Python: patch-generated stubs

d10c · d10c · commit a20ac73128df · 2025-07-04T11:48:29.000+02:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -20,7 +20,17 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@26:8:26:21), Column 5 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@27:68:27:83)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@26:8:26:21), Column 5 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@27:68:27:83)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@26:8:26:21), Column 5 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@27:68:27:83)
+  }
 }
 
 /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
@@ -33,7 +43,17 @@ private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@26:8:26:21), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@27:68:27:83)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@26:8:26:21), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@27:68:27:83)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@26:8:26:21), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/python/ql/src/Security/CWE-090/LdapInjection.ql@27:68:27:83)
+  }
 }
 
 /** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
diff --git a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
@@ -33,8 +33,6 @@ module NormalHashFunction {
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
-
-    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -65,8 +63,6 @@ module ComputationallyExpensiveHashFunction {
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
-
-    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
@@ -26,6 +26,10 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config
   predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects source.getResultType (/Users/d10c/src/semmle-code/ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql@41:3:41:54)
+  }
 }
 
 module PossibleTimingAttackAgainstHashFlow =
diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
@@ -25,6 +25,10 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects source.getResultType (/Users/d10c/src/semmle-code/ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql@39:3:39:54)
+  }
 }
 
 module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>;

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,6 @@ module NormalHashFunction {`
`33`	`33`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`34`	`34`	`sensitiveDataExtraStepForCalls(node1, node2)`
`35`	`35`	`}`
`36`		`-`
`37`		`- predicate observeDiffInformedIncrementalMode() { any() }`
`38`	`36`	`}`
`39`	`37`
`40`	`38`	`/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */`
`@@ -65,8 +63,6 @@ module ComputationallyExpensiveHashFunction {`
`65`	`63`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`66`	`64`	`sensitiveDataExtraStepForCalls(node1, node2)`
`67`	`65`	`}`
`68`		`-`
`69`		`- predicate observeDiffInformedIncrementalMode() { any() }`
`70`	`66`	`}`
`71`	`67`
`72`	`68`	`/** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,10 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config`
`26`	`26`	`predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }`
`27`	`27`
`28`	`28`	`predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }`
	`29`	`+`
	`30`	`+ predicate observeDiffInformedIncrementalMode() {`
	`31`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects source.getResultType (/Users/d10c/src/semmle-code/ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql@41:3:41:54)`
	`32`	`+ }`
`29`	`33`	`}`
`30`	`34`
`31`	`35`	`module PossibleTimingAttackAgainstHashFlow =`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,10 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {`
`25`	`25`	`predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }`
`26`	`26`
`27`	`27`	`predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }`
	`28`	`+`
	`29`	`+ predicate observeDiffInformedIncrementalMode() {`
	`30`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects source.getResultType (/Users/d10c/src/semmle-code/ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql@39:3:39:54)`
	`31`	`+ }`
`28`	`32`	`}`
`29`	`33`
`30`	`34`	`module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>;`