Diff-informed queries: phase 3 (non-trivial locations) #19957

d10c · 2025-07-02T15:30:05Z

This PR enables diff-informed mode on queries that select a location other than dataflow source or sink. This entails adding a non-trivial location override that returns the locations that are actually selected.

Prior work includes PRs like #19663, #19759, and #19817. This PR uses the same patch script as those PRs to find candidate queries to convert to diff-enabled. This is the final step in mass-enabling diff-informed queries on all the languages.

Commit-by-commit reviewing is recommended.

I have split the commits that add/modify tests from the ones that enable/disable diff-informed queries.
If the commit modifies a .qll file, in the commit message I've included links to the queries that depend on that .qll for easier reviewing.
Feel free to delegate parts of the review to others who may be more specialized in certain languages.

Potentially tricky cases:

[TEST] C++: CWE-020/ExternalAPI: add tests based on qlhelp: I wasn't able to get alerts to show up for the qhelp-based tests; can someone from the language team chip in to what a useful test would look like? Similar case with the Python TimingAttackAgainstHash test. In contrast, in [TEST] Java: CWE-020/ExternalAPI I was able to get alerts just from the qhelp example, and in [TEST] C++: CleartextSqliteDatabase I was able to get alerts from a mostly Copilot-written test.
[DIFF-INFORMED] C++: (IR) ExternalAPIs: config used in two queries, but one of them without a location; I guess that's fine?
[DIFF-INFORMED] C++: SSLResultConflation: query uses a secondary config (i.e. calls the same config twice), but this does pass tests, unlike the other queries with secondary configs. Can I get a sanity check here? Let me know if you find other cases of secondary configs that are passing tests.
[DIFF-INFORMED] Java: LogInjection: disabled because of mysterious OOM during --check-diff-informed locally and in CI. Should create a follow-up issue.
I'm not sure how important it is to have the location overrides be as precise as possible by including all the clauses from the where, or if it's good enough to overapproximate and just pass the --check-diff-informed tests.

cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql

cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql

actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

...erimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql


go/ql/lib/semmle/go/security/HardcodedCredentials.qll

java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll

java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll

java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll

cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql

d10c · 2025-07-15T08:24:06Z

DCA results: some slowdowns on Python, but they don't seem to be related to these changes. Java had some timeout-related failures, so I'll restart that. Overall, no negative performance impact on empty-diff.

…bably need to add MaD source)

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql#L26

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql#L68

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql#L18

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql#L33

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql#L32

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql#L18

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql#L24

github-actions bot added C# JS C++ Java Python Go Ruby Rust Pull requests that update Rust code Swift Actions Analysis of GitHub Actions labels Jul 2, 2025

github-advanced-security bot found potential problems Jul 2, 2025

View reviewed changes

d10c force-pushed the d10c/diff-informed-phase-3 branch from ff3a4b9 to 95fe462 Compare July 3, 2025 15:50

github-advanced-security bot found potential problems Jul 3, 2025

View reviewed changes

actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll Fixed Show fixed Hide fixed

d10c force-pushed the d10c/diff-informed-phase-3 branch 3 times, most recently from aff62c2 to 6d0ae3a Compare July 4, 2025 14:20

github-advanced-security bot found potential problems Jul 4, 2025

View reviewed changes

d10c force-pushed the d10c/diff-informed-phase-3 branch 2 times, most recently from c871f5e to 276c7f0 Compare July 7, 2025 09:42

github-advanced-security bot found potential problems Jul 7, 2025

View reviewed changes

go/ql/lib/semmle/go/security/HardcodedCredentials.qll Fixed Show fixed Hide fixed

go/ql/lib/semmle/go/security/HardcodedCredentials.qll Fixed Show fixed Hide fixed

d10c force-pushed the d10c/diff-informed-phase-3 branch 2 times, most recently from cb2db2f to c70036d Compare July 8, 2025 15:30

github-advanced-security bot found potential problems Jul 8, 2025

View reviewed changes

java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll Fixed Show fixed Hide fixed

java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll Fixed Show fixed Hide fixed

java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll Fixed Show fixed Hide fixed

d10c force-pushed the d10c/diff-informed-phase-3 branch from c70036d to 08c4cc2 Compare July 9, 2025 16:47

github-advanced-security bot found potential problems Jul 9, 2025

View reviewed changes

cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql Fixed Show fixed Hide fixed

d10c force-pushed the d10c/diff-informed-phase-3 branch 2 times, most recently from 857b583 to 3e3e856 Compare July 11, 2025 12:49

d10c added 2 commits July 16, 2025 16:57

[TEST] C++: CWE-020/ExternalAPI: add tests based on qlhelp (TODO: pro…

6485899

…bably need to add MaD source)

[TEST] C++: CleartextSqliteDatabase: add new test

9fda6f5

d10c added 17 commits July 16, 2025 17:34

[DIFF-INFORMED] JS: ShellCommandInjectionFromEnvironment

5a8d5ca

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql#L26

[DIFF-INFORMED] JS: EnvValueAndKeyInjection

c92266a

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql#L68

[DIFF-INFORMED] JS: decodeJwtWithoutVerification

8e6b3fc

[DIFF-INFORMED] Python: (Possible)TimingAttackAgainstHash

979cb1f

[DIFF-INFORMED] Ruby: MissingFullAnchor

205932e

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql#L18

[DIFF-INFORMED] Rust: RegexInjection

75316f9

[DIFF-INFORMED] Rust: TaintedPath

045ce09

[DIFF-INFORMED] Rust: SqlInjection

cb7d617

[DIFF-INFORMED] Rust: CleartextTransmission

e56ab7b

[DIFF-INFORMED] Rust: CleartextLogging

0c74889

[DIFF-INFORMED] Rust: UncontrolledAllocationSize

abb2d91

[DIFF-INFORMED] Rust: AccessAfterLifetime

0a49f0f

[DIFF-INFORMED] Rust: AccessInvalidPointer

33b7f2f

[DIFF-INFORMED] Swift: CleartextStorageDatabase

c314f6e

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql#L33

[DIFF-INFORMED] Swift: CleartextStoragePreferences

019726a

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql#L32

[DIFF-INFORMED] Swift: InsecureTLS

84a16b3

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql#L18

[DIFF-INFORMED] Swift: UnsafeWebViewFetch

5112a9c

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql#L24

d10c force-pushed the d10c/diff-informed-phase-3 branch from 443655d to 5112a9c Compare July 16, 2025 15:36

d10c requested a review from michaelnebel July 16, 2025 15:52

d10c marked this pull request as ready for review July 16, 2025 15:52

d10c requested review from a team as code owners July 16, 2025 15:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Diff-informed queries: phase 3 (non-trivial locations) #19957

Diff-informed queries: phase 3 (non-trivial locations) #19957

d10c commented Jul 2, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

d10c commented Jul 15, 2025

Uh oh!

Uh oh!

		@@ -0,0 +1 @@
		experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql

Diff-informed queries: phase 3 (non-trivial locations) #19957

Are you sure you want to change the base?

Diff-informed queries: phase 3 (non-trivial locations) #19957

Conversation

d10c commented Jul 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

d10c commented Jul 15, 2025

Uh oh!

Uh oh!

d10c commented Jul 2, 2025 •

edited

Loading