github · d10c · Jul 15, 2025 · Jul 16, 2025
@@ -51,6 +51,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // risky since used in library: normal use in UntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in CountUntrustedDataToExternalAPI.ql
+  }
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
@@ -46,6 +46,10 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // risky since used in library: normal use in IRUntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in IRCountUntrustedDataToExternalAPI.ql
+  }
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
@@ -0,0 +1,18 @@
+typedef unsigned long size_t;
+typedef size_t FILE;
+
+char *strcat(char *s1, const char *s2);
+char *fgets(char *s, int n, FILE *stream);
+char *fputs(const char *s, FILE *stream);
+
+void do_get(FILE* request, FILE* response) {
+  char page[1024];
+  fgets(page, 1024, request);
+
+  char buffer[1024];
+  strcat(buffer, "The page \"");
+  strcat(buffer, page);
+  strcat(buffer, "\" was not found.");
+
+  fputs(buffer, response);
+}
@@ -0,0 +1,18 @@
+typedef unsigned long size_t;
+typedef size_t FILE;
+
+char *strcat(char *s1, const char *s2);
+char *fgets(char *s, int n, FILE *stream);
+char *fputs(const char *s, FILE *stream);
+
+void do_get(FILE* request, FILE* response) {
+  char user_id[1024];
+  fgets(user_id, 1024, request);
+
+  char buffer[1024];
+  strcat(buffer, "SELECT * FROM user WHERE user_id='");
+  strcat(buffer, user_id);
+  strcat(buffer, "'");
+
+  fputs(buffer, response);
+}
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name,    signature, ext, input,         kind,          provenance
+      - [   "",        "",   False,    "fputs", "",        "",  "Argument[0]", "remote-sink", "manual"]
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name,    signature, ext, output,        kind,     provenance
+      - [   "",        "",   False,    "fgets", "",        "",  "Argument[0]", "remote", "manual"]