diff --git a/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll b/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll index 7a5be05ac303..f38ab9df3dab 100644 --- a/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll +++ b/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll @@ -158,6 +158,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig ) and state = PostValidationState() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll b/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll index cb6dfc931bd4..0e4163ec35cc 100644 --- a/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll +++ b/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll @@ -29,6 +29,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof ZipSlip::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll index 47789542f23d..adf7384183e1 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll @@ -118,6 +118,10 @@ private module ExconDisablesCertificateValidationConfig implements DataFlow::Con predicate isSink(DataFlow::Node sink) { sink = any(ExconHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module ExconDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll index f832ebb89b7d..834180a7ee49 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll @@ -99,6 +99,10 @@ private module FaradayDisablesCertificateValidationConfig implements DataFlow::S predicate isSink(DataFlow::Node sink, FlowState state) { sink = any(FaradayHttpRequest req).getCertificateValidationControllingValue(state) } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module FaradayDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll index 111967f23cc9..c766ef96f23a 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll @@ -80,6 +80,10 @@ private module HttpClientDisablesCertificateValidationConfig implements DataFlow predicate isSink(DataFlow::Node sink) { sink = any(HttpClientRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module HttpClientDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll index f5320cd35c81..e9f94f771f1a 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll @@ -70,6 +70,10 @@ private module HttpartyDisablesCertificateValidationConfig implements DataFlow:: predicate isSink(DataFlow::Node sink) { sink = any(HttpartyRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module HttpartyDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll index 509d106f29cb..e09917ae21ab 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll @@ -103,6 +103,10 @@ private module NetHttpDisablesCertificateValidationConfig implements DataFlow::C predicate isSink(DataFlow::Node sink) { sink = any(NetHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module NetHttpDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll index fb8a55e775d8..8ccb744f84e1 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll @@ -110,6 +110,10 @@ private module OpenUriDisablesCertificateValidationConfig implements DataFlow::C or sink = any(OpenUriKernelOpenRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module OpenUriDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll index 5516e56493ca..cac94f7166f2 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll @@ -73,6 +73,10 @@ private module RestClientDisablesCertificateValidationConfig implements DataFlow predicate isSink(DataFlow::Node sink) { sink = any(RestClientHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module RestClientDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll index c1b13323f9a6..2eae03a77481 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll @@ -64,6 +64,10 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow:: predicate isSink(DataFlow::Node sink) { sink = any(TyphoeusHttpRequest req).getCertificateValidationControllingValue() } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module TyphoeusDisablesCertificateValidationFlow = diff --git a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll index 217cfaf50d61..cee494cb2fec 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll @@ -52,6 +52,10 @@ module Pathname { ] ) } + + predicate observeDiffInformedIncrementalMode() { + none() // Used for a library model + } } private module PathnameFlow = DataFlow::Global; diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll index 38dc08731f42..36ed0fa30a59 100644 --- a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll @@ -27,6 +27,8 @@ private module Config implements DataFlow::ConfigSig { cs.isAny() and isSink(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll index 60dfd216609c..66817f0f9abf 100644 --- a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll @@ -26,6 +26,8 @@ private module Config implements DataFlow::ConfigSig { cs.isAny() and isSink(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll index 9394601c5ed8..3a738703cf11 100644 --- a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll @@ -31,6 +31,8 @@ private module Config implements DataFlow::StateConfigSig { predicate isBarrierIn(DataFlow::Node node) { node instanceof Source } int fieldFlowBranchLimit() { result = 10 } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll index 74d00b254790..a5b4d965894a 100644 --- a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll @@ -23,6 +23,8 @@ private module Config implements DataFlow::ConfigSig { node instanceof StringConstCompareBarrier or node instanceof StringConstArrayInclusionCallBarrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll index fa7e829d684f..fee3990f09b8 100644 --- a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll @@ -17,6 +17,8 @@ private module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll index 3fdd6ffc2a4f..7dae6ab8532e 100644 --- a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll @@ -33,6 +33,8 @@ private module Config implements DataFlow::StateConfigSig { ) and stateTo = FlowState::Taint() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll index 6a2eb63198ab..51992d4be471 100644 --- a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll @@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll index bddc6d2c3c45..7e9d4390ba6a 100644 --- a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll @@ -13,6 +13,8 @@ private module ImproperLdapAuthConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll index 9e813209b53c..641766acc707 100644 --- a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll @@ -20,6 +20,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig { predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll index 1cb503a30c81..7cc5e6f98388 100644 --- a/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll @@ -13,6 +13,8 @@ private module InsecureRandomnessConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll index 14e9a7e31a74..085be309ec1c 100644 --- a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll @@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig { node instanceof StringConstArrayInclusionCallBarrier or node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll index 73dcac76b995..770357c2d1b5 100644 --- a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll @@ -26,6 +26,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { LI::isAdditionalFlowStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll index 648f9496ea19..487dc31d4f0b 100644 --- a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll @@ -73,6 +73,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll b/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll index 0d6bcd0a34f7..aeb4bffeccea 100644 --- a/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll @@ -59,6 +59,8 @@ private module Config implements DataFlow::StateConfigSig { state2 instanceof FlowState::Permitted ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Taint tracking for reasoning about user input used for mass assignment. */ diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll index 55329c50717d..ff2cac8f78ed 100644 --- a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll @@ -20,6 +20,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll index d1618a949042..277092f2de0a 100644 --- a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll @@ -22,6 +22,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { RX::isAdditionalXssTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll index d3fe93fa764a..f1dc2194d24c 100644 --- a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll @@ -16,6 +16,10 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof Source } predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + predicate observeDiffInformedIncrementalMode() { + none() // Disabled since the alert references `Source.getHandler()` + } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll index 2e8aed1c0b87..2cbb9635a946 100644 --- a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll @@ -22,6 +22,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig { node instanceof StringConstCompareBarrier or node instanceof StringConstArrayInclusionCallBarrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll index 40a9b603bf4e..4d075d0661b5 100644 --- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll @@ -13,6 +13,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll index 8342c382cdb2..4df59d9c8eb6 100644 --- a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll @@ -17,6 +17,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll index b6520fedf4fe..c9b383aa3bae 100644 --- a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll @@ -32,6 +32,8 @@ private module StoredXssConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { isAdditionalXssTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll index 1231921649e7..8ecdde85e768 100644 --- a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll @@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll index 3e3610915496..78407a745fb4 100644 --- a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll @@ -13,6 +13,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll index 06dc8797832a..24f86a2687a7 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll @@ -24,6 +24,8 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig { // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll index ad7749d68aa6..f5dc63a3b9ab 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll @@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof UnsafeDeserialization::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll index 44e008cfa8b4..75b73162b2a4 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll @@ -21,6 +21,8 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig { // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll index 6e3ac947a514..6041c38130e2 100644 --- a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll @@ -26,6 +26,8 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS // override to require the path doesn't have unmatched return steps DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll index 6169de81269a..5065833c6ac6 100644 --- a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll @@ -22,6 +22,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { UrlRedirect::isAdditionalTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll index dd9c389b4c34..7ce8d213d2f5 100644 --- a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll @@ -28,6 +28,8 @@ module NormalHashFunction { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */ @@ -54,6 +56,8 @@ module ComputationallyExpensiveHashFunction { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */ diff --git a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll index 4385b324fa6e..adbff127a8d7 100644 --- a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll @@ -24,6 +24,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll index febfa0712d9b..6ff8843d4588 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll @@ -17,6 +17,8 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll index 98a42fcf5e7c..e0b7d59bb1f8 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll @@ -18,6 +18,8 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll index 3e6f6f83ef8d..66cdb67395e0 100644 --- a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll +++ b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll @@ -17,6 +17,8 @@ private module RegExpInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInjection::Sink } predicate isBarrier(DataFlow::Node node) { node instanceof RegExpInjection::Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql index 5ab6d29af7ba..bcf41780d6e2 100644 --- a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql +++ b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql @@ -57,6 +57,8 @@ module BombsConfig implements DataFlow::ConfigSig { nodeTo = cn ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Bombs = TaintTracking::Global; diff --git a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql index 5869e5862fb2..aeb559417307 100644 --- a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql +++ b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql @@ -39,6 +39,8 @@ private module DecompressionApiConfig implements DataFlow::ConfigSig { // our Decompression APIs defined above will be the sinks we use for this query predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionApiUse } + + predicate observeDiffInformedIncrementalMode() { any() } } private module DecompressionApiFlow = TaintTracking::Global; diff --git a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql index 557b7daefd3f..4af2425b1a82 100644 --- a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql +++ b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql @@ -86,6 +86,8 @@ private module HttpVerbConfig implements DataFlow::ConfigSig { exists(ExprNodes::ConditionalExprCfgNode c | c.getCondition() = sink.asExpr()) or exists(ExprNodes::CaseExprCfgNode c | c.getValue() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } private module HttpVerbFlow = TaintTracking::Global; diff --git a/ruby/ql/src/experimental/weak-params/WeakParams.ql b/ruby/ql/src/experimental/weak-params/WeakParams.ql index 8b1654c63687..faec728a2dd8 100644 --- a/ruby/ql/src/experimental/weak-params/WeakParams.ql +++ b/ruby/ql/src/experimental/weak-params/WeakParams.ql @@ -46,6 +46,8 @@ private module WeakParamsConfig implements DataFlow::ConfigSig { // the sink is an instance of a Model class that receives a method call predicate isSink(DataFlow::Node node) { node = any(PersistentWriteAccess a).getValue() } + + predicate observeDiffInformedIncrementalMode() { any() } } private module WeakParamsFlow = TaintTracking::Global; diff --git a/ruby/ql/src/queries/meta/TaintedNodes.ql b/ruby/ql/src/queries/meta/TaintedNodes.ql index ee35afeed317..8ddda63b359e 100644 --- a/ruby/ql/src/queries/meta/TaintedNodes.ql +++ b/ruby/ql/src/queries/meta/TaintedNodes.ql @@ -19,6 +19,8 @@ private module BasicTaintConfig implements DataFlow::ConfigSig { // To reduce noise from synthetic nodes, only count nodes that have an associated expression. exists(node.asExpr().getExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } private module BasicTaintFlow = TaintTracking::Global; diff --git a/ruby/ql/src/queries/security/cwe-611/Xxe.ql b/ruby/ql/src/queries/security/cwe-611/Xxe.ql index ba1df49549b9..af6a2fd77645 100644 --- a/ruby/ql/src/queries/security/cwe-611/Xxe.ql +++ b/ruby/ql/src/queries/security/cwe-611/Xxe.ql @@ -31,6 +31,8 @@ private module XxeConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink } + + predicate observeDiffInformedIncrementalMode() { any() } } private module XxeFlow = TaintTracking::Global; diff --git a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql index 5580118e9333..478e758d844c 100644 --- a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql +++ b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql @@ -54,6 +54,8 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink) } + + predicate observeDiffInformedIncrementalMode() { any() } } private module PermissivePermissionsFlow = DataFlow::Global; diff --git a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql index e37bc91f2583..c568e8d2aafc 100644 --- a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql +++ b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql @@ -147,6 +147,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig { binop.getExpr() instanceof AddExpr ) } + + predicate observeDiffInformedIncrementalMode() { any() } } private module HardcodedCredentialsFlow = DataFlow::Global;