From e059c9360a1ba664762c55b8eb9abb05f93f5019 Mon Sep 17 00:00:00 2001 
From: Asger F
Date: Fri, 20 Dec 2024 10:08:53 +0100
Subject: [PATCH] Go: mass enable diff-informed data flow
---
 go/ql/lib/semmle/go/StringOps.qll | 6 +++
 .../go/security/AllocationSizeOverflow.qll | 8 ++++
 .../semmle/go/security/CleartextLogging.qll | 2 +
 .../semmle/go/security/CommandInjection.qll | 4 ++
 go/ql/lib/semmle/go/security/ExternalAPIs.qll | 9 ++++
 .../go/security/HardcodedCredentials.qll | 2 +
 .../IncorrectIntegerConversionLib.qll | 2 +
 .../semmle/go/security/InsecureRandomness.qll | 2 +
 go/ql/lib/semmle/go/security/LogInjection.qll | 7 ++++
 .../go/security/MissingJwtSignatureCheck.qll | 8 ++++
 .../semmle/go/security/OpenUrlRedirect.qll | 2 +
 go/ql/lib/semmle/go/security/ReflectedXss.qll | 2 +
 .../lib/semmle/go/security/RequestForgery.qll | 2 +
 go/ql/lib/semmle/go/security/SafeUrlFlow.qll | 2 +
 go/ql/lib/semmle/go/security/SqlInjection.qll | 2 +
 .../lib/semmle/go/security/StoredCommand.qll | 2 +
 go/ql/lib/semmle/go/security/StoredXss.qll | 2 +
 go/ql/lib/semmle/go/security/StringBreak.qll | 2 +
 go/ql/lib/semmle/go/security/TaintedPath.qll | 2 +
 .../security/UncontrolledAllocationSize.qll | 10 +++++
 .../semmle/go/security/UnsafeUnzipSymlink.qll | 8 ++++
 .../lib/semmle/go/security/XPathInjection.qll | 2 +
 go/ql/lib/semmle/go/security/ZipSlip.qll | 2 +
 .../UnhandledCloseWritableHandle.ql | 2 +
 .../CWE-020/IncompleteHostnameRegexp.ql | 2 +
 .../Security/CWE-020/MissingRegexpAnchor.ql | 2 +
 .../CWE-020/SuspiciousCharacterInRegexp.ql | 2 +
 .../Security/CWE-209/StackTraceExposure.ql | 2 +
 .../CWE-322/InsecureHostKeyCallback.ql | 7 ++++
 .../Security/CWE-326/InsufficientKeySize.ql | 2 +
 go/ql/src/Security/CWE-327/InsecureTLS.ql | 13 ++++++
 .../Security/CWE-352/ConstantOauth2State.ql | 14 +++++++
 .../src/Security/CWE-601/BadRedirectCheck.ql | 2 +
 go/ql/src/Security/CWE-640/EmailInjection.qll | 2 +
 .../experimental/CWE-090/LDAPInjection.qll | 2 +
 .../src/experimental/CWE-1004/AuthCookie.qll | 41 +++++++++++++++++++
 go/ql/src/experimental/CWE-203/Timing.ql | 2 +
 .../src/experimental/CWE-285/PamAuthBypass.ql | 4 ++
 .../ImproperLdapAuthCustomizations.qll | 2 +
 .../experimental/CWE-321-V2/HardCodedKeys.ql | 8 ++++
 .../WeakCryptoAlgorithmCustomizations.qll | 2 +
 .../src/experimental/CWE-369/DivideByZero.ql | 2 +
 .../CWE-74/DsnInjectionCustomizations.qll | 2 +
 .../CWE-79/HTMLTemplateEscapingPassthrough.ql | 18 ++++++++
 .../CWE-807/SensitiveConditionBypass.qll | 2 +
 .../experimental/CWE-840/ConditionalBypass.ql | 2 +
 go/ql/src/experimental/CWE-918/SSRF.qll | 2 +
 .../CWE-942/CorsMisconfiguration.ql | 26 +++++++++++-
 .../experimental/Unsafe/WrongUsageOfUnsafe.ql | 8 ++++
 .../frameworks/DecompressionBombs.qll | 2 +
 50 files changed, 264 insertions(+), 1 deletion(-)
diff --git a/go/ql/lib/semmle/go/StringOps.qll b/go/ql/lib/semmle/go/StringOps.qll
index 37a13a197142..f72dd0cbe6a2 100644
--- a/go/ql/lib/semmle/go/StringOps.qll
+++ b/go/ql/lib/semmle/go/StringOps.qll
@@ -231,6 +231,12 @@ module StringOps { call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"]) ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause
+ none()
+ }
 } /**
diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
index 9531e2798129..3fdfc265ba65 100644
--- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
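Review bot: The placeholder added in StringOps.qll records its reason as a path and line number (`go/ql/lib/semmle/go/StringOps.qll:250`), which stops pointing at the flow call as soon as that file is edited; naming the predicate that makes the call would survive edits, e.g. `// Not diff-informed: flow is queried from PREDICATE_NAME, outside a select clause`. The same generated comment recurs in every other `none()` placeholder in this patch (AllocationSizeOverflow.qll, ExternalAPIs.qll, MissingJwtSignatureCheck.qll, UnsafeUnzipSymlink.qll, InsecureHostKeyCallback.ql, InsecureTLS.ql, ConstantOauth2State.ql, AuthCookie.qll, HardCodedKeys.ql, HTMLTemplateEscapingPassthrough.ql). Because these all return `none()`, the security queries built on them presumably keep running in full, so the TODOs look safe to merge but should be tracked to closure rather than left as permanent markers. The config module that receives the predicate starts outside this hunk.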
@@ -19,6 +19,12 @@ module AllocationSizeOverflow { predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) } predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -56,6 +62,8 @@ module AllocationSizeOverflow { succ = c ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow to find allocation-size overflows. */
diff --git a/go/ql/lib/semmle/go/security/CleartextLogging.qll b/go/ql/lib/semmle/go/security/CleartextLogging.qll
index 2e0c9665c4b6..5218d03d9081 100644
--- a/go/ql/lib/semmle/go/security/CleartextLogging.qll
+++ b/go/ql/lib/semmle/go/security/CleartextLogging.qll
@@ -46,6 +46,8 @@ module CleartextLogging { // Also exclude protobuf field fetches, since they amount to single field reads. not any(Protobuf::GetMethod gm).taintStep(src, trg) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll
index 7dc6f3991fc1..1774d77af54e 100644
--- a/go/ql/lib/semmle/go/security/CommandInjection.qll
+++ b/go/ql/lib/semmle/go/security/CommandInjection.qll
@@ -24,6 +24,8 @@ module CommandInjection { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
@@ -80,6 +82,8 @@ module CommandInjection { node instanceof Sanitizer or node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
index 6799099b999f..d5ebd80fd0d0 100644
--- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -186,6 +186,13 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/lib/semmle/go/security/ExternalAPIs.qll:210: Flow call outside 'select' clause
+ // go/ql/lib/semmle/go/security/ExternalAPIs.qll:213: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -197,6 +204,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
index 0be50fc23062..877a2b4570e2 100644
--- a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
+++ b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -30,6 +30,8 @@ module HardcodedCredentials { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about hardcoded credentials. */
diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
index 3c6cddc427f8..28131846e124 100644
--- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -440,6 +440,8 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf state2 = node2.(FlowStateTransformer).transform(state1) and DataFlow::simpleLocalFlowStep(node1, node2, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
index 83746f7b96ed..98fc3c6de4cf 100644
--- a/go/ql/lib/semmle/go/security/InsecureRandomness.qll
+++ b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
@@ -39,6 +39,8 @@ module InsecureRandomness { n2.getType() instanceof IntegerType ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/LogInjection.qll b/go/ql/lib/semmle/go/security/LogInjection.qll
index d8bc586ed916..7ba449873ae8 100644
--- a/go/ql/lib/semmle/go/security/LogInjection.qll
+++ b/go/ql/lib/semmle/go/security/LogInjection.qll
@@ -21,6 +21,13 @@ module LogInjection { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:140: Flow call outside 'select' clause
+ none()
+ }
 } /** Tracks taint flow for reasoning about log injection vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
index 73605d65b024..60505090472c 100644
--- a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
+++ b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
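Review bot: In LogInjection.qll the only reasons listed for `none()` are flow calls in `shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll`, which by its path is test scaffolding rather than the log-injection query. It looks as if the config is being kept out of diff-informed mode only because its inline tests call the flow predicate directly; that should be confirmed, and then either the predicate switched to `any()` or the comment reworded to say the exclusion is test-driven. UncontrolledAllocationSize.qll has the same shape, and its generated list also repeats the `InlineFlowTest.qll:122` entry twice.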
@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(AdditionalFlowStep s).step(nodeFrom, nodeTo) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about JWT vulnerabilities. */
@@ -36,6 +38,12 @@ module MissingJwtSignatureCheck { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(AdditionalFlowStep s).step(nodeFrom, nodeTo) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause
+ none()
+ }
 } private module SafeParse = TaintTracking::Global;
diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
index bfe47f260cd6..1d2d7a1c60bb 100644
--- a/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
+++ b/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
@@ -54,6 +54,8 @@ module OpenUrlRedirect { or hostnameSanitizingPrefixEdge(node, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow from unvalidated, untrusted data to URL redirections. */
diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll
index 1068c6fae3d1..c9fed48c2114 100644
--- a/go/ql/lib/semmle/go/security/ReflectedXss.qll
+++ b/go/ql/lib/semmle/go/security/ReflectedXss.qll
@@ -22,6 +22,8 @@ module ReflectedXss { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow from untrusted data to XSS attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
index bdf26a1f18fe..864c6b4f53ce 100644
--- a/go/ql/lib/semmle/go/security/RequestForgery.qll
+++ b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -31,6 +31,8 @@ module RequestForgery { w.writesField(v.getAUse(), f, pred) and succ = v.getAUse() ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow from untrusted data to request forgery attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
index d74e2156a609..1759c819a9af 100644
--- a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
+++ b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -36,6 +36,8 @@ module SafeUrlFlow { or node instanceof SanitizerEdge }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about safe URLs. */
diff --git a/go/ql/lib/semmle/go/security/SqlInjection.qll b/go/ql/lib/semmle/go/security/SqlInjection.qll
index e24b30f40d38..5b7513090258 100644
--- a/go/ql/lib/semmle/go/security/SqlInjection.qll
+++ b/go/ql/lib/semmle/go/security/SqlInjection.qll
@@ -23,6 +23,8 @@ module SqlInjection { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/StoredCommand.qll b/go/ql/lib/semmle/go/security/StoredCommand.qll
index 38555370cfcc..983f739bdab2 100644
--- a/go/ql/lib/semmle/go/security/StoredCommand.qll
+++ b/go/ql/lib/semmle/go/security/StoredCommand.qll
@@ -26,6 +26,8 @@ module StoredCommand { predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about command-injection vulnerabilities. */
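Review bot: SafeUrlFlow.qll is switched to `any()`, but its doc comment says the config reasons about safe URLs, which suggests other queries consume it to suppress results rather than to report them. If any caller uses it under negation (a `not ...flow(...)` condition), a diff-informed run that skips flows with neither end in the changed range would make that negation hold more often and could surface alerts that a full run suppresses. The generated TODOs only mention flow calls outside a `select` clause, so this case appears not to be covered by the automated check; the callers should be inspected and, if it applies, the predicate changed to `predicate observeDiffInformedIncrementalMode() { none() }` with a comment stating why. PamAuthBypass.ql, with its paired PamStartToAcctMgmt and PamStartToAuthenticate configs both set to `any()`, deserves the same check.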
diff --git a/go/ql/lib/semmle/go/security/StoredXss.qll b/go/ql/lib/semmle/go/security/StoredXss.qll
index 2bf6bf248048..3bea8e8c1e00 100644
--- a/go/ql/lib/semmle/go/security/StoredXss.qll
+++ b/go/ql/lib/semmle/go/security/StoredXss.qll
@@ -22,6 +22,8 @@ module StoredXss { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about XSS. */
diff --git a/go/ql/lib/semmle/go/security/StringBreak.qll b/go/ql/lib/semmle/go/security/StringBreak.qll
index 02b4c5b3313b..87a676b6f97f 100644
--- a/go/ql/lib/semmle/go/security/StringBreak.qll
+++ b/go/ql/lib/semmle/go/security/StringBreak.qll
@@ -26,6 +26,8 @@ module StringBreak { predicate isBarrier(DataFlow::Node node, FlowState state) { state = node.(Sanitizer).getQuote() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/TaintedPath.qll b/go/ql/lib/semmle/go/security/TaintedPath.qll
index 674cda1157cf..b814ad5d4ac6 100644
--- a/go/ql/lib/semmle/go/security/TaintedPath.qll
+++ b/go/ql/lib/semmle/go/security/TaintedPath.qll
@@ -17,6 +17,8 @@ module TaintedPath { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about path-traversal vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll b/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
index 885aa7a7053c..31d0bd1b9b04 100644
--- a/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
+++ b/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
@@ -27,6 +27,16 @@ module UncontrolledAllocationSize { node2 = cn.getResult(0) ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:114: Flow call outside 'select' clause
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:139: Flow call outside 'select' clause
+ // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:140: Flow call outside 'select' clause
+ none()
+ }
 } /** Tracks taint flow for reasoning about uncontrolled allocation size issues. */
diff --git a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
index 1d18ac5f639a..5f9c3665ad14 100644
--- a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
+++ b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
@@ -20,6 +20,12 @@ module UnsafeUnzipSymlink { predicate isSink(DataFlow::Node sink) { sink instanceof EvalSymlinksSink } predicate isBarrier(DataFlow::Node node) { node instanceof EvalSymlinksInvalidator }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll:35: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -44,6 +50,8 @@ module UnsafeUnzipSymlink { predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink } predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/XPathInjection.qll b/go/ql/lib/semmle/go/security/XPathInjection.qll
index 61bd00977daf..900b81053370 100644
--- a/go/ql/lib/semmle/go/security/XPathInjection.qll
+++ b/go/ql/lib/semmle/go/security/XPathInjection.qll
@@ -19,6 +19,8 @@ module XPathInjection { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/lib/semmle/go/security/ZipSlip.qll b/go/ql/lib/semmle/go/security/ZipSlip.qll
index f16daf84c3dd..6de2be91509a 100644
--- a/go/ql/lib/semmle/go/security/ZipSlip.qll
+++ b/go/ql/lib/semmle/go/security/ZipSlip.qll
@@ -17,6 +17,8 @@ module ZipSlip { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about zip-slip vulnerabilities. */
diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
index 8846f52fb743..78c70ca4ad54 100644
--- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -127,6 +127,8 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) } predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
index 03018ee1c32d..18ddcc99f94e 100644
--- a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
+++ b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
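Review bot: In UnhandledCloseWritableHandle.ql both `isSource` and `isSink` discard a second argument (`isWritableFileHandle(source, _)`, `isCloseSink(sink, _)`), which hints that the query reports on a related node rather than on the source or sink itself. Diff-informed filtering is keyed on the source and sink locations unless the config overrides `getASelectedSourceLocation` / `getASelectedSinkLocation`, so if the select clause (outside this hunk) reports the related node, alerts on changed code could be dropped from incremental runs. Please confirm what the select reports and add the overrides where needed. MissingRegexpAnchor.ql, SuspiciousCharacterInRegexp.ql and the first config in ConstantOauth2State.ql are set to `any()` with the same pattern.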
@@ -103,6 +103,8 @@ module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { StringOps::Concatenation::taintStep(node1, node2) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module Flow = DataFlow::Global;
diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
index df93440ac526..ad38c1a50dcb 100644
--- a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
@@ -72,6 +72,8 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSourceString(source, _) } predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module Flow = DataFlow::Global;
diff --git a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
index 81cc634346a3..933fa95dc270 100644
--- a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
+++ b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
@@ -40,6 +40,8 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSourceString(source, _) } predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/Security/CWE-209/StackTraceExposure.ql b/go/ql/src/Security/CWE-209/StackTraceExposure.ql
index 3440fdba3148..408e12b3c15e 100644
--- a/go/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/go/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -62,6 +62,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig { cgn.dominates(node.getBasicBlock()) ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
index 2c292785f7f1..4465e3699b73 100644
--- a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+++ b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -68,6 +68,13 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:90: Flow call outside 'select' clause
+ // go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:96: Flow call outside 'select' clause
+ none()
+ }
 } /**
diff --git a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
index 19db3ef63ae4..6fa421baaeb3 100644
--- a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
+++ b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
@@ -25,6 +25,8 @@ module Config implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node = DataFlow::BarrierGuard::getABarrierNode() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/Security/CWE-327/InsecureTLS.ql b/go/ql/src/Security/CWE-327/InsecureTLS.ql
index a4a9ab1f549a..2e808c080772 100644
--- a/go/ql/src/Security/CWE-327/InsecureTLS.ql
+++ b/go/ql/src/Security/CWE-327/InsecureTLS.ql
@@ -71,6 +71,13 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { intIsSource(source, _) } predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/Security/CWE-327/InsecureTLS.ql:87: Flow call outside 'select' clause
+ // go/ql/src/Security/CWE-327/InsecureTLS.ql:128: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -201,6 +208,12 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig { * suites. */ predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/Security/CWE-327/InsecureTLS.ql:221: Flow call outside 'select' clause
+ none()
+ }
 } /**
diff --git a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
index daaac1ce4f3b..2b1b5c40e9a5 100644
--- a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
+++ b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -40,6 +40,8 @@ module ConstantStateFlowConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
@@ -110,6 +112,12 @@ module PrivateUrlFlowsToAuthCodeUrlCallConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/Security/CWE-352/ConstantOauth2State.ql:134: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -144,6 +152,12 @@ module FlowToPrintConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source = any(AuthCodeUrl m).getACall().getResult() } predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/Security/CWE-352/ConstantOauth2State.ql:153: Flow call outside 'select' clause
+ none()
+ }
 } module FlowToPrintFlow = DataFlow::Global;
diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
index bc60e1339eb9..a522bbdf3d88 100644
--- a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
+++ b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
@@ -123,6 +123,8 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module Flow = TaintTracking::Global;
diff --git a/go/ql/src/Security/CWE-640/EmailInjection.qll b/go/ql/src/Security/CWE-640/EmailInjection.qll
index 35b7795ad55f..e3016b44aa1a 100644
--- a/go/ql/src/Security/CWE-640/EmailInjection.qll
+++ b/go/ql/src/Security/CWE-640/EmailInjection.qll
@@ -20,6 +20,8 @@ module EmailInjection { predicate isSource(DataFlow::Node source) { source instanceof Source } predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Tracks taint flow for reasoning about email-injection vulnerabilities. */
diff --git a/go/ql/src/experimental/CWE-090/LDAPInjection.qll b/go/ql/src/experimental/CWE-090/LDAPInjection.qll
index fd138fa06458..a770666fe93e 100644
--- a/go/ql/src/experimental/CWE-090/LDAPInjection.qll
+++ b/go/ql/src/experimental/CWE-090/LDAPInjection.qll
@@ -101,6 +101,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink } predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
index 411da5a79fa0..cbdf03b7e9d5 100644
--- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll
+++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -76,6 +76,12 @@ private module NameToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig sl = succ.asExpr() ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:46: Flow call outside 'select' clause
+ none()
+ }
 } /** Tracks taint flow from sensitive names to `net/http.SetCookie`. */
@@ -95,6 +101,13 @@ private module BoolToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig sl = succ.asExpr() ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:48: Flow call outside 'select' clause
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:52: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -116,6 +129,8 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig { ) ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
@@ -133,6 +148,12 @@ private module NameToGinSetCookieTrackingConfig implements DataFlow::ConfigSig { mcn.getArgument(0) = sink ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-1004/AuthCookie.qll:114: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -184,6 +205,12 @@ private module GorillaCookieStoreSaveTrackingConfig implements DataFlow::ConfigS succ = cn.getResult(0) ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:70: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -208,6 +235,13 @@ private module GorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSi succ = base ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:72: Flow call outside 'select' clause
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:77: Flow call outside 'select' clause
+ none()
+ }
 } /**
@@ -235,6 +269,13 @@ private module BoolToGorillaSessionOptionsTrackingConfig implements DataFlow::Co succ = base ) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:80: Flow call outside 'select' clause
+ // go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql:85: Flow call outside 'select' clause
+ none()
+ }
 } /**
diff --git a/go/ql/src/experimental/CWE-203/Timing.ql b/go/ql/src/experimental/CWE-203/Timing.ql
index ab0b50a657a9..e488adf2f97f 100644
--- a/go/ql/src/experimental/CWE-203/Timing.ql
+++ b/go/ql/src/experimental/CWE-203/Timing.ql
@@ -102,6 +102,8 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module Flow = TaintTracking::Global;
diff --git a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
index 02f47ba2b738..db2dc94f8f07 100644
--- a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
+++ b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
@@ -42,6 +42,8 @@ module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(PamAcctMgmt p | p.getACall().getReceiver() = sink) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module PamStartToAcctMgmtFlow = TaintTracking::Global;
@@ -55,6 +57,8 @@ module PamStartToAuthenticateConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(PamAuthenticate p | p.getACall().getReceiver() = sink) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module PamStartToAuthenticateFlow = TaintTracking::Global;
diff --git a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll
index 7a62041a774a..0a2739eabc79 100644
--- a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll
+++ b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll
@@ -74,6 +74,8 @@ module ImproperLdapAuth { predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink } predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql
index 39cc2ca99176..c5b804becbee 100644
--- a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql
+++ b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql
@@ -33,6 +33,8 @@ module JwtParseWithConstantKeyConfig implements DataFlow::ConfigSig { // second part is the JWT Parsing Functions that get a string or byte as an argument sink = any(JwtParse jp).getKeyArg() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig {
@@ -45,6 +47,12 @@ module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink = any(JwtParseWithKeyFunction parseJwt).getKeyFuncArg() }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql:27: Flow call outside 'select' clause
+ none()
+ }
 } module JwtParseWithConstantKey = TaintTracking::Global;
diff --git a/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll b/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll
index 1d64d731f507..b9104f1fe096 100644
--- a/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll
+++ b/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll
@@ -54,6 +54,8 @@ module WeakCryptoAlgorithm { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/experimental/CWE-369/DivideByZero.ql b/go/ql/src/experimental/CWE-369/DivideByZero.ql
index b6709b97d712..99cd120dbf8b 100644
--- a/go/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -45,6 +45,8 @@ module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink = DataFlow::exprNode(any(QuoExpr e).getRightOperand()) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll b/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll
index 2c3208550720..88a45d70ba52 100644
--- a/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll
+++ b/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll
@@ -19,6 +19,8 @@ private module DsnInjectionConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof RegexpCheckBarrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql index 0aff713f26bc..a49b240d4f33 100644 --- a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql +++ b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql @@ -50,6 +50,12 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig predicate isBarrier(DataFlow::Node node) { node instanceof SharedXss::Sanitizer or node.getType() instanceof NumericType } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql:24: Flow call outside 'select' clause + none() + } } /** @@ -85,6 +91,12 @@ module PassthroughTypeConversionToTemplateExecutionCallConfig implements DataFlo } predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql:70: Flow call outside 'select' clause + none() + } } /** @@ -112,6 +124,12 @@ module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql:133: Flow call outside 'select' clause + none() + } } /** 
diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll index 2f2ca94fa87f..6b03a37bffff 100644 --- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll +++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll @@ -59,6 +59,8 @@ private module Config implements DataFlow::ConfigSig { not c.isPotentialFalsePositive() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql index b70be1ff42db..06c3c09b6510 100644 --- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql +++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql @@ -22,6 +22,8 @@ module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about conditional bypass. */ diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll index b1374da8a5f7..9a18cd71a8b1 100644 --- a/go/ql/src/experimental/CWE-918/SSRF.qll +++ b/go/ql/src/experimental/CWE-918/SSRF.qll @@ -30,6 +30,8 @@ module ServerSideRequestForgery { predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about request forgery vulnerabilities. */ diff --git a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql index 7a1ff256be1a..a81ce0c3ee26 100644 --- a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql +++ b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql 
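Review bot: In ConditionalBypass.ql, `any()` is enabled on a config whose sink is an operand of a `ComparisonExpr`, but the hunk does not show which element the query reports. Diff-informed mode restricts flow to paths whose selected source or sink location falls in the changed range. If the alert is placed on the comparison (or any node other than `sink`), the config should also override `getASelectedSinkLocation`, otherwise a pull-request scan could silently drop an alert on a changed line. This needs checking against the `select` clause, which is outside this hunk, as is the start of `Config`.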
@@ -67,6 +67,12 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSinkHW(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql:129: Flow call outside 'select' clause + none() + } } module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig { @@ -75,6 +81,12 @@ module UntrustedToAllowOriginConfigConfig implements DataFlow::ConfigSig { additional predicate isSinkWrite(DataFlow::Node sink, GinCors::AllowOriginsWrite w) { sink = w } predicate isSink(DataFlow::Node sink) { isSinkWrite(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql:132: Flow call outside 'select' clause + none() + } } /** @@ -173,7 +185,13 @@ module FromUntrustedConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) } - additional predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) { + additional predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql:221: Flow call outside 'select' clause + none() + } + + predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) { exists(IfStmt ifs | exists(Expr operand | operand = ifs.getCond().getAChildExpr*() and @@ -205,6 +223,12 @@ module FromUntrustedConfig implements DataFlow::ConfigSig { cgn.getCondition() = ifs.getCond() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql:221: Flow call outside 'select' clause + none() + } } /** 
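Review bot: In `FromUntrustedConfig` the hunk at `-173,7 +185,13` rewrites the header of the existing helper instead of inserting beside it: `additional` moves from `isSinkCgn` onto a new `observeDiffInformedIncrementalMode()`, and the hunk at `-205,6 +223,12` then adds the same predicate a second time. The module ends up with two definitions of `observeDiffInformedIncrementalMode`. `isSinkCgn` takes an extra `cgn` parameter, so it is presumably not a `ConfigSig` member, yet it no longer carries `additional`; I would expect this not to compile. Drop the first insertion, restore `additional predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) {`, and keep only the plain `predicate observeDiffInformedIncrementalMode()` at the end of the module.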
diff --git a/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql b/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql index e0f0098be4e0..5ecaa0ac1cec 100644 --- a/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql +++ b/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql @@ -51,6 +51,14 @@ module UnsafeTypeCastingConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { conversionIsSource(source, _) } predicate isSink(DataFlow::Node sink) { typeCastNodeIsSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql:73: Flow call outside 'select' clause + // go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql:120: Flow call outside 'select' clause + // go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql:150: Flow call outside 'select' clause + none() + } } /** Tracks taint flow for reasoning about type casting from a `unsafe.Pointer`. */ diff --git a/go/ql/src/experimental/frameworks/DecompressionBombs.qll b/go/ql/src/experimental/frameworks/DecompressionBombs.qll index 5828cd60e523..170104ebd43b 100644 --- a/go/ql/src/experimental/frameworks/DecompressionBombs.qll +++ b/go/ql/src/experimental/frameworks/DecompressionBombs.qll @@ -56,6 +56,8 @@ module DecompressionBomb { addStep.isAdditionalFlowStep(fromNode, fromState, toNode, toState) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about decompression bomb vulnerabilities. */