Merge pull request #20074 from d10c/d10c/diff-informed-phase-3-csharp

d10c · web-flow · commit 8000e7c442fc · 2025-08-15T12:07:47.000+02:00
C#: Diff-informed queries: phase 3 (non-trivial locations)
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
@@ -39,6 +39,15 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // from ConditionalBypass.ql
+    result = sink.(Sink).getSensitiveMethodCall().getLocation()
+  }
 }
 
 /**
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
   predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof StrongTypeDeserializer
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
       sink.asExpr() = mc.getQualifier()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
@@ -24,6 +24,8 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NotThreadSafeCryptoUsageIntoParallelInvoke =
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
@@ -38,6 +38,12 @@ module ConnectionStringConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    any(Call call | call.getAnArgument() = sink.asExpr()).getLocation() = result
+  }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig`
`59`	`59`	`predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }`
`60`	`60`
`61`	`61`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`62`	`+`
	`63`	`+ predicate observeDiffInformedIncrementalMode() {`
	`64`	`+ any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql`
	`65`	`+ }`
`62`	`66`	`}`
`63`	`67`
`64`	`68`	`/**`
`@@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {`
`77`	`81`	`}`
`78`	`82`
`79`	`83`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`84`	`+`
	`85`	`+ predicate observeDiffInformedIncrementalMode() {`
	`86`	`+ any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql`
	`87`	`+ }`
`80`	`88`	`}`
`81`	`89`
`82`	`90`	`/**`
`@@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {`
`133`	`141`	`)`
`134`	`142`	`)`
`135`	`143`	`}`
	`144`	`+`
	`145`	`+ predicate observeDiffInformedIncrementalMode() {`
	`146`	`+ none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql`
	`147`	`+ }`
`136`	`148`	`}`
`137`	`149`
`138`	`150`	`/**`
`@@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo`
`149`	`161`	`predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }`
`150`	`162`
`151`	`163`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`164`	`+`
	`165`	`+ predicate observeDiffInformedIncrementalMode() {`
	`166`	`+ any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql`
	`167`	`+ }`
`152`	`168`	`}`
`153`	`169`
`154`	`170`	`/**`
`@@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {`
`186`	`202`	`oc.getObjectType() instanceof StrongTypeDeserializer`
`187`	`203`	`)`
`188`	`204`	`}`
	`205`	`+`
	`206`	`+ predicate observeDiffInformedIncrementalMode() {`
	`207`	`+ none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql`
	`208`	`+ }`
`189`	`209`	`}`
`190`	`210`
`191`	`211`	`/**`
`@@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config`
`210`	`230`	`sink.asExpr() = mc.getQualifier()`
`211`	`231`	`)`
`212`	`232`	`}`
	`233`	`+`
	`234`	`+ predicate observeDiffInformedIncrementalMode() {`
	`235`	`+ none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql`
	`236`	`+ }`
`213`	`237`	`}`
`214`	`238`
`215`	`239`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink }`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`module NotThreadSafeCryptoUsageIntoParallelInvoke =`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ module ConnectionStringConfig implements DataFlow::ConfigSig {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer }`
	`41`	`+`
	`42`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`43`	`+`
	`44`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`45`	`+ any(Call call \| call.getAnArgument() = sink.asExpr()).getLocation() = result`
	`46`	`+ }`
`41`	`47`	`}`
`42`	`48`
`43`	`49`	`/**`