Ruby: patch-generated stubs

d10c · d10c · commit 7bcd749b0ae1 · 2025-07-03T17:50:21.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
@@ -28,8 +28,6 @@ module NormalHashFunction {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
-
-    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -56,8 +54,6 @@ module ComputationallyExpensiveHashFunction {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
-
-    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
@@ -17,6 +17,10 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 selects sink.getCallNode (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql@20:41:20:62), Column 9 selects sink.getRegex (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql@20:76:20:94)
+  }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
@@ -18,6 +18,10 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getHighlight (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql@27:8:27:30), Column 5 selects sink.getRegExp (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql@29:67:29:72)
+  }
 }
 
 /**
diff --git a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -59,11 +59,16 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 78 (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql@81:84:81:86)
+  }
+
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     exists(FileSystemPermissionModification mod |
       sinkDef(sink, mod) and
       result = mod.getLocation()
     )
+    // TODO: Make sure that this sink location matches the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 78 (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql@81:84:81:86)
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,6 @@ module NormalHashFunction {`
`28`	`28`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`29`	`29`
`30`	`30`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
`31`		`-`
`32`		`- predicate observeDiffInformedIncrementalMode() { any() }`
`33`	`31`	`}`
`34`	`32`
`35`	`33`	`/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */`
`@@ -56,8 +54,6 @@ module ComputationallyExpensiveHashFunction {`
`56`	`54`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`57`	`55`
`58`	`56`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
`59`		`-`
`60`		`- predicate observeDiffInformedIncrementalMode() { any() }`
`61`	`57`	`}`
`62`	`58`
`63`	`59`	`/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,10 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig {`
`17`	`17`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`18`	`18`
`19`	`19`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`20`	`+`
	`21`	`+ predicate observeDiffInformedIncrementalMode() {`
	`22`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 selects sink.getCallNode (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql@20:41:20:62), Column 9 selects sink.getRegex (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql@20:76:20:94)`
	`23`	`+ }`
`20`	`24`	`}`
`21`	`25`
`22`	`26`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,10 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`19`	`19`
`20`	`20`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`21`	`+`
	`22`	`+ predicate observeDiffInformedIncrementalMode() {`
	`23`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getHighlight (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql@27:8:27:30), Column 5 selects sink.getRegExp (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql@29:67:29:72)`
	`24`	`+ }`
`21`	`25`	`}`
`22`	`26`
`23`	`27`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -59,11 +59,16 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {`
`59`	`59`
`60`	`60`	`predicate observeDiffInformedIncrementalMode() { any() }`
`61`	`61`
	`62`	`+ Location getASelectedSourceLocation(DataFlow::Node source) {`
	`63`	`+ none() // TODO: Make sure that this source location matches the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 78 (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql@81:84:81:86)`
	`64`	`+ }`
	`65`	`+`
`62`	`66`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`63`	`67`	`exists(FileSystemPermissionModification mod \|`
`64`	`68`	`sinkDef(sink, mod) and`
`65`	`69`	`result = mod.getLocation()`
`66`	`70`	`)`
	`71`	`+ // TODO: Make sure that this sink location matches the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 78 (/Users/d10c/src/semmle-code/ql/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql@81:84:81:86)`
`67`	`72`	`}`
`68`	`73`	`}`
`69`	`74`