From 3fa825904299473ad952208c604ce31c0ba4a562 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:21:04 +0200 Subject: [PATCH 01/77] Actions/OutputClobberingQuery actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql uses source as endpoint --- .../ql/lib/codeql/actions/security/OutputClobberingQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 4454a5496a2f..22b4879df126 100644 --- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -212,8 +212,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ From 890ca8e7d128fda92f88826fa8bb045bd749aadf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:22:57 +0200 Subject: [PATCH 02/77] Actions/RequestForgeryQuery actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql uses source as endpoint --- actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll index d96a12e2608d..fb89ebdc8baf 100644 --- a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll +++ b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll 
@@ -18,8 +18,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */ From bb103073031e165936fe9d289b70091d425ffdad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:24:12 +0200 Subject: [PATCH 03/77] Actions/SecretExfiltrationQuery actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql uses source as endpoint --- .../ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll index 15cd726c4bba..b3d59210053c 100644 --- a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll +++ b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll @@ -17,8 +17,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */ From d36b721513998333872792fe3a251af06ea2f0b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:26:05 +0200 Subject: [PATCH 04/77] Actions/CompositeActionsSinks Same file uses source as endpoint --- actions/ql/src/Models/CompositeActionsSinks.ql | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql index 65d3fdce9dc7..82f0754f03e2 100644 --- a/actions/ql/src/Models/CompositeActionsSinks.ql +++ b/actions/ql/src/Models/CompositeActionsSinks.ql @@ -26,8 +26,6 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module MyFlow = TaintTracking::Global; From 78f2cee51c218641ec6be3d3983a9b5f5e06d07c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:27:01 +0200 Subject: [PATCH 05/77] Actions/CompositeActionsSources Same file uses source as endpoint --- actions/ql/src/Models/CompositeActionsSources.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql index 2f3e98b3401e..c9974cd73614 100644 --- a/actions/ql/src/Models/CompositeActionsSources.ql +++ b/actions/ql/src/Models/CompositeActionsSources.ql @@ -36,8 +36,6 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module MyFlow = TaintTracking::Global; From 9c24ce065003c70a19c6d27d0d4a60564c560002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:27:58 +0200 Subject: [PATCH 06/77] Actions/CompositeActionsSummaries Same file uses source as endpoint --- actions/ql/src/Models/CompositeActionsSummaries.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql index 1979c381f5d6..814498f639e0 100644 --- a/actions/ql/src/Models/CompositeActionsSummaries.ql +++ b/actions/ql/src/Models/CompositeActionsSummaries.ql 
@@ -27,8 +27,6 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module MyFlow = TaintTracking::Global; From a972ef7e314f9f8607d9afa2c17bdb16b4b4e6f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:29:46 +0200 Subject: [PATCH 07/77] Actions/ReusableWorkflowsSinks Same file uses source as endpoint --- actions/ql/src/Models/ReusableWorkflowsSinks.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql index 2b08f2445d90..8d02debbdb4a 100644 --- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql +++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql @@ -26,8 +26,6 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module MyFlow = TaintTracking::Global; From 1243c6362d23e9add3a892688d0f03844f5977a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:34:43 +0200 Subject: [PATCH 08/77] Actions/ReusableWorkflowsSources --- actions/ql/src/Models/ReusableWorkflowsSources.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql index 831191e4bfb6..a7112bf37584 100644 --- a/actions/ql/src/Models/ReusableWorkflowsSources.ql +++ b/actions/ql/src/Models/ReusableWorkflowsSources.ql @@ -36,8 +36,6 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module MyFlow = TaintTracking::Global; From 5a1a887fd2d9e962fb03e5bbaea6b9b1be5fa71d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:35:15 +0200 Subject: [PATCH 09/77] Actions/ReusableWorkflowsSummaries --- actions/ql/src/Models/ReusableWorkflowsSummaries.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql index fd2d4b396a08..a05bec744f84 100644 --- a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql +++ b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql @@ -27,8 +27,6 @@ private module MyConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module MyFlow = TaintTracking::Global; From ad31f1ab6de248613ba1f734241594f8bd386067 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:36:15 +0200 Subject: [PATCH 10/77] C++/WordexpTainted Same file usees source and sink as endpoints --- cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql index 1d032a63ba34..cfe04ba23bfa 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql @@ -50,8 +50,6 @@ module WordexpTaintConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node source) { none() } } module WordexpTaint = TaintTracking::Global; From ba22f0d7d2865db5738efa19c65f03a792f50c2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:36:52 +0200 Subject: [PATCH 11/77] C#/DontInstallRootCert --- csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql index d2d226716777..b48ddbf0f350 100644 --- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql +++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql @@ -39,8 +39,6 @@ module AddCertToRootStoreConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module AddCertToRootStore = DataFlow::Global; From 7722f31cb8b3862d72467247caf694362f53ca36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 13:43:24 +0200 Subject: [PATCH 12/77] Go/DivideByZero --- go/ql/src/experimental/CWE-369/DivideByZero.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/go/ql/src/experimental/CWE-369/DivideByZero.ql b/go/ql/src/experimental/CWE-369/DivideByZero.ql index 8afd165832bc..99cd120dbf8b 100644 --- a/go/ql/src/experimental/CWE-369/DivideByZero.ql +++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql @@ -47,8 +47,6 @@ module Config implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** From 59a8e9b78ccc1422b7204abff99620885e29c0cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 14:04:17 +0200 Subject: [PATCH 13/77] Go/InsufficientKeySize --- go/ql/src/Security/CWE-326/InsufficientKeySize.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql index 5d0ee7ac6ab3..6fa421baaeb3 100644 --- a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql +++ b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql 
@@ -27,8 +27,6 @@ module Config implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** From 913550f4084389b8eec315c358c63c0cf4b2e9d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 14:27:49 +0200 Subject: [PATCH 14/77] Java/ArbitraryApkInstallationQuery java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql --- .../semmle/code/java/security/ArbitraryApkInstallationQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll index 8c833bb79d60..e907a9ffeaa8 100644 --- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll @@ -25,8 +25,6 @@ module ApkInstallationConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module ApkInstallationFlow = DataFlow::Global; From a228936c6386ab5544aeec2b410c649f2590117e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 14:56:11 +0200 Subject: [PATCH 15/77] Java/ArithmeticTainted java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql --- .../lib/semmle/code/java/security/ArithmeticTaintedQuery.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll index fbb8509f48f9..c3d4e7876d56 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll 
@@ -19,6 +19,8 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig { } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr())) } } @@ -43,6 +45,8 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig { } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr())) } } From 1129230e1021724a79c919b23af08933abf6e34a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 14:57:34 +0200 Subject: [PATCH 16/77] Java/ArithmeticUncontrolledQuery java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql --- .../semmle/code/java/security/ArithmeticUncontrolledQuery.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll index 6b7b337ad656..ac79aef3f377 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll @@ -25,6 +25,8 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig { } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr())) } } @@ -46,6 +48,8 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig { } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr())) } } From b023880a0a1d12f40551c4cd4e73318b9b001364 Mon Sep 17 00:00:00 2001 
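Review bot: The new disjunct `result = sink.getLocation()` in `getASelectedSinkLocation` carries no comment in either hunk of this file, and the same applies to the parallel additions in ArithmeticUncontrolledQuery.qll, BrokenCryptoAlgorithmQuery.qll, ConditionalBypassQuery.qll, both ImproperValidationOfArrayConstruction*Query.qll files, UnsafeDeserializationQuery.qll and ShellCommandInjectionFromEnvironmentQuery.qll later in the series. The commit subject points at ArithmeticTainted.ql, so presumably that query selects the sink node itself as well as the enclosing arithmetic expression, and this predicate must list every location the query selects or diff-informed mode may discard the result; nothing in the hunk records that reasoning. A QLDoc line above the predicate, e.g. `/** Locations selected by ArithmeticTainted.ql: the sink itself and the enclosing arithmetic expression; both must be listed for diff-informed mode. */`, would make the contract explicit and stop a later edit from dropping one of the disjuncts. The module header is outside the hunk.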
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 8 Oct 2025 14:59:49 +0200 Subject: [PATCH 17/77] Java/BrokenCryptoAlgorithmQuery java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql --- .../semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll index 0c1f14c902b6..9bcf9dc2eaf2 100644 --- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll @@ -36,6 +36,8 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation()) } } From 4482e831d71233d769678752203854d534bcebad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 09:56:44 +0200 Subject: [PATCH 18/77] Java/CommandLineQuery https://github.com/github/codeql/blob/85a4dd0325104ecd613c9e3e7c25190d41906605/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql https://github.com/github/codeql/blob/857b51be5895bf437ea25b5ce2581527d5af69fb/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql https://github.com/github/codeql/blob/b6e56f26c7509a041ce92bdda13db0a09da886e3/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql --- java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index a1c75f93802e..82d24eb718ec 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll 
@@ -63,9 +63,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig { // only to prevent overlapping results between two queries. predicate observeDiffInformedIncrementalMode() { any() } - // All queries use the argument as the primary location and do not use the - // sink as an associated location. + // ExecTainted.ql queries use the argument as the primary location; + // ExecUnescaped.ql does not (used to prevent overlapping results). Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation()) } } From dc1dff98b0f2cefd93b53240575a42ab81bd71d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 10:15:54 +0200 Subject: [PATCH 19/77] Java/ConditionalBypass java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql --- .../ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll index 314570369377..087ca674cda6 100644 --- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll @@ -51,6 +51,8 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(MethodCall m, Expr e | result = [m, e].getLocation() | conditionControlsMethod(m, e) and sink.asExpr() = e From 9eeeec336e445c9ef08a470ded1c6bd7da6af6f8 Mon Sep 17 00:00:00 2001 
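Review bot: The rewritten comment above `getASelectedSinkLocation` is ambiguous: in `ExecUnescaped.ql does not (used to prevent overlapping results)` it is unclear what "does not" and "used" refer to, and the comment no longer says why two locations are now listed. Given the three query files named in the commit message, the intended reading seems to be that the two ExecTainted.ql queries select the argument as the primary location while ExecUnescaped.ql selects the sink node itself, so both locations have to be enumerated here; if so, `// ExecTainted.ql (stable and experimental) select the argument as the primary location; ExecUnescaped.ql selects the sink node itself, so both locations are listed for diff-informed mode.` states it directly. The preceding comment lines and the module header are outside the hunk.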
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 10:42:45 +0200 Subject: [PATCH 20/77] Java/ImproperValidationOfArrayConstructionCodeSpecifiedQuery java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql --- .../ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll index e952971c389f..487d9e3924e1 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll @@ -21,6 +21,8 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess | result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation) From eebff9c282be8d3a39fb84a19605cc5ec15d6696 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 10:44:22 +0200 Subject: [PATCH 21/77] Java/ImproperValidationOfArrayConstructionFlow java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql --- .../security/ImproperValidationOfArrayConstructionQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll index 913d50b3159d..d37a8d882b3e 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll @@ -18,6 +18,8 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess | result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation) From 247ae1d23c07147576b0d792741a8bc1c375cfd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:00:05 +0200 Subject: [PATCH 22/77] Java/MaybeBrokenCryptoAlgorithmQuery java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql --- .../code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll index 57622b367f31..22c7320a55aa 100644 --- a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll @@ -81,7 +81,9 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(CryptoAlgoSpec c | result = c.getLocation() | sink.asExpr() = c.getAlgoSpec()) + exists(CryptoAlgoSpec c | result = sink.getLocation() or result = c.getLocation() | + sink.asExpr() = c.getAlgoSpec() + ) } } From 72a97773b1904757a7ae46ffa8090df7b926dd1c Mon Sep 17 00:00:00 2001 
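Review bot: In `getASelectedSinkLocation` of MaybeBrokenCryptoAlgorithmQuery.qll the new `result = sink.getLocation()` sits inside the `exists(CryptoAlgoSpec c | ...)`, so the sink's own location is selected only when a matching `CryptoAlgoSpec` exists; NumericCastTaintedQuery.qll, TaintedPermissionsCheckQuery.qll, CommandInjectionQuery.qll and IndirectCommandInjectionQuery.qll later in the series use the same conditional shape. If `isSink` (outside the hunk) is exactly that relation the two forms coincide, but a sink admitted by any other route would have no selected location and could, as I understand diff-informed mode, be pruned, whereas BrokenCryptoAlgorithmQuery.qll and ShellCommandInjectionFromEnvironmentQuery.qll in this same series list the sink location unconditionally. Writing it as `result = sink.getLocation() or exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())` removes that dependency, keeps the series consistent, and also restores the usual `exists(vars | guard | body)` order, which the hunk inverts by putting the `result` disjunction in the range and the guard in the body. The module header is outside the hunk.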
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:01:26 +0200 Subject: [PATCH 23/77] Java/NumericCastTaintedQuery java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql --- .../semmle/code/java/security/NumericCastTaintedQuery.qll | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index bfe22c69e642..841ff4f85153 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll @@ -106,8 +106,9 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(NumericNarrowingCastExpr cast | - cast.getExpr() = sink.asExpr() and + exists(NumericNarrowingCastExpr cast | cast.getExpr() = sink.asExpr() | + result = sink.getLocation() + or result = cast.getLocation() ) } From 697f428eae3fd331084b173567e0f10c2be87892 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:05:43 +0200 Subject: [PATCH 24/77] Java/TaintedEnvironmentVariableQuery java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql --- .../code/java/security/TaintedEnvironmentVariableQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll index d972b59986a6..2bc9dba92f01 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll 
@@ -40,8 +40,6 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node source) { none() } } /** From 2a889f4f98f19374bf5b12d525d5730da3b1564a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:14:10 +0200 Subject: [PATCH 25/77] Java/TaintedPermissionsCheckQuery java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql --- .../code/java/security/TaintedPermissionsCheckQuery.qll | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll index bbec7d4f4e6c..7113c7036e4c 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll @@ -63,8 +63,9 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(PermissionsConstruction p | - sink.asExpr() = p.getInput() and + exists(PermissionsConstruction p | sink.asExpr() = p.getInput() | + result = sink.getLocation() + or result = p.getLocation() ) } From 4439322e8881a7602c8a94d8ca144a3102d0f704 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:15:17 +0200 Subject: [PATCH 26/77] Java/TempDirLocalInformationDisclosureQuery java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql --- .../java/security/TempDirLocalInformationDisclosureQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll index 098362f2bd53..0ae1d7e4df01 100644 
--- a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll @@ -147,8 +147,6 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSinkLocation(DataFlow::Node sink) { none() } } /** From 518c0818a4a98d5b19a8e453b995c7f0a3e9ee4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:38:37 +0200 Subject: [PATCH 27/77] Java/UnsafeDeserializationQuery java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql --- .../semmle/code/java/security/UnsafeDeserializationQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index f5968898adcf..e0a66626be44 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -313,6 +313,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation() } } From f24a6f64ab6245d173f8b21aad81d5cba039ea4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Thu, 9 Oct 2025 14:41:30 +0200 Subject: [PATCH 28/77] Java/WebviewDebugEnabledQuery java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql --- .../code/java/security/WebviewDebuggingEnabledQuery.qll | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll index 080a7bb482f6..90e47521bf04 100644 --- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll @@ -46,12 +46,6 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node source) { - // This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't - // select the source in any "$@" column. - none() - } } /** From 2a30ea923abfd4e6fd2856cf7eb09d3358af6a22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Fri, 10 Oct 2025 17:30:59 +0200 Subject: [PATCH 29/77] JS/CommandInjectionQuery javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql javascript/ql/src/Security/CWE-078/CommandInjection.ql --- .../javascript/security/dataflow/CommandInjectionQuery.qll | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll index 7c013e1f4ace..228f2b8c72c1 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll @@ -34,8 +34,9 @@ module CommandInjectionConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(DataFlow::Node node | - isSinkWithHighlight(sink, node) and + exists(DataFlow::Node node | isSinkWithHighlight(sink, node) | + result = sink.getLocation() + or result = node.getLocation() ) } 
From 71cf0426072d8520d17b50dd549460d79d846b6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 13:14:50 +0200 Subject: [PATCH 30/77] JS/IndirectCommandInjectionQuery javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql --- .../security/dataflow/IndirectCommandInjectionQuery.qll | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll index 87d85911a1ba..6dbba8261fbf 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll @@ -30,8 +30,9 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(DataFlow::Node node | - isSinkWithHighlight(sink, node) and + exists(DataFlow::Node node | isSinkWithHighlight(sink, node) | + result = sink.getLocation() + or result = node.getLocation() ) } From 94343254e345b3966df6744641fc93a6efae1f2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 13:28:30 +0200 Subject: [PATCH 31/77] JS/ShellCommandInjectionFromEnvironmentQuery javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql --- .../dataflow/ShellCommandInjectionFromEnvironmentQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll index 1d396da5b20d..34cee84aaae2 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll 
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll @@ -31,6 +31,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or exists(DataFlow::Node node | isSinkWithHighlight(sink, node) and result = node.getLocation() From bcdbe0b50ad5c65f44c1146d7917444616839538 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 13:51:58 +0200 Subject: [PATCH 32/77] JS/PolynomialReDoSQuery javascript/ql/src/Performance/PolynomialReDoS.ql --- .../semmle/javascript/security/regexp/PolynomialReDoSQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll index e68fd5af415f..d1baf9c45230 100644 --- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll @@ -29,6 +29,8 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.(Sink).getLocation() + or result = sink.(Sink).getHighlight().getLocation() or result = sink.(Sink).getRegExp().getLocation() From bb80d832767a1b6c85489a8aa4b9eb38e6871086 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 13:53:11 +0200 Subject: [PATCH 33/77] JS/SSRF javascript/ql/src/experimental/Security/CWE-918/SSRF.ql --- javascript/ql/src/experimental/Security/CWE-918/SSRF.qll | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll index 03bc9f990385..380f594c21e3 100644 --- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll +++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll @@ -29,10 +29,6 @@ module SsrfConfig implements DataFlow::ConfigSig { predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) } - Location getASelectedSourceLocation(DataFlow::Node source) { - none() // Does not select the source - } - predicate observeDiffInformedIncrementalMode() { any() } } From baccdcc07f890fe140c693ab28c55d9f4a633fad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:00:02 +0200 Subject: [PATCH 34/77] Python/PolynomialReDoSQuery python/ql/src/Security/CWE-730/PolynomialReDoS.ql --- .../semmle/python/security/dataflow/PolynomialReDoSQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll index 89aa4961e6ef..11ccf27d7eb3 100644 --- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll @@ -21,6 +21,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.(Sink).getLocation() + or result = sink.(Sink).getHighlight().getLocation() or result = sink.(Sink).getABacktrackingTerm().getLocation() From 37fff48dcd3b18cf475a7ca78e74099011d982ee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:02:17 +0200 Subject: [PATCH 35/77] Python/ServerSideRequestForgeryQuery python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql --- .../python/security/dataflow/ServerSideRequestForgeryQuery.qll | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll index b466d34b2276..e60afa470eca 100644 --- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll +++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll @@ -68,7 +68,8 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - // Note: this query does not select the sink itself + result = sink.(Sink).getLocation() + or result = sink.(Sink).getRequest().getLocation() } } From 6d5731686236d4cf070ed2f7821d01714654c0b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:04:05 +0200 Subject: [PATCH 36/77] Python/UnsafeUnpackQuery python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql --- python/ql/src/experimental/Security/UnsafeUnpackQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll index 79e50fbd36e9..64da6b8d799a 100644 --- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll +++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll 
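Review bot: The removed comment in `getASelectedSinkLocation` of ServerSideRequestForgeryQuery.qll was the only explanation of why the request location is selected, and the new body drops it without a replacement. Since the query apparently reports the request rather than the sink node (per the removed note), a one-line comment would preserve that context, e.g. `// The query reports the request; the sink itself is included as well, per the getASelectedSinkLocation qldoc in DataFlow.qll.` The enclosing module header is outside the hunk.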
@@ -210,8 +210,6 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */ From 4bc9ede2e8e03c3a5557093a45de5e13f2853b5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:05:02 +0200 Subject: [PATCH 37/77] Python/UnsafeUsageOfClientSideEncryptionVersion --- .../CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql index a93787c9d790..a0fadbff3f3b 100644 --- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql +++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql @@ -147,8 +147,6 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module AzureBlobClientFlow = DataFlow::GlobalWithState; From 998de144ea691d0a393cb71f6f277a7fad8eaa12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:08:35 +0200 Subject: [PATCH 38/77] Python/CorsBypass --- python/ql/src/experimental/Security/CWE-346/CorsBypass.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql index 4bb8440c02cd..01e661cb0bbf 100644 --- a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql +++ b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql 
@@ -81,8 +81,6 @@ module CorsBypassConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module CorsFlow = TaintTracking::Global; From 1ff24cbee85fd268476d9967d31c7f2bdb0b3014 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:09:52 +0200 Subject: [PATCH 39/77] Python/LdapInsecureAuth python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql --- .../experimental/semmle/python/security/LdapInsecureAuth.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll index 431f9f9ab732..630543e6f798 100644 --- a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll +++ b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll @@ -103,8 +103,6 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */ From 6519bd990911f4b2af64bb78b1c2d22b698f5061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:15:08 +0200 Subject: [PATCH 40/77] Ruby/PolynomialReDoSQuery ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql --- .../ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll index 81179717e01e..7ff627714624 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll 
@@ -24,6 +24,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { none() } Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.(Sink).getLocation() + or result = sink.(Sink).getHighlight().getLocation() or result = sink.(Sink).getRegExp().getRootTerm().getLocation() From 50f2540db191a3853b8573d20737c8cefbe577d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:19:21 +0200 Subject: [PATCH 41/77] Ruby/ManuallyCheckHttpVerb --- .../manually-check-http-verb/ManuallyCheckHttpVerb.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql index 80113ee78232..4af2425b1a82 100644 --- a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql +++ b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql @@ -88,8 +88,6 @@ private module HttpVerbConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node source) { none() } } private module HttpVerbFlow = TaintTracking::Global; From 495be51ae755274ab86e6330f0b48a4303ec9f7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:19:55 +0200 Subject: [PATCH 42/77] Ruby/WeakParams --- ruby/ql/src/experimental/weak-params/WeakParams.ql | 2 -- 1 file changed, 2 deletions(-) diff --git a/ruby/ql/src/experimental/weak-params/WeakParams.ql b/ruby/ql/src/experimental/weak-params/WeakParams.ql index 2abc151a9201..faec728a2dd8 100644 --- a/ruby/ql/src/experimental/weak-params/WeakParams.ql +++ b/ruby/ql/src/experimental/weak-params/WeakParams.ql 
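Review bot: The context line above the changed `getASelectedSinkLocation` in the Ruby PolynomialReDoSQuery.qll reads `predicate observeDiffInformedIncrementalMode() { none() }`, unlike the `any()` in the JavaScript and Python counterparts (patches 32 and 34), so the added `result = sink.(Sink).getLocation()` disjunct has no effect unless this query is meant to stay out of diff-informed mode. If the opt-out is deliberate, a comment on that line saying why would save the next reader the same question; if it is an oversight, the rest of the series suggests `any()` was intended, but that is inferred rather than visible here. The enclosing module header is outside the hunk.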
@@ -48,8 +48,6 @@ private module WeakParamsConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { node = any(PersistentWriteAccess a).getValue() } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node source) { none() } } private module WeakParamsFlow = TaintTracking::Global; From 6ede0a795040aafbceba817505fc1c4e7279e56b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:24:40 +0200 Subject: [PATCH 43/77] Ruby/WeakFilePermissions --- ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql index dbc5db91d998..eef9f9e8f8dc 100644 --- a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql +++ b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql @@ -60,8 +60,9 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(FileSystemPermissionModification mod | - sinkDef(sink, mod) and + exists(FileSystemPermissionModification mod | sinkDef(sink, mod) | + result = sink.getLocation() + or result = mod.getLocation() ) } From 462d8c5dc464f531797a487da066e6855e108b26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:47:36 +0200 Subject: [PATCH 44/77] Shared: update qldoc --- shared/dataflow/codeql/dataflow/DataFlow.qll | 24 +++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll index 49f84d45b2ad..7f9c0194374b 100644 --- a/shared/dataflow/codeql/dataflow/DataFlow.qll +++ b/shared/dataflow/codeql/dataflow/DataFlow.qll 
@@ -466,8 +466,10 @@ module Configs Lang> { * `observeDiffInformedIncrementalMode`). By default, this is the location * of the source itself, but this predicate should include any locations * that are reported as the primary-location of the query or as an - * additional location ("$@" interpolation). For a query that doesn't - * report the source at all, this predicate can be `none()`. + * additional location ("$@" interpolation). Queries with `@kind path-problem` + * that override this predicate should also return the location of the source + * itself. For a query that doesn't report the source at all, this predicate + * should be `none()`. */ default Location getASelectedSourceLocation(Node source) { result = source.getLocation() } @@ -477,8 +479,10 @@ module Configs Lang> { * `observeDiffInformedIncrementalMode`). By default, this is the location * of the sink itself, but this predicate should include any locations * that are reported as the primary-location of the query or as an - * additional location ("$@" interpolation). For a query that doesn't - * report the sink at all, this predicate can be `none()`. + * additional location ("$@" interpolation). Queries with `@kind path-problem` + * that override this predicate should also return the location of the sink + * itself. For a query that doesn't report the sink at all, this predicate + * should be `none()`. */ default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() } } 
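Review bot: The two sentences added to the `getASelectedSourceLocation` qldoc in DataFlow.qll read as if both could apply to one query: path-problem overrides must include the source itself, yet a query that does not report the source may return `none()`. If the reasoning is that a `@kind path-problem` query always reports source and sink as path endpoints, so `none()` is only reachable for `@kind problem`, the doc should say so explicitly, e.g. `Queries with @kind path-problem always report the source as a path endpoint, so an override must include its location; a query that does not report the source at all (only possible for @kind problem) should return none().` The same wording recurs for the sink in the `@@ -477` hunk and for both predicates in the second module (the `@@ -615` and `@@ -626` hunks), so any rewording should land in all four places.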
@@ -615,8 +619,10 @@ module Configs Lang> { * `observeDiffInformedIncrementalMode`). By default, this is the location * of the source itself, but this predicate should include any locations * that are reported as the primary-location of the query or as an - * additional location ("$@" interpolation). For a query that doesn't - * report the source at all, this predicate can be `none()`. + * additional location ("$@" interpolation). Queries with `@kind path-problem` + * that override this predicate should also return the location of the source + * itself. For a query that doesn't report the source at all, this predicate + * should be `none()`. */ default Location getASelectedSourceLocation(Node source) { result = source.getLocation() } @@ -626,8 +632,10 @@ module Configs Lang> { * `observeDiffInformedIncrementalMode`). By default, this is the location * of the sink itself, but this predicate should include any locations * that are reported as the primary-location of the query or as an - * additional location ("$@" interpolation). For a query that doesn't - * report the sink at all, this predicate can be `none()`. + * additional location ("$@" interpolation). Queries with `@kind path-problem` + * that override this predicate should also return the location of the sink + * itself. For a query that doesn't report the sink at all, this predicate + * should be `none()`. */ default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() } } From 2332cea330ce40e49a2128527ebee06ded4e9bc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:51:42 +0200 Subject: [PATCH 45/77] Swift/CleartextStorageDatabaseQuery swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql --- .../swift/security/CleartextStorageDatabaseQuery.qll | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll index 989d928a8c71..21bcb89efe4f 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll @@ -52,12 +52,9 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | - cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() - or - not sink instanceof DataFlow::PostUpdateNode and - cleanSink = sink - ) + result = sink.(CleartextStorageDatabaseSink).getLocation() + or + result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation() } } From c190fae737e6f0c8501dd41ad43fe72d5f102cf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:55:28 +0200 Subject: [PATCH 46/77] Swift/CleartextStoragePreferencesQuery swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql --- .../swift/security/CleartextStoragePreferencesQuery.qll | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll index c3665589482a..a0d3414f2497 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll 
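Review bot: The rewritten `getASelectedSinkLocation` in CleartextStorageDatabaseQuery.qll only returns the sink's own location when `sink.(CleartextStorageDatabaseSink)` holds, whereas the removed code returned `sink.getLocation()` for every sink that is not a `PostUpdateNode`. If `isSink` admits nodes that are not `CleartextStorageDatabaseSink` instances (a `PostUpdateNode` of one, for instance), those sinks now lose their own location, which the updated DataFlow.qll qldoc in this series asks overrides to keep; `result = sink.getLocation()` without the cast sidesteps the question, as the Actions queries in patches 53–57 already do. The same shape appears in CleartextStoragePreferencesQuery.qll (patch 46). The enclosing module header is outside the hunk.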
@@ -34,12 +34,9 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { - exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | - cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() - or - not sink instanceof DataFlow::PostUpdateNode and - cleanSink = sink - ) + result = sink.(CleartextStoragePreferencesSink).getLocation() + or + result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation() } } From 6c52d4ba914854022afb27ed7ed282e3b113cbba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:56:45 +0200 Subject: [PATCH 47/77] Swift/ConstantPasswordQuery swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql --- swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll index c0d4d7cd8963..91d46b764df5 100644 --- a/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll +++ b/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll @@ -40,8 +40,6 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module ConstantPasswordFlow = TaintTracking::Global; From 7ba7c435f2a2ea2bebbc3ed7e25362e64a081b2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:58:37 +0200 Subject: [PATCH 48/77] Swift/InsufficientHashIterationsQuery swift/ql/src/queries/Security/CWE-916/InsufficientHashIterations.ql --- .../codeql/swift/security/InsufficientHashIterationsQuery.qll | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll index f1f21dabe034..0a7fea3d3c53 100644 --- a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll +++ b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll @@ -36,8 +36,6 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module InsufficientHashIterationsFlow = TaintTracking::Global; From 5a6f731ab7f3ebd9b64e9b8bb9ec7827ec20747b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 14:59:10 +0200 Subject: [PATCH 49/77] Swift/StaticInitializationVectorQuery swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql --- .../codeql/swift/security/StaticInitializationVectorQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll index fb6e21cac52d..3c4359e02db0 100644 --- a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll +++ b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll @@ -42,8 +42,6 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } module StaticInitializationVectorFlow = TaintTracking::Global; From cd86e7d6f5b44240f514101884140cd1e55e95c1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 15:04:00 +0200 Subject: [PATCH 50/77] Swift/StringLengthConflationQuery swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql --- .../lib/codeql/swift/security/StringLengthConflationQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll b/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll index 5ddcd2333e28..eb17306f22f0 100644 --- a/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll +++ b/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll @@ -41,8 +41,6 @@ module StringLengthConflationConfig implements DataFlow::StateConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** From 895bd93062e95614da38a75ed773773e205e03bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 15:04:58 +0200 Subject: [PATCH 51/77] Swift/UnsafeJsEvalQuery swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql --- swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll index e82db8f4e7bf..92b061b2af40 100644 --- a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll +++ b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll @@ -24,8 +24,6 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** From 8a750b3125de037323663c32cb0c3651cc06f04b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 14 Oct 2025 15:06:21 +0200 Subject: [PATCH 52/77] Swift/UnsafeUnpackQuery swift/ql/src/experimental/Security/CWE-022/UnsafeUnpack.ql --- swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll index a8485ff99471..e79bce5ba143 100644 --- a/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll +++ b/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll @@ -26,8 +26,6 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig { } predicate observeDiffInformedIncrementalMode() { any() } - - Location getASelectedSourceLocation(DataFlow::Node sink) { none() } } /** From 1f53ffbdd7b12042931983c7be08a1eda580c33c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 15 Oct 2025 12:42:24 +0200 Subject: [PATCH 53/77] Actions/ArtifactPoisoningQuery actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql --- .../ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 9f3ed33db961..af3b9d62367c 100644 --- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll @@ -333,8 +333,6 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } - Location getASelectedSourceLocation(DataFlow::Node source) { none() } - Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() or From edc72d29d772c1fcbd7a821254a3b6995f899af1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 15 Oct 2025 12:50:11 +0200 Subject: [PATCH 54/77] Actions/EnvPathInjectionQuery actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql --- .../ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll index 46c1c4d32006..e97bbbb2b805 100644 --- a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll +++ b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll @@ -130,8 +130,6 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } - Location getASelectedSourceLocation(DataFlow::Node source) { none() } - Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() or From c40223319cdc197bc3fe2ed3a4156052de5b6f08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 15 Oct 2025 12:52:07 +0200 Subject: [PATCH 55/77] Actions/EnvVarInjectionQuery actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql --- actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index ea8a800ef3f6..40810477d927 100644 --- a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll 
@@ -184,8 +184,6 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } - Location getASelectedSourceLocation(DataFlow::Node source) { none() } - Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() or From 62fde8f6e773f801a38f27398eb3f0a8c0784820 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 15 Oct 2025 13:02:36 +0200 Subject: [PATCH 56/77] Actions/ArgumentInjectionQuery actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql --- .../ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll index 1795e9493cb4..7d3334adcf31 100644 --- a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll +++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll @@ -100,8 +100,6 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } - Location getASelectedSourceLocation(DataFlow::Node source) { none() } - Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() or From 974d174757808eaaa7a2784b6c12f70d03019907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 15 Oct 2025 13:05:51 +0200 Subject: [PATCH 57/77] Actions/CodeInjectionQuery actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql --- actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll index c58e3949a024..0f77acc2444b 100644 --- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll +++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll @@ -80,8 +80,6 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } - Location getASelectedSourceLocation(DataFlow::Node source) { none() } - Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() or From 464f6cb096dbcbaf44ad6811fd941d40249cb48e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 15 Oct 2025 13:17:29 +0200 Subject: [PATCH 58/77] C++/ConstantSizeArrayOffByOne --- .../Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql index b7b2de6000ae..58f5dc2ade4b 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql 
@@ -187,12 +187,14 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
-    exists(Variable v | result = v.getLocation() | isSourceImpl(source, v))
+    exists(Variable v | result = v.getLocation() or result = source.getLocation() |
+      isSourceImpl(source, v)
+    )
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     exists(PointerArithmeticInstruction pai, Instruction deref |
-      result = [pai, deref].getLocation() and
+      result = [[pai, deref].getLocation(), sink.getLocation()] and
       isInvalidPointerDerefSink2(sink, deref, _) and
       isSink(sink, ArrayAddressToDerefConfig::TOverflowArithmetic(pai))
     )
From 65d79ff6fc624b0653d8797eb0a5ec6a04a5a272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 13:20:18 +0200
Subject: [PATCH 59/77] C++/ExecTainted
---
 cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index 9119f5271fe6..0e5f0f36f105 100644
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -155,7 +155,7 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     exists(DataFlow::Node concatResult, Expr command, ExecState state |
-      result = [concatResult.getLocation(), command.getLocation()] and
+      result = [concatResult.getLocation(), command.getLocation(), sink.getLocation()] and
       isSink(sink, state) and
       isSinkImpl(sink, command, _) and
       concatResult = state.getOutgoingNode()
From a4ac0392a6bc9cb77754b42e70e577723ec74e39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 13:30:09 +0200
Subject: [PATCH 60/77] C++/OverflowDestination
---
 cpp/ql/src/Critical/OverflowDestination.ql | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql
index df14cafd1527..f3f25dfa8223 100644
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -85,10 +85,8 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(FunctionCall fc | result = fc.getLocation() |
+    exists(FunctionCall fc | result = [fc.getLocation(), sink.getLocation()] |
       sourceSized(fc, sink.asIndirectConvertedExpr())
     )
   }
From 2756e8255fe246ec4939fdaac3cd6ab56b80cec1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 13:30:40 +0200
Subject: [PATCH 61/77] C++/UnboundedWrite
---
 cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
index ff9bc59b716b..4d33ede93150 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -128,7 +128,7 @@ module Config implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(BufferWrite bw | result = bw.getLocation() | isSink(sink, bw, _))
+    exists(BufferWrite bw | result = [bw.getLocation(), sink.getLocation()] | isSink(sink, bw, _))
   }
 }
From f7a1a4cf755a0213e9b423ad3d1ce0baefd14056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 13:37:06 +0200
Subject: [PATCH 62/77] C++/NonConstantFormat
---
 cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
index 34817ff92295..ed39b8da5cd1 100644
--- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -171,12 +171,10 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(FormattingFunctionCall call, Expr formatString | result = call.getLocation() |
+    exists(FormattingFunctionCall call, Expr formatString |
+      result = [call.getLocation(), sink.getLocation()]
+    |
       isSinkImpl(sink, formatString) and
       call.getArgument(call.getFormatParameterIndex()) = formatString
     )
From 0ed27f4e81ebc8d1d3d57eae32f3cee33712715b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 13:39:20 +0200
Subject: [PATCH 63/77] C++/CleartextSqliteDatabase
---
 cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
index a6f567600f9d..7cd146e2cace 100644
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -127,13 +127,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
-    exists(SensitiveExpr sensitive | result = sensitive.getLocation() |
+    exists(SensitiveExpr sensitive | result = [sensitive.getLocation(), source.getLocation()] |
       isSourceImpl(source, sensitive)
     )
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(SqliteFunctionCall sqliteCall | result = sqliteCall.getLocation() |
+    exists(SqliteFunctionCall sqliteCall | result = [sqliteCall.getLocation(), sink.getLocation()] |
       isSinkImpl(sink, sqliteCall, _)
     )
   }
From 17b261a506e1b58bee23c1fc2e3cdebf8507b94b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 13:52:37 +0200
Subject: [PATCH 64/77] C++/AuthenticationBypass
---
 cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
index 74386b30bbab..8ee429b8c529 100644
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -76,7 +76,9 @@ module Config implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(Expr condition | result = condition.getLocation() | isSink(sink, condition))
+    exists(Expr condition | result = [condition.getLocation(), sink.getLocation()] |
+      isSink(sink, condition)
+    )
   }
 }
From d89aa0f19daf60e06a8c44c8ba7243c900831e7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:03:40 +0200
Subject: [PATCH 65/77] C++/CleartextBufferWrite
---
 cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
index c671ad5af7f2..c03c433a532d 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -51,7 +51,9 @@ module ToBufferConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(SensitiveBufferWrite w | result = w.getLocation() | isSinkImpl(sink, w))
+    exists(SensitiveBufferWrite w | result = [w.getLocation(), sink.getLocation()] |
+      isSinkImpl(sink, w)
+    )
   }
 }
From b0180409f41f58e0a528ff4046b82987a7f1e0a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:04:32 +0200
Subject: [PATCH 66/77] C++/CleartextFileWrite
---
 cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
index 6aff19ceb4af..17f4b7ae0fdb 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -35,11 +35,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node sourceNode) {
-    exists(SensitiveExpr source | result = source.getLocation() | isSourceImpl(sourceNode, source))
+    exists(SensitiveExpr source | result = [source.getLocation(), sourceNode.getLocation()] |
+      isSourceImpl(sourceNode, source)
+    )
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(FileWrite w | result = w.getLocation() | isSinkImpl(sink, w, _))
+    exists(FileWrite w | result = [w.getLocation(), sink.getLocation()] | isSinkImpl(sink, w, _))
   }
 }
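Review bot: In the rewritten getASelectedSourceLocation of CleartextFileWrite.ql the local `source` is the SensitiveExpr while the node parameter is `sourceNode`, which is the reverse of the naming in the sibling FromSensitiveConfig of CleartextSqliteDatabase.ql (patch 63), where the node is `source` and the expression is `sensitive`. With the new set literal `[source.getLocation(), sourceNode.getLocation()]` on one line the two names read as near-duplicates and it takes a second look to see which one is the data-flow node. Renaming the local makes the new disjunct read the same way as its sibling: `exists(SensitiveExpr sensitive | result = [sensitive.getLocation(), sourceNode.getLocation()] |` / `isSourceImpl(sourceNode, sensitive)` / `)`. This is a point of style only; a rename does not alter what the predicate selects.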
From bbe2bf2b7fa0a1a7133f6b2174a530a00a487b20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:05:15 +0200
Subject: [PATCH 67/77] C++/CleartextTransmission
---
 cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index 10bb10d6a2bb..01d078cf545c 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -249,7 +249,9 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(NetworkSendRecv networkSendRecv | result = networkSendRecv.getLocation() |
+    exists(NetworkSendRecv networkSendRecv |
+      result = [networkSendRecv.getLocation(), sink.getLocation()]
+    |
       isSinkSendRecv(sink, networkSendRecv)
     )
   }
From 1321cbb021627fe4b71d7eb1c48cd8eaf94dd971 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:10:12 +0200
Subject: [PATCH 68/77] C++/DecompressionBombs
---
 .../src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
index fbeb4cde5fd1..ec4ba042cb7e 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
@@ -31,8 +31,6 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     exists(FunctionCall fc | result = [sink.getLocation(), fc.getLocation()] | isSink(fc, sink))
   }
From f3d51e01513c643cefa4e5e9c6c8e291dfd8d98a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:15:43 +0200
Subject: [PATCH 69/77] C++/ArithmeticUncontrolled
---
 cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 64705f078c69..55158ccbf726 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -124,7 +124,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
-    result = getExpr(source).getLocation()
+    result = [getExpr(source).getLocation(), source.getLocation()]
   }
 }
From a65d4d59975bd653adcd004d4ae108ef54d44dfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:20:24 +0200
Subject: [PATCH 70/77] C++/TaintedAllocationSize
---
 cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index 0149f483cc12..cf3542ebae5c 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -95,7 +95,7 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(Expr alloc | result = alloc.getLocation() | allocSink(alloc, sink))
+    exists(Expr alloc | result = [alloc.getLocation(), sink.getLocation()] | allocSink(alloc, sink))
   }
 }
From ec63547925ea5173ca55df7c891317ea8faa7db9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:35:13 +0200
Subject: [PATCH 71/77] C++/UseOfHttp
---
 cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
index d12340035bde..f6db506f47cc 100644
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -91,10 +91,8 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
-    result = source.asIndirectExpr().getLocation()
+    result = [source.asIndirectExpr().getLocation(), source.getLocation()]
   }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
 }
 module HttpStringToUrlOpen = TaintTracking::Global;
From d41268fc843732e5469dd3af2897796d11f73f03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:37:52 +0200
Subject: [PATCH 72/77] Go/UnhandledCloseWritableHandle
---
 go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
index 48e4f98fdb22..25b1c8ae8fc9 100644
--- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -132,7 +132,7 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
-    exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
+    exists(DataFlow::CallNode openCall | result = [openCall.getLocation(), source.getLocation()] |
       isWritableFileHandle(source, openCall)
     )
   }
From 0f0bd0f455cf6ea8361b026c5a05e5c3a1010fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:41:36 +0200
Subject: [PATCH 73/77] Go/SSRF
go/ql/src/experimental/CWE-918/SSRF.ql
---
 go/ql/src/experimental/CWE-918/SSRF.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
index f0d3cc935a14..998ce83ba74c 100644
--- a/go/ql/src/experimental/CWE-918/SSRF.qll
+++ b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -33,9 +33,9 @@ module ServerSideRequestForgery {
   predicate observeDiffInformedIncrementalMode() { any() }
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
   Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
     result = sink.(Sink).getARequest().getLocation()
   }
 }
From 4952cb27fbb7a5818baf6e6976023f5e0176851c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 14:54:05 +0200
Subject: [PATCH 74/77] Rust/AccessAfterLifetime
---
 rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
index fce64dcf0ff1..65c6d8616381 100644
--- a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
+++ b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
@@ -32,7 +32,9 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
-    exists(Variable target, DataFlow::Node sink | result = target.getLocation() |
+    exists(Variable target, DataFlow::Node sink |
+      result = [target.getLocation(), source.getLocation()]
+    |
       isSink(sink) and
       narrowDereferenceAfterLifetime(source, sink, target)
     )
From 8e0c453c37262447878f407121d4f0d1c01b5fe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 15:07:34 +0200
Subject: [PATCH 75/77] Rust/InsecureCookie
---
 rust/ql/src/queries/security/CWE-614/InsecureCookie.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql b/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
index e2d7288db45b..3fb4924470fe 100644
--- a/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
+++ b/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
@@ -74,7 +74,9 @@ module PartitionedCookieConfig implements DataFlow::ConfigSig {
     node instanceof Barrier
   }
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used negatively
+  }
 }
 module InsecureCookieFlow = TaintTracking::Global;
From 96e153676919539aa42ab7477309600506f31965 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 15 Oct 2025 16:29:39 +0200
Subject: [PATCH 76/77] C++/SqlTainted
---
 cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 5a823b8672c5..5d08afbe304a 100644
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
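Review bot: The comment `// only used negatively` on the new `none()` body of PartitionedCookieConfig.observeDiffInformedIncrementalMode in InsecureCookie.ql is too terse to tell a maintainer why this configuration, alone among those touched in this series, opts out of diff-informed mode. If the reading is right that PartitionedCookieConfig is consumed only to suppress results, a comment such as `// This configuration is only used negatively (to exclude results), so it must not be diff-informed: pruning its flows to the diff range would drop the evidence that suppresses alerts.` would make the `none()` self-explaining and would stop a later clean-up from "fixing" it back to `any()`. The module whose results it suppresses is outside this hunk, so naming it in the comment would also help.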
@@ -58,7 +58,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(Expr taintedArg | result = taintedArg.getLocation() | taintedArg = asSinkExpr(sink))
+    exists(Expr taintedArg | result = [taintedArg.getLocation(), sink.getLocation()] |
+      taintedArg = asSinkExpr(sink)
+    )
   }
 }
From a0975e7e196691c313b268371dd9989d9474bee3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 16 Oct 2025 14:19:05 +0200
Subject: [PATCH 77/77] Constrain location overrides to actual sources/sinks
---
 .../Security/CWE/CWE-190/ArithmeticUncontrolled.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql | 1 +
 .../code/java/security/ArithmeticTaintedQuery.qll | 12 ++++++------
 .../java/security/ArithmeticUncontrolledQuery.qll | 12 ++++++------
 .../java/security/BrokenCryptoAlgorithmQuery.qll | 8 +++++---
 .../semmle/code/java/security/CommandLineQuery.qll | 8 +++++---
 .../code/java/security/ConditionalBypassQuery.qll | 4 +---
 ...lidationOfArrayConstructionCodeSpecifiedQuery.qll | 7 ++++---
 .../ImproperValidationOfArrayConstructionQuery.qll | 7 ++++---
 .../java/security/UnsafeDeserializationQuery.qll | 2 +-
 .../ShellCommandInjectionFromEnvironmentQuery.qll | 4 +---
 .../swift/security/CleartextStorageDatabaseQuery.qll | 6 +++++-
 .../security/CleartextStoragePreferencesQuery.qll | 6 +++++-
 13 files changed, 45 insertions(+), 33 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 55158ccbf726..3126573ac5a2 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -124,6 +124,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [getExpr(source).getLocation(), source.getLocation()]
   }
 }
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
index f6db506f47cc..682d83874333 100644
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -91,6 +91,7 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [source.asIndirectExpr().getLocation(), source.getLocation()]
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
index c3d4e7876d56..65e73f841495 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -19,9 +19,9 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
@@ -45,9 +45,9 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
index ac79aef3f377..3c1ceaddc2fe 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -25,9 +25,9 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
@@ -48,9 +48,9 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
index 9bcf9dc2eaf2..60f1e179397c 100644
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -36,9 +36,11 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())
+    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() |
+      result = c.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
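Review bot: Within this one commit the constrained sink-location override is spelled two different ways: ArithmeticTaintedQuery.qll, ArithmeticUncontrolledQuery.qll, ConditionalBypassQuery.qll and ShellCommandInjectionFromEnvironmentQuery.qll use the set literal `result = [x.getLocation(), sink.getLocation()]`, while BrokenCryptoAlgorithmQuery.qll here, and CommandLineQuery.qll and the two ImproperValidationOfArrayConstruction files after it, write the disjunction out as `result = c.getLocation() or result = sink.getLocation()` inside the `exists`. The two forms select the same set, but since the commit's purpose is to make every override uniformly constrained by its sink predicate, one shape would make the next audit of these overrides a simple grep; for this hunk that is `exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = [c.getLocation(), sink.getLocation()])`. Style only.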
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 82d24eb718ec..b6b9d02e289d 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -66,9 +66,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   // ExecTainted.ql queries use the argument as the primary location;
   // ExecUnescaped.ql does not (used to prevent overlapping results).
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+    exists(Expr argument | argumentToExec(argument, sink) |
+      result = argument.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
index 087ca674cda6..babf129f19e6 100644
--- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -51,9 +51,7 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(MethodCall m, Expr e | result = [m, e].getLocation() |
+    exists(MethodCall m, Expr e | result = [[m, e].getLocation(), sink.getLocation()] |
       conditionControlsMethod(m, e) and
       sink.asExpr() = e
     )
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
index 487d9e3924e1..97a6d159bc94 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -21,10 +21,11 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
index d37a8d882b3e..74b8af7e588f 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -18,10 +18,11 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index e0a66626be44..dc771a466063 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -313,7 +313,7 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
+    result = sink.(UnsafeDeserializationSink).getLocation()
     or
     result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
index 34cee84aaae2..e1dcdd339d9b 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -31,11 +31,9 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate observeDiffInformedIncrementalMode() { any() }
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(DataFlow::Node node |
       isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+      result = [node.getLocation(), sink.getLocation()]
     )
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
index 21bcb89efe4f..50a421a05dc4 100644
--- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -54,7 +54,11 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStorageDatabaseSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStorageDatabaseSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
index a0d3414f2497..578fe0b36e0a 100644
--- a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
@@ -36,7 +36,11 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStoragePreferencesSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStoragePreferencesSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }