Have started an all-projects evaluation

Have started an all-projects evaluation

Any news on that front?

Have started an all-projects evaluation

Any news on that front?

47 hits. Observations from triaging the first 20:

• Some FPs due to not checking the templated element flows to the sink (i.e., you currently check we have input -> conversion and input -> execution, but not conversion -> execution. This sort of "waypoint" query, where we want A -> B -> C (here A = remoteflowsource, B = template.JS, C = template.Execute) we need to use three configs: one checking A -> B, one B -> C (either of these can be optimised by restricting to those Bs that match the other; note in this case the configs are dependent and TaintTracking2 must be used), and a third checking A -> C where the B steps are marked as additional flow steps. The long-term fix here is flow tags, which will allow us to solve this in one config.
• Some FPs because the escaped value has been converted to an integer (e.g. template.HTML("<b>" + userControlledInt + "</b>"))

Is it this: https://codeql.github.com/docs/codeql-language-guides/using-flow-labels-for-precise-data-flow-analysis/

Is there an example of flow tags in codeql-go?

I added an extra flow condition, and it seems to work (added a test). Not sure about where and how/why use TaintTracking2.

It's probably very inefficient 😬

Flow tags are a feature available in the Javascript dataflow lib but regrettably not in Go yet.

Is my code correct? AFAICT it works.

Looks good -- it's possible to make a bit more efficient by restricting some of the flows to only investigate sources/sinks that are involved in a flow according to one of the others (starting with whichever flow we expect to be most rare, then working out from there). That would require using TaintTracking2 etc so dependent flows don't use the same instance of TaintTracking; however it's not necessary particularly when the waypoint (B, type conversion to html/template.JS or similar) is quite unusual. I'll try this out on LGTM now.

Using the same instance of TaintTracking for all the flows is kinda messing up the steps that are displayed in the results (I think that's the cause).

How can that be avoided? I'm trying to use TaintTracking2 but don't know how to combine them together.

Use a different version of TaintTracking for each Configuration. The DataFlow::Node types they use can be directly compared.

There's only TaintTracking and TaintTracking2.

Nope, still same.

Using two ~instances, TaintTracking and TaintTracking2, removes things from the .expected file (probably registering only steps from the TaintTracking).

Not sure whether that's good.

The expected file has three subsections: nodes, edges, and results (the top-level #select). If it removes only nodes and edges that's at least harmless; if it removes results too that's more of a problem. Can you post a diff between two different revisions, with the code changes and corresponding expected file changes?

I get the same results with both versions of the query (the first version that uses only one TaintTracking, and the second version using the two different TaintTracking).

Never mind. That seems to be the flow steps in a regular flow, too.

Going back to using one instance of TaintTracking because it saves all nodes and edges (the results don't change).

Just noticed these had been done -- please do ping when you've applied review suggestions, or it's quite easy not to notice

Rebased and set to automerge if CI passes.

CI passed, but the automerge didn't happen.

please do ping when you've applied review suggestions, or it's quite easy not to notice

I will 🤗

CI passed, but the automerge didn't happen.

Maybe it's missing the approval.