Merge pull request #18337 from asgerf/rb/diff-informed

Ruby: enable diff-informed data flow queries

ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll

@@ -158,6 +158,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
     ) and
     state = PostValidationState()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll

@@ -29,6 +29,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof ZipSlip::Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll

@@ -118,6 +118,10 @@ private module ExconDisablesCertificateValidationConfig implements DataFlow::Con
   predicate isSink(DataFlow::Node sink) {
     sink = any(ExconHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module ExconDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll

@@ -99,6 +99,10 @@ private module FaradayDisablesCertificateValidationConfig implements DataFlow::S
   predicate isSink(DataFlow::Node sink, FlowState state) {
     sink = any(FaradayHttpRequest req).getCertificateValidationControllingValue(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module FaradayDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll

@@ -80,6 +80,10 @@ private module HttpClientDisablesCertificateValidationConfig implements DataFlow
   predicate isSink(DataFlow::Node sink) {
     sink = any(HttpClientRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module HttpClientDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll

@@ -70,6 +70,10 @@ private module HttpartyDisablesCertificateValidationConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     sink = any(HttpartyRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module HttpartyDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll

@@ -103,6 +103,10 @@ private module NetHttpDisablesCertificateValidationConfig implements DataFlow::C
   predicate isSink(DataFlow::Node sink) {
     sink = any(NetHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module NetHttpDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll

@@ -110,6 +110,10 @@ private module OpenUriDisablesCertificateValidationConfig implements DataFlow::C
     or
     sink = any(OpenUriKernelOpenRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module OpenUriDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll

@@ -73,6 +73,10 @@ private module RestClientDisablesCertificateValidationConfig implements DataFlow
   predicate isSink(DataFlow::Node sink) {
     sink = any(RestClientHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module RestClientDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll

@@ -64,6 +64,10 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     sink = any(TyphoeusHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Used for a library model
+  }
 }
 
 private module TyphoeusDisablesCertificateValidationFlow =

ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll

@@ -52,6 +52,10 @@ module Pathname {
             ]
         )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      none() // Used for a library model
+    }
   }
 
   private module PathnameFlow = DataFlow::Global<PathnameConfig>;

ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll

@@ -27,6 +27,8 @@ private module Config implements DataFlow::ConfigSig {
     cs.isAny() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll

@@ -26,6 +26,8 @@ private module Config implements DataFlow::ConfigSig {
     cs.isAny() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll

@@ -31,6 +31,8 @@ private module Config implements DataFlow::StateConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { node instanceof Source }
 
   int fieldFlowBranchLimit() { result = 10 }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll

@@ -23,6 +23,8 @@ private module Config implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll

@@ -17,6 +17,8 @@ private module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll

@@ -33,6 +33,8 @@ private module Config implements DataFlow::StateConfigSig {
     ) and
     stateTo = FlowState::Taint()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll

@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll

@@ -13,6 +13,8 @@ private module ImproperLdapAuthConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll

@@ -20,6 +20,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll

@@ -13,6 +13,8 @@ private module InsecureRandomnessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll

@@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig {
     node instanceof StringConstArrayInclusionCallBarrier or
     node instanceof Sanitizer
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll

@@ -26,6 +26,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     LI::isAdditionalFlowStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll

@@ -73,6 +73,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll

@@ -59,6 +59,8 @@ private module Config implements DataFlow::StateConfigSig {
       state2 instanceof FlowState::Permitted
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Taint tracking for reasoning about user input used for mass assignment. */

ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll

@@ -20,6 +20,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll

@@ -22,6 +22,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     RX::isAdditionalXssTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll

@@ -16,6 +16,10 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since the alert references `Source.getHandler()`
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll

@@ -22,6 +22,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll

@@ -13,6 +13,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll

@@ -17,6 +17,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll

@@ -32,6 +32,8 @@ private module StoredXssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalXssTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll

@@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll

@@ -13,6 +13,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll

@@ -24,6 +24,8 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll

@@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof UnsafeDeserialization::Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll

@@ -21,6 +21,8 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll

@@ -26,6 +26,8 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll

@@ -22,6 +22,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     UrlRedirect::isAdditionalTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll

@@ -28,6 +28,8 @@ module NormalHashFunction {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -54,6 +56,8 @@ module ComputationallyExpensiveHashFunction {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */

ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll

@@ -24,6 +24,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**