github · asgerf · Dec 20, 2024 · Dec 20, 2024
@@ -21,6 +21,8 @@ private module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */

@@ -21,6 +21,8 @@ private module CleartextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */

@@ -17,6 +17,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "code injection" vulnerabilities. */

@@ -20,6 +20,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "command injection" vulnerabilities. */

@@ -20,6 +20,8 @@ module CookieInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "cookie injection" vulnerabilities. */

@@ -16,6 +16,8 @@ private module HeaderInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */

@@ -19,6 +19,8 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
@@ -30,6 +32,8 @@ private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */

@@ -17,6 +17,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "log injection" vulnerabilities. */

@@ -56,6 +56,8 @@ module NoSqlInjectionConfig implements DataFlow::StateConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node = any(NoSqlSanitizer noSqlSanitizer).getAnInput()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NoSqlInjectionFlow = TaintTracking::GlobalWithState<NoSqlInjectionConfig>;
@@ -31,6 +31,8 @@ private module PamAuthorizationConfig implements DataFlow::ConfigSig {
     // Flow from handle to the authenticate call in the final step
     exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */

@@ -71,6 +71,8 @@ module PathInjectionConfig implements DataFlow::StateConfigSig {
     stateFrom instanceof NotNormalized and
     stateTo instanceof NormalizedUnchecked
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "path injection" vulnerabilities. */

@@ -17,6 +17,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */

@@ -17,6 +17,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */

@@ -18,6 +18,8 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */

@@ -29,6 +29,10 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig
     or
     node instanceof FullUrlControlSanitizer
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since the alert selects the associated request object
+  }
 }
 
 /**
@@ -58,6 +62,8 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -17,6 +17,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "SQL injection" vulnerabilities. */

@@ -26,6 +26,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
       nodeTo = attr
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */

@@ -17,6 +17,8 @@ private module TarSlipConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "tar slip" vulnerabilities. */

@@ -17,6 +17,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) { node instanceof Sink }
 
   predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "template injection" vulnerabilities. */

@@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */

@@ -28,6 +28,8 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */

@@ -32,6 +32,8 @@ private module UrlRedirectConfig implements DataFlow::StateConfigSig {
   ) {
     any(UrlRedirect::AdditionalFlowStep a).step(nodeFrom, stateFrom, nodeTo, stateTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "URL redirection" vulnerabilities. */

@@ -33,6 +33,8 @@ module NormalHashFunction {
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -63,6 +65,8 @@ module ComputationallyExpensiveHashFunction {
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */

@@ -17,6 +17,8 @@ private module XmlBombConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "XML bomb" vulnerabilities. */

@@ -17,6 +17,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */

@@ -17,6 +17,8 @@ private module XxeConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */

@@ -171,6 +171,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:181: Flow call outside 'select' clause
+    // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:184: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */

@@ -110,6 +110,12 @@ module InsecureContextConfiguration implements DataFlow::StateConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-327/FluentApiModel.qll:130: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module InsecureContextFlow = DataFlow::GlobalWithState<InsecureContextConfiguration>;

@@ -119,6 +119,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module HardcodedCredentialsFlow = TaintTracking::Global<HardcodedCredentialsConfig>;

@@ -109,6 +109,8 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
     nodeFrom = nodeTo.(API::CallNode).getArg(0) and
     nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */

@@ -19,6 +19,8 @@ module XsltInjectionConfig implements DataFlow::ConfigSig {
     // opted for the more simple approach.
     nodeTo = elementTreeConstruction(nodeFrom)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module XsltInjectionFlow = TaintTracking::Global<XsltInjectionConfig>;
@@ -24,6 +24,8 @@ module Js2PyFlowConfig implements DataFlow::ConfigSig {
     API::moduleImport("js2py").getMember(["eval_js", "eval_js6", "EvalJs"]).getACall().getArg(_) =
       node
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Js2PyFlow = TaintTracking::Global<Js2PyFlowConfig>;

@@ -75,6 +75,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
     ) and
     state instanceof PostValidation
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */

@@ -26,6 +26,8 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config
   predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PossibleTimingAttackAgainstHashFlow =

@@ -25,6 +25,8 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>;

@@ -23,6 +23,8 @@ private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigS
   predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module TimingAttackAgainstHeaderValueFlow =

@@ -23,6 +23,8 @@ private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlo
   predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PossibleTimingAttackAgainstSensitiveInfoFlow =

@@ -24,6 +24,8 @@ private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::Confi
   predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module TimingAttackAgainstSensitiveInfoFlow =

@@ -52,6 +52,8 @@ private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig
     or
     state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;

@@ -145,6 +145,8 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
       node = call.getObject()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>;
-Original file line number
+Diff line change
@@ Expand Up @@
           nodeTo = attr
         )
       }
+      predicate observeDiffInformedIncrementalMode() { any() }
     }
     /** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
@@ Expand Down @@