Actions: ArgumentInjection

d10c · d10c · commit 4e7cf07cabf5 · 2025-07-03T14:54:45.000+02:00
diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
 
 abstract class ArgumentInjectionSink extends DataFlow::Node {
   abstract string getCommand();
@@ -89,8 +90,17 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the ___location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql@29:62:29:66)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    exists(Event event | result = event.getLocation() |
+      inPrivilegedContext(sink.asExpr(), event) and
+      not exists(ControlCheck check | check.protects(sink.asExpr(), event, "argument-injection"))
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking`
`3`	`3`	`private import codeql.actions.dataflow.ExternalFlow`
`4`	`4`	`import codeql.actions.dataflow.FlowSources`
`5`	`5`	`import codeql.actions.DataFlow`
	`6`	`+import codeql.actions.security.ControlChecks`
`6`	`7`
`7`	`8`	`abstract class ArgumentInjectionSink extends DataFlow::Node {`
`8`	`9`	`abstract string getCommand();`
`@@ -89,8 +90,17 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {`
`89`	`90`	`)`
`90`	`91`	`}`
`91`	`92`
`92`		`- predicate observeDiffInformedIncrementalMode() {`
`93`		`- any() // TODO: Make sure that the ___location overrides match the query's select clause: Column 7 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql@29:62:29:66)`
	`93`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`94`	`+`
	`95`	`+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }`
	`96`	`+`
	`97`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`98`	`+ result = sink.getLocation()`
	`99`	`+ or`
	`100`	`+ exists(Event event \| result = event.getLocation() \|`
	`101`	`+ inPrivilegedContext(sink.asExpr(), event) and`
	`102`	`+ not exists(ControlCheck check \| check.protects(sink.asExpr(), event, "argument-injection"))`
	`103`	`+ )`
`94`	`104`	`}`
`95`	`105`	`}`
`96`	`106`