C#: mass enable diff-informed data flow

github · Dec 20, 2024 · 9a975f3 · 9a975f3
1 parent 772b972
commit 9a975f3
Show file tree

Hide file tree

Showing 47 changed files with 243 additions and 0 deletions.
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
@@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con
       node.asExpr() = mc.getArgumentForName("command")
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DapperCommandDefinitionMethodCallSql =

diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
@@ -167,6 +167,12 @@ private module SettingsDataFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof XmlReaderSettingsCreation }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof XmlReaderSettingsInstance }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll:190: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module SettingsDataFlow = DataFlow::Global<SettingsDataFlowConfig>;

diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
@@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig {
 
   /** Holds if the node is a key sanitizer. */
   predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
@@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey {
         succ.asExpr() = mc
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
@@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
@@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
@@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
@@ -39,6 +39,8 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
@@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
@@ -78,6 +78,13 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:88: Flow call outside 'select' clause
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:91: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
@@ -45,6 +45,8 @@ module LdapInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
@@ -35,6 +35,8 @@ private module LogForgingConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll
@@ -39,6 +39,8 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { exists(sink.(Sink).getReason()) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
@@ -33,6 +33,8 @@ private module ReDoSConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -77,6 +79,12 @@ private module ExponentialRegexDataFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node s) { isExponentialRegex(s.asExpr()) }
 
   predicate isSink(DataFlow::Node s) { s.asExpr() = any(RegexOperation c).getPattern() }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll:92: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ExponentialRegexDataFlow = DataFlow::Global<ExponentialRegexDataFlowConfig>;

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll
@@ -33,6 +33,8 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
@@ -32,6 +32,8 @@ private module ResourceInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
@@ -43,6 +43,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll
@@ -35,6 +35,8 @@ private module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -59,6 +59,8 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -77,6 +79,15 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 55
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 2 does not select a source or sink originating from the flow call on line 55
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 3 does not select a source or sink originating from the flow call on line 55
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 55
+    none()
+  }
 }
 
 /**
@@ -133,6 +144,15 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 56
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 2 does not select a source or sink originating from the flow call on line 56
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 3 does not select a source or sink originating from the flow call on line 56
+    // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 56
+    none()
+  }
 }
 
 /**
@@ -149,6 +169,8 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
   predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -186,6 +208,8 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof StrongTypeDeserializer
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -210,6 +234,8 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
       sink.asExpr() = mc.getQualifier()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -342,6 +368,12 @@ private module DataContractJsonSafeConstructorTrackingConfig implements DataFlow
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:28: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DataContractJsonSafeConstructorTracking =
@@ -389,6 +421,12 @@ private module JavaScriptSerializerSafeConstructorTrackingConfig implements Data
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:29: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module JavaScriptSerializerSafeConstructorTracking =
@@ -434,6 +472,12 @@ private module XmlObjectSerializerDerivedConstructorTrackingConfig implements Da
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:30: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module XmlObjectSerializerDerivedConstructorTracking =
@@ -476,6 +520,12 @@ private module XmlSerializerSafeConstructorTrackingConfig implements DataFlow::C
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:31: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module XmlSerializerSafeConstructorTracking =
@@ -522,6 +572,12 @@ private module DataContractSerializerSafeConstructorTrackingConfig implements Da
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:32: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DataContractSerializerSafeConstructorTracking =
@@ -564,6 +620,12 @@ private module XmlMessageFormatterSafeConstructorTrackingConfig implements DataF
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:33: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module XmlMessageFormatterSafeConstructorTracking =

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -37,6 +37,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll
@@ -43,6 +43,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
@@ -158,6 +158,12 @@ module XssTrackingConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll:22: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module XssTracking = TaintTracking::Global<XssTrackingConfig>;

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
@@ -30,6 +30,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
@@ -111,6 +111,12 @@ private module LocalFileOutputStreamConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof SystemIOStreamWriterClass
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll:124: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module LocalFileOutputStreamFlow = DataFlow::Global<LocalFileOutputStreamConfig>;
-Original file line number
+Diff line change
@@ Expand Up @@
       /** Holds if the node is a key sanitizer. */
       predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+      predicate observeDiffInformedIncrementalMode() { any() }
     }
     /**
@@ Expand Down @@