on line 24
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql:34: Column 1 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -24,7 +24,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
     node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:22: Column 5 selects sink.getCredentialsHeader
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:25: Column 5 selects sink.getCredentialsHeader
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -34,7 +34,11 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql:23: Column 7 does not select a source or sink originating from the flow call on line 19
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -27,7 +27,11 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/IndirectCommandInjection.ql:29: Column 1 does not select a source or sink originating from the flow call on line 25
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -24,7 +24,11 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-829/InsecureDownload.ql:21: Column 5 selects sink.getDownloadCall
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -52,7 +52,14 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
     state2 = state1
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 32
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 32
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 34
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -48,7 +48,11 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
     node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql:30: Column 7 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -27,7 +27,11 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
     isAdditionalRequestForgeryStep(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/RequestForgery.ql:21: Column 1 selects sink.getARequest
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -28,7 +28,11 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql:30: Column 1 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -32,7 +32,14 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 28
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 28
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 30
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 30
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
@@ -33,7 +33,11 @@ module UnsafeCodeConstruction {
 
     DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-094/UnsafeCodeConstruction.ql:26: Column 7 selects sink.getCodeSink
+      none()
+    }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -61,7 +61,11 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql:25: Column 7 selects sink.getSink
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -37,7 +37,11 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
     node = any(StringReplaceCall call).getRawReplacement()
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:25: Column 5 selects source.getPlugin
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -26,7 +26,12 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:24: Column 1 selects sink.getAlertLocation
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:26: Column 7 selects sink.getCommandExecution
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -26,7 +26,12 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Performance/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
+    // ql/src/Performance/PolynomialReDoS.ql:33: Column 5 selects sink.getRegExp
+    none()
+  }
 }
 
 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */
diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -34,7 +34,11 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql:71: Column 1 does not select a source or sink originating from the flow call on line 68
+    none()
+  }
 }
 
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;
diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -28,7 +28,11 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql:42: Column 5 does not select a source or sink originating from the flow call on line 41
+    none()
+  }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,11 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {`
`32`	`32`	`isAdditionalRequestForgeryStep(node1, node2)`
`33`	`33`	`}`
`34`	`34`
`35`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`35`	`+ predicate observeDiffInformedIncrementalMode() {`
	`36`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`37`	`+ // ql/src/Security/CWE-918/ClientSideRequestForgery.ql:24: Column 1 selects sink.getARequest`
	`38`	`+ none()`
	`39`	`+ }`
`36`	`40`	`}`
`37`	`41`
`38`	`42`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {`
`24`	`24`	`node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()`
`25`	`25`	`}`
`26`	`26`
`27`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`27`	`+ predicate observeDiffInformedIncrementalMode() {`
	`28`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`29`	`+ // ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:22: Column 5 selects sink.getCredentialsHeader`
	`30`	`+ // ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:25: Column 5 selects sink.getCredentialsHeader`
	`31`	`+ none()`
	`32`	`+ }`
`28`	`33`	`}`
`29`	`34`
`30`	`35`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,11 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {`
`34`	`34`	`TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)`
`35`	`35`	`}`
`36`	`36`
`37`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`37`	`+ predicate observeDiffInformedIncrementalMode() {`
	`38`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`39`	`+ // ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql:23: Column 7 does not select a source or sink originating from the flow call on line 19`
	`40`	`+ none()`
	`41`	`+ }`
`38`	`42`	`}`
`39`	`43`
`40`	`44`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,14 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {`
`52`	`52`	`state2 = state1`
`53`	`53`	`}`
`54`	`54`
`55`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`55`	`+ predicate observeDiffInformedIncrementalMode() {`
	`56`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`57`	`+ // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 32`
	`58`	`+ // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 32`
	`59`	`+ // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34`
	`60`	`+ // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 34`
	`61`	`+ none()`
	`62`	`+ }`
`56`	`63`	`}`
`57`	`64`
`58`	`65`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,11 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {`
`48`	`48`	`node = TaintedObject::SanitizerGuard::getABarrierNode(state)`
`49`	`49`	`}`
`50`	`50`
`51`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`51`	`+ predicate observeDiffInformedIncrementalMode() {`
	`52`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`53`	`+ // ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql:30: Column 7 does not select a source or sink originating from the flow call on line 26`
	`54`	`+ none()`
	`55`	`+ }`
`52`	`56`	`}`
`53`	`57`
`54`	`58`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,11 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {`
`27`	`27`	`isAdditionalRequestForgeryStep(node1, node2)`
`28`	`28`	`}`
`29`	`29`
`30`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`30`	`+ predicate observeDiffInformedIncrementalMode() {`
	`31`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`32`	`+ // ql/src/Security/CWE-918/RequestForgery.ql:21: Column 1 selects sink.getARequest`
	`33`	`+ none()`
	`34`	`+ }`
`31`	`35`	`}`
`32`	`36`
`33`	`37`	`/**`