From 43e318fb60d57fda0bea74bd03f4456554686e01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:06:17 +0200
Subject: [PATCH 1/4] [DIFF-INFORMED] JS: IndirectCommandInjection

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql#L25
---
 .../security/dataflow/IndirectCommandInjectionQuery.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
index 87d85911a1ba..dc08ff47acf6 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -30,9 +30,10 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(DataFlow::Node node |
-      isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+    exists(DataFlow::Node highlight | result = highlight.getLocation() |
+      if isSinkWithHighlight(sink, _)
+      then isSinkWithHighlight(sink, highlight)
+      else highlight = sink
     )
   }
 }

From f3974c3c343ac341f1ea008cdd522b32be6d8fea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:07:08 +0200
Subject: [PATCH 2/4] [DIFF-INFORMED] JS: ShellCommandInjectionFromEnvironment

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql#L26
---
 .../dataflow/ShellCommandInjectionFromEnvironmentQuery.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

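Review bot: The `else highlight = sink` branch is the behavioural change here — a sink with no highlight row now contributes its own location to the diff-range check instead of contributing nothing — and nothing in the hunk records why, so a comment above the `if` would help: `// Sinks that have no highlight node fall back to their own location, so diff-informed pruning does not silently drop them.` The fallback only keeps pruning sound if the query's select clause (IndirectCommandInjection.ql line 25, linked in the description but not in this patch) reports the same node for such sinks; that should be confirmed rather than assumed, since a mismatch here does not fail loudly but quietly discards alerts in changed code. Note that when several highlight nodes exist for one sink, every highlight location is selected, which is presumably the intent for a range check.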
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
index 1d396da5b20d..f95dc66b06ff 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -31,9 +31,10 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    exists(DataFlow::Node node |
-      isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+    exists(DataFlow::Node highlight | result = highlight.getLocation() |
+      if isSinkWithHighlight(sink, _)
+      then isSinkWithHighlight(sink, highlight)
+      else highlight = sink
     )
   }
 }

From 4b43cf4834ad4ed4666851622436ef6d6b7632e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:08:26 +0200
Subject: [PATCH 3/4] [DIFF-INFORMED] JS: EnvValueAndKeyInjection

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql#L68
---
 .../experimental/Security/CWE-099/EnvValueAndKeyInjection.ql | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
index e66406f84053..53a31c3268de 100644
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
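Review bot: The rewritten `getASelectedSinkLocation` is the same body that patch 1/4 adds to IndirectCommandInjectionQuery.qll, and both depend on the same `isSinkWithHighlight` shape; if the two configs share a sink library, a single helper such as `Location highlightOrSelfLocation(DataFlow::Node sink)` would keep the fallback rule from drifting between them. If they do not, the undocumented `else highlight = sink` branch should at least carry the same explanatory comment here, because it is the line that decides whether a highlight-less sink is considered by diff-informed pruning. As in patch 1/4, the selected location has to agree with what ShellCommandInjectionFromEnvironment.ql line 26 actually reports, which this patch does not show.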
@@ -33,6 +33,10 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // can't override location accurately because of secondary use in select.
+  }
 }
 
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global;

From bd6b27e6061b0bba16e0d2d2818df6aead98e90c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 16:08:57 +0200
Subject: [PATCH 4/4] [DIFF-INFORMED] JS: decodeJwtWithoutVerification

---
 .../Security/CWE-347/decodeJwtWithoutVerification.ql | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
index 429744bbbd1d..17d66cdf5770 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -27,6 +27,10 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // used as secondary config
+  }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global;
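Review bot: The comment on the added `none()` is too compressed to guide whoever revisits it when the diff-informed default changes — "secondary use in select" does not say which relation the select clause reuses or why that defeats `getASelectedSinkLocation`. Something like `// Opt out of diff-informed pruning: the select clause (line 68) reads this config's relations outside the flow path, so no single selected location covers everything an alert depends on.` would make the trade-off explicit; the select clause is outside this hunk, so the wording should be checked against it. Opting out is the conservative direction — pruning only ever removes results, so a wrong location override would hide real env-injection findings in changed code, whereas `none()` only costs query time. The enclosing `isSink` predicate whose closing parens open this hunk starts before it.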
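Review bot: `// used as secondary config` names a fact but not its consequence, which is the part a maintainer needs: if `VerifiedDecodeFlow` is, as the name suggests, consulted by the primary query to suppress decodes that are also verified, pruning its paths to the diff would remove suppressions rather than alerts and resurface false positives on tokens verified outside the changed lines. A comment that says so, e.g. `// Not diff-informed: this flow suppresses results of the primary config, so pruning it would resurface suppressed alerts.`, records why `none()` is right even though it is the slower setting. Whether the primary config in this file opts in, and whether it uses a location override consistent with this one, is outside the hunk and worth checking in the same change.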