From 8286cc2696d2266c7ce72ce1df92a409fbf27b1f Mon Sep 17 00:00:00 2001 
From: Chuan-kai Lin Date: Thu, 24 Apr 2025 11:09:55 -0700 Subject: [PATCH 1/2] Python: update diff-informed expected files This commit adds expected files for diff-informed testing. These expected files describe how diff-informed queries produce alerts that are not completely in accordance with the given diff ranges. --- .../DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-200.expected | 3 +++ .../DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected | 4 ++++ .../DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected | 4 ++++ .../1-10,12-89.expected | 4 ++++ .../1-20,22-89.expected | 4 ++++ .../1-30,32-89.expected | 4 ++++ .../1-42,44-89.expected | 4 ++++ .../1-74,76-89.expected | 4 ++++ .../CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected | 4 ++++ .../CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected | 7 +++++++ .../CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected | 7 +++++++ .../CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected | 7 +++++++ .../CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected | 7 +++++++ .../PolynomialReDoS/test.py/(11,29)-(11,31).expected | 3 +++ .../PolynomialReDoS/test.py/(18,21)-(18,23).expected | 3 +++ .../PolynomialReDoS/test.py/(20,271)-(20,272).expected | 3 +++ .../PolynomialReDoS/test.py/(8,19)-(8,21).expected | 3 +++ .../PolynomialReDoS/test.py/(9,25)-(9,27).expected | 3 +++ .../PartialServerSideRequestForgery/3bb27.expected | 6 ++++++ 29 
files changed, 124 insertions(+) create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected create mode 100644 
python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected create mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected create mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected create mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected create mode 100644 
python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected create mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected create mode 100644 python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected new file mode 100644 index 000000000000..638341e63231 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-104 + UnsafeUnpack.py:106-201 +Wrongly included: | UnsafeUnpack.py:105:35:105:42 | ControlFlowNode for savepath | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected new file mode 100644 index 000000000000..227ee12e2a85 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-111 + UnsafeUnpack.py:113-201 +Wrongly included: | UnsafeUnpack.py:112:35:112:43 | ControlFlowNode for file_path | Unsafe extraction from a malicious tarball retrieved from a remote location. | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected new file mode 100644 index 000000000000..63e6ad6d1dc9 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-119 + UnsafeUnpack.py:121-201 +Wrongly included: | UnsafeUnpack.py:120:41:120:58 | ControlFlowNode for uploaded_file_path | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected new file mode 100644 index 000000000000..bdbb5c401720 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-141 + UnsafeUnpack.py:143-201 +Wrongly included: | UnsafeUnpack.py:142:49:142:51 | ControlFlowNode for tar | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected new file mode 100644 index 000000000000..9c94c7b0a5b5 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected 
@@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-166 + UnsafeUnpack.py:168-201 +Wrongly included: | UnsafeUnpack.py:167:67:167:72 | ControlFlowNode for result | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected new file mode 100644 index 000000000000..3abf3ade3f9c --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-175 + UnsafeUnpack.py:177-201 +Wrongly included: | UnsafeUnpack.py:176:1:176:34 | ControlFlowNode for Attribute() | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected new file mode 100644 index 000000000000..75c809596bd9 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-18 + UnsafeUnpack.py:20-201 +Wrongly included: | UnsafeUnpack.py:19:35:19:41 | ControlFlowNode for tarpath | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected new file mode 100644 index 000000000000..7b67373bc6cb 
--- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected @@ -0,0 +1,3 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-200 +Wrongly included: | UnsafeUnpack.py:201:29:201:36 | ControlFlowNode for Attribute | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected new file mode 100644 index 000000000000..0d876dfb8b34 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-33 + UnsafeUnpack.py:35-201 +Wrongly included: | UnsafeUnpack.py:34:23:34:38 | ControlFlowNode for local_ziped_path | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected new file mode 100644 index 000000000000..f20b971d45ed --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-47 + UnsafeUnpack.py:49-201 +Wrongly included: | UnsafeUnpack.py:48:23:48:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected new file mode 100644 index 000000000000..7701b7cdc968 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-51 + UnsafeUnpack.py:53-201 +Wrongly included: | UnsafeUnpack.py:52:23:52:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected new file mode 100644 index 000000000000..526193cad021 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-65 + UnsafeUnpack.py:67-201 +Wrongly included: | UnsafeUnpack.py:66:23:66:37 | ControlFlowNode for compressed_file | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected new file mode 100644 index 000000000000..bf35c97fddd4 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected 
@@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + UnsafeUnpack.py:1-86 + UnsafeUnpack.py:88-201 +Wrongly included: | UnsafeUnpack.py:87:23:87:29 | ControlFlowNode for tarpath | Unsafe extraction from a malicious tarball retrieved from a remote location. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected new file mode 100644 index 000000000000..a2f9b06ddc20 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + test.py:1-10 + test.py:12-89 +Wrongly included: | test.py:11:9:11:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected new file mode 100644 index 000000000000..c7a502e290b3 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + test.py:1-20 + test.py:22-89 +Wrongly included: | test.py:21:9:21:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected new file mode 100644 index 000000000000..52d6a0ac12d3 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + test.py:1-30 + test.py:32-89 +Wrongly included: | test.py:31:9:31:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected new file mode 100644 index 000000000000..e2861a0c2f24 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + test.py:1-42 + test.py:44-89 +Wrongly included: | test.py:43:9:43:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption | 
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected new file mode 100644 index 000000000000..85b1e2f26fbe --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + test.py:1-74 + test.py:76-89 +Wrongly included: | test.py:75:9:75:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected b/python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected new file mode 100644 index 000000000000..c6023d1864f8 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected @@ -0,0 +1,4 @@ +Filtering alerts to these ranges: + Cors.py:1-7 + Cors.py:9-17 +Wrongly included: | Cors.py:8:12:8:17 | ControlFlowNode for origin | Potentially incorrect string comparison which could lead to a CORS bypass. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected new file mode 100644 index 000000000000..852d26e4eb90 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/26566.expected 
@@ -0,0 +1,7 @@ +Filtering alerts to these ranges: + ldap2_private.py:all + ldap2_remote.py:all + ldap3_private.py:all + ldap3_remote.py:1-114 + ldap3_remote.py:116-146 +Wrongly included: | ldap3_remote.py:115:18:115:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected new file mode 100644 index 000000000000..f19dd276aec9 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/6ecfd.expected @@ -0,0 +1,7 @@ +Filtering alerts to these ranges: + ldap2_private.py:all + ldap2_remote.py:all + ldap3_private.py:all + ldap3_remote.py:1-138 + ldap3_remote.py:140-146 +Wrongly included: | ldap3_remote.py:139:18:139:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected new file mode 100644 index 000000000000..3e4a6322d643 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/70ac5.expected @@ -0,0 +1,7 @@ +Filtering alerts to these ranges: + ldap2_private.py:all + ldap2_remote.py:all + ldap3_private.py:all + ldap3_remote.py:1-101 + ldap3_remote.py:103-146 +Wrongly included: | ldap3_remote.py:102:18:102:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected new file mode 100644 index 000000000000..ca807a3b06d7 --- /dev/null 
+++ b/python/ql/test/experimental/query-tests/Security/CWE-522/DIFF-INFORMED/LdapInsecureAuth/81fd1.expected @@ -0,0 +1,7 @@ +Filtering alerts to these ranges: + ldap2_private.py:all + ldap2_remote.py:all + ldap3_private.py:all + ldap3_remote.py:1-126 + ldap3_remote.py:128-146 +Wrongly included: | ldap3_remote.py:127:18:127:21 | ControlFlowNode for host | This LDAP host is authenticated insecurely. | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected new file mode 100644 index 000000000000..433095ccbd61 --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected @@ -0,0 +1,3 @@ +Filtering alerts to these ranges: + test.py:(11,29)-(11,31) +Wrongly omitted: | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected new file mode 100644 index 000000000000..168a04765fa1 --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected 
@@ -0,0 +1,3 @@ +Filtering alerts to these ranges: + test.py:(18,21)-(18,23) +Wrongly omitted: | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:18:21:18:23 | \s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected new file mode 100644 index 000000000000..463c62c5f772 --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected @@ -0,0 +1,3 @@ +Filtering alerts to these ranges: + test.py:(20,271)-(20,272) +Wrongly omitted: | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected new file mode 100644 index 000000000000..3e7cff97d6da --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected 
@@ -0,0 +1,3 @@ +Filtering alerts to these ranges: + test.py:(8,19)-(8,21) +Wrongly omitted: | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected new file mode 100644 index 000000000000..200b64e1958c --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected @@ -0,0 +1,3 @@ +Filtering alerts to these ranges: + test.py:(9,25)-(9,27) +Wrongly omitted: | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected new file mode 100644 index 000000000000..cda13af94ed7 --- /dev/null +++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/DIFF-INFORMED/PartialServerSideRequestForgery/3bb27.expected 
@@ -0,0 +1,6 @@ +Filtering alerts to these ranges: + full_partial_test.py:all + test_http_client.py:2-21 + test_http_client.py:23-37 + test_requests.py:all +Wrongly included: | test_http_client.py:22:5:22:31 | ControlFlowNode for Attribute() | Part of the URL of this request depends on a $@. | test_http_client.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | From 2e5fa6733437251e6c32b8be301cf8549ec83c4d Mon Sep 17 00:00:00 2001 From: Chuan-kai Lin Date: Thu, 24 Apr 2025 13:38:24 -0700 Subject: [PATCH 2/2] Python: disable diff-informed PolynomialReDoS.ql This commit disabled diff-informed for PolynomialReDoS.ql because it could miss some alerts within diff ranges. --- .../security/dataflow/PolynomialReDoSQuery.qll | 12 +++++++++++- .../PolynomialReDoS/test.py/(11,29)-(11,31).expected | 3 --- .../PolynomialReDoS/test.py/(18,21)-(18,23).expected | 3 --- .../test.py/(20,271)-(20,272).expected | 3 --- .../PolynomialReDoS/test.py/(8,19)-(8,21).expected | 3 --- .../PolynomialReDoS/test.py/(9,25)-(9,27).expected | 3 --- 6 files changed, 11 insertions(+), 16 deletions(-) delete mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected delete mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected delete mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected delete mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected delete mode 100644 python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected 
diff --git a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
index 89aa4961e6ef..0e52764c1950 100644
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -18,7 +18,17 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
- predicate observeDiffInformedIncrementalMode() { any() }
+ // Diff-informed incremental mode is currently disabled for this query due to
+ // API limitations. The query exposes sink.getABacktrackingTerm() as an alert
+ // location, but there is no way to express that information through
+ // getASelectedSinkLocation() because there is no @location in the CodeQL
+ // database that corresponds to a term inside a regular expression. As a
+ // result, this query could miss alerts in diff-informed incremental mode.
+ //
+ // To address this problem, we need to have a version of
+ // getASelectedSinkLocation() that uses hasLocationInfo() instead of
+ // returning Location objects.
+ predicate observeDiffInformedIncrementalMode() { none() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
 result = sink.(Sink).getHighlight().getLocation()
diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected
deleted file mode 100644
index 433095ccbd61..000000000000
--- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(11,29)-(11,31).expected
+++ /dev/null
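Review bot: `getASelectedSinkLocation` directly below the new comment still returns only `sink.(Sink).getHighlight().getLocation()`, which is exactly the incompleteness the comment describes, yet nothing on that predicate says it is now dormant, so re-enabling `observeDiffInformedIncrementalMode()` later could silently bring back the missed alerts. A one-line pointer there would keep the two in step, e.g. `// NOTE: inactive while observeDiffInformedIncrementalMode() is none(); does not cover sink.getABacktrackingTerm() (see above).`. The rationale block already names the needed fix (a hasLocationInfo()-based variant of getASelectedSinkLocation()) but carries no TODO marker or tracking reference, so `// TODO(<tracking-issue>): switch to a hasLocationInfo()-based selected-sink API and re-enable.` would make it discoverable when that API lands. Disabling is the safe direction here, since an alert this query fails to report in diff-informed mode is a false negative on untrusted input reaching a backtracking regex, and that trade-off is worth one sentence in the comment. The enclosing module `PolynomialReDoSConfig` and the body of `getASelectedSinkLocation` continue outside the hunk.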
@@ -1,3 +0,0 @@ -Filtering alerts to these ranges: - test.py:(11,29)-(11,31) -Wrongly omitted: | test.py:12:17:12:20 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:11:29:11:31 | \s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected deleted file mode 100644 index 168a04765fa1..000000000000 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(18,21)-(18,23).expected +++ /dev/null @@ -1,3 +0,0 @@ -Filtering alerts to these ranges: - test.py:(18,21)-(18,23) -Wrongly omitted: | test.py:16:24:16:30 | ControlFlowNode for my_text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:18:21:18:23 | \s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected deleted file mode 100644 index 463c62c5f772..000000000000 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(20,271)-(20,272).expected +++ /dev/null 
@@ -1,3 +0,0 @@ -Filtering alerts to these ranges: - test.py:(20,271)-(20,272) -Wrongly omitted: | test.py:21:18:21:21 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | test.py:20:271:20:272 | .* | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected deleted file mode 100644 index 3e7cff97d6da..000000000000 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(8,19)-(8,21).expected +++ /dev/null @@ -1,3 +0,0 @@ -Filtering alerts to these ranges: - test.py:(8,19)-(8,21) -Wrongly omitted: | test.py:8:30:8:33 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | test.py:8:19:8:21 | \s+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value | diff --git a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected b/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected deleted file mode 100644 index 200b64e1958c..000000000000 --- a/python/ql/test/query-tests/Security/CWE-730-PolynomialReDoS/DIFF-INFORMED/PolynomialReDoS/test.py/(9,25)-(9,27).expected +++ /dev/null 
@@ -1,3 +0,0 @@ -Filtering alerts to these ranges: - test.py:(9,25)-(9,27) -Wrongly omitted: | test.py:9:32:9:35 | ControlFlowNode for text | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | test.py:9:25:9:27 | \d+ | regular expression | test.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |