Actions: mass enable diff-informed data flow

d10c · d10c · commit f2bd454e99af · 2025-06-11T19:10:11.000+02:00
An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on #18346 and github/codeql-patch#88
diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

Original file line number	Diff line number	Diff line change
`@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {`
`214`	`214`	`)`
`215`	`215`	`)`
`216`	`216`	`}`
	`217`	`+`
	`218`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`217`	`219`	`}`
`218`	`220`
`219`	`221`	`/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {`
`16`	`16`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`17`	`17`
`18`	`18`	`predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }`
	`19`	`+`
	`20`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {`
`15`	`15`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`16`	`16`
`17`	`17`	`predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }`
	`18`	`+`
	`19`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {`
`24`	`24`	`predicate isSink(DataFlow::Node sink) {`
`25`	`25`	`sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`module MyFlow = TaintTracking::Global<MyConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {`
`34`	`34`	`isSink(node) and`
`35`	`35`	`set instanceof DataFlow::FieldContent`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`37`	`39`	`}`
`38`	`40`
`39`	`41`	`module MyFlow = TaintTracking::Global<MyConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {`
`25`	`25`	`predicate isSink(DataFlow::Node sink) {`
`26`	`26`	`exists(CompositeAction c \| c.getAnOutputExpr() = sink.asExpr())`
`27`	`27`	`}`
	`28`	`+`
	`29`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`module MyFlow = TaintTracking::Global<MyConfig>;`