[DIFF-INFORMED] C#: UnsafeDeserializationQuery

d10c · d10c · commit d556fc81a08d · 2025-07-17T11:43:53.000+02:00
https://github.com/d10c/codeql/blob/57c8b6e2299f5d6e991bd1a198a58692b6d6e016/csharp/ql/src/Security%20Features/CWE-502/UnsafeDeserializationUntrustedInput.ql#L59
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
   predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof StrongTypeDeserializer
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**
@@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
       sink.asExpr() = mc.getQualifier()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig`
`59`	`59`	`predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }`
`60`	`60`
`61`	`61`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`62`	`+`
	`63`	`+ predicate observeDiffInformedIncrementalMode() {`
	`64`	`+ any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql`
	`65`	`+ }`
`62`	`66`	`}`
`63`	`67`
`64`	`68`	`/**`
`@@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {`
`77`	`81`	`}`
`78`	`82`
`79`	`83`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`84`	`+`
	`85`	`+ predicate observeDiffInformedIncrementalMode() {`
	`86`	`+ any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql`
	`87`	`+ }`
`80`	`88`	`}`
`81`	`89`
`82`	`90`	`/**`
`@@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {`
`133`	`141`	`)`
`134`	`142`	`)`
`135`	`143`	`}`
	`144`	`+`
	`145`	`+ predicate observeDiffInformedIncrementalMode() {`
	`146`	`+ none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql`
	`147`	`+ }`
`136`	`148`	`}`
`137`	`149`
`138`	`150`	`/**`
`@@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo`
`149`	`161`	`predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }`
`150`	`162`
`151`	`163`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`164`	`+`
	`165`	`+ predicate observeDiffInformedIncrementalMode() {`
	`166`	`+ any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql`
	`167`	`+ }`
`152`	`168`	`}`
`153`	`169`
`154`	`170`	`/**`
`@@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {`
`186`	`202`	`oc.getObjectType() instanceof StrongTypeDeserializer`
`187`	`203`	`)`
`188`	`204`	`}`
	`205`	`+`
	`206`	`+ predicate observeDiffInformedIncrementalMode() {`
	`207`	`+ none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql`
	`208`	`+ }`
`189`	`209`	`}`
`190`	`210`
`191`	`211`	`/**`
`@@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config`
`210`	`230`	`sink.asExpr() = mc.getQualifier()`
`211`	`231`	`)`
`212`	`232`	`}`
	`233`	`+`
	`234`	`+ predicate observeDiffInformedIncrementalMode() {`
	`235`	`+ none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql`
	`236`	`+ }`
`213`	`237`	`}`
`214`	`238`
`215`	`239`	`/**`