ci: update sus stub

damyanpetev · damyanpetev · commit 4dc57d6a26b3 · 2026-03-06T15:06:07.000+02:00
diff --git a/.github/codeql/custom-queries-javascript/ShellSanitizer.ql b/.github/codeql/custom-queries-javascript/ShellSanitizer.ql
@@ -9,9 +9,10 @@ module UtilSanitizerConfig implements DataFlow::ConfigSig {
 	predicate isBarrier(DataFlow::Node nd) {
 		nd.(DataFlow::CallNode).getCalleeName() = "sanitizeShellArg"
 	}
-	/** Minimal stubs required by ConfigSig (false should be no extra action). */
-	predicate isSource(DataFlow::Node n) { false }
-	predicate isSink(DataFlow::Node n) { false }
+	/** Minimal stubs required by ConfigSig */
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 }
 
 module UtilSanitizerConfigFlow = TaintTracking::Global<UtilSanitizerConfig>;

Original file line number	Diff line number	Diff line change
`@@ -9,9 +9,10 @@ module UtilSanitizerConfig implements DataFlow::ConfigSig {`
`9`	`9`	`predicate isBarrier(DataFlow::Node nd) {`
`10`	`10`	`nd.(DataFlow::CallNode).getCalleeName() = "sanitizeShellArg"`
`11`	`11`	`}`
`12`		`- /** Minimal stubs required by ConfigSig (false should be no extra action). */`
`13`		`- predicate isSource(DataFlow::Node n) { false }`
`14`		`- predicate isSink(DataFlow::Node n) { false }`
	`12`	`+ /** Minimal stubs required by ConfigSig */`
	`13`	`+ predicate isSource(DataFlow::Node source) { source instanceof Source }`
	`14`	`+`
	`15`	`+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`module UtilSanitizerConfigFlow = TaintTracking::Global<UtilSanitizerConfig>;`