JS: Diff-informed queries: phase 3 (non-trivial locations) #20078
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR enables diff-informed mode on JavaScript queries that select locations other than dataflow sources or sinks by implementing non-trivial location overrides. The changes add the necessary predicates to support diff-informed incremental analysis while ensuring proper location reporting for query results.
Key changes:
- Adds
observeDiffInformedIncrementalMode()predicates to enable/disable diff-informed mode on specific queries - Implements
getASelectedSinkLocation()methods to override location selection for queries with custom highlighting logic - Refactors location selection logic to handle cases where custom sink highlighting is available
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| decodeJwtWithoutVerification.ql | Disables diff-informed mode due to secondary config usage |
| EnvValueAndKeyInjection.ql | Disables diff-informed mode due to complex location override requirements |
| ShellCommandInjectionFromEnvironmentQuery.qll | Enables diff-informed mode and refactors location selection logic |
| IndirectCommandInjectionQuery.qll | Enables diff-informed mode and refactors location selection logic |
| isSinkWithHighlight(sink, node) and | ||
| result = node.getLocation() | ||
| exists(DataFlow::Node highlight | result = highlight.getLocation() | | ||
| if isSinkWithHighlight(sink, _) |
There was a problem hiding this comment.
Why is this changed needed?
According to the data flow configuration the sink nodes are exactly those where isSinkWithHighlight(sink, _) holds.
There was a problem hiding this comment.
It also seems off to me. The change causes getASelectedSinkLocation to contain an entry all data flow nodes. It should be restricted to those that are sinks, which it was to begin with.
There was a problem hiding this comment.
Ok, I see. The original query contains:
if IndirectCommandInjectionConfig::isSinkWithHighlight(sink.getNode(), _)
then IndirectCommandInjectionConfig::isSinkWithHighlight(sink.getNode(), highlight)
else highlight = sink.getNode()which is what this diff does. But isSinkWithHighlight is sink = highlight or isIndirectCommandArgument(sink, highlight), so you can't have not isSinkWithHighlight(sink, _) and highlight = sink). So the original is correct.
| exists(DataFlow::Node node | | ||
| isSinkWithHighlight(sink, node) and | ||
| result = node.getLocation() | ||
| exists(DataFlow::Node highlight | result = highlight.getLocation() | |
|
Since this PR adds nothing new to #18574, I will close it. |
This PR enables diff-informed mode on queries that select a location other than dataflow source or sink. This entails adding a non-trivial location override that returns the locations that are actually selected.
Prior work includes PRs like #19663, #19759, and #19817. This PR uses the same patch script as those PRs to find candidate queries to convert to diff-enabled. This is the final step in mass-enabling diff-informed queries on all the languages.
Commit-by-commit reviewing is recommended.