From 4dc632f742c1e82b21e5150876c59586e7eb521c Mon Sep 17 00:00:00 2001 
From: Asger F Date: Fri, 20 Dec 2024 10:10:29 +0100 Subject: [PATCH 1/4] Ruby: mass enable diff-informed data flow --- .../experimental/UnicodeBypassValidationQuery.qll | 2 ++ .../ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll | 2 ++ .../codeql/ruby/frameworks/http_clients/Excon.qll | 6 ++++++ .../codeql/ruby/frameworks/http_clients/Faraday.qll | 6 ++++++ .../ruby/frameworks/http_clients/HttpClient.qll | 6 ++++++ .../codeql/ruby/frameworks/http_clients/Httparty.qll | 6 ++++++ .../codeql/ruby/frameworks/http_clients/NetHttp.qll | 6 ++++++ .../codeql/ruby/frameworks/http_clients/OpenURI.qll | 7 +++++++ .../ruby/frameworks/http_clients/RestClient.qll | 6 ++++++ .../codeql/ruby/frameworks/http_clients/Typhoeus.qll | 6 ++++++ .../lib/codeql/ruby/frameworks/stdlib/Pathname.qll | 6 ++++++ .../codeql/ruby/security/CleartextLoggingQuery.qll | 2 ++ .../codeql/ruby/security/CleartextStorageQuery.qll | 2 ++ .../lib/codeql/ruby/security/CodeInjectionQuery.qll | 2 ++ .../codeql/ruby/security/CommandInjectionQuery.qll | 2 ++ .../codeql/ruby/security/ConditionalBypassQuery.qll | 6 ++++++ .../security/HardcodedDataInterpretedAsCodeQuery.qll | 2 ++ .../codeql/ruby/security/HttpToFileAccessQuery.qll | 2 ++ .../codeql/ruby/security/ImproperLdapAuthQuery.qll | 2 ++ .../codeql/ruby/security/InsecureDownloadQuery.qll | 2 ++ .../codeql/ruby/security/InsecureRandomnessQuery.qll | 2 ++ ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll | 2 ++ .../lib/codeql/ruby/security/LdapInjectionQuery.qll | 2 ++ .../lib/codeql/ruby/security/LogInjectionQuery.qll | 2 ++ .../lib/codeql/ruby/security/MassAssignmentQuery.qll | 2 ++ .../lib/codeql/ruby/security/PathInjectionQuery.qll | 2 ++ .../lib/codeql/ruby/security/ReflectedXSSQuery.qll | 2 ++ .../codeql/ruby/security/SensitiveGetQueryQuery.qll | 6 ++++++ .../ruby/security/ServerSideRequestForgeryQuery.qll | 2 ++ .../lib/codeql/ruby/security/SqlInjectionQuery.qll | 2 ++ .../codeql/ruby/security/StackTraceExposureQuery.qll | 2 ++ 
ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll | 2 ++ .../ruby/security/TaintedFormatStringQuery.qll | 2 ++ .../codeql/ruby/security/TemplateInjectionQuery.qll | 2 ++ .../ruby/security/UnsafeCodeConstructionQuery.qll | 2 ++ .../ruby/security/UnsafeDeserializationQuery.qll | 2 ++ .../ruby/security/UnsafeHtmlConstructionQuery.qll | 2 ++ .../security/UnsafeShellCommandConstructionQuery.qll | 2 ++ .../ql/lib/codeql/ruby/security/UrlRedirectQuery.qll | 2 ++ .../ruby/security/WeakSensitiveDataHashingQuery.qll | 12 ++++++++++++ .../lib/codeql/ruby/security/XpathInjectionQuery.qll | 2 ++ .../ruby/security/regexp/MissingFullAnchorQuery.qll | 2 ++ .../ruby/security/regexp/PolynomialReDoSQuery.qll | 2 ++ .../ruby/security/regexp/RegExpInjectionQuery.qll | 2 ++ .../CWE-522-DecompressionBombs/DecompressionBombs.ql | 2 ++ .../decompression-api/DecompressionApi.ql | 2 ++ .../ManuallyCheckHttpVerb.ql | 2 ++ ruby/ql/src/experimental/weak-params/WeakParams.ql | 2 ++ ruby/ql/src/queries/meta/TaintedNodes.ql | 2 ++ ruby/ql/src/queries/security/cwe-611/Xxe.ql | 2 ++ .../queries/security/cwe-732/WeakFilePermissions.ql | 2 ++ .../queries/security/cwe-798/HardcodedCredentials.ql | 2 ++ 52 files changed, 159 insertions(+) diff --git a/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll b/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll index 7a5be05ac303..f38ab9df3dab 100644 --- a/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll +++ b/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll @@ -158,6 +158,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig ) and state = PostValidationState() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll b/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll index cb6dfc931bd4..0e4163ec35cc 100644 --- a/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll 
+++ b/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll @@ -29,6 +29,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof ZipSlip::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll index 47789542f23d..a97f48d3503c 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll @@ -118,6 +118,12 @@ private module ExconDisablesCertificateValidationConfig implements DataFlow::Con predicate isSink(DataFlow::Node sink) { sink = any(ExconHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/Excon.qll:74: Flow call outside 'select' clause + none() + } } private module ExconDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll index f832ebb89b7d..5091f7d634be 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll @@ -99,6 +99,12 @@ private module FaradayDisablesCertificateValidationConfig implements DataFlow::S predicate isSink(DataFlow::Node sink, FlowState state) { sink = any(FaradayHttpRequest req).getCertificateValidationControllingValue(state) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/Faraday.qll:80: Flow call outside 'select' clause + none() + } } private module FaradayDisablesCertificateValidationFlow = 
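Review bot: The TODO comment added in the Excon config justifies the opt-out with a file-and-line reference (`lib/codeql/ruby/frameworks/http_clients/Excon.qll:74`) that goes stale with the next edit to that file, while nothing in the predicate says why the config must stay out of diff-informed mode. Since `none()` appears to be the signature's default (worth confirming against the shared data-flow library), the stub is only a marker, so its comment should carry the durable reason — presumably that the flow result feeds a library predicate consumed by other queries rather than a `select` clause — e.g. `// Not diff-informed: the flow result is consumed by a library predicate, not a select clause, so range pruning would drop results for other callers.` The same generated stub appears in the Faraday hunk on this line and in the HttpClient, Httparty, NetHttp, OpenURI, RestClient, Typhoeus, Pathname, ConditionalBypass, SensitiveGetQuery and WeakSensitiveDataHashing hunks below. The enclosing module `ExconDisablesCertificateValidationConfig` starts outside the hunk.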
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll index 111967f23cc9..788cce6ac307 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll @@ -80,6 +80,12 @@ private module HttpClientDisablesCertificateValidationConfig implements DataFlow predicate isSink(DataFlow::Node sink) { sink = any(HttpClientRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/HttpClient.qll:67: Flow call outside 'select' clause + none() + } } private module HttpClientDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll index f5320cd35c81..a0de0b1214e0 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll @@ -70,6 +70,12 @@ private module HttpartyDisablesCertificateValidationConfig implements DataFlow:: predicate isSink(DataFlow::Node sink) { sink = any(HttpartyRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/Httparty.qll:59: Flow call outside 'select' clause + none() + } } private module HttpartyDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll index 509d106f29cb..803dc5cccfd8 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll 
@@ -103,6 +103,12 @@ private module NetHttpDisablesCertificateValidationConfig implements DataFlow::C predicate isSink(DataFlow::Node sink) { sink = any(NetHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/NetHttp.qll:90: Flow call outside 'select' clause + none() + } } private module NetHttpDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll index fb8a55e775d8..86f614f9388e 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll @@ -110,6 +110,13 @@ private module OpenUriDisablesCertificateValidationConfig implements DataFlow::C or sink = any(OpenUriKernelOpenRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:48: Flow call outside 'select' clause + // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:95: Flow call outside 'select' clause + none() + } } private module OpenUriDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll index 5516e56493ca..865a5bea580c 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll 
@@ -73,6 +73,12 @@ private module RestClientDisablesCertificateValidationConfig implements DataFlow predicate isSink(DataFlow::Node sink) { sink = any(RestClientHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/RestClient.qll:60: Flow call outside 'select' clause + none() + } } private module RestClientDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll index c1b13323f9a6..0572616361e5 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll @@ -64,6 +64,12 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow:: predicate isSink(DataFlow::Node sink) { sink = any(TyphoeusHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll:53: Flow call outside 'select' clause + none() + } } private module TyphoeusDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll index 217cfaf50d61..6f28ecd3ce21 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll @@ -52,6 +52,12 @@ module Pathname { ] ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/frameworks/stdlib/Pathname.qll:30: Flow call outside 'select' clause + none() + } } private module PathnameFlow = DataFlow::Global; 
diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll index 38dc08731f42..36ed0fa30a59 100644 --- a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll @@ -27,6 +27,8 @@ private module Config implements DataFlow::ConfigSig { cs.isAny() and isSink(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll index 60dfd216609c..66817f0f9abf 100644 --- a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll @@ -26,6 +26,8 @@ private module Config implements DataFlow::ConfigSig { cs.isAny() and isSink(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll index 9394601c5ed8..3a738703cf11 100644 --- a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll @@ -31,6 +31,8 @@ private module Config implements DataFlow::StateConfigSig { predicate isBarrierIn(DataFlow::Node node) { node instanceof Source } int fieldFlowBranchLimit() { result = 10 } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll index 74d00b254790..a5b4d965894a 100644 --- a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll 
@@ -23,6 +23,8 @@ private module Config implements DataFlow::ConfigSig { node instanceof StringConstCompareBarrier or node instanceof StringConstArrayInclusionCallBarrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll index fa7e829d684f..8f71fe64a5bc 100644 --- a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll @@ -17,6 +17,12 @@ private module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // src/experimental/cwe-807/ConditionalBypass.ql:78: Flow call outside 'select' clause + none() + } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll index 3fdd6ffc2a4f..7dae6ab8532e 100644 --- a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll @@ -33,6 +33,8 @@ private module Config implements DataFlow::StateConfigSig { ) and stateTo = FlowState::Taint() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll index 6a2eb63198ab..51992d4be471 100644 --- a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll 
@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll index bddc6d2c3c45..7e9d4390ba6a 100644 --- a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll @@ -13,6 +13,8 @@ private module ImproperLdapAuthConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll index 9e813209b53c..641766acc707 100644 --- a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll @@ -20,6 +20,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig { predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll index 1cb503a30c81..7cc5e6f98388 100644 --- a/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll 
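Review bot: `HttpToFileAccessConfig` is declared as a public `module`, so the `any()` added here opts in every query that instantiates a flow module from it, not only the in-repo query the generator presumably checked; a downstream consumer whose `select` does not report this flow's source and sink could silently lose results under diff-informed incremental analysis. Either make the module `private` if nothing outside this file uses it, or state the contract on the new predicate: `/** Diff-informed pruning assumes every consumer's select clause reports this flow's source and sink. */`. `TaintedFormatStringConfig` further down is public as well and has the same exposure. The enclosing module starts outside the hunk.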
@@ -13,6 +13,8 @@ private module InsecureRandomnessConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll index 14e9a7e31a74..085be309ec1c 100644 --- a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll @@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig { node instanceof StringConstArrayInclusionCallBarrier or node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll index 73dcac76b995..770357c2d1b5 100644 --- a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll @@ -26,6 +26,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { LI::isAdditionalFlowStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll index 648f9496ea19..487dc31d4f0b 100644 --- a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll @@ -73,6 +73,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll b/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll index 0d6bcd0a34f7..aeb4bffeccea 100644 --- a/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll @@ -59,6 +59,8 @@ private module Config implements DataFlow::StateConfigSig { state2 instanceof FlowState::Permitted ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Taint tracking for reasoning about user input used for mass assignment. */ diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll index 55329c50717d..ff2cac8f78ed 100644 --- a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll @@ -20,6 +20,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll index d1618a949042..277092f2de0a 100644 --- a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll @@ -22,6 +22,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { RX::isAdditionalXssTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll index d3fe93fa764a..8b571e7a854b 100644 --- a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll 
@@ -16,6 +16,12 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof Source } predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // src/queries/security/cwe-598/SensitiveGetQuery.ql:21: Column 3 does not select a source or sink originating from the flow call on line 20 + none() + } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll index 2e8aed1c0b87..2cbb9635a946 100644 --- a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll @@ -22,6 +22,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig { node instanceof StringConstCompareBarrier or node instanceof StringConstArrayInclusionCallBarrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll index 40a9b603bf4e..4d075d0661b5 100644 --- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll @@ -13,6 +13,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll index 8342c382cdb2..4df59d9c8eb6 100644 --- a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll 
@@ -17,6 +17,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll index b6520fedf4fe..c9b383aa3bae 100644 --- a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll @@ -32,6 +32,8 @@ private module StoredXssConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { isAdditionalXssTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll index 1231921649e7..8ecdde85e768 100644 --- a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll @@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll index 3e3610915496..78407a745fb4 100644 --- a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll 
@@ -13,6 +13,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll index 06dc8797832a..24f86a2687a7 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll @@ -24,6 +24,8 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig { // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll index ad7749d68aa6..f5dc63a3b9ab 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll @@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof UnsafeDeserialization::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll index 44e008cfa8b4..75b73162b2a4 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll 
@@ -21,6 +21,8 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig { // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll index 6e3ac947a514..6041c38130e2 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll @@ -26,6 +26,8 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll index 6169de81269a..5065833c6ac6 100644 --- a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll @@ -22,6 +22,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { UrlRedirect::isAdditionalTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll index dd9c389b4c34..b2d52f903c79 100644 --- a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll 
@@ -28,6 +28,12 @@ module NormalHashFunction { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:79: Flow call outside 'select' clause + none() + } } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */ @@ -54,6 +60,12 @@ module ComputationallyExpensiveHashFunction { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:86: Flow call outside 'select' clause + none() + } } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */ diff --git a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll index 4385b324fa6e..adbff127a8d7 100644 --- a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll @@ -24,6 +24,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll index febfa0712d9b..6ff8843d4588 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll 
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll @@ -17,6 +17,8 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll index 98a42fcf5e7c..e0b7d59bb1f8 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll @@ -18,6 +18,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll index 3e6f6f83ef8d..66cdb67395e0 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll @@ -17,6 +17,8 @@ private module RegExpInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInjection::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof RegExpInjection::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql index 5ab6d29af7ba..bcf41780d6e2 100644 --- a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql +++ b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql 
@@ -57,6 +57,8 @@ module BombsConfig implements DataFlow::ConfigSig { nodeTo = cn ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } module Bombs = TaintTracking::Global;
diff --git a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
index 5869e5862fb2..aeb559417307 100644
--- a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
+++ b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
@@ -39,6 +39,8 @@ private module DecompressionApiConfig implements DataFlow::ConfigSig { // our Decompression APIs defined above will be the sinks we use for this query predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionApiUse }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module DecompressionApiFlow = TaintTracking::Global;
diff --git a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql
index 557b7daefd3f..4af2425b1a82 100644
--- a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql
+++ b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql
@@ -86,6 +86,8 @@ private module HttpVerbConfig implements DataFlow::ConfigSig { exists(ExprNodes::ConditionalExprCfgNode c | c.getCondition() = sink.asExpr()) or exists(ExprNodes::CaseExprCfgNode c | c.getValue() = sink.asExpr()) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module HttpVerbFlow = TaintTracking::Global;
diff --git a/ruby/ql/src/experimental/weak-params/WeakParams.ql b/ruby/ql/src/experimental/weak-params/WeakParams.ql
index 8b1654c63687..faec728a2dd8 100644
--- a/ruby/ql/src/experimental/weak-params/WeakParams.ql
+++ b/ruby/ql/src/experimental/weak-params/WeakParams.ql
@@ -46,6 +46,8 @@ private module WeakParamsConfig implements DataFlow::ConfigSig { // the sink is an instance of a Model class that receives a method call predicate isSink(DataFlow::Node node) { node = any(PersistentWriteAccess a).getValue() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module WeakParamsFlow = TaintTracking::Global;
diff --git a/ruby/ql/src/queries/meta/TaintedNodes.ql b/ruby/ql/src/queries/meta/TaintedNodes.ql
index ee35afeed317..8ddda63b359e 100644
--- a/ruby/ql/src/queries/meta/TaintedNodes.ql
+++ b/ruby/ql/src/queries/meta/TaintedNodes.ql
@@ -19,6 +19,8 @@ private module BasicTaintConfig implements DataFlow::ConfigSig { // To reduce noise from synthetic nodes, only count nodes that have an associated expression. exists(node.asExpr().getExpr()) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module BasicTaintFlow = TaintTracking::Global;
diff --git a/ruby/ql/src/queries/security/cwe-611/Xxe.ql b/ruby/ql/src/queries/security/cwe-611/Xxe.ql
index ba1df49549b9..af6a2fd77645 100644
--- a/ruby/ql/src/queries/security/cwe-611/Xxe.ql
+++ b/ruby/ql/src/queries/security/cwe-611/Xxe.ql
@@ -31,6 +31,8 @@ private module XxeConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module XxeFlow = TaintTracking::Global;
diff --git a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
index 5580118e9333..478e758d844c 100644
--- a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+++ b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
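Review bot: Enabling `observeDiffInformedIncrementalMode() { any() }` on `BasicTaintConfig` in the meta query `TaintedNodes.ql` looks different in kind from the security queries around it: if that query is used as a whole-database coverage metric, pruning flow to the configured diff range would presumably change what the count measures whenever a diff range is set, which the commit does not discuss. If the meta queries are never run in that mode this is harmless, but it would be worth a one-line comment on the predicate, e.g. `// Diff-informed pruning is acceptable here because <reason — placeholder>`, or keeping `none()` for the meta queries. The enclosing `BasicTaintConfig` module starts outside the hunk.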
@@ -54,6 +54,8 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module PermissivePermissionsFlow = DataFlow::Global;
diff --git a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
index e37bc91f2583..c568e8d2aafc 100644
--- a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
+++ b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
@@ -147,6 +147,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig { binop.getExpr() instanceof AddExpr ) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 } private module HardcodedCredentialsFlow = DataFlow::Global;
From 871cdb014d902a580a17a6426e3aadf4ba9b9a15 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 20 Dec 2024 10:34:53 +0100
Subject: [PATCH 2/4] Ruby: fix TODOs left by the patch query
---
 .../codeql/ruby/frameworks/http_clients/Excon.qll | 4 +---
 .../codeql/ruby/frameworks/http_clients/Faraday.qll | 4 +---
 .../ruby/frameworks/http_clients/HttpClient.qll | 4 +---
 .../codeql/ruby/frameworks/http_clients/Httparty.qll | 4 +---
 .../codeql/ruby/frameworks/http_clients/NetHttp.qll | 4 +---
 .../codeql/ruby/frameworks/http_clients/OpenURI.qll | 5 +----
 .../ruby/frameworks/http_clients/RestClient.qll | 4 +---
 .../codeql/ruby/frameworks/http_clients/Typhoeus.qll | 4 +---
 .../lib/codeql/ruby/frameworks/stdlib/Pathname.qll | 4 +---
 .../codeql/ruby/security/ConditionalBypassQuery.qll | 6 +-----
 .../codeql/ruby/security/SensitiveGetQueryQuery.qll | 4 +---
 .../ruby/security/WeakSensitiveDataHashingQuery.qll | 12 ++----------
 12 files changed, 13 insertions(+), 46 deletions(-)
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll
index a97f48d3503c..adf7384183e1 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll
@@ -120,9 +120,7 @@ private module ExconDisablesCertificateValidationConfig implements DataFlow::Con } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/Excon.qll:74: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
index 5091f7d634be..834180a7ee49 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
@@ -101,9 +101,7 @@ private module FaradayDisablesCertificateValidationConfig implements DataFlow::S } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/Faraday.qll:80: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll
index 788cce6ac307..c766ef96f23a 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll
@@ -82,9 +82,7 @@ private module HttpClientDisablesCertificateValidationConfig implements DataFlow } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/HttpClient.qll:67: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll
index a0de0b1214e0..e9f94f771f1a 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll
@@ -72,9 +72,7 @@ private module HttpartyDisablesCertificateValidationConfig implements DataFlow:: } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/Httparty.qll:59: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
index 803dc5cccfd8..e09917ae21ab 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -105,9 +105,7 @@ private module NetHttpDisablesCertificateValidationConfig implements DataFlow::C } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/NetHttp.qll:90: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll
index 86f614f9388e..8ccb744f84e1 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll
@@ -112,10 +112,7 @@ private module OpenUriDisablesCertificateValidationConfig implements DataFlow::C } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:48: Flow call outside 'select' clause
- // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:95: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll
index 865a5bea580c..cac94f7166f2 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll
@@ -75,9 +75,7 @@ private module RestClientDisablesCertificateValidationConfig implements DataFlow } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/RestClient.qll:60: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll
index 0572616361e5..2eae03a77481 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll
@@ -66,9 +66,7 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow:: } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll:53: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll
index 6f28ecd3ce21..cee494cb2fec 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll
@@ -54,9 +54,7 @@ module Pathname { } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/frameworks/stdlib/Pathname.qll:30: Flow call outside 'select' clause
- none()
+ none() // Used for a library model
 } }
diff --git a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
index 8f71fe64a5bc..fee3990f09b8 100644
--- a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
@@ -18,11 +18,7 @@ private module Config implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // src/experimental/cwe-807/ConditionalBypass.ql:78: Flow call outside 'select' clause
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /**
diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
index 8b571e7a854b..f1dc2194d24c 100644
--- a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
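Review bot: Replacing the `none()` stub with `any()` in `Config.observeDiffInformedIncrementalMode` of `ConditionalBypassQuery.qll` discards the generated hint that a flow call sits outside the `select` clause at `src/experimental/cwe-807/ConditionalBypass.ql:78`, and the new one-liner leaves no record of why diff-informed pruning is nonetheless safe for that query; the two `WeakSensitiveDataHashingQuery.qll` hunks (`NormalHashFunction` and `ComputationallyExpensiveHashFunction`, whose hints pointed at lines 79 and 86 of that file) have the same gap. The `SensitiveGetQueryQuery.qll` hunk in this same commit keeps a one-line justification next to its `none()`, and the enabled cases deserve the equivalent so a later reader does not have to re-audit the `select` clause to trust the pruning. Something like `predicate observeDiffInformedIncrementalMode() { any() } // <why the out-of-select flow call still only reports selected sources/sinks — placeholder>` at each of the three sites would do. The enclosing `Config` module begins outside the hunk.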
@@ -18,9 +18,7 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // src/queries/security/cwe-598/SensitiveGetQuery.ql:21: Column 3 does not select a source or sink originating from the flow call on line 20
- none()
+ none() // Disabled since the alert references `Source.getHandler()`
 } }
diff --git a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
index b2d52f903c79..7ce8d213d2f5 100644
--- a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
@@ -29,11 +29,7 @@ module NormalHashFunction { predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:79: Flow call outside 'select' clause
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -61,11 +57,7 @@ module ComputationallyExpensiveHashFunction { predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() {
- // TODO(diff-informed): Manually verify if config can be diff-informed.
- // lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:86: Flow call outside 'select' clause
- none()
- }
+ predicate observeDiffInformedIncrementalMode() { any() }
 } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
From 772c3363d24fe83ab2e6fc18f86378b5e9f336c3 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 17 Jan 2025 13:26:13 +0100
Subject: [PATCH 3/4] Add dummy extension with an empty diff
---
 ruby/ql/lib/emptydiff.model.yml | 6 ++++++
 ruby/ql/lib/qlpack.yml | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 ruby/ql/lib/emptydiff.model.yml
diff --git a/ruby/ql/lib/emptydiff.model.yml b/ruby/ql/lib/emptydiff.model.yml
new file mode 100644
index 000000000000..247b06872346
--- /dev/null
+++ b/ruby/ql/lib/emptydiff.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/util
+ extensible: restrictAlertsTo
+ data:
+ - ["dummy", 1, 1]
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
index fa3b6fbd3c36..e7cdf182f690 100644
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -16,4 +16,5 @@ dependencies: dataExtensions: - codeql/ruby/frameworks/**/model.yml - codeql/ruby/frameworks/**/*.model.yml
+ - '*.model.yml'
 warnOnImplicitThis: true
From 29b829bf4a9c655e148dc6f69941aec5738a967f Mon Sep 17 00:00:00 2001
From: Asger F
Date: Mon, 20 Jan 2025 11:20:57 +0100
Subject: [PATCH 4/4] Revert "Add dummy extension with an empty diff"
This reverts commit 772c3363d24fe83ab2e6fc18f86378b5e9f336c3.
---
 ruby/ql/lib/emptydiff.model.yml | 6 ------
 ruby/ql/lib/qlpack.yml | 1 -
 2 files changed, 7 deletions(-)
 delete mode 100644 ruby/ql/lib/emptydiff.model.yml
diff --git a/ruby/ql/lib/emptydiff.model.yml b/ruby/ql/lib/emptydiff.model.yml
deleted file mode 100644
index 247b06872346..000000000000
--- a/ruby/ql/lib/emptydiff.model.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-extensions:
- - addsTo:
- pack: codeql/util
- extensible: restrictAlertsTo
- data:
- - ["dummy", 1, 1]
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
index e7cdf182f690..fa3b6fbd3c36 100644
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -16,5 +16,4 @@ dependencies: dataExtensions: - codeql/ruby/frameworks/**/model.yml - codeql/ruby/frameworks/**/*.model.yml
- - '*.model.yml'
 warnOnImplicitThis: true