Merge pull request #18574 from asgerf/js/diff-informed2

JS: fix and improve diff-informed queries

javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll

@@ -27,6 +27,12 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getInitialization().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll

@@ -33,6 +33,12 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getARequest().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll

@@ -32,6 +32,13 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node node |
+      isSinkWithHighlight(sink, node) and
+      result = node.getLocation()
+    )
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll

@@ -25,6 +25,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getCredentialsHeader().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll

@@ -35,6 +35,15 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    exists(DataFlow::Node link |
+      sink.(Sink).hasReason(link, _) and
+      result = link.getLocation()
+    )
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll

@@ -28,6 +28,13 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node node |
+      isSinkWithHighlight(sink, node) and
+      result = node.getLocation()
+    )
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll

@@ -25,6 +25,12 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getDownloadCall().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll

@@ -49,6 +49,15 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    exists(Locatable loc |
+      sink.(Sink).dependencyInfo(_, loc) and
+      result = loc.getLocation()
+    )
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll

@@ -28,6 +28,12 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getARequest().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll

@@ -29,6 +29,13 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node node |
+      isSinkWithHighlight(sink, node) and
+      result = node.getLocation()
+    )
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll

@@ -34,6 +34,12 @@ module UnsafeCodeConstruction {
     DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
     predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.(Sink).getLocation()
+      or
+      result = sink.(Sink).getCodeSink().getLocation()
+    }
   }
 
   /**

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll

@@ -62,6 +62,12 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getSink().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll

@@ -38,6 +38,12 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = source.(Source).getLocation()
+    or
+    result = source.(Source).getPlugin().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll

@@ -27,6 +27,14 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getAlertLocation().getLocation()
+    or
+    result = sink.(Sink).getCommandExecution().getLocation()
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll

@@ -27,6 +27,14 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
   int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getLocation()
+    or
+    result = sink.(Sink).getHighlight().getLocation()
+    or
+    result = sink.(Sink).getRegExp().getLocation()
+  }
 }
 
 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */

javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql

@@ -33,8 +33,6 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
       )
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql

@@ -27,8 +27,6 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;