Actions: mass enable diff-informed data flow

github · Jan 23, 2025 · 54d2ae2 · 54d2ae2
1 parent 28f3073
commit 54d2ae2
Show file tree

Hide file tree

Showing 16 changed files with 67 additions and 0 deletions.
diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -88,6 +88,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-088/ArgumentInjectionCritical.ql:29: Column 7 does not select a source or sink originating from the flow call on line 22
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -316,6 +316,12 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql:28: Column 7 does not select a source or sink originating from the flow call on line 21
+    none()
+  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */

diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -35,6 +35,13 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-094/CodeInjectionCritical.ql:36: Column 7 does not select a source or sink originating from the flow call on line 24
+    // ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql:48: Column 7 does not select a source or sink originating from the flow call on line 23
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

diff --git a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -16,6 +16,12 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/CommandInjectionCritical.ql:30: Column 7 does not select a source or sink originating from the flow call on line 23
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

diff --git a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -108,6 +108,12 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-077/EnvPathInjectionCritical.ql:39: Column 7 does not select a source or sink originating from the flow call on line 23
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */

diff --git a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -163,6 +163,12 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-077/EnvVarInjectionCritical.ql:48: Column 7 does not select a source or sink originating from the flow call on line 24
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

diff --git a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCheckoutConfig>;
@@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ActionsSHACheckoutFlow = TaintTracking::Global<ActionsSHACheckoutConfig>;

diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
-Original file line number
+Diff line change
@@ Expand Up @@
           )
         )
       }
+      predicate observeDiffInformedIncrementalMode() { any() }
     }
     /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
@@ Expand Down @@