Merge pull request #20075 from d10c/d10c/diff-informed-phase-3-go

d10c · web-flow · commit 0512940c0c46 · 2025-08-15T12:23:53.000+02:00
Go: Diff-informed queries: phase 3 (non-trivial locations)
diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -56,6 +56,17 @@ module AllocationSizeOverflow {
         succ = c
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.getLocation()
+      or
+      exists(DataFlow::Node allocsz |
+        isSinkWithAllocationSize(sink, allocsz) and
+        result = allocsz.getLocation()
+      )
+    }
   }
 
   /** Tracks taint flow to find allocation-size overflows. */
diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll
@@ -24,6 +24,8 @@ module CommandInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
@@ -80,6 +82,8 @@ module CommandInjection {
       node instanceof Sanitizer or
       node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -30,6 +30,8 @@ module HardcodedCredentials {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about hardcoded credentials. */
diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
     state2 = node2.(FlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2, _)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getASuccessor().getLocation()
+  }
 }
 
 /**
diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
@@ -39,6 +39,10 @@ module InsecureRandomness {
         n2.getType() instanceof IntegerType
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      none() // Can't have accurate sink location override because of secondary use of `flowPath` in select.
+    }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll
@@ -22,6 +22,14 @@ module ReflectedXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.getLocation()
+      or
+      result = sink.(SharedXss::Sink).getAssociatedLoc().getLocation()
+    }
   }
 
   /** Tracks taint flow from untrusted data to XSS attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -31,6 +31,14 @@ module RequestForgery {
         w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.getLocation()
+      or
+      result = sink.(Sink).getARequest().getLocation()
+    }
   }
 
   /** Tracks taint flow from untrusted data to request forgery attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -36,6 +36,10 @@ module SafeUrlFlow {
       or
       node instanceof SanitizerEdge
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      none() // only used as secondary configuration
+    }
   }
 
   /** Tracks taint flow for reasoning about safe URLs. */
diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -128,6 +128,14 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
+      isWritableFileHandle(source, openCall)
+    )
+  }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -68,6 +68,8 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
@@ -123,6 +123,17 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = source.getLocation()
+    or
+    exists(DataFlow::Node check |
+      isCheckedSource(source, check) and
+      result = check.getLocation()
+    )
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -116,6 +116,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // Merged with other flows in CookieWithoutHttpOnly.ql
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 
 /**
diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -59,6 +59,14 @@ private module Config implements DataFlow::ConfigSig {
       not c.isPotentialFalsePositive()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(ComparisonExpr comp | result = comp.getLocation() | sink.asExpr() = comp.getAnOperand())
+  }
 }
 
 /**
diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
@@ -22,6 +22,10 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // can't override the locations accurately because of secondary use of config.
+  }
 }
 
 /** Tracks taint flow for reasoning about conditional bypass. */
diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -30,6 +30,14 @@ module ServerSideRequestForgery {
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
     predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.(Sink).getARequest().getLocation()
+    }
   }
 
   /** Tracks taint flow for reasoning about request forgery vulnerabilities. */

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,17 @@ module AllocationSizeOverflow {`
`56`	`56`	`succ = c`
`57`	`57`	`)`
`58`	`58`	`}`
	`59`	`+`
	`60`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`61`	`+`
	`62`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`63`	`+ result = sink.getLocation()`
	`64`	`+ or`
	`65`	`+ exists(DataFlow::Node allocsz \|`
	`66`	`+ isSinkWithAllocationSize(sink, allocsz) and`
	`67`	`+ result = allocsz.getLocation()`
	`68`	`+ )`
	`69`	`+ }`
`59`	`70`	`}`
`60`	`71`
`61`	`72`	`/** Tracks taint flow to find allocation-size overflows. */`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ module CommandInjection {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`/**`
`@@ -80,6 +82,8 @@ module CommandInjection {`
`80`	`82`	`node instanceof Sanitizer or`
`81`	`83`	`node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()`
`82`	`84`	`}`
	`85`	`+`
	`86`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`83`	`87`	`}`
`84`	`88`
`85`	`89`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {`
`186`	`186`	`predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }`
`187`	`187`
`188`	`188`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
	`189`	`+`
	`190`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`189`	`191`	`}`
`190`	`192`
`191`	`193`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,8 @@ module HardcodedCredentials {`
`30`	`30`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`31`	`31`
`32`	`32`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`33`	`+`
	`34`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`/** Tracks taint flow for reasoning about hardcoded credentials. */`
Original file line number	Diff line number	Diff line change
`@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf`
`440`	`440`	`state2 = node2.(FlowStateTransformer).transform(state1) and`
`441`	`441`	`DataFlow::simpleLocalFlowStep(node1, node2, _)`
`442`	`442`	`}`
	`443`	`+`
	`444`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`445`	`+`
	`446`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`447`	`+ result = sink.getASuccessor().getLocation()`
	`448`	`+ }`
`443`	`449`	`}`
`444`	`450`
`445`	`451`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,10 @@ module InsecureRandomness {`
`39`	`39`	`n2.getType() instanceof IntegerType`
`40`	`40`	`)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() {`
	`44`	+ none() // Can't have accurate sink location override because of secondary use of `flowPath` in select.
	`45`	`+ }`
`42`	`46`	`}`
`43`	`47`
`44`	`48`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,14 @@ module RequestForgery {`
`31`	`31`	`w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()`
`32`	`32`	`)`
`33`	`33`	`}`
	`34`	`+`
	`35`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`36`	`+`
	`37`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`38`	`+ result = sink.getLocation()`
	`39`	`+ or`
	`40`	`+ result = sink.(Sink).getARequest().getLocation()`
	`41`	`+ }`
`34`	`42`	`}`
`35`	`43`
`36`	`44`	`/** Tracks taint flow from untrusted data to request forgery attack vectors. */`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,10 @@ module SafeUrlFlow {`
`36`	`36`	`or`
`37`	`37`	`node instanceof SanitizerEdge`
`38`	`38`	`}`
	`39`	`+`
	`40`	`+ predicate observeDiffInformedIncrementalMode() {`
	`41`	`+ none() // only used as secondary configuration`
	`42`	`+ }`
`39`	`43`	`}`
`40`	`44`
`41`	`45`	`/** Tracks taint flow for reasoning about safe URLs. */`