From e0d16a863bb7ec749386741f527f99075d9359e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:07:21 +0200
Subject: [PATCH 01/15] [DIFF-INFORMED] Go: AllocationSizeOverflow

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql#L24
---
 .../lib/semmle/go/security/AllocationSizeOverflow.qll | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
index 9531e2798129..079ab35ee366 100644
--- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -56,6 +56,17 @@ module AllocationSizeOverflow {
       succ = c
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    exists(DataFlow::Node allocsz |
+      isSinkWithAllocationSize(sink, allocsz) and
+      result = allocsz.getLocation()
+    )
+  }
 }
 
 /** Tracks taint flow to find allocation-size overflows. */

From 89f760460b303eeb400569d7ecc78297e456bc38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:08:18 +0200
Subject: [PATCH 02/15] [DIFF-INFORMED] Go: CommandInjection

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-078/CommandInjection.ql#L28
---
 go/ql/lib/semmle/go/security/CommandInjection.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll
index 7dc6f3991fc1..1774d77af54e 100644
--- a/go/ql/lib/semmle/go/security/CommandInjection.qll
+++ b/go/ql/lib/semmle/go/security/CommandInjection.qll
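Review bot: The new `getASelectedSinkLocation` in AllocationSizeOverflow.qll carries no QLDoc, while the neighbouring predicates in this file do (`/** Tracks taint flow to find allocation-size overflows. */`). Its second disjunct only makes sense in relation to the select clause of AllocationSizeOverflow.ql referenced in the commit message, which the hunk cannot show, so the coupling deserves a sentence at the definition, e.g. `/** The sink itself, plus the allocation-size node the query reports alongside it; keep in sync with the select in AllocationSizeOverflow.ql. */`. Without it a later change to the select clause would silently leave diff-informed runs under-selecting. The enclosing module continues outside the hunk.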
@@ -24,6 +24,8 @@ module CommandInjection {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -80,6 +82,8 @@ module CommandInjection {
     node instanceof Sanitizer or
     node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

From 109f6ddc2d0b56407c9c9fb7c591da2322ee745a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:09:28 +0200
Subject: [PATCH 03/15] [DIFF-INFORMED] Go: ExternalAPIs

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql#L18
---
 go/ql/lib/semmle/go/security/ExternalAPIs.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
index 4a561c17136e..f85f939258f1 100644
--- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

From f228818b1f537af85bb77596d697244879dae5b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:21:26 +0200
Subject: [PATCH 04/15] [DIFF-INFORMED] Go: HardcodedCredentials

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-798/HardcodedCredentials.ql#L62
---
 go/ql/lib/semmle/go/security/HardcodedCredentials.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
index 0be50fc23062..877a2b4570e2 100644
--- a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
+++ b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -30,6 +30,8 @@ module HardcodedCredentials {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks taint flow for reasoning about hardcoded credentials. */

From ce7eb9b16a23d66f480c2665336033237d4334e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:23:10 +0200
Subject: [PATCH 05/15] [DIFF-INFORMED] Go: IncorrectIntegerConversion

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql#L23
---
 .../semmle/go/security/IncorrectIntegerConversionLib.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
index 9125ab6e400a..7864205d1dce 100644
--- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
     state2 = node2.(FlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2, _)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getASuccessor().getLocation()
+  }
 }
 
 /**

From 4b473622bc26de3809d62335c5d5cb5ba9dfdba8 Mon Sep 17 00:00:00 2001
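Review bot: `getASelectedSinkLocation` in IncorrectIntegerConversionLib.qll replaces the default rather than extending it, so `sink.getLocation()` itself is no longer a selected location; that is only correct if IncorrectIntegerConversionQuery.ql reports the successor node and never the sink, which the commit message link suggests but the hunk cannot show. `getASuccessor()` may also yield more than one node, which is harmless here because extra selected locations only widen the diff-range filter, whereas a missing one drops alerts. Suggest recording the assumption next to the override, e.g. `// The query reports the conversion, i.e. the sink's successor, not the sink node itself.`, so the coupling to the select clause is visible. The enclosing module continues outside the hunk.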
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:24:18 +0200
Subject: [PATCH 06/15] [DIFF-INFORMED] Go: InsecureRandomness

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-338/InsecureRandomness.ql#L19
---
 go/ql/lib/semmle/go/security/InsecureRandomness.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
index 83746f7b96ed..4dac659eabf9 100644
--- a/go/ql/lib/semmle/go/security/InsecureRandomness.qll
+++ b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
@@ -39,6 +39,10 @@ module InsecureRandomness {
       n2.getType() instanceof IntegerType
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Can't have accurate sink location override because of secondary use of `flowPath` in select.
+  }
 }
 
 /**

From 8c8625d9129128ad2dd83582872c8a4d4d09a1a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:26:12 +0200
Subject: [PATCH 07/15] [DIFF-INFORMED] Go: ReflectedXss

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-079/ReflectedXss.ql#L23
---
 go/ql/lib/semmle/go/security/ReflectedXss.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll
index 1068c6fae3d1..35501269cc1c 100644
--- a/go/ql/lib/semmle/go/security/ReflectedXss.qll
+++ b/go/ql/lib/semmle/go/security/ReflectedXss.qll
@@ -22,6 +22,14 @@ module ReflectedXss {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = sink.(SharedXss::Sink).getAssociatedLoc().getLocation()
+  }
 }
 
 /** Tracks taint flow from untrusted data to XSS attack vectors. */

From d6ef585110ee1d7abf3caa519f69939b68efde13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:33:38 +0200
Subject: [PATCH 08/15] [DIFF-INFORMED] Go: RequestForgery, SafeUrlFlow

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-918/RequestForgery.ql#L21
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql#L24
---
 go/ql/lib/semmle/go/security/RequestForgery.qll | 8 ++++++++
 go/ql/lib/semmle/go/security/SafeUrlFlow.qll | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
index bdf26a1f18fe..176b67403e6e 100644
--- a/go/ql/lib/semmle/go/security/RequestForgery.qll
+++ b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -31,6 +31,14 @@ module RequestForgery {
       w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = sink.(Sink).getARequest().getLocation()
+  }
 }
 
 /** Tracks taint flow from untrusted data to request forgery attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
index d74e2156a609..77b7aeda591b 100644
--- a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
+++ b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -36,6 +36,10 @@ module SafeUrlFlow {
     or
     node instanceof SanitizerEdge
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary configuration
+  }
 }
 
 /** Tracks taint flow for reasoning about safe URLs. */

From 19b373aa904e45472a98f58ffdfb911713513bf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:36:52 +0200
Subject: [PATCH 09/15] [DIFF-INFORMED] Go: SensitiveConditionBypass

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql#L33
---
 .../src/experimental/CWE-807/SensitiveConditionBypass.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
index 2f2ca94fa87f..33e6c6c01440 100644
--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -59,6 +59,14 @@ private module Config implements DataFlow::ConfigSig {
       not c.isPotentialFalsePositive()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(ComparisonExpr comp | result = comp.getLocation() | sink.asExpr() = comp.getAnOperand())
+  }
 }
 
 /**

From 7bd6703f1974a224126c846fd785fbe5129e7c91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:37:34 +0200
Subject: [PATCH 10/15] [DIFF-INFORMED] Go: ConditionalBypass

---
 go/ql/src/experimental/CWE-840/ConditionalBypass.ql | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
index b70be1ff42db..64f7c3c9ac21 100644
--- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
+++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
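Review bot: `getASelectedSourceLocation` in SensitiveConditionBypass.qll is set to `none()` with no explanation, whereas the `none()` overrides in InsecureRandomness.qll and ConditionalBypass.ql in this series each carry a comment. `none()` asserts that the source never appears in the query's results; if SensitiveConditionBypass.ql reports the source as a column or message placeholder, diff-informed runs will miss alerts whose only changed line is the source. The sink override also drops `sink.getLocation()`, which is probably fine because a `ComparisonExpr`'s location spans its operands, but that reasoning is worth stating. A comment such as `// The query reports only the enclosing comparison; neither the source nor the bare operand is selected.` would make both assumptions checkable.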
@@ -22,6 +22,10 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // can't override the locations accurately because of secondary use of config.
+  }
 }
 
 /** Tracks taint flow for reasoning about conditional bypass. */

From a1fe72c423570dc437ce1cbd9671ad2bdf792bc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:39:05 +0200
Subject: [PATCH 11/15] [DIFF-INFORMED] Go: SSRF

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-918/SSRF.ql#L23
---
 go/ql/src/experimental/CWE-918/SSRF.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
index b1374da8a5f7..05abe7bf8e47 100644
--- a/go/ql/src/experimental/CWE-918/SSRF.qll
+++ b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -30,6 +30,14 @@ module ServerSideRequestForgery {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getARequest().getLocation()
+  }
 }
 
 /** Tracks taint flow for reasoning about request forgery vulnerabilities. */

From 7b759f44f817b99d085cb01e641a91309ef2b0fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:43:28 +0200
Subject: [PATCH 12/15] [DIFF-INFORMED] Go: AuthCookie

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql#L97
---
 go/ql/src/experimental/CWE-1004/AuthCookie.qll | 6 ++++++
 1 file changed, 6 insertions(+)

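Review bot: `getASelectedSinkLocation` in SSRF.qll keeps only `sink.(Sink).getARequest().getLocation()`, whereas the same override added to RequestForgery.qll in patch 08 also retains `sink.getLocation()`. If SSRF.ql reports only the request, the narrower form is correct; otherwise an alert whose changed line is the sink argument would be dropped in diff-informed mode. Either align the two with `result = sink.getLocation() or result = sink.(Sink).getARequest().getLocation()`, or add a comment stating that SSRF.ql selects the request rather than the sink node. The same question applies to the `none()` source override, which asserts the source is never reported by the query.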
diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
index 411da5a79fa0..b16f09ac1858 100644
--- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll
+++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -116,6 +116,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // Merged with other flows in CookieWithoutHttpOnly.ql
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 
 /**

From 188fc0d933adad0f658def161788762540819cdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:44:30 +0200
Subject: [PATCH 13/15] [DIFF-INFORMED] Go: UnhandledCloseWritableHandle

---
 .../src/InconsistentCode/UnhandledCloseWritableHandle.ql | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
index d3210c48011e..3fd09ac040e3 100644
--- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -128,6 +128,14 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
+      isWritableFileHandle(source, openCall)
+    )
+  }
 }
 
 /**

From b4010ac2b4df41803e9f632d5811e39fca4096f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:44:56 +0200
Subject: [PATCH 14/15] [DIFF-INFORMED] Go: InsecureHostKeyCallback

---
 go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql | 2 ++
 1 file changed, 2 insertions(+)

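Review bot: `getASelectedSourceLocation` in UnhandledCloseWritableHandle.ql replaces the default source location with that of `openCall` only, while the equivalent override in BadRedirectCheck.ql (patch 15) keeps `source.getLocation()` alongside the extra location. If the query reports only the open call this is correct but should be stated, e.g. `// The query reports the call that opened the handle, not the handle node itself.`; if it also reports the source, add `result = source.getLocation() or` in front of the `exists`, as BadRedirectCheck does. The sink side keeps the default, yet `isCloseSink(sink, _)` discards a second value in the same way `isWritableFileHandle` does on the source side; whether that value is reported cannot be seen from the hunk, and a comment either way would close the question.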
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
index c0b5898601c9..5fef19007131 100644
--- a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+++ b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -68,6 +68,8 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

From 8824677e87972a758b183bdd2ba616f0174744d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 11:45:25 +0200
Subject: [PATCH 15/15] [DIFF-INFORMED] Go: BadRedirectCheck

---
 go/ql/src/Security/CWE-601/BadRedirectCheck.ql | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
index bc60e1339eb9..7b4cc9f99fcd 100644
--- a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
+++ b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
@@ -123,6 +123,17 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = source.getLocation()
+    or
+    exists(DataFlow::Node check |
+      isCheckedSource(source, check) and
+      result = check.getLocation()
+    )
+  }
 }
 
 module Flow = TaintTracking::Global;
pFad - Phonifier reborn
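Review bot: InsecureHostKeyCallback.ql opts into diff-informed mode with the default selected locations, but its sink predicate is `writeIsSink(sink, _)`, whose second argument is discarded. Elsewhere in this series the second argument of such a helper is exactly the node the query reports, and the config then gets a location override (UnhandledCloseWritableHandle.ql, IncorrectIntegerConversionLib.qll); if the same holds here, a `getASelectedSinkLocation` returning that node's location is needed, otherwise an alert whose only changed line is the reported write would be filtered out. If the query reports `sink` itself, a short comment such as `// The query reports the sink node directly; default selected locations suffice.` would make the omission deliberate. The select clause is outside the hunk, so this cannot be settled from the diff alone.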
