github · cklin · Apr 24, 2025 · Apr 24, 2025
@@ -18,7 +18,17 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  // Diff-informed incremental mode is currently disabled for this query due to
+  // API limitations. The query exposes sink.getABacktrackingTerm() as an alert
+  // location, but there is no way to express that information through
+  // getASelectedSinkLocation() because there is no @location in the CodeQL
+  // database that corresponds to a term inside a regular expression. As a
+  // result, this query could miss alerts in diff-informed incremental mode.
+  //
+  // To address this problem, we need to have a version of
+  // getASelectedSinkLocation() that uses hasLocationInfo() instead of
+  // returning Location objects.
+  predicate observeDiffInformedIncrementalMode() { none() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(Sink).getHighlight().getLocation()

@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-104
+  UnsafeUnpack.py:106-201
+Wrongly included: | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-111
+  UnsafeUnpack.py:113-201
+Wrongly included: | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-119
+  UnsafeUnpack.py:121-201
+Wrongly included: | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-141
+  UnsafeUnpack.py:143-201
+Wrongly included: | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-166
+  UnsafeUnpack.py:168-201
+Wrongly included: | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-175
+  UnsafeUnpack.py:177-201
+Wrongly included: | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-18
+  UnsafeUnpack.py:20-201
+Wrongly included: | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,3 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-200
+Wrongly included: | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-33
+  UnsafeUnpack.py:35-201
+Wrongly included: | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-47
+  UnsafeUnpack.py:49-201
+Wrongly included: | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-51
+  UnsafeUnpack.py:53-201
+Wrongly included: | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-65
+  UnsafeUnpack.py:67-201
+Wrongly included: | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  UnsafeUnpack.py:1-86
+  UnsafeUnpack.py:88-201
+Wrongly included: | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | Unsafe extraction from a malicious tarball retrieved from a remote location. |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  test.py:1-10
+  test.py:12-89
+Wrongly included: | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  test.py:1-20
+  test.py:22-89
+Wrongly included: | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  test.py:1-30
+  test.py:32-89
+Wrongly included: | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  test.py:1-42
+  test.py:44-89
+Wrongly included: | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  test.py:1-74
+  test.py:76-89
+Wrongly included: | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |
@@ -0,0 +1,4 @@
+Filtering alerts to these ranges:
+  Cors.py:1-7
+  Cors.py:9-17
+Wrongly included: | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. |
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+  ldap2_private.py:all
+  ldap2_remote.py:all
+  ldap3_private.py:all
+  ldap3_remote.py:1-114
+  ldap3_remote.py:116-146
+Wrongly included: | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+  ldap2_private.py:all
+  ldap2_remote.py:all
+  ldap3_private.py:all
+  ldap3_remote.py:1-138
+  ldap3_remote.py:140-146
+Wrongly included: | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+  ldap2_private.py:all
+  ldap2_remote.py:all
+  ldap3_private.py:all
+  ldap3_remote.py:1-101
+  ldap3_remote.py:103-146
+Wrongly included: | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
@@ -0,0 +1,7 @@
+Filtering alerts to these ranges:
+  ldap2_private.py:all
+  ldap2_remote.py:all
+  ldap3_private.py:all
+  ldap3_remote.py:1-126
+  ldap3_remote.py:128-146
+Wrongly included: | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. |
@@ -0,0 +1,6 @@
+Filtering alerts to these ranges:
+  full_partial_test.py:all
+  test_http_client.py:2-21
+  test_http_client.py:23-37
+  test_requests.py:all
+Wrongly included: | test_http_client.py:22:5:22:31 | ControlFlowNode for Attribute() | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |