Merge pull request #14631 from hmac/hmac-dynamic-neutral-model

JS/Ruby/Python: Add neutralModel extensible predicate
github · Oct 30, 2023 · dc9f171 · dc9f171
2 parents 3a9ffe1 + 083be30
commit dc9f171
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 3 deletions.
diff --git a/codeql-workspace.yml b/codeql-workspace.yml
@@ -29,6 +29,7 @@ provide:
   - "swift/extractor-pack/codeql-extractor.yml"
   - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
+  - ".github/codeql/extensions/**/codeql-pack.yml"
 
 versionPolicies:
   default:

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -17,14 +17,21 @@ extensible predicate sourceModel(string type, string path, string kind);
 extensible predicate sinkModel(string type, string path, string kind);
 
 /**
- * Holds if calls to `(type, path)`, the value referred to by `input`
+ * Holds if in calls to `(type, path)`, the value referred to by `input`
  * can flow to the value referred to by `output`.
  *
  * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
  * respectively.
  */
 extensible predicate summaryModel(string type, string path, string input, string output, string kind);
 
+/**
+ * Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
+ * If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
+ * If `kind` is `sink`, the call is not a sink.
+ */
+extensible predicate neutralModel(string type, string path, string kind);
+
 /**
  * Holds if `(type2, path)` should be seen as an instance of `type1`.
  */

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/model.yml b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/model.yml
@@ -15,6 +15,11 @@ extensions:
       extensible: summaryModel
     data: []
 
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: neutralModel
+    data: []
+
   - addsTo:
       pack: codeql/javascript-all
       extensible: typeModel

diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -17,14 +17,21 @@ extensible predicate sourceModel(string type, string path, string kind);
 extensible predicate sinkModel(string type, string path, string kind);
 
 /**
- * Holds if calls to `(type, path)`, the value referred to by `input`
+ * Holds if in calls to `(type, path)`, the value referred to by `input`
  * can flow to the value referred to by `output`.
  *
  * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
  * respectively.
  */
 extensible predicate summaryModel(string type, string path, string input, string output, string kind);
 
+/**
+ * Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
+ * If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
+ * If `kind` is `sink`, the call is not a sink.
+ */
+extensible predicate neutralModel(string type, string path, string kind);
+
 /**
  * Holds if `(type2, path)` should be seen as an instance of `type1`.
  */

diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/empty.model.yml b/python/ql/lib/semmle/python/frameworks/data/internal/empty.model.yml
@@ -15,6 +15,11 @@ extensions:
       extensible: summaryModel
     data: []
 
+  - addsTo:
+      pack: codeql/python-all
+      extensible: neutralModel
+    data: []
+
   - addsTo:
       pack: codeql/python-all
       extensible: typeModel

diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll
@@ -17,14 +17,21 @@ extensible predicate sourceModel(string type, string path, string kind);
 extensible predicate sinkModel(string type, string path, string kind);
 
 /**
- * Holds if calls to `(type, path)`, the value referred to by `input`
+ * Holds if in calls to `(type, path)`, the value referred to by `input`
  * can flow to the value referred to by `output`.
  *
  * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
  * respectively.
  */
 extensible predicate summaryModel(string type, string path, string input, string output, string kind);
 
+/**
+ * Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
+ * If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
+ * If `kind` is `sink`, the call is not a sink.
+ */
+extensible predicate neutralModel(string type, string path, string kind);
+
 /**
  * Holds if `(type2, path)` should be seen as an instance of `type1`.
  */

diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/model.yml b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/model.yml
@@ -15,6 +15,11 @@ extensions:
       extensible: summaryModel
     data: []
 
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: neutralModel
+    data: []
+
   - addsTo:
       pack: codeql/ruby-all
       extensible: typeModel