From 329fd803e26945260f90997b1df60f018f4f927c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:36:24 +0200
Subject: [PATCH 1/8] [DIFF-INFORMED] Rust: RegexInjection
---
rust/ql/src/queries/security/CWE-020/RegexInjection.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-020/RegexInjection.ql b/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
index 14d6d8e167ed..287c616a43ed 100644
--- a/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
+++ b/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
@@ -34,6 +34,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 /**
From 574bb871e0268918725ecbbafff86db13fff8f5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:36:51 +0200
Subject: [PATCH 2/8] [DIFF-INFORMED] Rust: TaintedPath
---
rust/ql/src/queries/security/CWE-022/TaintedPath.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-022/TaintedPath.ql b/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
index 8896cf608427..7acfc2055764 100644
--- a/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
+++ b/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
@@ -79,6 +79,8 @@ module TaintedPathConfig implements DataFlow::StateConfigSig {
 stateFrom instanceof NotNormalized and
 stateTo instanceof NormalizedUnchecked
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module TaintedPathFlow = TaintTracking::GlobalWithState;
From 78c40e209b377f09f4606c79a8a070293b9e6fa3 Mon Sep 17 00:00:00 2001
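Review bot: Enabling `observeDiffInformedIncrementalMode` is only sound when the query's `select` clause reports no location other than the source and the sink, because diff-informed mode is meant to prune sources and sinks whose selected locations lie outside the changed range; the hunk shows only the config module, not the `select`, so this should be confirmed for RegexInjection and for the identical additions to TaintedPath (this line), SqlInjection and CleartextTransmission (next line), CleartextLogging and UncontrolledAllocationSize (the line after), and AccessInvalidPointer (PATCH 8/8). Where a query's message or primary location names a third element, the config also needs `getASelectedSourceLocation` / `getASelectedSinkLocation`, which PATCH 7/8 adds for AccessAfterLifetime but none of these seven patches do. A one-line comment above the new predicate, e.g. `// the select clause reports only source and sink locations, so diff-informed mode is sound here`, would record that the check was made and make it visible to whoever next edits the select clause.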
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:37:16 +0200
Subject: [PATCH 3/8] [DIFF-INFORMED] Rust: SqlInjection
---
rust/ql/src/queries/security/CWE-089/SqlInjection.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-089/SqlInjection.ql b/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
index f61295263bfb..883fafd00d25 100644
--- a/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
+++ b/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
@@ -26,6 +26,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node node) { node instanceof Sink }
 predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module SqlInjectionFlow = TaintTracking::Global;
From 091163bf8e4b3e7135621808fb3a4c988358f88c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:37:47 +0200
Subject: [PATCH 4/8] [DIFF-INFORMED] Rust: CleartextTransmission
---
rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
index 739dca0f4185..508937533899 100644
--- a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
+++ b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
@@ -37,6 +37,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
 // make sources barriers so that we only report the closest instance
 isSource(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module CleartextTransmissionFlow = TaintTracking::Global;
From fcc38007567bf5e71fdba8261f0f3bb67b7e87f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:38:16 +0200
Subject: [PATCH 5/8] [DIFF-INFORMED] Rust: CleartextLogging
---
rust/ql/src/queries/security/CWE-312/CleartextLogging.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql b/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
index c2a1dcc747f5..b1c56114c7bd 100644
--- a/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
+++ b/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
@@ -45,6 +45,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
 isSink(node) and
 c.getAReadContent() instanceof DataFlow::TuplePositionContent
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module CleartextLoggingFlow = TaintTracking::Global;
From 56ae8684e1ccc0f6b596161d7944ccd8acc7a861 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:38:47 +0200
Subject: [PATCH 6/8] [DIFF-INFORMED] Rust: UncontrolledAllocationSize
---
.../src/queries/security/CWE-770/UncontrolledAllocationSize.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql b/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
index 3d25ede3187d..cb5fe07b4aa8 100644
--- a/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+++ b/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
@@ -32,6 +32,8 @@ module UncontrolledAllocationConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module UncontrolledAllocationFlow = TaintTracking::Global;
From 31a73d466b9cc7be2e401ff76818a3fea8a9650d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:41:19 +0200
Subject: [PATCH 7/8] [DIFF-INFORMED] Rust: AccessAfterLifetime
---
.../security/CWE-825/AccessAfterLifetime.ql | 33 ++++++++++++++-----
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
index b4f652668b71..fce64dcf0ff1 100644
--- a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
+++ b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
@@ -28,10 +28,33 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node node) { node instanceof AccessAfterLifetime::Sink }
 predicate isBarrier(DataFlow::Node barrier) { barrier instanceof AccessAfterLifetime::Barrier }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSourceLocation(DataFlow::Node source) {
+ exists(Variable target, DataFlow::Node sink | result = target.getLocation() |
+ isSink(sink) and
+ narrowDereferenceAfterLifetime(source, sink, target)
+ )
+ }
 }
 module AccessAfterLifetimeFlow = TaintTracking::Global;
+pragma[inline]
+predicate narrowDereferenceAfterLifetime(DataFlow::Node source, DataFlow::Node sink, Variable target) {
+ // check that the dereference is outside the lifetime of the target
+ AccessAfterLifetime::dereferenceAfterLifetime(source, sink, target) and
+ // include only results inside `unsafe` blocks, as other results tend to be false positives
+ (
+ sink.asExpr().getExpr().getEnclosingBlock*().isUnsafe() or
+ sink.asExpr().getExpr().getEnclosingCallable().(Function).isUnsafe()
+ ) and
+ // exclude cases with sources / sinks in macros, since these results are difficult to interpret
+ not source.asExpr().getExpr().isFromMacroExpansion() and
+ not sink.asExpr().getExpr().isFromMacroExpansion()
+}
+
 from
 AccessAfterLifetimeFlow::PathNode sourceNode, AccessAfterLifetimeFlow::PathNode sinkNode,
 Variable target
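Review bot: Neither `getASelectedSourceLocation` nor the new top-level `narrowDereferenceAfterLifetime` carries a QLDoc comment, and the reason the override returns only `target.getLocation()` rather than the source's own location is not stated anywhere in the hunk; since overriding this predicate replaces the default source location, a reader needs to know that this is deliberate because the alert message names `target`, not the source. I would add `/** Holds if `sink` dereferences `target` after its lifetime has ended, inside an `unsafe` block or function, with neither `source` nor `sink` coming from a macro expansion. */` above the `pragma[inline]` line, and a one-line QLDoc on the override saying the alert's extra location is the `target` variable, so results whose `target` is in the diff range are kept. Note also that the override joins every source with every sink through `dereferenceAfterLifetime` independently of any flow path, which looks fine if that predicate is small but may be worth a quick performance check on a large database. The `from` clause at the end of this hunk continues into the next hunk.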
@@ -39,14 +62,6 @@ where
 // flow from a pointer or reference to the dereference
 AccessAfterLifetimeFlow::flowPath(sourceNode, sinkNode) and
 // check that the dereference is outside the lifetime of the target
- AccessAfterLifetime::dereferenceAfterLifetime(sourceNode.getNode(), sinkNode.getNode(), target) and
- // include only results inside `unsafe` blocks, as other results tend to be false positives
- (
- sinkNode.getNode().asExpr().getExpr().getEnclosingBlock*().isUnsafe() or
- sinkNode.getNode().asExpr().getExpr().getEnclosingCallable().(Function).isUnsafe()
- ) and
- // exclude cases with sources / sinks in macros, since these results are difficult to interpret
- not sourceNode.getNode().asExpr().getExpr().isFromMacroExpansion() and
- not sinkNode.getNode().asExpr().getExpr().isFromMacroExpansion()
+ narrowDereferenceAfterLifetime(sourceNode.getNode(), sinkNode.getNode(), target)
 select sinkNode.getNode(), sourceNode, sinkNode,
 "Access of a pointer to $@ after its lifetime has ended.", target, target.toString()
From 83fe9e0d514b4e50352da9d5825bf243e11bad9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:43:24 +0200
Subject: [PATCH 8/8] [DIFF-INFORMED] Rust: AccessInvalidPointer
---
rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql b/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
index d0a13b9ddb14..5177e1fb0e03 100644
--- a/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+++ b/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
@@ -32,6 +32,8 @@ module AccessInvalidPointerConfig implements DataFlow::ConfigSig {
 // make sinks barriers so that we only report the closest instance
 isSink(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module AccessInvalidPointerFlow = TaintTracking::Global;
pFad - Phonifier reborn
