[DIFF-INFORMED] C++: (IR) ExternalAPIs

d10c · d10c · commit 2b646feeb77b · 2025-08-15T11:55:59.000+02:00
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql#L19 https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql#L20
diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // risky since used in library: normal use in UntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in CountUntrustedDataToExternalAPI.ql
+  }
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
@@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // risky since used in library: normal use in IRUntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in IRCountUntrustedDataToExternalAPI.ql
+  }
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
	`54`	`+`
	`55`	`+ predicate observeDiffInformedIncrementalMode() {`
	`56`	`+ none() // risky since used in library: normal use in UntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in CountUntrustedDataToExternalAPI.ql`
	`57`	`+ }`
`54`	`58`	`}`
`55`	`59`
`56`	`60`	`module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {`
`46`	`46`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`47`	`47`
`48`	`48`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
	`49`	`+`
	`50`	`+ predicate observeDiffInformedIncrementalMode() {`
	`51`	`+ none() // risky since used in library: normal use in IRUntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in IRCountUntrustedDataToExternalAPI.ql`
	`52`	`+ }`
`49`	`53`	`}`
`50`	`54`
`51`	`55`	`module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;`