Actions: mass enable diff-informed data flow

asgerf · asgerf · commit 54d2ae2482d1 · 2025-01-23T10:29:18.000+01:00
diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -88,6 +88,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-088/ArgumentInjectionCritical.ql:29: Column 7 does not select a source or sink originating from the flow call on line 22
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -316,6 +316,12 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql:28: Column 7 does not select a source or sink originating from the flow call on line 21
+    none()
+  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -35,6 +35,13 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-094/CodeInjectionCritical.ql:36: Column 7 does not select a source or sink originating from the flow call on line 24
+    // ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql:48: Column 7 does not select a source or sink originating from the flow call on line 23
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
diff --git a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -16,6 +16,12 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/CommandInjectionCritical.ql:30: Column 7 does not select a source or sink originating from the flow call on line 23
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -108,6 +108,12 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-077/EnvPathInjectionCritical.ql:39: Column 7 does not select a source or sink originating from the flow call on line 23
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -163,6 +163,12 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-077/EnvVarInjectionCritical.ql:48: Column 7 does not select a source or sink originating from the flow call on line 24
+    none()
+  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
diff --git a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCheckoutConfig>;
@@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ActionsSHACheckoutFlow = TaintTracking::Global<ActionsSHACheckoutConfig>;
diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {`
`88`	`88`	`run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)`
`89`	`89`	`)`
`90`	`90`	`}`
	`91`	`+`
	`92`	`+ predicate observeDiffInformedIncrementalMode() {`
	`93`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`94`	`+ // ql/src/Security/CWE-088/ArgumentInjectionCritical.ql:29: Column 7 does not select a source or sink originating from the flow call on line 22`
	`95`	`+ none()`
	`96`	`+ }`
`91`	`97`	`}`
`92`	`98`
`93`	`99`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */`
Original file line number	Diff line number	Diff line change
`@@ -316,6 +316,12 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {`
`316`	`316`	`exists(run.getScript().getAFileReadCommand())`
`317`	`317`	`)`
`318`	`318`	`}`
	`319`	`+`
	`320`	`+ predicate observeDiffInformedIncrementalMode() {`
	`321`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`322`	`+ // ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql:28: Column 7 does not select a source or sink originating from the flow call on line 21`
	`323`	`+ none()`
	`324`	`+ }`
`319`	`325`	`}`
`320`	`326`
`321`	`327`	`/** Tracks flow of unsafe artifacts that is used in an insecure way. */`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,13 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {`
`35`	`35`	`exists(run.getScript().getAFileReadCommand())`
`36`	`36`	`)`
`37`	`37`	`}`
	`38`	`+`
	`39`	`+ predicate observeDiffInformedIncrementalMode() {`
	`40`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`41`	`+ // ql/src/Security/CWE-094/CodeInjectionCritical.ql:36: Column 7 does not select a source or sink originating from the flow call on line 24`
	`42`	`+ // ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql:48: Column 7 does not select a source or sink originating from the flow call on line 23`
	`43`	`+ none()`
	`44`	`+ }`
`38`	`45`	`}`
`39`	`46`
`40`	`47`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */`
Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,12 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {`
`108`	`108`	`exists(run.getScript().getAFileReadCommand())`
`109`	`109`	`)`
`110`	`110`	`}`
	`111`	`+`
	`112`	`+ predicate observeDiffInformedIncrementalMode() {`
	`113`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`114`	`+ // ql/src/Security/CWE-077/EnvPathInjectionCritical.ql:39: Column 7 does not select a source or sink originating from the flow call on line 23`
	`115`	`+ none()`
	`116`	`+ }`
`111`	`117`	`}`
`112`	`118`
`113`	`119`	`/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,12 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {`
`163`	`163`	`exists(run.getScript().getAFileReadCommand())`
`164`	`164`	`)`
`165`	`165`	`}`
	`166`	`+`
	`167`	`+ predicate observeDiffInformedIncrementalMode() {`
	`168`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`169`	`+ // ql/src/Security/CWE-077/EnvVarInjectionCritical.ql:48: Column 7 does not select a source or sink originating from the flow call on line 24`
	`170`	`+ none()`
	`171`	`+ }`
`166`	`172`	`}`
`167`	`173`
`168`	`174`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {`
`214`	`214`	`)`
`215`	`215`	`)`
`216`	`216`	`}`
	`217`	`+`
	`218`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`217`	`219`	`}`
`218`	`220`
`219`	`221`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {`
`16`	`16`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`17`	`17`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }`
	`19`	`+`
	`20`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {`
`15`	`15`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`16`	`16`
`17`	`17`	`predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }`
	`18`	`+`
	`19`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {`
`70`	`70`	`exists(run.getScript().getAFileReadCommand())`
`71`	`71`	`)`
`72`	`72`	`}`
	`73`	`+`
	`74`	`+ predicate observeDiffInformedIncrementalMode() {`
	`75`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`76`	`+ // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause`
	`77`	`+ none()`
	`78`	`+ }`
`73`	`79`	`}`
`74`	`80`
`75`	`81`	`module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCheckoutConfig>;`
`@@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {`
`121`	`127`	`exists(run.getScript().getAFileReadCommand())`
`122`	`128`	`)`
`123`	`129`	`}`
	`130`	`+`
	`131`	`+ predicate observeDiffInformedIncrementalMode() {`
	`132`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`133`	`+ // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause`
	`134`	`+ none()`
	`135`	`+ }`
`124`	`136`	`}`
`125`	`137`
`126`	`138`	`module ActionsSHACheckoutFlow = TaintTracking::Global<ActionsSHACheckoutConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {`
`24`	`24`	`predicate isSink(DataFlow::Node sink) {`
`25`	`25`	`sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`module MyFlow = TaintTracking::Global<MyConfig>;`